make secrets optional

Dockerfile

@@ -7,9 +7,10 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=
 
 #download/install JRE
 ENV JAVA_HOME /usr/java/latest
-RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=225344_090f390dda5b47b9b721c7dfaa008135" -O /tmp/jre-8u144-linux-x64.rpm && \
-     yum -y install /tmp/jre-8u144-linux-x64.rpm && \
-     rm -f /tmp/jre-8u144-linux-x64.rpm && \
+
+RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=233161_512cd62ec5174c3487ac17c61aaa89e8" -O /tmp/jre-8u171-linux-x64.rpm && \
+     yum -y install /tmp/jre-8u171-linux-x64.rpm && \
+     rm -f /tmp/jre-8u171-linux-x64.rpm && \
      alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
      alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
      alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000

common.bash

@@ -2,4 +2,4 @@ registry="docker.io"
 maintainer="tier"
 basename="shibbidp_configbuilder_container"
 imagename="shibbidp_configbuilder_container"
-version="0.1"
+version="0.2"

configBuilder.sh

@@ -43,6 +43,7 @@ LDAPPWD=None
 SEALERPWD=None
 TIER_TESTBED=None
 BURNMOUNT=None
+USESECRETS=None
 
 
 ##################################
@@ -73,7 +74,7 @@ LINUX | linux)
     echo "Getting build files for a Linux container"
     wget -q -O ${TMP_DIR_D}.zip ${LINUX_BUILD_FILES_URL}  > /dev/null
     unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
-    cp -rf ${TMP_DIR_D}/shib-idp_noVM-master/* /output
+    cp -rf ${TMP_DIR_D}/shib-idp-master/* /output
     ;;
 WINDOWS | windows)
     echo "Getting build files for a Windows container"
@@ -90,7 +91,7 @@ esac
 rm -f /output/configBuilder.sh > /dev/null 2>&1
 rm -f /output/setup.log > /dev/null 2>&1
 rm -f /output/README.md > /dev/null 2>&1
-rm -rf /output/shib-idp_noVM-master/*
+rm -rf /output/shib-idp-master/*
 
 #grab copy of Dockerfile in working dir
 cp -f /output/Dockerfile .
@@ -325,34 +326,50 @@ while [ ${LDAPPWD} == "None" ]; do
 done
 
 
-#
-# Ask the installer about burned versus mountedd config
-#
-#echo ""
-#echo "Would you like your Shibboleth IdP containers to utilize a "
-#echo "Shibboleth config which has been \"burned\" (copied) into each "
-#echo "container, or would you like your IdP containers to instead "
-#echo "mount all of their configuration from the container host's local "
-#echo "filesystem or would you like to use a hybrid config utilizing secrets (requires a swarm)?"
-#echo ""
-#while [ ${BURNMOUNT} == "None" ]; do
-#    echo -n "Please select your choice (please enter either \"burn\" or \"mount\" or \"hybrid\", if you aren't sure, enter hybrid): "
-#    read response
-#    case $response in
-#        Mount|mount|M|m)
-#            BURNMOUNT=mount
-#            ;;
-#		Burn|burn|B|b)
-#			BURNMOUNT=burn
-#			;;
-#       Hybrid|hybrid|H|h)
-            BURNMOUNT=hybrid
-#            ;;
-#		*)
-#			echo "You must choose either \"burn\" or \"mount\" or \"hybrid\"."
-#    esac
-#done
-#echo "Burn/Mount option choice is: $BURNMOUNT"
+#######################
+## ask about secrets ##
+#######################
+cat << EOF
+
+
+***********************************************************************************
+***********************************************************************************
+ ==> The next question deals with the use of 'secrets' in your container.
+
+Secrets are files that contain senstivie information such as passwords or keys.  The following files are considered 'secrets':
+idp.properties
+ldap.properties
+attribute-resolver.xml
+attribute-filter.xml
+relying-party.xml
+metadata-providers.xml
+idp-signing.key
+idp-signing.crt
+idp-encryption.key
+idp-encryption.crt
+sealer.jks
+sealer.kver
+keystore.jks  (Tomcat SSL)
+
+If you answer yes/y to this question, the files listed above will be removed from the directories containing the other configuration files (intended to be burned into the container), and placed into a folder named 'SECRETS'.  You can then use these files with your container orchestration system to overlay the relevant files in your running containers.
+
+If you answer no/n to this question, your configuration (intended to be burned into the container) will contain all config files, including those with sensitive information.
+EOF
+while [ ${USESECRETS} == "None" ]; do
+    echo -n "Would you like to isolate "secrets" from your generated Shibb IdP configuration? "
+    read yesno
+    case $yesno in
+        Yes|yes|Y|y)
+            USESECRETS=YES
+	    BURNMOUNT=hybrid
+            ;;
+        No|no|N|n)
+            USESECRETS=NO
+	    BURNMOUNT=burn
+            ;;
+    esac
+done
+
 
 
 ############################################################
@@ -524,7 +541,7 @@ rm -f docker_edit.sed
 
 
 if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then
-  echo "Configuring Docker for burned-in configuration."
+  echo "Configuring Docker for burned-in/hybrid configuration."
 
