Skip to content
Permalink
secretsoptional
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

ShibbIdP_ConfigBuilder_Container/configBuilder.sh

Go to file
@pcaskey
pcaskey fix for Windows configs
Latest commit dc368ea May 21, 2018 History
1 contributor

Users who have contributed to this file

executable file 756 lines (666 sloc) 26.6 KB
Raw Blame
#!/bin/bash
echo ""
echo ""
#temp for container version
cd /scriptrun
# script config items
SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/3.3release.zip
TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
TMP_DIR_S=/tmp/3.3release
TMP_DIR_T=/tmp/tomcfg
TMP_DIR_D=/tmp/buildfiles
LINUX_BUILD_FILES_URL=https://github.internet2.edu/docker/shib-idp/archive/master.zip
WINDOWS_BUILD_FILES_URL=https://github.internet2.edu/docker/ShibbIdP_noVM_Windows/archive/master.zip
# default directories
TOMCFG=config/tomcat
TOMLOG=logs/tomcat
TOMCERT=credentials/tomcat
TOMWWWROOT=wwwroot
SHBCFG=config/shib-idp/conf
SHBCREDS=credentials/shib-idp
SHBVIEWS=config/shib-idp/views
SHBEDWAPP=config/shib-idp/edit-webapp
SHBMSGS=config/shib-idp/messages
SHBMD=config/shib-idp/metadata
SHBLOG=logs/shib-idp
# logs
LOGFILE=${PWD}/setup.log
# script variables (do not edit)
ORACLE_JAVA_APPROVAL=None
FQDN=None
SCOPE=None
LDAPURL=None
LDAPBASEDN=None
LDAPDN=None
LDAPPWD=None
SEALERPWD=None
TIER_TESTBED=None
BURNMOUNT=None
USESECRETS=None
##################################
### ensure directory structure ###
##################################
mkdir -p config/tomcat
mkdir -p logs/tomcat
mkdir -p credentials/tomcat
mkdir -p wwwroot
mkdir -p config/shib-idp/conf
mkdir -p credentials/shib-idp
mkdir -p config/shib-idp/views
mkdir -p config/shib-idp/edit-webapp
mkdir -p config/shib-idp/messages
mkdir -p config/shib-idp/metadata
mkdir -p logs/shib-idp
###########################################################
### grab the docker build files, depending on OS choice ###
###########################################################
# first, check for wget
command -v wget >/dev/null 2>&1 || { echo >&2 "ERROR: wget is required, but doesn't appear to be installed. Aborting..."; exit 1; }
case "$BUILD_ENV" in
LINUX | linux)
echo "Getting build files for a Linux container"
wget -q -O ${TMP_DIR_D}.zip ${LINUX_BUILD_FILES_URL} > /dev/null
unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
cp -rf ${TMP_DIR_D}/shib-idp-master/* /output
;;
WINDOWS | windows)
echo "Getting build files for a Windows container"
wget -q -O ${TMP_DIR_D}.zip ${WINDOWS_BUILD_FILES_URL} > /dev/null
unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
cp -rf ${TMP_DIR_D}/ShibbIdP_noVM_Windows-master/* /output
;;
*)
echo "Environment variable BUILD_ENV was not found or had an incorrect value (only LINUX|WINDOWS is supported). Terminating."
exit 1
;;
esac
rm -f /output/configBuilder.sh > /dev/null 2>&1
rm -f /output/setup.log > /dev/null 2>&1
rm -f /output/README.md > /dev/null 2>&1
rm -rf /output/shib-idp-master/*
#grab copy of Dockerfile in working dir
cp -f /output/Dockerfile .
