Skip to content

Commit

Permalink
blueprint: add cacert customization
Browse files Browse the repository at this point in the history
  • Loading branch information
lzap authored and thozza committed Jan 10, 2025
1 parent f41c764 commit 25cc47d
Show file tree
Hide file tree
Showing 13 changed files with 273 additions and 191 deletions.
7 changes: 7 additions & 0 deletions internal/blueprint/blueprint.go
Original file line number Diff line number Diff line change
Expand Up @@ -406,6 +406,13 @@ func Convert(bp Blueprint) iblueprint.Blueprint {

customizations.RHSM = &irhsm
}

if ca := c.CACerts; ca != nil {
ica := iblueprint.CACustomization{
PEMCerts: ca.PEMCerts,
}
customizations.CACerts = &ica
}
}

ibp := iblueprint.Blueprint{
Expand Down
6 changes: 6 additions & 0 deletions internal/blueprint/blueprint_convert_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -211,6 +211,9 @@ func TestConvert(t *testing.T) {
},
},
},
CACerts: &CACustomization{
PEMCerts: []string{"pem-cert"},
},
},
Distro: "distro",
},
Expand Down Expand Up @@ -401,6 +404,9 @@ func TestConvert(t *testing.T) {
},
},
},
CACerts: &iblueprint.CACustomization{
PEMCerts: []string{"pem-cert"},
},
},
Distro: "distro",
},
Expand Down
5 changes: 5 additions & 0 deletions internal/blueprint/customizations.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ type Customizations struct {
Installer *InstallerCustomization `json:"installer,omitempty" toml:"installer,omitempty"`
RPM *RPMCustomization `json:"rpm,omitempty" toml:"rpm,omitempty"`
RHSM *RHSMCustomization `json:"rhsm,omitempty" toml:"rhsm,omitempty"`
CACerts *CACustomization `json:"cacerts,omitempty" toml:"cacerts,omitempty"`
}

type IgnitionCustomization struct {
Expand Down Expand Up @@ -135,6 +136,10 @@ type OpenSCAPJSONTailoringCustomizations struct {
Filepath string `json:"filepath,omitempty" toml:"filepath,omitempty"`
}

type CACustomization struct {
PEMCerts []string `json:"pem_certs,omitempty" toml:"pem_certs,omitempty"`
}

type CustomizationError struct {
Message string
}
Expand Down
6 changes: 6 additions & 0 deletions internal/cloudapi/v2/compose.go
Original file line number Diff line number Diff line change
Expand Up @@ -1015,6 +1015,12 @@ func (request *ComposeRequest) GetBlueprintFromCustomizations() (blueprint.Bluep
bp.Customizations.RHSM = bpRhsm
}

if cacerts := request.Customizations.Cacerts; cacerts != nil {
bp.Customizations.CACerts = &blueprint.CACustomization{
PEMCerts: cacerts.PemCerts,
}
}

// Did bp.Customizations get set at all? If not, set it back to nil
if reflect.DeepEqual(*bp.Customizations, blueprint.Customizations{}) {
bp.Customizations = nil
Expand Down
381 changes: 195 additions & 186 deletions internal/cloudapi/v2/openapi.v2.gen.go

Large diffs are not rendered by default.

15 changes: 15 additions & 0 deletions internal/cloudapi/v2/openapi.v2.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1175,6 +1175,17 @@ components:
properties:
config:
$ref: '#/components/schemas/RHSMConfig'
CACertsCustomization:
type: object
additionalProperties: false
required:
- pem_certs
properties:
pem_certs:
type: array
example: ['---BEGIN CERTIFICATE---\nMIIC0DCCAbigAwIBAgIUI...\n---END CERTIFICATE---']
items:
type: string
UploadTarget:
type: object
required:
Expand Down Expand Up @@ -1518,6 +1529,8 @@ components:
$ref: '#/components/schemas/RPMCustomization'
rhsm:
$ref: '#/components/schemas/RHSMCustomization'
cacerts:
$ref: '#/components/schemas/CACertsCustomization'
SSHKey:
type: object
additionalProperties: false
Expand Down Expand Up @@ -1666,6 +1679,8 @@ components:
$ref: '#/components/schemas/RPMCustomization'
rhsm:
$ref: '#/components/schemas/RHSMCustomization'
cacerts:
$ref: '#/components/schemas/CACertsCustomization'
Container:
type: object
required:
Expand Down
12 changes: 12 additions & 0 deletions test/cases/api.sh
Original file line number Diff line number Diff line change
Expand Up @@ -484,6 +484,18 @@ EOF
)
export RHSM_CUSTOMIZATION_BLOCK

