WIP: Kopano Konnect und Rest API (#72)

* add a new image for konnect
* add konnect to compose file
* adapt gencerts for konnect certs
* integrate gencerts into start.sh and adapt if to only skip individual parts
* add container for kapi
* use same config for webapp and z-push as https://stash.kopano.io/projects/KGOL/repos/kweb/browse/config/legacy.go
* use example compose file in make test target
* make compose file configurable through an env variable
* remove legacy links in compose
* write certificates first to a tempfile
* remove unnecessary paths
* add option to run kapi insecure for testing
* configure openid for kopano-server
* add local playground to test functionality of konnect and kapi
* print errors and logs to stdout in web
* add extrahosts to kopano_server
* adapt extrahosts for ip command on ubuntu 18.04
* add documentation

Signed-off-by: Felix Bartels <felix@host-consultants.de>

Makefile

@@ -19,13 +19,14 @@ KOPANO_ZPUSH_REPOSITORY_URL := http://repo.z-hub.io/z-push:/final/Debian_9.0/
 RELEASE_KEY_DOWNLOAD := 0
 DOWNLOAD_COMMUNITY_PACKAGES := 1
 
+COMPOSE_FILE := docker-compose.yml-example
 -include .env
 export
 
 # convert lowercase componentname to uppercase
 COMPONENT = $(shell echo $(component) | tr a-z A-Z)
 
-build-all: build-ssl build-base build-core build-utils build-webapp build-zpush build-kweb build-ldap-demo
+build-all: build-ssl build-base build-core build-utils build-webapp build-zpush build-kweb build-konnect build-playground build-ldap-demo
 
 build: component ?= base
 build:
@@ -66,6 +67,12 @@ build-ssl:
 build-kweb:
 	docker build -t $(docker_repo)/kopano_web kweb/
 
+build-konnect:
+	docker build -t $(docker_repo)/kopano_konnect konnect/
+
+build-playground:
+	docker build -t $(docker_repo)/kopano_playground playground/
+
 build-ldap-demo:
 	docker build -t $(docker_repo)/kopano_ldap_demo ldap-demo/
 
@@ -137,13 +144,13 @@ publish-kweb: build-kweb
 	docker push $(docker_repo)/kopano_web:latest
 
 test:
-	docker-compose down -v || true
+	docker-compose -f $(COMPOSE_FILE) down -v || true
 	make build-all
-	docker-compose build
+	docker-compose -f $(COMPOSE_FILE) build
-	docker-compose up -d
+	docker-compose -f $(COMPOSE_FILE) up -d
-	docker-compose ps
+	docker-compose -f $(COMPOSE_FILE) ps
 
 test-quick:
-	docker-compose stop || true
+	docker-compose -f $(COMPOSE_FILE) stop || true
-	docker-compose up -d
+	docker-compose -f $(COMPOSE_FILE) up -d
-	docker-compose ps
+	docker-compose -f $(COMPOSE_FILE) ps

README.md

@@ -69,11 +69,15 @@ While using kweb is recommended, this is of course possible.
 - The `kopano_webapp` image is accessible on port 80 and serves the WebApp both on `/` and `/webapp`.
 - The `kopano_zpush` image is accessible on port 80 and serves Z-Push on `/Microsoft-Server-ActiveSync` (additional urls may be needed in the future see #39).
 
+### What are and how can I use the Kapi Playground and OIDC Playground?
+
+This project includes a Docker container to easily inspect the data returned by the Kopano Rest API (KAPI), as well as the OpenID (Connect) Service Provider. To explore these applications you need to pass the URL of the "Issuer" when opening these. For the Kapi Playground this would for example be `https://kopano.demo/kapi-playground/?iss=https://kopano.demo`.
+
 ### I want to use these Docker images outside of an evaluation environment. What do I need to adjust to make this possible?
 
 To get a quick impression of Kopano this git repository bundles a locally build ldap image with some example users. When using the docker-compose.yml in a production environment make sure to:
 
-- either remove `ldap-demo/bootstrap/ldif/demo-users.ldif` from the locally built ldap image or complelty remove the local ldap from the compose file
+- either remove `ldap-demo/bootstrap/ldif/demo-users.ldif` from the locally built ldap image or complety remove the local ldap from the compose file
 - adapt ldap queries in .env to match you actual ldap server and users
 - all additional configuration of the Kopano components should be specified in the compose file and **not within the running container**
 

core/Dockerfile

@@ -29,6 +29,7 @@ RUN \
     set -x && \
     apt-get install --no-install-recommends -y \
         kopano-server-packages \
+	kopano-grapi kopano-kapid \
         ${ADDITIONAL_KOPANO_PACKAGES} \
         && \
     set +x && \

core/defaultconfigs/grapi.py

@@ -0,0 +1,5 @@
+import os
+import kcconf
+
+# Override configs from environment variables
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))

core/defaultconfigs/kapid.py

@@ -0,0 +1,18 @@
+import os
+import kcconf
+
+# Component specific configurations
+kcconf.configkopano({
+    r"/etc/kopano/kapid.cfg":
+    {
+        'log_level': "info",
+        'listen': "0.0.0.0:8039",
+        'DEFAULT_PLUGIN_PUBS_SECRET_KEY_FILE': "/kopano/ssl/kapid-pubs-secret.key",
+        'plugin_kvs_db_datasource': "/kopano/data/kapi-kvs/kvs.db",
+        'plugin_grapi_socket_path': "/var/run/kopano/grapi"
+
+    }
+})
+
+# Override configs from environment variables
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))

core/start-service.sh

@@ -16,7 +16,7 @@ fi
 	fi
 done
 
-mkdir -p /kopano/data/attachments /tmp/$SERVICE_TO_START /var/run/kopano
+mkdir -p /kopano/data/attachments /kopano/data/kapi-kvs /tmp/$SERVICE_TO_START /var/run/kopano
 
 echo "Configure core service '$SERVICE_TO_START'" | ts
 /usr/bin/python3 /kopano/$SERVICE_TO_START.py
@@ -72,6 +72,28 @@ ical)
 	unset "${!KCCONF_@}"
 	exec /usr/sbin/kopano-ical -F
 	;;
+grapi)
+	LC_CTYPE=en_US.UTF-8
+	export socket_path=/var/run/kopano/grapi
+	mkdir $socket_path
+	chown -R kapi:kopano $socket_path
+	# cleaning up env variables
+	unset "${!KCCONF_@}"
+	exec kopano-grapi serve
+	;;
+kapid)
+	dockerize \
+		-wait file://var/run/kopano/grapi/notify.sock \
+		-wait http://kopano_konnect:8777/.well-known/openid-configuration \
+		-timeout 360s
+	LC_CTYPE=en_US.UTF-8
+	sed -i s/\ *=\ */=/g /etc/kopano/kapid.cfg
+	export $(grep -v '^#' /etc/kopano/kapid.cfg | xargs -d '\n')
+	kopano-kapid setup
+	# cleaning up env variables
+	unset "${!KCCONF_@}"
+	exec kopano-kapid serve --log-timestamp=false
+	;;
 monitor)
 	dockerize \
 		-wait file://var/run/kopano/server.sock \

docker-compose.yml-example

@@ -5,9 +5,6 @@ services:
     image: ${docker_repo:?err}/kopano_web
     container_name: web
     restart: always
-    links:
-      - kopano_webapp
-      - kopano_zpush
     ports:
       - "2015:2015"
       - "${HTTP}:8080"
@@ -49,8 +46,6 @@ services:
       - PHPLDAPADMIN_LDAP_HOSTS=ldap
       - PHPLDAPADMIN_HTTPS=false
     command: -l debug
-    links:
-      - ldap
     networks:
       - ldap-net
       - web-net
@@ -63,8 +58,6 @@ services:
     container_name: mail
     depends_on:
       - ldap
-    links:
-      - ldap
     ports:
       - "25:25"
     volumes:
@@ -138,12 +131,9 @@ services:
       - kopanossl/:/kopano/ssl
 
