feat: use a container for creating the CA and server certificate

Author: fstagni

docs/source/DeveloperGuide/DevelopmentEnvironment/DeveloperInstallation/stuffThatRun.rst

@@ -93,13 +93,9 @@ the private key. You will need two different sets certificates and the CA certif
 The following commands should do the trick for you, by creating a fake CA, a fake user certificate, and a fake host certificate::
 
    cd $DEVROOT/DIRAC
-   git checkout release/integration
-   source tests/Jenkins/utilities.sh
-   generateCA
-   generateCertificates 365
-   generateUserCredentials 365
+   docker run ghcr.io/diracgrid/diracx/certificates-generation:latest
    mkdir -p ~/.globus/
-   cp $DEVROOT/user/*.{pem,key} ~/.globus/
+   docker cp certificates-generation:/ca/certs/client.{pem,key} ~/.globus/
    mv ~/.globus/client.key ~/.globus/userkey.pem
    mv ~/.globus/client.pem ~/.globus/usercert.pem
 

tests/CI/docker-compose.yml

@@ -1,4 +1,6 @@
 volumes:
+  # Volume used to store the certificates of dirac
+  certs_data:
   # Volume used to store the config of diracx
   diracx-cs-store:
   # Volume used to store the pair of keys to sign the tokens
@@ -111,6 +113,15 @@ services:
       /entrypoint.sh
     pull_policy: always
 
+  dirac-init-certificates:
+    image: ghcr.io/diracgrid/management/certificates-generation:latest
+    container_name: dirac-init-certificates
+    volumes:
+      - certs_data:/ca/certs/
+    entrypoint: |
+      /entrypoint.sh
+    pull_policy: always
+
   dirac-server:
     image: ${CI_REGISTRY_IMAGE}/${HOST_OS}-dirac
     container_name: server
@@ -126,21 +137,24 @@ services:
         condition: service_started
       iam-login-service:
         condition: service_healthy
+      dirac-init-certificates:
+        condition: service_completed_successfully # Let the init container create the certificates
       diracx-init-key:
         condition: service_completed_successfully # Let the init container create the signing key
       diracx-init-cs:
         condition: service_completed_successfully # Let the init container create the cs
     ulimits:
       nofile: 8192
     volumes:
+      - certs_data:/ca/certs
       - diracx-cs-store:/cs_store
       - diracx-key-store:/signing-key
       - certs_data:/ca/certs
     environment:
       - DIRACX_CONFIG_BACKEND_URL=git+file:///cs_store/initialRepo
       - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
-    pull_policy: always
     command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
+    pull_policy: always
 
 
   dirac-client:
@@ -154,8 +168,10 @@ services:
       - certs_data:/ca/certs
     ulimits:
       nofile: 8192
-    pull_policy: always
+    volumes:
+      - certs_data:/ca/certs
     command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
+    pull_policy: always
 
   dirac-pilot:
     image: ${CI_REGISTRY_IMAGE}/${HOST_OS}-dirac
@@ -165,6 +181,7 @@ services:
     depends_on:
       - dirac-server
     volumes:
+      - certs_data:/ca/certs
       - type: bind
         source: ${CVMFS_DIR}
         target: /cvmfs

tests/Jenkins/config/ci/openssl_config_ca.cnf

@@ -90,10 +90,7 @@ source "${TESTCODE}/DIRAC/tests/Jenkins/utilities.sh"
 installSite() {
   echo "==> [installSite]"
 
-  generateCA
-  generateCertificates
-
-  echo -n > "${SERVERINSTALLDIR}/dirac-ci-install.cfg"
+  # echo -n > "${SERVERINSTALLDIR}/dirac-ci-install.cfg"
   getCFGFile
 
   echo "==> Fixing install.cfg file"
@@ -127,7 +124,30 @@ installSite() {
   bash "installer.sh"
   rm "installer.sh"
   echo "source \"$PWD/diracos/diracosrc\"" > "$PWD/bashrc"
-  mv "${SERVERINSTALLDIR}/etc/grid-security/"* "${SERVERINSTALLDIR}/diracos/etc/grid-security/"
+
+  mkdir -p "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/"
+  mkdir -p "${SERVERINSTALLDIR}/user/"
+
+  echo "==> CAs and certificates"
+
+  # Copy the CA to the list of trusted CA
+  cp "/ca/certs/ca.cert.pem" "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/"
+
+  # Copy the cert and host key to the certificates directory
+  cp /ca/certs/hostcert.pem "${SERVERINSTALLDIR}/diracos/etc/grid-security/"
+  cp /ca/certs/hostkey.pem "${SERVERINSTALLDIR}/diracos/etc/grid-security/"
+
+  # Generate the hash link file required by openSSL to index CA certificates
+  caHash=$(openssl x509 -in "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/ca.cert.pem" -noout -hash)
+  # We make a relative symlink on purpose (i.e. not the full path to ca.cert.pem)
+  # because otherwise the BundleDeliveryClient will send the full path, which
+  # will be wrong on the client
+  ln -s "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/ca.cert.pem" "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/$caHash.0"
+
+  # Copy the user cert and key to the correct directory
+  cp /ca/certs/client.pem "${SERVERINSTALLDIR}/user/"
+  cp /ca/certs/client.key "${SERVERINSTALLDIR}/user/"
+
   rm -rf "${SERVERINSTALLDIR}/etc"
   ln -s "${SERVERINSTALLDIR}/diracos/etc" "${SERVERINSTALLDIR}/etc"
   source diracos/diracosrc
@@ -136,7 +156,6 @@ installSite() {
   done
   cd -
 
-
   echo "==> Sourcing bashrc"
   source "${SERVERINSTALLDIR}/bashrc"
 
@@ -212,13 +231,6 @@ fullInstallDIRAC() {
     cat "${SERVERINSTALLDIR}/diracos/etc/Production.cfg"
   fi
 
-  # Dealing with security stuff
-  # generateCertificates
-  if ! generateUserCredentials; then
-    echo "ERROR: generateUserCredentials failed" >&2
-    exit 1
-  fi
-
   if ! diracCredentials; then
     echo "ERROR: diracCredentials failed" >&2
     exit 1