openstack/ironic-python-agent-builder
Code Issues Proposed changes
ironic-python-agent-builder/dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls
Jay Faulkner 79715dd750 Add element to configure IPA with TLS, use configdir 
First, this change preconfigures IPA to use a configdir. This will
permit deployers to add or modify IPA configuration in elements.
This change was a prerequisite to adding additional DIB elements
which require configuration.

Additionally, this adds a DIB element to configure TLS support for
IPA's API. If added to a ramdisk build with no configuration, it
will create a self-signed certificate and configure IPA to use it.
It also exposes various environment variables to allow deployers
to use preexisting certificates or CA files.

Change-Id: Ibf88937766fa32f72b90ca81f9e8fba3515b6e33
2020-09-08 20:40:19 +00:00

32 lines
1.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# /etc/ironic-python-agent.d/ is created by the ironic-python-agent-ramdisk element
KEYDIR=$TMP_MOUNT_PATH/etc/ironic-python-agent.d
CONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf
CACONFFILE=$TMP_MOUNT_PATH/etc/ironic-python-agent.d/11-configure-client-cert-ca.conf
if [[ -z $DIB_IPA_CERT_FILE ]] && [[ -z $DIB_IPA_KEY_FILE ]]; then
echo "Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert"
openssl req -new -newkey rsa:4096 -days ${DIB_IPA_CERT_EXPIRATION:1095} -nodes -x509 -subj "/C=US/ST=NA/L=NA/O=NA/CN=${DIB_IPA_CERT_HOSTNAME:ipa-ramdisk.example.com}" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt
else
sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt
sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key
fi
sudo cat <<EOF > $CONFFILE
[DEFAULT]
listen_tls = True
[ssl]
cert_file = /etc/ironic-python-agent.d/agent.crt
key_file = /etc/ironic-python-agent.d/agent.key
EOF
if [[ -n $DIB_IPA_CA_FILE ]]; then
echo "DIB_IPA_CA_FILE set, configuring IPA to validate client certificates"
cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem
sudo cat <<EOF >$CACONFFILE
[ssl]
ca_file = /etc/ironic-python-agent/agent.cacert.pem
EOF
View Git Blame Copy Permalink