From 878ea354a48ec1ce96f038661fb2c99898d717a1 Mon Sep 17 00:00:00 2001
From: Jonathan Brownell
Date: Wed, 30 Jul 2014 10:37:28 -0700
Subject: [PATCH] ssl-ca: Allow CA certificate to be specified

Allow a CA certificate to be specified, and automatically add it to the default system CA bundle via a new "ssl-ca" DIB element. This is required for sites which use their own Certificate Authority.

This DIB element is safe to include on all images, regardless of whether or not it is activated with a valid CA certificate.

Based on SSL PKI spec: I32473fe797a4c1e28d14c3b82c8892c7c59a4e55

Depends on t-h-t update for ssl.ca_certificate property via Heat: Ibacd7c98980520e11c0df89632013f2ba2dbe370

Change-Id: I3441b4b688aacb2bb8d8326ee72f87974dd554ff
---
 elements/ssl-ca/README.md                                  | 18 ++++++++++
 .../os-apply-config/etc/ssl/from-heat-ca.crt               |  1 +
 .../configure.d/51-ssl-load-ca-certs                       | 33 +++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 elements/ssl-ca/README.md
 create mode 100644 elements/ssl-ca/os-apply-config/etc/ssl/from-heat-ca.crt
 create mode 100755 elements/ssl-ca/os-refresh-config/configure.d/51-ssl-load-ca-certs

diff --git a/elements/ssl-ca/README.md b/elements/ssl-ca/README.md
new file mode 100644
index 000000000..f17c1c9ba
--- /dev/null
+++ b/elements/ssl-ca/README.md
@@ -0,0 +1,18 @@ +Install and trust a CA at the operating system level, making it available for use by +OpenStack services and other network clients authenticating SSL-secured connections. + +Configuration +------------- + +ssl: + ca_certificate: certdata + +The CA certificate will be written to /etc/ssl/from-heat-ca.crt and installed using +update-ca-certificates (apt-based distros) or update-ca-trusts (yum-based distros). + +This may be used in conjunction with openstack-ssl to enable SSL-secure connections +between OpenStack services, or independently to enable secure integration with +external resources such as Keystone -> LDAP server or Cinder -> external backend. + +If multiple CA certificates are to be trusted, they should be concatenated in PEM +format within the single ca_certificate property defining the trust store. diff --git a/elements/ssl-ca/os-apply-config/etc/ssl/from-heat-ca.crt b/elements/ssl-ca/os-apply-config/etc/ssl/from-heat-ca.crt new file mode 100644 index 000000000..30a5b0d38 --- /dev/null +++ b/elements/ssl-ca/os-apply-config/etc/ssl/from-heat-ca.crt @@ -0,0 +1 @@ +{{ssl.ca_certificate}} diff --git a/elements/ssl-ca/os-refresh-config/configure.d/51-ssl-load-ca-certs b/elements/ssl-ca/os-refresh-config/configure.d/51-ssl-load-ca-certs new file mode 100755 index 000000000..90437152a --- /dev/null +++ b/elements/ssl-ca/os-refresh-config/configure.d/51-ssl-load-ca-certs 
@@ -0,0 +1,33 @@ +#!/bin/bash +# Copyright 2014 Hewlett-Packard Development Company, L.P. +# +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -eux +set -o pipefail + +CA_CERT=/etc/ssl/from-heat-ca.crt + +if [ -s ${CA_CERT} ]; then + if [[ "ubuntu debian" =~ "${DISTRO_NAME}" ]]; then + # On Debian, place the CA certificate where 'update-ca-certificates' will find it + cp ${CA_CERT} /usr/local/share/ca-certificates/from-heat-ca.crt + update-ca-certificates + else + # On RPM-based distros, place the CA certificate where 'update-ca-trust' will find it + cp ${CA_CERT} /etc/pki/ca-trust/source/anchors/from-heat-ca.crt + update-ca-trust + fi +fi
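Review bot: The README hunk names the RPM-side tool as `update-ca-trusts`, but the script in this same patch calls `update-ca-trust`, which is the correct name; please fix the README so operators searching for the command find the right one. It would also help to state in the README that the value is installed verbatim as a trust anchor for every TLS client on the host, so a mistyped or overly broad `ca_certificate` silently widens what the whole system trusts, and that the property is therefore worth treating with the same care as any other credential-like Heat parameter.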
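Review bot: The `from-heat-ca.crt` template is just `{{ssl.ca_certificate}}` with no fallback, yet the commit message promises the element is safe to include on images where the property is never set, and the script's `[ -s ${CA_CERT} ]` test assumes the file is rendered but empty in that case. Please confirm in the commit message (or the README) what os-apply-config does with this template when `ssl.ca_certificate` is absent from the metadata, since a render failure there would make the element unsafe to include by default rather than a no-op.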
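Review bot: The distro test in `51-ssl-load-ca-certs` is inverted: `[[ "ubuntu debian" =~ "${DISTRO_NAME}" ]]` asks whether `DISTRO_NAME` is a substring of the literal `"ubuntu debian"`, so values such as `u`, `ubuntu deb` or an empty string all select the Debian branch, and with `set -u` an unset `DISTRO_NAME` aborts the script outright instead of falling through. A `case "${DISTRO_NAME}" in ubuntu|debian) ... ;; *) ... ;; esac` expresses the intent without the substring ambiguity. Two smaller points: the script copies whatever is in the file into the system trust store without checking that it parses as a PEM certificate (an `openssl x509 -noout -in "${CA_CERT}"` guard before the `cp` would reject garbage early rather than leaving a broken anchor file for `update-ca-certificates`/`update-ca-trust` to warn about), and the `else` branch assumes every non-Debian image has `update-ca-trust`, which the README should state as a supported-platform limitation.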