sources/ostree: pull from remote using rhsm mTLS certs
The consumer certs are used to uniquely identify a system against candlepin. These consumer certs can be used to identify the system when pulling from RH-controlled ostree repositories.
This commit is contained in:
parent
1c81d1e966
commit
fcaad0462a
2 changed files with 36 additions and 3 deletions
@ -38,6 +38,20 @@ class Subscriptions:
|
||||||
|
|
||||||
raise RuntimeError("no matching rhsm key and cert")
|
raise RuntimeError("no matching rhsm key and cert")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def get_consumer_secrets():
|
||||||
|
"""Returns the consumer identity certificate which uniquely identifies the system"""
|
||||||
|
key = "/etc/pki/consumer/cert.pem"
|
||||||
|
cert = "/etc/pki/consumer/key.pem"
|
||||||
|
|
||||||
|
if not (os.path.exists(key) and os.path.exists(cert)):
|
||||||
|
raise RuntimeError("rhsm consumer key and cert not found")
|
||||||
|
|
||||||
|
return {
|
||||||
|
'consumer_key': key,
|
||||||
|
'consumer_cert': cert
|
||||||
|
}
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def from_host_system(cls):
|
def from_host_system(cls):
|
||||||
"""Read redhat.repo file and process the list of repositories in there."""
|
"""Read redhat.repo file and process the list of repositories in there."""
|
||||||
|
|
|
||||||
|
|
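Review bot: The consumer key and certificate paths are swapped in get_consumer_secrets: `key` is assigned `/etc/pki/consumer/cert.pem` and `cert` is assigned `/etc/pki/consumer/key.pem`, so `consumer_key` ends up pointing at the certificate and `consumer_cert` at the private key, and the caller's `--tls-client-key-path`/`--tls-client-cert-path` options receive the wrong files. The two assignments should read `key = "/etc/pki/consumer/key.pem"` and `cert = "/etc/pki/consumer/cert.pem"`. The docstring says the method returns the certificate, but the body returns a dict of two file paths; `"""Return paths to the rhsm consumer identity key and certificate; raises RuntimeError when either file is missing."""` would match what the code does. The Subscriptions class continues outside the hunk.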
@ -14,6 +14,7 @@ import uuid
|
||||||
|
|
||||||
from osbuild import sources
|
from osbuild import sources
|
||||||
from osbuild.util.ostree import show
|
from osbuild.util.ostree import show
|
||||||
|
from osbuild.util.rhsm import Subscriptions
|
||||||
|
|
||||||
SCHEMA = """
|
SCHEMA = """
|
||||||
"additionalProperties": false,
|
"additionalProperties": false,
|
||||||
|
|
@ -43,6 +44,19 @@ SCHEMA = """
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"description": "GPG keys to verify the commits"
|
"description": "GPG keys to verify the commits"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"secrets": {
|
||||||
|
"type": "object",
|
||||||
|
"additionalProperties": false,
|
||||||
|
"required": [
|
||||||
|
"name"
|
||||||
|
],
|
||||||
|
"properties": {
|
||||||
|
"name": {
|
||||||
|
"type": "string",
|
||||||
|
"description": "Name of the secrets provider."
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -89,13 +103,18 @@ class OSTreeSource(sources.SourceService):
|
||||||
gpg = remote.get("gpgkeys", [])
|
gpg = remote.get("gpgkeys", [])
|
||||||
uid = str(uuid.uuid4())
|
uid = str(uuid.uuid4())
|
||||||
|
|
||||||
verify_args = []
|
remote_add_args = []
|
||||||
if not gpg:
|
if not gpg:
|
||||||
verify_args = ["--no-gpg-verify"]
|
remote_add_args = ["--no-gpg-verify"]
|
||||||
|
|
||||||
|
if remote.get("secrets", {}).get("name") == "org.osbuild.rhsm.consumer":
|
||||||
|
secrets = Subscriptions.get_consumer_secrets()
|
||||||
|
remote_add_args.append("--tls-client-key-path=%s", secrets['consumer_key'])
|
||||||
|
remote_add_args.append("--tls-client-cert-path=%s", secrets['consumer_cert'])
|
||||||
|
|
||||||
ostree("remote", "add",
|
ostree("remote", "add",
|
||||||
uid, url,
|
uid, url,
|
||||||
*verify_args,
|
*remote_add_args,
|
||||||
repo=self.repo)
|
repo=self.repo)
|
||||||
|
|
||||||
for key in gpg:
|
for key in gpg:
|
||||||
|
|
|
||||||
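Review bot: Both `remote_add_args.append(...)` calls in the new rhsm branch pass two arguments, which raises `TypeError` at runtime because `list.append` takes exactly one, and the `%s` placeholder is never formatted, so the mTLS path cannot work as committed; they should be `remote_add_args.append("--tls-client-key-path=%s" % secrets['consumer_key'])` and `remote_add_args.append("--tls-client-cert-path=%s" % secrets['consumer_cert'])`. The condition only matches the exact provider name `org.osbuild.rhsm.consumer`, and any other value in `secrets.name` is silently ignored, leaving the remote added without client TLS; the schema hunk above could pin the name with `"enum": ["org.osbuild.rhsm.consumer"]` so a misspelled provider is rejected at validation time instead of degrading to an unauthenticated pull. The enclosing OSTreeSource method starts and ends outside the hunk.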