blueprint: fix cacerts name for TOML #1076

Merged (1 commit), Dec 6, 2024
8 changes: 7 additions & 1 deletion cmd/otk/osbuild-resolve-ostree-commit/main_test.go
@@ -202,7 +202,13 @@ func TestMockResolve(t *testing.T) {
{
"tree": {
"ref": "otk/ostree/test",
"url": "https://ostree.example.org/repo"
"url": "https://ostree.example.org/repo",
"mtls": {
"ca": "ca.crt",
"client_cert": "client.crt",
"client_key": "client.key"
},
"proxy": "proxy.example.com:8080"
}
}
`
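Review bot: the `mtls` and `proxy` fields added to the `TestMockResolve` fixture are unrelated to the cacerts TOML tag fix announced in the PR title; either split them into their own commit or state in the commit message why they ride along. The visible part of the hunk only extends the input document, so it is not clear that the test asserts the new `ca`, `client_cert`, `client_key` and `proxy` values are actually forwarded to the resolver; a matching expectation on the resolver's output would make the fixture change meaningful rather than decorative.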
5 changes: 0 additions & 5 deletions pkg/blueprint/ca_customizations.go

This file was deleted.

18 changes: 10 additions & 8 deletions pkg/blueprint/customizations.go
@@ -33,7 +33,7 @@ type Customizations struct {
Installer *InstallerCustomization `json:"installer,omitempty" toml:"installer,omitempty"`
RPM *RPMCustomization `json:"rpm,omitempty" toml:"rpm,omitempty"`
RHSM *RHSMCustomization `json:"rhsm,omitempty" toml:"rhsm,omitempty"`
CACerts *CACustomization `json:"cacerts,omitempty" toml:"ca,omitempty"`
CACerts *CACustomization `json:"cacerts,omitempty" toml:"cacerts,omitempty"`
}

type IgnitionCustomization struct {
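Review bot: changing the `toml` tag from `ca` to `cacerts` is a user-visible rename of the blueprint key, so any existing TOML blueprint written against `[customizations.ca]` stops applying its certificates after this change; whether the old table is then silently ignored or rejected depends on how the TOML decoder treats unknown keys, which is worth confirming and stating in the commit message. A round-trip unit test that decodes a TOML blueprint containing `[customizations.cacerts]` with a `pem_certs` entry and checks `CACerts.PEMCerts` would pin the JSON and TOML names together and prevent the tags from drifting apart again.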
@@ -144,6 +144,10 @@ type ContainerStorageCustomization struct {
StoragePath *string `json:"destination-path,omitempty" toml:"destination-path,omitempty"`
}

type CACustomization struct {
PEMCerts []string `json:"pem_certs,omitempty" toml:"pem_certs,omitempty"`
}

type CustomizationError struct {
Message string
}
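Review bot: `CACustomization` is moved here from the deleted `pkg/blueprint/ca_customizations.go`, but the deleted file's content is not shown in the diff, so please confirm that the `json:"pem_certs,omitempty" toml:"pem_certs,omitempty"` tags are identical to the original definition; a changed field tag at this point would be exactly the kind of silent key rename this PR sets out to fix.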
@@ -441,16 +445,14 @@ func (c *Customizations) GetRHSM() *RHSMCustomization {
}

func (c *Customizations) checkCACerts() error {
if c == nil {
if c == nil || c.CACerts == nil {
return nil
}

if c.CACerts != nil {
for _, bundle := range c.CACerts.PEMCerts {
_, err := cert.ParseCerts(bundle)
if err != nil {
return err
}
for _, bundle := range c.CACerts.PEMCerts {
_, err := cert.ParseCerts(bundle)
if err != nil {
return err
}
}

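Review bot: the `checkCACerts` refactor is behaviour-preserving (the nil guard now also covers `c.CACerts` and the loop body is unchanged), but the error from `cert.ParseCerts` is still returned bare, so a user with several `pem_certs` entries cannot tell which bundle failed to parse; wrapping it with the index, for example `return fmt.Errorf("cacerts: invalid pem_certs[%d]: %w", i, err)`, would make validation failures actionable. A unit test feeding a blueprint with one empty or non-PEM `pem_certs` entry through this path would also be worthwhile, since this is the only place a bad certificate bundle is rejected before it reaches the image.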
21 changes: 21 additions & 0 deletions test/scripts/base-host-check.sh
@@ -1,4 +1,5 @@
#!/usr/bin/env bash
# vim: sw=4:et
set -euo pipefail

running_wait() {
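Review bot: enabling `set -euo pipefail` for the whole of `base-host-check.sh` is a sensible hardening, but it changes the failure semantics of every existing function in the script, not just the new one: any pipeline whose non-final stage exits non-zero, any command outside an `if`/`||` that fails, and any reference to an unset variable now aborts the check. Please review the existing helpers (`running_wait`, `get_oscap_score` and the rest) for patterns that relied on the old behaviour, and consider landing this line as its own commit so a CI breakage can be bisected independently of the cacerts test.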
@@ -78,6 +79,22 @@ get_oscap_score() {
fi
}

check_ca_cert() {
serial=$(jq -r '.blueprint.customizations.cacerts.pem_certs[0]' "${config}" | openssl x509 -noout -serial | cut -d= -f 2-)

echo "📗 Checking CA cert anchor file"
if ! [ -e "/etc/pki/ca-trust/source/anchors/${serial}.pem" ]; then
echo "Anchor CA file does not exist"
exit 1
fi

echo "📗 Checking extracted CA cert file"
if ! [ -e "/etc/pki/ca-trust/source/extracted/pem/directory-hash/Test_CA_for_osbuild.pem.pem" ]; then
Member:

@lzap I just noticed a potential typo in the filename - note the double .pem.pem 🤔

Contributor:

Yeah, this is curious, do we generate funky filenames here or is the test not running correctly?

Member (thozza, Dec 9, 2024):

@mvo5 see #1076 (comment). The cacert customization is not applied to any image we boot-test, so this code is never executed.

echo "Extracted CA file does not exist"
exit 1
fi
}

Contributor Author:

Out of curiosity, where do I see this output? I am unable to locate this job.

Member:

If the manifest were not rebuilt during the CI run (because it didn't change), you'd find a link to the run in which it was tested in the job that generated it (e.g. https://gitlab.com/redhat/services/products/image-builder/ci/images/-/jobs/8565731980). Since the manifest didn't change and you added the test, it was not run at all. A complete manifest regeneration would be required. That can be achieved by bumping the rngseed in

"rngseed": 1,

I did it in #1093 and if my comment about the potential typo from above is correct, it should fail 🤔

Member:

The story continues:

  • osbuild: new stage 'cacert' (HMS-4839) #907 added the cacert customization only to all-customizations.json,
  • all-customizations.json is applied only when building qcow2:
        "./configs/all-customizations.json": {
            "distros": [
                "rhel-10*",
                "rhel-9*",
                "rhel-8*",
                "centos*",
                "fedora*"
            ],
            "image-types": [
                "qcow2"
            ]
        },
  • We do not boot-test qcow2 in this repository CI, so the change in the base-host-check.sh won't run in the CI.

Contributor Author:

Yeah, apologies: #1096

echo "❓ Checking system status"
if ! running_wait; then
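Review bot: `check_ca_cert` ignores the `"${config}"` argument it is called with and reads the caller's global `config` instead, and `serial` is assigned as a global; `local config="$1"` and `local serial` at the top of the function would make the contract explicit and keep `set -u` failures local to the function. On the paths: the anchor check looks under `/etc/pki/ca-trust/source/anchors/`, but the extracted-file check looks under `/etc/pki/ca-trust/source/extracted/pem/directory-hash/`; on Fedora/RHEL-style trust stores the extracted tree lives at `/etc/pki/ca-trust/extracted/`, not beneath `source/`, so this path should be verified on a booted image together with the doubled `.pem.pem` suffix already flagged in the thread, and the hard-coded `Test_CA_for_osbuild` filename ties the test to one specific certificate subject. Finally, with `pipefail` active, the `jq | openssl x509 | cut` pipeline aborts the script if the first `pem_certs` entry is not a parseable certificate, which is a reasonable outcome but produces no diagnostic; an explicit `echo` before failing would make that case readable in CI.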

@@ -114,4 +131,8 @@ if (( $# > 0 )); then
if jq -e .blueprint.customizations.openscap "${config}"; then
get_oscap_score "${config}"
fi

if jq -e '.blueprint.customizations.cacerts.pem_certs[0]' "${config}"; then
check_ca_cert "${config}"
fi
fi
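Review bot: `jq -e '.blueprint.customizations.cacerts.pem_certs[0]' "${config}"` is used purely as a presence test, but without `>/dev/null` it prints the entire PEM bundle into the CI log on every run; the existing `openscap` guard above has the same habit. Redirecting stdout keeps the log readable, and `jq -e` still returns non-zero for a `null` result, so the guard itself is correct as written and remains safe under `set -e` because it sits in an `if` condition.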