diff --git a/wiki/PKI_CA_OpenShift.mediawiki b/wiki/PKI_CA_OpenShift.mediawiki index 09d492875..325523322 100644 --- a/wiki/PKI_CA_OpenShift.mediawiki +++ b/wiki/PKI_CA_OpenShift.mediawiki @@ -1,443 +1 @@ -= Overview = - -This page describes the procedure to deploy a PKI instance on OpenShift. - -= Current Issues = - -* This is still a work in progress. -* The PKI instance cannot be created in OpenShift yet. The instance needs to be created locally then uploaded to OpenShift. -* The database configuration needs to be updated. -* The auth-method.properties needs to be fixed. -* The SSL certificate needs to be regenerated. -* Log files need to be cleaned up. - -= Creating Local PKI Instance = - -Create a [[PKI 10 Installation|PKI instance]] in the local machine. - -Then create a [[PKI Server Backup|backup]]: - -
-$ pki-server stop -$ tar czvf pki-tomcat.tar.gz -C / \ - etc/pki/pki-tomcat \ - etc/sysconfig/pki-tomcat \ - etc/sysconfig/pki/tomcat/pki-tomcat \ - etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \ - var/lib/pki/pki-tomcat \ - var/log/pki/pki-tomcat -- -Put the pki-tomcat.tar.gz in a backup dir. - -= Creating Persistent Storage = - -Prepare a configuration file (e.g. pki-pvc.yaml): - -
-apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: pki -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi -- -Then execute the following command: - -
-$ oc create -f pki-pvc.yaml -- -= Uploading PKI Instance Files = - -Deploy a temporary application (e.g. [[Fedora OpenShift]]). - -Mount the storage into the application's pod into /data. - -Upload the backup file: - -
-$ oc rsync- -Open a remote shell: - -:/data -
-$ oc rsh- -Execute the following commands: - --
-$ cd /data -$ tar xvf pki-tomcat.tar.gz -$ rm pki-tomcat.tar.gz -- -Edit /data/etc/pki/pki-tomcat/ca/CS.cfg: - -
-internaldb.ldapconn.host=ds.pki-demo.svc -internaldb.ldapconn.port=10389 -- -Unmount the storage. The temporary application can be undeployed as well. - -= Dockerfile = - -
-FROM fedora:30 - -EXPOSE 8080 8443 - -RUN dnf install -y dnf-plugins-core && dnf copr enable -y edewata/pki -RUN dnf install -y abrt-java-connector dogtag-pki && dnf clean all - -RUN ln -s /data/etc/pki/pki-tomcat /etc/pki/pki-tomcat && \ - ln -s /data/etc/sysconfig/pki-tomcat /etc/sysconfig/pki-tomcat && \ - ln -s /data/etc/sysconfig/pki/tomcat/pki-tomcat /etc/sysconfig/pki/tomcat/pki-tomcat && \ - ln -s /data/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \ - /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service && \ - ln -s /data/var/lib/pki/pki-tomcat /var/lib/pki/pki-tomcat && \ - ln -s /data/var/log/pki/pki-tomcat /var/log/pki/pki-tomcat - -USER pkiuser - -VOLUME /data - -CMD [ "pki-server", "run", "--as-current-user", "--debug" ] -- -= Building Container Image = - -
-$ docker build -t pki . -- -= Publishing Container Image = - -
-$ docker tag pki:latest- -= Available Images = - -* [https://cloud.docker.com/repository/docker/edewata/pki edewata/pki] - -= Creating PKI Image Stream = - -Prepare a configuration file (e.g. pki-is.yaml): - -/pki:latest -$ docker push /pki:latest -
-apiVersion: v1 -kind: ImageStream -metadata: - labels: - app: ca - name: pki -spec: - lookupPolicy: - local: false - tags: - - from: - kind: DockerImage - name: 'edewata/pki:latest' - name: latest - referencePolicy: - type: Source -- -Then execute the following command: - -
-$ oc create -f pki-is.yaml -- -= Creating PKI Application = - -Prepare a configuration file (e.g. pki-dc.yaml): - -
-apiVersion: v1 -kind: DeploymentConfig -metadata: - labels: - app: pki - name: pki -spec: - selector: - app: pki - deploymentconfig: pki - template: - metadata: - labels: - app: pki - deploymentconfig: pki - spec: - containers: - - image: edewata/pki - name: pki - ports: - - containerPort: 8080 - protocol: TCP - volumeMounts: - - mountPath: /data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: pki - test: false - triggers: - - type: ConfigChange - - imageChangeParams: - automatic: true - containerNames: - - pki - from: - kind: ImageStreamTag - name: 'pki:latest' - type: ImageChange -- -Then execute the following command: - -
-$ oc create -f pki-dc.yaml -- -= Starting PKI Application = - -
-$ oc scale dc pki --replicas=1 -- -= Generating Internal SSL Certificate = - -Generate a new CSR for the PKI service (e.g. pki.pki-demo.svc): - -
