Remove redundant files in containers #4772

Merged
merged 1 commit into from
Jun 10, 2024
Merged
9 changes: 8 additions & 1 deletion .github/workflows/acme-container-test.yml
Expand Up @@ -159,9 +159,16 @@ jobs:
- name: Install CA signing cert
run: |
docker exec acme pki \
-d /conf/alias \
-f /conf/password.conf \
nss-cert-export \
--output-file /conf/certs/ca_signing.crt \
ca_signing
docker exec client pki \
nss-cert-import \
--cert $SHARED/certs/ca_signing.crt \
--cert $SHARED/conf/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing
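Review bot: The `Install CA signing cert` step now does two things, an export from the ACME container's NSS database and an import into the client with CA trust, but nothing in the step says why the export is needed. A short comment before each command, in the lowercase `# ...` style the other workflows already use, would make this clear: `# export CA signing cert from the ACME NSS database` before `docker exec acme pki` and `# import it into the client NSS database as a trusted CA` before `docker exec client pki`. That `/conf` in the container and `$SHARED/conf` in the client are the same directory is inferred from the two paths; once confirmed, it is worth stating in the comment.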
63 changes: 48 additions & 15 deletions .github/workflows/ca-container-basic-test.yml
Expand Up @@ -162,8 +162,12 @@ jobs:
- name: Check CA info
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec client pki nss-cert-import \
--cert $SHARED/certs/ca_signing.crt \
--cert $SHARED/conf/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing
Expand Down Expand Up @@ -192,73 +196,97 @@ jobs:
- name: Import CA signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ca_signing.csr \
--csr /conf/certs/ca_signing.csr \
--profile /usr/share/pki/ca/conf/caCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ca_signing.crt \
--cert /conf/certs/ca_signing.crt \
--profile /usr/share/pki/ca/conf/caCert.profile \
--request $REQUEST_ID
- name: Import CA OCSP signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ocsp_signing.crt \
ca_ocsp_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ocsp_signing.csr \
--csr /conf/certs/ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ocsp_signing.crt \
--cert /conf/certs/ocsp_signing.crt \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
--request $REQUEST_ID
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/audit_signing.csr \
--csr /conf/certs/audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/audit_signing.crt \
--cert /conf/certs/audit_signing.crt \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
--request $REQUEST_ID
- name: Import subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/subsystem.crt \
subsystem
docker exec ca pki-server ca-cert-request-import \
--csr /certs/subsystem.csr \
--csr /conf/certs/subsystem.csr \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/subsystem.crt \
--cert /conf/certs/subsystem.crt \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
--request $REQUEST_ID
- name: Import SSL server cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/sslserver.crt \
sslserver
docker exec ca pki-server ca-cert-request-import \
--csr /certs/sslserver.csr \
--csr /conf/certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/sslserver.crt \
--cert /conf/certs/sslserver.crt \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
--request $REQUEST_ID
- name: Import admin cert into CA database
run: |
docker exec ca pki nss-cert-export \
--output-file /conf/certs/admin.crt \
admin
docker exec ca pki-server ca-cert-request-import \
--csr /certs/admin.csr \
--csr /conf/certs/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--request $REQUEST_ID
Expand All @@ -279,7 +307,7 @@ jobs:
# assign admin cert to CA admin user
docker exec ca pki-server ca-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
# add CA admin user into CA groups
Expand All @@ -288,8 +316,13 @@ jobs:
- name: Check CA admin user
run: |
docker exec ca pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec client pki pkcs12-import \
--pkcs12 $SHARED/certs/admin.p12 \
--pkcs12 $SHARED/conf/certs/admin.p12 \
--pkcs12-password Secret.123
docker exec client pki \
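Review bot: The new `pki pkcs12-export` in `Check CA admin user` writes the admin certificate and private key to `/conf/certs/admin.p12`, protected only by the literal `Secret.123` passed on the command line. The same added command appears in ca-container-system-service-test.yml (`Check CA admin user`) and kra-container-test.yml (`Install admin cert`). Since `/conf` appears to be shared with the client container, the key file outlives the step; where no later step needs it, removing it after the import with `docker exec ca rm -f /conf/certs/admin.p12` keeps it out of anything collected from that directory afterwards. A comment such as `# fixed test-only password, never reuse outside CI` beside the export would keep the pattern from being copied into a real deployment. The step continues past the end of this hunk.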
22 changes: 19 additions & 3 deletions .github/workflows/ca-container-system-service-test.yml
Expand Up @@ -217,8 +217,13 @@ jobs:
- name: Check CA info
run: |
docker exec pki podman exec systemd-pki-ca \
pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec pki pki nss-cert-import \
--cert /home/pkiuser/certs/ca_signing.crt \
--cert /home/pkiuser/conf/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing
Expand Down Expand Up @@ -248,10 +253,15 @@ jobs:
--type adminType \
admin
docker exec pki podman exec systemd-pki-ca \
pki nss-cert-export \
--output-file /conf/certs/admin.crt \
admin
# assign admin cert to CA admin user
docker exec pki podman exec systemd-pki-ca \
pki-server ca-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
# add CA admin user into CA groups
Expand All @@ -262,8 +272,14 @@ jobs:
- name: Check CA admin user
run: |
docker exec pki podman exec systemd-pki-ca \
pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec pki pki pkcs12-import \
--pkcs12 /home/pkiuser/certs/admin.p12 \
--pkcs12 /home/pkiuser/conf/certs/admin.p12 \
--password Secret.123
docker exec pki pki \
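Review bot: The added exports run inside the nested `systemd-pki-ca` container and write to `/conf/certs`, while the commands that follow read the same files from `/home/pkiuser/conf/certs` in the outer `pki` container, and none of the three hunks states that these are one directory. A one-line comment at the first export in `Check CA info`, for instance `# /conf in systemd-pki-ca is /home/pkiuser/conf in the pki container`, would document the mapping. The mapping is inferred from the paths here and should be confirmed against the volume definition. Because the files are created by the inner container's user, it is also worth confirming that `admin.p12` ends up readable only by the account that imports it.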
69 changes: 49 additions & 20 deletions .github/workflows/kra-container-test.yml
Expand Up @@ -98,73 +98,97 @@ jobs:
- name: Import CA signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ca_signing.csr \
--csr /conf/certs/ca_signing.csr \
--profile /usr/share/pki/ca/conf/caCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ca_signing.crt \
--cert /conf/certs/ca_signing.crt \
--profile /usr/share/pki/ca/conf/caCert.profile \
--request $REQUEST_ID
- name: Import CA OCSP signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ocsp_signing.crt \
ca_ocsp_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ocsp_signing.csr \
--csr /conf/certs/ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ocsp_signing.crt \
--cert /conf/certs/ocsp_signing.crt \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
--request $REQUEST_ID
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/audit_signing.csr \
--csr /conf/certs/audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/audit_signing.crt \
--cert /conf/certs/audit_signing.crt \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
--request $REQUEST_ID
- name: Import CA subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/subsystem.crt \
subsystem
docker exec ca pki-server ca-cert-request-import \
--csr /certs/subsystem.csr \
--csr /conf/certs/subsystem.csr \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/subsystem.crt \
--cert /conf/certs/subsystem.crt \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
--request $REQUEST_ID
- name: Import SSL server cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/sslserver.crt \
sslserver
docker exec ca pki-server ca-cert-request-import \
--csr /certs/sslserver.csr \
--csr /conf/certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/sslserver.crt \
--cert /conf/certs/sslserver.crt \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
--request $REQUEST_ID
- name: Import admin cert into CA database
run: |
docker exec ca pki nss-cert-export \
--output-file /conf/certs/admin.crt \
admin
docker exec ca pki-server ca-cert-request-import \
--csr /certs/admin.csr \
--csr /conf/certs/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--request $REQUEST_ID
Expand All @@ -179,7 +203,7 @@ jobs:
- name: Assign admin cert to CA admin user
run: |
docker exec ca pki-server ca-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
- name: Add admin user into CA groups
Expand All @@ -189,8 +213,13 @@ jobs:
- name: Install admin cert
run: |
docker exec ca pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec client pki pkcs12-import \
--pkcs12 $SHARED/ca/certs/admin.p12 \
--pkcs12 $SHARED/ca/conf/certs/admin.p12 \
--password Secret.123
docker exec client pki \
Expand Down Expand Up @@ -293,7 +322,7 @@ jobs:
- name: Prepare KRA certs and keys
run: |
# export CA signing cert
docker exec client cp $SHARED/ca/certs/ca_signing.crt $SHARED/kra/certs
docker exec client cp $SHARED/ca/conf/certs/ca_signing.crt $SHARED/kra/certs
docker exec client pki nss-cert-find
Expand All @@ -312,7 +341,7 @@ jobs:
--password Secret.123 \
# export admin cert and key
docker exec client cp $SHARED/ca/certs/admin.p12 $SHARED/kra/certs
docker exec client cp $SHARED/ca/conf/certs/admin.p12 $SHARED/kra/certs
docker exec client pki pkcs12-cert-find \
--pkcs12 $SHARED/kra/certs/admin.p12 \
Expand Down Expand Up @@ -463,8 +492,9 @@ jobs:
- name: Assign admin cert to KRA admin user
run: |
cp ca/conf/certs/admin.crt kra/conf/certs/admin.crt
docker exec kra pki-server kra-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
- name: Add KRA admin user into KRA groups
Expand All @@ -490,10 +520,9 @@ jobs:
- name: Assign CA subsystem cert to CA subsystem user
run: |
docker cp ca/certs/subsystem.crt kra:ca_subsystem.crt
docker exec kra ls -la
cp ca/conf/certs/subsystem.crt kra/conf/certs/ca_subsystem.crt
docker exec kra pki-server kra-user-cert-add \
--cert ca_subsystem.crt \
--cert /conf/certs/ca_subsystem.crt \
CA-ca.example.com-8443
- name: Assign roles to CA subsystem user
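Review bot: The two added host-side copies use paths relative to the runner's working directory, whereas `Prepare KRA certs and keys` in the same file copies through the client container with `$SHARED/...` paths. They are `cp ca/conf/certs/admin.crt kra/conf/certs/admin.crt` in `Assign admin cert to KRA admin user` and `cp ca/conf/certs/subsystem.crt kra/conf/certs/ca_subsystem.crt` in `Assign CA subsystem cert to CA subsystem user`. The host-side form depends on the runner account being able to read files created by the CA container and write into a directory the KRA container uses, and neither permission is visible in these hunks. Using one mechanism throughout, for example `docker exec client cp $SHARED/ca/conf/certs/admin.crt $SHARED/kra/conf/certs/admin.crt`, would remove that dependency, assuming `$SHARED` is the same directory as seen from the client.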