diff --git a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
index 6fe38dc..bc2686e 100644
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
@@ -19,4 +19,4 @@ pre-start script
 echo Starting Ironic Python Agent
 end script
-exec /usr/local/bin/ironic-python-agent
+exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
diff --git a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
index 7ecb3a0..5261a6c 100755
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
@@ -18,7 +18,7 @@ SCRIPT_NAME=/usr/local/bin/${NAME}
 case "$1" in
 start)
- $SCRIPT_NAME
+ $SCRIPT_NAME --config-dir /etc/ironic-python-agent.d/
 ;;
 stop)
 ;;
diff --git a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
index d6e4ca2..4d23a1f 100644
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
@@ -4,7 +4,7 @@ After=network-online.target
 [Service]
 ExecStartPre=/sbin/modprobe vfat
-ExecStart=/usr/local/bin/ironic-python-agent
+ExecStart=/usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
 Restart=always
 RestartSec=30s
diff --git a/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README b/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
new file mode 100644
index 0000000..87cfc15
--- /dev/null
+++ b/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
@@ -0,0 +1,3 @@
+Files ending in *.conf in this directory will be loading in alphabetical
+order. When a config setting is set multiple times, the last one read
+will take precedence.
diff --git a/dib/ironic-python-agent-tls/README.rst b/dib/ironic-python-agent-tls/README.rst
new file mode 100644
index 0000000..d19351e
--- /dev/null
+++ b/dib/ironic-python-agent-tls/README.rst
@@ -0,0 +1,32 @@
+=======================
+ironic-python-agent-tls
+=======================
+Adds TLS support to ironic-python-agent-ramdisk.
+
+If enabled without any environment variables set to modify configuration,
+this element will enable TLS API support in IPA with a self-signed certificate
+and key created at build time.
+
+Optionally, you can provide your own SSL certifiate and key, and optionally
+ca, via the following environment variables. They should be set to an
+accessible path on the build systems filesystem. If set, they will be copied
+into the built ramdisk, and IPA will be configured to use them.
+
+The environment variables are:
+ - ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
+ - ``DIB_IPA_KEY_FILE`` should point to the private key matching
+ ``DIB_IPA_CERT_FILE``.
+
+If having a certificate generated, you can configure how it's generated:
+ - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
+ certificate. Defaults to "ipa-ramdisk.example.com".
+ - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
+ Defaults to 1095 (three years).
+
+Note that the certificates generated by this element are self-signed, and
+any nodes using them will need to set agent_verify_ca=False in driver_info.
+
+This element can also configure client certificate validation in IPA. If you
+wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
+you wish IPA client connections to be validated against. This CA file will
+be copied into the built ramdisk, and IPA will be configured to use it.
diff --git a/dib/ironic-python-agent-tls/element-deps b/dib/ironic-python-agent-tls/element-deps
new file mode 100644
index 0000000..eb4f191
--- /dev/null
+++ b/dib/ironic-python-agent-tls/element-deps
@@ -0,0 +1,3 @@
+ironic-python-agent-ramdisk
+install-static
+package-installs
diff --git a/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls b/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
new file mode 100755
index 0000000..dc8259d
--- /dev/null
+++ b/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
+KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
+CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
+CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
+
+if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
+echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
+openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
+else
+sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
+sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
+fi
+
+sudo cat < $CONFFILE
+[DEFAULT]
+listen_tls = True
+
+[ssl]
+cert_file = /etc/ironic-python-agent.d/agent.crt
+key_file = /etc/ironic-python-agent.d/agent.key
+EOF
+
+if [[ -n $DIB_IPA_CA_FILE ]]; then
+echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
+cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
+sudo cat <$CACONFFILE
+[ssl]
+ca_file = /etc/ironic-python-agent/agent.cacert.pem
+EOF
diff --git a/dib/ironic-python-agent-tls/package-installs.yaml b/dib/ironic-python-agent-tls/package-installs.yaml
new file mode 100644
index 0000000..7a32898
--- /dev/null
+++ b/dib/ironic-python-agent-tls/package-installs.yaml
@@ -0,0 +1 @@
+openssl: