Add Templates feature to foreman-proxy by shubhamsg199 · Pull Request #519 · theforeman/foremanctl

shubhamsg199 · 2026-05-25T17:30:50Z

Why are you introducing these changes? (Problem description, related links)

What are the changes introduced in this pull request?

Enable templates feature for foreman-proxy

How to test this pull request

Steps to reproduce:

foremanctl deploy --add-feature templates

Checklist

Tests added/updated (if applicable)
Documentation updated (if applicable)

ehelms · 2026-06-10T21:10:06Z

Does templates need to be in the features.yaml? I do not see how the feature in this PR ensures foreman-proxy gets added.

shubhamsg199 · 2026-06-11T16:43:19Z

Does templates need to be in the features.yaml? I do not see how the feature in this PR ensures foreman-proxy gets added.

Yes, templates is declared in features.yaml under the foreman_proxy key (same pattern as bmc). I don't think we have a way to ensure if foreman-proxy gets added.

shubhamsg199 · 2026-06-11T17:07:20Z

@ehelms Made some updates that ensures foreman-proxy gets added on the feature install. Not sure if that should be part of this PR.

Signed-off-by: Shubham Ganar <shubhamsg123m@gmail.com>

evgeni · 2026-06-23T06:17:09Z

@@ -0,0 +1,3 @@
+---
+:enabled: {{ feature_enabled }}


as you're exposing "listen on", you'd need to alter the value of :enabled: accordingly. (both maps to true, the others can be used directly to only enable http/https mode.

so far we have not been opening the http port at all, and all plugins are configured for both/true.

given templates is the first one that is actually useful over plain http, we need to rethink that now

What's the point of setting it to http or https? Why not just true / false?
Do we enforce SSL when the value is https or true?

We don't enforce SSL in that case, no.

But if a module is enabled on plain HTTP, the authorization is reduced to "the reverse DNS matches an entry in trusted_hosts" aka "no authorization as everyone can fake this shit"¹.

So we need to only ever allow plain HTTP to modules that don't need authorization (like templates).

¹: This is not a problem today, as we don't expose the HTTP port at all

evgeni · 2026-06-23T06:44:21Z

+    settings = proxy_v2_features['templates'].get('settings', {})
+    template_url = settings.get('template_url')
+    assert template_url == 'http://quadlet.example.com:8000'
+


can we write a test that actually uses the template feature to get data?

stejskalleos · 2026-06-23T11:26:03Z

 | `--add-feature bmc` | Enable BMC feature | `--foreman-proxy-bmc` |
 | `--bmc-ipmi-implementation` | IPMI implementation to use for BMC | `--foreman-proxy-bmc-default-provider` |
 | `--bmc-redfish-verify-ssl` | Verify SSL certificates for Redfish BMC connections | `--foreman-proxy-bmc-redfish-verify-ssl` |
+| `--add-feature templates` | Enable Templates feature on Smart Proxy | `--foreman-proxy-templates` |


Can you please update the https://github.com/theforeman/foremanctl/blob/master/src/plugins/modules/migrate_answers.py#L14 as well?

stejskalleos · 2026-06-23T11:35:50Z

@@ -0,0 +1,3 @@
+---
+:enabled: {{ feature_enabled }}


What's the point of setting it to http or https? Why not just true / false?
Do we enforce SSL when the value is https or true?

stejskalleos · 2026-06-23T11:36:12Z

@@ -0,0 +1,3 @@
+---
+:enabled: {{ feature_enabled }}
+:template_url: {{ foreman_proxy_templates_url | default('http://' + ansible_facts['fqdn'] + ':8000') }}


Question: What if we did not provide a default value and instead required users to set it manually?

Plus, you need two default values: one for HTTP and one for HTTPS.

No newline at end of file

That should be fixed as well.

stejskalleos · 2026-06-23T11:36:21Z

+    settings = proxy_v2_features['templates'].get('settings', {})
+    template_url = settings.get('template_url')
+    assert template_url == 'http://quadlet.example.com:8000'
+


stejskalleos · 2026-06-23T11:37:16Z

            --add-feature remote-execution \
            --add-feature bmc \
+            --add-feature templates \
+            --templates-listen-on http \


What if we drop it? Is this parameter still relevant?

shubhamsg199 self-assigned this May 25, 2026

pr-processor Bot added the Not yet reviewed label May 25, 2026

shubhamsg199 marked this pull request as draft May 25, 2026 17:31

shubhamsg199 force-pushed the templates-feature branch from dcadf66 to 9a7993c Compare May 25, 2026 18:00

ehelms reviewed May 26, 2026

View reviewed changes

Comment thread src/playbooks/deploy/metadata.obsah.yaml

pr-processor Bot removed the Not yet reviewed label May 26, 2026

shubhamsg199 marked this pull request as ready for review June 3, 2026 09:30

shubhamsg199 force-pushed the templates-feature branch 3 times, most recently from 77b2cc9 to 6be7b5b Compare June 5, 2026 15:23

stejskalleos requested changes Jun 8, 2026

View reviewed changes

Comment thread .github/workflows/test.yml

pr-processor Bot added the Waiting on contributor label Jun 8, 2026

stejskalleos self-assigned this Jun 8, 2026

shubhamsg199 force-pushed the templates-feature branch from 6be7b5b to 26ddc10 Compare June 8, 2026 08:23

pr-processor Bot added Needs re-review and removed Waiting on contributor labels Jun 8, 2026

shubhamsg199 force-pushed the templates-feature branch from 26ddc10 to 215ec14 Compare June 9, 2026 07:18

pr-processor Bot removed the Needs re-review label Jun 9, 2026

shubhamsg199 force-pushed the templates-feature branch from 215ec14 to c5bb26e Compare June 9, 2026 09:43

shubhamsg199 force-pushed the templates-feature branch 4 times, most recently from 713b3d9 to ded1e9b Compare June 11, 2026 17:00

arvind4501 reviewed Jun 12, 2026

View reviewed changes

Comment thread tests/foreman_proxy_test.py Outdated

shubhamsg199 force-pushed the templates-feature branch 2 times, most recently from f0ba618 to b20b505 Compare June 12, 2026 15:23

evgeni reviewed Jun 15, 2026

View reviewed changes

Comment thread src/filter_plugins/foremanctl.py

shubhamsg199 force-pushed the templates-feature branch from b20b505 to da1bfa2 Compare June 22, 2026 10:56

Add Templates feature to foreman-proxy

5485068

Signed-off-by: Shubham Ganar <shubhamsg123m@gmail.com>

shubhamsg199 force-pushed the templates-feature branch from da1bfa2 to 5485068 Compare June 22, 2026 10:57

shubhamsg199 requested review from arvind4501, evgeni and stejskalleos June 23, 2026 05:41

evgeni reviewed Jun 23, 2026

View reviewed changes

arvind4501 reviewed Jun 23, 2026

View reviewed changes

Comment thread .github/workflows/test.yml

evgeni reviewed Jun 23, 2026

View reviewed changes

stejskalleos requested changes Jun 23, 2026

View reviewed changes

pr-processor Bot added the Waiting on contributor label Jun 23, 2026

Uh oh!

Conversation

shubhamsg199 commented May 25, 2026

Why are you introducing these changes? (Problem description, related links)

What are the changes introduced in this pull request?

How to test this pull request

Checklist

Uh oh!

Uh oh!

Uh oh!

ehelms commented Jun 10, 2026

Uh oh!

shubhamsg199 commented Jun 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

shubhamsg199 commented Jun 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

shubhamsg199 commented Jun 11, 2026 •

edited

Loading

shubhamsg199 commented Jun 11, 2026 •

edited

Loading