   kopano_server:
-    image: ${docker_repo}/kopano_core:${CORE_VERSION}
+    image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
     hostname: kopano_server
     container_name: kopano_server
-    links:
-      - db
-      - ldap
     depends_on:
       - db
       - ldap
@@ -155,7 +145,7 @@ services:
       - SERVICE_TO_START=server
       - TZ=${TZ}
       - KCCONF_SERVER_COREDUMP_ENABLED=no
-      - KCCONF_SERVER_LOG_LEVEL=4
+      - KCCONF_SERVER_LOG_LEVEL=3
       - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST}
       - KCCONF_SERVER_MYSQL_PORT=3306
       - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE}
@@ -175,9 +165,15 @@ services:
       - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1}
       - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1}
       - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES}
+      - KCCONF_SERVER_ENABLE_SSO=yes
+      - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN}
+      - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE}
+      - KCCONF_SERVER_KCOIDC_INITIALIZE_TIMEOUT=360
     networks:
       - kopano-net
       - ldap-net
+    extra_hosts:
+      - ${EXTRAHOSTS}
     volumes:
       - kopanodata/:/kopano/data
       - kopanossl/:/kopano/ssl
@@ -187,8 +183,6 @@ services:
     image: ${docker_repo:?err}/kopano_webapp:${WEBAPP_VERSION}
     hostname: kopano_webapp
     container_name: kopano_webapp
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
@@ -203,8 +197,6 @@ services:
     image: ${docker_repo:?err}/kopano_zpush:${ZPUSH_VERSION}
     hostname: kopano_zpush
     container_name: kopano_zpush
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
@@ -215,18 +207,46 @@ services:
       - web-net
       - kopano-net
 
+  kopano_grapi:
+    image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
+    container_name: kopano_grapi
+    volumes:
+      - kopanosocket/:/run/kopano
+    environment:
+      - SERVICE_TO_START=grapi
+      - TZ=${TZ}
+    networks:
+      - kopano-net
+
+  kopano_kapi:
+    image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
+    container_name: kopano_kapi
+    volumes:
+      - kopanodata/:/kopano/data
+      - kopanossl/:/kopano/ssl
+      - kopanosocket/:/run/kopano
+    environment:
+      - SERVICE_TO_START=kapid
+      - TZ=${TZ}
+      - KCCONF_KAPID_LOG_LEVEL=DEBUG
+      - KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER=https://${FQDN}
+      - KCCONF_KAPID_INSECURE=${INSECURE}
+    extra_hosts:
+      - ${EXTRAHOSTS}
+    networks:
+      - kopano-net
+      - web-net
+
   kopano_dagent:
     image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
     container_name: kopano_dagent
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
     environment:
       - SERVICE_TO_START=dagent
       - TZ=${TZ}
-      - KCCONF_DAGENT_LOG_LEVEL=6
+      - KCCONF_DAGENT_LOG_LEVEL=3
       - KCCONF_DAGENT_SSLKEY_FILE=/kopano/ssl/kdagent.pem
     networks:
       - kopano-net
@@ -236,15 +256,13 @@ services:
     container_name: kopano_spooler
     hostname: spooler
     domainname: ${LDAP_DOMAIN}
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
     environment:
       - SERVICE_TO_START=spooler
       - TZ=${TZ}
-      - KCCONF_SPOOLER_LOG_LEVEL=4
+      - KCCONF_SPOOLER_LOG_LEVEL=3
       - KCCONF_SPOOLER_SMTP_SERVER=mail
       - KCCONF_SPOOLER_SSLKEY_FILE=/kopano/ssl/kspooler.pem
     networks:
@@ -253,8 +271,6 @@ services:
   kopano_gateway:
     image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
     container_name: kopano_gateway
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
@@ -269,8 +285,6 @@ services:
   kopano_ical:
     image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
     container_name: kopano_ical
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
@@ -284,8 +298,6 @@ services:
   kopano_monitor:
     image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
     container_name: kopano_monitor
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
@@ -298,8 +310,6 @@ services:
   kopano_search:
     image: ${docker_repo:?err}/kopano_core:${CORE_VERSION}
     container_name: kopano_search
-    links:
-      - kopano_server
     volumes:
       - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
@@ -309,6 +319,27 @@ services:
       - TZ=${TZ}
     networks:
       - kopano-net
+
+  kopano_konnect:
+    image: ${docker_repo:?err}/kopano_konnect
+    container_name: kopano_konnect
+    command: wrapper.sh
+    volumes:
+     - kopanossl/:/kopano/ssl
+     - kopanosocket/:/run/kopano
+    environment:
+     - FQDN=${FQDN}
+    networks:
+     - kopano-net
+     - web-net
+
+  kopano_playground:
+    image: ${docker_repo:?err}/kopano_playground
+    container_name: kopano_playground
+    networks:
+     - kopano-net
+     - web-net
+
 volumes:
   web:
   ldap:

konnect/Dockerfile

@@ -0,0 +1,14 @@
+FROM kopano/konnectd:0.16.1
+
+RUN apk add --update \
+	openssl \
+	&& rm -rf /var/cache/apk/*
+
+ENV DOCKERIZE_VERSION v0.6.1
+RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
+    && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
+    && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
+
+RUN mkdir -p /etc/kopano/
+COPY identifier-registration.yaml /etc/kopano
+COPY wrapper.sh /usr/local/bin

konnect/identifier-registration.yaml

@@ -0,0 +1,54 @@
+---
+
+# OpenID Connect client registry.
+clients:
+#  - id: oidc-client-example.js
+#    name: OIDC Playground
+#    application_type: web
+#    redirect_uris:
+#       - https://devmail.kopano.com/kapi-playground/
+#  - id: playground.js
+#    name: OIDC Playground
+#    application_type: web
+#    redirect_uris:
+#       - https://my-host:8509/
+
+#  - id: playground-trusted.js
+#    name: Trusted OIDC Playground
+#    trusted: yes
+#    application_type: web
+#    redirect_uris:
+#       - https://my-host:8509/
+
+#  - id: playground-trusted.js
+#    name: Trusted Insecure OIDC Playground
+#    trusted: yes
+#    application_type: web
+#    insecure: yes
+
+#  - id: client-with-keys
+#    secret: super
+#    application_type: native
+#    redirect_uris:
+#      - http://localhost
+#    jwks:
+#      keys:
+#        - kty: EC
+#          use: sig
+#          kid: client-with-keys-key-1
+#          crv: P-256
+#          x: RTZpWoRbjwX1YavmSHVBj6Cy3Yzdkkp6QLvTGB22D0c
+#          y: jeavjwcX0xlDSchFcBMzXSU7wGs2VPpNxWCwmxFvmF0
+#    request_object_signing_alg: ES256
+
+#  - id: first
+#    secret: lala
+#    application_type: native
+#    redirect_uris:
+#      - my://app
+
+#  - id: second
+#    secret: lulu
+#    application_type: native
+#    redirect_uris:
+#      - http://localhost

konnect/wrapper.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+dockerize \
+	-wait file:///kopano/ssl/konnectd-tokens-signing-key.pem \
+	-wait file:///kopano/ssl/konnectd-encryption.key \
+	-timeout 360s
+exec konnectd serve \
+	--signing-private-key=/kopano/ssl/konnectd-tokens-signing-key.pem \
+	--encryption-secret=/kopano/ssl/konnectd-encryption.key \
+	--iss=https://$FQDN \
+	--identifier-registration-conf /etc/kopano/identifier-registration.yaml \
+	kc

kweb/kweb.cfg

@@ -3,22 +3,119 @@
 }
 
 *, :8443 {
+    log stdout
+    errors stdout
+
     gzip
+    header / Server kweb
 
     tls {%EMAIL%}
 
+    limits {
+        header 1MB
+        body   50MB
+    }
+
     redir 302 {
         if {path} is /
         / /webapp/
     }
 
-    proxy /webapp/ kopano_webapp:80 {
+    # Config
+    configjson /api/config/v1/kopano/ config/kopano
+
+    # Konnect
+    proxy /upstreams/konnect/ {
+        without /upstreams/konnect/
+        upstream kopano_konnect:8777
+        policy least_conn
+        health_check /health-check
+        fail_timeout 10s
+        try_duration 30s
+        keepalive 100
         transparent
+        header_downstream Feature-Policy "midi 'none'"
+        header_downstream X-Frame-Options "sameorigin"
     }
-    redir /webapp /webapp/
+    ratelimit * 100 200 minute {
+        /upstreams/konnect/v1/
+        /signin/v1/identifier/_/
+        whitelist 127.0.0.1/8
+    }
+    rewrite /.well-known/openid-configuration {
+        to /upstreams/konnect/{path}
+    }
+    rewrite /konnect/v1/ {
+        to /upstreams/konnect/{path}
+    }
+    rewrite /signin/v1/ {
+        to /upstreams/konnect/{path}
+    }
+    redir /signin /signin/v1/identifier
+
+    # Kapi
+    proxy /upstreams/kapi/ {
+        without /upstreams/kapi/
+        upstream kopano_kapi:8039
+        policy least_conn
+        health_check /health-check
+        fail_timeout 10s
+        try_duration 30s
+        keepalive 100
+        transparent
+        websocket
+    }
+    ratelimit * 100 200 minute {
+        /upstreams/kapi/api/
+        whitelist 127.0.0.1/8
+    }
+    rewrite /api/gc/v1/ {
+        to /upstreams/kapi/{path}
+    }
+    rewrite /api/pubs/v1/ {
+        to /upstreams/kapi/{path}
+    }
+    rewrite /api/kvs/v1/ {
+        to /upstreams/kapi/{path}
+    }
+
+    # playground for oidc
+    proxy /oidc-playground/ http://kopano_playground:8888/ {
+        fail_timeout 10s
+        try_duration 30s
+        transparent
+        keepalive 100
+    }
+    folderish /oidc-playground
+
+    # playground for Kapi
+    proxy /kapi-playground/ http://kopano_playground:8888/ {
+        fail_timeout 10s
+        try_duration 30s
+        transparent
+        keepalive 100
+    }
+    folderish /kapi-playground
+
+    proxy /webapp/ kopano_webapp:80 {
+        fail_timeout 10s
+        try_duration 30s
+        transparent
+        keepalive 100
+    }
+    folderish /webapp
 
