Clean up container startup scripts

dogtagpki · Jun 21, 2024 · c8d820f · c8d820f
1 parent d4f0105
commit c8d820f
Show file tree

Hide file tree

Showing 5 changed files with 363 additions and 331 deletions.
diff --git a/base/ca/bin/pki-ca-run b/base/ca/bin/pki-ca-run
@@ -36,38 +36,6 @@ find /logs -type d -exec chmod +rwx -- {} +
 
 echo "################################################################################"
 
-if [ -f /certs/ca_signing.csr ]
-then
-    echo "INFO: Importing CA signing CSR"
-    cp /certs/ca_signing.csr /conf/certs/ca_signing.csr
-fi
-
-if [ -f /certs/ca_ocsp_signing.csr ]
-then
-    echo "INFO: Importing OCSP signing CSR"
-    cp /certs/ca_ocsp_signing.csr /conf/certs/ca_ocsp_signing.csr
-fi
-
-if [ -f /certs/ca_audit_signing.csr ]
-then
-    echo "INFO: Importing audit signing CSR"
-    cp /certs/ca_audit_signing.csr /conf/certs/ca_audit_signing.csr
-fi
-
-if [ -f /certs/subsystem.csr ]
-then
-    echo "INFO: Importing subsystem CSR"
-    cp /certs/subsystem.csr /conf/certs/subsystem.csr
-fi
-
-if [ -f /certs/sslserver.csr ]
-then
-    echo "INFO: Importing SSL server CSR"
-    cp /certs/sslserver.csr /conf/certs/sslserver.csr
-fi
-
-echo "################################################################################"
-
 if [ -f /certs/server.p12 ]
 then
     echo "INFO: Importing server certs and keys"
@@ -82,6 +50,12 @@ fi
 
 echo "################################################################################"
 
+if [ -f /certs/ca_signing.csr ]
+then
+    echo "INFO: Importing CA signing CSR"
+    cp /certs/ca_signing.csr /conf/certs/ca_signing.csr
+fi
+
 # check whether CA signing cert exists
 rc=0
 pki \
@@ -132,6 +106,12 @@ pki \
 
 echo "################################################################################"
 
+if [ -f /certs/ca_ocsp_signing.csr ]
+then
+    echo "INFO: Importing OCSP signing CSR"
+    cp /certs/ca_ocsp_signing.csr /conf/certs/ca_ocsp_signing.csr
+fi
+
 # check whether OCSP signing cert exists
 rc=0
 pki \
@@ -180,6 +160,12 @@ pki \
 
 echo "################################################################################"
 
+if [ -f /certs/ca_audit_signing.csr ]
+then
+    echo "INFO: Importing audit signing CSR"
+    cp /certs/ca_audit_signing.csr /conf/certs/ca_audit_signing.csr
+fi
+
 # check whether audit signing cert exists
 rc=0
 pki \
@@ -229,6 +215,12 @@ pki \
 
 echo "################################################################################"
 
+if [ -f /certs/subsystem.csr ]
+then
+    echo "INFO: Importing subsystem CSR"
+    cp /certs/subsystem.csr /conf/certs/subsystem.csr
+fi
+
 # check whether subsystem cert exists
 rc=0
 pki \
@@ -276,6 +268,12 @@ pki \
 
 echo "################################################################################"
 
+if [ -f /certs/sslserver.csr ]
+then
+    echo "INFO: Importing SSL server CSR"
+    cp /certs/sslserver.csr /conf/certs/sslserver.csr
+fi
+
 # check whether SSL server cert exists
 rc=0
 pki \
@@ -323,43 +321,54 @@ pki \
     "$PKI_SSLSERVER_NICKNAME"
 
