Add support for libvirt VNC TLS with option of a dedicated CA
Configures ca/certs/key for nova-novnc vencrypt. A dedicated IPA sub-CA can optionally be used to restrict access. A custom certmonger helper is used to support this as certmonger currently has limited support for IPA sub-CAs. Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5 Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
1 parent
a890973
commit ceb4fae
Showing
6 changed files
with
327 additions
and
0 deletions.
@@ -0,0 +1,75 @@ | ||
#!/usr/bin/python | ||
from __future__ import print_function | ||
try: | ||
import ConfigParser as configparser | ||
except ImportError: | ||
import configparser | ||
import os | ||
import sys | ||
import subprocess | ||
|
||
CM_SUBMIT_STATUS_ISSUED = 0 | ||
CM_SUBMIT_STATUS_UNCONFIGURED = 4 | ||
|
||
def main(): | ||
if len(sys.argv) < 3: | ||
return CM_SUBMIT_STATUS_UNCONFIGURED | ||
sub_ca = sys.argv[1] | ||
wrapped_command = sys.argv[2:] | ||
|
||
operation = os.environ.get('CERTMONGER_OPERATION') | ||
os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA' | ||
|
||
if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa': | ||
config = configparser.ConfigParser() | ||
try: | ||
with open('/etc/ipa/default.conf') as fp: | ||
config.readfp(fp) | ||
except: | ||
return CM_SUBMIT_STATUS_UNCONFIGURED | ||
host = config.get('global', 'host') | ||
realm = config.get('global', 'realm') | ||
if host is None or realm is None: | ||
return CM_SUBMIT_STATUS_UNCONFIGURED | ||
principal = 'host/{}@{}'.format(host, realm) | ||
os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper' | ||
try: | ||
subprocess.check_call([ | ||
'/usr/bin/kinit', '-k', principal | ||
]) | ||
except: | ||
return CM_SUBMIT_STATUS_UNCONFIGURED | ||
|
||
try: | ||
data = subprocess.check_output([ | ||
'/usr/bin/ipa', 'ca-show', sub_ca | ||
]) | ||
except: | ||
return CM_SUBMIT_STATUS_ISSUED | ||
|
||
config = {} | ||
for line in data.split('\n'): | ||
line = line.strip() | ||
try: | ||
key, value = line.split(': ') | ||
except: | ||
continue | ||
config[key] = value | ||
|
||
if config.get('Name').lower() != sub_ca.lower(): | ||
return CM_SUBMIT_STATUS_ISSUED | ||
|
||
print(realm, sub_ca, 'CA') | ||
print('-----BEGIN CERTIFICATE-----') | ||
certificate = config['Certificate'] | ||
for i in range((len(certificate)/64) + 1): | ||
print(certificate[i*64:(i+1)*64]) | ||
print('-----END CERTIFICATE-----') | ||
sys.stdout.flush() | ||
else: | ||
os.environ['CERTMONGER_CA_ISSUER'] = sub_ca | ||
|
||
os.execl(wrapped_command[0], *wrapped_command) | ||
|
||
if __name__ == '__main__': | ||
main() |
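Review bot: The helper does not run under Python 3 although the `ConfigParser`/`configparser` fallback and the `print_function` import suggest it is meant to: there `subprocess.check_output` returns bytes, so `data.split('\n')` raises TypeError, and `len(certificate)/64` is a float that `range()` rejects. Decoding once, `data = subprocess.check_output([...]).decode('utf-8')`, and using floor division, `for i in range((len(certificate) // 64) + 1):`, fixes both (`config.readfp` is also deprecated there in favour of `read_file`). The four bare `except:` clauses additionally swallow SystemExit/KeyboardInterrupt and hide the real failure, and the `host is None or realm is None` check is dead because `config.get` raises `NoOptionError`/`NoSectionError` instead of returning None; narrowing to `IOError`/`configparser.Error`, `subprocess.CalledProcessError` and `ValueError`, and moving the two `config.get` calls into the first `try`, keeps the same status-code fallbacks. `config.get('Name').lower()` will also raise AttributeError rather than return ISSUED when the `ipa ca-show` output has no `Name` line, so `config.get('Name', '')` is safer. Finally, `KRB5CCNAME` is a fixed, predictable file name in world-writable /tmp for a host-principal credential cache; a root-only directory (for example one created with `tempfile.mkdtemp()`) avoids another local user pre-creating that path.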
@@ -0,0 +1,65 @@ | ||
# Copyright 2017 Red Hat, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
# | ||
# == Class: tripleo::certmonger::ca::libvirt_vnc | ||
# | ||
# Sets the necessary file that will be used libvirt vnc servers and | ||
# clients. | ||
# | ||
# === Parameters: | ||
# | ||
# [*origin_ca_pem*] | ||
# (Optional) Path to the CA certificate that libvirt vnc will use. This is not | ||
# assumed automatically or uses the system CA bundle as is the case of other | ||
# services because a limitation with the file sizes in GNU TLS, which libvirt | ||
# uses as a TLS backend. | ||
# Defaults to undef | ||
# | ||
# [*certmonger_ca*] | ||
# (Optional) The CA name that certmonger will use to generate VNC certificates. | ||
# If this is not local or IPA then is assumed to be an IPA sub-CA and will be | ||
# added to the certmonger CA list. | ||
# Defaults to hiera('certmonger_ca_vnc', 'local'). | ||
# | ||
class tripleo::certmonger::ca::libvirt_vnc( | ||
$origin_ca_pem = undef, | ||
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'), | ||
){ | ||
if $origin_ca_pem { | ||
$ensure_file = 'link' | ||
} else { | ||
$ensure_file = 'absent' | ||
} | ||
file { '/etc/pki/libvirt-vnc/ca-cert.pem': | ||
ensure => $ensure_file, | ||
mode => '0644', | ||
target => $origin_ca_pem, | ||
} | ||
|
||
if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) { | ||
$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper' | ||
$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit' | ||
file { $wrapper_path: | ||
source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py', | ||
mode => '0755', | ||
notify => Service['certmonger'] | ||
} | ||
-> exec { "Add ${certmonger_ca} IPA subCA to certmonger": | ||
command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'", | ||
path => ['/usr/bin', '/bin'], | ||
unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'", | ||
notify => Service['certmonger'] | ||
} | ||
} | ||
} |
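Review bot: `$certmonger_ca` comes from hiera and is interpolated unquoted into both the `getcert add-ca -c ... -e '...'` command and its `unless` check, so a value containing whitespace or shell metacharacters either splits the wrapper's argv (shifting `sub_ca`/`wrapped_command` in the helper) or is interpreted by the shell. Constraining it before the exec, e.g. `validate_re($certmonger_ca, '^[A-Za-z0-9_.-]+$')` from stdlib, or building the strings with `shellquote()`, keeps the command, the `unless` pattern and the helper's argument parsing in agreement. The `unless` grep also treats its argument as a regex, so the `.` in the wrapper path matches any character; `grep -F` makes it a literal match.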
@@ -0,0 +1,103 @@ | ||
# Copyright 2017 Red Hat, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
# | ||
# == Resource: tripleo::certmonger::libvirt_vnc | ||
# | ||
# Request a certificate for libvirt-vnc and do the necessary setup. | ||
# | ||
# === Parameters | ||
# | ||
# [*hostname*] | ||
# The hostname of the node. this will be set in the CN of the certificate. | ||
# | ||
# [*service_certificate*] | ||
# The path to the certificate that will be used for TLS in this service. | ||
# | ||
# [*service_key*] | ||
# The path to the key that will be used for TLS in this service. | ||
# | ||
# [*certmonger_ca*] | ||
# (Optional) The CA that certmonger will use to generate the certificates. | ||
# Defaults to hiera('certmonger_ca_vnc', 'local'). | ||
# | ||
# [*postsave_cmd*] | ||
# (Optional) Specifies the command to execute after requesting a certificate. | ||
# If nothing is given, it will default to: "systemctl reload ${service name}" | ||
# Defaults to undef. | ||
# | ||
# [*principal*] | ||
# (Optional) The service principal that is set for the service in kerberos. | ||
# Defaults to undef | ||
# | ||
# [*cacertfile*] | ||
# (Optional) Specifies that path to write the CA cerftificate to. | ||
# Defaults to undef | ||
# | ||
# [*notify_service*] | ||
# (Optional) Service to reload when certificate is created/renewed | ||
# Defaults to $::nova::params::libvirt_service_name | ||
# | ||
define tripleo::certmonger::libvirt_vnc ( | ||
$hostname, | ||
$service_certificate, | ||
$service_key, | ||
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'), | ||
$postsave_cmd = undef, | ||
$principal = undef, | ||
$cacertfile = undef, | ||
$notify_service = undef, | ||
) { | ||
include ::certmonger | ||
include ::nova::params | ||
|
||
$notify_service_real = pick($notify_service, $::nova::params::libvirt_service_name) | ||
|
||
$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${notify_service_real}") | ||
|
||
certmonger_certificate { $name : | ||
ensure => 'present', | ||
certfile => $service_certificate, | ||
keyfile => $service_key, | ||
hostname => $hostname, | ||
dnsname => $hostname, | ||
principal => $principal, | ||
postsave_cmd => $postsave_cmd_real, | ||
ca => $certmonger_ca, | ||
cacertfile => $cacertfile, | ||
wait => true, | ||
tag => 'libvirt-cert', | ||
require => Class['::certmonger'], | ||
} | ||
|
||
if $cacertfile { | ||
file { $cacertfile : | ||
require => Certmonger_certificate[$name], | ||
mode => '0644' | ||
} | ||
~> Service<| title == $notify_service_real |> | ||
} | ||
|
||
file { $service_certificate : | ||
require => Certmonger_certificate[$name], | ||
mode => '0644' | ||
} | ||
file { $service_key : | ||
require => Certmonger_certificate[$name], | ||
group => 'qemu', | ||
mode => '0640' | ||
} | ||
|
||
File[$service_certificate] ~> Service<| title == $notify_service_real |> | ||
File[$service_key] ~> Service<| title == $notify_service_real |> | ||
} |
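Review bot: The `tag => 'libvirt-cert'` on the `certmonger_certificate` resource does not match the `tag == 'libvirt-vnc-cert'` collectors in `tripleo::certmonger::libvirt_vnc_dirs` (the `File[$certificate_dir] ~> Certmonger_certificate<| ... |>` and `File[$key_dir] ~> ...` lines of that file), so the certificate and key directories are never ordered before this request. Changing it to `tag => 'libvirt-vnc-cert'` restores the intended ordering and, if `'libvirt-cert'` is already the tag used by the existing libvirt certificate define, also stops this resource from being picked up by that define's collectors. The `group => 'qemu'` on the key file is hard-coded while the service name is taken from `::nova::params`; if that module exposes the group, sourcing it from there would keep the two consistent.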
@@ -0,0 +1,56 @@ | ||
# Copyright 2017 Red Hat, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
# | ||
# == Class: tripleo::certmonger::libvirt_vnc_dirs | ||
# | ||
# Creates the necessary directories for libvirt vnc certificates and keys in the | ||
# assigned locations if specified. It also assigns the correct SELinux tags. | ||
# | ||
# === Parameters: | ||
# | ||
# [*certificate_dir*] | ||
# (Optional) Directory where libvirt-vnc's certificates will be stored. If left | ||
# unspecified, it won't be created. | ||
# Defaults to undef | ||
# | ||
# [*key_dir*] | ||
# (Optional) Directory where libvirt-vnc's keys will be stored. | ||
# Defaults to undef | ||
# | ||
class tripleo::certmonger::libvirt_vnc_dirs( | ||
$certificate_dir = undef, | ||
$key_dir = undef, | ||
){ | ||
|
||
if $certificate_dir { | ||
file { $certificate_dir : | ||
ensure => 'directory', | ||
selrole => 'object_r', | ||
seltype => 'cert_t', | ||
seluser => 'system_u', | ||
} | ||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |> | ||
} | ||
|
||
if $key_dir { | ||
file { $key_dir : | ||
ensure => 'directory', | ||
selrole => 'object_r', | ||
seltype => 'cert_t', | ||
seluser => 'system_u', | ||
} | ||
File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |> | ||
} | ||
|
||
} |
@@ -0,0 +1,10 @@ | ||
--- | ||
features: | ||
- | | ||
Add support for libvirt VNC TLS with option of a dedicated CA | ||
Configures ca/certs/key for nova-novnc vencrypt. | ||
A dedicated IPA sub-CA can optionally be used to restrict access. | ||
A custom certmonger helper is used to support this as certmonger currently | ||
has limited support for IPA sub-CAs. |