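# Demo/test stack: midPoint (IdM) + Grouper + Shibboleth IdP + LDAP directory
# + nginx TLS-terminating proxy, wired together on one bridge network.
# The `version` key is informational only under the Compose Specification;
# the `depends_on` conditions used below require Compose v2.
#
# Conventions used in the inline scripts:
#   - `command: >` is a folded scalar: lines are joined with spaces, so every
#     statement ends in `;` and NO `#` comments may appear inside the script.
#   - `$$` is the Compose escape for a literal `$` (nginx variables, bash
#     expansions); a single `$name` would be interpolated by Compose itself.
version: "3.3"
services:
  # One-shot job: generates the self-signed certificates and keystores used by
  # every other service, writes the nginx site config into the proxy_conf
  # volume and creates the shared midPoint DB password. Certificate generation
  # is skipped when key.pem already exists in the security_object volume.
  # Demo-only choices to be aware of: all PKCS#12/JKS stores use fixed
  # passwords ("password" / "changeit"), the generated nginx config allows
  # TLSv1/TLSv1.1 towards the IdP upstream (proxy_ssl_protocols), and
  # `chmod -R 744` leaves the copied private keys world-readable on the
  # bind-mounted grouper directories.
  prereq:
    image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux
    command: >
      bash -c "
      echo ' - - - - - - -' ;
      cd /mnt/security ;
      if [ ! -e key.pem ] ;
      then
      echo 'Certificate has not been found. Generating of the new one...' ;
      if [ -e /mnt/grouper-http/host-cert.pem -a -e /mnt/grouper-http/host-key.pem ] ;
      then
      echo 'Taking existing http certs... ';
      cp /mnt/grouper-http/host-cert.pem cert.pem ;
      cp /mnt/grouper-http/host-key.pem key.pem ;
      else
      echo 'Generating existing http certs... ';
      openssl req -newkey rsa:2048 -keyout key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=midpoint.sp.example.org' -addext 'subjectAltName = DNS:midpoint.sp.example.org, DNS:midpoint_server, DNS:directory, DNS:idp, DNS: localhost, DNS: localhost.localdomain, IP:127.0.0.1, IP:::1' -out cert.pem -days 1825 -x509 -addext 'basicConstraints=CA:FALSE';
      fi ;
      openssl req -newkey rsa:2048 -keyout sp-key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=sp.example.org' -out sp-cert.pem -days 3650 -x509 ;
      openssl req -newkey rsa:3072 -keyout sp-signing-key.pem -nodes -subj '/CN=sptest.example.edu' -addext 'subjectAltName = DNS:sptest.example.edu' -out sp-signing-cert.pem -days 3650 -x509 ;
      openssl req -newkey rsa:2048 -keyout idp-backchannel.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-backchannel.crt -days 7300 -x509 ;
      openssl req -newkey rsa:2048 -keyout idp-encryption.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-encryption.crt -days 7300 -x509 ;
      openssl req -newkey rsa:2048 -keyout idp-signing.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-signing.crt -days 7300 -x509 ;
      openssl req -newkey rsa:2048 -keyout idp-browser.key -nodes -subj '/CN=idp.ccc.local' -addext 'authorityKeyIdentifier = keyid:always,issuer:always' -out idp-browser.crt -days 10585 -x509 ;
      openssl x509 -noout -fingerprint -sha256 -in cert.pem ;
      openssl pkcs12 -export -in sp-signing-cert.pem -inkey sp-signing-key.pem -out signing-key.p12 -passout pass:password -name signing-key ;
      openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -passout pass:password -name selfsigned ;
      keytool -importkeystore -srckeystore signing-key.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias signing-key -destkeystore shibboleth_sp_keys.jks -deststoretype jks -deststorepass changeit -noprompt -destalias signing-key ;
      keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias selfsigned -destkeystore keystore.jks -deststoretype jks -deststorepass password -noprompt -destalias selfsigned ;
      keytool -list -keystore shibboleth_sp_keys.jks -storetype jceks -storepass changeit ;
      keytool -list -keystore keystore.jks -storetype jceks -storepass password ;
      openssl pkcs12 -export -in idp-backchannel.crt -inkey idp-backchannel.key -out idp-backchannel.p12 -passout pass:password -name idptestbed ;
      openssl pkcs12 -export -in idp-browser.crt -inkey idp-browser.key -out idp-browser.p12 -passout pass:password -name myAlias ;
      for s in *ert.pem *.crt ; do echo ' - - - - - ' ; echo $${s} ; openssl x509 -noout -fingerprint -sha256 -in $${s} ; echo ; openssl x509 -noout -subject -subject_hash -dates -in $${s} ; done ;
      echo ' - - - - - ' ;
      mkdir -p /mnt/midpoint/var/shibboleth ;
      cp shibboleth_sp_keys.jks /mnt/midpoint/var/shibboleth ;
      cp cert.pem /mnt/midpoint/var ;
      cp key.pem /mnt/midpoint/var ;
      cp cert.pem /mnt/nginx-cert ;
      cp key.pem /mnt/nginx-cert ;
      echo ' server {' >> /mnt/nginx-conf/default.conf ;
      echo ' listen 80 default_server;' >> /mnt/nginx-conf/default.conf ;
      echo ' server_name localhost;' >> /mnt/nginx-conf/default.conf ;
      echo '' >> /mnt/nginx-conf/default.conf ;
      echo ' return 301 https://$$server_name$$request_uri;' >> /mnt/nginx-conf/default.conf ;
      echo '}' >> /mnt/nginx-conf/default.conf ;
      echo ' server {' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' listen 443 ssl default_server;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' server_name localhost;' >> /mnt/nginx-conf/midpoint.conf ;
      echo '' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' ssl_certificate /etc/nginx/certs/cert.pem;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' ssl_certificate_key /etc/nginx/certs/key.pem;' >> /mnt/nginx-conf/midpoint.conf ;
      echo '' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' location / {' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' rewrite ^/$ /midpoint/ last;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' rewrite ^/midpoint$ /midpoint/ last;' >> /mnt/nginx-conf/midpoint.conf ;
      echo '' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_set_header X-Real-IP $$remote_addr;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_set_header X-Forwarded-Host $$host;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_set_header X-Forwarded-Proto $$scheme;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_pass http://midpoint-container:8080/;' >> /mnt/nginx-conf/midpoint.conf ;
      echo '' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' }' >> /mnt/nginx-conf/midpoint.conf ;
      echo '' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' location /idp {' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_set_header Host localhost;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' proxy_pass https://idp:443/idp ;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' }' >> /mnt/nginx-conf/midpoint.conf ;
      echo '' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' location /grouper {' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' rewrite ^/(.*)$ https://localhost:4443/$1 ;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' }' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' location /grouperSSO {' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' rewrite ^/(.*)$ https://localhost:4443/$1 ;' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' }' >> /mnt/nginx-conf/midpoint.conf ;
      echo ' }' >> /mnt/nginx-conf/midpoint.conf ;
      cp idp-backchannel.crt /mnt/shibboleth-idp/credentials ;
      cp idp-backchannel.p12 /mnt/shibboleth-idp/credentials ;
      cp idp-browser.p12 /mnt/shibboleth-idp/credentials ;
      cp idp-encryption.crt /mnt/shibboleth-idp/credentials ;
      cp idp-encryption.key /mnt/shibboleth-idp/credentials ;
      cp idp-signing.crt /mnt/shibboleth-idp/credentials ;
      cp idp-signing.key /mnt/shibboleth-idp/credentials ;
      cp sp-signing-cert.pem /mnt/shibboleth-idp/credentials ;
      cp sp-cert.pem /mnt/shibboleth-idp/credentials ;
      cp keystore.jks /mnt/shibboleth/certs ;
      cp cert.pem /mnt/grouper-http/host-cert.pem ;
      cp key.pem /mnt/grouper-http/host-key.pem ;
      chmod -R 744 /mnt/grouper-http ;
      chown -R --reference=/mnt/grouper-http /mnt/grouper-http ;
      cp sp-cert.pem /mnt/grouper-shibboleth/sp-cert.pem ;
      cp sp-key.pem /mnt/grouper-shibboleth/sp-key.pem ;
      chmod -R 744 /mnt/grouper-shibboleth ;
      chown -R --reference=/mnt/grouper-shibboleth /mnt/grouper-shibboleth ;
      echo ' - - - - - ' ;
      find -type f ;
      echo ' - - - - - - -' ;
      find /mnt/shibboleth-idp/ -type f ;
      echo ' - - - - - - -' ;
      find /mnt/shibboleth -type f ;
      echo ' - - - - - - -' ;
      find /mnt/midpoint/ -type f ;
      echo ' - - - - - - -' ;
      find /mnt/grouper*/ -type f ;
      echo ' - - - - - - -' ;
      else echo 'certificate already exists... (skip new cert generation)' ;
      fi ;
      if [ ! -e /mnt/shared_pw/db_pass ] ; then
      echo 'Generating password for DB connection...';
      dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d -c '[0-9a-z]' | cut -c 1-32 | tr -d '[[:space:]]' > /mnt/shared_pw/db_pass ;
      fi ;
      "
    networks:
      - net
    volumes:
      - security_object:/mnt/security
      - shared_pw:/mnt/shared_pw
      - idp_credentials:/mnt/shibboleth-idp/credentials
      - idp_certs:/mnt/shibboleth/certs
      - proxy_conf:/mnt/nginx-conf
      - proxy_cert:/mnt/nginx-cert
      - midpoint_home:/mnt/midpoint/var
      - ./configs-and-secrets/grouper/httpd:/mnt/grouper-http
      - ./configs-and-secrets/grouper/shibboleth:/mnt/grouper-shibboleth

  # Grouper background daemon (loader jobs). Service passwords other than the
  # DB password are fixed demo values passed through the environment.
  grouper_daemon:
    image: i2incommon/grouper:4.12.0
    command: [ "daemon" ]
    depends_on:
      grouper_data:
        condition: service_healthy
      grouper_data_init:
        condition: service_completed_successfully
      directory:
        condition: service_healthy
      sources:
        condition: service_started
    environment:
      - ENV
      - USERTOKEN
      - GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE=password
      - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/g_database_password.txt
      - RABBITMQ_PASSWORD=password
      - SUBJECT_SOURCE_LDAP_PASSWORD=password
    ulimits:
      nofile:
        soft: 1024
        hard: 2048
    networks:
      net:
        aliases:
          - grouper-daemon
    healthcheck:
      test: gsh
      interval: 30s
      timeout: 30s
      retries: 3
    secrets:
      - g_database_password.txt
    volumes:
      - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties
      - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.client.properties
      - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
      - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
      - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
      - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties

  # Grouper UI behind the bundled httpd + Shibboleth SP; published on host
  # port 4443 (the nginx /grouper locations redirect to it).
  grouper_ui:
    image: i2incommon/grouper:4.12.0
    command: [ "ui" ]
    depends_on:
      grouper_data:
        condition: service_healthy
      grouper_data_init:
        condition: service_completed_successfully
      directory:
        condition: service_healthy
    environment:
      - ENV
      - USERTOKEN
      - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/g_database_password.txt
      - SUBJECT_SOURCE_LDAP_PASSWORD=password
    ulimits:
      nofile:
        soft: 1024
        hard: 2048
    networks:
      net:
        aliases:
          - grouper-ui
    ports:
      - "4443:443"
    healthcheck:
      test: curl -k -f https://127.0.0.1/grouper/grouperUi/ || exit 1
      interval: 30s
      timeout: 30s
      retries: 3
    secrets:
      - g_database_password.txt
    volumes:
      - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/conf/grouper.properties
      - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/conf/grouper.client.properties
      - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
      - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
      - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
      - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties
      - ./configs-and-secrets/grouper/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml
      - ./configs-and-secrets/grouper/shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
      - ./configs-and-secrets/grouper/shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
      - ./configs-and-secrets/grouper/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
      # Note: due to a bug in https://github.internet2.edu/docker/grouper/blob/2.5.57/container_files/usr-local-bin/librarySetupFilesForProcess.sh#L72
      # This file had to be mounted as shib2.conf, instead of shib.conf (bind mounts don't want to be moved)
      - ./configs-and-secrets/grouper/httpd/shib.conf:/etc/httpd/conf.d/shib2.conf
      - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/host-cert.pem
      - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/cachain.pem
      - ./configs-and-secrets/grouper/httpd/host-key.pem:/etc/pki/tls/private/host-key.pem

  # Grouper web services (used by midPoint as a provisioning target);
  # published on host port 9443 with its own tomcat-users.xml / server.xml.
  grouper_ws:
    image: i2incommon/grouper:4.12.0
    command: [ "ws" ]
    depends_on:
      grouper_data:
        condition: service_healthy
      directory:
        condition: service_healthy
      prereq:
        condition: service_completed_successfully
      idp_vol_init:
        condition: service_completed_successfully
      grouper_data_init:
        condition: service_completed_successfully
    environment:
      - ENV
      - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/g_database_password.txt
      - SUBJECT_SOURCE_LDAP_PASSWORD=password
      - USERTOKEN
    ulimits:
      nofile:
        soft: 1024
        hard: 2048
    networks:
      net:
        aliases:
          - grouper-ws
    ports:
      - "9443:443"
    healthcheck:
      test: curl -k -f https://127.0.0.1/grouper-ws/status?diagnosticType=trivial || exit 1
      interval: 30s
      timeout: 30s
      retries: 3
    secrets:
      - g_database_password.txt
      # - source: g_sp-key.pem
      #   target: shib_sp-key.pem
      # - source: g_host-key.pem
      #   target: host-key.pem
    volumes:
      - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/conf/grouper.properties
      - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/conf/grouper.client.properties
      - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
      - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
      - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
      - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties
      - ./grouper_ws/web.xml:/opt/grouper/grouperWebapp/WEB-INF/web.xml
      - ./grouper_ws/tomcat-users.xml:/opt/tomee/conf/tomcat-users.xml
      - ./grouper_ws/server.xml:/opt/tomee/conf/server.xml
      - ./configs-and-secrets/grouper/shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
      - ./configs-and-secrets/grouper/shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
      - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/host-cert.pem
      - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/cachain.pem
      - ./configs-and-secrets/grouper/httpd/host-key.pem:/etc/pki/tls/private/host-key.pem

  # One-shot job: initialises the Grouper registry and runs the bootstrap gsh
  # scripts once, then drops a marker file into the grouper_data volume so
  # later runs skip the step.
  grouper_data_init:
    image: i2incommon/grouper:4.12.0
    command: >
      bash -c "
      if [ ! -e /var/lib/postgresql/data/initialized ] ; then
      echo 'processing init...' ;
      echo ' - - - - - -';
      /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh -registry -check -runscript -noprompt &&
      /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp-bin/initialize.gsh &&
      /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp-bin/set-prov.gsh &&
      touch /var/lib/postgresql/data/initialized ;
      else echo 'init skipped....' ;
      fi
      "
    depends_on:
      grouper_data:
        condition: service_healthy
    networks:
      - net
    volumes:
      - ./grouper_data_init/bootstrap:/tmp-bin
      - ./grouper_data_init/conf/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
      - ./grouper_data_init/conf/grouper.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties
      - grouper_data:/var/lib/postgresql/data

  # Grouper database. POSTGRES_HOST_AUTH_METHOD=trust disables password
  # authentication for every connection; the port is not published on the
  # host, but any container on the `net` network can connect without
  # credentials. Demo-only setting.
  grouper_data:
    image: postgres:16-alpine
    networks:
      net:
        aliases:
          - grouper-data
    environment:
      - POSTGRES_HOST_AUTH_METHOD=trust
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=password
      - PGDATA=/var/lib/postgresql/data/pgdata
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d grouper -U grouper" ]
      interval: 1s
      timeout: 5s
      retries: 10
    volumes:
      - grouper_data:/var/lib/postgresql/data
      - ./grouper_data_init/sql:/docker-entrypoint-initdb.d

  # Sample HR/source database (MySQL) for midPoint resources; published on
  # host port 13306 for inspection from the host.
  sources:
    build: ./sources/
    ports:
      - "13306:3306"
    networks:
      - net
    volumes:
      - source_mysql:/var/lib/mysql
      - source_data:/var/lib/mysqlmounted
    environment:
      - CREATE_NEW_DATABASE=if_needed

  # midPoint repository database; the password is the one generated by
  # `prereq` into the shared_pw volume (POSTGRES_PASSWORD_FILE).
  midpoint_data:
    image: postgres:16-alpine
    depends_on:
      prereq:
        condition: service_completed_successfully
    environment:
      - POSTGRES_PASSWORD_FILE=/mnt/shared_pw/db_pass
      - POSTGRES_USER=midpoint
      - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d midpoint -U midpoint" ]
      interval: 1s
      timeout: 5s
      retries: 10
    networks:
      - net
    volumes:
      - midpoint_data:/var/lib/postgresql/data
      - shared_pw:/mnt/shared_pw

  # One-shot job: creates the midPoint repository/audit schema when ninja
  # reports the repository is missing, copies the initial objects from
  # ./midpoint_server into midpoint_home, and trusts the locally generated
  # cert.pem in the midPoint keystore.
  data_init:
    image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux
    depends_on:
      prereq:
        condition: service_completed_successfully
      midpoint_data:
        condition: service_healthy
    command: >
      bash -c "
      cd /opt/midpoint ;
      bin/midpoint.sh init-native ;
      echo ' - - - - - - ' ;
      bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ;
      grep -q \"ERROR\" /tmp/ninja.log && (
      bin/ninja.sh run-sql --create --mode REPOSITORY ;
      bin/ninja.sh run-sql --create --mode AUDIT ;
      tar -cC /opt/midpoint-init . | tar -xvC /opt/midpoint/var ;
      ) ||
      echo -e '\\n Repository init is not needed...' ;
      if [ $$(keytool -list -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw | grep -c 'local_gen_cert') -eq 0 ] ;
      then
      keytool -importcert -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw -trustcacerts -alias 'local_gen_cert' -file /opt/midpoint/var/cert.pem -noprompt ;
      else
      echo 'Certificate exists in the cert store' ;
      fi ;
      "
    environment:
      - MP_SET_midpoint_repository_jdbcUsername=midpoint
      - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass
      - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint
      - MP_SET_midpoint_repository_database=postgresql
      - MP_INIT_CFG=/opt/midpoint/var
      - MP_PW_DEF=/opt/midpoint/var/keystorepw
      - MP_KEYSTORE=/opt/midpoint/var/keystore.jceks
    networks:
      - net
    volumes:
      - midpoint_home:/opt/midpoint/var
      - shared_pw:/mnt/shared_pw
      - ./midpoint_server:/opt/midpoint-init:ro

  # midPoint application server. Plain HTTP on 8080 is published on the host
  # in addition to being reached through the nginx proxy; the initial
  # administrator password is a fixed demo value set in clear text below.
  midpoint_server:
    image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux
    container_name: midpoint_server
    hostname: midpoint-container
    depends_on:
      data_init:
        condition: service_completed_successfully
      idp_vol_init:
        condition: service_completed_successfully
      midpoint_data:
        condition: service_healthy
    command: [ "/opt/midpoint/bin/midpoint.sh", "container" ]
    ports:
      - "8080:8080"
    environment:
      - MP_SET_midpoint_repository_jdbcUsername=midpoint
      - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass
      - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint
      - MP_SET_midpoint_repository_database=postgresql
      - MP_SET_midpoint_keystore_keyStorePassword_FILE=/opt/midpoint/var/keystorepw
      - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t
      - MP_UNSET_midpoint_repository_hibernateHbm2ddl=1
      - MP_NO_ENV_COMPAT=1
    networks:
      net:
        aliases:
          - midpoint-server
    volumes:
      - midpoint_home:/opt/midpoint/var
      - shared_pw:/mnt/shared_pw

  # LDAP directory used by the IdP and Grouper as subject source. Plain LDAP
  # (389) is published on the host; the healthcheck only probes the TCP port.
  directory:
    build: ./directory/
    ports:
      - "389:389"
    networks:
      - net
    healthcheck:
      test: [ "CMD-SHELL", "cat > /dev/tcp/localhost/389" ]
      interval: 30s
      timeout: 5s
      retries: 10
    volumes:
      - ldap:/var/lib/ldap

  # One-shot job: overlays ./shibboleth-idp onto the IdP volumes, then
  # splices the certificates generated by `prereq` into the SAML metadata
  # templates (the `file_path` arrays map each X509Certificate element, in
  # document order, to the credential file whose body replaces it; `-` keeps
  # the template text) and rotates the IdP sealer key.
  idp_vol_init:
    image: tier/shib-idp:3.4.6_20191002
    depends_on:
      prereq:
        condition: service_completed_successfully
    ulimits:
      nofile:
        soft: 1024
        hard: 2048
    command: >
      bash -c "
      echo 'Updating configuration...' ;
      if [ -e /mnt/shibboleth-diff/conf ] ;
      then
      cp -vu /mnt/shibboleth-diff/conf/* /opt/shibboleth-idp/conf ;
      fi ;
      if [ -e /mnt/shibboleth-diff/credentials ] ;
      then
      cp -vu /mnt/shibboleth-diff/credentials/* /opt/shibboleth-idp/credentials ;
      fi ;
      if [ -e /mnt/shibboleth-diff/metadata ] ;
      then
      cp -vu /mnt/shibboleth-diff/metadata/* /opt/shibboleth-idp/metadata ;
      fi ;
      echo ' - - - - - - -' ;
      echo 'Updating idp-metadata.xml file...' ;
      grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ;
      wc -l /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ;
      current_line=1 ;
      id=0 ;
      file_path=( - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - ) ;
      rm /opt/shibboleth-idp/metadata/idp-metadata.xml ;
      cat /tmp/checkpoints | while read line ; do
      if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then
      sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/idp-metadata.xml >> /opt/shibboleth-idp/metadata/idp-metadata.xml ;
      else
      sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/idp-metadata.xml ;
      fi ;
      current_line=$${line};
      id=$$(( $${id} + 1 )) ;
      done ;
      cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/midpoint/var/shibboleth/idp-metadata.xml ;
      cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/grouper/idp-metadata.xml ;
      chown --reference=/opt/grouper /opt/grouper/idp-metadata.xml ;
      echo ' - - - - - - -' ;
      echo 'Updating midpoint-sp.xml...';
      grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ;
      wc -l /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ;
      current_line=1 ;
      id=0 ;
      file_path=( - sp-signing-cert.pem - ) ;
      rm /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
      cat /tmp/checkpoints | while read line ; do
      if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then
      sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/midpoint-sp.xml >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
      else
      sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
      fi ;
      current_line=$${line};
      id=$$(( $${id} + 1 )) ;
      done ;
      sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
      echo ' - - - - - - -' ;
      echo 'Updating grouper-sp.xml...';
      grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/grouper-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ;
      wc -l /mnt/shibboleth-diff/metadata/grouper-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ;
      current_line=1 ;
      id=0 ;
      file_path=( - sp-cert.pem - sp-cert.pem - ) ;
      rm /opt/shibboleth-idp/metadata/grouper-sp.xml ;
      cat /tmp/checkpoints | while read line ; do
      if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then
      sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/grouper-sp.xml >> /opt/shibboleth-idp/metadata/grouper-sp.xml ;
      else
      sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/grouper-sp.xml ;
      fi ;
      current_line=$${line};
      id=$$(( $${id} + 1 )) ;
      done ;
      sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/grouper-sp.xml ;
      echo ' - - - - - - -' ;
      echo 'Generating sealer key...' ;
      rm /opt/shibboleth-idp/credentials/sealer.* ;
      /opt/shibboleth-idp/bin/rotateSealerKey.sh ;
      echo ' - - - - - - -' ;
      echo 'DONE.' ;
      "
    volumes:
      - idp_conf:/opt/shibboleth-idp/conf
      - idp_credentials:/opt/shibboleth-idp/credentials
      - idp_metadata:/opt/shibboleth-idp/metadata
      - ./shibboleth-idp:/mnt/shibboleth-diff:ro
      - midpoint_home:/opt/midpoint/var
      - ./configs-and-secrets/grouper/shibboleth:/opt/grouper

  # Shibboleth IdP; reached only through the nginx proxy (/idp). The keystore
  # passwords must match the `-passout pass:password` used in `prereq`.
  idp:
    image: tier/shib-idp:3.4.6_20191002
    depends_on:
      directory:
        condition: service_started
      idp_vol_init:
        condition: service_completed_successfully
    ulimits:
      nofile:
        soft: 1024
        hard: 2048
    environment:
      - JETTY_MAX_HEAP=64m
      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password
      - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password
    networks:
      - net
    volumes:
      - idp_conf:/opt/shibboleth-idp/conf
      - idp_credentials:/opt/shibboleth-idp/credentials
      - idp_metadata:/opt/shibboleth-idp/metadata
      - idp_certs:/opt/certs

  # TIER beacon (usage reporting); opted out via TIER_BEACON_OPT_OUT.
  beacon:
    build: ./beacon/
    networks:
      - net
    environment:
      - TIER_RELEASE=not-released-yet
      - TIER_MAINTAINER=tier
      - MP_VERSION=4.8
      - TIER_BEACON_OPT_OUT=true

  # nginx front door: serves the config and certificate written by `prereq`
  # (HTTP on 8180 redirects to HTTPS on 443).
  proxy:
    image: nginx:stable
    depends_on:
      prereq:
        condition: service_completed_successfully
      midpoint_server:
        condition: service_started
      idp:
        condition: service_started
    ports:
      - "8180:80"
      - "443:443"
    networks:
      - net
    volumes:
      - proxy_conf:/etc/nginx/conf.d
      - proxy_cert:/etc/nginx/certs

  # RabbitMQ used by the Grouper daemon; the management UI is published on
  # host port 15672.
  mq:
    build: ./mq/
    environment:
      - RABBITMQ_NODENAME=docker-rabbit
    hostname: rabbitmq
    ulimits:
      nofile:
        soft: 1024
        hard: 2048
    networks:
      - net
    ports:
      - "15672:15672"
    volumes:
      - mq:/var/lib/rabbitmq

networks:
  net:
    driver: bridge

secrets:
  # grouper
  # g_host-key.pem:
  #   file: ./configs-and-secrets/grouper/httpd/host-key.pem
  # g_sp-key.pem:
  #   file: ./configs-and-secrets/grouper/shibboleth/sp-key.pem
  g_database_password.txt:
    file: ./configs-and-secrets/grouper/application/database_password.txt
  # rabbitmq_password.txt:
  #   file: ./configs-and-secrets/grouper/application/rabbitmq_password.txt

volumes:
  security_object:
  midpoint_data:
  midpoint_home:
  idp_conf:
  idp_credentials:
  idp_metadata:
  idp_certs:
  proxy_conf:
  proxy_cert:
  ldap:
  shared_pw:
  grouper_data:
  source_data:
  source_mysql:
  target_data:
  mq:
  grouper-external_data: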