 echo "################################################################################"
-echo "INFO: Creating PKI CA"
-
-# Create CA with existing certs and keys, with existing database,
-# with existing database user, with RSNv3, without security manager,
-# and without systemd service.
-pkispawn \
-    --conf /conf \
-    --logs /logs \
-    -f /usr/share/pki/server/examples/installation/ca.cfg \
-    -s CA \
-    -D pki_group=root \
-    -D pki_ds_url=$PKI_DS_URL \
-    -D pki_ds_password=$PKI_DS_PASSWORD \
-    -D pki_ds_database=userroot \
-    -D pki_ds_setup=False \
-    -D pki_skip_ds_verify=True \
-    -D pki_share_db=True \
-    -D pki_import_system_certs=False \
-    -D pki_ca_signing_nickname="$PKI_CA_SIGNING_NICKNAME" \
-    -D pki_ca_signing_csr_path=/conf/certs/ca_signing.csr \
-    -D pki_ocsp_signing_nickname="$PKI_OCSP_SIGNING_NICKNAME" \
-    -D pki_ocsp_signing_csr_path=/conf/certs/ca_ocsp_signing.csr \
-    -D pki_audit_signing_nickname="$PKI_AUDIT_SIGNING_NICKNAME" \
-    -D pki_audit_signing_csr_path=/conf/certs/ca_audit_signing.csr \
-    -D pki_subsystem_nickname="$PKI_SUBSYSTEM_NICKNAME" \
-    -D pki_subsystem_csr_path=/conf/certs/subsystem.csr \
-    -D pki_sslserver_nickname="$PKI_SSLSERVER_NICKNAME" \
-    -D pki_sslserver_csr_path=/conf/certs/sslserver.csr \
-    -D pki_admin_setup=False \
-    -D pki_security_domain_setup=False \
-    -D pki_security_manager=False \
-    -D pki_systemd_service_create=False \
-    -D pki_registry_enable=False \
-    -v
+echo "INFO: Creating CA server"
+
+OPTIONS=()
+
+OPTIONS+=(--conf /conf)
+OPTIONS+=(--logs /logs)
+
+OPTIONS+=(-f /usr/share/pki/server/examples/installation/ca.cfg)
+OPTIONS+=(-s CA)
+
+OPTIONS+=(-D pki_group=root)
+
+OPTIONS+=(-D pki_ds_url=$PKI_DS_URL)
+OPTIONS+=(-D pki_ds_password=$PKI_DS_PASSWORD)
+OPTIONS+=(-D pki_ds_database=userroot)
+OPTIONS+=(-D pki_ds_setup=False)
+OPTIONS+=(-D pki_skip_ds_verify=True)
+OPTIONS+=(-D pki_share_db=True)
+
+OPTIONS+=(-D pki_import_system_certs=False)
+
+OPTIONS+=(-D pki_ca_signing_nickname="$PKI_CA_SIGNING_NICKNAME")
+OPTIONS+=(-D pki_ca_signing_csr_path=/conf/certs/ca_signing.csr)
+
+OPTIONS+=(-D pki_ocsp_signing_nickname="$PKI_OCSP_SIGNING_NICKNAME")
+OPTIONS+=(-D pki_ocsp_signing_csr_path=/conf/certs/ca_ocsp_signing.csr)
+
+OPTIONS+=(-D pki_audit_signing_nickname="$PKI_AUDIT_SIGNING_NICKNAME")
+OPTIONS+=(-D pki_audit_signing_csr_path=/conf/certs/ca_audit_signing.csr)
+
+OPTIONS+=(-D pki_subsystem_nickname="$PKI_SUBSYSTEM_NICKNAME")
+OPTIONS+=(-D pki_subsystem_csr_path=/conf/certs/subsystem.csr)
+
+OPTIONS+=(-D pki_sslserver_nickname="$PKI_SSLSERVER_NICKNAME")
+OPTIONS+=(-D pki_sslserver_csr_path=/conf/certs/sslserver.csr)
+
+OPTIONS+=(-D pki_admin_setup=False)
+OPTIONS+=(-D pki_security_domain_setup=False)
+OPTIONS+=(-D pki_security_manager=False)
+OPTIONS+=(-D pki_systemd_service_create=False)
+OPTIONS+=(-D pki_registry_enable=False)
+
+OPTIONS+=(-v)
+
+pkispawn "${OPTIONS[@]}"
 
 echo "################################################################################"
-echo "INFO: Configuring PKI CA"
+echo "INFO: Configuring CA server"
 
 pki-server ca-config-set internaldb.minConns 0
 pki-server ca-config-set ca.authorityMonitor.enable false
@@ -388,7 +397,7 @@ rm /tmp/subsystem.crt
 rm /tmp/sslserver.crt
 
 echo "################################################################################"
-echo "INFO: Starting PKI CA"
+echo "INFO: Starting CA server"
 
 if [ "$UID" = "0" ]; then
     # In Docker the server runs as root user but it will switch