# Test certificate with common name "Test CA for osbuild", serial 27894af897dd2423607045716438a725f28a6d0b valid until 2298
CACERTS_CUSTOMIZATION_BLOCK=$(cat <<EOF
,
"cacerts": {
"pem_certs": [
"-----BEGIN CERTIFICATE-----\nMIIDszCCApugAwIBAgIUJ4lK+JfdJCNgcEVxZDinJfKKbQswDQYJKoZIhvcNAQEL\nBQAwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD\nVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRwwGgYDVQQDDBNUZXN0IENB\nIGZvciBvc2J1aWxkMCAXDTI0MDkwMzEzMjkyMFoYDzIyOTgwNjE4MTMyOTIwWjBo\nMQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcM\nB1JhbGVpZ2gxEDAOBgNVBAoMB1JlZCBIYXQxHDAaBgNVBAMME1Rlc3QgQ0EgZm9y\nIG9zYnVpbGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeA7OcWTrV\ngstoBsUaeJKm8nelg7Lc0WNXH6yOTLsr4td4yHs0YOvFGwgSf+ffV3RAG1mgqnMG\nMgkD2+z+7QhHbHHs3y0d0zfhA2bg0KVvfCWk7fNRPHY0UOePpXk245Bfw3D0VTpl\nF7nePk1I7ZY09snPWUeb2rjKXzYjKjzM0h27+ykV8I8+FbdyPk/pR8whyDqtHLUa\nXfFy2TFloDSYMkHKVd38BnL0bj91x5F+KsZkN4HzfbYwxLbCQfOSgy7q6TWce9kq\nLo6tya9vuvpWFm1dye7L+BodAQAq/dI/JMeCfyTb0eFb+tyzfr5aVIoqqDN+p9ft\ncw4OefpHbhtNAgMBAAGjUzBRMB0GA1UdDgQWBBRV2A9YmusekPzu5Yf08cV0oPL1\nwjAfBgNVHSMEGDAWgBRV2A9YmusekPzu5Yf08cV0oPL1wjAPBgNVHRMBAf8EBTAD\nAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgQZ2Xfj+NxaKBZgn2KNxS0MTbhzHRz6Rn\nqJs+h8OUz2Crmaf6N+RHlmDRZXUrDjSHpxVT2LxFy7ofRrLYIezFDUYfb920VkkV\nSVcxh1YDFROJalfMoE6wdyR/LnK4MJZS9fUpeCJJc/A0J+9FK9CwcyUrHgJ8XbJh\nMKYyQ+cf6O7wzutuBpMyRqSKS+hVM7BQTmSFvv1eAJlo6klGAmmKiYmAEvcQadH1\ndjrujsA3Cn5vX2L+0yuiLB5/zoxqx5cEy97TuKUYB8OqMMujAXNzF4L3HJDUNba2\nAhEkFozMXwYX73TGbGZ0mawPS5D3v3tYTEmJFf6SnVCmUW1fs57g\n-----END CERTIFICATE-----\n"
]
}
EOF
)
export CACERTS_CUSTOMIZATION_BLOCK

if [ "$TEST_MODULE_HOTFIXES" = "1" ]; then
if [ "$ARCH" = "x86_64" ]; then
NGINX_REPO_URL="https://rpmrepo.osbuild.org/v2/mirror/public/el8/el8-x86_64-nginx-20240626"
Expand Down
2 changes: 1 addition & 1 deletion test/cases/api/aws.sh
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ function createReqFile() {
"key": "$(cat "${WORKDIR}/usertest.pub")"
}
]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}${CACERTS_CUSTOMIZATION_BLOCK}
},
"image_request": {
"architecture": "$ARCH",
Expand Down
2 changes: 1 addition & 1 deletion test/cases/api/azure.sh
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ function createReqFile() {
"postgresql",
"dummy"
]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${FIREWALL_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${FIREWALL_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}${CACERTS_CUSTOMIZATION_BLOCK}
},
"image_request": {
"architecture": "$ARCH",
Expand Down
22 changes: 22 additions & 0 deletions test/cases/api/common/common.sh
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
#!/usr/bin/bash
# vim: sw=2:et:

# Reusable function, which waits for a given host to respond to SSH
function _instanceWaitSSH() {
Expand Down Expand Up @@ -83,6 +84,7 @@ function _instanceCheck() {

verify_repository_customization "$_ssh"
verify_openscap_customization "$_ssh"
verify_cacert_customization "$_ssh"

echo "✔️ Checking timezone customization"
TZ=$($_ssh timedatectl show -p Timezone --value)
Expand Down Expand Up @@ -243,3 +245,23 @@ function verify_openscap_customization {
exit 1
fi
}

# Verify that CA cert file was extracted
function verify_cacert_customization {
echo "✔️ Checking CA cert extration"
local _ssh="$1"
local _serial="27894af897dd2423607045716438a725f28a6d0b"
local _cn="Test CA for osbuild"

if ! $_ssh "test -e /etc/pki/ca-trust/source/anchors/${_serial}.pem"; then
echo "Anchor CA file does not exist, directory contents:"
$_ssh "find /etc/pki/ca-trust/source/anchors"
exit 1
fi

if ! $_ssh "grep -q \"${_cn}\" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"; then
echo "Extracted CA file is not present, bundle contents:"
$_ssh "grep '^#' /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
exit 1
fi
}
2 changes: 1 addition & 1 deletion test/cases/api/common/s3.sh
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ function createReqFileGuest() {
"key": "$(cat "${WORKDIR}/usertest.pub")"
}
]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${FIREWALL_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${FIREWALL_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}${CACERTS_CUSTOMIZATION_BLOCK}
},
"image_request": {
"architecture": "$ARCH",
Expand Down
2 changes: 1 addition & 1 deletion test/cases/api/gcp.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ function createReqFile() {
"postgresql",
"dummy"
]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${FIREWALL_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${FIREWALL_CUSTOMIZATION_BLOCK}${RPM_CUSTOMIZATION_BLOCK}${RHSM_CUSTOMIZATION_BLOCK}${CACERTS_CUSTOMIZATION_BLOCK}
},
"image_request": {
"architecture": "$ARCH",
Expand Down
2 changes: 1 addition & 1 deletion test/cases/api/oci.sh
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ function createReqFile() {
"postgresql",
"dummy"
]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}${OPENSCAP_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}
${TIMEZONE_CUSTOMIZATION_BLOCK}${CACERTS_CUSTOMIZATION_BLOCK}
},
"image_request": {
"architecture": "$ARCH",
Expand Down

0 comments on commit 25cc47d

Please sign in to comment.