     proxy /Microsoft-Server-ActiveSync kopano_zpush:80 {
         transparent
+        keepalive 0
+        timeout 3540s
+    }
+
+    proxy /AutoDiscover/AutoDiscover.xml kopano_zpush:80 {
+        transparent
+        keepalive 0
+        fail_timeout 10s
+        try_duration 30s
     }
 
     proxy /ldap-admin/ ldap-admin:80 {

playground/Dockerfile

@@ -0,0 +1,14 @@
+from alpine:3.8 as builder
+RUN apk add --update \
+        git make \
+        && rm -rf /var/cache/apk/*
+RUN mkdir -p /web/oidc-playground /web/kapi-playground
+RUN git clone https://stash.kopano.io/scm/~seisenmann/oidc-playground.git
+RUN mv oidc-playground/www/* /web/oidc-playground
+RUN git clone https://stash.kopano.io/scm/kc/kapi.git
+RUN mv kapi/examples/* /web/kapi-playground
+RUN cd /web/kapi-playground && rm Makefile && ln -s oidc-client-example.html index.html
+
+from halverneus/static-file-server:v1.5.2
+env PORT 8888
+COPY --from=builder /web /web

setup.sh

@@ -50,6 +50,10 @@ if [ ! -e ./.env ]; then
 	read -p "Which tag do you want to use for Z-Push? [$value_default]: " new_value
 	ZPUSH_VERSION=${new_value:-$value_default}
 
+	value_default=latest
+	read -p "Which tag do you want to use for Kopano Konnect? [$value_default]: " new_value
+	KONNECT_VERSION=${new_value:-$value_default}
+
 	value_default="Kopano Demo"
 	read -p "Name of the Organisation for LDAP [$value_default]: " new_value
 	LDAP_ORGANISATION=${new_value:-$value_default}
@@ -62,6 +66,13 @@ if [ ! -e ./.env ]; then
 	read -p "Email address to use for Lets Encrypt. Use 'self_signed' as your email to create self signed certificates [$value_default]: " new_value
 	EMAIL=${new_value:-$value_default}
 
+	# Let Kapi accept self signed certs if required
+	if [ "$EMAIL" == "self_signed" ]; then
+		INSECURE="yes"
+	else
+		INSECURE="no"
+	fi
+
 	LDAP_BASE_DN=$(fqdn_to_dn $FQDN)
 	value_default="$LDAP_BASE_DN"
 	read -p "Name of the BASE DN for LDAP [$value_default]: " new_value
@@ -191,6 +202,7 @@ if [ ! -e ./.env ]; then
 CORE_VERSION=$CORE_VERSION
 WEBAPP_VERSION=$WEBAPP_VERSION
 ZPUSH_VERSION=$ZPUSH_VERSION
+KONNECT_VERSION=$KONNECT_VERSION
 
 LDAP_ORGANISATION="$LDAP_ORGANISATION"
 LDAP_DOMAIN=$FQDN
@@ -230,8 +242,13 @@ EMAIL=$EMAIL
 HTTP=80
 HTTPS=443
 
-# Docker Repository to push to
+# Settings for test environments
+EXTRAHOSTS=$FQDN:$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p')
+INSECURE=$INSECURE
+
+# Docker Repository to push to/pull from
 docker_repo=zokradonh
+COMPOSE_PROJECT_NAME=kopano
 