##############################################################
### download default/TIER config for both shibb and tomcat ###
##############################################################
#
echo "Downloading TIER default configs"
wget -q -O ${TMP_DIR_S}.zip ${SHB_CFG_URL} > /dev/null
wget -q -O ${TMP_DIR_T}.zip ${TOM_CFG_URL} > /dev/null
######################
### expand to /tmp ###
######################
unzip -o -d ${TMP_DIR_S} ${TMP_DIR_S}.zip > /dev/null 2>&1
unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
################################################################################
### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
################################################################################
cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/conf/* ${SHBCFG}
cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/views/* ${SHBVIEWS}
cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/edit-webapp/* ${SHBEDWAPP}
cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/messages/* ${SHBMSGS}
cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/metadata/* ${SHBMD}
cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/credentials/* ${SHBCREDS}
cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
#####################################################
### ask setup questions to aid in config building ###
#####################################################
#
# Get Oracle license agreement from the user
#
echo ""
echo "The Shibboleth IdP requires that you use Oracle Java. The Docker container "
echo "should be configured to download it for you as part of the Docker image build "
echo "process, but, before we proceed, you must agree to the Oracle Binary Code "
echo "License Agreement for Java SE (\"Oracle License\"). Please review:"
echo ""
echo " http://www.oracle.com/technetwork/java/javase/terms/license/index.html"
echo ""
echo "By agreeing to the Oracle License, you acknowledge that Internet2 is not"
echo "distributing the Java software and, to the extent an issue arises"
echo "related to your use of Oracle Java in the TIER software package, you and"
echo "Internet2 agree to hold each other harmless from any third party claims."
echo ""${PWD}
#
while [ ${ORACLE_JAVA_APPROVAL} == "None" ]; do
echo -n "Do you agree to the terms of the Oracle license [Yes/No]? "
read response
case $response in
Yes)
ORACLE_JAVA_APPROVAL=$response
;;
No)
ORACLE_JAVA_APPROVAL=$response
;;
*)
echo "Please respond with Yes or No"
esac
done
if [ ${ORACLE_JAVA_APPROVAL} != "Yes" ]; then
echo ""
echo "In order to use this implementation of the Shibboleth IdP, you must"
echo "use Oracle Java and thus agree to the terms of the Oracle license."
exit 0
fi
#
# Get the FQDN of the server
#
echo ""
echo ""
echo "Please supply the Fully Qualified Domain Name (FQDN) of your Shibboleth IdP."
echo "We will use the information you enter here to configure your IdP."
echo "Note: for testing without DNS support (a common case), simply enter"
echo " the IPv4 address of your VM at the prompt below"
echo ""
while [ ${FQDN} == "None" ]; do
echo -n "Enter the FQDN or IP address of your server: "
read response
if [ ${#response} -lt 8 ]; then
echo "Remember, you need a FQDN or IP address"
continue
fi
echo -n "You entered: ${response} Is this correct [Yes/No]? "
read yesno
case $yesno in
Yes|yes|Y|y)
FQDN=$response
;;
esac
done
#echo "FQDN is: $FQDN"
#
# Get the Scope used for this IdP
#
echo ""
echo ""
echo "Please supply the correct scope for this IdP."
echo "This is typically your base domain: domain.edu"
echo "Enter your IP address if you are just testing."
echo ""
echo "We will use the information you enter here to configure your IdP."
echo ""
while [ ${SCOPE} == "None" ]; do
echo -n "Enter the Scope for your IdP: "
read response
if [ ${#response} -lt 5 ]; then
echo "Remember, you need domain - domain.edu or similar"
continue
fi
echo -n "You entered: ${response} Is this correct [Yes/No]? "
read yesno
case $yesno in
Yes|yes|Y|y)
SCOPE=$response
;;
esac
done
#echo "Scope is: $SCOPE"
#
# Get the LDAP URL for this deployment
#
echo ""
echo ""
echo "Please supply the full LDAP URL for your backend authentication and/or "
echo "attribute store used by your Shibboleth IdP. (e.g. ldap://myldap.domain.edu)"
echo "We will use the information you enter here to configure your IdP."
