diff --git a/README.md b/README.md
index 150c0f96..9e0a01b2 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Please contact your Technical Account Manager for more information, and support
 | primary\_count | The number of additional cluster master nodes to run | string | n/a | yes |
 | secondary\_count | The number of secondary cluster nodes to run | string | n/a | yes |
 | vpc\_id | AWS VPC id to install into | string | n/a | yes |
+| ca_cert_url | URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections| string | `"none"` | no |
 | airgap\_installer\_url | URL to replicated's airgap installer package | string | `"https://install.terraform.io/installer/replicated-v5.tar.gz"` | no |
 | airgap\_package\_url | signed URL to download the package | string | `""` | no |
 | ami | AMI to launch instance with; defaults to latest Ubuntu Xenial | string | `""` | no |
diff --git a/config.tf b/config.tf
index 7a77d571..197520cc 100644
--- a/config.tf
+++ b/config.tf
@@ -53,6 +53,8 @@ data "template_file" "cloud_config" {
 proxy_url = "${var.http_proxy_url}"
 installer_url = "${var.installer_url}"
+ ca_cert_url = "${var.ca_cert_url}"
+
 import_key = "${var.import_key}"
 startup_script = "${base64encode(var.startup_script)}"
@@ -86,6 +88,8 @@ data "template_file" "cloud_config_secondary" {
 installer_url = "${var.installer_url}"
 role = "secondary"
+ ca_cert_url = "${var.ca_cert_url}"
+
 import_key = "${var.import_key}"
 }
 }
diff --git a/files/install-ptfe.sh b/files/install-ptfe.sh
index de7cd7e5..80196548 100644
--- a/files/install-ptfe.sh
+++ b/files/install-ptfe.sh
@@ -47,6 +47,57 @@ export role
 airgap_url_path="/etc/ptfe/airgap-package-url"
 airgap_installer_url_path="/etc/ptfe/airgap-installer-url"
+# ------------------------------------------------------------------------------
+# Custom CA certificate download and configuration block
+# ------------------------------------------------------------------------------
+if [[ -n $(< /etc/ptfe/custom-ca-cert-url) && \
+ $(< /etc/ptfe/custom-ca-cert-url) != none ]]; then
+ custom_ca_cert_url=$(cat /etc/ptfe/custom-ca-cert-url)
+ custom_ca_cert_file_name=$(echo "${custom_ca_cert_url}" | awk -F '/' '{ print $NF }')
+ ca_tmp_dir="/tmp/ptfe/customer-certs"
+ replicated_conf_file="replicated-ptfe.conf"
+ local_messages_file="local_messages.log"
+ # Setting up a tmp directory to do this `jq` transform to leave artifacts if anything goes "boom",
+ # since we're trusting user input to be both a working URL and a valid certificate.
+ # These artifacts will live in /tmp/ptfe/customer-certs/{local_messages.log,wget_output.log} files.
+ mkdir -p "${ca_tmp_dir}"
+ pushd "${ca_tmp_dir}"
+ touch ${local_messages_file}
+ if wget --trust-server-files "${custom_ca_cert_url}" >> ./wget_output.log 2>&1;
+ then
+ if [ -f "${ca_tmp_dir}/${custom_ca_cert_file_name}" ];
+ then
+ if openssl x509 -in "${custom_ca_cert_file_name}" -text -noout;
+ then
+ mv "${custom_ca_cert_file_name}" cust-ca-certificates.crt
+ cp /etc/${replicated_conf_file} ./${replicated_conf_file}.original
+ jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }" -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated
+ if jq -e . > /dev/null 2>&1 -- ${replicated_conf_file}.updated;
+ then
+ cp ./${replicated_conf_file}.updated /etc/${replicated_conf_file}
+ else
+ echo "The updated ${replicated_conf_file} file is not valid JSON." | tee -a "${local_messages_file}"
+ echo "Review ${ca_tmp_dir}/${replicated_conf_file}.original and ${ca_tmp_dir}/${replicated_conf_file}.updated." | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+ else
+ echo "The certificate file wasn't able to validated via openssl" | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+ else
+ echo "The filename ${custom_ca_cert_file_name} was not what ${custom_ca_cert_url} downloaded." | tee -a "${local_messages_file}"
+ echo "Inspect the ${ca_tmp_dir} directory to verify the file that was downloaded." | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+ else
+ echo "There was an error downloading the file ${custom_ca_cert_file_name} from ${custom_ca_cert_url}." | tee -a "${local_messages_file}"
+ echo "See the ${ca_tmp_dir}/wget_output.log file." | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+
+ popd
+fi
+
 ptfe_install_args=( -DD "--bootstrap-token=$(cat /etc/ptfe/bootstrap-token)" \
diff --git a/templates/cloud-config-secondary.yaml b/templates/cloud-config-secondary.yaml
index 9e9c95d1..bf42bd9f 100644
--- a/templates/cloud-config-secondary.yaml
+++ b/templates/cloud-config-secondary.yaml
@@ -40,6 +40,11 @@ write_files:
 permissions: "0400"
 content: "${proxy_url}"
+- path: /etc/ptfe/custom-ca-cert-url
+ owner: root:root
+ permissions: "0400"
+ content: "${ca_cert_url}"
+
 - path: /etc/apt/apt.conf.d/00aaa_proxy
 owner: root:root
 permissions: "0400"
diff --git a/templates/cloud-config.yaml b/templates/cloud-config.yaml
index b21d4461..43eb89d9 100644
--- a/templates/cloud-config.yaml
+++ b/templates/cloud-config.yaml
@@ -59,6 +59,11 @@ write_files:
 permissions: "0400"
 content: "${proxy_url}"
+- path: /etc/ptfe/custom-ca-cert-url
+ owner: root:root
+ permissions: "0400"
+ content: "${ca_cert_url}"
+
 - path: /etc/profile.d/proxy.sh
 owner: root:root
 permissions: "0755"
diff --git a/variables.tf b/variables.tf
index f212be23..08e07d8b 100644
--- a/variables.tf
+++ b/variables.tf
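Review bot: `--trust-server-files` on the `if wget` line is not a wget option (the flag is `--trust-server-names`), so wget rejects the invocation before fetching anything and every run ends in the "There was an error downloading" branch with the CA never installed; the intended line is `if wget --trust-server-names "${custom_ca_cert_url}" >> ./wget_output.log 2>&1;`, noting that with that flag a redirected download is saved under the redirect target's name, which the `-f` check on the next line would then reject. The `jq` line splices the downloaded certificate into the filter text, so a `"` or `\` in that file changes the jq program rather than the data; pass it as an argument instead: `jq --arg cert "$(cat cust-ca-certificates.crt)" '. + { ca_certs: { value: $cert } }' -- "${replicated_conf_file}.original" > "${replicated_conf_file}.updated"`. The `openssl x509 -text -noout` step only proves the payload parses as a certificate, which is worth saying next to the existing comment about trusting user input, e.g. `# NOTE: the only validation of the fetched file is that it parses as X.509; the URL itself is trusted operator input.`. `pushd` is unchecked, so a failed `mkdir`/`pushd` would run the rest of the block against relative paths in the wrong directory; `pushd "${ca_tmp_dir}" || exit 1` keeps the later `./` references honest.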
@@ -42,6 +42,12 @@ variable "airgap_package_url" {
 default = ""
 }
+variable "ca_cert_url" {
+ type = "string"
+ description = "URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections"
+ default = "none"
+}
+
 variable "ami" {
 type = "string"
 description = "AMI to launch instance with; defaults to latest Ubuntu Xenial"
@@ -276,7 +282,6 @@ data "aws_ami" "rhel" {
 }
 }
-
 ## random password for the installer dashboard
 resource "random_pet" "console_password" {
 length = 3
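Review bot: `default = "none"` introduces a sentinel string where the neighbouring optional variables in this file use `""` for "not set" (`airgap_package_url` directly above defaults to `""`), and the consumer in install-ptfe.sh already skips an empty value with its `-n` test, so `default = ""` would drop the magic word and the extra `!= none` comparison (the README row would change alongside). If the sentinel is kept, the description should name it, since this is the only place an operator sees it: `description = "URL to a CA certificate file for the internal ptfe-proxy used for outgoing connections; leave as \"none\" to skip"`.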