
Custom CA certificates installation mechanism

Change-Id: I0fd596d93a0e575a391250d4bed261ad370a3664
changes/21/686121/8
Viktor Michalek 3 years ago committed by Radosław Piliszek
parent
commit
79d857f9e7
  1. 5
      docker/base/Dockerfile.j2
  2. 27
      docker/base/copy_cacerts.sh
  3. 3
      docker/base/start.sh
  4. 3
      docker/base/sudoers

5
docker/base/Dockerfile.j2

@ -230,6 +230,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
{% block base_redhat_binary_versionlock %}{% endblock %}
{% if install_type == 'binary' %}
{% set base_centos_binary_packages = [
'ca-certificates',
'findutils',
'iproute',
'iscsi-initiator-utils',
@ -259,6 +260,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
{% if install_type == 'source' %}
{% set base_centos_source_packages = [
'ca-certificates',
'curl',
'iproute',
'iscsi-initiator-utils',
@ -429,6 +431,7 @@ RUN sed -i -e "s+#\!/usr/bin/env python+#\!/usr/bin/env python3+g" /usr/local/bi
{% endif %}
COPY start.sh /usr/local/bin/kolla_start
COPY copy_cacerts.sh /usr/local/bin/kolla_copy_cacerts
COPY sudoers /etc/sudoers
COPY curlrc /root/.curlrc
@ -461,7 +464,7 @@ ENTRYPOINT ["dumb-init", "--single-child", "--"]
{% endif %}
RUN touch /usr/local/bin/kolla_extend_start \
&& chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
&& chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs /usr/local/bin/kolla_copy_cacerts \
&& chmod 440 /etc/sudoers \
&& mkdir -p /var/log/kolla \
&& chown :kolla /var/log/kolla \
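Review bot: The two package-list hunks add `ca-certificates` only to the CentOS/RHEL lists visible here, while the new kolla_copy_cacerts helper also calls `update-ca-certificates` on Debian/Ubuntu images, a tool shipped by Debian's own ca-certificates package; if the Debian/Ubuntu package lists (outside these hunks) do not already include it, the helper will fail with command-not-found on those images. Since kolla_copy_cacerts becomes a passwordless sudo target for the kolla group, the `chmod 755` in the last hunk must stay paired with the root ownership that COPY gives it; a comment such as `# root-owned, mode 755: the kolla group runs this as root via sudo` on the COPY line would make that invariant visible to the next person touching permissions here.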

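--- a/docker/base/copy_cacerts.sh
+++ b/docker/base/copy_cacerts.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Copy custom CA certificates to system trusted CA certificates folder
+# and run CA update utility
+# Remove old certificates
+rm -f /usr/local/share/ca-certificates/kolla-customca-* \
+/etc/pki/ca-trust/source/anchors/kolla-customca-*
+if [[ -d /var/lib/kolla/config_files/ca-certificates ]] && \
+[[ ! -z "$(ls -A /var/lib/kolla/config_files/ca-certificates/)" ]]; then
+if [[ -e /etc/debian_version ]]; then
+# Debian, Ubuntu
+for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+file=$(basename "$cert")
+cp $cert "/usr/local/share/ca-certificates/kolla-customca-$file"
+done
+update-ca-certificates
+elif [[ -e /etc/redhat-release ]]; then
+# CentOS, RHEL
+for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+file=$(basename "$cert")
+cp $cert "/etc/pki/ca-trust/source/anchors/kolla-customca-$file"
+done
+update-ca-trust
+fi
+fi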
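Review bot: Both copy loops leave `$cert` unquoted in `cp $cert ...` and the script runs without `set -e`, so a certificate path containing whitespace is word-split and a failing `cp` inside the loop is masked by the `update-ca-*` call that follows it; add `set -euo pipefail` after the shebang and write `cp -- "$cert" "/usr/local/share/ca-certificates/kolla-customca-$file"` (and the same for the anchors path). Because this runs as root via sudo, the header should also state the trust boundary: everything under /var/lib/kolla/config_files/ca-certificates is copied as-is and `cp` follows symlinks, so that directory must not be writable by the unprivileged kolla user (presumably a root-owned bind mount from the deployer, but confirm). One portability caveat worth a comment: on Debian/Ubuntu `update-ca-certificates` only picks up files ending in `.crt` under /usr/local/share/ca-certificates, so a `.pem` placed in the config directory is copied but silently ignored there while `update-ca-trust` on RHEL accepts it — either document `# custom CAs must be named *.crt to be picked up on Debian/Ubuntu` or normalize the destination name.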

3
docker/base/start.sh

@ -9,6 +9,9 @@ sudo -E kolla_set_configs
CMD=$(cat /run_command)
ARGS=""
# Install/remove custom CA certificates
sudo kolla_copy_cacerts
if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then
# Run additional commands if present
. kolla_extend_start
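Review bot: The exit status of the new `sudo kolla_copy_cacerts` line is not checked, so if the trust-store update fails the service still starts and only fails later with TLS handshake errors far from the cause; unless start.sh runs under `set -e` (its header is outside this hunk), write `sudo kolla_copy_cacerts || exit 1`, or at least log the failure to stderr. Unlike `sudo -E kolla_set_configs` just above it, this call apparently does not pass the caller's environment through, which is the safer choice for a root helper that works on fixed paths; a one-line comment such as `# no -E: the helper takes no input from the environment` would keep someone from "fixing" the inconsistency later.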

3
docker/base/sudoers

@ -15,4 +15,7 @@ root ALL=(ALL) ALL
# root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
# Copy custom CA certificates to containers
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
#includedir /etc/sudoers.d
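Review bot: The new rule lets the kolla group run kolla_copy_cacerts as root with any arguments, because a sudoers command with no argument list matches every argv; the script ignores its arguments today, but the rule is tighter as `%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts ""`, which permits only an argument-free invocation. The kolla_set_configs rule on the line above has the same shape, so this is a consistency decision for both entries rather than a new problem introduced here. It is also worth a comment that this rule allows any process running as kolla to rewrite the container's CA trust anchors from /var/lib/kolla/config_files/ca-certificates at will, so its safety rests on that directory and /usr/local/bin/kolla_copy_cacerts being root-owned and not writable by kolla.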