echo ""
while [ ${LDAPURL} == "None" ]; do
echo -n "Enter the LDAP URL used for your IdP: "
read response
if [ ${#response} -lt 10 ]; then
echo "Remember, you need a full LDAP URL (starts with ldap:// or ldaps://)"
continue
fi
echo -n "You entered: ${response} Is this correct [Yes/No]? "
read yesno
case $yesno in
Yes|yes|Y|y)
LDAPURL=$response
;;
esac
done
#echo "LDAP URL is: $LDAPURL"
#
# Get the LDAP BaseDN for this deployment
#
echo ""
echo ""
echo "Please supply the LDAP Base DN for your LDAP Server "
echo " (e.g. ou=people,dc=example,dc=org)."
echo "We will use the information you enter here to configure your IdP."
echo ""
while [ ${LDAPBASEDN} == "None" ]; do
echo -n "Enter the LDAP Base DN used for your LDAP Server: "
read response
if [ ${#response} -lt 10 ]; then
echo "Remember, you need the full LDAP Base DN."
continue
fi
echo -n "You entered: ${response} Is this correct [Yes/No]? "
read yesno
case $yesno in
Yes|yes|Y|y)
LDAPBASEDN=$response
;;
esac
done
#echo "LDAP Base DN is: $LDAPBASEDN"
#
# Get the LDAP DN for this deployment
#
echo ""
echo ""
echo "Please supply the full LDAP DN (DistinguishedName) for the account "
echo "used to access your LDAP (only read access is necessary). "
echo "(e.g. uid=myservice,ou=system)"
echo "We will use the information you enter here to configure your IdP."
echo ""
while [ ${LDAPDN} == "None" ]; do
echo -n "Enter the LDAP DN for the service account used by your IdP: "
read response
if [ ${#response} -lt 8 ]; then
echo "Remember, you need the full LDAP DN"
continue
fi
echo -n "You entered: ${response} Is this correct [Yes/No]? "
read yesno
case $yesno in
Yes|yes|Y|y)
LDAPDN=$response
;;
esac
done
#echo "LDAP DN is: $LDAPDN"
#
# Get the LDAP PWD for this deployment
#
echo ""
echo ""
echo "Please supply the password for the LDAP DN just specified "
echo "for access your LDAP"
echo ""
echo "We will use the information you enter here to configure your IdP."
echo ""
while [ ${LDAPPWD} == "None" ]; do
echo -n "Enter the password for the account just specified: "
read response
if [ ${#response} -lt 2 ]; then
echo "You should use a stronger password."
continue
fi
echo -n "You entered: ${response} Is this correct [Yes/No]? "
read yesno
case $yesno in
Yes|yes|Y|y)
LDAPPWD=$response
;;
esac
done
#######################
## ask about secrets ##
#######################
cat << EOF
***********************************************************************************
***********************************************************************************
==> The next question deals with the use of 'secrets' in your container.
Secrets are files that contain senstivie information such as passwords or keys. The following files are considered 'secrets':
idp.properties
ldap.properties
attribute-resolver.xml
attribute-filter.xml
relying-party.xml
metadata-providers.xml
idp-signing.key
idp-signing.crt
idp-encryption.key
idp-encryption.crt
sealer.jks
sealer.kver
keystore.jks (Tomcat SSL)
If you answer yes/y to this question, the files listed above will be removed from the directories containing the other configuration files (intended to be burned into the container), and placed into a folder named 'SECRETS'. You can then use these files with your container orchestration system to overlay the relevant files in your running containers.
If you answer no/n to this question, your configuration (intended to be burned into the container) will contain all config files, including those with sensitive information.
