Rework the generation of certificates, in order to make use of
the SubjectAltName (SAN) extension, that is required for modern
usage of TLS (see RFC 2818, or [1]) and now enforced by default
for go version 1.15[2] (Fedora 33). For this a different config
file is used, originally written by Lars, and assign SANs to
the server and client certificates. Additionally, the correct
extensions are used for each of those, so that their usage is
limited to the server or client use case. The client certificate
is renamed from "worker" to "client".
The lifetime of the certificates is increased, as a side effect of
the new config file.
[1] https://github.com/urllib3/urllib3/issues/497
[2] https://golang.org/doc/go1.15#commonname
Co-authored-by: Lars Karlitski <lars@karlitski.net>
Upstream composer has introduce a few changes that we need to
adapt for:
- the koji composer API is now exposed on the standard https
port (443). Thus koji hub and web need to move to a different
pair: 8080 (http) and 4343 (https). Change the scripts and
tests for that
- the koji API gained a prefix 'api/composer-koji/v1/'. Change
client and unit tests to use that prefix. Use urljoin to
create new APIs
- composer configuration format (osbuild-composer.toml) has
changed and now also includes configuration for the CA
and allowed domains
- update the composer RPM repositories to the commit for the
21 upstream release.
Check that passing `--cert` as a command line option works, for
this we use real working certificates because this will actually
be parsed by requests.
This script is intended to be called between "run-koji-container"
and "run-builder". It will copy the kerberos keytabs out of the
temporary directory generated by "run-koji-container" as well as
copying the SSL/TLS certificates from host to the share dir so
that the plugin ca use it to authenticate itself to composer.
This will create the a certificate authority (CA) and then create
a cert for composer and another one for the worker. The worker
one can also be used by the koji plugin.
The configuration file is needed to get subjectAltName working.
