From da78fa099ff4db9fc4f2ca7f61eabc7075346293 Mon Sep 17 00:00:00 2001
From: Jay Faulkner
Date: Wed, 9 Sep 2020 14:54:48 -0700
Subject: [PATCH] Followups for TLS support

- Fixed a syntax error, and an ordering issue in DIB TLS element
- Removed unneeded deps, since openssl runs on build machine now

Change-Id: Idcdaefdb3aa80fd651ca6de35d18d3581ffe5116
---
 dib/ironic-python-agent-tls/element-deps | 2 --
 dib/ironic-python-agent-tls/package-installs.yaml | 1 -
 .../10-configure-ipa-tls | 15 ++++++++-------
 3 files changed, 8 insertions(+), 10 deletions(-)
 delete mode 100644 dib/ironic-python-agent-tls/package-installs.yaml
 rename dib/ironic-python-agent-tls/{extra-data.d => pre-finalize.d}/10-configure-ipa-tls (55%)

diff --git a/dib/ironic-python-agent-tls/element-deps b/dib/ironic-python-agent-tls/element-deps
index eb4f191..4069a28 100644
--- a/dib/ironic-python-agent-tls/element-deps
+++ b/dib/ironic-python-agent-tls/element-deps
@@ -1,3 +1 @@
 ironic-python-agent-ramdisk
-install-static
-package-installs
diff --git a/dib/ironic-python-agent-tls/package-installs.yaml b/dib/ironic-python-agent-tls/package-installs.yaml
deleted file mode 100644
index 7a32898..0000000
--- a/dib/ironic-python-agent-tls/package-installs.yaml
+++ /dev/null
@@ -1 +0,0 @@
-openssl:
diff --git a/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls b/dib/ironic-python-agent-tls/pre-finalize.d/10-configure-ipa-tls
similarity index 55%
rename from dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
rename to dib/ironic-python-agent-tls/pre-finalize.d/10-configure-ipa-tls
index dc8259d..005a3bb 100755
--- a/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
+++ b/dib/ironic-python-agent-tls/pre-finalize.d/10-configure-ipa-tls
@@ -1,19 +1,19 @@ #!/bin/bash # /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element -KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d -CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf -CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf +KEYDIR=$TMP_BUILD_DIR/mnt/etc/ironic-python-agent.d +CONFFILE=$KEYDIR/10-configure-tls.conf +CACONFFILE=$KEYDIR/11-configure-client-cert-ca.conf if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert" - openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt + sudo openssl req -new -nodes -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:-1095} -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:-ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt else sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key fi -sudo cat < $CONFFILE +cat <$CACONFFILE + sudo cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem + cat <