Skip to content

Bug2246422-(refinement of)ServerSideKeygen static SKID #4595

Bug2246422-(refinement of)ServerSideKeygen static SKID

Bug2246422-(refinement of)ServerSideKeygen static SKID #4595

Workflow file for this run

name: KRA Tests
on: [push, pull_request]
jobs:
init:
name: Initialization
uses: ./.github/workflows/init.yml
secrets: inherit
build:
name: Waiting for build
needs: init
runs-on: ubuntu-latest
steps:
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'push'
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'pull_request'
# docs/installation/kra/Installing_KRA.md
kra-test:
name: Testing KRA
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Run container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Install KRA
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
- name: Verify KRA admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec pki pki -n caadmin kra-user-show kraadmin
- name: Verify KRA connector in CA
run: |
docker exec pki bash -c "pki -n caadmin ca-kraconnector-show | sed -n 's/\s*Host:\s\+\(\S\+\):.*/\1/p' > ${PKIDIR}/kraconnector.host"
echo pki.example.com > kra.hostname
diff kra.hostname kraconnector.host
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove KRA
run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: kra
path: |
/tmp/artifacts/pki
# docs/installation/kra/Installing_KRA_on_Separate_Instance.md
kra-separate-test:
name: Testing KRA on separate instance
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Setup CA container
run: |
IMAGE=pki-runner \
NAME=ca \
HOSTNAME=ca.example.com \
tests/bin/runner-init.sh
- name: Connect CA container to network
run: docker network connect example ca --alias ca.example.com
- name: Install dependencies in CA container
run: docker exec ca dnf install -y 389-ds-base
- name: Install DS in CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in CA container
run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Install banner in CA container
run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
- name: Setup KRA container
run: |
IMAGE=pki-runner \
NAME=kra \
HOSTNAME=kra.example.com \
tests/bin/runner-init.sh
- name: Connect KRA container to network
run: docker network connect example kra --alias kra.example.com
- name: Install dependencies in KRA container
run: docker exec kra dnf install -y 389-ds-base
- name: Install DS in KRA container
run: docker exec kra ${PKIDIR}/tests/bin/ds-create.sh
- name: Install KRA in KRA container
run: |
docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin.cert ${PKIDIR}/ca_admin.cert
docker exec kra cp ${PKIDIR}/ca_signing.crt .
docker exec kra cp ${PKIDIR}/ca_admin.cert .
docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-separate.cfg -s KRA -v
- name: Install banner in KRA container
run: docker exec kra cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
# TODO: Fix DogtagKRAConnectivityCheck to work without CA
# - name: Run PKI healthcheck
# run: docker exec kra pki-healthcheck --failures-only
- name: Verify KRA admin
run: |
docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
docker exec ca cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
docker exec kra pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec kra pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec kra pki -n caadmin --ignore-banner kra-user-show kraadmin
- name: Verify KRA connector in CA
run: |
docker exec ca pki client-cert-import ca_signing --ca-cert ${PKIDIR}/ca_signing.crt
docker exec ca pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec ca bash pki -n caadmin --ignore-banner ca-kraconnector-show | tee output
sed -n 's/\s*Host:\s\+\(\S\+\):.*/\1/p' output > actual
echo kra.example.com > expected
diff expected actual
- name: Gather artifacts from CA container
if: always()
run: |
tests/bin/ds-artifacts-save.sh ca
tests/bin/pki-artifacts-save.sh ca
- name: Gather artifacts from KRA container
if: always()
run: |
tests/bin/ds-artifacts-save.sh kra
tests/bin/pki-artifacts-save.sh kra
- name: Remove KRA from KRA container
run: docker exec kra pkidestroy -i pki-tomcat -s KRA -v
- name: Remove DS from KRA container
run: docker exec kra ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect KRA container from network
run: docker network disconnect example kra
- name: Remove CA from CA container
run: docker exec ca pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect CA container from network
run: docker network disconnect example ca
- name: Remove network
run: docker network rm example
- name: Upload artifacts from CA container
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-separate-ca
path: |
/tmp/artifacts/ca
