StarlingX System Configuration Management
Leonardo Mendes 49df34a4f4 Add Intermediate CA support to IPsec configuration
The current implementation of IPsec configuration by IPsec
server/client supports Root CA only. This commit adds support
for Intermediate CA. Now, IPsec Auth Server sends both certificates
to IPsec Auth client to store. If it's a self-signed certificate,
the same certificate is sent as Root CA.

Test plan:
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and a self-signed CA
      installed. Run "ipsec-client pxecontroller --opcode 1" in
      controller-1. Observe that 4 CA certificates are created,
      but they are the same certificate. Observe that a security
      association is established between the hosts via "swanctl
      --list-sas" command.
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and a self-signed CA
      installed. Run "ipsec-client pxecontroller --opcode 2" in
      controller-1. Observe the previously created CertificateRequest
      was deleted and generated a new one for controller-1's node.
      The new certificate is sent to IPsec Client with Root and
      Intermediate CA, which is the same, to be stored and the
      swanctl rekey command executed successfully.
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and an intermediate CA
      installed. Run "ipsec-client pxecontroller --opcode 1" in
      worker-0. Observe that 4 CA certificates are created,
      including Root and Intermediate CA. Observe that a security
      association is established between the hosts via "swanctl
      --list-sas" command.
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and an Intermediate CA
      installed. Run "ipsec-client pxecontroller --opcode 2" in
      worker-0. Observe the previously created CertificateRequest
      was deleted and generated a new one for worker-0's node.
      The new certificate is sent to IPsec Client with Root and
      Intermediate CA to be stored and the swanctl rekey command
      executed successfully.
PASS: In a DX system, simulate the IPsec cert is about to expire,
      run the script, verify IPsec cert, private key and trusted CA
      cert are renewed.

Story: 2010940
Task: 49825

Change-Id: I25c973350c4f460233a4e6e5ddda8366b948d120
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
2024-04-09 16:01:53 -03:00
api-ref/source Improve kube-rootca-get-id API and error handling 2023-11-24 09:16:48 -05:00
config-gate Update debian package versions to use git commits 2023-02-10 20:11:06 +00:00
controllerconfig Migration script to delete encrypted-fs attribute 2024-04-01 05:58:25 +00:00
devstack Deprecate old policy engine and restrict access 2022-08-10 11:18:38 -03:00
doc Fix tsconfig/root constraints file in tox.ini 2024-03-04 22:22:31 +00:00
releasenotes Remove host hardware sysinv profile 2021-10-18 18:01:40 -03:00
storageconfig Remove the use of the mgmt_ip field in host table 2023-11-01 10:30:21 -04:00
sysinv Add Intermediate CA support to IPsec configuration 2024-04-09 16:01:53 -03:00
tmp/patch-scripts/EXAMPLE_SYSINV/scripts StarlingX open source release updates 2018-05-31 07:35:52 -07:00
tools/docker/images Enable kubernetes SCTPSupport feature 2019-09-03 19:23:05 +00:00
tsconfig Upgrade changes to support MGMT FQDN 2024-03-05 12:42:21 -03:00
workerconfig Remove the use of the mgmt_ip field in host table 2023-11-01 10:30:21 -04:00
.gitignore Minor zuul and tox file cleanup after manifest re-org 2019-09-06 15:40:37 -05:00
.gitreview OpenDev Migration Patch 2019-04-19 19:52:42 +00:00
.yamllint clear yamllint errors under stx-config 2018-09-12 21:11:57 +08:00
.zuul.yaml Update controllerconfig tox environment for debian 2023-05-31 15:25:25 +00:00
CONTRIBUTORS.wrs StarlingX open source release updates 2018-05-31 07:35:52 -07:00
LICENSE StarlingX open source release updates 2018-05-31 07:35:52 -07:00
README.rst starlingx/config README improvement 2023-07-19 12:18:04 -03:00
bindep.txt py3: Add py39 gate for sysinv 2021-08-27 08:39:06 -04:00
centos_build_layer.cfg Build layering, add layer build config file 2019-10-15 12:29:05 +08:00
centos_dev_wheels.inc Config file changes to add 'tsconfig' after relocation from 'update' 2019-09-05 11:51:05 -04:00
centos_iso_image.inc Merge sysinv_fpga_agent with sysinv_agent 2022-10-03 14:12:28 -04:00
centos_pkg_dirs Merge sysinv_fpga_agent with sysinv_agent 2022-10-03 14:12:28 -04:00
centos_pkg_dirs_containers Config file changes for packages relocated to repo 'openstack-armada-app' 2019-09-05 10:42:00 -04:00
centos_stable_wheels.inc Config file changes to add 'tsconfig' after relocation from 'update' 2019-09-05 11:51:05 -04:00
debian_build_layer.cfg Add debian_build_layer.cfg file 2021-10-05 14:50:08 -04:00
debian_iso_image.inc Setup debian build directory and ipsec-auth package 2024-01-26 09:46:14 -03:00
debian_pkg_dirs Setup debian build directory and ipsec-auth package 2024-01-26 09:46:14 -03:00
debian_stable_wheels.inc debian: Add sysinv wheel to the build 2022-11-21 13:33:24 +00:00
test-requirements.txt Calling an additional shell lint command from zuul 2021-06-03 17:35:50 -05:00
tox.ini Fix tsconfig/root constraints file in tox.ini 2024-03-04 22:22:31 +00:00

README.rst

config

The starlingx/config repository handles the StarlingX configuration management services.

Its key component is the System Inventory Service (Sysinv), which provides the system command-line interface (CLI) [1].

This repository is not intended to be developed standalone, but rather as part of the StarlingX Source System, which is defined by the StarlingX manifest [2].

References


  1. https://docs.starlingx.io/cli_ref/system.html

  2. https://opendev.org/starlingx/manifest.git