From 10ab3758c7940aac12369e43f24a9fd4533fc57e Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Sat, 23 May 2026 13:48:38 +0200
Subject: [PATCH 1/3] Use candlepin_ssl_port variable in health check

---
src/roles/candlepin/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
index 3d8b4b518..2469b40d2 100644
--- a/src/roles/candlepin/tasks/main.yml
+++ b/src/roles/candlepin/tasks/main.yml
@@ -90,7 +90,7 @@
After=redis.service postgresql.service
[Service]
TimeoutStartSec=300
- healthcheck: curl --fail --insecure https://localhost:23443/candlepin/status
+ healthcheck: "curl --fail --insecure https://localhost:{{ candlepin_ssl_port }}/candlepin/status"
sdnotify: healthy

- name: Run daemon reload to make Quadlet create the service files
From 1af5ab289cf9d7b213e5c536ce5cf61101b281ff Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Sat, 23 May 2026 14:05:26 +0200
Subject: [PATCH 2/3] Only pass in Candlepin secrets instead of full configs

This uses an updated Candlepin image that contains templates for config files and uses environment variables to provide configuration. On the Ansible side these are provided via podman secrets. This reduces the coupling between how the container is built and configured.
---
src/roles/candlepin/defaults/main.yml | 11 --
src/roles/candlepin/tasks/main.yml | 45 +++--
.../candlepin/templates/candlepin.conf.j2 | 38 -----
src/roles/candlepin/templates/server.xml.j2 | 139 ------------------
src/roles/candlepin/templates/tomcat.conf | 44 ------
5 files changed, 24 insertions(+), 253 deletions(-)
delete mode 100644 src/roles/candlepin/templates/candlepin.conf.j2
delete mode 100644 src/roles/candlepin/templates/server.xml.j2
delete mode 100644 src/roles/candlepin/templates/tomcat.conf

diff --git a/src/roles/candlepin/defaults/main.yml b/src/roles/candlepin/defaults/main.yml
index a0a8b15b4..b17b503a0 100644
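Review bot: The health check keeps `--insecure`, so it only proves that something answers on `candlepin_ssl_port`; it would not notice the container serving a wrong or expired keystore. The CA certificate is already mounted into the container at `/etc/candlepin/certs/candlepin-ca.crt` (see the secrets list in the later `@@ -73` hunk), so `--cacert /etc/candlepin/certs/candlepin-ca.crt` would verify the chain, provided the certificate issued by certs.yml has `localhost` in its SANs — certs.yml is not in this diff, so that needs confirming. Until the `CANDLEPIN_PORT` environment variable from the next patch lands, this port and the listener inside the container are only in sync if the (now deleted) server.xml.j2 also used `candlepin_ssl_port`; its contents are not visible here.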
--- a/src/roles/candlepin/defaults/main.yml
+++ b/src/roles/candlepin/defaults/main.yml
@@ -1,17 +1,6 @@
---
candlepin_ssl_port: 23443
candlepin_hostname: localhost
-candlepin_tls_versions:
- - "TLSv1.2"
-candlepin_ciphers:
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
candlepin_container_image: quay.io/foreman/candlepin
candlepin_container_tag: "4.4.14"
candlepin_registry_auth_file: /etc/foreman/registry-auth.json
diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
index 2469b40d2..f90220660 100644
--- a/src/roles/candlepin/tasks/main.yml
+++ b/src/roles/candlepin/tasks/main.yml
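Review bot: Removing `candlepin_tls_versions` and `candlepin_ciphers` from the defaults means any inventory or group_vars that override them is now silently ignored — Ansible does not warn about unused variables — while the effective TLS version and cipher policy becomes whatever the new image's templates contain, which this diff does not show. A short-lived guard would make the change visible to operators, e.g. an `ansible.builtin.fail` task with `when: candlepin_tls_versions is defined or candlepin_ciphers is defined` and a message saying the TLS policy is now set by the container image. Failing that, a line in the role's README or changelog stating where TLS policy is configured from now on would serve the same purpose.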
@@ -14,36 +14,27 @@
ansible.builtin.include_tasks:
file: certs.yml

-- name: Create Candlepin configuration
+- name: Create DB URL secret
containers.podman.podman_secret:
state: present
- name: candlepin-candlepin-conf
- data: "{{ lookup('ansible.builtin.template', 'candlepin.conf.j2') }}"
- labels:
- filename: candlepin.conf
- app: candlepin
+ name: candlepin-db-url
+ data: "jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca_path }}{% endif %}"
notify:
- Restart candlepin

-- name: Create Tomcat server.xml
+- name: Create DB URL secret
containers.podman.podman_secret:
state: present
- name: candlepin-tomcat-server-xml
- data: "{{ lookup('ansible.builtin.template', 'server.xml.j2') }}"
- labels:
- filename: server.xml
- app: tomcat
+ name: candlepin-db-username
+ data: "{{ candlepin_database_user }}"
notify:
- Restart candlepin

-- name: Create Tomcat server configuration
+- name: Create DB URL secret
containers.podman.podman_secret:
state: present
- name: candlepin-tomcat-conf
- data: "{{ lookup('ansible.builtin.template', 'tomcat.conf') }}"
- labels:
- filename: tomcat.conf
- app: tomcat
+ name: candlepin-db-password
+ data: "{{ candlepin_database_password }}"
notify:
- Restart candlepin

@@ -55,6 +46,14 @@
notify:
- Restart candlepin

+- name: Create oauth secret
+ containers.podman.podman_secret:
+ state: present
+ name: candlepin-oauth-secret
+ data: "{{ candlepin_oauth_secret }}"
+ notify:
+ - Restart candlepin
+
- name: Pull the Candlepin container image
containers.podman.podman_image:
name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
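Review bot: All three replaced tasks are named `Create DB URL secret`, but the second and third create the username and password secrets; they should read `- name: Create DB username secret` and `- name: Create DB password secret`, since duplicate task names also make `--start-at-task` and log triage ambiguous. The password task here and the `Create oauth secret` task in the `@@ -55` hunk pass credentials through `data:`; unless the collection's `podman_secret` argument spec already marks `data` as no_log, add `no_log: true` to both so the values do not show up in `-v` output or in a failure message. The removed tasks also carried `labels:` (`filename`/`app`) that the new secrets do not; if anything else in the role selects secrets by those labels, it will no longer find these.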
@@ -73,10 +72,14 @@
- 'candlepin-ca-cert,target=/etc/candlepin/certs/candlepin-ca.crt,mode=0440,type=mount'
- 'candlepin-ca-key,target=/etc/candlepin/certs/candlepin-ca.key,mode=0440,type=mount'
- 'candlepin-tomcat-keystore,target=/etc/candlepin/certs/keystore,mode=0440,type=mount'
- - 'candlepin-candlepin-conf,target=/etc/candlepin/candlepin.conf,mode=0440,type=mount'
- - 'candlepin-tomcat-server-xml,target=/etc/tomcat/server.xml,mode=440,type=mount'
- - 'candlepin-tomcat-conf,target=/etc/tomcat/tomcat.conf,mode=440,type=mount'
+ - 'candlepin-tomcat-keystore-password,target=CANDLEPIN_KEYSTORE_PASSWORD,type=env'
- 'candlepin-db-ca,target={{ candlepin_database_ssl_ca_path }},mode=0440,type=mount'
+ - 'candlepin-db-url,target=CANDLEPIN_DB_URL,type=env'
+ - 'candlepin-db-username,target=CANDLEPIN_DB_USERNAME,type=env'
+ - 'candlepin-db-password,target=CANDLEPIN_DB_PASSWORD,type=env'
+ - 'candlepin-oauth-secret,target=CANDLEPIN_OAUTH_SECRET,type=env'
+ env:
+ CANDLEPIN_PORT: "{{ candlepin_ssl_port }}"
volumes:
- /var/log/candlepin:/var/log/candlepin:Z
- /var/log/tomcat:/var/log/tomcat:Z
diff --git a/src/roles/candlepin/templates/candlepin.conf.j2 b/src/roles/candlepin/templates/candlepin.conf.j2
deleted file mode 100644
index 0bbca142d..000000000
--- a/src/roles/candlepin/templates/candlepin.conf.j2
+++ /dev/null
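Review bot: Delivering the DB password, OAuth secret and keystore password as `type=env` secrets moves them from `mode=0440` files into the container process environment, where they are readable by any process running as the same user in the container, are inherited by every child process Tomcat spawns, and tend to surface in crash reports or debug output that dumps the environment. If the image's templates also accept a file path for these values, keeping the three credential entries as `type=mount` with `mode=0440` would preserve the previous exposure profile; if the image only reads environment variables, a comment above this list saying so (`# credentials are passed as env secrets because the image templates read them from the environment`) records that the trade-off was deliberate. `candlepin-tomcat-keystore-password` is referenced here but its creating task is not in the diff — presumably it sits in the unchanged lines just before the `@@ -55` hunk — so it is worth confirming the secret exists under exactly that name.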
@@ -1,38 +0,0 @@
-candlepin.consumer_system_name_pattern=.+
-
-candlepin.environment_content_filtering=true
-candlepin.auth.basic.enable=false
-candlepin.auth.trusted.enable=false
-
-candlepin.db.database_manage_on_startup=Manage
-
-candlepin.auth.oauth.enable=true
-candlepin.auth.oauth.consumer.katello.secret={{ candlepin_oauth_secret }}
-
-module.config.adapter_module=org.candlepin.katello.KatelloModule
-
-candlepin.ca_key=/etc/candlepin/certs/candlepin-ca.key
-candlepin.ca_cert=/etc/candlepin/certs/candlepin-ca.crt
-
-candlepin.async.jobs.ExpiredPoolsCleanupJob.schedule=0 0 0 * * ?
-
-jpa.config.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
-jpa.config.hibernate.hbm2ddl.auto=validate
-jpa.config.hibernate.connection.username={{ candlepin_database_user }}
-jpa.config.hibernate.connection.password={{ candlepin_database_password }}
-jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
-jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca_path }}{% endif %}
-
-
-org.quartz.jobStore.misfireThreshold=60000
-org.quartz.jobStore.useProperties=false
-org.quartz.jobStore.dataSource=myDS
-org.quartz.jobStore.tablePrefix=QRTZ_
-org.quartz.jobStore.class=org.quartz.impl.jdbcjobstore.JobStoreTX
-org.quartz.jobStore.driverDelegateClass=org.quartz.impl.jdbcjobstore.PostgreSQLDelegate
-
-org.quartz.dataSource.myDS.driver=org.postgresql.Driver
-org.quartz.dataSource.myDS.user={{ candlepin_database_user }}
-org.quartz.dataSource.myDS.password={{ candlepin_database_password }}
-org.quartz.dataSource.myDS.maxConnections=5
-org.quartz.dataSource.myDS.URL=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined 
%}&sslrootcert={{ candlepin_database_ssl_ca_path }}{% endif %} diff --git a/src/roles/candlepin/templates/server.xml.j2 b/src/roles/candlepin/templates/server.xml.j2 deleted file mode 100644 index 99db65da1..000000000 --- a/src/roles/candlepin/templates/server.xml.j2 +++ /dev/null @@ -1,139 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/src/roles/candlepin/templates/tomcat.conf b/src/roles/candlepin/templates/tomcat.conf deleted file mode 100644 index 5e9fdfa52..000000000 --- a/src/roles/candlepin/templates/tomcat.conf +++ /dev/null 
@@ -1,44 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be loaded by systemd as an environment file,
-# so please keep the syntax. For shell expansion support
-#
-# There are 2 "classes" of startup behavior in this package.
-# The old one, the default service named tomcat.service.
-# The new named instances are called tomcat@instance.service.
-#
-# Use this file to change default values for all services.
-# Change the service specific ones to affect only one service.
-# For tomcat.service it's /etc/sysconfig/tomcat, for
-# tomcat@instance it's /etc/sysconfig/tomcat@instance.
-
-# This variable is used to figure out if config is loaded or not.
-TOMCAT_CFG_LOADED="1"
-
-# In new-style instances, if CATALINA_BASE isn't specified, it will
-# be constructed by joining TOMCATS_BASE and NAME.
-TOMCATS_BASE="/var/lib/tomcats/"
-
-# Where your java installation lives
-JAVA_HOME="/usr/lib/jvm/jre-17"
-
-# Where your tomcat installation lives
-CATALINA_HOME="/usr/share/tomcat"
-
-# System-wide tmp
-CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-JAVA_OPTS="-Xms1024m -Xmx4096m -Dcom.redhat.fips=false"
-
-# You can change your tomcat locale here
-
-#LANG="en_US"
-
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="0"
-
-# Time to wait in seconds, before killing process
-# TODO(stingray): does nothing, fix.
-
-# SHUTDOWN_WAIT="30"
From 3fdd31266073716a06be45b25f80b8a2ed1c0e4c Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Sat, 23 May 2026 14:16:49 +0200
Subject: [PATCH 3/3] [TMP] Test with Candlepin container image

---
src/vars/images.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/vars/images.yml b/src/vars/images.yml
index 65356335f..e5b2bd4ee 100644
--- a/src/vars/images.yml
+++ b/src/vars/images.yml
@@ -20,8 +20,8 @@ iop_vulnerability_frontend_registry_auth_file: "{{ registry_auth_file }}" iop_advisor_frontend_registry_auth_file: "{{ registry_auth_file }}" container_tag_stream: "nightly" -candlepin_container_image: quay.io/foreman/candlepin -candlepin_container_tag: "foreman-{{ container_tag_stream }}" +candlepin_container_image: quay.io/foreman/candlepin-stage +candlepin_container_tag: on-pr-9a8f5cc0dbaffc38bd9f43273333fc0393e76df9 foreman_container_image: quay.io/foreman/foreman foreman_container_tag: "{{ container_tag_stream }}" foreman_proxy_container_image: "quay.io/foreman/foreman-proxy"