From dc411baee38869510bf2049d5a0ed73175216d30 Mon Sep 17 00:00:00 2001 From: Carsten Schafer Date: Wed, 2 Jul 2025 12:06:49 -0400 Subject: [PATCH 1/3] Fix broken workflows Signed-off-by: Carsten Schafer --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4d936da..d5b1621 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: echo "tag=$(git tag | grep -v RC | tail -2 | head -1)" >> $GITHUB_OUTPUT trigger-docker-compose-testing: - if: startsWith(github.ref, 'refs/pull/') + if: startsWith(github.ref, 'DISABLEDrefs/pull/') runs-on: ubuntu-latest needs: envs steps: @@ -67,7 +67,7 @@ jobs: inputs: '{"deployment_version": "${{ env.PR_BRANCH }}", "microservice": "all"}' trigger-k8s-testing: - if: startsWith(github.ref, 'refs/pull/') + if: startsWith(github.ref, 'DISABLEDrefs/pull/') runs-on: ubuntu-latest needs: envs steps: @@ -90,7 +90,7 @@ jobs: inputs: '{"deployment_version": "${{ env.PR_BRANCH }}", "microservice": "all"}' trigger-docker-compose-upgrade-testing: - if: startsWith(github.ref, 'refs/tags/v') + if: startsWith(github.ref, 'DISABLEDrefs/tags/v') runs-on: ubuntu-latest needs: envs steps: From b9a294bfd5143940b14c7245baf840b69255578b Mon Sep 17 00:00:00 2001 From: Carsten Schafer Date: Wed, 2 Jul 2025 12:07:56 -0400 Subject: [PATCH 2/3] Add Insta references where there are Digicert references Signed-off-by: Carsten Schafer --- docker-compose/cloudformation/README.md | 6 +++--- docker-compose/deploy.sh | 4 ++-- docker-compose/owls/README.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docker-compose/cloudformation/README.md b/docker-compose/cloudformation/README.md index 2c331a6..146bb84 100644 --- a/docker-compose/cloudformation/README.md +++ b/docker-compose/cloudformation/README.md 
@@ -3,7 +3,7 @@ With the YAML template included in this directory you can create an OpenWiFi Clo The template creates a CloudFormation stack based on the Docker Compose Let's Encrypt deployment (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/docker-compose#lb-deployment-with-letsencrypt-certificates). The created stack consists of an EC2 instance, and depending on the input parameters, also adds a Route53 hosted zone and a DNS record. ⚠️**Note**: Please be aware that you will be billed for the AWS resources if you create a stack from this template. 1. Login into the AWS Management Console (https://aws.amazon.com/de/console). -2. Go to the AWS Systems Manager Parameter Store page and create two parameters according to these instructions https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html: one for your Digicert-signed websocket certificate and the other one for the corresponding key. You can leave the default parameter details: you need two standard parameters with type `String` and data type `text`. Just copy and paste your certificate and key into the `Value` field of the respective parameter and remember the parameter names. +2. Go to the AWS Systems Manager Parameter Store page and create two parameters according to these instructions https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html: one for your Digicert or Insta signed websocket certificate and the other one for the corresponding key. You can leave the default parameter details: you need two standard parameters with type `String` and data type `text`. Just copy and paste your certificate and key into the `Value` field of the respective parameter and remember the parameter names. 3. 
Go to the CloudFormation service page and follow the instructions described here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-console-create-stack-template.html to upload a template file and choose the template included in this repository. 4. In the next step you have to enter multiple input parameters required for a successful deployment. Here's an explanation of all parameters: @@ -15,6 +15,6 @@ The template creates a CloudFormation stack based on the Docker Compose Let's En **HostedZoneName**: If you didn't create the hosted zone yet which you want to use for your Route53 record, please specify the domain name of the hosted zone you want to create. Be aware that if you set **CreateRoute53Record** to `True`, you only have to specify either `ExistingHostedZoneId` or `HostedZoneName`. If you decide to create the DNS record yourself, you can leave both parameters empty. **SDKVersion**: The SDK version you want to use for your deployment. You can either use release names (e.g. `v2.6.0`) or Git branch names (for example `release/v2.6.0`). **SDKHostname**: Enter a valid public hostname which you want to use for your deployment. This has to resolve to the public IP address of the created EC2 instance. If you set **CreateRoute53Record** to `False`, don't forget to create a DNS entry manually afterwards. -**WebsocketCertParameter**: The name of the AWS Systems Manager parameter containing your Digicert-signed websocket certificate. -**WebsocketKeyParameter**: The name of the AWS Systems Manager parameter containing the key to your Digicert-signed websocket certificate. +**WebsocketCertParameter**: The name of the AWS Systems Manager parameter containing your Digicert or Insta signed websocket certificate. +**WebsocketKeyParameter**: The name of the AWS Systems Manager parameter containing the key to your Digicert or Insta signed websocket certificate. **TraefikAcmeEmail**: Enter a valid email address to complete Let's Encrypt ACME registration. 
diff --git a/docker-compose/deploy.sh b/docker-compose/deploy.sh index efb3e27..e7b3cfa 100755 --- a/docker-compose/deploy.sh +++ b/docker-compose/deploy.sh @@ -40,8 +40,8 @@ usage () { echo "- OWSUB_SYSTEM_URI_PUBLIC - public URL to be used for OWSub"; echo; echo "Optional environment variables:" - echo "- WEBSOCKET_CERT - Your Digicert-signed websocket certificate" - echo "- WEBSOCKET_KEY - The key to your Digicert-signed websocket certificate" + echo "- WEBSOCKET_CERT - Your Digicert or Insta signed websocket certificate" + echo "- WEBSOCKET_KEY - The key to your Digicert or Insta signed websocket certificate" echo; echo "- OWSEC_AUTHENTICATION_DEFAULT_USERNAME - username to be used for requests to OWSec"; echo "- OWSEC_AUTHENTICATION_DEFAULT_PASSWORD - hashed password for OWSec (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)"; diff --git a/docker-compose/owls/README.md b/docker-compose/owls/README.md index 9c453f6..a67fb12 100644 --- a/docker-compose/owls/README.md +++ b/docker-compose/owls/README.md 
@@ -1,6 +1,6 @@ # OpenWifi OWLS Docker Compose ## Deployment with self-signed certificates -To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations. +To run a load simulation you need to generate a specific Digicert or Insta signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations. Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host. 1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names. 2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host. 
@@ -16,7 +16,7 @@ Be aware that since the OWLS deployment partly exposes the same ports on the hos 12. Click on the floppy disk icon to save your load simulation. You can run it by clicking the play symbol in the table view. ## Deployment with Let's Encrypt certificates -To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations. Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host. +To run a load simulation you need to generate a specific Digicert or Insta signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations. Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host. 1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names. 2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). 
You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host. 3. Switch into the project directory with `cd docker-compose/owls`. From 0b75c528226bd5b1a67d5ed07026f46f7d14dc0c Mon Sep 17 00:00:00 2001 From: Carsten Schafer Date: Wed, 2 Jul 2025 12:08:08 -0400 Subject: [PATCH 3/3] Add PKI 2.0 README Signed-off-by: Carsten Schafer --- README.PKI2.0.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 README.PKI2.0.md diff --git a/README.PKI2.0.md b/README.PKI2.0.md new file mode 100644 index 0000000..a6be536 --- /dev/null +++ b/README.PKI2.0.md @@ -0,0 +1,16 @@ +# PKI 2.0 Upgrade + +## Overview +For PKI 2.0 we will need to: +- Add Insta chain certificates to the list of trusted certificates. +- Switch to using the Insta certifcates for the server certificate. + +## Docker Compose +The file `certs/clientcas.pem` already contains the Insta Chain certificates (along with the previous Digicert ones.) +Once you receive your server certificate package from Insta, please update the `websocket-cert.pem` and `websocket-key.pem` files. +Restart the stack by running the appropriate `docker-compose` command. + +## Kubernetes +The file `charts/environment-values/values.openwifi-qa.yaml` under `clientcas.pem` already contains the Insta Chain certificates (along with the previous Digicert ones.) Please make sure that this file gets updated in any existing deployments. It should be reflected in the `owgw-certs` secret under `clientcas.pem`. +Once you receive your server certificate package from Insta, please update the `websocket-cert.pem` and `websocket-key.pem` secrets in the same location. If you are making a change to the secret then a GW restart is also required (by deleting the owgw pod.) +Make sure the image for OWGW is `tip-tip-wlan-cloud-ucentral.jfrog.io/owgw:master` or a specific tag like `v4.1.0` (when version 4.1.0 is released.)
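Review bot: the three `if:` changes in `.github/workflows/ci.yml` (hunks at `@@ -44,7`, `@@ -67,7` and `@@ -90,7`) do not fix the jobs, they disable them: `startsWith(github.ref, 'DISABLEDrefs/pull/')` can never be true because `github.ref` always begins with `refs/`, so `trigger-docker-compose-testing`, `trigger-k8s-testing` and `trigger-docker-compose-upgrade-testing` will never run again and pull requests and `v` tags lose the downstream Docker Compose, k8s and upgrade testing those jobs dispatch. If disabling is the intent, say so in the commit message (the subject "Fix broken workflows" reads as a repair) and make it explicit in the workflow with `if: false` plus a comment stating why and what is needed to re-enable, or remove the jobs outright. If the dispatches are broken for a fixable reason (all three hunks still dispatch with `inputs: '{"deployment_version": "${{ env.PR_BRANCH }}", "microservice": "all"}'`), fix that instead, because with the tag-triggered job disabled releases will be cut without the upgrade path being exercised.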
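Review bot: step 2 in the `docker-compose/cloudformation/README.md` hunk at `@@ -3,7` still tells the reader to paste the websocket private key into a standard parameter with type `String`; since this sentence is being edited anyway, have it use a `SecureString` parameter for the key (and preferably for the certificate too) so the key is not stored in Parameter Store in the clear, readable by any principal with `ssm:GetParameter`, and check that the template's user data or instance role reads the parameter with decryption enabled. Wording: "Digicert or Insta signed" should be "Digicert- or Insta-signed" (hyphenated compound adjective) here and in the `@@ -15,6` hunk of the same file, in the `docker-compose/deploy.sh` usage text, and in both `docker-compose/owls/README.md` hunks.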
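Review bot: in the `docker-compose/owls/README.md` hunk at `@@ -1,6` the changed sentence sits directly under the heading "Deployment with self-signed certificates" while the sentence itself requires a Digicert- or Insta-signed AP certificate; either the heading is wrong or the text should say which side of the connection uses the self-signed material. The `@@ -16,7` hunk changes the same paragraph verbatim under "Deployment with Let's Encrypt certificates", so every future wording change must be made twice; consider stating the AP-certificate requirement once above both sections. Neither sentence says how to obtain a load-simulation AP certificate with the `53494d` serial prefix from Insta, and since the PKI 2.0 README in this same series describes a switch from Digicert to Insta, a pointer to the Insta request process would help readers who previously followed the Digicert one.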
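Review bot: the Kubernetes section of the new `README.PKI2.0.md` tells operators to run OWGW from `tip-tip-wlan-cloud-ucentral.jfrog.io/owgw:master`; `master` is a mutable tag, so a gateway pinned to it silently picks up whatever was last pushed and cannot be reproduced or rolled back, and the alternative `v4.1.0` tag does not exist yet per the text itself. Recommend a released, immutable tag (or the image digest) and state the minimum version that contains the Insta chain support rather than pointing at `master`. Further points in the same file: "certifcates" in the Overview is a typo for "certificates"; the Docker Compose section names `websocket-cert.pem` and `websocket-key.pem` without a directory while the preceding sentence uses `certs/clientcas.pem`, so give the path and name the `docker-compose` command to run instead of "the appropriate" one; the Kubernetes section mentions only `charts/environment-values/values.openwifi-qa.yaml` while asking that "any existing deployments" be updated, so list, or explain how to find, the values files and `owgw-certs` secrets of the other environments; and since `clientcas.pem` now carries both the Digicert and the Insta chains, say whether and when the Digicert chain is to be removed, because leaving the old issuing CA trusted indefinitely widens the set of client certificates the gateway accepts. A short verification step after swapping the server certificate would also help, for example confirming that the certificate and key belong together by comparing the output of `openssl x509 -noout -pubkey -in websocket-cert.pem` with `openssl pkey -pubout -in websocket-key.pem` before restarting the gateway.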