Custom CA certificates installation mechanism
Change-Id: I0fd596d93a0e575a391250d4bed261ad370a3664
parent
138afba32e
commit
79d857f9e7
docker/base
@ -230,6 +230,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
|
||||
{% block base_redhat_binary_versionlock %}{% endblock %}
|
||||
{% if install_type == 'binary' %}
|
||||
{% set base_centos_binary_packages = [
|
||||
'ca-certificates',
|
||||
'findutils',
|
||||
'iproute',
|
||||
'iscsi-initiator-utils',
|
||||
@ -259,6 +260,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
|
||||
{% if install_type == 'source' %}
|
||||
|
||||
{% set base_centos_source_packages = [
|
||||
'ca-certificates',
|
||||
'curl',
|
||||
'iproute',
|
||||
'iscsi-initiator-utils',
|
||||
@ -429,6 +431,7 @@ RUN sed -i -e "s+#\!/usr/bin/env python+#\!/usr/bin/env python3+g" /usr/local/bi
|
||||
{% endif %}
|
||||
|
||||
COPY start.sh /usr/local/bin/kolla_start
|
||||
COPY copy_cacerts.sh /usr/local/bin/kolla_copy_cacerts
|
||||
COPY sudoers /etc/sudoers
|
||||
COPY curlrc /root/.curlrc
|
||||
|
||||
@ -461,7 +464,7 @@ ENTRYPOINT ["dumb-init", "--single-child", "--"]
|
||||
{% endif %}
|
||||
|
||||
RUN touch /usr/local/bin/kolla_extend_start \
|
||||
&& chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
|
||||
&& chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs /usr/local/bin/kolla_copy_cacerts \
|
||||
&& chmod 440 /etc/sudoers \
|
||||
&& mkdir -p /var/log/kolla \
|
||||
&& chown :kolla /var/log/kolla \
|
||||
|
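--- /dev/null
+++ b/docker/base/copy_cacerts.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copy custom CA certificates to system trusted CA certificates folder
+# and run CA update utility
+
+# Remove old certificates
+rm -f /usr/local/share/ca-certificates/kolla-customca-* \
+/etc/pki/ca-trust/source/anchors/kolla-customca-*
+
+if [[ -d /var/lib/kolla/config_files/ca-certificates ]] && \
+[[ ! -z "$(ls -A /var/lib/kolla/config_files/ca-certificates/)" ]]; then
+if [[ -e /etc/debian_version ]]; then
+# Debian, Ubuntu
+for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+file=$(basename "$cert")
+cp $cert "/usr/local/share/ca-certificates/kolla-customca-$file"
+done
+update-ca-certificates
+elif [[ -e /etc/redhat-release ]]; then
+# CentOS, RHEL
+for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+file=$(basename "$cert")
+cp $cert "/etc/pki/ca-trust/source/anchors/kolla-customca-$file"
+done
+update-ca-trust
+fi
+fi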
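Review bot: The `rm -f` of the old kolla-customca-* files at the top runs unconditionally, but update-ca-certificates / update-ca-trust only run inside the `if` when the config directory exists and is non-empty, so when the custom certificates are withdrawn (directory removed or emptied) the stale CA is still present in the previously generated trust bundle and remains trusted. The update utility for the detected distribution should run after the removal whether or not new certificates are present. The two `cp $cert ...` lines also leave `$cert` unquoted, and because the script has no `set -e` a failed copy (for example a subdirectory matched by the `*` glob) is silent while the update still runs; use `cp -- "$cert" "/usr/local/share/ca-certificates/kolla-customca-$file" || exit 1` and the equivalent on the RHEL branch. Since this script is invoked as root through the NOPASSWD sudo rule added in the same commit, restricting the loop to regular files with `[[ -f "$cert" ]] || continue` would also be prudent.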
@ -9,6 +9,9 @@ sudo -E kolla_set_configs
|
||||
CMD=$(cat /run_command)
|
||||
ARGS=""
|
||||
|
||||
# Install/remove custom CA certificates
|
||||
sudo kolla_copy_cacerts
|
||||
|
||||
if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then
|
||||
# Run additional commands if present
|
||||
. kolla_extend_start
|
||||
|
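Review bot: The new `sudo kolla_copy_cacerts` call ignores its exit status, and no `set -e` is visible in this part of start.sh, so a failed certificate install (copy error or update utility failure) goes unreported and the service starts against a trust store that may lack the custom CA. Consider `sudo kolla_copy_cacerts || exit 1`, or at minimum writing a diagnostic to stderr on failure. The enclosing script continues outside the hunk.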
@ -15,4 +15,7 @@ root ALL=(ALL) ALL
|
||||
# root user via sudo without password confirmation
|
||||
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
|
||||
|
||||
# Copy custom CA certificates to containers
|
||||
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
|
||||
|
||||
#includedir /etc/sudoers.d
|
||||
|
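Review bot: The new NOPASSWD rule lets any member of the kolla group run kolla_copy_cacerts as root, and that script's effect is entirely determined by the contents of /var/lib/kolla/config_files/ca-certificates, so the rule is only as safe as the write permissions on that directory and on the script itself. If either is writable by the kolla user, a process running as kolla can get an arbitrary certificate added to the container's root trust store. The comment should record that assumption so it is not lost later, e.g. `# Copy custom CA certificates to containers (source directory must not be writable by kolla)`.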