diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml index c014227b..f142cf2b 100644 --- a/roles/docker/tasks/services/gluu.yml +++ b/roles/docker/tasks/services/gluu.yml @@ -20,6 +20,9 @@ - "oxtrust/lib/ext" - "oxtrust/logs" - "shared-shibboleth-idp" + - "vault/config:/vault/config" + - "vault/data:/vault/data" + - "vault/logs:/vault/logs" loop_control: loop_var: "volume" @@ -32,12 +35,12 @@ services: consul: image: consul + container_name: consul command: agent -server -bootstrap -ui hostname: consul-1 environment: - CONSUL_BIND_INTERFACE=eth0 - CONSUL_CLIENT_INTERFACE=eth0 - container_name: consul restart: unless-stopped volumes: - "{{ gluu.volume_folder }}/consul:/consul/data" @@ -46,10 +49,34 @@ labels: - "SERVICE_IGNORE=yes" + vault: + container_name: vault + image: vault:1.0.1 + command: vault server -config=/vault/config + volumes: + - "{{ gluu.volume_folder }}/vault/config:/vault/config" + - "{{ gluu.volume_folder }}/vault/data:/vault/data" + - "{{ gluu.volume_folder }}/vault/logs:/vault/logs" + - "{{ gluu.volume_folder }}/vault/vault_gluu_policy.hcl:/vault/config/policy.hcl" + - "{{ gluu.volume_folder }}/vault/gcp_kms_stanza.hcl:/vault/config/stanza.hcl" + - "{{ gluu.volume_folder }}/vault/gcp_kms_creds.json:/vault/config/creds.json" + cap_add: + - IPC_LOCK + environment: + - VAULT_REDIRECT_INTERFACE=eth0 + - VAULT_CLUSTER_INTERFACE=eth0 + - VAULT_ADDR=http://0.0.0.0:8200 + - VAULT_LOCAL_CONFIG={"backend":{"consul":{"address":"consul:8500","path":"vault/"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}} + restart: unless-stopped + depends_on: + - consul + labels: + - "SERVICE_IGNORE=yes" + registrator: + container_name: registrator image: gluufederation/registrator:dev command: registrator -internal -cleanup -resync 30 -retry-attempts 5 -retry-interval 10 consul://consul:8500 - container_name: registrator volumes: - /var/run/docker.sock:/tmp/docker.sock networks: 
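Review bot: The three entries added at the end of the volume-directory list carry a `host:container` mapping (`vault/config:/vault/config`), while every neighbouring entry (`oxtrust/logs`, `shared-shibboleth-idp`) is a bare relative path. If, as `loop_control: loop_var: "volume"` suggests, this list feeds a directory-creation task that joins each item onto `gluu.volume_folder`, the colon and everything after it become part of the created path and the directories the new `vault` service bind-mounts are never created; the consuming task is outside the hunk, so this is inferred. The entries should be `- "vault/config"`, `- "vault/data"`, `- "vault/logs"`, matching the other items and the mount sources used by the vault service. Because the host-side `vault/config` directory will also hold the GCP KMS credentials file mounted later in this commit, the creating task should give it a restrictive mode rather than the default.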
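Review bot: `command: vault server -config=/vault/config` points Vault at a directory, and the `volumes:` block then mounts `policy.hcl` and the GCP service-account `creds.json` into that same directory; as far as I recall, Vault's config loader reads every `.hcl` and `.json` file in a `-config` directory and rejects unknown keys, so the server would likely refuse to start (or misparse) on the policy's `path` blocks and the credential file's JSON fields. Mount both outside the config directory and read-only, e.g. `- "{{ gluu.volume_folder }}/vault/vault_gluu_policy.hcl:/vault/policies/gluu.hcl:ro"` and `- "{{ gluu.volume_folder }}/vault/gcp_kms_creds.json:/vault/gcp/creds.json:ro"`, and point `stanza.hcl` (presumably the `seal "gcpckms"` stanza) at the new credentials path. The embedded `VAULT_LOCAL_CONFIG` sets `"tls_disable":1`, so every Gluu container fetches its secrets from Vault in plaintext over the compose network and nothing in the hunk constrains who can reach port 8200; if TLS is deliberately left off for the internal network, say so in a comment next to the listener and confirm `vault` is never published on the host. Since `consul:8500` is now Vault's storage backend, also check that Consul's ACL system is enabled so other containers on the `gluu` network cannot read or delete Vault's KV path.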
@@ -58,45 +85,34 @@ depends_on: - consul - # redis: - # image: redis:alpine - # # run cluster-enabled redis-server - # # command: redis-server --port 6379 --cluster-enabled yes --cluster-config-file nodes.conf --appendonly yes --cluster-node-timeout 5000 - # container_name: redis - # labels: - # - "SERVICE_IGNORE=yes" - # restart: unless-stopped - nginx: - image: gluufederation/nginx:3.1.4_01 + container_name: nginx + image: gluufederation/nginx:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - VIRTUAL_HOST="{{ gluu.domain }}" - LETSENCRYPT_HOST="{{ gluu.domain }}" - LETSENCRYPT_EMAIL="{{ letsencrypt_email }}" ports: - - "80" - - "443" + - "80:80" + - "443:443" networks: - "external_services" - "gluu" - container_name: nginx restart: unless-stopped labels: - "SERVICE_IGNORE=yes" ldap: - image: gluufederation/opendj:3.1.4_04 + container_name: ldap + image: gluufederation/opendj:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - GLUU_LDAP_INIT=true - GLUU_LDAP_INIT_HOST=ldap - GLUU_LDAP_INIT_PORT=1636 - - GLUU_LDAP_ADDR_INTERFACE=eth0 - GLUU_OXTRUST_CONFIG_GENERATION=true - GLUU_CACHE_TYPE=NATIVE_PERSISTENCE # - GLUU_CACHE_TYPE=REDIS # don't forget to enable redis service @@ -105,7 +121,6 @@ # the value must match service name `ldap` because other containers # use this value as LDAP hostname - GLUU_CERT_ALT_NAME=ldap - container_name: ldap volumes: - "{{ gluu.volume_folder }}/opendj/config:/opt/opendj/config" - "{{ gluu.volume_folder }}/opendj/ldif:/opt/opendj/ldif" 
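Review bot: The ldap and nginx services now get `GLUU_SECRET_VAULT_HOST=vault` (the same pattern is applied to oxauth, oxtrust, oxshibboleth and oxpassport in the later hunks), but nothing in the commit supplies the credential these containers use to authenticate to Vault; if I recall correctly the Gluu 3.1.5 images expect an AppRole role_id/secret_id read from files under `/etc/certs` (overridable via `GLUU_SECRET_VAULT_ROLE_ID_FILE` / `GLUU_SECRET_VAULT_SECRET_ID_FILE`), so the `vault_gluu_policy.hcl` mounted into the vault service needs a matching AppRole and each service needs those id files mounted, none of which appears here. If that provisioning happens in another role or by hand, a comment above `ldap:` pointing to it would save the next reader the search, e.g. `# Vault AppRole ids for the Gluu containers are provisioned separately; see <placeholder: vault bootstrap task>`. The `ports:` change from `"80"`/`"443"` to `"80:80"`/`"443:443"` binds nginx to fixed host ports on all interfaces, which is what an edge proxy wants but is a behaviour change from the previous ephemeral host-port publish and deserves a word in the commit description. The context line `# - GLUU_CACHE_TYPE=REDIS # don't forget to enable redis service` still refers to the `redis` service this hunk deletes, so either drop it or reword it to say the service definition must be re-added; the `ldap:` block continues past the hunk.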
@@ -120,15 +135,14 @@
- "SERVICE_IGNORE=yes"
oxauth:
- image: gluufederation/oxauth:3.1.4_03
+ container_name: oxauth
+ image: gluufederation/oxauth:3.1.5_02
environment:
- - GLUU_CONFIG_ADAPTER=consul
- - GLUU_CONSUL_HOST=consul
- - GLUU_CONSUL_PORT=8500
+ - GLUU_CONFIG_CONSUL_HOST=consul
+ - GLUU_SECRET_VAULT_HOST=consul
- GLUU_LDAP_URL=ldap:1636
extra_hosts:
- - "{{gluu.domain}}:85.235.225.231"
- container_name: oxauth
+ - "{{ gluu.domain }}:85.235.225.231"
volumes:
- "{{ gluu.volume_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages"
- "{{ gluu.volume_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static"
@@ -145,15 +159,14 @@
- "SERVICE_8080_CHECK_TIMEOUT=5s"
oxtrust:
- image: gluufederation/oxtrust:3.1.4_02
+ image: gluufederation/oxtrust:3.1.5_02
environment:
- - GLUU_CONFIG_ADAPTER=consul
- - GLUU_CONSUL_HOST=consul
- - GLUU_CONSUL_PORT=8500
+ - GLUU_CONFIG_CONSUL_HOST=consul
+ - GLUU_SECRET_VAULT_HOST=vault
- GLUU_LDAP_URL=ldap:1636
- GLUU_OXAUTH_BACKEND=oxauth:8080
extra_hosts:
- - "{{gluu.domain}}:85.235.225.231"
+ - "{{ gluu.domain }}:85.235.225.231"
container_name: oxtrust
volumes:
- "{{ gluu.volume_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages"
@@ -172,15 +185,14 @@
- "SERVICE_8080_CHECK_TIMEOUT=5s"
oxshibboleth:
- image: gluufederation/oxshibboleth:3.1.4_01
+ container_name: oxshibboleth
+ image: gluufederation/oxshibboleth:3.1.5_02
environment:
- - GLUU_CONFIG_ADAPTER=consul
- - GLUU_CONSUL_HOST=consul
- - GLUU_CONSUL_PORT=8500
+ - GLUU_CONFIG_CONSUL_HOST=consul
+ - GLUU_SECRET_VAULT_HOST=vault
- GLUU_LDAP_URL=ldap:1636
extra_hosts:
- "{{gluu.domain}}:85.235.225.231"
- container_name: oxshibboleth
volumes:
- "{{ gluu.volume_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp"
networks:
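Review bot: `+ - GLUU_SECRET_VAULT_HOST=consul` in the oxauth service points the secret adapter at the Consul container, whereas nginx, ldap, oxtrust, oxshibboleth and oxpassport all use `vault`; oxauth would presumably try to reach Vault's API on the consul host and fail to load its secrets, so this line should read `- GLUU_SECRET_VAULT_HOST=vault`. The rewritten `extra_hosts` lines here and in the oxtrust hunk only fix the Jinja spacing and keep the public IP `85.235.225.231` hard-coded in a role task file; moving it to an inventory variable (e.g. `"{{ gluu.domain }}:{{ gluu.public_ip }}"`, variable name constructed) keeps the site-specific address out of the role and lets the oxshibboleth and oxpassport entries, which still use the unspaced `{{gluu.domain}}` form, be brought in line at the same time. The oxauth and oxtrust blocks continue past their hunks.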
@@ -194,18 +206,17 @@ - "SERVICE_8086_CHECK_TIMEOUT=5s" oxpassport: - image: gluufederation/oxpassport:3.1.4_02 + container_name: oxpassport + image: gluufederation/oxpassport:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - GLUU_LDAP_URL=ldap:1636 # required by wait-for-it script - GLUU_OXAUTH_BACKEND=oxauth:8080 - GLUU_OXTRUST_BACKEND=oxtrust:8080 extra_hosts: - "{{gluu.domain}}:85.235.225.231" - container_name: oxpassport networks: - "gluu" restart: unless-stopped