From 53de9b32c182cfd8e010ac926ecc560f316fe1e6 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Sat, 5 Sep 2020 15:32:02 +0200
Subject: [PATCH] run-container: support connecting to koji via FQDN
Support connecting to koji via its fully qualified domain name, i.e. org.osbuild.koji.koji. For this an extra SSL certificate is needed, that has the FQDN as the subject, as well as a kerberos principal. NB: This needs to have a apache VirtualHost section for the FQDN that uses the new certificate as well.
---
 run-koji-container.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/run-koji-container.sh b/run-koji-container.sh
index c4060bd..920ead8 100755
--- a/run-koji-container.sh
+++ b/run-koji-container.sh
@@ -53,9 +53,15 @@ koji_start() {
 # generate self-signed certificates in the share directory
 openssl req -new -nodes -x509 -days 365 -keyout "${SHARE_DIR}/ca-key.pem" -out "${SHARE_DIR}/ca-crt.pem" -subj "/CN=osbuild.org"
 openssl genrsa -out "${SHARE_DIR}/key.pem" 2048
+
+ # certificate for "localhost" hostname
 openssl req -new -sha256 -key "${SHARE_DIR}/key.pem" -out "${SHARE_DIR}/csr.pem" -subj "/CN=localhost"
 openssl x509 -req -in "${SHARE_DIR}/csr.pem" -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt.pem"
+ # certificate for "org.osbuild.koji.koji" hostname
+ openssl req -new -sha256 -key "${SHARE_DIR}/key.pem" -out "${SHARE_DIR}/csr-fqdn.pem" -subj "/CN=org.osbuild.koji.koji"
+ openssl x509 -req -in "${SHARE_DIR}/csr-fqdn.pem" -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt-fqdn.pem"
+
 ${CONTAINER_RUNTIME} network create org.osbuild.koji
 ${CONTAINER_RUNTIME} run -d --name org.osbuild.koji.postgres --network org.osbuild.koji \
@@ -74,6 +80,8 @@ koji_start() {
 # initialize krb pricipals and create keytabs for them
 # HTTP/localhost@LOCAL for kojihub
+ kdc_exec kadmin.local -r LOCAL add_principal -randkey HTTP/org.osbuild.koji.koji@LOCAL
+ kdc_exec kadmin.local -r LOCAL ktadd -k /share/koji.keytab HTTP/org.osbuild.koji.koji@LOCAL
 kdc_exec kadmin.local -r LOCAL add_principal -randkey HTTP/localhost@LOCAL
 kdc_exec kadmin.local -r LOCAL ktadd -k /share/koji.keytab HTTP/localhost@LOCAL
 kdc_exec chmod 644 /share/koji.keytab
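Review bot: The context comment `# HTTP/localhost@LOCAL for kojihub` now sits directly above the two added kadmin.local lines, which create and export HTTP/org.osbuild.koji.koji@LOCAL rather than the localhost principal it names; change it to `# HTTP/localhost@LOCAL and HTTP/org.osbuild.koji.koji@LOCAL for kojihub, both in /share/koji.keytab` (and fix the typo `pricipals` in the line above while there). The added `ktadd` writes the new random key into the same keytab that the trailing `kdc_exec chmod 644 /share/koji.keytab` leaves world-readable; that is pre-existing and presumably acceptable for a throwaway dev KDC, but the new principal inherits the exposure, so a `# dev-only: keytab is intentionally world-readable` note next to the chmod would make the trade-off explicit. Like the existing pair, `add_principal` is not idempotent, so a re-run against an already-populated KDC database would now fail on the new principal first — whether that can happen depends on how the KDC container and its database are (re)created, which is outside this hunk. Separately, the matching crt-fqdn.pem generated earlier in koji_start() carries org.osbuild.koji.koji only in the subject CN with no subjectAltName, so TLS clients that ignore CN will still reject it; signing that CSR with an `-extfile` that sets `subjectAltName=DNS:org.osbuild.koji.koji` would close that gap. koji_start() begins before and continues after this hunk.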