kuksa-val: add regenerated server certificate

[AGL/meta-agl-demo.git] / recipes-connectivity / kuksa-val / kuksa-val_git.bb

diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index 033e81e..8bfa5ab 100644 (file)
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -18,6 +18,9 @@ SRC_URI += "file://kuksa-val.service \
             file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch \
             file://0003-Make-install-locations-configurable.patch \
             file://0004-Disable-default-fetch-and-build-of-googletest.patch \
+            file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch \
+            file://Server.key \
+            file://Server.pem \
 "
 
 inherit cmake pkgconfig systemd useradd
@@ -40,7 +43,7 @@ EXTRA_OECMAKE = " \
 
 do_install:append() {
     # Lower the logging level used in the installed config.ini from the upstream
-    # default of "ALL", which seems to cause performance issues at the moment.
+    # default of "ALL", which spams the logs.
     sed -i 's/^log-level = .*/log-level = WARNING/' ${D}/${sysconfdir}/kuksa-val/config.ini
 
     if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
@@ -48,6 +51,17 @@ do_install:append() {
         install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
     fi
 
+    # Install replacement server key + certificate
+    # These are AGL specific versions generated using a tweaked
+    # genCerts.sh script from the source tree that adds the now
+    # required subjectAltName extension field to make python3-ssl
+    # happy.  This will be addressed with upstream and can hopefully
+    # be dropped in the future.
+    rm -f ${D}${sysconfdir}/kuksa-val/Server.key
+    install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+    rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
+    install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+
     # Restrict server certificate access
     # NOTE: The client certificates are left alone here for client
     #       development convenience for now, but this will need to
@@ -58,5 +72,17 @@ do_install:append() {
     chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
 }
 
+# Put client certificates into their own package so we can avoid
+# duplicates of them for e.g. cluster clients.  Longer term this
+# will need to be revisited.
+PACKAGE_BEFORE_PN += "${PN}-client-certificates"
+
+FILES:${PN}-client-certificates = " \
+    ${sysconfdir}/kuksa-val/Client.key \
+    ${sysconfdir}/kuksa-val/Client.pem \
+    ${sysconfdir}/kuksa-val/CA.pem \
+"
+
 FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
 
+RDEPENDS:${PN} += "${PN}-client-certificates"