diff options
Diffstat (limited to 'ironic/conductor/utils.py')
-rw-r--r-- | ironic/conductor/utils.py | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/ironic/conductor/utils.py b/ironic/conductor/utils.py index 7e0433923..9ee4a5145 100644 --- a/ironic/conductor/utils.py +++ b/ironic/conductor/utils.py @@ -16,6 +16,7 @@ import contextlib import crypt import datetime from distutils.version import StrictVersion +import os import secrets import time @@ -462,6 +463,8 @@ def wipe_internal_info_on_power_off(node): # Wipe cached steps since they may change after reboot. driver_internal_info.pop('agent_cached_deploy_steps', None) driver_internal_info.pop('agent_cached_clean_steps', None) + # Remove TLS certificate since it's regenerated on each run. + driver_internal_info.pop('agent_verify_ca', None) node.driver_internal_info = driver_internal_info @@ -473,6 +476,8 @@ def wipe_token_and_url(task): # Remove agent_url since it will be re-asserted # upon the next deployment attempt. info.pop('agent_url', None) + # Remove TLS certificate since it's regenerated on each run. + info.pop('agent_verify_ca', None) task.node.driver_internal_info = info @@ -1232,3 +1237,45 @@ def get_attached_vif(port): if inspection_vif: return (inspection_vif, 'inspecting') return (None, None) + + +def store_agent_certificate(node, agent_verify_ca): + """Store certificate received from the agent and return its path.""" + existing_verify_ca = node.driver_internal_info.get( + 'agent_verify_ca') + if existing_verify_ca: + if os.path.exists(existing_verify_ca): + try: + with open(existing_verify_ca, 'rt') as fp: + existing_text = fp.read() + except EnvironmentError: + with excutils.save_and_reraise_exception(): + LOG.exception('Could not read the existing TLS certificate' + ' for node %s', node.uuid) + + if existing_text.strip() != agent_verify_ca.strip(): + LOG.error('Content mismatch for agent_verify_ca for ' + 'node %s', node.uuid) + raise exception.InvalidParameterValue( + _('Detected change in ramdisk provided "agent_verify_ca"')) + else: + return existing_verify_ca + else: + LOG.info('Current agent_verify_ca was not found for node ' + '%s, assuming take over and storing', node.uuid) + + fname = os.path.join(CONF.agent.certificates_path, '%s.crt' % node.uuid) + try: + # FIXME(dtantsur): it makes more sense to create this path on conductor + # start-up, but it requires reworking a ton of unit tests. + os.makedirs(CONF.agent.certificates_path, exist_ok=True) + with open(fname, 'wt') as fp: + fp.write(agent_verify_ca) + except EnvironmentError: + with excutils.save_and_reraise_exception(): + LOG.exception('Could not save the TLS certificate for node %s', + node.uuid) + else: + LOG.debug('Saved the custom certificate for node %(node)s to %(file)s', + {'node': node.uuid, 'file': fname}) + return fname |