Add element to configure IPA with TLS, use configdir
First, this change preconfigures IPA to use a configdir. This will permit deployers to add or modify IPA configuration in elements. This change was a prerequisite to adding additional DIB elements which require configuration. Additionally, this adds a DIB element to configure TLS support for IPA's API. If added to a ramdisk build with no configuration, it will create a self-signed certificate and configure IPA to use it. It also exposes various environment variables to allow deployers to use preexisting certificates or CA files.

Change-Id: Ibf88937766fa32f72b90ca81f9e8fba3515b6e33
This commit is contained in:
parent
710ff8fa9c
commit
79715dd750
@ -19,4 +19,4 @@ pre-start script
|
|||||||
echo Starting Ironic Python Agent
|
echo Starting Ironic Python Agent
|
||||||
end script
|
end script
|
||||||
|
|
||||||
exec /usr/local/bin/ironic-python-agent
|
exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
|
||||||
|
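Review bot: the literal `--config-dir /etc/ironic-python-agent.d/` is now hard-coded here and again in the sysv script and the systemd unit in the following hunks, so any later change of the path has to be made in three places; consider documenting the path once in the element README so deployers and future edits have a single reference. The README added later in this change says that later-read settings win; it should also state whether the directory is read in addition to the default ironic-python-agent.conf, since this is what a deployer debugging precedence will ask.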
@ -18,7 +18,7 @@ SCRIPT_NAME=/usr/local/bin/${NAME}
|
|||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
$SCRIPT_NAME
|
$SCRIPT_NAME --config-dir /etc/ironic-python-agent.d/
|
||||||
;;
|
;;
|
||||||
stop)
|
stop)
|
||||||
;;
|
;;
|
||||||
|
@ -4,7 +4,7 @@ After=network-online.target
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStartPre=/sbin/modprobe vfat
|
ExecStartPre=/sbin/modprobe vfat
|
||||||
ExecStart=/usr/local/bin/ironic-python-agent
|
ExecStart=/usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=30s
|
RestartSec=30s
|
||||||
|
|
||||||
|
@ -0,0 +1,3 @@
|
|||||||
|
Files ending in *.conf in this directory will be loading in alphabetical
|
||||||
|
order. When a config setting is set multiple times, the last one read
|
||||||
|
will take precedence.
|
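Review bot: typo in the first line, "will be loading" should read "will be loaded". It would also help to state here that the init scripts pass `--config-dir /etc/ironic-python-agent.d/` to the agent, and whether the default ironic-python-agent.conf is still read alongside this directory.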
32
dib/ironic-python-agent-tls/README.rst
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
=======================
|
||||||
|
ironic-python-agent-tls
|
||||||
|
=======================
|
||||||
|
Adds TLS support to ironic-python-agent-ramdisk.
|
||||||
|
|
||||||
|
If enabled without any environment variables set to modify configuration,
|
||||||
|
this element will enable TLS API support in IPA with a self-signed certificate
|
||||||
|
and key created at build time.
|
||||||
|
|
||||||
|
Optionally, you can provide your own SSL certifiate and key, and optionally
|
||||||
|
ca, via the following environment variables. They should be set to an
|
||||||
|
accessible path on the build systems filesystem. If set, they will be copied
|
||||||
|
into the built ramdisk, and IPA will be configured to use them.
|
||||||
|
|
||||||
|
The environment variables are:
|
||||||
|
- ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
|
||||||
|
- ``DIB_IPA_KEY_FILE`` should point to the private key matching
|
||||||
|
``DIB_IPA_CERT_FILE``.
|
||||||
|
|
||||||
|
If having a certificate generated, you can configure how it's generated:
|
||||||
|
- ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
|
||||||
|
certificate. Defaults to "ipa-ramdisk.example.com".
|
||||||
|
- ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
|
||||||
|
Defaults to 1095 (three years).
|
||||||
|
|
||||||
|
Note that the certificates generated by this element are self-signed, and
|
||||||
|
any nodes using them will need to set agent_verify_ca=False in driver_info.
|
||||||
|
|
||||||
|
This element can also configure client certificate validation in IPA. If you
|
||||||
|
wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
|
||||||
|
you wish IPA client connections to be validated against. This CA file will
|
||||||
|
be copied into the built ramdisk, and IPA will be configured to use it.
|
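Review bot: `DIB_IPA_CA_FILE` is mentioned as an optional "ca" in the introductory paragraph but is missing from the "The environment variables are:" list, and its actual purpose (client certificate validation, explained only in the last paragraph) is not what "cert, key and ca" suggests; list it with the other variables and say there that it enables client certificate validation rather than supplying a chain for the server certificate. Typos: "certifiate" should be "certificate" and "build systems filesystem" should be "build system's filesystem". The instruction to set `agent_verify_ca=False` in driver_info should say plainly that this disables verification of the agent certificate by the conductor, so the self-signed default does not protect against an active man-in-the-middle between conductor and ramdisk; recommend `DIB_IPA_CERT_FILE`/`DIB_IPA_KEY_FILE` with a certificate issued by a CA the conductor trusts for production deployments.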
3
dib/ironic-python-agent-tls/element-deps
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
ironic-python-agent-ramdisk
|
||||||
|
install-static
|
||||||
|
package-installs
|
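Review bot: `install-static` is listed as a dependency, but this change adds no `static/` tree for it to copy into the image; either drop the dependency or add the static files it is meant for. `package-installs` is needed for the package-installs.yaml below.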
31
dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
Executable file
@ -0,0 +1,31 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
|
||||||
|
KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
|
||||||
|
CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
|
||||||
|
CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
|
||||||
|
|
||||||
|
if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
|
||||||
|
echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
|
||||||
|
openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
|
||||||
|
else
|
||||||
|
sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
|
||||||
|
sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
|
||||||
|
fi
|
||||||
|
|
||||||
|
sudo cat <<EOF > $CONFFILE
|
||||||
|
[DEFAULT]
|
||||||
|
listen_tls = True
|
||||||
|
|
||||||
|
[ssl]
|
||||||
|
cert_file = /etc/ironic-python-agent.d/agent.crt
|
||||||
|
key_file = /etc/ironic-python-agent.d/agent.key
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [[ -n $DIB_IPA_CA_FILE ]]; then
|
||||||
|
echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
|
||||||
|
cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
|
||||||
|
sudo cat <<EOF >$CACONFFILE
|
||||||
|
[ssl]
|
||||||
|
ca_file = /etc/ironic-python-agent/agent.cacert.pem
|
||||||
|
EOF
|
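Review bot: the CA file is copied to `$KEYDIR/agent.cacert.pem`, i.e. /etc/ironic-python-agent.d/agent.cacert.pem, but the generated config sets `ca_file = /etc/ironic-python-agent/agent.cacert.pem`, so client certificate validation will not find the CA at runtime; use the same /etc/ironic-python-agent.d/ path as `cert_file` and `key_file`. Second, `${DIB_IPA_CERT_EXPIRATION:1095}` and `${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}` are substring expansions, not defaults; the `:-` form is needed (`${DIB_IPA_CERT_EXPIRATION:-1095}`, `${DIB_IPA_CERT_HOSTNAME:-ipa-ramdisk.example.com}`), otherwise an unset expiration yields an empty `-days` argument and the CN expansion is a bash substitution error. Third, `sudo cat <<EOF > $CONFFILE` runs only `cat` as root while the redirection is opened by the unprivileged shell, so the write into the mounted image fails where the `sudo cp` calls succeed; use `sudo tee "$CONFFILE" <<EOF >/dev/null` (same for `$CACONFFILE`), and note that `cp $DIB_IPA_CA_FILE` and the openssl `-keyout`/`-out` into `$KEYDIR` also run without sudo. Fourth, the `if` only generates a certificate when both variables are empty; if exactly one is set the else branch runs `cp` with an empty source, so exit with an error in that case instead. Finally, the script has no `set -e`, so a failed openssl or cp does not fail the image build, and the private key written to `$KEYDIR/agent.key` should be given an explicit restrictive mode (e.g. 0600) so it is not world-readable inside the ramdisk.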
1
dib/ironic-python-agent-tls/package-installs.yaml
Normal file
@ -0,0 +1 @@
|
|||||||
|
openssl:
|
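Review bot: this installs `openssl` into the image, but the only consumer in this change is `extra-data.d/10-configure-ipa-tls`, which runs on the build host outside the chroot (it writes under `$TMP_MOUNT_PATH`) and therefore uses the host's openssl, not the image's. Unless the ramdisk needs the openssl CLI for some other reason, drop this package and instead document the build-host requirement and check for the binary in the script.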