Add in CA plumbing for custom certificates #7

Merged
merged 4 commits into from
Sep 30, 2019
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -23,6 +23,7 @@ Please contact your Technical Account Manager for more information, and support
| primary\_count | The number of additional cluster master nodes to run | string | n/a | yes |
| secondary\_count | The number of secondary cluster nodes to run | string | n/a | yes |
| vpc\_id | AWS VPC id to install into | string | n/a | yes |
| ca_cert_url | URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections| string | `"none"` | no |
| airgap\_installer\_url | URL to replicated's airgap installer package | string | `"https://install.terraform.io/installer/replicated-v5.tar.gz"` | no |
| airgap\_package\_url | signed URL to download the package | string | `""` | no |
| ami | AMI to launch instance with; defaults to latest Ubuntu Xenial | string | `""` | no |
2 changes: 2 additions & 0 deletions config.tf
Expand Up @@ -53,6 +53,8 @@ data "template_file" "cloud_config" {
proxy_url = "${var.http_proxy_url}"
installer_url = "${var.installer_url}"

ca_cert_url = "${var.ca_cert_url}"

import_key = "${var.import_key}"
startup_script = "${base64encode(var.startup_script)}"

51 changes: 51 additions & 0 deletions files/install-ptfe.sh
Expand Up @@ -47,6 +47,57 @@ export role
airgap_url_path="/etc/ptfe/airgap-package-url"
airgap_installer_url_path="/etc/ptfe/airgap-installer-url"

# ------------------------------------------------------------------------------
# Custom CA certificate download and configuration block
# ------------------------------------------------------------------------------
if [[ -n $(< /etc/ptfe/custom-ca-cert-url) && \
$(< /etc/ptfe/custom-ca-cert-url) != none ]]; then
custom_ca_cert_url=$(cat /etc/ptfe/custom-ca-cert-url)
custom_ca_cert_file_name=$(echo "${custom_ca_cert_url}" | awk -F '/' '{ print $NF }')
ca_tmp_dir="/tmp/ptfe/customer-certs"
replicated_conf_file="replicated-ptfe.conf"
local_messages_file="local_messages.log"
# Setting up a tmp directory to do this `jq` transform to leave artifacts if anything goes "boom",
# since we're trusting user input to be both a working URL and a valid certificate.
# These artifacts will live in /tmp/ptfe/customer-certs/{local_messages.log,wget_output.log} files.
mkdir -p "${ca_tmp_dir}"
pushd "${ca_tmp_dir}"
touch ${local_messages_file}
if wget --trust-server-files "${custom_ca_cert_url}" >> ./wget_output.log 2>&1;
then
if [ -f "${ca_tmp_dir}/${custom_ca_cert_file_name}" ];
then
if openssl x509 -in "${custom_ca_cert_file_name}" -text -noout;
then
mv "${custom_ca_cert_file_name}" cust-ca-certificates.crt
cp /etc/${replicated_conf_file} ./${replicated_conf_file}.original
jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }" -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated
if jq -e . > /dev/null 2>&1 -- ${replicated_conf_file}.updated;
then
cp ./${replicated_conf_file}.updated /etc/${replicated_conf_file}
else
echo "The updated ${replicated_conf_file} file is not valid JSON." | tee -a "${local_messages_file}"
echo "Review ${ca_tmp_dir}/${replicated_conf_file}.original and ${ca_tmp_dir}/${replicated_conf_file}.updated." | tee -a "${local_messages_file}"
echo "" | tee -a "${local_messages_file}"
fi
else
echo "The certificate file wasn't able to validated via openssl" | tee -a "${local_messages_file}"
echo "" | tee -a "${local_messages_file}"
fi
else
echo "The filename ${custom_ca_cert_file_name} was not what ${custom_ca_cert_url} downloaded." | tee -a "${local_messages_file}"
echo "Inspect the ${ca_tmp_dir} directory to verify the file that was downloaded." | tee -a "${local_messages_file}"
echo "" | tee -a "${local_messages_file}"
fi
else
echo "There was an error downloading the file ${custom_ca_cert_file_name} from ${custom_ca_cert_url}." | tee -a "${local_messages_file}"
echo "See the ${ca_tmp_dir}/wget_output.log file." | tee -a "${local_messages_file}"
echo "" | tee -a "${local_messages_file}"
fi

popd
fi

ptfe_install_args=(
-DD
"--bootstrap-token=$(cat /etc/ptfe/bootstrap-token)" \
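Review bot: The certificate that lands in `ca_certs.value` becomes a trust anchor for the proxy's outgoing connections, yet nothing between the `wget` at the top of the block and the `openssl x509` parse check pins what was fetched — a plain-`http://` `ca_cert_url`, or anyone able to answer for that host, can substitute a CA and the script accepts it as long as it parses. Consider rejecting URLs that are not `https://` or `file://` before the download, or adding an expected-digest input alongside `ca_cert_url` and checking it with `sha256sum` before the `mv` to `cust-ca-certificates.crt`. Separately, the `jq` line splices the raw PEM into the filter program through `$(cat cust-ca-certificates.crt)`, so a `"` or `\` in the file is parsed as jq syntax; pass it as data instead: `jq --arg ca "$(cat cust-ca-certificates.crt)" '. + { ca_certs: { value: $ca } }' -- "${replicated_conf_file}.original" > "${replicated_conf_file}.updated"`. The work directory is also a fixed path under `/tmp` created with `mkdir -p` by what appears to be a root-running installer (it writes `/etc/${replicated_conf_file}`), so a pre-existing `/tmp/ptfe/customer-certs` owned by another local user would let that user control the `.updated` file copied back into `/etc`; if the artifacts must persist for debugging, a root-owned location such as `/var/lib/ptfe/customer-certs` created with `install -d -m 0700` avoids that. Finally, `--trust-server-files` does not appear to be a GNU wget option (the documented flag is `--trust-server-names`), so this is worth confirming against the wget shipped on the target AMIs before merge.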
5 changes: 5 additions & 0 deletions templates/cloud-config-secondary.yaml
Expand Up @@ -40,6 +40,11 @@ write_files:
permissions: "0400"
content: "${proxy_url}"

- path: /etc/ptfe/custom-ca-cert-url
owner: root:root
permissions: "0400"
content: "${ca_cert_url}"

- path: /etc/apt/apt.conf.d/00aaa_proxy
owner: root:root
permissions: "0400"
5 changes: 5 additions & 0 deletions templates/cloud-config.yaml
Expand Up @@ -59,6 +59,11 @@ write_files:
permissions: "0400"
content: "${proxy_url}"

- path: /etc/ptfe/custom-ca-cert-url
owner: root:root
permissions: "0400"
content: "${ca_cert_url}"

- path: /etc/profile.d/proxy.sh
owner: root:root
permissions: "0755"
7 changes: 6 additions & 1 deletion variables.tf
Expand Up @@ -36,6 +36,12 @@ variable "airgap_package_url" {
default = ""
}

variable "ca_cert_url" {
type = "string"
description = "URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections"
default = "none"
}

variable "ami" {
type = "string"
description = "AMI to launch instance with; defaults to latest Ubuntu Xenial"
Expand Down Expand Up @@ -270,7 +276,6 @@ data "aws_ami" "rhel" {
}
}


## random password for the installer dashboard
resource "random_pet" "console_password" {
length = 3
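Review bot: The new `ca_cert_url` variable uses the string `"none"` as its "unset" sentinel, while the neighbouring optional URL inputs in this file (`airgap_package_url` just above, and `ami`) use `""`, and the consumer in `install-ptfe.sh` already has to test for both forms. Defaulting to `default = ""` here (and in the README row) would keep the module's inputs consistent and let the install script check a single condition. The description could also say what the value must point at, e.g. `"URL (https:// or file://) to a PEM-encoded CA certificate trusted by the internal ptfe-proxy for outgoing connections; empty disables"`, since the install script only accepts a file that `openssl x509` can parse.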