test/koji: use the same X.509 generation logic as for other purposes

There's no reason to have 2 CAs and 2 places where we generate certificates, this commit merges them together.
2020-11-02 13:37:22 +01:00 · 2020-11-02 13:37:22 +01:00 · 3583399f4e
commit 3583399f4e
parent 765f599753
3 changed files with 20 additions and 9 deletions
--- a/test/cases/koji.sh
+++ b/test/cases/koji.sh
@ -46,10 +46,10 @@ sudo cp \
    "${OSBUILD_COMPOSER_TEST_DATA}"/kerberos/krb5-local.conf \
    /etc/krb5.conf.d/local

-greenprint "Adding generated CA cert for Koji"
+greenprint "Adding the testsuite's CA cert to the system trust store"
 sudo cp \
-    /tmp/osbuild-composer-koji-test/ca-crt.pem \
-    /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
+    /etc/osbuild-composer/ca-crt.pem \
+    /etc/pki/ca-trust/source/anchors/osbuild-composer-tests-ca-crt.pem
 sudo update-ca-trust

 greenprint "Restarting composer to pick up new config"
@ -77,5 +77,5 @@ sudo /usr/libexec/osbuild-composer-test/run-koji-container.sh stop

 greenprint "Removing generated CA cert"
 sudo rm \
-    /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
+    /etc/pki/ca-trust/source/anchors/osbuild-composer-tests-ca-crt.pem
 sudo update-ca-trust
--- a/tools/provision.sh
+++ b/tools/provision.sh
@ -80,6 +80,19 @@ pushd $CADIR
    # Client keys are used by tests to access the composer APIs. Allow all users access.
    sudo chmod 644 "$CERTDIR"/client-key.pem

+    # Generate a kojihub certificate.
+    sudo openssl req -config $OPENSSL_CONFIG \
+        -keyout "$CERTDIR"/kojihub-key.pem \
+        -new -nodes \
+        -out /tmp/kojihub-csr.pem \
+        -subj "/CN=localhost/emailAddress=osbuild@example.com" \
+        -addext "subjectAltName=DNS:localhost"
+
+    sudo openssl ca -batch -config $OPENSSL_CONFIG \
+        -extensions osbuild_server_ext \
+        -in /tmp/kojihub-csr.pem \
+        -out "$CERTDIR"/kojihub-crt.pem
+
 popd

 sudo systemctl start osbuild-remote-worker.socket
--- a/tools/run-koji-container.sh
+++ b/tools/run-koji-container.sh
@ -47,11 +47,9 @@ koji_start() {
  # create a share directory which is used to share files between the host and containers
  mkdir "${SHARE_DIR}"

-  # generate self-signed certificates in the share directory
-  openssl req -new -nodes -x509 -days 365 -keyout "${SHARE_DIR}/ca-key.pem" -out "${SHARE_DIR}/ca-crt.pem" -subj "/CN=osbuild.org"
-  openssl genrsa -out "${SHARE_DIR}/key.pem" 2048
-  openssl req -new -sha256 -key "${SHARE_DIR}/key.pem"	-out "${SHARE_DIR}/csr.pem" -subj "/CN=localhost"
-  openssl x509 -req -in "${SHARE_DIR}/csr.pem"  -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt.pem"
+  cp /etc/osbuild-composer/kojihub-key.pem "${SHARE_DIR}/key.pem"
+  cp /etc/osbuild-composer/kojihub-crt.pem "${SHARE_DIR}/crt.pem"
+  cp /etc/osbuild-composer/ca-crt.pem "${SHARE_DIR}/ca-crt.pem"

  ${CONTAINER_RUNTIME} network create org.osbuild.koji