Custom CA certificates installation mechanism

Change-Id: I0fd596d93a0e575a391250d4bed261ad370a3664
Viktor Michalek 2019-08-31 02:44:46 +02:00 committed by Radosław Piliszek
parent 138afba32e
commit 79d857f9e7
4 changed files with 37 additions and 1 deletions


@ -230,6 +230,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
{% block base_redhat_binary_versionlock %}{% endblock %} {% block base_redhat_binary_versionlock %}{% endblock %}
{% if install_type == 'binary' %} {% if install_type == 'binary' %}
{% set base_centos_binary_packages = [ {% set base_centos_binary_packages = [
'ca-certificates',
'findutils', 'findutils',
'iproute', 'iproute',
'iscsi-initiator-utils', 'iscsi-initiator-utils',
@ -259,6 +260,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
{% if install_type == 'source' %} {% if install_type == 'source' %}
{% set base_centos_source_packages = [ {% set base_centos_source_packages = [
'ca-certificates',
'curl', 'curl',
'iproute', 'iproute',
'iscsi-initiator-utils', 'iscsi-initiator-utils',
@ -429,6 +431,7 @@ RUN sed -i -e "s+#\!/usr/bin/env python+#\!/usr/bin/env python3+g" /usr/local/bi
{% endif %} {% endif %}
COPY start.sh /usr/local/bin/kolla_start COPY start.sh /usr/local/bin/kolla_start
COPY copy_cacerts.sh /usr/local/bin/kolla_copy_cacerts
COPY sudoers /etc/sudoers COPY sudoers /etc/sudoers
COPY curlrc /root/.curlrc COPY curlrc /root/.curlrc
@ -461,7 +464,7 @@ ENTRYPOINT ["dumb-init", "--single-child", "--"]
{% endif %} {% endif %}
RUN touch /usr/local/bin/kolla_extend_start \ RUN touch /usr/local/bin/kolla_extend_start \
&& chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \ && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs /usr/local/bin/kolla_copy_cacerts \
&& chmod 440 /etc/sudoers \ && chmod 440 /etc/sudoers \
&& mkdir -p /var/log/kolla \ && mkdir -p /var/log/kolla \
&& chown :kolla /var/log/kolla \ && chown :kolla /var/log/kolla \
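Review bot: The Debian/Ubuntu branch of the new copy_cacerts.sh relies on `update-ca-certificates`, which ships in the `ca-certificates` package, yet the only package-list changes in this section (hunks -230 and -259) add `ca-certificates` to the CentOS/RHEL binary and source lists; the Debian/Ubuntu lists are outside this section, so confirm they already carry the package, otherwise the script silently does nothing on those images. The RUN at -461 begins before and ends after the hunk. Its `chmod 755 … /usr/local/bin/kolla_copy_cacerts`, together with the root ownership COPY gives the file by default, is what keeps the script unwritable by the `kolla` group that the new sudoers rule lets run it as root; that dependency deserves a comment next to the COPY, e.g. `# kolla_copy_cacerts runs as root via sudoers: keep it root-owned and not group/world-writable`.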


@ -0,0 +1,27 @@
#!/bin/bash
# Copy custom CA certificates to system trusted CA certificates folder
# and run CA update utility
# Remove old certificates
rm -f /usr/local/share/ca-certificates/kolla-customca-* \
/etc/pki/ca-trust/source/anchors/kolla-customca-*
if [[ -d /var/lib/kolla/config_files/ca-certificates ]] && \
[[ ! -z "$(ls -A /var/lib/kolla/config_files/ca-certificates/)" ]]; then
if [[ -e /etc/debian_version ]]; then
# Debian, Ubuntu
for cert in /var/lib/kolla/config_files/ca-certificates/*; do
file=$(basename "$cert")
cp $cert "/usr/local/share/ca-certificates/kolla-customca-$file"
done
update-ca-certificates
elif [[ -e /etc/redhat-release ]]; then
# CentOS, RHEL
for cert in /var/lib/kolla/config_files/ca-certificates/*; do
file=$(basename "$cert")
cp $cert "/etc/pki/ca-trust/source/anchors/kolla-customca-$file"
done
update-ca-trust
fi
fi
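Review bot: The loop bodies copy whatever the glob returns into the system trust store while the script runs as root (it is invoked via the new NOPASSWD sudoers rule), but nothing checks that each entry is a regular file: a symlink or directory under config_files/ca-certificates is followed or fails with an unhelpful error, and the unquoted `cp $cert` breaks on names containing spaces or glob characters. There is also no `set -o errexit`, so a failed `cp` or a failed `update-ca-trust`/`update-ca-certificates` still exits 0 and the caller in start.sh (whose header is outside that hunk) cannot tell the trust store is incomplete. On Debian/Ubuntu, `update-ca-certificates` only processes files in /usr/local/share/ca-certificates whose name ends in `.crt`, so a certificate supplied as `foo.pem` is copied but never trusted; either document that requirement or append `.crt` when it is missing. The rewrite below folds the two near-identical loops into one, validates each entry, and propagates errors.
```shell
set -o errexit
# … unchanged: removal of old kolla-customca-* certificates …
if [[ -d /var/lib/kolla/config_files/ca-certificates ]] && \
    [[ -n "$(ls -A /var/lib/kolla/config_files/ca-certificates/)" ]]; then
    if [[ -e /etc/debian_version ]]; then
        # Debian, Ubuntu (update-ca-certificates only picks up *.crt files)
        target_dir=/usr/local/share/ca-certificates
        update_cmd=update-ca-certificates
    elif [[ -e /etc/redhat-release ]]; then
        # CentOS, RHEL
        target_dir=/etc/pki/ca-trust/source/anchors
        update_cmd=update-ca-trust
    else
        exit 0
    fi
    for cert in /var/lib/kolla/config_files/ca-certificates/*; do
        # Runs as root: accept only regular files, never follow symlinks
        if [[ -L "$cert" || ! -f "$cert" ]]; then
            echo "kolla_copy_cacerts: skipping non-regular file $cert" >&2
            continue
        fi
        file=$(basename "$cert")
        cp "$cert" "$target_dir/kolla-customca-$file"
    done
    "$update_cmd"
fi
```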


@ -9,6 +9,9 @@ sudo -E kolla_set_configs
CMD=$(cat /run_command) CMD=$(cat /run_command)
ARGS="" ARGS=""
# Install/remove custom CA certificates
sudo kolla_copy_cacerts
if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then
# Run additional commands if present # Run additional commands if present
. kolla_extend_start . kolla_extend_start


@ -15,4 +15,7 @@ root ALL=(ALL) ALL
# root user via sudo without password confirmation # root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
# Copy custom CA certificates to containers
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
#includedir /etc/sudoers.d #includedir /etc/sudoers.d
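Review bot: The new comment above the `kolla_copy_cacerts` rule says what the script does but not why granting it to the whole `%kolla` group as root is acceptable, which is the fact a later reviewer of this file needs: the rule is safe only while the script stays root-owned and non-writable by `kolla` and treats its input directory as untrusted. Suggest extending the comment to `# Copy custom CA certificates to containers; runs as root on files taken from /var/lib/kolla/config_files/ca-certificates, so the script must remain root-owned and validate its input`. Like the existing `kolla_set_configs` rule, the entry lists no arguments, so any arguments are permitted; that is fine as long as the script keeps ignoring them, and a note saying so would stop someone adding argument handling later without revisiting this file.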