authorScott Murray <scott.murray@konsulko.com>2023-04-24 18:01:29 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2023-04-27 09:56:24 +0000
commit2abc36aa3020a5e9fc1597ffdc1749eda2121036 (patch)
tree946624076b6779b20465cb462c7a4d233321913b /recipes-connectivity/kuksa-val/kuksa-val_git.bb
parentbd52c7c7c182e5a5ff719f07f11e29fb2cd56eac (diff)
kuksa-val: Rework to support updated SSL certificates
Changes: - Tweak the kuksa-val recipe to remove installing a newer server certificate (since it will be done elsewhere), and to split the certificates up into finer grained packages to ease installing them piecemeal and replacing them with other packages. - Remove the unused genCerts.sh certificate script patch from the kuksa-val recipe, an updated patch will be added in the near future. - Added a patch in the kuksa-viss-client recipe that enables the library to use certificates installed in /etc/kuksa-certificates or /etc/kuksa-val instead of the default ones that are shipped. - Add kuksa-certificates-agl recipe that installs AGL specific CA, server, and client certificates plus the required server and client keys to act as a replacement for the default ones shipped with KUKSA.val. The kuksa-certificates-agl name is used to avoid needing a rename with a future switch to kuksa-databroker. Note that the RPROVIDES variable is used for the various certificate packages to make them installable alternatives to the kuksa-val-certificates-* ones. The certificates installed are valid for 1 year and have AGL as the providing organization, longer validity ones will be added in follow up commits for Octopus and Pike. - Update the existing users of kuksa-val-*-certificates with the new kuksa-val-certificates-* package names. - Add PREFERRED_RPROVIDER definitions for the kuksa-val-certificates-* packages to quiet the BitBake warnings coming from having multiple providers. Bug-AGL: SPEC-4763 Change-Id: Ic6f1ca8b54f637674cd5ae42df0bed6ca4e729aa Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-val_git.bb')
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val_git.bb70
1 files changed, 32 insertions, 38 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index 04f6f4f64..a894f0133 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -14,17 +14,12 @@ DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
require kuksa-val.inc
SRC_URI += "file://kuksa-val.service \
- file://0001-Make-Boost-requirements-more-liberal.patch;striplevel=2 \
- file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;striplevel=2 \
- file://0003-Make-install-locations-configurable.patch;striplevel=2 \
- file://0004-Disable-default-fetch-and-build-of-googletest.patch;striplevel=2 \
- file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;striplevel=2 \
- file://Server.key \
- file://Server.pem \
+ file://0001-Make-Boost-requirements-more-liberal.patch;patchdir=.. \
+ file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;patchdir=.. \
+ file://0003-Make-install-locations-configurable.patch;patchdir=.. \
+ file://0004-Disable-default-fetch-and-build-of-googletest.patch;patchdir=.. \
+ file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;patchdir=.. \
"
-# NOTE: Ideally this would be applied, but our S definition makes it problematic:
-# file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch;striplevel=?
-#
S = "${WORKDIR}/git/kuksa-val-server"
@@ -32,10 +27,11 @@ inherit cmake pkgconfig systemd useradd
SYSTEMD_SERVICE:${PN} = "kuksa-val.service"
-USERADD_PACKAGES = "${PN}"
+USERADD_PACKAGES = "${PN} ${PN}-server-certificates"
USERADDEXTENSION = "useradd-staticids"
GROUPADD_PARAM:${PN} = "-g 900 kuksa ;"
USERADD_PARAM:${PN} = "--system -g 900 -u 900 -o -d / --shell /bin/nologin kuksa ;"
+GROUPADD_PARAM:${PN}-server-certificates = "-g 900 kuksa ;"
# Configure file locations more along the lines of FHS instead of kuksa.val's
# default locations.
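Review bot: The added `USERADD_PACKAGES` entry and the new `GROUPADD_PARAM` line name a package `${PN}-server-certificates`, but the package this commit actually creates further down is `${PN}-certificates-server` (see `PACKAGE_BEFORE_PN` and `FILES:${PN}-certificates-server`), so the `kuksa` group will never be created by the certificate package and BitBake will likely warn about a useradd package that does not exist. Use the real name in both places: `USERADD_PACKAGES = "${PN} ${PN}-certificates-server"` and `GROUPADD_PARAM:${PN}-certificates-server = "-g 900 kuksa ;"`. Note also that the same commit drops the `chgrp 900` on Server.key from do_install, so as written nothing in this recipe uses the group on the certificate package; if the intent is for the server key to stay group-owned by `kuksa`, that ownership step should be restored alongside this groupadd rather than relying on the group alone.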
@@ -55,39 +51,37 @@ do_install:append() {
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
fi
-
- # Install replacement server key + certificate
- # These are AGL specific versions generated using a tweaked
- # genCerts.sh script from the source tree that adds the now
- # required subjectAltName extension field to make python3-ssl
- # happy. This will be addressed with upstream and can hopefully
- # be dropped in the future.
- rm -f ${D}${sysconfdir}/kuksa-val/Server.key
- install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
- rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
- install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
-
- # Restrict server certificate access
- # NOTE: The client certificates are left alone here for client
- # development convenience for now, but this will need to
- # be revisited.
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.key
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.key
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.pem
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
}
-# Put client certificates into their own package so we can avoid
-# duplicates of them for e.g. cluster clients. Longer term this
-# will need to be revisited.
-PACKAGE_BEFORE_PN += "${PN}-client-certificates"
+# Put certificates into their own packages so we can avoid duplicates
+# of them for e.g. cluster clients, and so downstream users can
+# replace them with their own certificates.
+#
+# NOTE:
+# Downstream users can replace these packages with alternates by
+# having their packages set their RPROVIDES to include the desired
+# kuksa-val-certificates-* and explicitly adding their package(s)
+# to an image, they will end up getting priority during rootfs
+# construction and installed instead of the default ones here.
+
+PACKAGE_BEFORE_PN += "${PN}-certificates-ca ${PN}-certificates-server ${PN}-certificates-client"
+
+FILES:${PN}-certificates-ca = " \
+ ${sysconfdir}/kuksa-val/CA.pem \
+"
-FILES:${PN}-client-certificates = " \
+FILES:${PN}-certificates-server = " \
+ ${sysconfdir}/kuksa-val/Server.key \
+ ${sysconfdir}/kuksa-val/Server.pem \
+"
+RDEPENDS:${PN}-certificates-server += "${PN}-certificates-ca"
+
+FILES:${PN}-certificates-client = " \
${sysconfdir}/kuksa-val/Client.key \
${sysconfdir}/kuksa-val/Client.pem \
- ${sysconfdir}/kuksa-val/CA.pem \
"
+RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"
FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-certificates-server ${PN}-certificates-client"
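Review bot: `RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"` is attached to a package that does not exist; the package defined a few lines above is `${PN}-certificates-client`, so installing the client certificate package on its own (the piecemeal case the commit is trying to enable) will not pull in CA.pem and a client would have no trust anchor for verifying the server. The fix is the one-word rename `RDEPENDS:${PN}-certificates-client += "${PN}-certificates-ca"`, matching the server package's `RDEPENDS` line. Separately, this hunk removes the `chmod 640`/`chgrp 900` on Server.key without a replacement, so the default key shipped in `${PN}-certificates-server` now carries whatever mode the upstream install step sets (I cannot see that step here, but a plain CMake file install would leave it world-readable); unless the hardening is moving with the key elsewhere, keeping `chmod 640 ${D}${sysconfdir}/kuksa-val/Server.key` in do_install:append seems warranted. The do_install:append function begins before this hunk.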