Telecominfraproject/wlan-cloud-ucentral-deploy
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy.git synced 2026-01-27 02:22:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #295 from Telecominfraproject/WIFI-14521-add-pki2-readme

Browse Source 
Wifi 14521 add pki2 readme
This commit is contained in:
Carsten Schafer
2025-07-02 13:27:05 -04:00
committed by GitHub
parent a54fc0cf6a 0b75c52822
commit 77440e73bc
5 changed files with 26 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/ci.yml vendored
View File

@@ -44,7 +44,7 @@ jobs:
echo "tag=$(git tag | grep -v RC | tail -2 | head -1)" >> $GITHUB_OUTPUT
trigger-docker-compose-testing:
if: startsWith(github.ref, 'refs/pull/')
if: startsWith(github.ref, 'DISABLEDrefs/pull/')
runs-on: ubuntu-latest
needs: envs
steps:
@@ -67,7 +67,7 @@ jobs:
inputs: '{"deployment_version": "${{ env.PR_BRANCH }}", "microservice": "all"}'
trigger-k8s-testing:
if: startsWith(github.ref, 'refs/pull/')
if: startsWith(github.ref, 'DISABLEDrefs/pull/')
runs-on: ubuntu-latest
needs: envs
steps:
@@ -90,7 +90,7 @@ jobs:
inputs: '{"deployment_version": "${{ env.PR_BRANCH }}", "microservice": "all"}'
trigger-docker-compose-upgrade-testing:
if: startsWith(github.ref, 'refs/tags/v')
if: startsWith(github.ref, 'DISABLEDrefs/tags/v')
runs-on: ubuntu-latest
needs: envs
steps:

16
README.PKI2.0.md Normal file
View File

@@ -0,0 +1,16 @@
# PKI 2.0 Upgrade
## Overview
For PKI 2.0 we will need to:
- Add Insta chain certificates to the list of trusted certificates.
- Switch to using the Insta certifcates for the server certificate.
## Docker Compose
The file `certs/clientcas.pem` already contains the Insta Chain certificates (along with the previous Digicert ones.)
Once you receive your server certificate package from Insta, please update the `websocket-cert.pem` and `websocket-key.pem` files.
Restart the stack by running the appropriate `docker-compose` command.
## Kubernetes
The file `charts/environment-values/values.openwifi-qa.yaml` under `clientcas.pem` already contains the Insta Chain certificates (along with the previous Digicert ones.) Please make sure that this file gets updated in any existing deployments. It should be reflected in the `owgw-certs` secret under `clientcas.pem`.
Once you receive your server certificate package from Insta, please update the `websocket-cert.pem` and `websocket-key.pem` secrets in the same location. If you are making a change to the secret then a GW restart is also required (by deleting the owgw pod.)
Make sure the image for OWGW is `tip-tip-wlan-cloud-ucentral.jfrog.io/owgw:master` or a specific tag like `v4.1.0` (when version 4.1.0 is released.)

6
docker-compose/cloudformation/README.md
View File

@@ -3,7 +3,7 @@ With the YAML template included in this directory you can create an OpenWiFi Clo
The template creates a CloudFormation stack based on the Docker Compose Let's Encrypt deployment (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/docker-compose#lb-deployment-with-letsencrypt-certificates). The created stack consists of an EC2 instance, and depending on the input parameters, also adds a Route53 hosted zone and a DNS record.
⚠️**Note**: Please be aware that you will be billed for the AWS resources if you create a stack from this template.
1. Login into the AWS Management Console (https://aws.amazon.com/de/console).
2. Go to the AWS Systems Manager Parameter Store page and create two parameters according to these instructions https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html: one for your Digicert-signed websocket certificate and the other one for the corresponding key. You can leave the default parameter details: you need two standard parameters with type `String` and data type `text`. Just copy and paste your certificate and key into the `Value` field of the respective parameter and remember the parameter names.
2. Go to the AWS Systems Manager Parameter Store page and create two parameters according to these instructions https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html: one for your Digicert or Insta signed websocket certificate and the other one for the corresponding key. You can leave the default parameter details: you need two standard parameters with type `String` and data type `text`. Just copy and paste your certificate and key into the `Value` field of the respective parameter and remember the parameter names.
3. Go to the CloudFormation service page and follow the instructions described here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-console-create-stack-template.html to upload a template file and choose the template included in this repository.
4. In the next step you have to enter multiple input parameters required for a successful deployment. Here's an explanation of all parameters:
@@ -15,6 +15,6 @@ The template creates a CloudFormation stack based on the Docker Compose Let's En
**HostedZoneName**: If you didn't create the hosted zone yet which you want to use for your Route53 record, please specify the domain name of the hosted zone you want to create. Be aware that if you set **CreateRoute53Record** to `True`, you only have to specify either `ExistingHostedZoneId` or `HostedZoneName`. If you decide to create the DNS record yourself, you can leave both parameters empty.
**SDKVersion**: The SDK version you want to use for your deployment. You can either use release names (e.g. `v2.6.0`) or Git branch names (for example `release/v2.6.0`).
**SDKHostname**: Enter a valid public hostname which you want to use for your deployment. This has to resolve to the public IP address of the created EC2 instance. If you set **CreateRoute53Record** to `False`, don't forget to create a DNS entry manually afterwards.
**WebsocketCertParameter**: The name of the AWS Systems Manager parameter containing your Digicert-signed websocket certificate.
**WebsocketKeyParameter**: The name of the AWS Systems Manager parameter containing the key to your Digicert-signed websocket certificate.
**WebsocketCertParameter**: The name of the AWS Systems Manager parameter containing your Digicert or Insta signed websocket certificate.
**WebsocketKeyParameter**: The name of the AWS Systems Manager parameter containing the key to your Digicert or Insta signed websocket certificate.
**TraefikAcmeEmail**: Enter a valid email address to complete Let's Encrypt ACME registration.

4
docker-compose/deploy.sh
View File

@@ -40,8 +40,8 @@ usage () {
echo "- OWSUB_SYSTEM_URI_PUBLIC - public URL to be used for OWSub";
echo;
echo "Optional environment variables:"
echo "- WEBSOCKET_CERT - Your Digicert-signed websocket certificate"
echo "- WEBSOCKET_KEY - The key to your Digicert-signed websocket certificate"
echo "- WEBSOCKET_CERT - Your Digicert or Insta signed websocket certificate"
echo "- WEBSOCKET_KEY - The key to your Digicert or Insta signed websocket certificate"
echo;
echo "- OWSEC_AUTHENTICATION_DEFAULT_USERNAME - username to be used for requests to OWSec";
echo "- OWSEC_AUTHENTICATION_DEFAULT_PASSWORD - hashed password for OWSec (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)";

4
docker-compose/owls/README.md
View File

@@ -1,6 +1,6 @@
# OpenWifi OWLS Docker Compose
## Deployment with self-signed certificates
To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.
To run a load simulation you need to generate a specific Digicert or Insta signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.
Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names.
2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host.
@@ -16,7 +16,7 @@ Be aware that since the OWLS deployment partly exposes the same ports on the hos
12. Click on the floppy disk icon to save your load simulation. You can run it by clicking the play symbol in the table view.
## Deployment with Let's Encrypt certificates
To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations. Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
To run a load simulation you need to generate a specific Digicert or Insta signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations. Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names.
2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host.
3. Switch into the project directory with `cd docker-compose/owls`.