 # Modify below to build a different version, than the kopano nightly release
 #KOPANO_CORE_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/core:/final/Debian_9.0/

ssl/Dockerfile

@@ -16,8 +16,7 @@ RUN apk add --update \
     && rm -rf /var/cache/apk/*
 
 COPY start.sh /start.sh
-COPY gencerts.sh /gencerts.sh
 
-RUN chmod a+x /start.sh /gencerts.sh
+RUN chmod a+x /start.sh
 
 CMD ["/start.sh"]

ssl/gencerts.sh

@@ -1,20 +0,0 @@
-#!/bin/sh
-# https://github.com/google/easypki
-
-# TODO integrate this directly into start.sh?
-
-echo "Creating CA and Server certificates..."
-easypki create --filename internalca --organizational-unit primary --expire 3650 --ca "Internal Kopano System"
-
-mkdir -p /kopano/ssl/clients/
-cp /kopano/easypki/internalca/certs/internalca.crt /kopano/ssl/ca.pem
-
-for s in kserver kdagent kmonitor ksearch kspooler kwebapp
-  do
-    easypki create --ca-name internalca --organizational-unit $s --expire 3650 $s
-    cp /kopano/easypki/internalca/keys/$s.key /kopano/ssl/$s.pem
-    cat /kopano/easypki/internalca/certs/$s.crt >> /kopano/ssl/$s.pem
-    openssl x509 -in /kopano/easypki/internalca/certs/$s.crt -pubkey -noout > /kopano/ssl/clients/$s-public.pem
-done
-
-ls -l /kopano/ssl/*.pem

ssl/start.sh

@@ -1,7 +1,47 @@
 #!/bin/sh
 
-if [ -f /kopano/ssl/ca.pem ]; then
+mkdir -p /kopano/ssl/clients/
-	exit 0
+
+if [ ! -f /kopano/ssl/ca.pem ]; then
+	# https://github.com/google/easypki
+	echo "Creating CA and server certificates..."
+	easypki create --filename internalca --organizational-unit primary --expire 3650 --ca "Internal Kopano System"
+
+	for s in kserver kdagent kmonitor ksearch kspooler kwebapp; do
+		easypki create --ca-name internalca --organizational-unit $s --expire 3650 $s
+		cp /kopano/easypki/internalca/keys/$s.key /kopano/ssl/$s.pem.tmp
+		cat /kopano/easypki/internalca/certs/$s.crt >> /kopano/ssl/$s.pem.tmp
+		openssl x509 -in /kopano/easypki/internalca/certs/$s.crt -pubkey -noout >  /kopano/ssl/clients/$s-public.pem.tmp
+		mv /kopano/ssl/$s.pem.tmp /kopano/ssl/$s.pem
+		mv /kopano/ssl/clients/$s-public.pem.tmp /kopano/ssl/clients/$s-public.pem
+	done
+
+	cp /kopano/easypki/internalca/certs/internalca.crt /kopano/ssl/ca.pem.tmp
+	mv /kopano/ssl/ca.pem.tmp /kopano/ssl/ca.pem
 fi
 
-/gencerts.sh
+# Konnect - create encryption key if not already present
+enckey="/kopano/ssl/konnectd-encryption.key"
+if [ ! -f $enckey ]; then
+	echo "creating new encryption key"
+	openssl rand -out $enckey.tmp 32
+	mv $enckey.tmp $enckey
+fi
+
+# Konnect - create token signing key if not already present
+signkey="/kopano/ssl/konnectd-tokens-signing-key.pem"
+if [ ! -f $signkey ]; then
+	echo "creating new token signing key"
+	openssl genpkey -algorithm RSA -out $signkey.tmp -pkeyopt rsa_keygen_bits:4096
+	mv $signkey.tmp $signkey
+fi
+
+# Kapi
+secretkey="/kopano/ssl/kapid-pubs-secret.key"
+if [ ! -f $secretkey ]; then
+	openssl rand -out $secretkey.tmp -hex 64
+	mv $secretkey.tmp $secretkey
+fi
+
+ls -l /kopano/ssl/*.pem
+ls -l /kopano/ssl/*.key