ostree: drop RHSM for MTLS over ENV

osbuild · Oct 15, 2024 · 9505bf9 · 9505bf9
1 parent 347abb4
commit 9505bf9
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 53 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,5 +10,7 @@ __pycache__
 /test/data/manifests
 /tools/appsre-ansible/inventory
 dictionary.dic
+/cmd/ostree-resolve/*.crt
+/cmd/ostree-resolve/*.key
 
 *~
diff --git a/cmd/ostree-resolve/main.go b/cmd/ostree-resolve/main.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/osbuild/images/pkg/ostree"
+)
+
+func main() {
+	fmt.Println("Resolving ostree source, configuration:")
+	fmt.Printf("CA: %s\n", os.Getenv("OSBUILD_SOURCES_OSTREE_SSL_CA_CERT"))
+	fmt.Printf("Client cert: %s\n", os.Getenv("OSBUILD_SOURCES_OSTREE_SSL_CLIENT_CERT"))
+	fmt.Printf("Client key: %s\n", os.Getenv("OSBUILD_SOURCES_OSTREE_SSL_CLIENT_KEY"))
+	fmt.Printf("Proxy: %s\n", os.Getenv("OSBUILD_SOURCES_OSTREE_PROXY"))
+
+	spec := ostree.SourceSpec{
+		URL: "https://builder.home.lan/ccb2194f-9876-4e76-9e64-a338a32df230/",
+		Ref: "fedora/40/x86_64/iot",
+	}
+	cs, err := ostree.Resolve(spec)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("Resolved checksum: %s", cs.Checksum)
+}
diff --git a/pkg/distro/fedora/images.go b/pkg/distro/fedora/images.go
@@ -812,9 +812,8 @@ func makeOSTreeParentCommit(options *ostree.ImageOptions, defaultRef string) (*o
 
 	}
 	parentCommit = &ostree.SourceSpec{
-		URL:  options.URL,
-		Ref:  parentRef,
-		RHSM: options.RHSM,
+		URL: options.URL,
+		Ref: parentRef,
 	}
 	return parentCommit, commitRef
 }
@@ -834,9 +833,8 @@ func makeOSTreePayloadCommit(options *ostree.ImageOptions, defaultRef string) (o
 	}
 
 	return ostree.SourceSpec{
-		URL:  options.URL,
-		Ref:  commitRef,
-		RHSM: options.RHSM,
+		URL: options.URL,
+		Ref: commitRef,
 	}, nil
 }
 

diff --git a/pkg/distro/rhel/images.go b/pkg/distro/rhel/images.go
@@ -781,7 +781,6 @@ func makeOSTreeParentCommit(options *ostree.ImageOptions, defaultRef string) (*o
 	parentCommit = &ostree.SourceSpec{
 		URL:  options.URL,
 		Ref:  parentRef,
-		RHSM: options.RHSM,
 	}
 	return parentCommit, commitRef
 }
@@ -803,6 +802,5 @@ func makeOSTreePayloadCommit(options *ostree.ImageOptions, defaultRef string) (o
 	return ostree.SourceSpec{
 		URL:  options.URL,
 		Ref:  commitRef,
-		RHSM: options.RHSM,
 	}, nil
 }
diff --git a/pkg/distro/test_distro/distro.go b/pkg/distro/test_distro/distro.go
@@ -263,7 +263,6 @@ func (t *TestImageType) Manifest(b *blueprint.Blueprint, options distro.ImageOpt
 			}
 			// copy any other options that might be specified
 			ostreeSource.URL = options.OSTree.URL
-			ostreeSource.RHSM = options.OSTree.RHSM
 		}
 		ostreeSources = []ostree.SourceSpec{ostreeSource}
 	}

diff --git a/pkg/ostree/ostree.go b/pkg/ostree/ostree.go
@@ -13,8 +13,6 @@ import (
 	"regexp"
 	"strings"
 	"time"
-
-	"github.com/osbuild/images/pkg/rhsm"
 )
 
 var (
@@ -25,9 +23,8 @@ var (
 // SourceSpec serves as input for ResolveParams, and contains all necessary
 // variables to resolve a ref, which can then be turned into a CommitSpec.
 type SourceSpec struct {
-	URL  string
-	Ref  string
-	RHSM bool
+	URL string
+	Ref string
 }
 
 // CommitSpec specifies an ostree commit using any combination of Ref (branch), URL (source), and Checksum (commit ID).
@@ -68,10 +65,6 @@ type ImageOptions struct {
 