- name: Upload artifacts from KRA container
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-separate-kra
path: |
/tmp/artifacts/kra
# docs/installation/kra/Installing_KRA_with_External_Certificates.md
kra-external-certs-test:
name: Testing KRA with external certificates
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Setup CA container
run: |
IMAGE=pki-runner \
NAME=ca \
HOSTNAME=ca.example.com \
tests/bin/runner-init.sh
- name: Connect CA container to network
run: docker network connect example ca --alias ca.example.com
- name: Install dependencies in CA container
run: docker exec ca dnf install -y 389-ds-base
- name: Install DS in CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in CA container
run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Initialize CA admin in CA container
run: |
docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec ca pki client-cert-import ca_signing --ca-cert ${PKIDIR}/ca_signing.crt
docker exec ca pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
- name: Setup KRA container
run: |
IMAGE=pki-runner \
NAME=kra \
HOSTNAME=kra.example.com \
tests/bin/runner-init.sh
- name: Connect KRA container to network
run: docker network connect example kra --alias kra.example.com
- name: Install dependencies in KRA container
run: docker exec kra dnf install -y 389-ds-base
- name: Install DS in KRA container
run: docker exec kra ${PKIDIR}/tests/bin/ds-create.sh
- name: Install KRA in KRA container (step 1)
run: |
docker exec kra cp ${PKIDIR}/ca_signing.crt .
docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-external-certs-step1.cfg -s KRA -v
- name: Issue KRA storage cert
run: |
docker exec kra cp kra_storage.csr ${PKIDIR}/kra_storage.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caStorageCert --csr-file ${PKIDIR}/kra_storage.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_storage.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_storage.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_storage.certid"
docker exec ca bash -c "pki ca-cert-export `cat kra_storage.certid` --output-file ${PKIDIR}/kra_storage.crt"
docker exec kra cp ${PKIDIR}/kra_storage.crt kra_storage.crt
- name: Issue KRA transport cert
run: |
docker exec kra cp kra_transport.csr ${PKIDIR}/kra_transport.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caTransportCert --csr-file ${PKIDIR}/kra_transport.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_transport.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_transport.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_transport.certid"
docker exec ca bash -c "pki ca-cert-export `cat kra_transport.certid` --output-file ${PKIDIR}/kra_transport.crt"
docker exec kra cp ${PKIDIR}/kra_transport.crt kra_transport.crt
- name: Issue subsystem cert
run: |
docker exec kra cp subsystem.csr ${PKIDIR}/subsystem.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${PKIDIR}/subsystem.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat subsystem.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.certid"
docker exec ca bash -c "pki ca-cert-export `cat subsystem.certid` --output-file ${PKIDIR}/subsystem.crt"
docker exec kra cp ${PKIDIR}/subsystem.crt subsystem.crt
- name: Issue SSL server cert
run: |
docker exec kra cp sslserver.csr ${PKIDIR}/sslserver.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caServerCert --csr-file ${PKIDIR}/sslserver.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat sslserver.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.certid"
docker exec ca bash -c "pki ca-cert-export `cat sslserver.certid` --output-file ${PKIDIR}/sslserver.crt"
docker exec kra cp ${PKIDIR}/sslserver.crt sslserver.crt
- name: Issue KRA audit signing cert
run: |
docker exec kra cp kra_audit_signing.csr ${PKIDIR}/kra_audit_signing.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${PKIDIR}/kra_audit_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_audit_signing.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_audit_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_audit_signing.certid"
docker exec ca bash -c "pki ca-cert-export `cat kra_audit_signing.certid` --output-file ${PKIDIR}/kra_audit_signing.crt"
docker exec kra cp ${PKIDIR}/kra_audit_signing.crt kra_audit_signing.crt
- name: Issue KRA admin cert
run: |
docker exec kra cp kra_admin.csr ${PKIDIR}/kra_admin.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caUserCert --csr-file ${PKIDIR}/kra_admin.csr --subject uid=kraadmin | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_admin.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_admin.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_admin.certid"
