[#3840] update CA default config and dhcp examples

2025-08-30 13:37:55 +00:00 · 2025-05-15 12:39:54 +03:00 · 2025-05-15 12:39:54 +03:00 · 4c6bcfa35c
commit 4c6bcfa35c
parent b8f1831af8
9 changed files with 40 additions and 14 deletions
--- a/doc/examples/kea4/all-keys-netconf.json
+++ b/doc/examples/kea4/all-keys-netconf.json
@ -542,7 +542,7 @@

            // Name of the lease file. In the case of a database it specifies the
            // database name.
-            "name": "kea-dhcp4.csv",
+            "name": "kea-leases4.csv",

            // memfile-specific parameter indicating whether leases should
            // be saved on persistent storage (disk) or not. The true value
--- a/doc/examples/kea4/all-keys.json
+++ b/doc/examples/kea4/all-keys.json
@ -542,7 +542,7 @@

            // Name of the lease file. In the case of a database it specifies the
            // database name.
-            "name": "kea-dhcp4.csv",
+            "name": "kea-leases4.csv",

            // memfile-specific parameter indicating whether leases should
            // be saved on persistent storage (disk) or not. The true value
--- a/doc/examples/kea4/dhcpv4-over-dhcpv6.json
+++ b/doc/examples/kea4/dhcpv4-over-dhcpv6.json
@ -12,7 +12,7 @@

  "lease-database": {
      "type": "memfile",
-      "name": "kea-dhcp4.csv",
+      "name": "kea-leases4.csv",
      "lfc-interval": 3600
  },

--- a/doc/examples/kea6/all-keys-netconf.json
+++ b/doc/examples/kea6/all-keys-netconf.json
@ -468,7 +468,7 @@

            // Name of the lease file. In the case of a database it specifies the
            // database name.
-            "name": "kea-dhcp6.csv",
+            "name": "kea-leases6.csv",

            // memfile-specific parameter indicating whether leases should
            // be saved on persistent storage (disk) or not. The true value
--- a/doc/examples/kea6/all-keys.json
+++ b/doc/examples/kea6/all-keys.json
@ -468,7 +468,7 @@

            // Name of the lease file. In the case of a database it specifies the
            // database name.
-            "name": "kea-dhcp6.csv",
+            "name": "kea-leases6.csv",

            // memfile-specific parameter indicating whether leases should
            // be saved on persistent storage (disk) or not. The true value
--- a/doc/examples/kea6/dhcpv4-over-dhcpv6.json
+++ b/doc/examples/kea6/dhcpv4-over-dhcpv6.json
@ -13,7 +13,7 @@

  "lease-database": {
      "type": "memfile",
-      "name": "kea-dhcp6.csv"
+      "name": "kea-leases6.csv"
  },

  "preferred-lifetime": 3000,
--- a/src/bin/dhcp4/tests/dhcp4_test_utils.cc
+++ b/src/bin/dhcp4/tests/dhcp4_test_utils.cc
@ -50,10 +50,6 @@ BaseServerTest::~BaseServerTest() {
    s2 << CfgMgr::instance().getDataDir() << "/kea-leases4.csv";
    static_cast<void>(::remove(s2.str().c_str()));

-    std::ostringstream s3;
-    s3 << CfgMgr::instance().getDataDir() << "/kea-dhcp4.csv";
-    static_cast<void>(::remove(s3.str().c_str()));
-
    // Revert to original data directory.
    CfgMgr::instance().getDataDir(true, original_datadir_);

--- a/src/bin/dhcp6/tests/dhcp6_test_utils.cc
+++ b/src/bin/dhcp6/tests/dhcp6_test_utils.cc
@ -53,10 +53,6 @@ BaseServerTest::~BaseServerTest() {
    s2 << CfgMgr::instance().getDataDir() << "/kea-leases6.csv";
    static_cast<void>(::remove(s2.str().c_str()));

-    std::ostringstream s3;
-    s3 << CfgMgr::instance().getDataDir() << "/kea-dhcp6.csv";
-    static_cast<void>(::remove(s3.str().c_str()));
-
    // Revert to original data directory.
    CfgMgr::instance().getDataDir(true, original_datadir_);

--- a/src/bin/keactrl/kea-ctrl-agent.conf.pre
+++ b/src/bin/keactrl/kea-ctrl-agent.conf.pre
@ -26,6 +26,40 @@
    // is specifically for HA updates only.
    "http-port": 8000,

+    // Allow access only to kea-api user.
+    // To make it work, please store your password in kea-api-password file.
+    // Make sure the password file has sufficiently restrictive access permissions,
+    // in particular it is not world-readable.
+    // The basic HTTP auth offers poor security for unencrypted channels.
+    // If possible, a better, stronger HTTPS mechanism should be deployed,
+    // in particular when the client authentication is enabled by setting the
+    // cert-required to true (the default). See trust-anchor, cert-file,
+    // key-file and cert-required below. For more details read the Kea Security
+    // section in the ARM.
+    "authentication": {
+        "type": "basic",
+        "realm": "Kea Control Agent",
+        "directory": "/etc/kea",
+        "clients": [
+            {
+                "user": "kea-api",
+                "password-file": "kea-api-password"
+            }
+        ]
+    },
+
+    // Configuration section containing HTTPS parameters:
+    // TLS trust anchor (Certificate Authority). This is a file name or
+    // (for OpenSSL only) a directory path.
+    // "trust-anchor": "kea-server-ca",
+    // TLS server certificate file name.
+    // "cert-file": "kea-server-cert",
+    // TLS server private key file name.
+    // "key-file": "kea-server-key",
+    // TLS require client certificates flag. Default is true and means
+    // require client certificates. False means they are optional.
+    // "cert-required": true
+
    // Specify location of the files to which the Control Agent
    // should connect to forward commands to the DHCPv4, DHCPv6
    // and D2 servers via unix domain sockets.