Add est to pkispawn #4844
f61256e to dfb98e1
I noticed that there are some database changes. I think we should provide a database upgrade procedure for someone who already has a CA from an older PKI version and then upgrades to the new PKI version to add EST to their system.
About the
Actually, this path is not needed, it could be inside
I have added a first CI test for this deployment, but there are many items not working and requiring some thinking before moving on with this PR.
1e5944c to e01ae7b
a8ec1a7 to 2af054b
@edewata after a lot of effort to make it work like the other subsystems I gave up and made it more like
In general it looks good, but there is a change that broke one of the ACME tests, and I also have some minor comments. Feel free to update & merge.
Just FYI, I'm working on adding support for ACME removal using pkidestroy. I suppose EST removal will be similar.
if: always() | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ca-basic |
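Review bot: `name: ca-basic` on the last line of this step reuses the artifact name of the CA basic test, so artifacts from this EST job will be confused with (or collide with) that job's; name the artifact after this test. Because the step runs with `if: always()`, it also uploads on failed runs, so make sure the gathered paths do not include the deployment configuration, which in this PR carries `est_realm_bind_password` and similar values.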
The artifact name should match the test name to prevent conflicts and to make it easier to find, but gathering and uploading the artifacts is actually optional since the previous steps are already displaying the important logs, so feel free to remove it if you want.
base/server/etc/default.cfg (outdated)
acme_realm_bind_password | ||
acme_realm_password | ||
est_realm_bind_password | ||
est_realm_password | ||
est_ca_password |
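Review bot: dropping `acme_realm_bind_password` and `acme_realm_password` from this list while `configure_acme_realm()` still reads them leaves the ACME realm code path without those parameters; keep both the `acme_*` and `est_*` entries, or rename both code paths to one shared prefix (such as `realm_*`) in the same change so neither subsystem loses its settings.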
I think we need to keep the acme_* params here since they are still used in configure_acme_realm(). If we want to merge the realm params for ACME & EST we probably should use something like pki_realm_* or maybe just realm_*.
This is a mistake moving between different implementations. Thanks!
@@ -5376,15 +5376,135 @@ def spawn_acme(self): | |||
|
|||
self.deploy_acme_webapp(subsystem) | |||
|
|||
def create_est_subsystem(self): | |||
''' | |||
See also pki-server acme-create. |
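Review bot: the docstring of `create_est_subsystem()` still reads `See also pki-server acme-create.`; it should point at the EST equivalent, `pki-server est-create`, and since the function was evidently derived from `spawn_acme()`, the rest of its body should be checked for other ACME names carried over the same way.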
Should be pki-server est-create.
base/est/shared/authorizer.conf (outdated)
@@ -0,0 +1,2 @@ | |||
class=org.dogtagpki.est.ExternalProcessRequestAuthorizer | |||
executable=/usr/local/libexec/estauthz |
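Review bot: `executable=/usr/local/libexec/estauthz` hard-codes a path that does not match the `est_authorizer_exec_path` value in default.cfg; render this line from that parameter so the shipped template and the deployment configuration cannot drift apart. Since `ExternalProcessRequestAuthorizer` makes the authorization decision for every enrollment request by running this file, the installed script should be owned by root and not writable by the server's service user; otherwise anyone who can write it decides who gets certificates.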
Is the path correct?
base/server/etc/default.cfg (outdated)
est_realm_users_dn=ou=people,dc=est,dc=pki,dc=example,dc=com | ||
est_realm_groups_dn=ou=groups,dc=est,dc=pki,dc=example,dc=com | ||
est_realm_statements=/usr/share/pki/est/conf/realm/statements.conf | ||
est_authorizer_exec_path=/usr/libexec/estauthz |
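Review bot: `est_authorizer_exec_path=/usr/libexec/estauthz` disagrees with `/usr/local/libexec/estauthz` in authorizer.conf; settle on one location and have authorizer.conf take its value from this parameter. The `dc=example,dc=com` suffix in `est_realm_users_dn` and `est_realm_groups_dn` is a placeholder every real deployment must override; a comment next to these defaults saying so would save users from standing up a realm that points at the wrong directory tree.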
The path in authorizer.conf is different.
BTW, the estauthz script looks more like a sample script instead of a general purpose tool. Would it be better to install it somewhere under /usr/share/pki/est instead of /usr/libexec?
Moved the script to /usr/share/pki/est/bin/estauthz and updated all the references.
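To make concrete what the executable behind `ExternalProcessRequestAuthorizer` has to do, here is an added example of a fail-closed authorizer written for this page; it is not the PR's `estauthz` script and not Dogtag code. It assumes the server passes a JSON document describing the request on standard input, that the authenticated principal's roles sit under `authzData.principal.roles`, and that exit status 0 means "authorized" while any other status denies; those interface details and the role name `estclient` are assumptions, not something the discussion above states. The sample request at the bottom is constructed, not captured from a server.

```python
#!/usr/bin/python3
"""Fail-closed external authorizer for EST enrollment requests.

Added example, not the project's estauthz script.  Assumed interface:
the server writes a JSON document describing the request to stdin and
treats exit status 0 as "authorized" and anything else as "denied".
"""
import json
import sys

# Role a principal must hold to enroll.  Assumed name; adjust to the realm.
ALLOWED_ROLE = "estclient"

# Exit statuses under the assumed interface: 0 authorizes, anything else denies.
EXIT_ALLOW = 0
EXIT_DENY = 1


def extract_roles(request):
    """Return the principal's roles from the (assumed) request layout.

    Any structural surprise (missing keys, wrong types) yields an empty
    role set, so the caller ends up denying instead of crashing.
    """
    try:
        roles = request["authzData"]["principal"]["roles"]
    except (KeyError, TypeError):
        return frozenset()
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        return frozenset()
    return frozenset(roles)


def authorize(request):
    """Decide on a parsed request; returns (allowed, reason)."""
    if not isinstance(request, dict):
        return False, "request is not a JSON object"
    roles = extract_roles(request)
    if ALLOWED_ROLE not in roles:
        return False, f"principal does not have required role {ALLOWED_ROLE!r}"
    return True, "ok"


def decide(raw):
    """Parse the raw stdin document and return (exit_status, reason).

    Malformed JSON is a denial rather than an exception, so a broken or
    hostile document can never be mistaken for an authorization.
    """
    try:
        request = json.loads(raw)
    except (ValueError, TypeError):
        return EXIT_DENY, "malformed request document"
    allowed, reason = authorize(request)
    return (EXIT_ALLOW if allowed else EXIT_DENY), reason


# Constructed sample input in the assumed layout; not a real server message.
SAMPLE_REQUEST = json.dumps({
    "authzData": {"principal": {"name": "device-001", "roles": ["estclient"]}},
})


def main():
    status, reason = decide(sys.stdin.read())
    if status != EXIT_ALLOW:
        print(reason, file=sys.stderr)
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Every path that is not an explicit match on the required role ends in a non-zero exit, which is the property that matters for a script the server trusts to gate enrollment: an unexpected document shape or a parse error must deny, never allow by accident.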
|
||
else: | ||
# otherwise, deploy the subsystem and wait until it starts | ||
subsystem.enable( | ||
wait=True, | ||
max_wait=self.startup_timeout, | ||
timeout=self.request_timeout) |
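Review bot: the `else:` branch calls `subsystem.enable(wait=True, max_wait=self.startup_timeout, timeout=self.request_timeout)` without first starting the instance, so when EST (or ACME) is the only subsystem on the server nothing ever brings the instance up and `enable()` waits on a server that is not running until `max_wait` expires; keep the `self.instance.start()` from the original code, or start the instance when it is not already running, before enabling the subsystem.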
The self.instance.start() in the original code is actually needed by spawn_acme() to start the instance in case ACME is the only subsystem on the server. See the test for ACME on a separate instance (it's currently failing). EST probably needs similar code too later.
2f46def to 3c77764
EST deployment is included in pkispawn. The installation does not perform all the steps done for the CA and other subsystems, so there is no security domain management and no user administration. During the installation there is no DS or other DB connection; this has to be performed by the user before or after the installation.
3c77764 to 85a9a9a
@edewata Thanks!
Yeah, rpminspect is a new but unrelated issue.
This initial commit adds EST configuration for deployment in an instance with an existing CA.
Actually, several steps are just skipped which could be required, like creating initial users, reporting the status, etc.
The final installation is compliant with the page: https://github.com/dogtagpki/pki/blob/master/docs/installation/est/Installing_EST.md