Merge "Add element to configure IPA with TLS, use configdir"

2020-09-09 13:41:54 +00:00 · 2020-09-09 13:41:54 +00:00 · 89b310b8b6
parent 8602442973 79715dd750
commit 89b310b8b6
8 changed files with 73 additions and 3 deletions
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
@ -19,4 +19,4 @@ pre-start script
    echo Starting Ironic Python Agent
 end script

-exec /usr/local/bin/ironic-python-agent
+exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
@ -18,7 +18,7 @@ SCRIPT_NAME=/usr/local/bin/${NAME}

 case "$1" in
    start)
-        $SCRIPT_NAME
+        $SCRIPT_NAME --config-dir /etc/ironic-python-agent.d/
        ;;
    stop)
        ;;
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
@ -4,7 +4,7 @@ After=network-online.target

 [Service]
 ExecStartPre=/sbin/modprobe vfat
-ExecStart=/usr/local/bin/ironic-python-agent
+ExecStart=/usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
 Restart=always
 RestartSec=30s

--- a/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
+++ b/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
@ -0,0 +1,3 @@
+Files ending in *.conf in this directory will be loading in alphabetical
+order. When a config setting is set multiple times, the last one read
+will take precedence.
--- a/dib/ironic-python-agent-tls/README.rst
+++ b/dib/ironic-python-agent-tls/README.rst
@ -0,0 +1,32 @@
+=======================
+ironic-python-agent-tls
+=======================
+Adds TLS support to ironic-python-agent-ramdisk.
+
+If enabled without any environment variables set to modify configuration,
+this element will enable TLS API support in IPA with a self-signed certificate
+and key created at build time.
+
+Optionally, you can provide your own SSL certifiate and key, and optionally
+ca, via the following environment variables. They should be set to an
+accessible path on the build systems filesystem. If set, they will be copied
+into the built ramdisk, and IPA will be configured to use them.
+
+The environment variables are:
+ - ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
+ - ``DIB_IPA_KEY_FILE`` should point to the private key matching
+   ``DIB_IPA_CERT_FILE``.
+
+If having a certificate generated, you can configure how it's generated:
+ - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
+   certificate. Defaults to "ipa-ramdisk.example.com".
+ - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
+    Defaults to 1095 (three years).
+
+Note that the certificates generated by this element are self-signed, and
+any nodes using them will need to set agent_verify_ca=False in driver_info.
+
+This element can also configure client certificate validation in IPA. If you
+wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
+you wish IPA client connections to be validated against. This CA file will
+be copied into the built ramdisk, and IPA will be configured to use it.
--- a/dib/ironic-python-agent-tls/element-deps
+++ b/dib/ironic-python-agent-tls/element-deps
@ -0,0 +1,3 @@
+ironic-python-agent-ramdisk
+install-static
+package-installs
--- a/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
+++ b/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
+KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
+CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
+CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
+
+if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
+    echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
+    openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
+else
+    sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
+    sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
+fi
+
+sudo cat <<EOF > $CONFFILE
+[DEFAULT]
+listen_tls = True
+
+[ssl]
+cert_file = /etc/ironic-python-agent.d/agent.crt
+key_file = /etc/ironic-python-agent.d/agent.key
+EOF
+
+if [[ -n $DIB_IPA_CA_FILE ]]; then
+    echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
+    cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
+    sudo cat <<EOF >$CACONFFILE
+[ssl]
+ca_file = /etc/ironic-python-agent/agent.cacert.pem
+EOF
--- a/dib/ironic-python-agent-tls/package-installs.yaml
+++ b/dib/ironic-python-agent-tls/package-installs.yaml
@ -0,0 +1 @@
+openssl: