modify tls-gen to also copy the ca certificate to the workflow directory

rgl · rgl · commit 130ca6ea249e · 2021-11-18T06:04:30.000Z
this simplifies the compose file

Signed-off-by: Rui Lopes &lt;rgl@ruilopes.com&gt;
diff --git a/deploy/compose/docker-compose.yml b/deploy/compose/docker-compose.yml
@@ -59,20 +59,6 @@ services:
       registry:
         condition: service_healthy
 
-  # registry ca.crt download
-  registry-ca-crt-download:
-    image: alpine
-    entrypoint: wget
-    working_dir: /code
-    command: ["http://$TINKERBELL_HOST_IP:42114/cert", "-O", "ca.pem"]
-    volumes:
-      - ${REPO_TOP_LEVEL:-.}/state/webroot/workflow:/code
-    depends_on:
-      tink-server:
-        condition: service_healthy
-      db:
-        condition: service_healthy
-
   # Create hardware, template, and workflow records in tink-server
   create-tink-records:
     image: ${TINK_CLI_IMAGE}
diff --git a/deploy/compose/tls/generate.sh b/deploy/compose/tls/generate.sh
@@ -1,12 +1,13 @@
 #!/usr/bin/env bash
 # This script handles the generation of the TLS certificates.
-# The output is 4 files:
+# This generates the files:
 # 1. /certs/${FACILITY:-onprem}/ca-crt.pem (CA TLS public certificate)
 # 2. /certs/${FACILITY:-onprem}/server-crt.pem (server TLS certificate)
 # 3. /certs/${FACILITY:-onprem}/server-key.pem (server TLS private key)
 # 4. /certs/${FACILITY:-onprem}/bundle.pem (server TLS certificate; backward compat)
+# 5. /code/state/webroot/workflow/ca.pem (CA TLS public certificate)
 
-set -xo pipefail
+set -euxo pipefail
 
 # update_csr will add the sans_ip, as a valid host domain in the csr
 update_csr() {
@@ -36,6 +37,7 @@ gen() {
 main() {
 	local sans_ip="$1"
 	local csr_file="/code/tls/csr.json"
+	local ca_crt_workflow_file="/code/state/webroot/workflow/ca.pem"
 	local ca_crt_file="/certs/${FACILITY:-onprem}/ca-crt.pem"
 	local server_crt_file="/certs/${FACILITY:-onprem}/server-crt.pem"
 	local server_key_file="/certs/${FACILITY:-onprem}/server-key.pem"
@@ -55,6 +57,11 @@ main() {
 	else
 		echo "Files [${ca_crt_file}, ${server_crt_file}, ${server_key_file}] already exist"
 	fi
+	if [ ! -f "${ca_crt_workflow_file}" ]; then
+		cp "${ca_crt_file}" "${ca_crt_workflow_file}"
+	else
+		echo "File ${ca_crt_workflow_file} already exist"
+	fi
 	cleanup
 }
 
