Add element to configure IPA with TLS, use configdir
First, this change preconfigures IPA to use a configdir. This will permit deployers to add or modify IPA configuration in elements. This change was a prerequisite to adding additional DIB elements which require configuration. Additionally, this adds a DIB element to configure TLS support for IPA's API. If added to a ramdisk build with no configuration, it will create a self-signed certificate and configure IPA to use it. It also exposes various environment variables to allow deployers to use preexisting certificates or CA files. Change-Id: Ibf88937766fa32f72b90ca81f9e8fba3515b6e33
This commit is contained in:
parent
710ff8fa9c
commit
79715dd750
@ -19,4 +19,4 @@ pre-start script
|
||||
echo Starting Ironic Python Agent
|
||||
end script
|
||||
|
||||
exec /usr/local/bin/ironic-python-agent
|
||||
exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
|
||||
|
@ -18,7 +18,7 @@ SCRIPT_NAME=/usr/local/bin/${NAME}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
$SCRIPT_NAME
|
||||
$SCRIPT_NAME --config-dir /etc/ironic-python-agent.d/
|
||||
;;
|
||||
stop)
|
||||
;;
|
||||
|
@ -4,7 +4,7 @@ After=network-online.target
|
||||
|
||||
[Service]
|
||||
ExecStartPre=/sbin/modprobe vfat
|
||||
ExecStart=/usr/local/bin/ironic-python-agent
|
||||
ExecStart=/usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
|
||||
Restart=always
|
||||
RestartSec=30s
|
||||
|
||||
|
@ -0,0 +1,3 @@
|
||||
Files ending in *.conf in this directory will be loading in alphabetical
|
||||
order. When a config setting is set multiple times, the last one read
|
||||
will take precedence.
|
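Review bot: "will be loading in alphabetical order" should read "will be loaded in alphabetical order". It would also help deployers to spell out that only files matching `*.conf` are parsed, so other files dropped into this directory (for example the `agent.crt` and `agent.key` that the TLS element writes alongside its `.conf` files) are not read as configuration.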
32
dib/ironic-python-agent-tls/README.rst
Normal file
@ -0,0 +1,32 @@
|
||||
=======================
|
||||
ironic-python-agent-tls
|
||||
=======================
|
||||
Adds TLS support to ironic-python-agent-ramdisk.
|
||||
|
||||
If enabled without any environment variables set to modify configuration,
|
||||
this element will enable TLS API support in IPA with a self-signed certificate
|
||||
and key created at build time.
|
||||
|
||||
Optionally, you can provide your own SSL certifiate and key, and optionally
|
||||
ca, via the following environment variables. They should be set to an
|
||||
accessible path on the build systems filesystem. If set, they will be copied
|
||||
into the built ramdisk, and IPA will be configured to use them.
|
||||
|
||||
The environment variables are:
|
||||
- ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
|
||||
- ``DIB_IPA_KEY_FILE`` should point to the private key matching
|
||||
``DIB_IPA_CERT_FILE``.
|
||||
|
||||
If having a certificate generated, you can configure how it's generated:
|
||||
- ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
|
||||
certificate. Defaults to "ipa-ramdisk.example.com".
|
||||
- ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
|
||||
Defaults to 1095 (three years).
|
||||
|
||||
Note that the certificates generated by this element are self-signed, and
|
||||
any nodes using them will need to set agent_verify_ca=False in driver_info.
|
||||
|
||||
This element can also configure client certificate validation in IPA. If you
|
||||
wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
|
||||
you wish IPA client connections to be validated against. This CA file will
|
||||
be copied into the built ramdisk, and IPA will be configured to use it.
|
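Review bot: the "and optionally ca" clause in "you can provide your own SSL certifiate and key, and optionally ca" is misleading, since the variable list that follows covers only ``DIB_IPA_CERT_FILE`` and ``DIB_IPA_KEY_FILE``, while ``DIB_IPA_CA_FILE`` (documented in the last paragraph) configures validation of client certificates rather than the server's own chain; suggest dropping that clause. Spelling and grammar: "certifiate" should be "certificate", "build systems filesystem" should be "build system's filesystem", and "If having a certificate generated" reads better as "If a certificate is generated for you". The sentence stating that nodes using the self-signed certificate must set `agent_verify_ca=False` deserves emphasis (a `.. note::` or `.. warning::` block in RST), because that setting disables certificate verification on the conductor side; deployers who can should instead supply ``DIB_IPA_CERT_FILE``/``DIB_IPA_KEY_FILE`` with a certificate the conductor already trusts.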
3
dib/ironic-python-agent-tls/element-deps
Normal file
@ -0,0 +1,3 @@
|
||||
ironic-python-agent-ramdisk
|
||||
install-static
|
||||
package-installs
|
31
dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
Executable file
@ -0,0 +1,31 @@
|
||||
#!/bin/bash
|
||||
|
||||
# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
|
||||
KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
|
||||
CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
|
||||
CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
|
||||
|
||||
if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
|
||||
echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
|
||||
openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
|
||||
else
|
||||
sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
|
||||
sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
|
||||
fi
|
||||
|
||||
sudo cat <<EOF > $CONFFILE
|
||||
[DEFAULT]
|
||||
listen_tls = True
|
||||
|
||||
[ssl]
|
||||
cert_file = /etc/ironic-python-agent.d/agent.crt
|
||||
key_file = /etc/ironic-python-agent.d/agent.key
|
||||
EOF
|
||||
|
||||
if [[ -n $DIB_IPA_CA_FILE ]]; then
|
||||
echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
|
||||
cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
|
||||
sudo cat <<EOF >$CACONFFILE
|
||||
[ssl]
|
||||
ca_file = /etc/ironic-python-agent/agent.cacert.pem
|
||||
EOF
|
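Review bot: this script cannot run as written: the `if [[ -n $DIB_IPA_CA_FILE ]]; then` block at the end is never closed (the hunk adds 31 lines and the last one is the heredoc's `EOF`, with no `fi`), so bash aborts with a syntax error before executing anything. Append `fi` after the second heredoc. Second, the parameter expansions in the openssl line use the `${VAR:word}` form, which in bash is substring expansion, not a default value: `${DIB_IPA_CERT_EXPIRATION:1095}` expands to the substring starting at offset 1095 (empty when the variable is unset), and `${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}` treats the hostname as an arithmetic offset and fails to evaluate. Both need `:-`, i.e. `-days ${DIB_IPA_CERT_EXPIRATION:-1095}` and `CN=${DIB_IPA_CERT_HOSTNAME:-ipa-ramdisk.example.com}`. Third, the written `ca_file = /etc/ironic-python-agent/agent.cacert.pem` does not match where the file is copied (`$KEYDIR/agent.cacert.pem`, i.e. `/etc/ironic-python-agent.d/agent.cacert.pem`), so client-certificate validation would fail at agent start because the CA file is missing; use the `.d` path. Smaller points: `sudo cat <<EOF > $CONFFILE` runs `cat` as root but the redirection is performed by the unprivileged shell, so it gains nothing (`sudo tee $CONFFILE >/dev/null <<EOF` is the usual pattern); the `openssl ... -keyout $KEYDIR/agent.key` and `cp $DIB_IPA_CA_FILE` calls lack the `sudo` the neighbouring `cp` calls have; the `-z ... && -z ...` condition falls through to the copy branch when only one of the two variables is set, so it should either require both or fail loudly; and the private key is created with the default umask, so a `chmod 0600` on `agent.key` inside the image would be prudent. Adding `set -eu` at the top would make a failed copy abort the build instead of producing a ramdisk that cannot bring up TLS.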
1
dib/ironic-python-agent-tls/package-installs.yaml
Normal file
@ -0,0 +1 @@
|
||||
openssl:
|
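Review bot: installing `openssl` into the image via package-installs does not serve the certificate generation in this element, because `extra-data.d` hooks run on the build host outside the image chroot, so the `openssl req` call in `10-configure-ipa-tls` uses the host's binary. Either document that the build host needs openssl, or move the generation into a hook that runs inside the chroot if the intent is to use the image's copy; if nothing in the ramdisk itself needs the openssl CLI, this dependency can be dropped.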