Merge pull request #16457 from bjorndown/feature/pass-ssl-cert-file-via-fw-cfg

podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd e…
2022-11-28 06:31:35 -05:00 · 2022-11-28 06:31:35 -05:00 · e4e7e41ce5
parent d5f806eb05 caa2dfe01b
commit e4e7e41ce5
3 changed files with 65 additions and 30 deletions
--- a/pkg/machine/ignition.go
+++ b/pkg/machine/ignition.go
@ -24,6 +24,10 @@ import (
 	https://github.com/openshift/machine-config-operator/blob/master/pkg/server/server.go
 */
 const (
 	UserCertsTargetPath = "/etc/containers/certs.d"
 )
 // Convenience function to convert int to ptr
 func intToPtr(i int) *int {
 	return &i
@ -495,24 +499,17 @@ Delegate=memory pids cpu io
 		if _, err := os.Stat(sslCertFile); err == nil {
 			certFiles = getCerts(sslCertFile, false)
 			files = append(files, certFiles...)
 		} else {
 			logrus.Warnf("Invalid path in SSL_CERT_FILE: %q", err)
 		}
 	}
-			if len(certFiles) > 0 {
+	if sslCertDir, ok := os.LookupEnv("SSL_CERT_DIR"); ok {
-				setSSLCertFile := fmt.Sprintf("export %s=%s", "SSL_CERT_FILE", filepath.Join("/etc/containers/certs.d", filepath.Base(sslCertFile)))
+		if _, err := os.Stat(sslCertDir); err == nil {
-				files = append(files, File{
+			certFiles = getCerts(sslCertDir, true)
-					Node: Node{
+			files = append(files, certFiles...)
-						Group: getNodeGrp("root"),
+		} else {
-						Path:  "/etc/profile.d/ssl_cert_file.sh",
+			logrus.Warnf("Invalid path in SSL_CERT_DIR: %q", err)
 						User:  getNodeUsr("root"),
 					},
 					FileEmbedded1: FileEmbedded1{
 						Append: nil,
 						Contents: Resource{
 							Source: encodeDataURLPtr(setSSLCertFile),
 						},
 						Mode: intToPtr(0644),
 					},
 				})
 			}
 		}
 	}
@ -564,7 +561,7 @@ func prepareCertFile(path string, name string) (File, error) {
 		return File{}, err
 	}
-	targetPath := filepath.Join("/etc/containers/certs.d", name)
+	targetPath := filepath.Join(UserCertsTargetPath, name)
 	logrus.Debugf("Copying cert file from '%s' to '%s'.", path, targetPath)
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
@ -560,18 +560,7 @@ func (v *MachineVM) Start(name string, opts machine.StartOptions) error {
 	attr.Files = files
 	cmdLine := v.CmdLine
-	// It is here for providing the ability to propagate
+	cmdLine = propagateHostEnv(cmdLine)
 	// proxy settings (e.g. HTTP_PROXY and others) on a start
 	// and avoid a need of re-creating/re-initiating a VM
 	if proxyOpts := machine.GetProxyVariables(); len(proxyOpts) > 0 {
 		proxyStr := "name=opt/com.coreos/environment,string="
 		var proxies string
 		for k, v := range proxyOpts {
 			proxies = fmt.Sprintf("%s%s=\"%s\"|", proxies, k, v)
 		}
 		proxyStr = fmt.Sprintf("%s%s", proxyStr, base64.StdEncoding.EncodeToString([]byte(proxies)))
 		cmdLine = append(cmdLine, "-fw_cfg", proxyStr)
 	}
 	// Disable graphic window when not in debug mode
 	// Done in start, so we're not suck with the debug level we used on init
@ -702,6 +691,35 @@ func (v *MachineVM) Start(name string, opts machine.StartOptions) error {
 	return nil
 }
 // propagateHostEnv is here for providing the ability to propagate
 // proxy and SSL settings (e.g. HTTP_PROXY and others) on a start
 // and avoid a need of re-creating/re-initiating a VM
 func propagateHostEnv(cmdLine []string) []string {
 	varsToPropagate := make([]string, 0)
 	for k, v := range machine.GetProxyVariables() {
 		varsToPropagate = append(varsToPropagate, fmt.Sprintf("%s=%q", k, v))
 	}
 	if sslCertFile, ok := os.LookupEnv("SSL_CERT_FILE"); ok {
 		pathInVM := filepath.Join(machine.UserCertsTargetPath, filepath.Base(sslCertFile))
 		varsToPropagate = append(varsToPropagate, fmt.Sprintf("%s=%q", "SSL_CERT_FILE", pathInVM))
 	}
 	if _, ok := os.LookupEnv("SSL_CERT_DIR"); ok {
 		varsToPropagate = append(varsToPropagate, fmt.Sprintf("%s=%q", "SSL_CERT_DIR", machine.UserCertsTargetPath))
 	}
 	if len(varsToPropagate) > 0 {
 		prefix := "name=opt/com.coreos/environment,string="
 		envVarsJoined := strings.Join(varsToPropagate, "|")
 		fwCfgArg := prefix + base64.StdEncoding.EncodeToString([]byte(envVarsJoined))
 		return append(cmdLine, "-fw_cfg", fwCfgArg)
 	}
 	return cmdLine
 }
 func (v *MachineVM) checkStatus(monitor *qmp.SocketMonitor) (machine.Status, error) {
 	// this is the format returned from the monitor
 	// {"return": {"status": "running", "singlestep": false, "running": true}}
--- a/pkg/machine/qemu/machine_test.go
+++ b/pkg/machine/qemu/machine_test.go
@ -4,8 +4,13 @@
 package qemu
 import (
 	"encoding/base64"
 	"fmt"
 	"strings"
 	"testing"
 	"github.com/containers/podman/v4/pkg/machine"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@ -18,3 +23,18 @@ func TestEditCmd(t *testing.T) {
 	require.Equal(t, vm.CmdLine, []string{"command", "-flag", "newvalue", "-anotherflag", "anothervalue"})
 }
 func TestPropagateHostEnv(t *testing.T) {
 	t.Setenv("SSL_CERT_FILE", "/some/foo.cert")
 	t.Setenv("SSL_CERT_DIR", "/some/my/certs")
 	t.Setenv("HTTP_PROXY", "proxy")
 	cmdLine := propagateHostEnv(make([]string, 0))
 	assert.Len(t, cmdLine, 2)
 	assert.Equal(t, "-fw_cfg", cmdLine[0])
 	tokens := strings.Split(cmdLine[1], ",string=")
 	decodeString, err := base64.StdEncoding.DecodeString(tokens[1])
 	assert.NoError(t, err)
 	assert.Equal(t, fmt.Sprintf("HTTP_PROXY=\"proxy\"|SSL_CERT_FILE=\"%s/foo.cert\"|SSL_CERT_DIR=%q", machine.UserCertsTargetPath, machine.UserCertsTargetPath), string(decodeString))
 }