From 79715dd750757da903d900a33cd259457d020b98 Mon Sep 17 00:00:00 2001
From: Jay Faulkner
Date: Thu, 20 Aug 2020 22:39:17 +0000
Subject: [PATCH] Add element to configure IPA with TLS, use configdir

First, this change preconfigures IPA to use a configdir. This will permit deployers to add or modify IPA configuration in elements. This change was a prerequisite to adding additional DIB elements which require configuration.

Additionally, this adds a DIB element to configure TLS support for IPA's API. If added to a ramdisk build with no configuration, it will create a self-signed certificate and configure IPA to use it. It also exposes various environment variables to allow deployers to use preexisting certificates or CA files.

Change-Id: Ibf88937766fa32f72b90ca81f9e8fba3515b6e33
---
 .../ironic-python-agent.conf | 2 +-
 .../ironic-python-agent.init | 2 +-
 .../ironic-python-agent.service | 2 +-
 .../static/etc/ironic-python-agent.d/README | 3 ++
 dib/ironic-python-agent-tls/README.rst | 32 +++++++++++++++++++
 dib/ironic-python-agent-tls/element-deps | 3 ++
 .../extra-data.d/10-configure-ipa-tls | 31 ++++++++++++++++++
 .../package-installs.yaml | 1 +
 8 files changed, 73 insertions(+), 3 deletions(-)
 create mode 100644 dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
 create mode 100644 dib/ironic-python-agent-tls/README.rst
 create mode 100644 dib/ironic-python-agent-tls/element-deps
 create mode 100755 dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
 create mode 100644 dib/ironic-python-agent-tls/package-installs.yaml

diff --git a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
index 6fe38dc..bc2686e 100644
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf
@@ -19,4 +19,4 @@ pre-start script
 echo Starting Ironic Python Agent
 end script
-exec /usr/local/bin/ironic-python-agent
+exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
diff --git a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
index 7ecb3a0..5261a6c 100755
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.init
@@ -18,7 +18,7 @@ SCRIPT_NAME=/usr/local/bin/${NAME}
 case "$1" in
 start)
- $SCRIPT_NAME
+ $SCRIPT_NAME --config-dir /etc/ironic-python-agent.d/
 ;;
 stop)
 ;;
diff --git a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
index d6e4ca2..4d23a1f 100644
--- a/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
+++ b/dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.service
@@ -4,7 +4,7 @@ After=network-online.target
 [Service]
 ExecStartPre=/sbin/modprobe vfat
-ExecStart=/usr/local/bin/ironic-python-agent
+ExecStart=/usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/
 Restart=always
 RestartSec=30s
diff --git a/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README b/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
new file mode 100644
index 0000000..87cfc15
--- /dev/null
+++ b/dib/ironic-python-agent-ramdisk/static/etc/ironic-python-agent.d/README
@@ -0,0 +1,3 @@
+Files ending in *.conf in this directory will be loading in alphabetical
+order. When a config setting is set multiple times, the last one read
+will take precedence.
diff --git a/dib/ironic-python-agent-tls/README.rst b/dib/ironic-python-agent-tls/README.rst
new file mode 100644
index 0000000..d19351e
--- /dev/null
+++ b/dib/ironic-python-agent-tls/README.rst
@@ -0,0 +1,32 @@
+=======================
+ironic-python-agent-tls
+=======================
+Adds TLS support to ironic-python-agent-ramdisk.
+
+If enabled without any environment variables set to modify configuration,
+this element will enable TLS API support in IPA with a self-signed certificate
+and key created at build time.
+
+Optionally, you can provide your own SSL certifiate and key, and optionally
+ca, via the following environment variables. They should be set to an
+accessible path on the build systems filesystem. If set, they will be copied
+into the built ramdisk, and IPA will be configured to use them.
+
+The environment variables are:
+ - ``DIB_IPA_CERT_FILE`` should point to the TLS certificate for ramdisk use.
+ - ``DIB_IPA_KEY_FILE`` should point to the private key matching
+ ``DIB_IPA_CERT_FILE``.
+
+If having a certificate generated, you can configure how it's generated:
+ - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated
+ certificate. Defaults to "ipa-ramdisk.example.com".
+ - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate.
+ Defaults to 1095 (three years).
+
+Note that the certificates generated by this element are self-signed, and
+any nodes using them will need to set agent_verify_ca=False in driver_info.
+
+This element can also configure client certificate validation in IPA. If you
+wish to validate client certificates, set ``DIB_IPA_CA_FILE`` to a CA file
+you wish IPA client connections to be validated against. This CA file will
+be copied into the built ramdisk, and IPA will be configured to use it.
diff --git a/dib/ironic-python-agent-tls/element-deps b/dib/ironic-python-agent-tls/element-deps
new file mode 100644
index 0000000..eb4f191
--- /dev/null
+++ b/dib/ironic-python-agent-tls/element-deps
@@ -0,0 +1,3 @@
+ironic-python-agent-ramdisk
+install-static
+package-installs
diff --git a/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls b/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
new file mode 100755
index 0000000..dc8259d
--- /dev/null
+++ b/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
+KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
+CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
+CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
+
+if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
+echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
+openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
+else
+sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
+sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
+fi
+
+sudo cat < $CONFFILE
+[DEFAULT]
+listen_tls = True
+
+[ssl]
+cert_file = /etc/ironic-python-agent.d/agent.crt
+key_file = /etc/ironic-python-agent.d/agent.key
+EOF
+
+if [[ -n $DIB_IPA_CA_FILE ]]; then
+echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
+cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
+sudo cat <$CACONFFILE
+[ssl]
+ca_file = /etc/ironic-python-agent/agent.cacert.pem
+EOF
diff --git a/dib/ironic-python-agent-tls/package-installs.yaml b/dib/ironic-python-agent-tls/package-installs.yaml
new file mode 100644
index 0000000..7a32898
--- /dev/null
+++ b/dib/ironic-python-agent-tls/package-installs.yaml
@@ -0,0 +1 @@
+openssl:
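Review bot: The script in this hunk cannot run as written: the `if [[ -n $DIB_IPA_CA_FILE ]]` block at the end is never closed (the 31-line hunk stops at `EOF` with no `fi`, so bash reports an unexpected end of file), and both defaults use substring expansion instead of a fallback, so `${DIB_IPA_CERT_EXPIRATION:1095}` is empty when the variable is unset and `${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}` is an arithmetic error — both need `:-`. The client-CA branch copies to `$KEYDIR/agent.cacert.pem` (under `/etc/ironic-python-agent.d/`) while `ca_file` points at `/etc/ironic-python-agent/agent.cacert.pem`, a path nothing in this change creates, so IPA would be told to verify clients against a missing file. Smaller issues: no `set -eu`, every path unquoted, the `else` branch is reached when only one of `DIB_IPA_CERT_FILE`/`DIB_IPA_KEY_FILE` is set and then copies an empty path, `cp $DIB_IPA_CA_FILE` lacks the `sudo` the other copies use, and the `sudo cat < $CONFFILE` lines (whose heredoc operator appears lost in this rendering) rely on a redirect performed by the unprivileged shell rather than by sudo — `sudo tee` writes the file as root, and `openssl -keyout` into the same root-owned mount presumably needs sudo for the same reason. Because the key is written into the ramdisk image, which is presumably served to nodes over the provisioning network, I would also add a header comment: `# NOTE: the key and cert are baked into the ramdisk; anyone who can fetch the image can read the private key, so restrict access to the image and rotate it on rebuild.` The rewrite below applies these fixes and makes the key mode explicit rather than relying on openssl/cp defaults.

```shell
#!/bin/bash
set -eu
# … unchanged: KEYDIR / CONFFILE / CACONFFILE assignments …

# NOTE: the key and cert are baked into the ramdisk; anyone who can fetch the
# image can read the private key, so restrict access to the image and rotate
# it on rebuild.
if [[ -z "${DIB_IPA_CERT_FILE:-}" && -z "${DIB_IPA_KEY_FILE:-}" ]]; then
    echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
    # ':-' gives a default; ':N' would be a substring expansion.
    sudo openssl req -new -newkey rsa:4096 -days "${DIB_IPA_CERT_EXPIRATION:-1095}" -nodes -x509 \
        -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:-ipa-ramdisk.example.com}" \
        -keyout "$KEYDIR/agent.key" -out "$KEYDIR/agent.crt"
elif [[ -z "${DIB_IPA_CERT_FILE:-}" || -z "${DIB_IPA_KEY_FILE:-}" ]]; then
    echo "DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE must be set together" >&2
    exit 1
else
    sudo cp -- "$DIB_IPA_CERT_FILE" "$KEYDIR/agent.crt"
    sudo cp -- "$DIB_IPA_KEY_FILE" "$KEYDIR/agent.key"
fi
# Do not depend on the mode openssl/cp happened to produce.
sudo chmod 0600 "$KEYDIR/agent.key"

# 'sudo tee' writes as root; a plain '>' redirect runs as the build user.
sudo tee "$CONFFILE" >/dev/null <<EOF
# … unchanged: [DEFAULT] listen_tls / [ssl] cert_file, key_file …
EOF

if [[ -n "${DIB_IPA_CA_FILE:-}" ]]; then
    echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
    sudo cp -- "$DIB_IPA_CA_FILE" "$KEYDIR/agent.cacert.pem"
    # Must match where the file was copied to above (ironic-python-agent.d).
    sudo tee "$CACONFFILE" >/dev/null <<EOF
[ssl]
ca_file = /etc/ironic-python-agent.d/agent.cacert.pem
EOF
fi
```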