Deploying KRA on Podman - dogtagpki/pki GitHub Wiki
|
Note
|
This page is still under construction. |
This document describes the process to deploy KRA container on Podman with PKI 11.6 or later.
Current limitations:
-
Replication is not yet supported (i.e. no scaling)
-
HSM is not yet supported
-
No security domain (i.e. other subsystems need to be set up manually)
-
Long startup time (due to certs import and instance creation)
Create a network for the containers, for example:
$ podman network create example
Alternatively, use an existing network.
To deploy the KRA container, prepare the following files:
-
server.p12which contains:-
ca_signingcertificate (see Generating CA Signing Certificate) -
kra_storagecertificate and key (see Generating KRA Storage Certificate) -
kra_transportcertificate and key (see Generating KRA Transport Certificate) -
sslservercertificate and key (see Generating SSL Server Certificate)
-
-
kra_storage.csrcertificate request -
kra_transport.csrcertificate request -
sslserver.csrcertificate request
Then store the files in a location that will be mapped to the /certs folder in the KRA container.
See also:
Run the KRA container with the following command:
$ podman run \
--name kra \
--hostname kra.example.com \
--network example \
--network-alias kra.example.com \
-v $PWD/certs:/certs \
-v $PWD/conf:/conf \
-v $PWD/logs:/logs \
-e PKI_DS_URL=ldap://ds.example.com:3389 \
-e PKI_DS_PASSWORD=Secret.123 \
-d \
quay.io/dogtagpki/pki-kra:latest
Wait until the KRA service is running:
$ podman logs -f kra
If the KRA container is no longer needed, it can be removed with the following command:
$ podman rm -f kra