diff --git a/.github/workflows/kra-clone-shared-ds-test.yml b/.github/workflows/kra-clone-shared-ds-test.yml
new file mode 100644
index 00000000000..5f41a431c8e
--- /dev/null
+++ b/.github/workflows/kra-clone-shared-ds-test.yml
@@ -0,0 +1,272 @@
+name: KRA clone with shared DS
+
+on:
+ workflow_call:
+ inputs:
+ db-image:
+ required: false
+ type: string
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ env:
+ SHARED: /tmp/workdir/pki
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v3
+
+ - name: Retrieve PKI images
+ uses: actions/cache@v3
+ with:
+ key: pki-images-${{ github.sha }}
+ path: pki-images.tar
+
+ - name: Load PKI images
+ run: docker load --input pki-images.tar
+
+ - name: Create network
+ run: docker network create example
+
+ - name: Set up primary DS container
+ run: |
+ tests/bin/ds-container-create.sh ds
+ env:
+ IMAGE: ${{ inputs.db-image }}
+ HOSTNAME: ds.example.com
+ PASSWORD: Secret.123
+
+ - name: Connect DS container to network
+ run: docker network connect example ds --alias ds.example.com
+
+ - name: Set up primary PKI container
+ run: |
+ tests/bin/runner-init.sh primary
+ env:
+ HOSTNAME: primary.example.com
+
+ - name: Connect primary PKI container to network
+ run: docker network connect example primary --alias primary.example.com
+
+ - name: Install CA in primary PKI container
+ run: |
+ docker exec primary pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca.cfg \
+ -s CA \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_cert_id_generator=random \
+ -D pki_request_id_generator=random \
+ -v
+
+ - name: Install KRA in primary PKI container
+ run: |
+ docker exec primary pkispawn \
+ -f /usr/share/pki/server/examples/installation/kra.cfg \
+ -s KRA \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_key_id_generator=random \
+ -D pki_request_id_generator=random \
+ -v
+
+ - name: Install admin cert in primary PKI container
+ run: |
+ # install CA signing cert
+ docker exec primary pki-server cert-export ca_signing \
+ --cert-file ${SHARED}/ca_signing.crt
+ docker exec primary pki client-cert-import ca_signing \
+ --ca-cert ${SHARED}/ca_signing.crt
+
+ # install admin cert
+ docker exec primary cp \
+ /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ ${SHARED}/ca_admin_cert.p12
+ docker exec primary pki pkcs12-import \
+ --pkcs12 ${SHARED}/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+ - name: Export certs and keys from primary PKI container
+ run: |
+ docker exec primary pki-server ca-clone-prepare \
+ --pkcs12-file ${SHARED}/ca-certs.p12 \
+ --pkcs12-password Secret.123
+
+ docker exec primary pki-server kra-clone-prepare \
+ --pkcs12-file ${SHARED}/kra-certs.p12 \
+ --pkcs12-password Secret.123
+
+ - name: Set up secondary PKI container
+ run: |
+ tests/bin/runner-init.sh secondary
+ env:
+ HOSTNAME: secondary.example.com
+
+ - name: Connect secondary PKI container to network
+ run: docker network connect example secondary --alias secondary.example.com
+
+ - name: Install CA in secondary PKI container
+ run: |
+ docker exec secondary pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca-clone.cfg \
+ -s CA \
+ -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
+ -D pki_clone_pkcs12_path=${SHARED}/ca-certs.p12 \
+ -D pki_clone_pkcs12_password=Secret.123 \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_ds_setup=False \
+ -D pki_cert_id_generator=random \
+ -D pki_request_id_generator=random \
+ -v
+
+ - name: Install KRA in secondary PKI container
+ run: |
+ # get CS.cfg from primary KRA before cloning
+ docker cp primary:/etc/pki/pki-tomcat/kra/CS.cfg CS.cfg.primary
+
+ docker exec secondary pkispawn \
+ -f /usr/share/pki/server/examples/installation/kra-clone.cfg \
+ -s KRA \
+ -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
+ -D pki_clone_pkcs12_path=${SHARED}/kra-certs.p12 \
+ -D pki_clone_pkcs12_password=Secret.123 \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_ds_setup=False \
+ -D pki_key_id_generator=random \
+ -D pki_request_id_generator=random \
+ -v
+
+ - name: Check system certs in primary KRA and secondary KRA
+ run: |
+ # get system certs from primary KRA (except sslserver)
+ docker exec primary pki-server cert-show kra_storage > system-certs.primary
+ echo >> system-certs.primary
+ docker exec primary pki-server cert-show kra_transport >> system-certs.primary
+ echo >> system-certs.primary
+ docker exec primary pki-server cert-show kra_audit_signing >> system-certs.primary
+ echo >> system-certs.primary
+ docker exec primary pki-server cert-show subsystem >> system-certs.primary
+
+ # get system certs from secondary KRA (except sslserver)
+ docker exec secondary pki-server cert-show kra_storage > system-certs.secondary
+ echo >> system-certs.secondary
+ docker exec secondary pki-server cert-show kra_transport >> system-certs.secondary
+ echo >> system-certs.secondary
+ docker exec secondary pki-server cert-show kra_audit_signing >> system-certs.secondary
+ echo >> system-certs.secondary
+ docker exec secondary pki-server cert-show subsystem >> system-certs.secondary
+
+ cat system-certs.primary
+ diff system-certs.primary system-certs.secondary
+
+ - name: Check CS.cfg in primary KRA after cloning
+ run: |
+ # get CS.cfg from primary KRA after cloning
+ docker cp primary:/etc/pki/pki-tomcat/kra/CS.cfg CS.cfg.primary.after
+
+ # normalize expected result:
+ # - remove params that cannot be compared
+ sed -e '/^dbs.beginReplicaNumber=/d' \
+ -e '/^dbs.endReplicaNumber=/d' \
+ -e '/^dbs.nextBeginReplicaNumber=/d' \
+ -e '/^dbs.nextEndReplicaNumber=/d' \
+ CS.cfg.primary \
+ | sort > expected
+
+ # normalize actual result:
+ # - remove params that cannot be compared
+ sed -e '/^dbs.beginReplicaNumber=/d' \
+ -e '/^dbs.endReplicaNumber=/d' \
+ -e '/^dbs.nextBeginReplicaNumber=/d' \
+ -e '/^dbs.nextEndReplicaNumber=/d' \
+ CS.cfg.primary.after \
+ | sort > actual
+
+ diff expected actual
+
+ - name: Check CS.cfg in secondary KRA
+ run: |
+ # get CS.cfg from secondary KRA
+ docker cp secondary:/etc/pki/pki-tomcat/kra/CS.cfg CS.cfg.secondary
+
+ # normalize expected result:
+ # - remove params that cannot be compared
+ # - replace primary.example.com with secondary.example.com
+ # - set securitydomain.host to primary.example.com
+ sed -e '/^installDate=/d' \
+ -e '/^dbs.beginReplicaNumber=/d' \
+ -e '/^dbs.endReplicaNumber=/d' \
+ -e '/^dbs.nextBeginReplicaNumber=/d' \
+ -e '/^dbs.nextEndReplicaNumber=/d' \
+ -e '/^kra.sslserver.cert=/d' \
+ -e '/^kra.sslserver.certreq=/d' \
+ -e 's/primary.example.com/secondary.example.com/' \
+ -e 's/^\(securitydomain.host\)=.*$/\1=primary.example.com/' \
+ CS.cfg.primary.after \
+ | sort > expected
+
+ # normalize actual result:
+ # - remove params that cannot be compared
+ sed -e '/^installDate=/d' \
+ -e '/^dbs.beginReplicaNumber=/d' \
+ -e '/^dbs.endReplicaNumber=/d' \
+ -e '/^dbs.nextBeginReplicaNumber=/d' \
+ -e '/^dbs.nextEndReplicaNumber=/d' \
+ -e '/^kra.sslserver.cert=/d' \
+ -e '/^kra.sslserver.certreq=/d' \
+ CS.cfg.secondary \
+ | sort > actual
+
+ diff expected actual
+
+ - name: Install admin cert in secondary PKI container
+ run: |
+ # install CA signing cert
+ docker exec secondary pki client-cert-import ca_signing \
+ --ca-cert ${SHARED}/ca_signing.crt
+
+ # install admin cert
+ docker exec secondary pki pkcs12-import \
+ --pkcs12 ${SHARED}/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+ - name: Check users in primary KRA and secondary KRA
+ run: |
+ docker exec primary pki -n caadmin kra-user-find | tee kra-users.primary
+ docker exec secondary pki -n caadmin kra-user-find > kra-users.secondary
+ diff kra-users.primary kra-users.secondary
+
+ - name: Run PKI healthcheck in primary container
+ run: docker exec primary pki-healthcheck --failures-only
+
+ - name: Run PKI healthcheck in secondary container
+ run: docker exec secondary pki-healthcheck --failures-only
+
+ - name: Gather artifacts
+ if: always()
+ run: |
+ tests/bin/ds-artifacts-save.sh ds
+ tests/bin/pki-artifacts-save.sh primary
+ tests/bin/pki-artifacts-save.sh secondary
+ continue-on-error: true
+
+ - name: Remove KRA from secondary PKI container
+ run: docker exec secondary pkidestroy -i pki-tomcat -s KRA -v
+
+ - name: Remove CA from secondary PKI container
+ run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
+
+ - name: Remove KRA from primary PKI container
+ run: docker exec primary pkidestroy -i pki-tomcat -s KRA -v
+
+ - name: Remove CA from primary PKI container
+ run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
+
+ - name: Upload artifacts
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: kra-clone-shared-ds
+ path: |
+ /tmp/artifacts/ds
+ /tmp/artifacts/primary
+ /tmp/artifacts/secondary
diff --git a/.github/workflows/kra-tests.yml b/.github/workflows/kra-tests.yml
index 73bc3c22290..d9682dd3cd2 100644
--- a/.github/workflows/kra-tests.yml
+++ b/.github/workflows/kra-tests.yml
@@ -63,6 +63,13 @@ jobs:
 with:
 db-image: ${{ needs.init.outputs.db-image }}
+ kra-clone-shared-ds-test:
+ name: KRA clone with shared DS
+ needs: [init, build]
+ uses: ./.github/workflows/kra-clone-shared-ds-test.yml
+ with:
+ db-image: ${{ needs.init.outputs.db-image }}
+
 kra-standalone-test:
 name: Standalone KRA
 needs: [init, build]
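Review bot: The PKCS#12 files written to ${SHARED} by the "Export certs and keys" step (`ca-certs.p12`, `kra-certs.p12`) carry the CA and KRA private keys, and the workflow never removes them before the `Gather artifacts` step runs `tests/bin/pki-artifacts-save.sh` and `Upload artifacts` publishes `/tmp/artifacts/*`; if that script collects ${SHARED} (not visible in this hunk), the clone keys end up in a downloadable artifact. A cleanup line after the secondary KRA install, `rm -f ${SHARED}/ca-certs.p12 ${SHARED}/kra-certs.p12`, or a comment above the export step such as `# ${SHARED} is a throwaway CI volume; Secret.123 is a fixture password, not a secret` would make the intended lifetime of these files explicit. The same fixed password is also passed on the `docker exec ... pkispawn -v` command line (`-D pki_clone_pkcs12_password=Secret.123`), so it is visible in the job log, which is acceptable for a disposable test environment but worth stating in that comment. Separately, `actions/checkout@v3`, `actions/cache@v3` and `actions/upload-artifact@v3` are referenced by mutable tag; pinning each to a full commit SHA is the usual hardening for a workflow that loads a cached image and runs repository scripts.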