Custom CA certificates installation mechanism

Change-Id: I0fd596d93a0e575a391250d4bed261ad370a3664
3 years ago · 79d857f9e7
4 changed files with 37 additions and 1 deletions
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@ -230,6 +230,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
 {% block base_redhat_binary_versionlock %}{% endblock %}
    {% if install_type == 'binary' %}
 {% set base_centos_binary_packages = [
+        'ca-certificates',
        'findutils',
        'iproute',
        'iscsi-initiator-utils',
@ -259,6 +260,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
    {% if install_type == 'source' %}

 {% set base_centos_source_packages = [
+    'ca-certificates',
    'curl',
    'iproute',
    'iscsi-initiator-utils',
@ -429,6 +431,7 @@ RUN sed -i -e "s+#\!/usr/bin/env python+#\!/usr/bin/env python3+g" /usr/local/bi
 {% endif %}

 COPY start.sh /usr/local/bin/kolla_start
+COPY copy_cacerts.sh /usr/local/bin/kolla_copy_cacerts
 COPY sudoers /etc/sudoers
 COPY curlrc /root/.curlrc

@ -461,7 +464,7 @@ ENTRYPOINT ["dumb-init", "--single-child", "--"]
 {% endif %}

 RUN touch /usr/local/bin/kolla_extend_start \
-    && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
+    && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs /usr/local/bin/kolla_copy_cacerts \
    && chmod 440 /etc/sudoers \
    && mkdir -p /var/log/kolla \
    && chown :kolla /var/log/kolla \
--- a/docker/base/copy_cacerts.sh
+++ b/docker/base/copy_cacerts.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copy custom CA certificates to system trusted CA certificates folder
+# and run CA update utility
+
+# Remove old certificates
+rm -f /usr/local/share/ca-certificates/kolla-customca-* \
+        /etc/pki/ca-trust/source/anchors/kolla-customca-*
+
+if [[ -d /var/lib/kolla/config_files/ca-certificates ]] && \
+        [[ ! -z "$(ls -A /var/lib/kolla/config_files/ca-certificates/)" ]]; then
+    if [[ -e /etc/debian_version ]]; then
+        # Debian, Ubuntu
+        for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+            file=$(basename "$cert")
+            cp $cert "/usr/local/share/ca-certificates/kolla-customca-$file"
+        done
+        update-ca-certificates
+    elif [[ -e /etc/redhat-release ]]; then
+        # CentOS, RHEL
+        for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+            file=$(basename "$cert")
+            cp $cert "/etc/pki/ca-trust/source/anchors/kolla-customca-$file"
+        done
+        update-ca-trust
+    fi
+fi
--- a/docker/base/start.sh
+++ b/docker/base/start.sh
@ -9,6 +9,9 @@ sudo -E kolla_set_configs
 CMD=$(cat /run_command)
 ARGS=""

+# Install/remove custom CA certificates
+sudo kolla_copy_cacerts
+
 if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then
    # Run additional commands if present
    . kolla_extend_start
--- a/docker/base/sudoers
+++ b/docker/base/sudoers
@ -15,4 +15,7 @@ root ALL=(ALL) ALL
 # root user via sudo without password confirmation
 %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs

+# Copy custom CA certificates to containers
+%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
+
 #includedir /etc/sudoers.d