openstack/ironic-python-agent-builder
Code Issues Proposed changes

Followups for TLS support

Browse Source 
- Fixed a syntax error, and an ordering issue in DIB TLS element
- Removed unneeded deps, since openssl runs on build machine now

Change-Id: Idcdaefdb3aa80fd651ca6de35d18d3581ffe5116
This commit is contained in:
Jay Faulkner 2020-09-09 14:54:48 -07:00
parent 89b310b8b6
commit da78fa099f
3 changed files with 8 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dib/ironic-python-agent-tls/element-deps
View File

@ -1,3 +1 @@
ironic-python-agent-ramdisk ironic-python-agent-ramdisk
install-static
package-installs

1
dib/ironic-python-agent-tls/package-installs.yaml
View File

@ -1 +0,0 @@
openssl:

15
dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls → dib/ironic-python-agent-tls/pre-finalize.d/10-configure-ipa-tls
View File

@ -1,19 +1,19 @@
#!/bin/bash #!/bin/bash
# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element # /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d KEYDIR=$TMP_BUILD_DIR/mnt/etc/ironic-python-agent.d
CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf CONFFILE=$KEYDIR/10-configure-tls.conf
CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf CACONFFILE=$KEYDIR/11-configure-client-cert-ca.conf
if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert" echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt sudo openssl req -new -nodes -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:-1095} -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:-ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
else else
sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
fi fi
sudo cat <<EOF > $CONFFILE cat <<EOF | sudo tee $CONFFILE
[DEFAULT] [DEFAULT]
listen_tls = True listen_tls = True
@ -24,8 +24,9 @@ EOF
if [[ -n $DIB_IPA_CA_FILE ]]; then if [[ -n $DIB_IPA_CA_FILE ]]; then
echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates" echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem sudo cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
sudo cat <<EOF >$CACONFFILE cat <<EOF | sudo tee $CACONFFILE
[ssl] [ssl]
ca_file = /etc/ironic-python-agent/agent.cacert.pem ca_file = /etc/ironic-python-agent/agent.cacert.pem
EOF EOF
fi