docker exec ca bash -c "pki ca-cert-export `cat kra_admin.certid` --output-file ${PKIDIR}/kra_admin.crt"
docker exec kra cp ${PKIDIR}/kra_admin.crt kra_admin.crt
- name: Install KRA in KRA container (step 2)
run: |
docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-external-certs-step2.cfg -s KRA -v
# TODO: Fix DogtagKRAConnectivityCheck to work without CA
# - name: Run PKI healthcheck
# run: docker exec kra pki-healthcheck --failures-only
- name: Verify KRA admin
run: |
docker exec kra pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec kra pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/kra_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
docker exec kra pki -n kraadmin kra-user-show kraadmin
- name: Verify KRA connector in CA
run: |
docker exec ca bash -c "pki -n caadmin ca-kraconnector-show | sed -n 's/\s*Host:\s\+\(\S\+\):.*/\1/p' > ${PKIDIR}/kraconnector.host"
echo kra.example.com > kra.hostname
diff kra.hostname kraconnector.host
- name: Gather artifacts from CA container
if: always()
run: |
tests/bin/ds-artifacts-save.sh ca
tests/bin/pki-artifacts-save.sh ca
- name: Gather artifacts from KRA container
if: always()
run: |
tests/bin/ds-artifacts-save.sh kra
tests/bin/pki-artifacts-save.sh kra
- name: Remove KRA from KRA container
run: docker exec kra pkidestroy -i pki-tomcat -s KRA -v
- name: Remove DS from KRA container
run: docker exec kra ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect KRA container from network
run: docker network disconnect example kra
- name: Remove CA from CA container
run: docker exec ca pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect CA container from network
run: docker network disconnect example ca
- name: Remove network
run: docker network rm example
- name: Upload artifacts from CA container
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-external-certs-ca
path: |
/tmp/artifacts/ca
- name: Upload artifacts from KRA container
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-external-certs-kra
path: |
/tmp/artifacts/kra
# docs/installation/kra/Installing_KRA_Clone.md
kra-clone-test:
name: Testing KRA clone
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run primary container
run: |
IMAGE=pki-runner \
NAME=primary \
HOSTNAME=primary.example.com \
tests/bin/runner-init.sh
- name: Connect primary container to network
run: docker network connect example primary --alias primary.example.com
- name: Install dependencies in primary container
run: docker exec primary dnf install -y 389-ds-base
- name: Install DS in primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install primary CA in primary container
run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Install primary KRA in primary container
run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v
- name: Setup secondary container
run: |
IMAGE=pki-runner \
NAME=secondary \
HOSTNAME=secondary.example.com \
tests/bin/runner-init.sh
- name: Connect secondary container to network
run: docker network connect example secondary --alias secondary.example.com
- name: Install dependencies in secondary container
run: docker exec secondary dnf install -y 389-ds-base
- name: Install DS in secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in secondary container
run: |
docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
docker exec secondary cp ${PKIDIR}/ca_signing.crt .
docker exec secondary cp ${PKIDIR}/ca-certs.p12 .
docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v
- name: Install KRA in secondary container
run: |
docker exec primary pki-server kra-clone-prepare --pkcs12-file ${PKIDIR}/kra-certs.p12 --pkcs12-password Secret.123
docker exec secondary cp ${PKIDIR}/kra-certs.p12 .
docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/kra-clone.cfg -s KRA -v
- name: Verify KRA admin in secondary container
run: |
docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec secondary pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki -n caadmin kra-user-show kraadmin
- name: Setup tertiary container
run: |
IMAGE=pki-runner \
NAME=tertiary \
HOSTNAME=tertiary.example.com \
tests/bin/runner-init.sh
- name: Connect tertiary container to network
run: docker network connect example tertiary --alias tertiary.example.com
- name: Install dependencies in tertiary container
run: docker exec tertiary dnf install -y 389-ds-base
- name: Install DS in tertiary container
run: docker exec tertiary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in tertiary container
run: |
docker exec secondary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec secondary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
docker exec tertiary cp ${PKIDIR}/ca_signing.crt .
