ssl-ca: Allow CA certificate to be specified

Allow a CA certificate to be specified, and automatically add it to the default system CA bundle via a new "ssl-ca" DIB element. This is required for sites which use their own Certificate Authority. This DIB element is safe to include on all images, regardless of whether or not it is activated with a valid CA certificate. Based on SSL PKI spec: I32473fe797a4c1e28d14c3b82c8892c7c59a4e55 Depends on t-h-t update for ssl.ca_certificate property via Heat: Ibacd7c98980520e11c0df89632013f2ba2dbe370 Change-Id: I3441b4b688aacb2bb8d8326ee72f87974dd554ff
2014-07-30 10:37:28 -07:00 · 2014-07-30 10:37:28 -07:00 · 878ea354a4
commit 878ea354a4
parent 5cd8695248
3 changed files with 52 additions and 0 deletions
--- a/elements/ssl-ca/README.md
+++ b/elements/ssl-ca/README.md
@ -0,0 +1,18 @@
+Install and trust a CA at the operating system level, making it available for use by
+OpenStack services and other network clients authenticating SSL-secured connections.
+
+Configuration
+-------------
+
+ssl:
+  ca_certificate: certdata
+
+The CA certificate will be written to /etc/ssl/from-heat-ca.crt and installed using
+update-ca-certificates (apt-based distros) or update-ca-trusts (yum-based distros).
+
+This may be used in conjunction with openstack-ssl to enable SSL-secure connections
+between OpenStack services, or independently to enable secure integration with
+external resources such as Keystone -> LDAP server or Cinder -> external backend.
+
+If multiple CA certificates are to be trusted, they should be concatenated in PEM
+format within the single ca_certificate property defining the trust store.
--- a/elements/ssl-ca/os-apply-config/etc/ssl/from-heat-ca.crt
+++ b/elements/ssl-ca/os-apply-config/etc/ssl/from-heat-ca.crt
@ -0,0 +1 @@
+{{ssl.ca_certificate}}
--- a/elements/ssl-ca/os-refresh-config/configure.d/51-ssl-load-ca-certs
+++ b/elements/ssl-ca/os-refresh-config/configure.d/51-ssl-load-ca-certs
@ -0,0 +1,33 @@
+#!/bin/bash
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -eux
+set -o pipefail
+
+CA_CERT=/etc/ssl/from-heat-ca.crt
+
+if [ -s ${CA_CERT} ]; then
+  if [[ "ubuntu debian" =~ "${DISTRO_NAME}" ]]; then
+    # On Debian, place the CA certificate where 'update-ca-certificates' will find it
+    cp ${CA_CERT} /usr/local/share/ca-certificates/from-heat-ca.crt
+    update-ca-certificates
+  else
+    # On RPM-based distros, place the CA certificate where 'update-ca-trust' will find it
+    cp ${CA_CERT} /etc/pki/ca-trust/source/anchors/from-heat-ca.crt
+    update-ca-trust
+  fi
+fi