particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

templates/packer: support ldap service account for repo mtls conf

Browse source 
The secret needs 3 fields, the cert, key and baseurl for the
repository. The CA is optional.
This commit is contained in:
Sanne Raymaekers 2024-03-29 14:58:42 +01:00
parent 53f77368fd
commit c8130d0689
2 changed files with 45 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

44
templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_ldap_sa_mtls_creds.sh Executable file
View file

@ -0,0 +1,44 @@
#!/bin/bash
set -euo pipefail
source /tmp/cloud_init_vars
echo "Deploy MTLS credentials for custom repositories."
LDAP_SERVICE_ACCOUNT_MTLS_IMAGE_BUILDER_ARN=${LDAP_SERVICE_ACCOUNT_MTLS_IMAGE_BUILDER_ARN:-}
if [[ -z "$LDAP_SERVICE_ACCOUNT_MTLS_IMAGE_BUILDER_ARN" ]]; then
echo "LDAP_SERVICE_ACCOUNT_MTLS_IMAGE_BUILDER_ARN not defined, skipping."
exit 0
fi
/usr/local/bin/aws secretsmanager get-secret-value \
--endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
--secret-id "${LDAP_SERVICE_ACCOUNT_MTLS_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/ldap_service_account_mtls_credentials.json
MTLS_CERT=$(jq -r ".cert" /tmp/ldap_service_account_mtls_credentials.json)
MTLS_KEY=$(jq -r ".key" /tmp/ldap_service_account_mtls_credentials.json)
BASEURL=$(jq -r ".baseurl" /tmp/ldap_service_account_mtls_credentials.json)
CA=$(jq -r ".ca" /tmp/ldap_service_account_mtls_credentials.json)
rm /tmp/ldap_service_account_mtls_credentials.json
sudo tee /etc/osbuild-worker/image_builder_sa_mtls_cert.pem > /dev/null << EOF
$MTLS_CERT
EOF
sudo tee /etc/osbuild-worker/image_builder_sa_mtls_key.pem > /dev/null << EOF
$MTLS_KEY
EOF
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
[repository_mtls]
baseurl = "$BASEURL"
mtls_client_key = "/etc/osbuild-worker/image_builder_sa_mtls_key.pem"
mtls_client_cert = "/etc/osbuild-worker/image_builder_sa_mtls_cert.pem"
EOF
if [ "$CA" != null ]; then
sudo tee /etc/osbuild-worker/image_builder_sa_ca.pem > /dev/null << EOF
$CA
EOF
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
ca = "/etc/osbuild-worker/image_builder_sa_ca.pem"
EOF
fi

1
templates/packer/ansible/roles/common/files/worker-initialization.service
View file

@ -19,6 +19,7 @@ ExecStart=/usr/local/libexec/worker-initialization-scripts/get_gcp_creds.sh
ExecStart=/usr/local/libexec/worker-initialization-scripts/get_koji_creds.sh ExecStart=/usr/local/libexec/worker-initialization-scripts/get_koji_creds.sh
ExecStart=/usr/local/libexec/worker-initialization-scripts/get_oci_creds.sh ExecStart=/usr/local/libexec/worker-initialization-scripts/get_oci_creds.sh
ExecStart=/usr/local/libexec/worker-initialization-scripts/get_pulp_creds.sh ExecStart=/usr/local/libexec/worker-initialization-scripts/get_pulp_creds.sh
ExecStart=/usr/local/libexec/worker-initialization-scripts/get_ldap_sa_mtls_creds.sh
ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_service.sh ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_service.sh
[Install] [Install]