openstack
/
ironic-python-agent-builder
Code Issues Proposed changes
ironic-python-agent-builder/dib/ironic-python-agent-tls
History
Sharpz7 a48825d260 [codespell] Fixing Spelling Mistakes 
This is the first in a series of commits to add support for codespell. This is continuning the process completed in ironic-python-agent.

Future Commits will add a Tox Target, CI support and potentially a git-blame-ignore-revs file if their are lots of spelling mistakes that could clutter git blame.

Change-Id: I6ce80cc993cdd4c8d38266f3ff3f8f134f0fc5a9
 		2024-01-26 04:11:31 +00:00
..
pre-finalise.d Advertise HTTPS in IPA ramdisk without Ironic assist 2020-09-18 09:36:56 -07:00
README.rst [codespell] Fixing Spelling Mistakes 2024-01-26 04:11:31 +00:00
element-deps Followups for TLS support 2020-09-09 15:55:02 -07:00

README.rst

ironic-python-agent-tls

Adds TLS support to ironic-python-agent-ramdisk.

If enabled without any environment variables set to modify configuration, this element will enable TLS API support in IPA with a self-signed certificate and key created at build time.

Optionally, you can provide your own SSL certificate and key, and optionally ca, via the following environment variables. They should be set to an accessible path on the build systems filesystem. If set, they will be copied into the built ramdisk, and IPA will be configured to use them.

The environment variables are:
  • DIB_IPA_CERT_FILE should point to the TLS certificate for ramdisk use.
  • DIB_IPA_KEY_FILE should point to the private key matching DIB_IPA_CERT_FILE.
If having a certificate generated, you can configure how it's generated:
  • DIB_IPA_CERT_HOSTNAME the CN for the generated certificate. Defaults to "ipa-ramdisk.example.com".
  • DIB_IPA_CERT_EXPIRATION expiration, in days, for the certificate.

    Defaults to 1095 (three years).

Note that the certificates generated by this element are self-signed, and any nodes using them will need to set agent_verify_ca=False in driver_info.

This element can also configure client certificate validation in IPA. If you wish to validate client certificates, set DIB_IPA_CA_FILE to a CA file you wish IPA client connections to be validated against. This CA file will be copied into the built ramdisk, and IPA will be configured to use it.