Introduce kolla_update_cacerts

This adds a script to run at container start via kolla_start to update the container environment for trusted CAs (TLS-E). Also adds the cloud-admin user to the kolla group to be allowed to run kolla* commands as root. This is required to get the openstackclient CA trust updated for tls endpoints. Jira: OSP-26299 Jira: OSP-26849
openstack-k8s-operators · Sep 28, 2023 · d902789 · d902789
1 parent 3df2216
commit d902789
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 1 deletion.
diff --git a/container-images/kolla/base/start.sh b/container-images/kolla/base/start.sh
@@ -9,6 +9,9 @@ sudo -E kolla_set_configs
 CMD=$(cat /run_command)
 ARGS=""
 
+# Install custom CA certificates
+sudo kolla_update_cacerts
+
 if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then
     # Run additional commands if present
     . kolla_extend_start

diff --git a/container-images/kolla/base/uid_gid_manage.sh b/container-images/kolla/base/uid_gid_manage.sh
@@ -37,7 +37,7 @@ _SUPPORTED_USERS['aodh']='aodh 42402 42402 /var/lib/aodh kolla'
 _SUPPORTED_USERS['barbican']='barbican 42403 42403 /var/lib/barbican kolla,nfast'
 _SUPPORTED_USERS['ceilometer']='ceilometer 42405 42405 /var/lib/ceilometer kolla'
 _SUPPORTED_USERS['cinder']='cinder 42407 42407 /var/lib/cinder kolla'
-_SUPPORTED_USERS['cloud-admin']='cloud-admin 42401 42401 /home/cloud-admin'
+_SUPPORTED_USERS['cloud-admin']='cloud-admin 42401 42401 /home/cloud-admin kolla'
 _SUPPORTED_USERS['designate']='designate 42411 42411 /var/lib/designate kolla'
 _SUPPORTED_USERS['etcd']='etcd 42413 42413 /var/lib/etcd kolla'
 _SUPPORTED_USERS['frrvty']='frrvty 42483 42483'

diff --git a/container-images/kolla/base/update_cacerts.sh b/container-images/kolla/base/update_cacerts.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Copy custom CA certificates to system trusted CA certificates folder
+# and run CA update utility
+
+# Remove old certificates
+rm -f /usr/local/share/ca-certificates/ng-customca-* \
+        /etc/pki/ca-trust/source/anchors/ng-customca-*
+
+if [[ -d /var/lib/config-data/ca-certificates ]] && \
+        [[ ! -z "$(ls -A /var/lib/config-data/ca-certificates/)" ]]; then
+    # CentOS
+    for cert in /var/lib/config-data/ca-certificates/*; do
+        file=$(basename "$cert")
+        cp $cert "/etc/pki/ca-trust/source/anchors/ng-customca-$file"
+    done
+    update-ca-trust
+fi
diff --git a/container-images/tcib/base/base.yaml b/container-images/tcib/base/base.yaml
@@ -25,6 +25,8 @@ tcib_actions:
 - run: chmod 755 /usr/local/bin/kolla_start
 - run: cp /usr/share/tcib/container-images/kolla/base/httpd_setup.sh /usr/local/bin/kolla_httpd_setup
 - run: chmod 755 /usr/local/bin/kolla_httpd_setup
+- run: cp /usr/share/tcib/container-images/kolla/base/update_cacerts.sh /usr/local/bin/kolla_update_cacerts
+- run: chmod 755 /usr/local/bin/kolla_update_cacerts
 - run: cp /usr/share/tcib/container-images/kolla/base/sudoers /etc/sudoers
 - run: chmod 440 /etc/sudoers
 - run: sed -ri '/^(passwd:|group:)/ s/systemd//g' /etc/nsswitch.conf