EOF
while [ ${USESECRETS} == "None" ]; do
echo -n "Would you like to isolate "secrets" from your generated Shibb IdP configuration? "
read yesno
case $yesno in
Yes|yes|Y|y)
USESECRETS=YES
BURNMOUNT=hybrid
;;
No|no|N|n)
USESECRETS=NO
BURNMOUNT=burn
;;
esac
done
############################################################
### generate credentials/certs for tomcat and shibboleth ###
############################################################
# ensure openssl
command -v openssl >/dev/null 2>&1 || { echo >&2 "ERROR: openssl is required, but doesn't appear to be installed. Aborting..."; exit 1; }
echo ""
echo "Generating credentials..."
echo ""
#
mkdir -p crypto-work-tmp
cd crypto-work-tmp
#IdP Signing key/cert
openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-signing.key -out idp-signing.csr >> ${LOGFILE} 2>&1
echo '[SAN]' > extensions
echo "subjectAltName=DNS:${FQDN},URI:https://${FQDN}/idp/shibboleth" >>extensions
echo "subjectKeyIdentifier=hash" >> extensions
openssl x509 -req -days 1825 -in idp-signing.csr -signkey idp-signing.key -extensions SAN -extfile extensions -out idp-signing.crt >> ${LOGFILE} 2>&1
#
# IdP Encryption Key
openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-encryption.key -out idp-encryption.csr >> ${LOGFILE} 2>&1
openssl x509 -req -days 1825 -in idp-encryption.csr -signkey idp-encryption.key -extensions SAN -extfile extensions -out idp-encryption.crt >> ${LOGFILE} 2>&1
#
cp *.key *.crt ../${SHBCREDS}
# build self-signed cert for Tomcat to use with https
#
# ensure keytool
command -v keytool >/dev/null 2>&1 || { echo >&2 "ERROR: keytool is required, but doesn't appear to be installed. Aborting..."; exit 1; }
if test -f ssl_keystore.jks; then
mv ssl_keystore.jks ssl_keystore.jks.old
fi
cat > data.conf << EOF
${FQDN}
SUBJ_OU
SUBJ_O
SUBJ_CITY
SUBJ_STATE
SUBJ_COUNTRY
yes
EOF
STOREPWD=$(uuidgen)
keytool -genkey -keyalg RSA -alias selfsigned -keystore ssl_keystore.jks -storepass $STOREPWD -validity 360 -keysize 2048 < data.conf >> ${LOGFILE} 2>&1
cp ssl_keystore.jks ../${TOMCERT}/keystore.jks
#
# OK, next build the shibboleth sealer java keystore
#
echo ""
echo "Creating Shibboleth sealer keystore"
echo ""
#
rm -f mysealer.jks
SEALERPWD=$(uuidgen)
keytool -genseckey -storetype jceks -alias secret1 -providername SunJCE -keyalg AES -keysize 256 -storepass ${SEALERPWD} -keypass ${SEALERPWD} -keystore mysealer.jks >> ${LOGFILE} 2>&1
cp mysealer.jks ../${SHBCREDS}/sealer.jks
# return to previous work directory
cd ..
#remove work dir
rm -rf crypto-work-tmp/*
rmdir crypto-work-tmp
#############################
### generate new metadata ###
#############################
CERTFILE=${SHBCREDS}/idp-signing.crt
CERT="$(grep -v '^-----' $CERTFILE)"
ENTITYID=https://${FQDN}/idp/shibboleth
BASEURL=https://${FQDN}
cat > ${SHBMD}/idp-metadata.xml <<EOF
<EntityDescriptor entityID="$ENTITYID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">$SCOPE</shibmd:Scope>
</Extensions>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
$CERT
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/idp/profile/SAML2/Redirect/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="$BASEURL/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="$BASEURL/idp/profile/SAML2/SOAP/ECP"/>
</IDPSSODescriptor>
</EntityDescriptor>
EOF
##############################################################################
### make needed adjustments to IdP config and Dockerfile and Tomcat config ###
##############################################################################
#
#ensure sed
command -v sed >/dev/null 2>&1 || { echo >&2 "ERROR: sed is required, but doesn't appear to be installed. Aborting..."; exit 1; }
# set entityID, sealer pwd in idp.properties
echo ""
echo "Updating your IdP config and Dockerfile to match the info"
echo " you supplied and with the auto-generated key password."
echo ""
IDP_PROP=${SHBCFG}/idp.properties
if test \! -f ${IDP_PROP}.dist; then
cp ${IDP_PROP} ${IDP_PROP}.dist
fi
sed "s/example.org\/idp\/shibboleth/${FQDN}\/idp\/shibboleth/" ${IDP_PROP}.dist > ${IDP_PROP}.tmp
sed "s/= example.org/= ${SCOPE}/" ${IDP_PROP}.tmp > ${IDP_PROP}.tmp2
sed "s#Password= changeit#Password= ${SEALERPWD}#" ${IDP_PROP}.tmp2 > ${IDP_PROP}
rm -f ${IDP_PROP}.tmp
rm -f ${IDP_PROP}.tmp2
#
# set ldap URL, baseDN, svcDN, pwd in ldap.properties
LDAP_PROP=${SHBCFG}/ldap.properties
if test \! -f ${LDAP_PROP}.dist; then
cp ${LDAP_PROP} ${LDAP_PROP}.dist
fi
sed "s/#idp.authn.LDAP.authenticator/idp.authn.LDAP.authenticator/" ${LDAP_PROP}.dist > ${LDAP_PROP}.tmp
sed "s/= anonSearchAuthenticator/= bindSearchAuthenticator/" ${LDAP_PROP}.tmp > ${LDAP_PROP}.tmp2
sed "s#ldap://localhost:10389#${LDAPURL}#" ${LDAP_PROP}.tmp2 > ${LDAP_PROP}.tmp3
sed "s#uid=myservice,ou=system#${LDAPDN}#" ${LDAP_PROP}.tmp3 > ${LDAP_PROP}.tmp4
sed "s#myServicePassword#${LDAPPWD}#" ${LDAP_PROP}.tmp4 > ${LDAP_PROP}.tmp5
sed "s#ou=people,dc=example,dc=org#${LDAPBASEDN}#" ${LDAP_PROP}.tmp5 > ${LDAP_PROP}
rm -f ${LDAP_PROP}.tmp
rm -f ${LDAP_PROP}.tmp2
rm -f ${LDAP_PROP}.tmp3
rm -f ${LDAP_PROP}.tmp4
rm -f ${LDAP_PROP}.tmp5
# adjust Dockerfile for java and for a burned-in config, if needed
#
#java first
if test \! -f Dockerfile.dist; then
cp Dockerfile Dockerfile.dist
fi
cat <<EOF > docker_edit.sed
s/^# ENV /ENV /
s/^# RUN /RUN /
s/^# yum/ yum/
s/^# rm/ rm/
s/^# alternatives/ alternatives/
s/^# http/ http/
s/^# \&\&/ \&\&/
EOF
rm -f Dockerfile
sed -f docker_edit.sed Dockerfile.dist > Dockerfile
rm -f docker_edit.sed
if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then
echo "Configuring Docker for burned-in/hybrid configuration."
mv -f Dockerfile Dockerfile.setup
cat <<EOF > docker_edit.sed
s/^## ADD /ADD /
/^VOLUME/,+10 s/^/#/
EOF
rm -f Dockerfile
sed -f docker_edit.sed Dockerfile.setup > Dockerfile
rm -f Dockerfile.setup
rm -f docker_edit.sed
fi
if [ ${USESECRETS} == "YES" ] && [ ${BUILD_ENV} == "WINDOWS" ]; then
echo "Configuring Dockerfile for use of secrets in a Windows container."
mv -f Dockerfile Dockerfile.setup
cat <<EOF > docker_edit.sed
s/^#!# RUN /RUN /
EOF
rm -f Dockerfile
sed -f docker_edit.sed Dockerfile.setup > Dockerfile
rm -f Dockerfile.setup
rm -f docker_edit.sed
fi
# configure SSL keystore password in tomcat's config file:
# conf/tomcat/server.xml replace: keystorePass="password"
#
echo "Updating Tomcat's server.xml with the generated password"
if test \! -f ${TOMCFG}/server.xml.dist; then
cp ${TOMCFG}/server.xml ${TOMCFG}/server.xml.dist
fi
sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml
# if the user chose to use secrets, then generate a directory containing the config with secrets removed
if [ ${USESECRETS} == "YES" ]; then
echo ""
echo "Creating sanitized config for use with secrets..."
echo ""
destPath=${PWD}
mkdir -p ${destPath}/SECRETS
# move secrets
mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null
mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null
mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null
mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null
mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null
mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null
mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null
mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null
mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null
mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null
echo ""
echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory"
echo ""
fi
#copy files directly instead of zipping
mkdir -p /output-tmp
cp -R ./* /output-tmp
rm -f /output-tmp/configBuilder.sh
rm -f /output-tmp/setup.log
cp -Rf /output-tmp/* /output
rm -rf /output-tmp/*
rmdir /output-tmp
#echo ""
#echo "Archiving generated config..."
#echo ""
##ensure zip
#command -v zip >/dev/null 2>&1 || { echo >&2 "ERROR: zip is required, but doesn't appear to be installed. Aborting..."; exit 1; }
#FILENAME=./shib-idp-config_`date +%m%d%Y-%H%M%S`.zip
#zip -r ${FILENAME} ./* > /dev/null
#special for the special-purpose container
#cp ${FILENAME} /output
#zip -d /output/${FILENAME:2} "configBuilder.sh"
#zip -d /output/${FILENAME:2} "Dockerfile"
#zip -d /output/${FILENAME:2} "setup.log"
echo "wrote config to output location (typically PWD)"...
############################################################################################################################
### notify user of next steps (docker build and docker run commands, based on burn/mount and chosen directory locations) ###
############################################################################################################################
echo ""
echo "Your initial configuration has been successfully setup."
echo ""
echo ""
if [ ${BURNMOUNT} == "burn" ]; then
echo "Since you have elected to use a completely burned-in config, the steps for "
echo " you to build and run a TIER Shibboleth-IdP container are below."
echo "1. BUILD"
echo " It will be necessary to specify where to find your config at build-time, "
echo " so that it can be copied into the container."
echo ""
echo " If you are using the default config locations (used/created by the ConfigBuilder service), then the following command would be correct:"
echo " docker build --rm -t my/shibb-idp-tier ."
echo ""
echo " If you have an existing config or otherwise need to supply non-default paths for your config bits, "
echo " that can be done by overriding the default values in the build command like this "
echo " (the values below are all the default values - modify as appropriate):"
echo ""
echo " docker build --rm -t my/shibb-idp-tier --build-arg TOMCFG=config/tomcat \\
--build-arg TOMLOG=logs/tomcat \\
--build-arg TOMCERT=credentials/tomcat \\
--build-arg TOMWWWROOT=wwwroot \\
--build-arg SHBCFG=config/shib-idp/conf \\
--build-arg SHBCREDS=credentials/shib-idp \\
--build-arg SHBVIEWS=config/shib-idp/views \\
--build-arg SHBEDWAPP=config/shib-idp/edit-webapp \\
--build-arg SHBMSGS=config/shib-idp/messages \\
--build-arg SHBMD=config/shib-idp/metadata \\
--build-arg SHBLOG=logs/shib-idp ."
echo ""
echo ""
echo "2. RUN"
echo ""
echo " docker run -d --name shib-idp -p 443:443 my/shibb-idp-tier"
elif [ ${BURNMOUNT} == "hybrid" ]; then
echo "Since you have elected to use a hybrid config (with secrets), the steps for "
echo " you to build and run a TIER Shibboleth-IdP container are below."
echo "1. BUILD"
echo " It will be necessary to specify where to find your config at build-time, but with a hybrid config, "
echo " you'll want to point it to a set of config files that have no \"secrets\""
echo ""
echo "To do this, point an environment variable at the alternate location (created by this script):"
echo " export ALTCFG=ConfigNoSecrets"
echo ""
echo " docker build --rm -t my/shibb-idp-tier --build-arg TOMCFG=${ALTCFG}/config/tomcat \\
--build-arg TOMLOG=${ALTCFG}/logs/tomcat \\
--build-arg TOMCERT=${ALTCFG}/credentials/tomcat \\
--build-arg TOMWWWROOT=${ALTCFG}/wwwroot \\
--build-arg SHBCFG=${ALTCFG}/config/shib-idp/conf \\
--build-arg SHBCREDS=${ALTCFG}/credentials/shib-idp \\
--build-arg SHBVIEWS=${ALTCFG}/config/shib-idp/views \\
--build-arg SHBEDWAPP=${ALTCFG}/config/shib-idp/edit-webapp \\
--build-arg SHBMSGS=${ALTCFG}/config/shib-idp/messages \\
--build-arg SHBMD=${ALTCFG}/config/shib-idp/metadata \\
--build-arg SHBLOG=${ALTCFG}/logs/shib-idp ."
echo ""
echo "Next, you would create the appropriate secrets/overlays in your container orchestration system and run the container. See documentation wiki for more info."
echo ""
else
echo "Since you have elected to use a mounted config, the steps for "
echo " you to build and run a TIER Shibboleth-IdP container are below."
echo "BUILD"
echo " You can build an image for a mounted config quite simply using a command like this:"
echo " (optionally substitute any tag name (after -t) that is appropriate) "
echo ""
echo " docker build --rm -t my/shibb-idp-tier ."
echo ""
echo ""
echo "RUN"
echo " For a mounted config, you will need to supply your config locations at run-time, like this (assuming the default locations for the local config)."
echo ""
echo " docker run -d --name shib-test1 -p 443:443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\
-v ${PWD}/${TOMWWWROOT}:/usr/local/tomcat/webapps/ROOT \\
-v ${PWD}/${TOMLOG}:/usr/local/tomcat/logs \\
-v ${PWD}/${TOMCERT}:/opt/certs \\
-v ${PWD}/${SHBCFG}:/opt/shibboleth-idp/conf \\
-v ${PWD}/${SHBCREDS}:/opt/shibboleth-idp/credentials \\
-v ${PWD}/${SHBVIEWS}:/opt/shibboleth-idpviews \\
-v ${PWD}/${SHBEDWAPP}:/opt/shibboleth-idp/edit-webapp \\
-v ${PWD}/${SHBMSGS}:/opt/shibboleth-idp/messages \\
-v ${PWD}/${SHBMD}:/opt/shibboleth-idp/metadata \\
-v ${PWD}/${SHBLOG}:/opt/shibboleth-idp/logs \\
my/shibb-idp-tier"
fi
#################################
### cleanup/remove temp files ###
#################################
rm -f ${TMP_DIR_S}.zip
rm -rf ${TMP_DIR_S}/*
rmdir ${TMP_DIR_S}
rm -f ${TMP_DIR_T}.zip
rm -rf ${TMP_DIR_T}/*
rmdir ${TMP_DIR_T}
rm -f ${TMP_DIR_D}.zip
rm -rf ${TMP_DIR_D}/*
rmdir ${TMP_DIR_D}
#copy config to output directory
#cp -rfn config/. /output/config/
#cp -rfn logs/. /output/logs/
#cp -rfn credentials/. /output/credentials/
#cp -rfn wwwroot/. /output/wwwroot/
#
#echo config saved to ${FILENAME:2}
echo config saved to configured local directory
#sleep 3
echo ""
echo ""