osbuild: new stage 'cacert' (HMS-4839)

[lzap]

This pull request adds a new stage called 'cacert' to the osbuild package. It also includes file changes to support the CACustomization feature, which allows users to specify a list of certificates for the CA (Certificate Authority). The changes include updates to the Customizations struct, the osCustomizations function, and the OSCustomizations struct. Additionally, a new function called parseCerts is added to parse the certificate strings. The changes also include updates to the serialize and prependKernelCmdlineStage functions in the OS struct. Finally, a new file called ca_stage.go is added to the osbuild package, which contains the implementation of the NewCAStageStage function.

Needs: osbuild/osbuild#1854

[lzap]

Missing the filename extension, will add during review.

[achilleas-k]

Can we break down this PR into multiple commits for easier reviewing and history?

I like to have commits that introduce new things separate from the following ones that use them, so maybe:

1. Add osbuild/..._stage.go
2. Add manifest/os.go changes.
3. Add blueprint customization.
4. Add config option to all-customizations.json.

(though, 2 and 3 can be merged).

[achilleas-k]

ca, while an accurate initialism and probably a very common term to refer to what we're doing, is probably not a great name for a configuration key in the soup of top-level blueprint customization names.

CertificateAuthority (certificate-authority) is, on the other hand, too long.

Maybe CACerts (toml:"ca-certs") would be a better name?

[lzap]

Sure, in the same struct I see a two-worded JSON field SSHKey as sshkey so I will stick with this theme and go for cacerts.

[achilleas-k]

This doesn't match the customization struct in the code. The way the customization is written now this should be:

"ca": {
  "certs": [
    "..."
  ]
}

[achilleas-k]

The stage is called pki.update-ca-trust so please name the file accordingly for easier navigation.
pki_update_stage.go for example.

[achilleas-k]

Can we break down this PR into multiple commits for easier reviewing and history?

I like to have commits that introduce new things separate from the following ones that use them, so maybe:

1. Add osbuild/..._stage.go
2. Add manifest/os.go changes.
3. Add blueprint customization.
4. Add config option to all-customizations.json.

(though, 2 and 3 can be merged).

[lzap]

Sure, amended all remarks. If you don’t mind, I am keeping one commit for easier work from my side, multiple commits rebasing is a pain to work with this isn’t a big PR by any means. I will split it after the code is ready.

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove "Stale" label or comment or this will be closed in 7 days.

[mvo5]

Thank you for this PR! It looks good but I still have some ideas/suggestions inline for your consideration. But I'm happy to help with them if you have no enough time :)

[lzap]

I have extracted the checking code + test into separate package cert and implemented an explicit check method. No warnings but errors.

[mvo5]

Thanks for the update, looks very nice now, I made a suggestion inline, hope it's useful.

[mvo5]

I would love to see a test for this but I understand this area is really difficult to test so fine to ignore that (but I also can't help to mention it)

[lzap]

Amended the recommended changes, fixed tests.

Let me know where and how to add a test for this.

REMINDER: For myself - the commit should be split as requested.

[mvo5]

This looks good now from my PoV, one tiny suggestion about a test.

[lzap]

Rebased, hopefully it passes now.

[lzap]

Any other comments? I would love to get this in.

[achilleas-k]

I don't feel too strongly about extracting the two lines into a function but the stage should be moved so that it's before the selinux one.

[achilleas-k]

Is it worth extracting this into a helper function, just for easier reading?

[achilleas-k]

Please move this whole block up before the selinux stage is added (L798), so that any newly created files get labelled correctly.

[mvo5]

Oh, that is an excellent catch - thank you! Is there any way (not here probably) how we could detect this via tests (assuming we had a bit more test infra for manifest/os.go?

[achilleas-k]

We could, yeah.

[lzap]

I think the MTLS change kicked in and now breaking tests I need to fix this prior this PR:

internal/cloudapi/v2/server.go:231:55: cannot convert source (variable of type ostree.SourceSpec) to type worker.OSTreeResolveSpec

[lzap]

Moved, also I think I have found a good place for the CA file nodes code.