docker exec tertiary cp ${PKIDIR}/ca-certs.p12 .
docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg -s CA -v
- name: Install KRA in tertiary container
run: |
docker exec secondary pki-server kra-clone-prepare --pkcs12-file ${PKIDIR}/kra-certs.p12 --pkcs12-password Secret.123
docker exec tertiary cp ${PKIDIR}/kra-certs.p12 .
docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/kra-clone-of-clone.cfg -s KRA -v
- name: Run PKI healthcheck in primary container
run: docker exec primary pki-healthcheck --failures-only
- name: Run PKI healthcheck in secondary container
run: docker exec secondary pki-healthcheck --failures-only
- name: Run PKI healthcheck in tertiary container
run: docker exec tertiary pki-healthcheck --failures-only
- name: Verify KRA admin in tertiary container
run: |
docker exec tertiary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec tertiary pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec tertiary pki -n caadmin kra-user-show kraadmin
- name: Gather artifacts from primary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh primary
tests/bin/pki-artifacts-save.sh primary
- name: Gather artifacts from secondary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh secondary
tests/bin/pki-artifacts-save.sh secondary
- name: Gather artifacts from tertiary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh tertiary
tests/bin/pki-artifacts-save.sh tertiary
- name: Remove KRA from tertiary container
run: docker exec tertiary pkidestroy -i pki-tomcat -s KRA -v
- name: Remove CA from tertiary container
run: docker exec tertiary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from tertiary container
run: docker exec tertiary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect tertiary container from network
run: docker network disconnect example tertiary
- name: Remove KRA from secondary container
run: docker exec secondary pkidestroy -i pki-tomcat -s KRA -v
- name: Remove CA from secondary container
run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect secondary container from network
run: docker network disconnect example secondary
- name: Remove KRA from primary container
run: docker exec primary pkidestroy -i pki-tomcat -s KRA -v
- name: Remove CA from primary container
run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect primary container from network
run: docker network disconnect example primary
- name: Remove network
run: docker network rm example
- name: Upload artifacts from primary container
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-clone-primary
path: |
/tmp/artifacts/primary
- name: Upload artifacts from secondary container
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-clone-secondary
path: |
/tmp/artifacts/secondary
- name: Upload artifacts from tertiary container
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-clone-tertiary
path: |
/tmp/artifacts/tertiary
kra-standalone-test:
name: Testing standalone KRA
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Run container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Create CA signing cert
run: |
docker exec pki pki -d nssdb nss-cert-request \
--subject "CN=CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr ca_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--csr ca_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--serial 1 \
--cert ca_signing.crt
docker exec pki pki -d nssdb nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
- name: Install KRA (step 1)
run: |
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra-standalone-step1.cfg -s KRA -v
- name: Issue KRA storage cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_storage.csr \
--ext /usr/share/pki/server/certs/kra_storage.conf \
--serial 2 \
--cert kra_storage.crt
- name: Issue KRA transport cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_transport.csr \
--ext /usr/share/pki/server/certs/kra_transport.conf \
--serial 3 \
--cert kra_transport.crt
- name: Issue subsystem cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr subsystem.csr \
--ext /usr/share/pki/server/certs/subsystem.conf \
--serial 4 \
--cert subsystem.crt
- name: Issue SSL server cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr sslserver.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--serial 5 \
--cert sslserver.crt
- name: Issue KRA audit signing cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--serial 6 \
--cert kra_audit_signing.crt
- name: Issue KRA admin cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_admin.csr \
--ext /usr/share/pki/server/certs/admin.conf \
--serial 7 \
--cert kra_admin.crt
- name: Install KRA (step 2)
run: |
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra-standalone-step2.cfg -s KRA -v
# TODO: Fix DogtagKRAConnectivityCheck to work without CA
# - name: Run PKI healthcheck
# run: docker exec pki pki-healthcheck --failures-only
- name: Verify admin user
run: |
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/kra_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
docker exec pki pki -n kraadmin kra-user-show kraadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove KRA
run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-standalone
path: |
/tmp/artifacts/pki