nuageinit: implement ca_certs support
Add support for the 'ca_certs' cloud-config key which manages CA certificates by writing them to /etc/ssl/certs/ and running certctl rehash.
@@ -568,6 +568,25 @@ local function ntp(obj)
|
||||
f:close()
|
||||
end
|
||||
|
||||
local function ca_certs(obj)
|
||||
if obj.ca_certs == nil then return end
|
||||
local trusted = obj.ca_certs.trusted
|
||||
if trusted == nil or #trusted == 0 then return end
|
||||
local certdir = root .. "/etc/ssl/certs"
|
||||
nuage.mkdir_p(certdir)
|
||||
for i, cert in ipairs(trusted) do
|
||||
local certpath = certdir .. "/nuageinit-" .. i .. ".pem"
|
||||
local f = io.open(certpath, "w")
|
||||
if f then
|
||||
f:write(cert .. "\n")
|
||||
f:close()
|
||||
else
|
||||
warnmsg("unable to write " .. certpath)
|
||||
end
|
||||
end
|
||||
os.execute("certctl rehash 2>/dev/null")
|
||||
end
|
||||
|
||||
local function ssh_deletekeys(obj)
|
||||
if obj.ssh_deletekeys == nil then return end
|
||||
if obj.ssh_deletekeys then
|
||||
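Review bot: The exit status of `certctl rehash` is discarded and its stderr is sent to /dev/null, so a failed rehash leaves the new certificates on disk but not trusted, with nothing in the log to say so; `if not os.execute("certctl rehash 2>/dev/null") then warnmsg("certctl rehash failed") end` would surface it. The certificates are written under `root .. "/etc/ssl/certs"`, but the rehash is run against the live host rather than against `root`, so whenever `root` is not the real root the store that gets rehashed is not the one that received the files (the atf test added in the later hunk uses exactly that layout and, running as root, will invoke certctl on the host). The man-page hunk documents a `remove_defaults` key, but this function never reads `obj.ca_certs.remove_defaults`; either implement it or drop it from the documentation so the two agree. Each entry of `trusted` is written verbatim without checking that it is a PEM certificate block, so a stray string becomes a file that certctl will try to process; testing for `-----BEGIN CERTIFICATE-----` before the write, with a `warnmsg` on mismatch, would keep malformed input out of the trust store.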
@@ -947,6 +966,7 @@ if line == nil then
|
||||
-- YAML user-data
|
||||
elseif line == "#cloud-config" then
|
||||
local pre_network_calls = {
|
||||
ca_certs,
|
||||
mounts,
|
||||
bootcmd,
|
||||
sethostname,
|
||||
|
||||
@@ -258,6 +258,23 @@ to skip NTP configuration.
|
||||
Alternatively,
|
||||
.Ic ntp
|
||||
can be a list of server addresses (legacy format).
|
||||
.It Ic ca_certs
|
||||
An object managing CA certificates.
|
||||
.Pp
|
||||
The following keys are recognized:
|
||||
.Bl -tag -width "remove_defaults"
|
||||
.It trusted
|
||||
A list of PEM-encoded CA certificates to add to the system trust store.
|
||||
Certificates are written to
|
||||
.Pa /etc/ssl/certs/
|
||||
and
|
||||
.Xr certctl 8
|
||||
rehash is executed.
|
||||
.It remove_defaults
|
||||
Boolean, if
|
||||
.Ar true ,
|
||||
remove the default CA certificates.
|
||||
.El
|
||||
.It Ic timezone
|
||||
Sets the system timezone based on the value provided.
|
||||
.Pp
|
||||
|
||||
@@ -39,6 +39,7 @@ atf_test_case config2_userdata_resolv_conf
|
||||
atf_test_case config2_userdata_keyboard
|
||||
atf_test_case config2_userdata_ssh_authkey_fingerprints
|
||||
atf_test_case config2_userdata_ntp
|
||||
atf_test_case config2_userdata_ca_certs
|
||||
atf_test_case config2_userdata_fqdn_and_hostname
|
||||
atf_test_case config2_userdata_write_files
|
||||
|
||||
@@ -1245,6 +1246,34 @@ EOF
|
||||
true
|
||||
}
|
||||
|
||||
config2_userdata_ca_certs_head()
|
||||
{
|
||||
atf_set "require.user" root
|
||||
}
|
||||
config2_userdata_ca_certs_body()
|
||||
{
|
||||
mkdir -p media/nuageinit
|
||||
setup_test_adduser
|
||||
printf "{}" > media/nuageinit/meta_data.json
|
||||
cat > media/nuageinit/user_data <<'EOF'
|
||||
#cloud-config
|
||||
ca_certs:
|
||||
trusted:
|
||||
- |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGVzdGNlcnQx
|
||||
-----END CERTIFICATE-----
|
||||
- |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGVzdGNlcnQy
|
||||
-----END CERTIFICATE-----
|
||||
EOF
|
||||
atf_check -o empty /usr/libexec/nuageinit "${PWD}"/media/nuageinit config-2
|
||||
atf_check -o match:"dGVzdGNlcnQx" cat etc/ssl/certs/nuageinit-1.pem
|
||||
atf_check -o match:"dGVzdGNlcnQy" cat etc/ssl/certs/nuageinit-2.pem
|
||||
true
|
||||
}
|
||||
|
||||
config2_userdata_fqdn_and_hostname_body()
|
||||
{
|
||||
mkdir -p media/nuageinit
|
||||
@@ -1299,6 +1328,7 @@ atf_init_test_cases()
|
||||
atf_add_test_case config2_userdata_keyboard
|
||||
atf_add_test_case config2_userdata_ssh_authkey_fingerprints
|
||||
atf_add_test_case config2_userdata_ntp
|
||||
atf_add_test_case config2_userdata_ca_certs
|
||||
atf_add_test_case config2_userdata_fqdn_and_hostname
|
||||
atf_add_test_case config2_userdata_write_files
|
||||
}
|
||||
|
||||