[lzap]

Thanks, that was helpful. It now generates fine.

[lzap]

It looks like it works fine:

go run ./cmd/gen-manifests --distros rhel-9.5 --arches x86_64 --types qcow2 --config ./test/configs/all-customizations.json --output ./manifests --metadata=false

sudo osbuild ./manifests/rhel_9.5-x86_64-qcow2-all_customizations.json --export build --export os --export image --output-directory /tmp/osbuild-test --store /tmp/osbuild-test

lzap@dev:/tmp/osbuild-test/os/etc/pki/ca-trust/source/anchors$ cat 27894af897dd2423607045716438a725f28a6d0b.pem 
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIUJ4lK+JfdJCNgcEVxZDinJfKKbQswDQYJKoZIhvcNAQEL
BQAwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD
VQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRwwGgYDVQQDDBNUZXN0IENB
IGZvciBvc2J1aWxkMCAXDTI0MDkwMzEzMjkyMFoYDzIyOTgwNjE4MTMyOTIwWjBo
MQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcM
B1JhbGVpZ2gxEDAOBgNVBAoMB1JlZCBIYXQxHDAaBgNVBAMME1Rlc3QgQ0EgZm9y
IG9zYnVpbGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeA7OcWTrV
gstoBsUaeJKm8nelg7Lc0WNXH6yOTLsr4td4yHs0YOvFGwgSf+ffV3RAG1mgqnMG
MgkD2+z+7QhHbHHs3y0d0zfhA2bg0KVvfCWk7fNRPHY0UOePpXk245Bfw3D0VTpl
F7nePk1I7ZY09snPWUeb2rjKXzYjKjzM0h27+ykV8I8+FbdyPk/pR8whyDqtHLUa
XfFy2TFloDSYMkHKVd38BnL0bj91x5F+KsZkN4HzfbYwxLbCQfOSgy7q6TWce9kq
Lo6tya9vuvpWFm1dye7L+BodAQAq/dI/JMeCfyTb0eFb+tyzfr5aVIoqqDN+p9ft
cw4OefpHbhtNAgMBAAGjUzBRMB0GA1UdDgQWBBRV2A9YmusekPzu5Yf08cV0oPL1
wjAfBgNVHSMEGDAWgBRV2A9YmusekPzu5Yf08cV0oPL1wjAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgQZ2Xfj+NxaKBZgn2KNxS0MTbhzHRz6Rn
qJs+h8OUz2Crmaf6N+RHlmDRZXUrDjSHpxVT2LxFy7ofRrLYIezFDUYfb920VkkV
SVcxh1YDFROJalfMoE6wdyR/LnK4MJZS9fUpeCJJc/A0J+9FK9CwcyUrHgJ8XbJh
MKYyQ+cf6O7wzutuBpMyRqSKS+hVM7BQTmSFvv1eAJlo6klGAmmKiYmAEvcQadH1
djrujsA3Cn5vX2L+0yuiLB5/zoxqx5cEy97TuKUYB8OqMMujAXNzF4L3HJDUNba2
AhEkFozMXwYX73TGbGZ0mawPS5D3v3tYTEmJFf6SnVCmUW1fs57g
-----END CERTIFICATE-----

[mvo5]

Thank you! This looks fine, I have some inline suggestions but no blockers, this seems all fine now. Thanks also for splitting it up.

[mvo5]

(super nitpick) panic(err) would also work (and is slightly shorter)

[lzap]

This looks like a pattern in the whole file, I would rather not change it in this PR.

[mvo5]

Hm, I am not sure we should panic here, I see we do this a lot in this function whichI find confusing given that we have an error return here and that the certs come from the user so they maybe wrong and panic() seems a bit heavy handed for user inputs. But we can tweak in a followup given the rest of the function.

[lzap]

Ditto.

[lzap]

Rebased.

[mvo5]

Thank you!

[lzap]

Forgot to run prepare-source.sh fixed, rebased.

Holidays, all the remarks were solved.