
Skip importing certs and requests when pki_ds_setup=False #4655

Merged (2 commits), Jan 16, 2024

Conversation

@edewata (Contributor) commented Jan 15, 2024

If pki_ds_setup is set to False, pkispawn should not modify the DS during installation, so PKIDeployer.setup_system_cert() has been modified to skip importing the certs and the requests into the CA database in that scenario. With this change the certs and the requests need to be imported separately.

The CA installation test with an existing DS has been modified to import the certs and the requests into the CA database before calling pkispawn.

The CA container test has been modified to export the certs and requests provided to the container during startup so that they can be imported into the CA database after startup.

https://github.com/dogtagpki/pki/wiki/Installing-CA-with-Existing-DS-Database

https://github.com/dogtagpki/pki/wiki/Deploying-CA-on-Podman
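The description above says that with pki_ds_setup=False pkispawn no longer imports the system certs and their requests into the CA database, so they have to be in the DS before pkispawn runs (which is what the modified existing-DS test does). The following preflight script is an added example written for this page, not code from the dogtagpki/pki project or its wiki. It reads pki_ds_setup from a pkispawn config file and, when the value is False, checks that the cert and request records are already present before you call pkispawn. Everything about the directory layout is an assumption taken from a default pki-tomcat CA and is adjustable through the variables at the top: OpenLDAP ldapsearch, a DS at ldap://localhost:3389, bind DN cn=Directory Manager, base DN o=pki-tomcat-CA, cert records under ou=certificateRepository,ou=ca,<base> with objectClass certificateRecord, request records under ou=ca,ou=requests,<base> with objectClass request, and five expected system certs.

```shell
#!/bin/sh
# Added example (not code from the dogtagpki/pki project): a preflight check to
# run before pkispawn when pki_ds_setup=False. In that mode pkispawn leaves the
# DS alone and does not import the system certs or their requests into the CA
# database, so they must have been imported separately beforehand. Assumptions,
# all adjustable via the variables below: OpenLDAP ldapsearch, DS at
# ldap://localhost:3389, bind as cn=Directory Manager, CA base DN
# o=pki-tomcat-CA, cert records under ou=certificateRepository,ou=ca,<base>
# (objectClass certificateRecord), request records under ou=ca,ou=requests,<base>
# (objectClass request), and five expected system certs.

LDAP_URL="${LDAP_URL:-ldap://localhost:3389}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
BASE_DN="${BASE_DN:-o=pki-tomcat-CA}"
MIN_ENTRIES="${MIN_ENTRIES:-5}"

# Print the value of pki_ds_setup from a pkispawn config file (INI style); when
# the key appears more than once the last occurrence wins. Prints nothing if unset.
get_ds_setup() {
  sed -n 's/^[[:space:]]*pki_ds_setup[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
    | tail -n 1
}

# Succeeds (exit 0) when pkispawn will skip DS setup, i.e. the operator must
# import the certs and requests themselves; fails otherwise (unset is treated
# here as True, the scenario where pkispawn does the import).
ds_setup_skipped() {
  case "$(get_ds_setup "$1")" in
    [Ff]alse) return 0 ;;
    *) return 1 ;;
  esac
}

# Count LDIF entries read from stdin (one "dn:" line per entry).
count_entries() {
  grep -c '^dn:' || true
}

# Dump the DNs of cert records / request records; the bind password is read from
# the file named in $1 so it never appears on the command line.
fetch_cert_dns() {
  ldapsearch -LLL -x -H "$LDAP_URL" -D "$BIND_DN" -y "$1" \
    -b "ou=certificateRepository,ou=ca,$BASE_DN" '(objectClass=certificateRecord)' dn
}

fetch_request_dns() {
  ldapsearch -LLL -x -H "$LDAP_URL" -D "$BIND_DN" -y "$1" \
    -b "ou=ca,ou=requests,$BASE_DN" '(objectClass=request)' dn
}

# preflight CONFIG CERT_LDIF REQUEST_LDIF [MIN]
# Exit 0 when it is safe to call pkispawn with CONFIG: either pki_ds_setup is not
# False (pkispawn will import the certs itself), or both LDIF dumps already hold
# at least MIN entries. Exit 1 when pki_ds_setup=False and entries are missing.
preflight() {
  pf_cfg="$1"; pf_certs="$2"; pf_reqs="$3"; pf_min="${4:-$MIN_ENTRIES}"
  if ! ds_setup_skipped "$pf_cfg"; then
    echo "pki_ds_setup is not False: pkispawn will set up the DS and import the certs itself"
    return 0
  fi
  pf_ncerts=$(count_entries < "$pf_certs")
  pf_nreqs=$(count_entries < "$pf_reqs")
  echo "pki_ds_setup=False: $pf_ncerts cert records, $pf_nreqs request records (need >= $pf_min each)"
  if [ "$pf_ncerts" -ge "$pf_min" ] && [ "$pf_nreqs" -ge "$pf_min" ]; then
    return 0
  fi
  echo "import the system certs and requests into the CA database before running pkispawn"
  return 1
}

# Live usage: PREFLIGHT_CFG=ca.cfg PREFLIGHT_PWFILE=ds_password.txt ./preflight.sh
if [ -n "${PREFLIGHT_CFG:-}" ] && [ -n "${PREFLIGHT_PWFILE:-}" ]; then
  tmp=$(mktemp -d)
  fetch_cert_dns "$PREFLIGHT_PWFILE" > "$tmp/certs.ldif"
  fetch_request_dns "$PREFLIGHT_PWFILE" > "$tmp/requests.ldif"
  preflight "$PREFLIGHT_CFG" "$tmp/certs.ldif" "$tmp/requests.ldif"
  rc=$?
  rm -rf "$tmp"
  exit "$rc"
fi
```

The check is deliberately split into a config reader, an LDIF counter and the two ldapsearch calls so that the decision logic can be exercised against captured LDIF without a live DS; the threshold defaults to five because that is the number of system certs (CA signing, OCSP signing, audit signing, subsystem, SSL server) a CA keeps, but it is an assumption and should be set to whatever your deployment imports.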

SonarCloud: Quality Gate passed. 0 new issues, 0 security hotspots, no data about coverage or duplication.

@edewata requested a review from fmarco76, January 16, 2024 09:42
@fmarco76 (Member) left a comment

LGTM

I have a question, but you can merge it as it is. In the ca-existing-ds-test, the last configuration step is pkispawn. I am wondering what the remaining operations performed by this command are, since almost everything was already configured. Is it needed, or could it be replaced with other, more explicit steps?

@edewata (Contributor, Author) commented Jan 16, 2024

@fmarco76 Thanks!

Even with the certs and the DS database already set up, pkispawn will still need to create the rest of the subsystem files and folders, configure the params in CS.cfg, configure the SSL server cert for Tomcat, join the security domain (for non-CA), retrieve master config params (for clones), add connectors (for KRA, TKS, TPS), add the publisher (for OCSP), create the systemd service, etc. I'm hoping that eventually we will have CLIs for those operations so we can have more control over the installation process without making pkispawn more complicated than it already is. So we can continue to use pkispawn for common scenarios, but we can also use the CLIs if we need to do something different.

I'll merge this PR, but feel free to continue the discussion. Thanks!

@edewata edewata merged commit 4dba7bf into dogtagpki:master Jan 16, 2024
132 checks passed
@fmarco76 (Member) commented

Thanks @edewata for the clarification. I was thinking some of these operations were done with pki-server ca-create, so I did not understand.

@edewata (Contributor, Author) commented Jan 16, 2024

Yeah, ideally pki-server ca-create should be able to replace subsystem_layout.py, but it's not quite complete yet; there are operations that pki-server ca-create cannot do yet.
