Add element to configure IPA with TLS, use configdir

First, this change preconfigures IPA to use a configdir. This will
permit deployers to add or modify IPA configuration in elements.
This change was a prerequisite to adding additional DIB elements
which require configuration.

Additionally, this adds a DIB element to configure TLS support for
IPA's API. If added to a ramdisk build with no configuration, it
will create a self-signed certificate and configure IPA to use it.
It also exposes various environment variables to allow deployers
to use preexisting certificates or CA files.

Change-Id: Ibf88937766fa32f72b90ca81f9e8fba3515b6e33

dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf

@@ -19,4 +19,4 @@ pre-start script
     echo Starting Ironic Python Agent
 end script
 
-exec /usr/local/bin/ironic-python-agent
+exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/

dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init

@@ -18,7 +18,7 @@ SCRIPT_NAME=/usr/local/bin/${NAME}
 
 case "$1" in
     start)
-        $SCRIPT_NAME
+        $SCRIPT_NAME --config-dir /etc/ironic-python-agent.d/
         ;;
     stop)
         ;;

dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service

@@ -4,7 +4,7 @@ After=network-online.target
 
 [Service]
 ExecStartPre=/sbin/modprobe vfat
-ExecStart=/usr/local/bin/ironic-python-agent
+ExecStart=/usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
 Restart=always
 RestartSec=30s
 

dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README

@@ -0,0 +1,3 @@
+Files ending in *.conf in this directory will be loading in alphabetical
+order. When a config setting is set multiple times, the last one read
+will take precedence.

dib/ironic-python-agent-tls/README.rst

@@ -0,0 +1,32 @@
+=======================
+ironic-python-agent-tls
+=======================
+Adds TLS support to ironic-python-agent-ramdisk.
+
+If enabled without any environment variables set to modify configuration,
+this element will enable TLS API support in IPA with a self-signed certificate
+and key created at build time.
+
+Optionally, you can provide your own SSL certifiate and key, and optionally
+ca, via the following environment variables. They should be set to an
+accessible path on the build systems filesystem. If set, they will be copied
+into the built ramdisk, and IPA will be configured to use them.
+
+The environment variables are:
+ - ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
+ - ``DIB_IPA_KEY_FILE`` should point to the private key matching
+   ``DIB_IPA_CERT_FILE``.
+
+If having a certificate generated, you can configure how it's generated:
+ - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
+   certificate. Defaults to "ipa-ramdisk.example.com".
+ - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
+    Defaults to 1095 (three years).
+
+Note that the certificates generated by this element are self-signed, and
+any nodes using them will need to set agent_verify_ca=False in driver_info.
+
+This element can also configure client certificate validation in IPA. If you
+wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
+you wish IPA client connections to be validated against. This CA file will
+be copied into the built ramdisk, and IPA will be configured to use it.

dib/ironic-python-agent-tls/element-deps

@@ -0,0 +1,3 @@
+ironic-python-agent-ramdisk
+install-static
+package-installs

dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
+KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
+CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
+CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
+
+if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
+    echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
+    openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
+else
+    sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
+    sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
+fi
+
+sudo cat <<EOF > $CONFFILE
+[DEFAULT]
+listen_tls = True
+
+[ssl]
+cert_file = /etc/ironic-python-agent.d/agent.crt
+key_file = /etc/ironic-python-agent.d/agent.key
+EOF
+
+if [[ -n $DIB_IPA_CA_FILE ]]; then
+    echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
+    cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
+    sudo cat <<EOF >$CACONFFILE
+[ssl]
+ca_file = /etc/ironic-python-agent/agent.cacert.pem
+EOF

dib/ironic-python-agent-tls/package-installs.yaml

@@ -0,0 +1 @@
+openssl: