diff --git a/cmd/osbuild-composer/main.go b/cmd/osbuild-composer/main.go
index df36f640e..20455bb2b 100644
--- a/cmd/osbuild-composer/main.go
+++ b/cmd/osbuild-composer/main.go
@@ -32,22 +32,28 @@ import (
 const configFile = "/etc/osbuild-composer/osbuild-composer.toml"
 type connectionConfig struct {
- CACertFile string
+ // CA used for client certificate validation. If nil, then the CAs
+ // trusted by the host system are used.
+ CACertFile *string
 ServerKeyFile string
 ServerCertFile string
 AllowedDomains []string
 }
 func createTLSConfig(c *connectionConfig) (*tls.Config, error) {
- caCertPEM, err := ioutil.ReadFile(c.CACertFile)
- if err != nil {
- return nil, err
- }
+ var roots *x509.CertPool
- roots := x509.NewCertPool()
- ok := roots.AppendCertsFromPEM(caCertPEM)
- if !ok {
- panic("failed to parse root certificate")
+ if c.CACertFile != nil {
+ caCertPEM, err := ioutil.ReadFile(*c.CACertFile)
+ if err != nil {
+ return nil, err
+ }
+
+ roots = x509.NewCertPool()
+ ok := roots.AppendCertsFromPEM(caCertPEM)
+ if !ok {
+ panic("failed to parse root certificate")
+ }
 }
 cert, err := tls.LoadX509KeyPair(c.ServerCertFile, c.ServerKeyFile)
@@ -82,9 +88,11 @@ func main() {
 } `toml:"kerberos,omitempty"`
 } `toml:"servers"`
 AllowedDomains []string `toml:"allowed_domains"`
+ CA *string `toml:"ca"`
 } `toml:"koji"`
 Worker *struct {
 AllowedDomains []string `toml:"allowed_domains"`
+ CA *string `toml:"ca"`
 } `toml:"worker,omitempty"`
 }
 var verbose bool
@@ -213,7 +221,7 @@ func main() {
 kojiServer := kojiapi.NewServer(logger, workers, rpm, distros, kojiServers)
 tlsConfig, err := createTLSConfig(&connectionConfig{
- CACertFile: "/etc/osbuild-composer/ca-crt.pem",
+ CACertFile: config.Koji.CA,
 ServerKeyFile: "/etc/osbuild-composer/composer-key.pem",
 ServerCertFile: "/etc/osbuild-composer/composer-crt.pem",
 AllowedDomains: config.Koji.AllowedDomains,
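Review bot: When `CACertFile` is nil, `roots` stays nil and the resulting `tls.Config` validates client certificates against the host's system trust store, so an operator who merely omits `ca` from the TOML (the `config.Koji.CA` and `config.Worker.CA` call sites in the two later hunks) silently accepts client certificates issued by any publicly trusted CA instead of the deployment's own CA; whether `AllowedDomains` narrows that depends on the rest of createTLSConfig, which lies outside this hunk. That fallback should be an explicit choice rather than the consequence of a missing key: either log it clearly at startup or refuse to start, e.g. `if c.CACertFile == nil { return nil, errors.New("no CA configured for client certificate validation") }` (provided the package imports errors). Separately, a malformed CA file still hits `panic("failed to parse root certificate")`; a configuration problem should surface as a returned error, e.g. `return nil, fmt.Errorf("no certificates parsed from CA file %s", *c.CACertFile)`, if fmt is available in this file.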
@@ -245,7 +253,7 @@ func main() {
 }
 tlsConfig, err := createTLSConfig(&connectionConfig{
- CACertFile: "/etc/osbuild-composer/ca-crt.pem",
+ CACertFile: config.Worker.CA,
 ServerKeyFile: "/etc/osbuild-composer/composer-key.pem",
 ServerCertFile: "/etc/osbuild-composer/composer-crt.pem",
 AllowedDomains: config.Worker.AllowedDomains,
diff --git a/test/image-tests/osbuild-composer.toml b/test/image-tests/osbuild-composer.toml
index 51f9014fd..df44527ce 100644
--- a/test/image-tests/osbuild-composer.toml
+++ b/test/image-tests/osbuild-composer.toml
@@ -1,5 +1,6 @@
 [koji]
 allowed_domains = [ "localhost", "worker.osbuild.org" ]
+ca = "/etc/osbuild-composer/ca-crt.pem"
 [koji.servers.localhost.kerberos]
 principal = "osbuild-krb@LOCAL"
@@ -7,3 +8,4 @@ keytab = "/etc/osbuild-composer/client.keytab"
 [worker]
 allowed_domains = [ "localhost", "worker.osbuild.org" ]
+ca = "/etc/osbuild-composer/ca-crt.pem"