Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add KRA and OCSP containers #4750

Merged
merged 5 commits into from
May 23, 2024
Merged

Add KRA and OCSP containers #4750

merged 5 commits into from
May 23, 2024

Conversation

edewata
Copy link
Contributor

@edewata edewata commented May 21, 2024

The Dockerfile has been updated to define new KRA and OCSP containers.

A new test has been added to create CA and KRA containers, then verify key archival and recovery. A new test has also been added to create CA and OCSP containers, then verify CRL publishing and revocation checking.

https://github.com/dogtagpki/pki/wiki/Deploying-KRA-on-Podman
https://github.com/dogtagpki/pki/wiki/Deploying-OCSP-on-Podman

@edewata edewata requested a review from fmarco76 May 21, 2024 14:47
fmarco76
fmarco76 requested changes May 22, 2024
View reviewed changes
Copy link
Member

@fmarco76 fmarco76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a small concern with the restart operation which need to be verified/fixed before to merge.

Dockerfile
RUN chgrp -Rf root /var/lib/pki/pki-tomcat
RUN chmod -Rf g+rw /var/lib/pki/pki-tomcat

CMD [ "/usr/share/pki/kra/bin/pki-kra-run" ]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CMD is executed when the container is executed with run command but it is also executed when the container is started with start command after it has been stopped.
Looking at the executable, if the container is restarted for some reason, it will deploy again the KRA subsystem with potential problems/errors.

Dockerfile
RUN chgrp -Rf root /var/lib/pki/pki-tomcat
RUN chmod -Rf g+rw /var/lib/pki/pki-tomcat

CMD [ "/usr/share/pki/ocsp/bin/pki-ocsp-run" ]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above and I think also the already provided container have the same problem.

base/kra/bin/pki-kra-run
echo "################################################################################"
echo "INFO: Starting PKI KRA"

if [ "$UID" = "0" ]; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To avoid restart problems, all the above configuration could be optional so the subsystem will be configured only if it has not been done before.

base/ocsp/bin/pki-ocsp-run
echo "################################################################################"
echo "INFO: Starting OCSP Responder"

if [ "$UID" = "0" ]; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above and the same should apply to other pki_<subsystem>_run command.

@edewata
Copy link
Contributor Author

edewata commented May 22, 2024
edited
Loading

@fmarco76 Thanks for the feedback! I have updated the tests to confirm that the containers can be restarted properly (except for pki-server container since it requires some additional changes). Yes, currently pkispawn indeed will run again on restart, but it should work just fine with existing config files (we already have tests for that scenario). Ideally it should run only once, but there are multiple scenarios that need to be considered (e.g. are there existing config files, are there existing certs, are there existing database, what if the certs are changed) so if that's OK I'd rather we handle them separately later to keep this PR simple.

edewata added 5 commits May 22, 2024 19:30
@edewata
Update PKI Server container
c5eca26 
The PKI Server container has been updated to keep the certs
and CSRs created during startup.
@edewata
Update CA container test
eb2dc1b 
The CA container test has been updated to verify that the
container can be restarted successfully.
@edewata
Update ACME container test
f7e9127 
The ACME container test has been updated to verify that the
container can be restarted successfully.
@edewata
Add KRA container
dc303ad 
The Dockerfile has been updated to define a new KRA container.

A new test has been added to create CA and KRA containers, then
verify key archival and recovery.
@edewata
Add OCSP container
df81f73 
The Dockerfile has been updated to define a new OCSP container.

A new test has been added to create CA and OCSP containers, then
verify CRL publishing and revocation checking.
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

fmarco76
fmarco76 approved these changes May 23, 2024
View reviewed changes
Copy link
Member

@fmarco76 fmarco76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@edewata
Copy link
Contributor Author

edewata commented May 23, 2024

@fmarco76 Thanks!

@edewata edewata merged commit 685264b into dogtagpki:master May 23, 2024
143 of 148 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fmarco76 fmarco76 fmarco76 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@edewata @fmarco76