api/worker, koji: change CA logic for client certificates

Prior to this commit, the /etc/osbuild-composer/ca-crt.pem certificate
was used as an authority to validate client certificates.

After this commit, the host's trusted certificates are used to do
the validation. The ability to override this behaviour is also introduced:

In osbuild-composer config file, under koji and worker sections, a new CA
option is now available. If set, osbuild-composer uses it as a path
to the certificate used to validate client certificates instead of the
default ones.

With this feature, it's possible to restore the validation behaviour
used before this change. Just put the following lines in
/etc/osbuild-composer/osbuild-composer.toml:

[koji]
ca = "/etc/osbuild-composer/ca-crt.pem"

[worker]
ca = "/etc/osbuild-composer/ca-crt.pem"
Ondřej Budai 2020-09-23 09:50:12 +02:00 committed by Tom Gundersen
parent 68be242850
commit 5b57814664
2 changed files with 21 additions and 11 deletions

@ -1,5 +1,6 @@
[koji]
allowed_domains = [ "localhost", "worker.osbuild.org" ]
ca = "/etc/osbuild-composer/ca-crt.pem"
[koji.servers.localhost.kerberos]
principal = "osbuild-krb@LOCAL"
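Review bot: the ca line added under [koji] carries no comment saying that it is an override rather than a required setting. Per the commit message, leaving it out makes the host's trusted certificates the authority for client certificates, and the allowed_domains list above it would then be the only restriction visible in this section. Suggest a one-line comment above ca stating that it pins client-certificate validation to this CA and that removing it falls back to the system trust store.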
@ -7,3 +8,4 @@ keytab = "/etc/osbuild-composer/client.keytab"
[worker]
allowed_domains = [ "localhost", "worker.osbuild.org" ]
ca = "/etc/osbuild-composer/ca-crt.pem"
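Review bot: in [worker], the ca path repeats the one in [koji], and nothing visible says what happens when that file is missing or unreadable. A silent fallback to the host's trusted certificates would accept client certificates from more issuers than the operator configured, so suggest treating a ca that is set but cannot be loaded as a startup error and stating that in the option's documentation.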