-$ cd /etc/pki/pki-tomcat/alias -$ openssl rand -out noise.bin 2048 -$ echo Secret.123 > password.txt -$ certutil -R \ - -d . \ - -f password.txt \ - -z noise.bin \ - -k rsa \ - -g 2048 \ - -Z SHA256 \ - -s "CN=pki.pki-demo.svc,O=EXAMPLE" \ - --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \ - --extKeyUsage serverAuth \ - -o sslserver.csr.der -$ openssl req -inform der -in sslserver.csr.der -out sslserver.csr -- -Get the SKID and OCSP URL from the CA signing certificate: - -
-$ pki-server cert-export ca_signing --cert-file ca_signing.crt -$ openssl x509 -text -noout -in ca_signing.crt -$ SKID=0x`openssl x509 -text -noout -in ca_signing.crt | grep "keyid:" | sed -e 's/ *keyid://g' -e 's/://g'` -$ OCSP=http://pki.pki-demo.svc:8080/ca/ocsp -- -Issue a new certificate for the SSL server certificate: - -
-$ echo -e "y\n${SKID}\n\n\nn\n2\n7\n${OCSP}\n\n\n\n" | \ - certutil -C \ - -d . \ - -f password.txt \ - -m $RANDOM \ - -a \ - -i sslserver.csr \ - -o sslserver.crt \ - -c "ca_signing" \ - -v 12 \ - -3 \ - --extAIA \ - --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \ - --extKeyUsage serverAuth -- -Replace the server certificate: - -
-$ certutil -F -d . -f password.txt -n "sslserver" -$ certutil -A -d . -f password.txt -n "sslserver" -i sslserver.crt -t ",," -- -= Restarting PKI Application = - -
-$ oc scale dc pki --replicas=0 -$ sleep 10 -$ oc scale dc pki --replicas=1 -- -= Creating PKI Service = - -Prepare a configuration file (e.g. pki-svc.yaml): - -
-apiVersion: v1 -kind: Service -metadata: - labels: - app: pki - name: pki -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - - name: 8443-tcp - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: pki - deploymentconfig: pki - sessionAffinity: None - type: ClusterIP -- -Then execute the following command: - -
-$ oc create -f pki-svc.yaml -- -= Creating DNS Record = - -Create a CNAME record for the public hostname (e.g. pki.demo.dogtagpki.org) pointing to the router's canonical hostname provided by OpenShift. - -= Creating PKI Route = - -Prepare a configuration file (e.g. pki-route.yaml): - -
-apiVersion: v1 -kind: Route -metadata: - labels: - app: pki - name: pki -spec: - host: pki.demo.dogtagpki.org - port: - targetPort: 8080-tcp - to: - kind: Service - name: pki - weight: 100 - wildcardPolicy: None -- -Then execute the following command: - -
-$ oc create -f pki-route.yaml -- -= Generating External SSL Certificate = - -Run the following command to request a certificate from Let's Encrypt: - -
-$ certbot certonly --manual -d pki.demo.dogtagpki.org --register-unsafely-without-email -- -Create the ACME response: - -
-$ oc rsh- -Create an unsecure HTTP route for port 8080 of the PKI CA service, then complete the ACME validation. -The results will be stored in: - -* certificate: /etc/letsencrypt/live/pki.demo.dogtagpki.org/fullchain.pem -* key: /etc/letsencrypt/live/pki.demo.dogtagpki.org/privkey.pem - -= Installing External SSL Certificate = - -Remove the current route: - -mkdir -p /var/lib/pki/pki-tomcat/webapps/.well-known/acme-challenge -$ oc rsync acme-challenge/ :/var/lib/pki/pki-tomcat/webapps/.well-known/acme-challenge -
-$ oc delete routes/pki -- -Prepare a configuration file (e.g. pki-route-secure.yaml): - -
-apiVersion: v1 -kind: Route -metadata: - labels: - app: pki - name: pki -spec: - host: pki.demo.dogtagpki.org - port: - targetPort: 8443-tcp - tls: - caCertificate: |- - -----BEGIN CERTIFICATE----- - ... - -----END CERTIFICATE----- - certificate: |- - -----BEGIN CERTIFICATE----- - ... - -----END CERTIFICATE----- - destinationCACertificate: |- - -----BEGIN CERTIFICATE----- - ... - -----END CERTIFICATE----- - insecureEdgeTerminationPolicy: Redirect - key: |- - -----BEGIN PRIVATE KEY----- - ... - -----END PRIVATE KEY----- - termination: reencrypt - to: - kind: Service - name: pki - weight: 100 - wildcardPolicy: None -- -Then execute the following command: - -
-$ oc create -f pki-route-secure.yaml -- -To validate, open https://pki.demo.dogtagpki.org with a browser. - -= Updating Container Image = - -If newer container image is available, it can be deployed with the following command: - -
-$ oc import-image- -= See Also = - -* [[PKI CA Container]] -* [https://blog.openshift.com/jupyter-on-openshift-part-6-running-as-an-assigned-user-id/ Running as an Assigned User ID] -* [https://github.com/dogtagpki/pki/wiki/PKI-ACME-Responder-on-OpenShift PKI ACME Responder on OpenShift] -* [[Fedora OpenShift]] -* [[DS OpenShift]] -* [https://github.com/dogtagpki/pki/wiki/Certbot Certbot] \ No newline at end of file +This page has been moved to https://github.com/dogtagpki/pki/wiki/PKI-CA-OpenShift. \ No newline at end of file/ca -