 	// If specified, the URL will be used only for metadata.
 	ContentURL string `json:"contenturl"`
-
-	// Indicate if the 'org.osbuild.rhsm.consumer' secret should be added when pulling from the
-	// remote.
-	RHSM bool `json:"rhsm"`
 }
 
 // Validate the image options. This doesn't verify the existence of any remote
@@ -141,56 +134,57 @@ func verifyChecksum(commit string) bool {
 // ResolveRef resolves the URL path specified by the location and ref
 // (location+"refs/heads/"+ref) and returns the commit ID for the named ref. If
 // there is an error, it will be of type ResolveRefError.
-func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptions, ca *string) (string, error) {
+func ResolveRef(location, ref string) (string, error) {
 	u, err := url.Parse(location)
 	if err != nil {
 		return "", NewResolveRefError("error parsing ostree repository location: %v", err)
 	}
 	u.Path = path.Join(u.Path, "refs/heads/", ref)
 
-	var client *http.Client
-	if consumerCerts {
-		if subs == nil {
-			subs, err = rhsm.LoadSystemSubscriptions()
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	client := &http.Client{
+		Transport: transport,
+		Timeout: 300 * time.Second,
+	}
+	if u.Scheme == "https" {
+		tlsConf := &tls.Config{}
+
+		// If CA is set, load the CA certificate and add it to the TLS configuration. Otherwise, use the system CA.
+		if caFilename := os.Getenv("OSBUILD_SOURCES_OSTREE_SSL_CA_CERT"); caFilename != "" {
+			caCertPEM, err := os.ReadFile(caFilename)
 			if err != nil {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
+				return "", NewResolveRefError("error adding ca certificate when resolving ref: %s", err)
 			}
-			if subs.Consumer == nil {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+			tlsConf.RootCAs = x509.NewCertPool()
+			if ok := tlsConf.RootCAs.AppendCertsFromPEM(caCertPEM); !ok {
+				return "", NewResolveRefError("error adding ca certificate when resolving ref")
 			}
 		}
 
-		tlsConf := &tls.Config{
-			MinVersion: tls.VersionTLS12,
-		}
+		certFilename := os.Getenv("OSBUILD_SOURCES_OSTREE_SSL_CLIENT_CERT")
+		keyFilename := os.Getenv("OSBUILD_SOURCES_OSTREE_SSL_CLIENT_KEY")
 
-		if ca != nil {
-			caCertPEM, err := os.ReadFile(*ca)
+		if certFilename != "" && keyFilename != "" {
+			cert, err := tls.LoadX509KeyPair(certFilename, keyFilename)
 			if err != nil {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
-			}
-			roots := x509.NewCertPool()
-			ok := roots.AppendCertsFromPEM(caCertPEM)
-			if !ok {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+				return "", NewResolveRefError("error adding client certificate when resolving ref: %s", err)
 			}
-			tlsConf.RootCAs = roots
+			tlsConf.Certificates = []tls.Certificate{cert}
 		}
 
-		cert, err := tls.LoadX509KeyPair(subs.Consumer.ConsumerCert, subs.Consumer.ConsumerKey)
+		transport.TLSClientConfig = tlsConf
+	}
+
+	proxy := os.Getenv("OSBUILD_SOURCES_OSTREE_PROXY")
+	if proxy != "" {
+		proxyURL, err := url.Parse(proxy)
 		if err != nil {
-			return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
+			return "", NewResolveRefError("error preparing ostree request while parsing OSBUILD_SOURCES_OSTREE_PROXY: %s", err)
 		}
-		tlsConf.Certificates = []tls.Certificate{cert}
 
-		client = &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: tlsConf,
-			},
-			Timeout: 300 * time.Second,
+		transport.Proxy = func(request *http.Request) (*url.URL, error) {
+			return proxyURL, nil
 		}
-	} else {
-		client = &http.Client{}
 	}
 
 	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
@@ -234,10 +228,6 @@ func Resolve(source SourceSpec) (CommitSpec, error) {
 		URL: source.URL,
 	}
 
-	if source.RHSM {
-		commit.Secrets = "org.osbuild.rhsm.consumer"
-	}
-
 	if verifyChecksum(source.Ref) {
 		// the ref is a commit: return as is
 		commit.Checksum = source.Ref
@@ -252,7 +242,7 @@ func Resolve(source SourceSpec) (CommitSpec, error) {
 	// URL set: Resolve checksum
 	if source.URL != "" {
 		// If a URL is specified, we need to fetch the commit at the URL.
-		checksum, err := ResolveRef(source.URL, source.Ref, source.RHSM, nil, nil)
+		checksum, err := ResolveRef(source.URL, source.Ref)
 		if err != nil {
 			return CommitSpec{}, err // ResolveRefError
 		}