   mv -f Dockerfile Dockerfile.setup
   cat <<EOF > docker_edit.sed
@@ -550,43 +567,32 @@ fi
 sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml
 
 
-# if the user chose a hybrid config, then generate a directory containing the config with secrets removed
-# copy files
-if [ ${BURNMOUNT} == "hybrid" ]; then
+# if the user chose to use secrets, then generate a directory containing the config with secrets removed
+if [ ${USESECRETS} == "YES" ]; then
  echo ""
- echo "Creating sanitized config for hybrid build..."
+ echo "Creating sanitized config for use with secrets..."
  echo ""
  destPath=${PWD}
- #destPathName=ConfigNoSecrets
- # check for rsync
- #command -v rsync >/dev/null 2>&1 || { echo >&2 "ERROR: rsync is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
- #rsync -a . ${destPath} --exclude ${destPathName}
  mkdir -p ${destPath}/SECRETS
 
-# rm -f ${destPath}/Dockerfile
-# rm -f ${destPath}/configBuilder.sh
-# rm -f ${destPath}/setup.log
-
-
 # move secrets
-mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null
-mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null
-mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null
-mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null
-mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null
-mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null
-mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null
-mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null
-mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null
-mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null
-mv -f $destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null
-mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null
-mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null
-
-echo ""
-echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory"
-echo ""
+ mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null
+ mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null
+ mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null
+ mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null
+ mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null
+ mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null
+ mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null
+ mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null
+ mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null
+ mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null
+ mv -f $destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null
+ mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null
+ mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null
 
+ echo ""
+ echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory"
+ echo ""
 fi
 
 #copy files directly instead of zipping
@@ -625,13 +631,13 @@ echo "Your initial configuration has been successfully setup."
 echo ""
 echo ""
 if [ ${BURNMOUNT} == "burn" ]; then
-  echo "Since you have elected to use a burned-in config, the steps for "
+  echo "Since you have elected to use a completely burned-in config, the steps for "
   echo "  you to build and run a TIER Shibboleth-IdP container are below."
-  echo "BUILD"
+  echo "1. BUILD"
   echo " It will be necessary to specify where to find your config at build-time, "
   echo "      so that it can be copied into the container."
   echo ""
-  echo " If you are using the default config locations (used/created by the configBuilder.sh script), then the following command would be correct:"
+  echo " If you are using the default config locations (used/created by the ConfigBuilder service), then the following command would be correct:"
   echo "          docker build --rm -t my/shibb-idp-tier ."
   echo ""
   echo " If you have an existing config or otherwise need to supply non-default paths for your config bits, "
@@ -651,15 +657,15 @@ if [ ${BURNMOUNT} == "burn" ]; then
 			           --build-arg SHBLOG=logs/shib-idp ."
   echo ""
   echo ""
-  echo "RUN"
+  echo "2. RUN"
   echo ""
-  echo "           docker run -d --name shib-idp -p 8443:8443 my/shibb-idp-tier"
+  echo "           docker run -d --name shib-idp -p 443:443 my/shibb-idp-tier"
 elif [ ${BURNMOUNT} == "hybrid" ]; then
-  echo "Since you have elected to use a hybrid config, the steps for "
+  echo "Since you have elected to use a hybrid config (with secrets), the steps for "
   echo "  you to build and run a TIER Shibboleth-IdP container are below."
-  echo "BUILD"
+  echo "1. BUILD"
   echo " It will be necessary to specify where to find your config at build-time, but with a hybrid config, "
-  echo "      you'll want to point it to a config that has no \"secrets\""
+  echo "      you'll want to point it to a set of config files that have no \"secrets\""
   echo ""
   echo "To do this, point an environment variable at the alternate location (created by this script):"
   echo "          export ALTCFG=ConfigNoSecrets"
@@ -676,7 +682,7 @@ elif [ ${BURNMOUNT} == "hybrid" ]; then
                    --build-arg SHBMD=${ALTCFG}/config/shib-idp/metadata \\
                    --build-arg SHBLOG=${ALTCFG}/logs/shib-idp ."
   echo ""
-  echo "Next, you would create the appropriate docker secrets and run as a swarm service.  See documentation wiki for more info."
+  echo "Next, you would create the appropriate secrets/overlays in your container orchestration system and run the container.  See documentation wiki for more info."
   echo ""
 else 
   echo "Since you have elected to use a mounted config, the steps for "
@@ -691,7 +697,7 @@ else
   echo "RUN"
   echo " For a mounted config, you will need to supply your config locations at run-time, like this (assuming the default locations for the local config)."
   echo ""
-  echo "           docker run -d --name shib-test1 -p 8443:8443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\
+  echo "           docker run -d --name shib-test1 -p 443:443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\
                       -v ${PWD}/${TOMWWWROOT}:/usr/local/tomcat/webapps/ROOT \\
                       -v ${PWD}/${TOMLOG}:/usr/local/tomcat/logs \\
                       -v ${PWD}/${TOMCERT}:/opt/certs \\