author | Scott Murray <scott.murray@konsulko.com> | 2023-04-24 18:01:29 -0400 |
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2023-04-27 09:56:18 +0000 |
commit | fdb58afacf2dff95cca48a772d653e45a1b577f3 (patch) | |
tree | 1617355cb79b7549ff84eb424dab6daee64a1343 /recipes-connectivity/kuksa-val/kuksa-val_git.bb | |
parent | 34fd1612e443164364287894f50bde3de693eeb1 (diff) |
kuksa-val: Rework to support updated SSL certificates
Changes:
- Tweak the kuksa-val recipe to remove installing a newer server
certificate (since it will be done elsewhere), and to split the
certificates up into finer grained packages to ease installing
them piecemeal and replacing them with other packages.
- Remove the unused genCerts.sh certificate script patch from the
kuksa-val recipe, an updated patch will be added in the near
future.
- Added a patch in the kuksa-viss-client recipe that enables the
library to use certificates installed in /etc/kuksa-certificates or
/etc/kuksa-val instead of the default ones that are shipped.
- Add kuksa-certificates-agl recipe that installs AGL specific CA,
server, and client certificates plus the required server and client
keys to act as a replacement for the default ones shipped with
KUKSA.val. The kuksa-certificates-agl name is used to avoid needing
a rename with a future switch to kuksa-databroker. Note that the
RPROVIDES variable is used for the various certificate packages to
make them installable alternatives to the kuksa-val-certificates-*
ones. The certificates installed are valid for 1 year and have
AGL as the providing organization, longer validity ones will be
added in follow up commits for Octopus and Pike.
- Update the existing users of kuksa-val-*-certificates with the new
kuksa-val-certificates-* package names.
- Add PREFERRED_RPROVIDER definitions for the kuksa-val-certificates-*
packages to quiet the BitBake warnings coming from having multiple
providers.
Bug-AGL: SPEC-4763
Change-Id: Ic6f1ca8b54f637674cd5ae42df0bed6ca4e729aa
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-val_git.bb')
-rw-r--r-- | recipes-connectivity/kuksa-val/kuksa-val_git.bb | 70 |
1 files changed, 32 insertions, 38 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index 04f6f4f64..a894f0133 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -14,17 +14,12 @@ DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
 require kuksa-val.inc
 SRC_URI += "file://kuksa-val.service \
- file://0001-Make-Boost-requirements-more-liberal.patch;striplevel=2 \
- file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;striplevel=2 \
- file://0003-Make-install-locations-configurable.patch;striplevel=2 \
- file://0004-Disable-default-fetch-and-build-of-googletest.patch;striplevel=2 \
- file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;striplevel=2 \
- file://Server.key \
- file://Server.pem \
+ file://0001-Make-Boost-requirements-more-liberal.patch;patchdir=.. \
+ file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;patchdir=.. \
+ file://0003-Make-install-locations-configurable.patch;patchdir=.. \
+ file://0004-Disable-default-fetch-and-build-of-googletest.patch;patchdir=.. \
+ file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;patchdir=.. \
 "
-# NOTE: Ideally this would be applied, but our S definition makes it problematic:
-# file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch;striplevel=?
-# S = "${WORKDIR}/git/kuksa-val-server"
@@ -32,10 +27,11 @@ inherit cmake pkgconfig systemd useradd
 SYSTEMD_SERVICE:${PN} = "kuksa-val.service"
-USERADD_PACKAGES = "${PN}"
+USERADD_PACKAGES = "${PN} ${PN}-server-certificates"
 USERADDEXTENSION = "useradd-staticids"
 GROUPADD_PARAM:${PN} = "-g 900 kuksa ;"
 USERADD_PARAM:${PN} = "--system -g 900 -u 900 -o -d / --shell /bin/nologin kuksa ;"
+GROUPADD_PARAM:${PN}-server-certificates = "-g 900 kuksa ;"
 # Configure file locations more along the lines of FHS instead of kuksa.val's
 # default locations.
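Review bot: The package named in the new `USERADD_PACKAGES` and `GROUPADD_PARAM` lines, `${PN}-server-certificates`, does not match the package this same commit creates for Server.key and Server.pem, which is `${PN}-certificates-server` (see the `PACKAGE_BEFORE_PN` line in the last hunk). With the name mismatched, the group-creation parameters are attached to a package that is never produced, so nothing guarantees the kuksa group (gid 900) exists on a target that installs only the server certificate package; whether useradd.bbclass also errors on the unknown package name I cannot confirm from here. The two lines should read `USERADD_PACKAGES = "${PN} ${PN}-certificates-server"` and `GROUPADD_PARAM:${PN}-certificates-server = "-g 900 kuksa ;"`.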
@@ -55,39 +51,37 @@ do_install:append() {
 install -d ${D}${systemd_system_unitdir}
 install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
 fi
-
- # Install replacement server key + certificate
- These are AGL specific versions generated using a tweaked
- genCerts.sh script from the source tree that adds the now
- required subjectAltName extension field to make python3-ssl
- happy. This will be addressed with upstream and can hopefully
- be dropped in the future.
- rm -f ${D}${sysconfdir}/kuksa-val/Server.key
- install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
- rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
- install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
-
- # Restrict server certificate access
- NOTE: The client certificates are left alone here for client
- development convenience for now, but this will need to
- be revisited.
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.key
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.key
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.pem
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
 }
-# Put client certificates into their own package so we can avoid
-# duplicates of them for e.g. cluster clients. Longer term this
-# will need to be revisited.
-PACKAGE_BEFORE_PN += "${PN}-client-certificates"
+# Put certificates into their own packages so we can avoid duplicates
+# of them for e.g. cluster clients, and so downstream users can
+# replace them with their own certificates.
+#
+# NOTE:
+# Downstream users can replace these packages with alternates by
+# having their packages set their RPROVIDES to include the desired
+# kuksa-val-certificates-* and explicitly adding their package(s)
+# to an image, they will end up getting priority during rootfs
+# construction and installed instead of the default ones here.
+
+PACKAGE_BEFORE_PN += "${PN}-certificates-ca ${PN}-certificates-server ${PN}-certificates-client"
+
+FILES:${PN}-certificates-ca = " \
+ ${sysconfdir}/kuksa-val/CA.pem \
+"
-FILES:${PN}-client-certificates = " \
+FILES:${PN}-certificates-server = " \
+ ${sysconfdir}/kuksa-val/Server.key \
+ ${sysconfdir}/kuksa-val/Server.pem \
+"
+RDEPENDS:${PN}-certificates-server += "${PN}-certificates-ca"
+
+FILES:${PN}-certificates-client = " \
 ${sysconfdir}/kuksa-val/Client.key \
 ${sysconfdir}/kuksa-val/Client.pem \
- ${sysconfdir}/kuksa-val/CA.pem \
 "
+RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"
 FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-certificates-server ${PN}-certificates-client"
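Review bot: `RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"` targets a package that is never defined (the one created just above is `${PN}-certificates-client`), so the client certificate package carries no dependency on the CA package and an image that pulls in only the client package loses the CA.pem it shipped before this change; the line should read `RDEPENDS:${PN}-certificates-client += "${PN}-certificates-ca"`. Separately, the removed `chmod 640`/`chgrp 900` on Server.key was the only visible place that kept the server's private key from being world-readable, and nothing on the new side replaces it; unless the upstream install rule already sets a restrictive mode (not visible here), `${PN}-certificates-server` should still apply `chmod 640 ${D}${sysconfdir}/kuksa-val/Server.key` and the matching chgrp in do_install, and a short comment above the server FILES block should say which package is expected to own the key's permissions. The do_install:append function begins before this hunk.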