
Commit eadc3bd

wrichtermarkllama
authored andcommitted
enable injection of custom ca cert into trust chain
1 parent f863d7f commit eadc3bd

7 files changed

Lines changed: 114 additions & 0 deletions


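--- a/bastion.yaml
+++ b/bastion.yaml
@@ -196,6 +196,10 @@ parameters:
 description: List of docker repository URLs which will be installed on each node, if a repo is insecure use '#insecure' suffix.
 default: ''
 
+trusted_ca_cert:
+type: string
+description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
 # A VM to provide host based orchestration and other sub-services
@@ -230,6 +234,7 @@ resources:
 parts:
 - config: {get_resource: set_hostname}
 - config: {get_resource: included_files}
+- config: {get_resource: ca_cert}
 - config: {get_resource: rhn_register}
 - config: {get_resource: set_extra_repos}
 - config: {get_resource: set_extra_docker_repos}
@@ -293,6 +298,15 @@ resources:
 ssh_authorized_keys:
 - {get_param: ansible_public_key}
 
+# Add CA Cert to trust chain
+ca_cert:
+type: OS::Heat::SoftwareConfig
+properties:
+config:
+str_replace:
+params:
+$CA_CERT: {get_param: trusted_ca_cert}
+template: {get_file: fragments/ca_cert.sh}
 
 # Register the host with RHN for access to software packages
 rhn_register: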
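Review bot: The new `trusted_ca_cert` parameter (hunk at +196) is pasted into fragments/ca_cert.sh as literal text by `str_replace` (hunk at +298), so whatever the caller supplies becomes part of a root-run shell script, inside `[ -n "$CA_CERT" ]` and an unquoted heredoc; a value containing `"`, `$` or a backtick would change the generated script instead of being stored as a certificate. The parameter carries no validation, so I would add a `constraints:` entry with an `allowed_pattern` restricted to PEM certificate text (the base64 alphabet, `=`, `+`, `/`, `-`, spaces and newlines) and extend the description to say the value must be a PEM-encoded certificate. The same parameter and resource are added without a constraint in infra.yaml, loadbalancer_dedicated.yaml, master.yaml and node.yaml, so the constraint belongs in each of them, or at least in openshift.yaml where the value enters the stack. The enclosing `parameters` and `resources` mappings start outside these hunks.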

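--- a/fragments/ca_cert.sh
+++ b/fragments/ca_cert.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Register with subscription manager and enable required RPM respositories
+#
+# ENVVARS:
+# CA_CERT - a ca certificate to be added to trust chain
+
+# Exit on command fail
+set -eu
+set -x
+
+# Return the final non-zero exit code of a failed pipe (or 0 for success)
+set -o pipefail
+
+# =============================================================================
+# MAIN
+# =============================================================================
+
+if [ -n "$CA_CERT" ] ; then
+update-ca-trust enable
+cat >/etc/pki/ca-trust/source/anchors/ca.crt <<EOF
+$CA_CERT
+EOF
+update-ca-trust extract
+else
+exit 0
+fi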
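Review bot: The header comment at lines 3–6 is copied from the RHN registration fragment (`Register with subscription manager and enable required RPM respositories`) and describes `CA_CERT` as an environment variable, whereas the templates in this commit replace `$CA_CERT` textually through Heat `str_replace` before the script runs, so neither statement matches the file. I would replace lines 3–6 with `# Install a custom CA certificate into the system trust store`, `# TEMPLATE PARAMS (substituted by Heat str_replace, not read from the environment):` and `# CA_CERT - PEM certificate to add to the trust chain; may be empty`. Because the certificate text is inserted before the shell ever sees the script, the heredoc at line 21 should use a quoted delimiter, `cat >/etc/pki/ca-trust/source/anchors/ca.crt <<'EOF'`, so no `$`, backtick or backslash sequence in the certificate body is expanded at run time. The `else exit 0` branch at lines 25–26 is redundant: with an empty certificate the script already falls off the end with status 0.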

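--- a/infra.yaml
+++ b/infra.yaml
@@ -228,6 +228,10 @@ parameters:
 type: string
 hidden: true
 
+trusted_ca_cert:
+type: string
+description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
 # Create a network connection on the internal communications network
@@ -299,6 +303,7 @@ resources:
 parts:
 - config: {get_resource: set_hostname}
 - config: {get_resource: included_files}
+- config: {get_resource: ca_cert}
 - config: {get_resource: rhn_register}
 - config: {get_resource: set_extra_repos}
 - config: {get_resource: set_extra_docker_repos}
@@ -350,6 +355,16 @@ resources:
 ssh_authorized_keys:
 - {get_param: ansible_public_key}
 
+# Add CA Cert to trust chain
+ca_cert:
+type: OS::Heat::SoftwareConfig
+properties:
+config:
+str_replace:
+params:
+$CA_CERT: {get_param: trusted_ca_cert}
+template: {get_file: fragments/ca_cert.sh}
+
 # Attach to a source of software updates for RHEL
 rhn_register:
 type: OS::Heat::SoftwareConfig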

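--- a/loadbalancer_dedicated.yaml
+++ b/loadbalancer_dedicated.yaml
@@ -169,6 +169,10 @@ parameters:
 type: string
 hidden: true
 
+trusted_ca_cert:
+type: string
+description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 floating_ip_assoc:
 type: OS::Neutron::FloatingIPAssociation
@@ -233,6 +237,7 @@ resources:
 parts:
 - config: {get_resource: set_hostname}
 - config: {get_resource: included_files}
+- config: {get_resource: ca_cert}
 - config: {get_resource: rhn_register}
 - config: {get_resource: set_extra_repos}
 - config: {get_resource: set_extra_docker_repos}
@@ -281,6 +286,16 @@ resources:
 ssh_authorized_keys:
 - {get_param: ansible_public_key}
 
+# Add CA Cert to trust chain
+ca_cert:
+type: OS::Heat::SoftwareConfig
+properties:
+config:
+str_replace:
+params:
+$CA_CERT: {get_param: trusted_ca_cert}
+template: {get_file: fragments/ca_cert.sh}
+
 # Connect to a software source for updates on RHEL
 rhn_register:
 type: OS::Heat::SoftwareConfig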

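--- a/master.yaml
+++ b/master.yaml
@@ -221,6 +221,10 @@ parameters:
 type: string
 hidden: true
 
+trusted_ca_cert:
+type: string
+description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
 # Create a network connection on the internal communications network
@@ -291,6 +295,7 @@ resources:
 parts:
 - config: {get_resource: set_hostname}
 - config: {get_resource: included_files}
+- config: {get_resource: ca_cert}
 - config: {get_resource: rhn_register}
 - config: {get_resource: set_extra_repos}
 - config: {get_resource: set_extra_docker_repos}
@@ -342,6 +347,16 @@ resources:
 ssh_authorized_keys:
 - {get_param: ansible_public_key}
 
+# Add CA Cert to trust chain
+ca_cert:
+type: OS::Heat::SoftwareConfig
+properties:
+config:
+str_replace:
+params:
+$CA_CERT: {get_param: trusted_ca_cert}
+template: {get_file: fragments/ca_cert.sh}
+
 # Attach to a source of software updates for RHEL
 rhn_register:
 type: OS::Heat::SoftwareConfig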

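--- a/node.yaml
+++ b/node.yaml
@@ -346,6 +346,10 @@ parameters:
 type: string
 description: Extra parameters for openshift-ansible
 
+trusted_ca_cert:
+type: string
+description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
 # Generate a string to distinguish one node from the others
@@ -396,6 +400,7 @@ resources:
 parts:
 - config: {get_resource: set_hostname}
 - config: {get_resource: included_files}
+- config: {get_resource: ca_cert}
 - config: {get_resource: rhn_register}
 - config: {get_resource: set_extra_repos}
 - config: {get_resource: set_extra_docker_repos}
@@ -453,6 +458,16 @@ resources:
 ssh_authorized_keys:
 - {get_param: ansible_public_key}
 
+# Add CA Cert to trust chain
+ca_cert:
+type: OS::Heat::SoftwareConfig
+properties:
+config:
+str_replace:
+params:
+$CA_CERT: {get_param: trusted_ca_cert}
+template: {get_file: fragments/ca_cert.sh}
+
 # Connect to software update source for RHEL
 rhn_register:
 type: OS::Heat::SoftwareConfig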

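--- a/openshift.yaml
+++ b/openshift.yaml
@@ -493,6 +493,11 @@ parameters:
 description: Extra parameters for openshift-ansible as a JSON string
 default: ""
 
+trusted_ca_cert:
+type: string
+description: Certificate Authority Certificate to be added to trust chain
+default: ''
+
 resources:
 
 # Network Components
@@ -582,6 +587,7 @@ resources:
 system_update: {get_param: system_update}
 extra_repository_urls: {get_param: extra_repository_urls}
 extra_docker_repository_urls: {get_param: extra_docker_repository_urls}
+trusted_ca_cert: {get_param: trusted_ca_cert}
 
 openshift_masters:
 depends_on: [external_router_interface, fixed_network, fixed_subnet]
@@ -625,6 +631,7 @@ resources:
 extra_docker_repository_urls: {get_param: extra_docker_repository_urls}
 dns_servers: {get_param: dns_nameserver}
 dns_update_key: {get_param: dns_update_key}
+trusted_ca_cert: {get_param: trusted_ca_cert}
 
 openshift_infra_nodes:
 depends_on: [external_router_interface, fixed_network, fixed_subnet]
@@ -669,6 +676,7 @@ resources:
 extra_docker_repository_urls: {get_param: extra_docker_repository_urls}
 dns_servers: {get_param: dns_nameserver}
 dns_update_key: {get_param: dns_update_key}
+trusted_ca_cert: {get_param: trusted_ca_cert}
 
 openshift_nodes:
 depends_on: [external_router_interface, fixed_network, fixed_subnet]
@@ -745,6 +753,7 @@ resources:
 prepare_ansible: {get_param: prepare_ansible}
 execute_ansible: {get_param: execute_ansible}
 extra_openshift_ansible_params: {get_param: extra_openshift_ansible_params}
+trusted_ca_cert: {get_param: trusted_ca_cert}
 
 # Define the network access policy for openshift nodes
 node_security_group:
@@ -992,8 +1001,12 @@ resources:
 extra_docker_repository_urls: {get_param: extra_docker_repository_urls}
 stack_name: {get_param: 'OS::stack_name'}
 bastion_node: {get_attr: [bastion_host, resource.host]}
+<<<<<<< HEAD
 dns_servers: {get_param: dns_nameserver}
 dns_update_key: {get_param: dns_update_key}
+=======
+trusted_ca_cert: {get_param: trusted_ca_cert}
+>>>>>>> aa01b47... add ca config to dedicated loadbalancer
 
 outputs:
 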