
Merge "Add element to configure IPA with TLS, use configdir"

tags/2.2.0
Zuul 2 weeks ago
committed by Gerrit Code Review
parent
commit
89b310b8b6
8 changed files with 73 additions and 3 deletions
  1. +1
    -1
      dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
  2. +1
    -1
      dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
  3. +1
    -1
      dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
  4. +3
    -0
      dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
  5. +32
    -0
      dib/ironic-python-agent-tls/README.rst
  6. +3
    -0
      dib/ironic-python-agent-tls/element-deps
  7. +31
    -0
      dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
  8. +1
    -0
      dib/ironic-python-agent-tls/package-installs.yaml

+ 1
- 1
dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf View File

@@ -19,4 +19,4 @@ pre-start script
echo Starting Ironic Python Agent
end script

exec /usr/local/bin/ironic-python-agent
exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/

+ 1
- 1
dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init View File

@@ -18,7 +18,7 @@ SCRIPT_NAME=/usr/local/bin/${NAME}

case "$1" in
start)
$SCRIPT_NAME
$SCRIPT_NAME --config-dir /etc/ironic-python-agent.d/
;;
stop)
;;


+ 1
- 1
dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service View File

@@ -4,7 +4,7 @@ After=network-online.target

[Service]
ExecStartPre=/sbin/modprobe vfat
ExecStart=/usr/local/bin/ironic-python-agent
ExecStart=/usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
Restart=always
RestartSec=30s



+ 3
- 0
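--- a/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
+++ b/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
@@ -0,0 +1,3 @@
+Files ending in *.conf in this directory will be loading in alphabetical
+order. When a config setting is set multiple times, the last one read
+will take precedence.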

+ 32
- 0
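--- a/dib/ironic-python-agent-tls/README.rst
+++ b/dib/ironic-python-agent-tls/README.rst
@@ -0,0 +1,32 @@
+=======================
+ironic-python-agent-tls
+=======================
+Adds TLS support to ironic-python-agent-ramdisk.
+
+If enabled without any environment variables set to modify configuration,
+this element will enable TLS API support in IPA with a self-signed certificate
+and key created at build time.
+
+Optionally, you can provide your own SSL certifiate and key, and optionally
+ca, via the following environment variables. They should be set to an
+accessible path on the build systems filesystem. If set, they will be copied
+into the built ramdisk, and IPA will be configured to use them.
+
+The environment variables are:
+- ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
+- ``DIB_IPA_KEY_FILE`` should point to the private key matching
+``DIB_IPA_CERT_FILE``.
+
+If having a certificate generated, you can configure how it's generated:
+- ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
+certificate. Defaults to "ipa-ramdisk.example.com".
+- ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
+Defaults to 1095 (three years).
+
+Note that the certificates generated by this element are self-signed, and
+any nodes using them will need to set agent_verify_ca=False in driver_info.
+
+This element can also configure client certificate validation in IPA. If you
+wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
+you wish IPA client connections to be validated against. This CA file will
+be copied into the built ramdisk, and IPA will be configured to use it.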

+ 3
- 0
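--- a/dib/ironic-python-agent-tls/element-deps
+++ b/dib/ironic-python-agent-tls/element-deps
@@ -0,0 +1,3 @@
+ironic-python-agent-ramdisk
+install-static
+package-installs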

+ 31
- 0
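--- a/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
+++ b/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
+KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
+CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
+CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
+
+if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
+echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
+openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
+else
+sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
+sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
+fi
+
+sudo cat <<EOF > $CONFFILE
+[DEFAULT]
+listen_tls = True
+
+[ssl]
+cert_file = /etc/ironic-python-agent.d/agent.crt
+key_file = /etc/ironic-python-agent.d/agent.key
+EOF
+
+if [[ -n $DIB_IPA_CA_FILE ]]; then
+echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
+cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
+sudo cat <<EOF >$CACONFFILE
+[ssl]
+ca_file = /etc/ironic-python-agent/agent.cacert.pem
+EOF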

+ 1
- 0
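--- a/dib/ironic-python-agent-tls/package-installs.yaml
+++ b/dib/ironic-python-agent-tls/package-installs.yaml
@@ -0,0 +1 @@
+openssl: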
