Add est to pkispawn #4844
Add est to pkispawn #4844
Conversation
fmarco76
force-pushed
the
EST_pkispawn
branch
from
f61256e
to
dfb98e1
Compare
|
I noticed that there are some database changes. I think we should provide a database upgrade procedure for someone who already has a CA from an older PKI version then upgrades to the new PKI version to add EST into their system. |
|
About the |
Actually, this path is not needed, it could be inside I have added a first CI test for this deployment but there are many items not working and requiring some thinking before to move on with this PR. |
fmarco76
force-pushed
the
EST_pkispawn
branch
9 times, most recently
from
1e5944c
to
e01ae7b
Compare
fmarco76
force-pushed
the
EST_pkispawn
branch
7 times, most recently
from
a8ec1a7
to
2af054b
Compare
|
@edewata after a lot of effort to make it works like other subsystem I gave up and make it more like |
There was a problem hiding this comment.
In general it looks good, but there is a change that broke one of the ACME tests, and I also have some minor comments. Feel free to update & merge.
Just FYI, I'm working on adding support for ACME removal using pkidestroy. I suppose EST removal will be similar.
| if: always() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ca-basic |
There was a problem hiding this comment.
The artifacts name should match the test name to prevent conflicts and to make it easier to find, but gathering and uploading the artifacts is actually optional since the previous steps are already displaying the important logs so feel free to remove it if you want.
base/server/etc/default.cfg
Outdated
| acme_realm_bind_password | ||
| acme_realm_password | ||
| est_realm_bind_password | ||
| est_realm_password | ||
| est_ca_password |
There was a problem hiding this comment.
I think we need to keep the acme_* params here since they are still used in configure_acme_realm(). If we want to merge the realm params for ACME & EST we probably should use something like pki_realm_* or maybe just realm_*.
There was a problem hiding this comment.
This is a mistake moving between different implementations. Thanks!
| @@ -5376,15 +5376,135 @@ def spawn_acme(self): | |||
|
|
|||
| self.deploy_acme_webapp(subsystem) | |||
|
|
|||
| def create_est_subsystem(self): | |||
| ''' | |||
| See also pki-server acme-create. | |||
There was a problem hiding this comment.
Should be pki-server est-create.
base/est/shared/authorizer.conf
Outdated
| @@ -0,0 +1,2 @@ | |||
| class=org.dogtagpki.est.ExternalProcessRequestAuthorizer | |||
| executable=/usr/local/libexec/estauthz | |||
base/server/etc/default.cfg
Outdated
| est_realm_users_dn=ou=people,dc=est,dc=pki,dc=example,dc=com | ||
| est_realm_groups_dn=ou=groups,dc=est,dc=pki,dc=example,dc=com | ||
| est_realm_statements=/usr/share/pki/est/conf/realm/statements.conf | ||
| est_authorizer_exec_path=/usr/libexec/estauthz |
There was a problem hiding this comment.
The path in authorizer.conf is different.
BTW, the estauthz script looks more like a sample script instead of a general purpose tool. Would it be better to install it somewhere under /usr/share/pki/est instead of /usr/libexec?
There was a problem hiding this comment.
Moved the script to /usr/share/pki/est/bin/estauthz and update all the references.
|
|
||
| else: | ||
| # otherwise, deploy the subsystem and wait until it starts | ||
| subsystem.enable( | ||
| wait=True, | ||
| max_wait=self.startup_timeout, | ||
| timeout=self.request_timeout) |
There was a problem hiding this comment.
The self.instance.start() in the original code is actually needed by spawn_acme() to start the instance in case ACME is the only subsystem on the server. See the test for ACME on separate instance (it's currently failing). EST probably needs a similar code too later.
fmarco76
force-pushed
the
EST_pkispawn
branch
2 times, most recently
from
2f46def
to
3c77764
Compare
EST deployment is included in pkispwn. The installation does not perform all the steps done for CA and other subsystems so there is no security domain management and user administration. During the installation there is no DS or other DBs connection which has to be performed by the user before or after the installation.
fmarco76
force-pushed
the
EST_pkispawn
branch
from
3c77764
to
85a9a9a
Compare
|
|
@edewata Thanks! |
|
Yeah, rpminspect is a new but unrelated issue. |
This initial commit add est configuration for deployment in instance with existing CA.
Actually, several step are just skipped which could be required like creating initial users, reporting the status, etc....
The final installation is compliant with the page: https://github.com/dogtagpki/pki/blob/master/docs/installation/est/Installing_EST.md