SSL Root CA autoinstall snippet for autoyast

java/code/src/com/redhat/rhn/frontend/action/common/DownloadFile.java

@@ -282,8 +282,8 @@ else if (ksession != null) {
 
         if (map.containsKey(CHILD) && !Config.get().getBoolean("ks_restrict_child_channels")) {
             Channel child = ChannelFactory.lookupByLabel(map.get(CHILD));
-            if (child == null || tree == null || child.getParentChannel() == null ||
-                    !child.getParentChannel().equals(tree.getChannel())) {
+            if (child == null || tree == null || (child.getParentChannel() != null &&
+                    !child.getParentChannel().equals(tree.getChannel()))) {
                 response.sendError(HttpServletResponse.SC_NOT_FOUND);
                 return mapping.findForward("error");
             }

java/conf/cobbler/snippets/autoyast_channels

@@ -0,0 +1,12 @@
+#import uyuni_cobbler_helper
+#set $distrotree = $distro_name.split(":")[0]
+#for $label, $channel in $uyuni_cobbler_helper.channels($distrotree).items()
+      <listentry>
+        <ask_on_error config:type="boolean">true</ask_on_error>
+        <media_url>https://$redhat_management_server/ks/dist/child/$label/$distrotree</media_url>
+        <name>$channel["name"]</name>
+#if $channel["product"]
+        <product>$channel["product"]</product>
+#end if
+     </listentry>
+#end for

java/conf/cobbler/snippets/root_ca

@@ -0,0 +1,13 @@
+#import uyuni_cobbler_helper
+
+<script>
+    <filename>root-ca-update.sh</filename>
+    <source>
+        <![CDATA[
+cat <<EOF >/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT
+$uyuni_cobbler_helper.get_ssl_ca_cert()
+EOF
+/usr/sbin/update-ca-certificates
+]]>
+    </source>
+</script>

java/spacewalk-java.changes.cbosdo.ca-snippet

@@ -0,0 +1 @@
+- Add snippet to set the SSL root CA (bsc#1194792)

java/spacewalk-java.spec

@@ -250,6 +250,7 @@ Requires:       tomcat-native
 Requires(pre):  salt
 Requires(pre):  tomcat >= 7
 Requires(pre):  uyuni-base-server
+Requires:       uyuni-cobbler-helper
 
 %if 0%{?rhel}
 Recommends:     rng-tools
@@ -580,6 +581,8 @@ install -m 644 conf/cobbler/snippets/redhat_register_using_salt    %{buildroot}%
 install -m 644 conf/cobbler/snippets/minion_script    %{buildroot}%{spacewalksnippetsdir}/minion_script
 install -m 644 conf/cobbler/snippets/sles_no_signature_checks %{buildroot}%{spacewalksnippetsdir}/sles_no_signature_checks
 install -m 644 conf/cobbler/snippets/wait_for_networkmanager_script %{buildroot}%{spacewalksnippetsdir}/wait_for_networkmanager_script
+install -m 644 conf/cobbler/snippets/autoyast_channels %{buildroot}%{spacewalksnippetsdir}/autoyast_channels
+install -m 644 conf/cobbler/snippets/root_ca %{buildroot}%{spacewalksnippetsdir}/root_ca
 
 # special links for rhn-search
 RHN_SEARCH_BUILD_DIR=%{_datadir}/rhn/search/lib
@@ -746,6 +749,8 @@ fi
 %config %{spacewalksnippetsdir}/minion_script
 %config %{spacewalksnippetsdir}/sles_no_signature_checks
 %config %{spacewalksnippetsdir}/wait_for_networkmanager_script
+%config %{spacewalksnippetsdir}/autoyast_channels
+%config %{spacewalksnippetsdir}/root_ca
 %if 0%{?suse_version}
 %config(noreplace) %{serverdir}/tomcat/webapps/rhn/META-INF/context.xml
 %else

python/uyuni-cobbler-helper/uyuni-cobbler-helper.changes

@@ -0,0 +1,2 @@
+- Add helper function getting channels from a distribution tree
+

python/uyuni-cobbler-helper/uyuni-cobbler-helper.changes.cbosdo.ca-snippet

@@ -0,0 +1 @@
+- Add snippet helper reading the SSL root CA (bsc#1194792)

