
make secrets optional

pcaskey committed Apr 26, 2018
1 parent 07323ef commit eeda69876347a6e4459b07776f894496c70604ec
Showing with 82 additions and 75 deletions.
  1. +4 −3 Dockerfile
  2. +1 −1 common.bash
  3. +77 −71 configBuilder.sh
@@ -7,9 +7,10 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=

#download/install JRE
ENV JAVA_HOME /usr/java/latest
RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=225344_090f390dda5b47b9b721c7dfaa008135" -O /tmp/jre-8u144-linux-x64.rpm && \
yum -y install /tmp/jre-8u144-linux-x64.rpm && \
rm -f /tmp/jre-8u144-linux-x64.rpm && \

RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=233161_512cd62ec5174c3487ac17c61aaa89e8" -O /tmp/jre-8u171-linux-x64.rpm && \
yum -y install /tmp/jre-8u171-linux-x64.rpm && \
rm -f /tmp/jre-8u171-linux-x64.rpm && \
alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
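Review bot: The new `wget` line in the @@ -7 hunk still fetches the JRE RPM over plain `http://` with `--no-check-certificate` and hands it straight to `yum -y install`, so nothing in the image build verifies what was downloaded and a substituted RPM would be installed as root without any signal. Pin the expected digest and check it before the install step, e.g. `echo "<EXPECTED_SHA256>  /tmp/jre-8u171-linux-x64.rpm" | sha256sum -c - && \` between the `wget` and `yum -y install` lines, so a mismatch fails the `RUN`; `--no-check-certificate` can then be dropped once the URL is https. Whether the local-file yum install applies any GPG check is not visible from this hunk and would be worth confirming separately.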
@@ -2,4 +2,4 @@ registry="docker.io"
maintainer="tier"
basename="shibbidp_configbuilder_container"
imagename="shibbidp_configbuilder_container"
version="0.1"
version="0.2"
@@ -43,6 +43,7 @@ LDAPPWD=None
SEALERPWD=None
TIER_TESTBED=None
BURNMOUNT=None
USESECRETS=None


##################################
@@ -73,7 +74,7 @@ LINUX | linux)
echo "Getting build files for a Linux container"
wget -q -O ${TMP_DIR_D}.zip ${LINUX_BUILD_FILES_URL} > /dev/null
unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
cp -rf ${TMP_DIR_D}/shib-idp_noVM-master/* /output
cp -rf ${TMP_DIR_D}/shib-idp-master/* /output
;;
WINDOWS | windows)
echo "Getting build files for a Windows container"
@@ -90,7 +91,7 @@ esac
rm -f /output/configBuilder.sh > /dev/null 2>&1
rm -f /output/setup.log > /dev/null 2>&1
rm -f /output/README.md > /dev/null 2>&1
rm -rf /output/shib-idp_noVM-master/*
rm -rf /output/shib-idp-master/*

#grab copy of Dockerfile in working dir
cp -f /output/Dockerfile .
@@ -325,34 +326,50 @@ while [ ${LDAPPWD} == "None" ]; do
done


#
# Ask the installer about burned versus mountedd config
#
#echo ""
#echo "Would you like your Shibboleth IdP containers to utilize a "
#echo "Shibboleth config which has been \"burned\" (copied) into each "
#echo "container, or would you like your IdP containers to instead "
#echo "mount all of their configuration from the container host's local "
#echo "filesystem or would you like to use a hybrid config utilizing secrets (requires a swarm)?"
#echo ""
#while [ ${BURNMOUNT} == "None" ]; do
# echo -n "Please select your choice (please enter either \"burn\" or \"mount\" or \"hybrid\", if you aren't sure, enter hybrid): "
# read response
# case $response in
# Mount|mount|M|m)
# BURNMOUNT=mount
# ;;
# Burn|burn|B|b)
# BURNMOUNT=burn
# ;;
# Hybrid|hybrid|H|h)
BURNMOUNT=hybrid
# ;;
# *)
# echo "You must choose either \"burn\" or \"mount\" or \"hybrid\"."
# esac
#done
#echo "Burn/Mount option choice is: $BURNMOUNT"
#######################
## ask about secrets ##
#######################
cat << EOF
***********************************************************************************
***********************************************************************************
==> The next question deals with the use of 'secrets' in your container.
Secrets are files that contain senstivie information such as passwords or keys. The following files are considered 'secrets':
idp.properties
ldap.properties
attribute-resolver.xml
attribute-filter.xml
relying-party.xml
metadata-providers.xml
idp-signing.key
idp-signing.crt
idp-encryption.key
idp-encryption.crt
sealer.jks
sealer.kver
keystore.jks (Tomcat SSL)
If you answer yes/y to this question, the files listed above will be removed from the directories containing the other configuration files (intended to be burned into the container), and placed into a folder named 'SECRETS'. You can then use these files with your container orchestration system to overlay the relevant files in your running containers.
If you answer no/n to this question, your configuration (intended to be burned into the container) will contain all config files, including those with sensitive information.
EOF
while [ ${USESECRETS} == "None" ]; do
echo -n "Would you like to isolate "secrets" from your generated Shibb IdP configuration? "
read yesno
case $yesno in
Yes|yes|Y|y)
USESECRETS=YES
BURNMOUNT=hybrid
;;
No|no|N|n)
USESECRETS=NO
BURNMOUNT=burn
;;
esac
done



############################################################
@@ -524,7 +541,7 @@ rm -f docker_edit.sed


if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then
echo "Configuring Docker for burned-in configuration."
echo "Configuring Docker for burned-in/hybrid configuration."

mv -f Dockerfile Dockerfile.setup
cat <<EOF > docker_edit.sed
@@ -550,43 +567,32 @@ fi
sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml


# if the user chose a hybrid config, then generate a directory containing the config with secrets removed
# copy files
if [ ${BURNMOUNT} == "hybrid" ]; then
# if the user chose to use secrets, then generate a directory containing the config with secrets removed
if [ ${USESECRETS} == "YES" ]; then
echo ""
echo "Creating sanitized config for hybrid build..."
echo "Creating sanitized config for use with secrets..."
echo ""
destPath=${PWD}
#destPathName=ConfigNoSecrets
# check for rsync
#command -v rsync >/dev/null 2>&1 || { echo >&2 "ERROR: rsync is required, but doesn't appear to be installed. Aborting..."; exit 1; }
#rsync -a . ${destPath} --exclude ${destPathName}
mkdir -p ${destPath}/SECRETS

# rm -f ${destPath}/Dockerfile
# rm -f ${destPath}/configBuilder.sh
# rm -f ${destPath}/setup.log


# move secrets
mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null
mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null
mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null
mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null
mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null
mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null
mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null
mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null
mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null
mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null

echo ""
echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory"
echo ""
mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null
mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null
mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null
mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null
mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null
mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null
mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null
mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null
mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null
mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null
mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null

echo ""
echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory"
echo ""
fi

#copy files directly instead of zipping
@@ -625,13 +631,13 @@ echo "Your initial configuration has been successfully setup."
echo ""
echo ""
if [ ${BURNMOUNT} == "burn" ]; then
echo "Since you have elected to use a burned-in config, the steps for "
echo "Since you have elected to use a completely burned-in config, the steps for "
echo " you to build and run a TIER Shibboleth-IdP container are below."
echo "BUILD"
echo "1. BUILD"
echo " It will be necessary to specify where to find your config at build-time, "
echo " so that it can be copied into the container."
echo ""
echo " If you are using the default config locations (used/created by the configBuilder.sh script), then the following command would be correct:"
echo " If you are using the default config locations (used/created by the ConfigBuilder service), then the following command would be correct:"
echo " docker build --rm -t my/shibb-idp-tier ."
echo ""
echo " If you have an existing config or otherwise need to supply non-default paths for your config bits, "
@@ -651,15 +657,15 @@ if [ ${BURNMOUNT} == "burn" ]; then
--build-arg SHBLOG=logs/shib-idp ."
echo ""
echo ""
echo "RUN"
echo "2. RUN"
echo ""
echo " docker run -d --name shib-idp -p 8443:8443 my/shibb-idp-tier"
echo " docker run -d --name shib-idp -p 443:443 my/shibb-idp-tier"
elif [ ${BURNMOUNT} == "hybrid" ]; then
echo "Since you have elected to use a hybrid config, the steps for "
echo "Since you have elected to use a hybrid config (with secrets), the steps for "
echo " you to build and run a TIER Shibboleth-IdP container are below."
echo "BUILD"
echo "1. BUILD"
echo " It will be necessary to specify where to find your config at build-time, but with a hybrid config, "
echo " you'll want to point it to a config that has no \"secrets\""
echo " you'll want to point it to a set of config files that have no \"secrets\""
echo ""
echo "To do this, point an environment variable at the alternate location (created by this script):"
echo " export ALTCFG=ConfigNoSecrets"
@@ -676,7 +682,7 @@ elif [ ${BURNMOUNT} == "hybrid" ]; then
--build-arg SHBMD=${ALTCFG}/config/shib-idp/metadata \\
--build-arg SHBLOG=${ALTCFG}/logs/shib-idp ."
echo ""
echo "Next, you would create the appropriate docker secrets and run as a swarm service. See documentation wiki for more info."
echo "Next, you would create the appropriate secrets/overlays in your container orchestration system and run the container. See documentation wiki for more info."
echo ""
else
echo "Since you have elected to use a mounted config, the steps for "
@@ -691,7 +697,7 @@ else
echo "RUN"
echo " For a mounted config, you will need to supply your config locations at run-time, like this (assuming the default locations for the local config)."
echo ""
echo " docker run -d --name shib-test1 -p 8443:8443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\
echo " docker run -d --name shib-test1 -p 443:443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\
-v ${PWD}/${TOMWWWROOT}:/usr/local/tomcat/webapps/ROOT \\
-v ${PWD}/${TOMLOG}:/usr/local/tomcat/logs \\
-v ${PWD}/${TOMCERT}:/opt/certs \\
