ironic-python-agent-builder/dib/ironic-python-agent-tls/README.rst

=======================
ironic-python-agent-tls
=======================
Adds TLS support to ironic-python-agent-ramdisk.

If enabled without any environment variables set to modify configuration,
this element will enable TLS API support in IPA with a self-signed certificate
and key created at build time.

Optionally, you can provide your own SSL certifiate and key, and optionally
ca, via the following environment variables. They should be set to an
accessible path on the build systems filesystem. If set, they will be copied
into the built ramdisk, and IPA will be configured to use them.

The environment variables are:
 - ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
 - ``DIB_IPA_KEY_FILE`` should point to the private key matching
   ``DIB_IPA_CERT_FILE``.

If having a certificate generated, you can configure how it's generated:
 - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
   certificate. Defaults to "ipa-ramdisk.example.com".
 - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
    Defaults to 1095 (three years).

Note that the certificates generated by this element are self-signed, and
any nodes using them will need to set agent_verify_ca=False in driver_info.

This element can also configure client certificate validation in IPA. If you
wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
you wish IPA client connections to be validated against. This CA file will
be copied into the built ramdisk, and IPA will be configured to use it.
Add element to configure IPA with TLS, use configdir First, this change preconfigures IPA to use a configdir. This will permit deployers to add or modify IPA configuration in elements. This change was a prerequisite to adding additional DIB elements which require configuration. Additionally, this adds a DIB element to configure TLS support for IPA's API. If added to a ramdisk build with no configuration, it will create a self-signed certificate and configure IPA to use it. It also exposes various environment variables to allow deployers to use preexisting certificates or CA files. Change-Id: Ibf88937766fa32f72b90ca81f9e8fba3515b6e33 2020-08-20 22:39:17 +00:00			`=======================`
			`ironic-python-agent-tls`
			`=======================`
			`Adds TLS support to ironic-python-agent-ramdisk.`

			`If enabled without any environment variables set to modify configuration,`
			`this element will enable TLS API support in IPA with a self-signed certificate`
			`and key created at build time.`

			`Optionally, you can provide your own SSL certifiate and key, and optionally`
			`ca, via the following environment variables. They should be set to an`
			`accessible path on the build systems filesystem. If set, they will be copied`
			`into the built ramdisk, and IPA will be configured to use them.`

			`The environment variables are:`
			- ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
			- ``DIB_IPA_KEY_FILE`` should point to the private key matching
			``DIB_IPA_CERT_FILE``.

			`If having a certificate generated, you can configure how it's generated:`
			- ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
			`certificate. Defaults to "ipa-ramdisk.example.com".`
			- ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
			`Defaults to 1095 (three years).`

			`Note that the certificates generated by this element are self-signed, and`
			`any nodes using them will need to set agent_verify_ca=False in driver_info.`

			`This element can also configure client certificate validation in IPA. If you`
			wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
			`you wish IPA client connections to be validated against. This CA file will`
			`be copied into the built ramdisk, and IPA will be configured to use it.`