python/uyuni-cobbler-helper/uyuni-cobbler-helper.spec

@@ -0,0 +1,56 @@
+#
+# spec file for package uyuni-cobbler-helper
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+## The productprettyname macros is controlled in the prjconf. If not defined, we fallback here
+%{!?productprettyname: %global productprettyname Uyuni}
+
+Name:           uyuni-cobbler-helper
+Version:        5.1.0
+Release:        0
+Summary:        Python helper functions for %{productprettyname} Cobbler snippets
+License:        Apache-2.0
+Group:          System/Management
+URL:            https://github.com/uyuni-project/uyuni
+Source0:        %{name}-%{version}.tar.gz
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildArch:      noarch
+BuildRequires:  python-rpm-macros
+BuildRequires:  %{python_module base}
+Requires:       python
+Requires:       python-psycopg2 >= 2.8.4
+Provides:       uyuni-cobbler-helper
+%python_subpackages
+
+%description
+This package provides utility functions to expose %{productprettyname} data to Cobbler snippets.
+
+%prep
+%autosetup
+
+%build
+
+%install
+%{python_expand # expanded-body:
+  install -d %{buildroot}%{$python_sitelib}
+  install -m 644 uyuni_cobbler_helper.py %{buildroot}%{$python_sitelib}/uyuni_cobbler_helper.py
+}
+
+
+%files %{python_files}
+%{python_sitelib}/uyuni_cobbler_helper.py
+
+%changelog

python/uyuni-cobbler-helper/uyuni_cobbler_helper.py

@@ -0,0 +1,52 @@
+"""
+cobbler helper module for kickstart macros
+"""
+
+import psycopg2
+import configparser
+
+
+def channels(distrotree):
+    cnx = _connect_db()
+    cursor = cnx.cursor()
+
+    query = """SELECT CT.name, CT.label, CP.product
+FROM rhnkickstartabletree T,
+     rhnchanneltreeview CT,
+     rhnchannel C
+     LEFT JOIN rhnchannelproduct CP ON C.channel_product_id = CP.id
+WHERE T.channel_id = CT.parent_or_self_id
+  AND CT.id = C.id
+  AND T.label = %s;"""
+
+    cursor.execute(query, (distrotree,))
+    result = {}
+    for row in cursor.fetchall():
+        result[row[1]] = {"name": row[0], "product": row[2]}
+
+    cnx.close()
+    return result
+
+
+def _connect_db():
+    config = configparser.ConfigParser()
+    with open("/etc/rhn/rhn.conf", "r", encoding="utf-8") as fd:
+        content = "[default]\n" + fd.read()
+        config.read_string(content)
+
+    # pylint: disable-next=undefined-variable
+    return psycopg2.connect(
+        host=config.get("default", "db_host"),
+        user=config.get("default", "db_user"),
+        password=config.get("default", "db_password"),
+        dbname=config.get("default", "db_name"),
+        port=int(config.get("default", "db_port")),
+    )
+
+
+def get_ssl_ca_cert():
+    with open(
+        "/etc/pki/trust/anchors/LOCAL-RHN-ORG-TRUSTED-SSL-CERT", "r", encoding="utf-8"
+    ) as fd:
+        content = fd.read()
+        return content

rel-eng/packages/uyuni-cobbler-helper

@@ -0,0 +1 @@
+5.1.0-0 python/uyuni-cobbler-helper/

spacewalk/setup/bin/spacewalk-setup-cobbler

@@ -77,6 +77,7 @@ def manipulate_cobbler_settings(config_dir: str, settings_yaml: str, fqdn: str):
     filecontent["redhat_management_server"] = fqdn or socket.getfqdn()
     filecontent["client_use_localhost"] = True
     filecontent["uyuni_authentication_endpoint"] = "http://localhost"
+    filecontent["cheetah_import_whitelist"].append("uyuni_cobbler_helper")
     yaml_dump = yaml.safe_dump(filecontent)
     with open(full_path, "w") as settings_file:
         settings_file.write(yaml_dump)

spacewalk/setup/spacewalk-setup.changes.cbosdo.profile-dl

@@ -0,0 +1 @@
+- Add uyuni-cobbler-helper to Cobbler's python module whitelist