particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-forge-composer/tools/provision.sh
Ondřej Budai 3583399f4e test/koji: use the same X.509 generation logic as for other purposes 
There's no reason to have 2 CAs and 2 places where we generate certificates,
this commit merges them together.
2020-11-05 13:48:48 +01:00

113 lines
3.9 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
set -euxo pipefail
sudo mkdir -p /etc/osbuild-composer
sudo cp -a /usr/share/tests/osbuild-composer/composer/*.toml \
/etc/osbuild-composer/
# Copy Fedora rpmrepo snapshots for use in weldr tests. RHEL's are usually more
# stable, and not available publically from rpmrepo.
sudo mkdir -p /etc/osbuild-composer/repositories
sudo cp -a /usr/share/tests/osbuild-composer/repositories/fedora-*.json \
/etc/osbuild-composer/repositories/
# Generate all X.509 certificates for the tests
# The whole generation is done in a $CADIR to better represent how osbuild-ca
# it.
CERTDIR=/etc/osbuild-composer
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
CADIR=/etc/osbuild-composer-test/ca
# The $CADIR might exist from a previous test (current Schutzbot's imperfection)
sudo rm -rf $CADIR || true
sudo mkdir -p $CADIR
pushd $CADIR
sudo mkdir certs private
sudo touch index.txt
# Generate a CA.
sudo openssl req -config $OPENSSL_CONFIG \
-keyout private/ca.key.pem \
-new -nodes -x509 -extensions osbuild_ca_ext \
-out ca.cert.pem -subj "/CN=osbuild.org"
# Copy the private key to the location expected by the tests
sudo cp ca.cert.pem "$CERTDIR"/ca-crt.pem
# Generate a composer certificate.
sudo openssl req -config $OPENSSL_CONFIG \
-keyout "$CERTDIR"/composer-key.pem \
-new -nodes \
-out /tmp/composer-csr.pem \
-subj "/CN=localhost/emailAddress=osbuild@example.com" \
-addext "subjectAltName=DNS:localhost"
sudo openssl ca -batch -config $OPENSSL_CONFIG \
-extensions osbuild_server_ext \
-in /tmp/composer-csr.pem \
-out "$CERTDIR"/composer-crt.pem
sudo chown _osbuild-composer "$CERTDIR"/composer-*.pem
# Generate a worker certificate.
sudo openssl req -config $OPENSSL_CONFIG \
-keyout "$CERTDIR"/worker-key.pem \
-new -nodes \
-out /tmp/worker-csr.pem \
-subj "/CN=localhost/emailAddress=osbuild@example.com" \
-addext "subjectAltName=DNS:localhost"
sudo openssl ca -batch -config $OPENSSL_CONFIG \
-extensions osbuild_client_ext \
-in /tmp/worker-csr.pem \
-out "$CERTDIR"/worker-crt.pem
# Generate a client certificate.
sudo openssl req -config $OPENSSL_CONFIG \
-keyout "$CERTDIR"/client-key.pem \
-new -nodes \
-out /tmp/client-csr.pem \
-subj "/CN=client.osbuild.org/emailAddress=osbuild@example.com" \
-addext "subjectAltName=DNS:client.osbuild.org"
sudo openssl ca -batch -config $OPENSSL_CONFIG \
-extensions osbuild_client_ext \
-in /tmp/client-csr.pem \
-out "$CERTDIR"/client-crt.pem
# Client keys are used by tests to access the composer APIs. Allow all users access.
sudo chmod 644 "$CERTDIR"/client-key.pem
# Generate a kojihub certificate.
sudo openssl req -config $OPENSSL_CONFIG \
-keyout "$CERTDIR"/kojihub-key.pem \
-new -nodes \
-out /tmp/kojihub-csr.pem \
-subj "/CN=localhost/emailAddress=osbuild@example.com" \
-addext "subjectAltName=DNS:localhost"
sudo openssl ca -batch -config $OPENSSL_CONFIG \
-extensions osbuild_server_ext \
-in /tmp/kojihub-csr.pem \
-out "$CERTDIR"/kojihub-crt.pem
popd
sudo systemctl start osbuild-remote-worker.socket
sudo systemctl start osbuild-composer.socket
sudo systemctl start osbuild-composer-api.socket
# The keys were regenerated but osbuild-composer might be already running.
# Let's try to restart it. In ideal world, this shouldn't be needed as every
# test case is supposed to run on a pristine machine. However, this is
# currently not true on Schutzbot
sudo systemctl try-restart osbuild-composer
# Basic verification
sudo composer-cli status show
sudo composer-cli sources list
for SOURCE in $(sudo composer-cli sources list); do
sudo composer-cli sources info "$SOURCE"
done
Reference in a new issue View git blame Copy permalink