Add KRA and OCSP containers #4750

Merged
merged 5 commits into from
May 23, 2024
62 changes: 48 additions & 14 deletions .github/workflows/acme-container-test.yml
@@ -28,6 +28,18 @@ jobs:
- name: Create network
run: docker network create example

- name: Set up client container
run: |
tests/bin/runner-init.sh client
env:
HOSTNAME: client.example.com

- name: Connect client container to network
run: docker network connect example client --alias client.example.com

- name: Install dependencies in client container
run: docker exec client dnf install -y certbot

- name: Create shared folders
run: |
mkdir certs
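Review bot: This is a pure reorder; the three client-container steps (runner-init, network connect, certbot install) are identical to the ones deleted further down, so there is no behavioural change. While they move, note that `docker exec client dnf install -y certbot` pulls whatever certbot the base repo serves at run time, so a failure after a certbot release will look like a PKI regression; consider appending `docker exec client certbot --version` to the step so the version lands in the log, or pin it.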
@@ -53,20 +65,7 @@ jobs:
--detach \
pki-acme

- name: Set up client container
run: |
tests/bin/runner-init.sh client
env:
HOSTNAME: client.example.com

- name: Connect client container to network
run: docker network connect example client --alias client.example.com

- name: Install dependencies in client container
run: docker exec client dnf install -y certbot

- name: Wait for ACME container to start
run: |
# wait for ACME to start
docker exec client curl \
--retry 60 \
--retry-delay 0 \
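Review bot: Dropping the separate `Wait for ACME container to start` step and folding the readiness curl into the step that launches the container with `--detach` / `pki-acme` costs log attribution: if `--retry 60` is exhausted, the Actions UI now reports the container start step as failed, with no visible distinction between "image failed to start" and "started but never answered". If the merge is intentional the `# wait for ACME to start` comment helps, but a separate named step, as before, is cheaper to debug.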
@@ -166,6 +165,20 @@ jobs:

diff expected output

- name: Install CA signing cert
run: |
docker exec client pki \
nss-cert-import \
--cert $SHARED/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing

- name: Check ACME status
run: |
docker exec client pki \
-U https://acme.example.com:8443 \
acme-info

- name: Verify certbot in client container
run: |
docker exec client certbot register \
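Review bot: Importing `ca_signing.crt` with `--trust CT,C,C` before the `acme-info` call is the right way to make the `https://acme.example.com:8443` check validate the server chain instead of skipping verification. `$SHARED` is consumed here but not set anywhere in this hunk; please confirm it is defined at job level, otherwise the import path silently collapses to `/certs/ca_signing.crt`.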
@@ -204,6 +217,27 @@ jobs:
--server http://acme.example.com:8080/acme/directory \
--non-interactive

- name: Restart ACME
run: |
docker restart acme
sleep 5

# wait for ACME to restart
docker exec client curl \
--retry 60 \
--retry-delay 0 \
--retry-connrefused \
-s \
-k \
-o /dev/null \
http://acme.example.com:8080/acme/directory

- name: Check ACME status again
run: |
docker exec client pki \
-U https://acme.example.com:8443 \
acme-info

- name: Check ACME container logs
if: always()
run: |
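Review bot: The readiness probe after `docker restart acme` polls the plain-HTTP directory on 8080, but the next step (`acme-info`) talks to 8443 over TLS, so a server whose HTTP connector comes up before its TLS connector can pass the probe and still fail the check; probing `https://acme.example.com:8443` would match what is actually tested. `-k` is a no-op on an `http://` URL and can go (keep it if the probe moves to https, since curl uses the system trust store, not the pki client's NSS DB), and the fixed `sleep 5` is redundant with `--retry-connrefused`.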
32 changes: 31 additions & 1 deletion .github/workflows/build.yml
@@ -115,10 +115,40 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
outputs: type=docker

- name: Build pki-kra image
uses: docker/build-push-action@v5
with:
context: .
build-args: |
BASE_IMAGE=${{ env.BASE_IMAGE }}
COPR_REPO=${{ env.COPR_REPO }}
tags: pki-kra
target: pki-kra
cache-from: type=local,src=/tmp/.buildx-cache
outputs: type=docker

- name: Build pki-ocsp image
uses: docker/build-push-action@v5
with:
context: .
build-args: |
BASE_IMAGE=${{ env.BASE_IMAGE }}
COPR_REPO=${{ env.COPR_REPO }}
tags: pki-ocsp
target: pki-ocsp
cache-from: type=local,src=/tmp/.buildx-cache
outputs: type=docker

- name: Save PKI images
run: |
docker images
docker save -o pki-images.tar pki-dist pki-runner pki-server pki-ca
docker save -o pki-images.tar \
pki-dist \
pki-runner \
pki-server \
pki-ca \
pki-kra \
pki-ocsp

- name: Store PKI images
uses: actions/cache@v4
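Review bot: The two new build steps copy the `pki-ca` block verbatim apart from `tags` and `target`; with pki-ca, pki-kra and pki-ocsp each needing their own copy, a list-driven loop or composite action would stop the next component requiring another paste. Separately, `docker save` now bundles six images into one `pki-images.tar` handed to `actions/cache@v4`; check the tarball stays within the cache size limit and that the cache key captures the `COPR_REPO` build-arg, otherwise the downstream container tests will restore stale images after a package update.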
36 changes: 29 additions & 7 deletions .github/workflows/ca-container-test.yml
@@ -211,8 +211,7 @@ jobs:
--detach \
pki-ca

- name: Wait for CA container to start
run: |
# wait for CA to start
docker exec client curl \
--retry 180 \
--retry-delay 0 \
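Review bot: The `Wait for CA container to start` step disappears into the step that launches the container with `--detach` / `pki-ca`, so a readiness timeout (`--retry 180`) is now reported against the container start step with nothing in the UI to say which of the two failed; prefer keeping the wait as its own named step.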
@@ -443,20 +442,20 @@ jobs:
--request $REQUEST_ID

# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
- name: Add admin user
- name: Add CA admin user
run: |
docker exec ca pki-server ca-user-add \
--full-name Administrator \
--type adminType \
admin

- name: Assign admin cert to admin user
- name: Assign admin cert to CA admin user
run: |
docker exec ca pki-server ca-user-cert-add \
--cert /certs/admin.crt \
admin

- name: Add admin user into CA groups
- name: Add CA admin user into CA groups
run: |
docker exec ca pki-server ca-user-role-add admin "Administrators"
docker exec ca pki-server ca-user-role-add admin "Certificate Manager Agents"
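Review bot: Renames only (`admin user` to `CA admin user`), sensible now that KRA and OCSP admin users are coming. One thing worth a comment on `ca-user-role-add admin "Administrators"` and `"Certificate Manager Agents"`: the test account is deliberately given both the administrator and agent roles, which is the documented CA admin set-up for a test but not how a deployment should split duties; a short comment saying so would stop it being copied into production-shaped configs.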
@@ -468,7 +467,7 @@ jobs:

- name: Check admin operations from CA container
run: |
# check admin user
# check CA admin user
docker exec ca pki \
-n admin \
ca-user-show \
@@ -496,7 +495,7 @@ jobs:

- name: Check admin operations from client container
run: |
# check admin user
# check CA admin user
docker exec client pki \
-U https://ca.example.com:8443 \
-n admin \
@@ -518,6 +517,29 @@ jobs:
$REQUEST_ID \
--force

- name: Restart CA
run: |
docker restart ca
sleep 5

# wait for CA to restart
docker exec client curl \
--retry 180 \
--retry-delay 0 \
--retry-connrefused \
-s \
-k \
-o /dev/null \
https://ca.example.com:8443

- name: Check CA admin user again
run: |
docker exec client pki \
-U https://ca.example.com:8443 \
-n admin \
ca-user-show \
admin

- name: Check DS server systemd journal
if: always()
run: |
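Review bot: Good post-restart check: `ca-user-show admin` with `-n admin` authenticates with the admin client certificate, so it confirms the restarted CA still maps that cert to the admin user and that the client's NSS DB still validates the server cert, which the readiness curl (`-k`) deliberately does not. Keep `-k` on the curl, since curl uses the system trust store rather than the pki client's NSS DB; the fixed `sleep 5` is redundant with `--retry-connrefused` and can go.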