# Compose stack for the midPoint + Grouper + Shibboleth IdP demo.
# NOTE: the `depends_on` condition forms used below (service_healthy,
# service_completed_successfully) and the top-level `secrets:` need a Compose
# implementation that follows the Compose Specification (docker compose v2);
# the `version` key is only informational there.
version: "3.3"
services:
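prereq:
  # One-shot bootstrap job; the other services wait for it to complete.
  #   1. On first run (no /mnt/security/key.pem yet): generate the demo TLS
  #      and SAML key material, fan it out to the midPoint, nginx, IdP and
  #      Grouper volumes, and write the nginx reverse-proxy configuration.
  #   2. Generate the shared midPoint DB password if it does not exist yet.
  # Re-runs are idempotent: step 1 is skipped when key.pem already exists.
  #
  # SECURITY NOTE (demo only): all certificates are self-signed, every
  # PKCS#12 / JKS store uses the literal passwords 'password' / 'changeit',
  # and the private keys are copied into host bind-mounted directories with
  # chmod 744 (readable by any local user).  The permissions are left as
  # they are because the Grouper containers read those files under a
  # different uid; replace the key material and passwords before exposing
  # this stack beyond a local machine.
  #
  # Escaping: the script is a YAML folded scalar, so it becomes ONE shell
  # line (hence the ';' after every statement and no '#' comments inside).
  # Every literal '$' that must reach bash or nginx is written '$$' because
  # Compose interpolates '$name' from the host environment and rejects '$'
  # followed by a non-name character.  Double quotes inside the script are
  # written '\"' (Compose splits the string shell-style before running it).
  image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux
  command: >
    bash -c "
    echo ' - - - - - - -' ;
    cd /mnt/security || exit 1 ;
    if [ ! -e key.pem ] ; then
    echo 'Certificate has not been found. Generating of the new one...' ;
    if [ -e /mnt/grouper-http/host-cert.pem ] && [ -e /mnt/grouper-http/host-key.pem ] ; then
    echo 'Taking existing http certs... ';
    cp /mnt/grouper-http/host-cert.pem cert.pem ;
    cp /mnt/grouper-http/host-key.pem key.pem ;
    else
    echo 'Generating new http certs... ';
    openssl req -newkey rsa:2048 -keyout key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=midpoint.sp.example.org' -addext 'subjectAltName = DNS:midpoint.sp.example.org, DNS:midpoint_server, DNS:directory, DNS:idp, DNS:localhost, DNS:localhost.localdomain, IP:127.0.0.1, IP:::1' -addext 'basicConstraints=CA:FALSE' -out cert.pem -days 1825 -x509 ;
    fi ;
    openssl req -newkey rsa:2048 -keyout sp-key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=sp.example.org' -out sp-cert.pem -days 3650 -x509 ;
    openssl req -newkey rsa:3072 -keyout sp-signing-key.pem -nodes -subj '/CN=sptest.example.edu' -addext 'subjectAltName = DNS:sptest.example.edu' -out sp-signing-cert.pem -days 3650 -x509 ;
    openssl req -newkey rsa:2048 -keyout idp-backchannel.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-backchannel.crt -days 7300 -x509 ;
    openssl req -newkey rsa:2048 -keyout idp-encryption.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-encryption.crt -days 7300 -x509 ;
    openssl req -newkey rsa:2048 -keyout idp-signing.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-signing.crt -days 7300 -x509 ;
    openssl req -newkey rsa:2048 -keyout idp-browser.key -nodes -subj '/CN=idp.ccc.local' -addext 'authorityKeyIdentifier = keyid:always,issuer:always' -out idp-browser.crt -days 10585 -x509 ;
    openssl x509 -noout -fingerprint -sha256 -in cert.pem ;
    openssl pkcs12 -export -in sp-signing-cert.pem -inkey sp-signing-key.pem -out signing-key.p12 -passout pass:password -name signing-key ;
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -passout pass:password -name selfsigned ;
    keytool -importkeystore -srckeystore signing-key.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias signing-key -destkeystore shibboleth_sp_keys.jks -deststoretype jks -deststorepass changeit -noprompt -destalias signing-key ;
    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias selfsigned -destkeystore keystore.jks -deststoretype jks -deststorepass password -noprompt -destalias selfsigned ;
    keytool -list -keystore shibboleth_sp_keys.jks -storetype jks -storepass changeit ;
    keytool -list -keystore keystore.jks -storetype jks -storepass password ;
    openssl pkcs12 -export -in idp-backchannel.crt -inkey idp-backchannel.key -out idp-backchannel.p12 -passout pass:password -name idptestbed ;
    openssl pkcs12 -export -in idp-browser.crt -inkey idp-browser.key -out idp-browser.p12 -passout pass:password -name myAlias ;
    for s in *ert.pem *.crt ; do echo ' - - - - - ' ; echo \"$${s}\" ; openssl x509 -noout -fingerprint -sha256 -in \"$${s}\" ; echo ; openssl x509 -noout -subject -subject_hash -dates -in \"$${s}\" ; done ;
    echo ' - - - - - ' ;
    mkdir -p /mnt/midpoint/var/shibboleth ;
    cp shibboleth_sp_keys.jks /mnt/midpoint/var/shibboleth ;
    cp cert.pem key.pem /mnt/midpoint/var ;
    cp cert.pem key.pem /mnt/nginx-cert ;
    { echo 'server {' ;
    echo '    listen 80 default_server;' ;
    echo '    server_name localhost;' ;
    echo '' ;
    echo '    return 301 https://$$server_name$$request_uri;' ;
    echo '}' ; } > /mnt/nginx-conf/default.conf ;
    { echo 'server {' ;
    echo '    listen 443 ssl default_server;' ;
    echo '    server_name localhost;' ;
    echo '' ;
    echo '    ssl_certificate /etc/nginx/certs/cert.pem;' ;
    echo '    ssl_certificate_key /etc/nginx/certs/key.pem;' ;
    echo '    ssl_protocols TLSv1.2 TLSv1.3;' ;
    echo '' ;
    echo '    proxy_ssl_protocols TLSv1.2 TLSv1.3;' ;
    echo '    location / {' ;
    echo '        rewrite ^/$$ /midpoint/ last;' ;
    echo '        rewrite ^/midpoint$$ /midpoint/ last;' ;
    echo '' ;
    echo '        proxy_set_header X-Real-IP $$remote_addr;' ;
    echo '        proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;' ;
    echo '        proxy_set_header X-Forwarded-Host $$host;' ;
    echo '        proxy_set_header X-Forwarded-Proto $$scheme;' ;
    echo '        proxy_pass http://midpoint-container:8080/;' ;
    echo '' ;
    echo '    }' ;
    echo '' ;
    echo '    location /idp {' ;
    echo '        proxy_set_header Host localhost;' ;
    echo '        proxy_pass https://idp:443/idp ;' ;
    echo '    }' ;
    echo '' ;
    echo '    location /grouper {' ;
    echo '        rewrite ^/(.*)$$ https://localhost:4443/$$1 ;' ;
    echo '    }' ;
    echo '    location /grouperSSO {' ;
    echo '        rewrite ^/(.*)$$ https://localhost:4443/$$1 ;' ;
    echo '    }' ;
    echo '}' ; } > /mnt/nginx-conf/midpoint.conf ;
    cp idp-backchannel.crt idp-backchannel.p12 idp-browser.p12 idp-encryption.crt idp-encryption.key idp-signing.crt idp-signing.key sp-signing-cert.pem sp-cert.pem /mnt/shibboleth-idp/credentials ;
    cp keystore.jks /mnt/shibboleth/certs ;
    cp cert.pem /mnt/grouper-http/host-cert.pem ;
    cp key.pem /mnt/grouper-http/host-key.pem ;
    chmod -R 744 /mnt/grouper-http ;
    chown -R --reference=/mnt/grouper-http /mnt/grouper-http ;
    cp sp-cert.pem /mnt/grouper-shibboleth/sp-cert.pem ;
    cp sp-key.pem /mnt/grouper-shibboleth/sp-key.pem ;
    chmod -R 744 /mnt/grouper-shibboleth ;
    chown -R --reference=/mnt/grouper-shibboleth /mnt/grouper-shibboleth ;
    echo ' - - - - - ' ;
    find . -type f ;
    for d in /mnt/shibboleth-idp /mnt/shibboleth /mnt/midpoint /mnt/grouper* ; do echo ' - - - - - - -' ; find \"$${d}\" -type f ; done ;
    else echo 'certificate already exists... (skip new cert generation)' ;
    fi ;
    if [ ! -e /mnt/shared_pw/db_pass ] ; then
    echo 'Generating password for DB connection...';
    LC_ALL=C tr -dc '0-9a-z' </dev/urandom | head -c 32 > /mnt/shared_pw/db_pass ;
    fi ;
    "
  # Changes vs. the previous revision of this script:
  #   * '$server_name', '$request_uri', '^/$', '^/(.*)$' and '$1' in the nginx
  #     snippets were single-'$' and so were consumed (or rejected) by Compose
  #     interpolation instead of reaching nginx; they are now '$$'-escaped like
  #     the neighbouring '$$remote_addr'.
  #   * 'X-Forwarded-Host:' / 'X-Forwarded-Proto:' carried a stray colon in
  #     the header name (compare X-Real-IP above); removed.
  #   * proxy_ssl_protocols no longer enables TLSv1 / TLSv1.1 towards the IdP,
  #     and the public listener is pinned to TLSv1.2 / TLSv1.3.  nginx does
  #     not verify the IdP's self-signed certificate on the /idp proxy_pass
  #     (proxy_ssl_verify is off by default) – acceptable only on the private
  #     compose network.
  #   * the JKS stores are listed with -storetype jks (they were created as
  #     jks two lines earlier).
  #   * the DB password is drawn directly from /dev/urandom with quoted tr
  #     classes (the old unquoted '[0-9a-z]' was subject to shell globbing);
  #     still 32 chars of [0-9a-z], no trailing newline.
  networks:
    - net
  volumes:
    - security_object:/mnt/security
    - shared_pw:/mnt/shared_pw
    - idp_credentials:/mnt/shibboleth-idp/credentials
    - idp_certs:/mnt/shibboleth/certs
    - proxy_conf:/mnt/nginx-conf
    - proxy_cert:/mnt/nginx-cert
    - midpoint_home:/mnt/midpoint/var
    # Host bind mounts: the generated host-key.pem / sp-key.pem land here
    # (see the chmod note above).
    - ./configs-and-secrets/grouper/httpd:/mnt/grouper-http
    - ./configs-and-secrets/grouper/shibboleth:/mnt/grouper-shibboleth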
grouper_daemon:
  # Grouper background daemon (loader / provisioning jobs).
  # SECURITY (demo only): RABBITMQ_PASSWORD and SUBJECT_SOURCE_LDAP_PASSWORD
  # are the literal string 'password'; only the DB password comes from a
  # Compose secret.  GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE is set to the
  # bare value 'password' although its name suggests a file path – verify
  # against the image's entrypoint before relying on it.
  image: i2incommon/grouper:4.12.0
  command: ["daemon"]
  depends_on:
    grouper_data:
      condition: service_healthy
    grouper_data_init:
      condition: service_completed_successfully
    directory:
      condition: service_healthy
    sources:
      condition: service_started
  environment:
    ENV:                         # passed through from the host env when set
    USERTOKEN:                   # passed through from the host env when set
    GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE: password
    GROUPER_DATABASE_PASSWORD_FILE: /run/secrets/g_database_password.txt
    RABBITMQ_PASSWORD: password
    SUBJECT_SOURCE_LDAP_PASSWORD: password
  ulimits:
    nofile: { soft: 1024, hard: 2048 }
  networks:
    net:
      aliases: [grouper-daemon]
  healthcheck:
    test: ["CMD-SHELL", "gsh"]
    interval: 30s
    timeout: 30s
    retries: 3
  secrets:
    - g_database_password.txt
  volumes:
    - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties
    - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.client.properties
    - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
    - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
    - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
    - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties
grouper_ui:
  # Grouper web UI, fronted by httpd + Shibboleth SP inside the container.
  # Published on host port 4443 (the nginx proxy redirects /grouper there).
  # SECURITY (demo only): SUBJECT_SOURCE_LDAP_PASSWORD is the literal
  # 'password'; sp-key.pem / host-key.pem are bind-mounted from the host
  # directory that `prereq` populates.  The self-signed host cert doubles as
  # the CA chain file, which is why it is mounted twice.
  image: i2incommon/grouper:4.12.0
  command: ["ui"]
  depends_on:
    grouper_data:
      condition: service_healthy
    grouper_data_init:
      condition: service_completed_successfully
    directory:
      condition: service_healthy
  environment:
    ENV:                         # passed through from the host env when set
    USERTOKEN:                   # passed through from the host env when set
    GROUPER_DATABASE_PASSWORD_FILE: /run/secrets/g_database_password.txt
    SUBJECT_SOURCE_LDAP_PASSWORD: password
  ulimits:
    nofile: { soft: 1024, hard: 2048 }
  networks:
    net:
      aliases: [grouper-ui]
  ports:
    - "4443:443"
  healthcheck:
    # -k: the container serves the self-signed demo certificate.
    test: ["CMD-SHELL", "curl -k -f https://127.0.0.1/grouper/grouperUi/ || exit 1"]
    interval: 30s
    timeout: 30s
    retries: 3
  secrets:
    - g_database_password.txt
  volumes:
    - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/conf/grouper.properties
    - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/conf/grouper.client.properties
    - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
    - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
    - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
    - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties
    - ./configs-and-secrets/grouper/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml
    - ./configs-and-secrets/grouper/shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
    - ./configs-and-secrets/grouper/shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
    - ./configs-and-secrets/grouper/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
    # Mounted as shib2.conf rather than shib.conf: the image's setup script
    # (https://github.internet2.edu/docker/grouper/blob/2.5.57/container_files/usr-local-bin/librarySetupFilesForProcess.sh#L72)
    # tries to move shib.conf, which fails on a bind mount.
    - ./configs-and-secrets/grouper/httpd/shib.conf:/etc/httpd/conf.d/shib2.conf
    - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/host-cert.pem
    - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/cachain.pem
    - ./configs-and-secrets/grouper/httpd/host-key.pem:/etc/pki/tls/private/host-key.pem
grouper_ws:
  # Grouper web services, published on host port 9443.
  # SECURITY (demo only): SUBJECT_SOURCE_LDAP_PASSWORD is the literal
  # 'password', and ./grouper_ws/tomcat-users.xml (WS basic-auth users) is
  # bind-mounted from the repo.  The private keys are bind-mounted as plain
  # files; the commented-out `secrets` entries below show the intended
  # Compose-secret alternative.
  image: i2incommon/grouper:4.12.0
  command: ["ws"]
  depends_on:
    grouper_data:
      condition: service_healthy
    directory:
      condition: service_healthy
    prereq:
      condition: service_completed_successfully
    idp_vol_init:
      condition: service_completed_successfully
    grouper_data_init:
      condition: service_completed_successfully
  environment:
    ENV:                         # passed through from the host env when set
    GROUPER_DATABASE_PASSWORD_FILE: /run/secrets/g_database_password.txt
    SUBJECT_SOURCE_LDAP_PASSWORD: password
    USERTOKEN:                   # passed through from the host env when set
  ulimits:
    nofile: { soft: 1024, hard: 2048 }
  networks:
    net:
      aliases: [grouper-ws]
  ports:
    - "9443:443"
  healthcheck:
    # -k: the container serves the self-signed demo certificate.
    test: ["CMD-SHELL", "curl -k -f https://127.0.0.1/grouper-ws/status?diagnosticType=trivial || exit 1"]
    interval: 30s
    timeout: 30s
    retries: 3
  secrets:
    - g_database_password.txt
    # - source: g_sp-key.pem
    #   target: shib_sp-key.pem
    # - source: g_host-key.pem
    #   target: host-key.pem
  volumes:
    - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/conf/grouper.properties
    - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/conf/grouper.client.properties
    - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
    - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
    - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
    - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties
    - ./grouper_ws/web.xml:/opt/grouper/grouperWebapp/WEB-INF/web.xml
    - ./grouper_ws/tomcat-users.xml:/opt/tomee/conf/tomcat-users.xml
    - ./grouper_ws/server.xml:/opt/tomee/conf/server.xml
    - ./configs-and-secrets/grouper/shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
    - ./configs-and-secrets/grouper/shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
    - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/host-cert.pem
    - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/cachain.pem
    - ./configs-and-secrets/grouper/httpd/host-key.pem:/etc/pki/tls/private/host-key.pem
grouper_data_init:
  # One-shot Grouper registry bootstrap: checks/creates the registry schema
  # and runs the two gsh bootstrap scripts, then drops a marker file in the
  # shared Postgres data volume so later runs are no-ops.  The `&&` chain
  # means a failing step leaves no marker and the container exits non-zero,
  # which blocks the services that depend on service_completed_successfully.
  # Note: the bootstrap uses its own grouper.hibernate.properties /
  # grouper.properties from ./grouper_data_init/conf, not the shared ones.
  image: i2incommon/grouper:4.12.0
  command: >
    bash -c "
    if [ -e /var/lib/postgresql/data/initialized ] ; then
    echo 'init skipped....' ;
    else
    echo 'processing init...' ;
    echo ' - - - - - -';
    /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh -registry -check -runscript -noprompt &&
    /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp-bin/initialize.gsh &&
    /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp-bin/set-prov.gsh &&
    touch /var/lib/postgresql/data/initialized ;
    fi
    "
  depends_on:
    grouper_data:
      condition: service_healthy
  networks:
    - net
  volumes:
    - ./grouper_data_init/bootstrap:/tmp-bin
    - ./grouper_data_init/conf/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
    - ./grouper_data_init/conf/grouper.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties
    - grouper_data:/var/lib/postgresql/data
grouper_data:
  # PostgreSQL for Grouper.  Not published on the host; reachable only on the
  # compose network as `grouper_data` / `grouper-data`.
  # SECURITY (demo only): POSTGRES_HOST_AUTH_METHOD=trust disables password
  # authentication for every client on the network, so POSTGRES_PASSWORD and
  # the g_database_password.txt secret are effectively decorative.  Left as-is
  # here because the init SQL / Grouper config may rely on it; drop `trust`
  # and verify the credentials match before any non-demo use.
  # The healthcheck probes the `grouper` database / role, which is presumably
  # created by the scripts in ./grouper_data_init/sql – not by this service's
  # POSTGRES_USER (postgres).
  image: postgres:16-alpine
  networks:
    net:
      aliases: [grouper-data]
  environment:
    POSTGRES_HOST_AUTH_METHOD: trust
    POSTGRES_USER: postgres
    POSTGRES_PASSWORD: password
    PGDATA: /var/lib/postgresql/data/pgdata
  healthcheck:
    test: ["CMD-SHELL", "pg_isready -d grouper -U grouper"]
    interval: 1s
    timeout: 5s
    retries: 10
  volumes:
    - grouper_data:/var/lib/postgresql/data
    - ./grouper_data_init/sql:/docker-entrypoint-initdb.d
sources:
  # Demo "source of truth" MySQL database, built from ./sources/.
  # Published on host port 13306 – the DB is reachable from the host network;
  # bind it to 127.0.0.1 (e.g. "127.0.0.1:13306:3306") if that is not wanted.
  build: ./sources/
  ports:
    - "13306:3306"
  networks:
    - net
  volumes:
    - source_mysql:/var/lib/mysql
    - source_data:/var/lib/mysqlmounted
  environment:
    CREATE_NEW_DATABASE: if_needed
midpoint_data:
  # PostgreSQL repository for midPoint.  Not published on the host.
  # The password is the random string `prereq` writes to the shared_pw volume
  # (/mnt/shared_pw/db_pass), hence the dependency on prereq completing.
  image: postgres:16-alpine
  depends_on:
    prereq:
      condition: service_completed_successfully
  environment:
    POSTGRES_PASSWORD_FILE: /mnt/shared_pw/db_pass
    POSTGRES_USER: midpoint
    POSTGRES_INITDB_ARGS: "--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8"
  healthcheck:
    test: ["CMD-SHELL", "pg_isready -d midpoint -U midpoint"]
    interval: 1s
    timeout: 5s
    retries: 10
  networks:
    - net
  volumes:
    - midpoint_data:/var/lib/postgresql/data
    - shared_pw:/mnt/shared_pw
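data_init:
  # One-shot midPoint repository bootstrap:
  #   * `midpoint.sh init-native` prepares the home directory (keystore etc.);
  #   * if `ninja info` reports ERROR (repository schema missing), create the
  #     repository and audit schemas and unpack ./midpoint_server (initial
  #     objects) into the midPoint home volume;
  #   * import the self-signed cert from `prereq` into the midPoint keystore
  #     under alias local_gen_cert unless it is already there.
  # The script is a YAML folded scalar (one shell line; '$$' and '\"' escapes
  # as in `prereq`).  The repository check is now a plain if/else: the former
  # `grep && ( ... ) || echo` printed "init is not needed" whenever the
  # *last* init command failed, masking a broken bootstrap.
  image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux
  depends_on:
    prereq:
      condition: service_completed_successfully
    midpoint_data:
      condition: service_healthy
  command: >
    bash -c "
    cd /opt/midpoint || exit 1 ;
    bin/midpoint.sh init-native ;
    echo ' - - - - - - ' ;
    bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ;
    if grep -q \"ERROR\" /tmp/ninja.log ; then
    bin/ninja.sh run-sql --create --mode REPOSITORY ;
    bin/ninja.sh run-sql --create --mode AUDIT ;
    tar -cC /opt/midpoint-init . | tar -xvC /opt/midpoint/var ;
    else
    echo -e '\\n Repository init is not needed...' ;
    fi ;
    if keytool -list -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw | grep -q 'local_gen_cert' ; then
    echo 'Certificate exists in the cert store' ;
    else
    keytool -importcert -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw -trustcacerts -alias 'local_gen_cert' -file /opt/midpoint/var/cert.pem -noprompt ;
    fi ;
    "
  environment:
    - MP_SET_midpoint_repository_jdbcUsername=midpoint
    - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass
    - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint
    - MP_SET_midpoint_repository_database=postgresql
    - MP_INIT_CFG=/opt/midpoint/var
    - MP_PW_DEF=/opt/midpoint/var/keystorepw
    - MP_KEYSTORE=/opt/midpoint/var/keystore.jceks
  networks:
    - net
  volumes:
    - midpoint_home:/opt/midpoint/var
    - shared_pw:/mnt/shared_pw
    - ./midpoint_server:/opt/midpoint-init:ro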
midpoint_server:
  # midPoint itself.  The nginx `proxy` service terminates TLS and forwards to
  # midpoint-container:8080; this service ALSO publishes 8080 directly on the
  # host, which bypasses the TLS proxy – remove the `ports` entry if plain
  # HTTP access is not wanted.
  # SECURITY (demo only): the administrator bootstrap password is hard-coded
  # (MP_SET_midpoint_administrator_initialPassword); change it on first login.
  image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux
  container_name: midpoint_server
  hostname: midpoint-container
  depends_on:
    data_init:
      condition: service_completed_successfully
    idp_vol_init:
      condition: service_completed_successfully
    midpoint_data:
      condition: service_healthy
  command: ["/opt/midpoint/bin/midpoint.sh", "container"]
  ports:
    - "8080:8080"
  environment:
    MP_SET_midpoint_repository_jdbcUsername: midpoint
    MP_SET_midpoint_repository_jdbcPassword_FILE: /mnt/shared_pw/db_pass
    MP_SET_midpoint_repository_jdbcUrl: "jdbc:postgresql://midpoint_data:5432/midpoint"
    MP_SET_midpoint_repository_database: postgresql
    MP_SET_midpoint_keystore_keyStorePassword_FILE: /opt/midpoint/var/keystorepw
    MP_SET_midpoint_administrator_initialPassword: Test5ecr3t
    MP_UNSET_midpoint_repository_hibernateHbm2ddl: "1"
    MP_NO_ENV_COMPAT: "1"
  networks:
    net:
      aliases: [midpoint-server]
  volumes:
    - midpoint_home:/opt/midpoint/var
    - shared_pw:/mnt/shared_pw
directory:
  # LDAP directory used as Grouper subject source / IdP user store, built
  # from ./directory/.  Plain LDAP (389) is published on the host without TLS;
  # bind it to 127.0.0.1 if exposure on other interfaces is not intended.
  # The healthcheck relies on bash's /dev/tcp pseudo-device, so the image's
  # /bin/sh must be bash (or the check always fails) – presumably true for
  # this image, since `directory` is a service_healthy dependency elsewhere.
  build: ./directory/
  ports:
    - "389:389"
  networks:
    - net
  healthcheck:
    test: ["CMD-SHELL", "cat > /dev/tcp/localhost/389"]
    interval: 30s
    timeout: 5s
    retries: 10
  volumes:
    - ldap:/var/lib/ldap
idp_vol_init:
  # One-shot IdP volume bootstrap.  Copies the overrides from ./shibboleth-idp
  # (conf/, credentials/, metadata/) into the IdP volumes, then rebuilds the
  # three SAML metadata files by splicing the freshly generated certificates
  # (from `prereq`) into the <ds:X509Certificate> slots of the template
  # metadata, and finally rotates the IdP sealer key.
  #
  # How the splice works (same pattern three times): `grep -n X509Certificate`
  # yields the line numbers of the certificate tags; the template is copied in
  # slices between those checkpoints, and at each checkpoint the entry of
  # `file_path` with the same index decides whether to copy the template slice
  # ('-') or to paste a PEM body (`sed '1d;$d'` strips BEGIN/END lines).  This
  # hard-codes the ORDER and COUNT of X509Certificate elements in each template
  # (backchannel, signing, encryption, twice, for idp-metadata.xml; one signing
  # cert for midpoint-sp.xml; sp-cert twice for grouper-sp.xml) – editing the
  # templates in ./shibboleth-idp/metadata requires updating `file_path`.
  # The trailing `sed -i` on the SP files blanks whatever followed the opening
  # <ds:X509Certificate> tag on the same line.
  #
  # Script caveats (left byte-for-byte; logic is order-sensitive):
  #   * `cat | while read` runs the loop in a subshell; current_line/id are not
  #     used afterwards, so this is harmless.
  #   * `rm` without -f on the metadata / sealer files only prints an error on
  #     a fresh volume; it does not abort the script.
  #   * rotateSealerKey.sh regenerates the sealer on EVERY run, which
  #     invalidates any IdP session cookies from a previous run.
  #   * the script is a YAML folded scalar: one shell line, '$$' for every
  #     literal '$', '\"' for double quotes.
  # The image tag (3.4.6_20191002) is a 2019 build of Shibboleth IdP 3.x;
  # update it before any non-demo use.
  image: tier/shib-idp:3.4.6_20191002
  depends_on:
    prereq:
      condition: service_completed_successfully
  ulimits:
    nofile:
      soft: 1024
      hard: 2048
  command: >
    bash -c "
    echo 'Updating configuration...' ;
    if [ -e /mnt/shibboleth-diff/conf ] ;
    then
    cp -vu /mnt/shibboleth-diff/conf/* /opt/shibboleth-idp/conf ;
    fi ;
    if [ -e /mnt/shibboleth-diff/credentials ] ;
    then
    cp -vu /mnt/shibboleth-diff/credentials/* /opt/shibboleth-idp/credentials ;
    fi ;
    if [ -e /mnt/shibboleth-diff/metadata ] ;
    then
    cp -vu /mnt/shibboleth-diff/metadata/* /opt/shibboleth-idp/metadata ;
    fi ;
    echo ' - - - - - - -' ;
    echo 'Updating idp-metadata.xml file...' ;
    grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ;
    wc -l /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ;
    current_line=1 ;
    id=0 ;
    file_path=( - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - ) ;
    rm /opt/shibboleth-idp/metadata/idp-metadata.xml ;
    cat /tmp/checkpoints | while read line ; do
    if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then
    sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/idp-metadata.xml >> /opt/shibboleth-idp/metadata/idp-metadata.xml ;
    else
    sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/idp-metadata.xml ;
    fi ;
    current_line=$${line};
    id=$$(( $${id} + 1 )) ;
    done ;
    cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/midpoint/var/shibboleth/idp-metadata.xml ;
    cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/grouper/idp-metadata.xml ;
    chown --reference=/opt/grouper /opt/grouper/idp-metadata.xml ;
    echo ' - - - - - - -' ;
    echo 'Updating midpoint-sp.xml...';
    grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ;
    wc -l /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ;
    current_line=1 ;
    id=0 ;
    file_path=( - sp-signing-cert.pem - ) ;
    rm /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
    cat /tmp/checkpoints | while read line ; do
    if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then
    sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/midpoint-sp.xml >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
    else
    sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
    fi ;
    current_line=$${line};
    id=$$(( $${id} + 1 )) ;
    done ;
    sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/midpoint-sp.xml ;
    echo ' - - - - - - -' ;
    echo 'Updating grouper-sp.xml...';
    grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/grouper-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ;
    wc -l /mnt/shibboleth-diff/metadata/grouper-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ;
    current_line=1 ;
    id=0 ;
    file_path=( - sp-cert.pem - sp-cert.pem - ) ;
    rm /opt/shibboleth-idp/metadata/grouper-sp.xml ;
    cat /tmp/checkpoints | while read line ; do
    if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then
    sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/grouper-sp.xml >> /opt/shibboleth-idp/metadata/grouper-sp.xml ;
    else
    sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/grouper-sp.xml ;
    fi ;
    current_line=$${line};
    id=$$(( $${id} + 1 )) ;
    done ;
    sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/grouper-sp.xml ;
    echo ' - - - - - - -' ;
    echo 'Generating sealer key...' ;
    rm /opt/shibboleth-idp/credentials/sealer.* ;
    /opt/shibboleth-idp/bin/rotateSealerKey.sh ;
    echo ' - - - - - - -' ;
    echo 'DONE.' ;
    "
  volumes:
    - idp_conf:/opt/shibboleth-idp/conf
    - idp_credentials:/opt/shibboleth-idp/credentials
    - idp_metadata:/opt/shibboleth-idp/metadata
    # Template configuration / metadata from the repo (read-only).
    - ./shibboleth-idp:/mnt/shibboleth-diff:ro
    - midpoint_home:/opt/midpoint/var
    # The Grouper SP's host directory; the generated idp-metadata.xml is
    # written here so grouper_ui can bind-mount it.
    - ./configs-and-secrets/grouper/shibboleth:/opt/grouper
idp:
  # Shibboleth IdP (Jetty), reachable only on the compose network; the nginx
  # `proxy` forwards /idp to it over HTTPS.
  # SECURITY (demo only): both Jetty keystore passwords are the literal
  # 'password' – they must match the PKCS#12 files `prereq` creates with
  # `-passout pass:password`.  The image tag is a 2019 build of IdP 3.x;
  # update it before any non-demo use.
  image: tier/shib-idp:3.4.6_20191002
  depends_on:
    directory:
      condition: service_started
    idp_vol_init:
      condition: service_completed_successfully
  ulimits:
    nofile: { soft: 1024, hard: 2048 }
  environment:
    JETTY_MAX_HEAP: 64m
    JETTY_BROWSER_SSL_KEYSTORE_PASSWORD: password
    JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD: password
  networks:
    - net
  volumes:
    - idp_conf:/opt/shibboleth-idp/conf
    - idp_credentials:/opt/shibboleth-idp/credentials
    - idp_metadata:/opt/shibboleth-idp/metadata
    - idp_certs:/opt/certs
beacon:
  # TIER usage beacon, built from ./beacon/.  TIER_BEACON_OPT_OUT=true
  # disables the outbound report; the other values are placeholders.
  build: ./beacon/
  networks:
    - net
  environment:
    TIER_RELEASE: not-released-yet
    TIER_MAINTAINER: tier
    MP_VERSION: "4.8"
    TIER_BEACON_OPT_OUT: "true"
proxy:
  # nginx TLS front door.  Serves the config and certificate that `prereq`
  # wrote into the proxy_conf / proxy_cert volumes: port 80 (host 8180)
  # redirects to HTTPS, port 443 proxies / to midPoint and /idp to the IdP.
  image: nginx:stable
  depends_on:
    prereq:
      condition: service_completed_successfully
    midpoint_server:
      condition: service_started
    idp:
      condition: service_started
  ports:
    - "8180:80"
    - "443:443"
  networks:
    - net
  volumes:
    - proxy_conf:/etc/nginx/conf.d
    - proxy_cert:/etc/nginx/certs
mq:
  # RabbitMQ, built from ./mq/, used by the Grouper daemon (see its
  # RABBITMQ_PASSWORD).  The management UI (15672) is published on the host;
  # whatever default credentials the ./mq image sets are then reachable from
  # the host network – bind to 127.0.0.1 if that is not intended.
  build: ./mq/
  environment:
    RABBITMQ_NODENAME: docker-rabbit
  hostname: rabbitmq
  ulimits:
    nofile: { soft: 1024, hard: 2048 }
  networks:
    - net
  ports:
    - "15672:15672"
  volumes:
    - mq:/var/lib/rabbitmq
# Single private bridge network shared by every service; services that do
# not publish `ports` are reachable only from other containers on it.
networks:
  net:
    driver: bridge
# File-backed Compose secrets (mounted under /run/secrets/ in the services
# that list them).  Only the Grouper DB password is currently wired this way;
# the TLS / SAML private keys are bind-mounted as plain files instead (see
# the grouper_* services) – the commented entries are the intended
# alternative.
secrets:
  # grouper
  # g_host-key.pem:
  #   file: ./configs-and-secrets/grouper/httpd/host-key.pem
  # g_sp-key.pem:
  #   file: ./configs-and-secrets/grouper/shibboleth/sp-key.pem
  g_database_password.txt:
    file: ./configs-and-secrets/grouper/application/database_password.txt
  # rabbitmq_password.txt:
  #   file: ./configs-and-secrets/grouper/application/rabbitmq_password.txt
# Named volumes.  security_object holds the generated key material and
# shared_pw the midPoint DB password; both persist across restarts, which is
# what makes `prereq` idempotent.  `target_data` and `grouper-external_data`
# are declared but not referenced by any service in this file.
volumes:
  security_object:
  midpoint_data:
  midpoint_home:
  idp_conf:
  idp_credentials:
  idp_metadata:
  idp_certs:
  proxy_conf:
  proxy_cert:
  ldap:
  shared_pw:
  grouper_data:
  source_data:
  source_mysql:
  target_data:
  mq:
  grouper-external_data: