From 450041c7973c98fbfbdfbde2a2d16ca164b401cf Mon Sep 17 00:00:00 2001 From: Jesper Hess Nielsen Date: Fri, 15 Mar 2019 20:49:29 +0100 Subject: [PATCH 1/7] Add initial version of Gluu configuration --- roles/docker/defaults/main.yml | 4 + roles/docker/tasks/services/gluu.yml | 204 +++++++++++++++++++++++++++ 2 files changed, 208 insertions(+) create mode 100644 roles/docker/tasks/services/gluu.yml diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 566abab..69f5ece 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -69,3 +69,7 @@ portainer: domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" +gluu: + domain: "gluu.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/gluu" + diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml new file mode 100644 index 0000000..878ec33 --- /dev/null +++ b/roles/docker/tasks/services/gluu.yml 
@@ -0,0 +1,204 @@ +- name: create gluu volume folders + file: + name: "{{ volume_root_folder }}/{{ volume }}" + state: directory + loop: + - "consul" + - "consul/data" + - "opendj" + - "opendj/config" + - "opendj/ldif" + - "opendj/logs" + - "opendj/db" + - "opendj/flag" + - "opendj/backup" + - "oxauth" + - "oxauth/custom" + - "oxauth/custom/pages" + - "oxauth/custom/static" + - "oxauth/lib" + - "oxauth/lib/ext" + - "oxauth/logs" + - "oxtrust" + - "oxtrust/custom" + - "oxtrust/custom/pages" + - "oxtrust/lib" + - "oxtrust/lib/ext" + - "oxtrust/logs" + - "shared-shibboleth-idp" + +- name: set up gluu + docker_service: + project_name: gluu + pull: yes + definition: + version: "2.3" + services: + consul: + image: consul + command: agent -server -bootstrap -ui + hostname: consul-1 + environment: + - CONSUL_BIND_INTERFACE=eth0 + - CONSUL_CLIENT_INTERFACE=eth0 + container_name: consul + restart: unless-stopped + volumes: + - "{{ volume_root_folder }}/consul:/consul/data" + labels: + - "SERVICE_IGNORE=yes" + restart: unless-stopped + + registrator: + image: gluufederation/registrator:dev + command: registrator -internal -cleanup -resync 30 -retry-attempts 5 -retry-interval 10 consul://consul:8500 + container_name: registrator + volumes: + - /var/run/docker.sock:/tmp/docker.sock + restart: unless-stopped + depends_on: + - consul + + # redis: + # image: redis:alpine + # # run cluster-enabled redis-server + # # command: redis-server --port 6379 --cluster-enabled yes --cluster-config-file nodes.conf --appendonly yes --cluster-node-timeout 5000 + # container_name: redis + # labels: + # - "SERVICE_IGNORE=yes" + # restart: unless-stopped + + nginx: + image: gluufederation/nginx:3.1.4_01 + environment: + - GLUU_CONFIG_ADAPTER=consul + - GLUU_CONSUL_HOST=consul + - GLUU_CONSUL_PORT=8500 + - VIRTUAL_HOST="{{ gluu.domain }}" + - LETSENCRYPT_HOST="{{ gluu.domain }}" + - LETSENCRYPT_EMAIL="{{ letsencrypt_email }}" + ports: + - "80" + - "443" + container_name: nginx + restart: 
unless-stopped + labels: + - "SERVICE_IGNORE=yes" + + ldap: + image: gluufederation/opendj:3.1.4_04 + environment: + - GLUU_CONFIG_ADAPTER=consul + - GLUU_CONSUL_HOST=consul + - GLUU_CONSUL_PORT=8500 + - GLUU_LDAP_INIT=true + - GLUU_LDAP_INIT_HOST=ldap + - GLUU_LDAP_INIT_PORT=1636 + - GLUU_LDAP_ADDR_INTERFACE=eth0 + - GLUU_OXTRUST_CONFIG_GENERATION=true + - GLUU_CACHE_TYPE=NATIVE_PERSISTENCE + # - GLUU_CACHE_TYPE=REDIS # don't forget to enable redis service + # - GLUU_REDIS_URL=redis:6379 + # - GLUU_REDIS_TYPE=STANDALONE + # the value must match service name `ldap` because other containers + # use this value as LDAP hostname + - GLUU_CERT_ALT_NAME=ldap + container_name: ldap + volumes: + - "{{ volume_root_folder }}/opendj/config:/opt/opendj/config" + - "{{ volume_root_folder }}/opendj/ldif:/opt/opendj/ldif" + - "{{ volume_root_folder }}/opendj/logs:/opt/opendj/logs" + - "{{ volume_root_folder }}/opendj/db:/opt/opendj/db" + - "{{ volume_root_folder }}/opendj/flag:/flag" + - "{{ volume_root_folder }}/opendj/backup:/opt/opendj/bak" + restart: unless-stopped + labels: + - "SERVICE_IGNORE=yes" + + oxauth: + image: gluufederation/oxauth:3.1.4_03 + environment: + - GLUU_CONFIG_ADAPTER=consul + - GLUU_CONSUL_HOST=consul + - GLUU_CONSUL_PORT=8500 + - GLUU_LDAP_URL=ldap:1636 + extra_hosts: + - "${DOMAIN}:${HOST_IP}" + container_name: oxauth + volumes: + - "{{ volume_root_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages" + - "{{ volume_root_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static" + - "{{ volume_root_folder }}/oxauth/lib/ext:/opt/gluu/jetty/oxauth/lib/ext" + - "{{ volume_root_folder }}/oxauth/logs:/opt/gluu/jetty/oxauth/logs" + mem_limit: 1536M + restart: unless-stopped + labels: + - "SERVICE_NAME=oxauth" + - "SERVICE_8080_CHECK_HTTP=/oxauth/.well-known/openid-configuration" + - "SERVICE_8080_CHECK_INTERVAL=15s" + - "SERVICE_8080_CHECK_TIMEOUT=5s" + + oxtrust: + image: gluufederation/oxtrust:3.1.4_02 + environment: + - 
GLUU_CONFIG_ADAPTER=consul + - GLUU_CONSUL_HOST=consul + - GLUU_CONSUL_PORT=8500 + - GLUU_LDAP_URL=ldap:1636 + - GLUU_OXAUTH_BACKEND=oxauth:8080 + extra_hosts: + - "${DOMAIN}:${HOST_IP}" + container_name: oxtrust + volumes: + - "{{ volume_root_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages" + - "{{ volume_root_folder }}/oxtrust/custom/static:/opt/gluu/jetty/identity/custom/static" + - "{{ volume_root_folder }}/oxtrust/lib/ext:/opt/gluu/jetty/identity/lib/ext" + - "{{ volume_root_folder }}/oxtrust/logs:/opt/gluu/jetty/identity/logs" + - "{{ volume_root_folder }}/shared-shibboleth-idp:/opt/shared-shibboleth-idp" + mem_limit: 1536M + restart: unless-stopped + labels: + - "SERVICE_NAME=oxtrust" + - "SERVICE_8080_CHECK_HTTP=/identity/restv1/scim-configuration" + - "SERVICE_8080_CHECK_INTERVAL=15s" + - "SERVICE_8080_CHECK_TIMEOUT=5s" + + oxshibboleth: + image: gluufederation/oxshibboleth:3.1.4_01 + environment: + - GLUU_CONFIG_ADAPTER=consul + - GLUU_CONSUL_HOST=consul + - GLUU_CONSUL_PORT=8500 + - GLUU_LDAP_URL=ldap:1636 + extra_hosts: + - "${DOMAIN}:${HOST_IP}" + container_name: oxshibboleth + volumes: + - "{{ volume_root_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp" + mem_limit: 1024M + restart: unless-stopped + labels: + - "SERVICE_NAME=oxshibboleth" + - "SERVICE_8086_CHECK_HTTP=/idp" + - "SERVICE_8086_CHECK_INTERVAL=15s" + - "SERVICE_8086_CHECK_TIMEOUT=5s" + + oxpassport: + image: gluufederation/oxpassport:3.1.4_02 + environment: + - GLUU_CONFIG_ADAPTER=consul + - GLUU_CONSUL_HOST=consul + - GLUU_CONSUL_PORT=8500 + - GLUU_LDAP_URL=ldap:1636 + # required by wait-for-it script + - GLUU_OXAUTH_BACKEND=oxauth:8080 + - GLUU_OXTRUST_BACKEND=oxtrust:8080 + extra_hosts: + - "{{gluu.domain}}:85.235.225.231" + container_name: oxpassport + restart: unless-stopped + labels: + - "SERVICE_NAME=oxpassport" + - "SERVICE_8090_CHECK_HTTP=/passport" + - "SERVICE_8090_CHECK_INTERVAL=15s" + - "SERVICE_8090_CHECK_TIMEOUT=5s" \ No newline at end 
of file -- 2.43.4 From 19df47bc551b399605295ed0d8b56d9a15947370 Mon Sep 17 00:00:00 2001 From: Jesper Hess Nielsen Date: Fri, 15 Mar 2019 21:00:08 +0100 Subject: [PATCH 2/7] Fix copy-paste typos when setting hostname on gluu containers --- roles/docker/tasks/services/gluu.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml index 878ec33..cc1e84c 100644 --- a/roles/docker/tasks/services/gluu.yml +++ b/roles/docker/tasks/services/gluu.yml @@ -26,6 +26,8 @@ - "oxtrust/lib/ext" - "oxtrust/logs" - "shared-shibboleth-idp" + loop_control: + loop_var: "volume" - name: set up gluu docker_service: @@ -123,7 +125,7 @@ - GLUU_CONSUL_PORT=8500 - GLUU_LDAP_URL=ldap:1636 extra_hosts: - - "${DOMAIN}:${HOST_IP}" + - "{{gluu.domain}}:85.235.225.231" container_name: oxauth volumes: - "{{ volume_root_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages" @@ -147,7 +149,7 @@ - GLUU_LDAP_URL=ldap:1636 - GLUU_OXAUTH_BACKEND=oxauth:8080 extra_hosts: - - "${DOMAIN}:${HOST_IP}" + - "{{gluu.domain}}:85.235.225.231" container_name: oxtrust volumes: - "{{ volume_root_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages" @@ -171,7 +173,7 @@ - GLUU_CONSUL_PORT=8500 - GLUU_LDAP_URL=ldap:1636 extra_hosts: - - "${DOMAIN}:${HOST_IP}" + - "{{gluu.domain}}:85.235.225.231" container_name: oxshibboleth volumes: - "{{ volume_root_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp" -- 2.43.4 From 95a4310566d76ae60397f255f9fa913872bb7620 Mon Sep 17 00:00:00 2001 From: Jesper Hess Nielsen Date: Fri, 15 Mar 2019 21:22:46 +0100 Subject: [PATCH 3/7] Use volume folder instead of root folder.... --- roles/docker/tasks/services/gluu.yml | 46 ++++++++++++---------------- 1 file changed, 20 insertions(+), 26 deletions(-) diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml index cc1e84c..1bc3beb 100644 
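Review bot: The double quotes in `- VIRTUAL_HOST="{{ gluu.domain }}"`, `- LETSENCRYPT_HOST="{{ gluu.domain }}"` and `- LETSENCRYPT_EMAIL="{{ letsencrypt_email }}"` sit inside a plain YAML scalar, so they become part of the environment variable's value and the proxy that reads `VIRTUAL_HOST` is unlikely to match the host; write them as `- 'VIRTUAL_HOST={{ gluu.domain }}'` and likewise for the other two. The `extra_hosts` entries `"${DOMAIN}:${HOST_IP}"` are compose-file substitutions that, as far as I can tell, are not expanded when the definition is passed inline through `docker_service`, so they should be Jinja variables instead. The `registrator` service bind-mounts `/var/run/docker.sock`, which gives that container control of the Docker daemon on the host; registrator needs it, but the line deserves a comment such as `# registrator watches container events via the Docker socket; this is root-equivalent on the host` and a pinned image tag instead of `:dev`.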
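Review bot: All three hunks replace the placeholder with the literal public address `85.235.225.231`, hard-coding a deployment-specific IP into the role next to the templated `{{gluu.domain}}`. Moving it to a default alongside `gluu.domain` in `roles/docker/defaults/main.yml` (for example a `gluu.host_ip` key, name to be chosen) and writing the entry as `- "{{ gluu.domain }}:{{ gluu.host_ip }}"` keeps the role reusable and keeps the spacing consistent with the other Jinja expressions in the file. The same literal is already present for `oxpassport`, which this commit does not touch.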
--- a/roles/docker/tasks/services/gluu.yml +++ b/roles/docker/tasks/services/gluu.yml @@ -1,28 +1,22 @@ - name: create gluu volume folders file: - name: "{{ volume_root_folder }}/{{ volume }}" + name: "{{ gluu.volume_folder }}/{{ volume }}" state: directory loop: - - "consul" + - "config-init/db" - "consul/data" - - "opendj" - "opendj/config" - "opendj/ldif" - "opendj/logs" - "opendj/db" - "opendj/flag" - "opendj/backup" - - "oxauth" - "oxauth/custom" - "oxauth/custom/pages" - "oxauth/custom/static" - - "oxauth/lib" - "oxauth/lib/ext" - "oxauth/logs" - - "oxtrust" - - "oxtrust/custom" - "oxtrust/custom/pages" - - "oxtrust/lib" - "oxtrust/lib/ext" - "oxtrust/logs" - "shared-shibboleth-idp" @@ -41,12 +35,12 @@ command: agent -server -bootstrap -ui hostname: consul-1 environment: - - CONSUL_BIND_INTERFACE=eth0 + - CONSUL_BIND_INTER FACE=eth0 - CONSUL_CLIENT_INTERFACE=eth0 container_name: consul restart: unless-stopped volumes: - - "{{ volume_root_folder }}/consul:/consul/data" + - "{{ gluu.volume_folder }}/consul:/consul/data" labels: - "SERVICE_IGNORE=yes" restart: unless-stopped @@ -107,12 +101,12 @@ - GLUU_CERT_ALT_NAME=ldap container_name: ldap volumes: - - "{{ volume_root_folder }}/opendj/config:/opt/opendj/config" - - "{{ volume_root_folder }}/opendj/ldif:/opt/opendj/ldif" - - "{{ volume_root_folder }}/opendj/logs:/opt/opendj/logs" - - "{{ volume_root_folder }}/opendj/db:/opt/opendj/db" - - "{{ volume_root_folder }}/opendj/flag:/flag" - - "{{ volume_root_folder }}/opendj/backup:/opt/opendj/bak" + - "{{ gluu.volume_folder }}/opendj/config:/opt/opendj/config" + - "{{ gluu.volume_folder }}/opendj/ldif:/opt/opendj/ldif" + - "{{ gluu.volume_folder }}/opendj/logs:/opt/opendj/logs" + - "{{ gluu.volume_folder }}/opendj/db:/opt/opendj/db" + - "{{ gluu.volume_folder }}/opendj/flag:/flag" + - "{{ gluu.volume_folder }}/opendj/backup:/opt/opendj/bak" restart: unless-stopped labels: - "SERVICE_IGNORE=yes" 
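Review bot: The replacement line `- CONSUL_BIND_INTER FACE=eth0` in the consul hunk contains a stray space, so the container receives a variable named `CONSUL_BIND_INTER` instead of `CONSUL_BIND_INTERFACE` and Consul falls back to its default bind-address selection; the line should read `- CONSUL_BIND_INTERFACE=eth0`. PATCH 5/7 in this series repairs it, but this intermediate commit leaves the service misconfigured. In the first hunk of the same file, `config-init/db` is added to the directory loop although no service in the definition mounts it.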
@@ -128,10 +122,10 @@ - "{{gluu.domain}}:85.235.225.231" container_name: oxauth volumes: - - "{{ volume_root_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages" - - "{{ volume_root_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static" - - "{{ volume_root_folder }}/oxauth/lib/ext:/opt/gluu/jetty/oxauth/lib/ext" - - "{{ volume_root_folder }}/oxauth/logs:/opt/gluu/jetty/oxauth/logs" + - "{{ gluu.volume_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages" + - "{{ gluu.volume_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static" + - "{{ gluu.volume_folder }}/oxauth/lib/ext:/opt/gluu/jetty/oxauth/lib/ext" + - "{{ gluu.volume_folder }}/oxauth/logs:/opt/gluu/jetty/oxauth/logs" mem_limit: 1536M restart: unless-stopped labels: @@ -152,11 +146,11 @@ - "{{gluu.domain}}:85.235.225.231" container_name: oxtrust volumes: - - "{{ volume_root_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages" - - "{{ volume_root_folder }}/oxtrust/custom/static:/opt/gluu/jetty/identity/custom/static" - - "{{ volume_root_folder }}/oxtrust/lib/ext:/opt/gluu/jetty/identity/lib/ext" - - "{{ volume_root_folder }}/oxtrust/logs:/opt/gluu/jetty/identity/logs" - - "{{ volume_root_folder }}/shared-shibboleth-idp:/opt/shared-shibboleth-idp" + - "{{ gluu.volume_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages" + - "{{ gluu.volume_folder }}/oxtrust/custom/static:/opt/gluu/jetty/identity/custom/static" + - "{{ gluu.volume_folder }}/oxtrust/lib/ext:/opt/gluu/jetty/identity/lib/ext" + - "{{ gluu.volume_folder }}/oxtrust/logs:/opt/gluu/jetty/identity/logs" + - "{{ gluu.volume_folder }}/shared-shibboleth-idp:/opt/shared-shibboleth-idp" mem_limit: 1536M restart: unless-stopped labels: 
@@ -176,7 +170,7 @@ - "{{gluu.domain}}:85.235.225.231" container_name: oxshibboleth volumes: - - "{{ volume_root_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp" + - "{{ gluu.volume_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp" mem_limit: 1024M restart: unless-stopped labels: -- 2.43.4 From d5ff1c4e9dca046fd4d6c13a937e410691372f3e Mon Sep 17 00:00:00 2001 From: Jesper Hess Nielsen Date: Fri, 15 Mar 2019 22:01:10 +0100 Subject: [PATCH 4/7] Add network for gluu --- roles/docker/tasks/services/gluu.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml index 1bc3beb..9face84 100644 --- a/roles/docker/tasks/services/gluu.yml +++ b/roles/docker/tasks/services/gluu.yml @@ -41,6 +41,8 @@ restart: unless-stopped volumes: - "{{ gluu.volume_folder }}/consul:/consul/data" + networks: + - "gluu" labels: - "SERVICE_IGNORE=yes" restart: unless-stopped @@ -51,6 +53,8 @@ container_name: registrator volumes: - /var/run/docker.sock:/tmp/docker.sock + networks: + - "gluu" restart: unless-stopped depends_on: - consul @@ -76,6 +80,9 @@ ports: - "80" - "443" + networks: + - "external_services" + - "gluu" container_name: nginx restart: unless-stopped labels: @@ -107,6 +114,8 @@ - "{{ gluu.volume_folder }}/opendj/db:/opt/opendj/db" - "{{ gluu.volume_folder }}/opendj/flag:/flag" - "{{ gluu.volume_folder }}/opendj/backup:/opt/opendj/bak" + networks: + - "gluu" restart: unless-stopped labels: - "SERVICE_IGNORE=yes" @@ -126,6 +135,8 @@ - "{{ gluu.volume_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static" - "{{ gluu.volume_folder }}/oxauth/lib/ext:/opt/gluu/jetty/oxauth/lib/ext" - "{{ gluu.volume_folder }}/oxauth/logs:/opt/gluu/jetty/oxauth/logs" + networks: + - "gluu" mem_limit: 1536M restart: unless-stopped labels: 
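Review bot: The oxshibboleth mount `"{{ gluu.volume_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp"` keeps a stray `volumes/` path segment, while oxtrust mounts `{{ gluu.volume_folder }}/shared-shibboleth-idp` and the directory task creates `shared-shibboleth-idp` without that prefix, so the two containers do not share the IdP directory and the oxshibboleth side is presumably created on the fly by Docker as an empty directory. The line should be `- "{{ gluu.volume_folder }}/shared-shibboleth-idp:/opt/shared-shibboleth-idp"`. The path survives unchanged through PATCH 6/7.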
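Review bot: The `ports:` entries `"80"` and `"443"` still publish nginx on ephemeral host ports even though the nginx hunk now also attaches it to `external_services`. If `external_services` is the network of the proxy that consumes `VIRTUAL_HOST`/`LETSENCRYPT_HOST` (it looks that way, but the network is defined outside this file), the published ports are a second, unproxied entry point to the Gluu front end and `expose:` would be the safer form; otherwise a comment stating why host publishing is needed would help the next reader.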
@@ -151,6 +162,8 @@ - "{{ gluu.volume_folder }}/oxtrust/lib/ext:/opt/gluu/jetty/identity/lib/ext" - "{{ gluu.volume_folder }}/oxtrust/logs:/opt/gluu/jetty/identity/logs" - "{{ gluu.volume_folder }}/shared-shibboleth-idp:/opt/shared-shibboleth-idp" + networks: + - "gluu" mem_limit: 1536M restart: unless-stopped labels: @@ -171,6 +184,8 @@ container_name: oxshibboleth volumes: - "{{ gluu.volume_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp" + networks: + - "gluu" mem_limit: 1024M restart: unless-stopped labels: @@ -192,9 +207,17 @@ extra_hosts: - "{{gluu.domain}}:85.235.225.231" container_name: oxpassport + networks: + - "gluu" restart: unless-stopped labels: - "SERVICE_NAME=oxpassport" - "SERVICE_8090_CHECK_HTTP=/passport" - "SERVICE_8090_CHECK_INTERVAL=15s" - - "SERVICE_8090_CHECK_TIMEOUT=5s" \ No newline at end of file + - "SERVICE_8090_CHECK_TIMEOUT=5s" + + networks: + external_services: + external: true + gluu: + name: "gluu" \ No newline at end of file -- 2.43.4 From f2d9554385ca1f724d90ca6dd07cdfee4cfc61e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?= Date: Thu, 21 Mar 2019 09:41:14 +0100 Subject: [PATCH 5/7] Some stuff. --- group_vars/all/secrets.yml | 110 ++++++++++++++------------- roles/docker/tasks/services/gluu.yml | 9 +-- 2 files changed, 61 insertions(+), 58 deletions(-) diff --git a/group_vars/all/secrets.yml b/group_vars/all/secrets.yml index 38e524d..d75cca4 100644 --- a/group_vars/all/secrets.yml +++ b/group_vars/all/secrets.yml 
@@ -1,54 +1,58 @@ $ANSIBLE_VAULT;1.1;AES256 -62313439613039363637356330653731356138373839373435306535656137646266633764393537 -3737663637343865303232643632613934313137613536640a633634356338353764366365626266 -66323064346539663435646265346665616465353363623732303563303838356364643734393231 -3161633362383363390a376530393463643838303238386139313661366335386439373734333835 -63323034303732386430313265306465636630356330303431663761363461623530643933393831 -62666438316266396432353663633331343137643265333966636436373730343938623732653030 -62383536373139366239363535353463643961313839376436663830613738303262646639396131 -66656532616231636537623162373965356537336436613130366464393461343730646664356466 -38313439373332306265643039666532363863333364666233333861363832316637383432343464 -64366536613364363265333938643438313837643936323536636335613064623639393437303466 -31333539373130376230323964636335393166306662626131636462656632623635393036663437 -37333735616665383431623266393365613433323335313161316161373637616563626637333861 -37326532303638653139383639383166323361363334306361663261366661613038633464323337 -31393538653830333865373064383837626261663163623664653938303230616334363861346132 -63353036313164313265313134633861633937323335303830336232363939613635303764313063 -33666161356366636139633138653736333662303364333838663033633163613136616639376532 -31373131326264383666326566303930636166653463313630376235663638663937663765306439 -31663039323663633735326266393263633937373339383537623835306431333636316664303864 -63653564313339376135303237626366666164623738626439613562616338663539393635396437 -30333036353035613131613034666262346233336563343531633033343163326264326563643235 -62663538623532333432656435306462663362353630346133373262633630306262626362653733 -65363031346339393632396664363362346236373035376632663466343034376566666563353231 -36623538303262323265616237326630666662646634383962656533636165326665316366643231 
-39303465313135616238653664366637356361393165356430636137366236643938316430613838 -65353331636564373136393930303537386335653766363632646433353962613033656434313063 -35653365366332316434373665316230646665613166656230313832356136346439326232343166 -38323934396561386138323739396166303132396234386435633965663139643234396434333163 -66346634393330306638383430616433333361623861623864356563366162313830393334616138 -32346633396662636633373637363262656165316434333139346530303562356236306637643365 -65613361373637383936633431396636356634656333343537353762383537353035616131633732 -38303736636136393039613537613831633139363338656239613261383637653332333737323034 -61303839636330396139346436336663643531613364383134613061646136646236636364636662 -33666564623731343264306638303333326463323363306439333762306434306235643530663931 -63623932373737373539393230326538643739653734306131366365303638313263316635633439 -34343231663761393266636537353330643361306139653734383466666662623931616665663239 -65633136636333316266616433396166326333303033646162656466363931313539343035623666 -63346162386533373334633261383237376330643738663761636166653033303933613630653835 -66313439663732356539363833616338356337666335316136623231383161656362653561653565 -33616437643533386263393733636666373237663132343432636664633535653535316134313266 -66363362383662313632633535613635656364323939313466303634646237653061353766373831 -62303366366564653231613863633564303637346262336535386366663034663832663762666132 -64333630666463653266333430386135386436643939393964303230366538336562333737616639 -65646566663363313430396132653832646263393739656564653138353637373362613261366230 -62616561303735316230626134353266613938326563326232623361656364623062326365343534 -62346433373965336430326632333634306463343934393830393165393933323439393534386665 -32373235353037626638343066386563663431356465353039353338643835653166333761386433 -64333338306661346436373238646134653233666565653834303935303235653661343366653563 
-63356566633730303033376230356363326561663232386161333566616334623236663562613234 -63646561623565366332313837353461313566653531356662613663323065613035323731323832 -31386166623935373139356239353037633363313531396466363735613332653430396161303366 -37376238333831306231393433313734303839376132656532616461356662383430303532373937 -39303634303762373736626439323830353665343162363531376134616466303762633535343866 -3162 +63333365303665346136333263333734363333616230313931356131633966646263316436356536 +3565366362616366393362636336383565366531333839620a333939613332646665633236343336 +36633835396234643233643936396565636564343538633838343438353030306433346262393739 +6339346565653237370a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diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml index 9face84..c014227 100644 --- a/roles/docker/tasks/services/gluu.yml +++ b/roles/docker/tasks/services/gluu.yml @@ -12,7 +12,7 @@ - "opendj/flag" - "opendj/backup" - "oxauth/custom" - - "oxauth/custom/pages" + - "oxauth/custom/pages" - "oxauth/custom/static" - "oxauth/lib/ext" - "oxauth/logs" @@ -35,7 +35,7 @@ command: agent -server -bootstrap -ui hostname: consul-1 environment: - - CONSUL_BIND_INTER FACE=eth0 + - CONSUL_BIND_INTERFACE=eth0 - CONSUL_CLIENT_INTERFACE=eth0 container_name: consul restart: unless-stopped @@ -45,7 +45,6 @@ - "gluu" labels: - "SERVICE_IGNORE=yes" - restart: unless-stopped registrator: image: gluufederation/registrator:dev @@ -215,9 +214,9 @@ - "SERVICE_8090_CHECK_HTTP=/passport" - "SERVICE_8090_CHECK_INTERVAL=15s" - "SERVICE_8090_CHECK_TIMEOUT=5s" - + networks: external_services: external: true gluu: - name: "gluu" \ No newline at end of file + name: "gluu" -- 2.43.4 From 44b5d0830f9e9bf889be0b2fea6664f67d08a876 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?= Date: Sat, 31 Aug 2019 18:43:14 +0200 Subject: [PATCH 6/7] Update to new stuff --- roles/docker/tasks/services/gluu.yml | 101 +++++++++++++++------------ 1 file changed, 56 insertions(+), 45 deletions(-) diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml index c014227..f142cf2 100644 --- a/roles/docker/tasks/services/gluu.yml +++ b/roles/docker/tasks/services/gluu.yml @@ -20,6 +20,9 @@ - "oxtrust/lib/ext" - "oxtrust/logs" - "shared-shibboleth-idp" + - "vault/config:/vault/config" + - "vault/data:/vault/data" + - "vault/logs:/vault/logs" loop_control: loop_var: "volume" @@ -32,12 +35,12 @@ services: consul: image: consul + container_name: consul command: agent -server -bootstrap -ui hostname: consul-1 environment: - CONSUL_BIND_INTERFACE=eth0 - CONSUL_CLIENT_INTERFACE=eth0 - container_name: consul restart: unless-stopped volumes: - "{{ gluu.volume_folder }}/consul:/consul/data" 
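Review bot: The three entries added to the directory loop, `"vault/config:/vault/config"`, `"vault/data:/vault/data"` and `"vault/logs:/vault/logs"`, are bind-mount specifications, but the loop feeds them into `file: name: "{{ gluu.volume_folder }}/{{ volume }}"` with `state: directory`, so the task creates a directory literally named `config:` with `vault/config` nested under it and never creates `vault/config` itself. They should be `"vault/config"`, `"vault/data"` and `"vault/logs"` like the other items. The `vault` service added further down in this commit mounts `{{ gluu.volume_folder }}/vault/config` and siblings, which this loop was meant to prepare.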
@@ -46,10 +49,34 @@ labels: - "SERVICE_IGNORE=yes" + vault: + container_name: vault + image: vault:1.0.1 + command: vault server -config=/vault/config + volumes: + - "{{ gluu.volume_folder }}/vault/config:/vault/config" + - "{{ gluu.volume_folder }}/vault/data:/vault/data" + - "{{ gluu.volume_folder }}/vault/logs:/vault/logs" + - "{{ gluu.volume_folder }}/vault/vault_gluu_policy.hcl:/vault/config/policy.hcl" + - "{{ gluu.volume_folder }}/vault/gcp_kms_stanza.hcl:/vault/config/stanza.hcl" + - "{{ gluu.volume_folder }}/vault/gcp_kms_creds.json:/vault/config/creds.json" + cap_add: + - IPC_LOCK + environment: + - VAULT_REDIRECT_INTERFACE=eth0 + - VAULT_CLUSTER_INTERFACE=eth0 + - VAULT_ADDR=http://0.0.0.0:8200 + - VAULT_LOCAL_CONFIG={"backend":{"consul":{"address":"consul:8500","path":"vault/"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}} + restart: unless-stopped + depends_on: + - consul + labels: + - "SERVICE_IGNORE=yes" + registrator: + container_name: registrator image: gluufederation/registrator:dev command: registrator -internal -cleanup -resync 30 -retry-attempts 5 -retry-interval 10 consul://consul:8500 - container_name: registrator volumes: - /var/run/docker.sock:/tmp/docker.sock networks: 
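Review bot: The vault service bind-mounts `{{ gluu.volume_folder }}/vault/vault_gluu_policy.hcl`, `.../gcp_kms_stanza.hcl` and `.../gcp_kms_creds.json`, but nothing in this role creates or copies those files, and with the short `volumes:` syntax a missing source path is created by Docker as an empty directory, after which Vault cannot read its config. The GCP KMS credential file in particular should be delivered by a dedicated task (from the vault-encrypted `group_vars/all/secrets.yml`, presumably) with a restrictive mode and a comment such as `# gcp_kms_creds.json holds the auto-unseal service-account key; keep mode 0600`. The listener runs with `"tls_disable":1` and `VAULT_ADDR=http://0.0.0.0:8200`, so tokens and secrets cross the `gluu` bridge network in clear text; that may be acceptable on a single-host bridge, but it deserves an explicit comment on the `VAULT_LOCAL_CONFIG` line.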
@@ -58,45 +85,34 @@ depends_on: - consul - # redis: - # image: redis:alpine - # # run cluster-enabled redis-server - # # command: redis-server --port 6379 --cluster-enabled yes --cluster-config-file nodes.conf --appendonly yes --cluster-node-timeout 5000 - # container_name: redis - # labels: - # - "SERVICE_IGNORE=yes" - # restart: unless-stopped - nginx: - image: gluufederation/nginx:3.1.4_01 + container_name: nginx + image: gluufederation/nginx:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - VIRTUAL_HOST="{{ gluu.domain }}" - LETSENCRYPT_HOST="{{ gluu.domain }}" - LETSENCRYPT_EMAIL="{{ letsencrypt_email }}" ports: - - "80" - - "443" + - "80:80" + - "443:443" networks: - "external_services" - "gluu" - container_name: nginx restart: unless-stopped labels: - "SERVICE_IGNORE=yes" ldap: - image: gluufederation/opendj:3.1.4_04 + container_name: ldap + image: gluufederation/opendj:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - GLUU_LDAP_INIT=true - GLUU_LDAP_INIT_HOST=ldap - GLUU_LDAP_INIT_PORT=1636 - - GLUU_LDAP_ADDR_INTERFACE=eth0 - GLUU_OXTRUST_CONFIG_GENERATION=true - GLUU_CACHE_TYPE=NATIVE_PERSISTENCE # - GLUU_CACHE_TYPE=REDIS # don't forget to enable redis service @@ -105,7 +121,6 @@ # the value must match service name `ldap` because other containers # use this value as LDAP hostname - GLUU_CERT_ALT_NAME=ldap - container_name: ldap volumes: - "{{ gluu.volume_folder }}/opendj/config:/opt/opendj/config" - "{{ gluu.volume_folder }}/opendj/ldif:/opt/opendj/ldif" 
@@ -120,15 +135,14 @@ - "SERVICE_IGNORE=yes" oxauth: - image: gluufederation/oxauth:3.1.4_03 + container_name: oxauth + image: gluufederation/oxauth:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=consul - GLUU_LDAP_URL=ldap:1636 extra_hosts: - - "{{gluu.domain}}:85.235.225.231" - container_name: oxauth + - "{{ gluu.domain }}:85.235.225.231" volumes: - "{{ gluu.volume_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages" - "{{ gluu.volume_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static" @@ -145,15 +159,14 @@ - "SERVICE_8080_CHECK_TIMEOUT=5s" oxtrust: - image: gluufederation/oxtrust:3.1.4_02 + image: gluufederation/oxtrust:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - GLUU_LDAP_URL=ldap:1636 - GLUU_OXAUTH_BACKEND=oxauth:8080 extra_hosts: - - "{{gluu.domain}}:85.235.225.231" + - "{{ gluu.domain }}:85.235.225.231" container_name: oxtrust volumes: - "{{ gluu.volume_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages" @@ -172,15 +185,14 @@ - "SERVICE_8080_CHECK_TIMEOUT=5s" oxshibboleth: - image: gluufederation/oxshibboleth:3.1.4_01 + container_name: oxshibboleth + image: gluufederation/oxshibboleth:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - GLUU_LDAP_URL=ldap:1636 extra_hosts: - "{{gluu.domain}}:85.235.225.231" - container_name: oxshibboleth volumes: - "{{ gluu.volume_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp" networks: 
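Review bot: The oxauth hunk sets `- GLUU_SECRET_VAULT_HOST=consul`, whereas nginx, ldap, oxtrust, oxshibboleth and oxpassport in the same commit all set `GLUU_SECRET_VAULT_HOST=vault`; this looks like a copy-paste slip that points oxauth's secret lookups at the Consul container instead of Vault, and the line should read `- GLUU_SECRET_VAULT_HOST=vault`. PATCH 7/7 does not correct it. The oxshibboleth hunk below and the oxpassport hunk in the next chunk also keep the unspaced `{{gluu.domain}}` form that this commit normalizes to `{{ gluu.domain }}` for oxauth and oxtrust.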
@@ -194,18 +206,17 @@ - "SERVICE_8086_CHECK_TIMEOUT=5s" oxpassport: - image: gluufederation/oxpassport:3.1.4_02 + container_name: oxpassport + image: gluufederation/oxpassport:3.1.5_02 environment: - - GLUU_CONFIG_ADAPTER=consul - - GLUU_CONSUL_HOST=consul - - GLUU_CONSUL_PORT=8500 + - GLUU_CONFIG_CONSUL_HOST=consul + - GLUU_SECRET_VAULT_HOST=vault - GLUU_LDAP_URL=ldap:1636 # required by wait-for-it script - GLUU_OXAUTH_BACKEND=oxauth:8080 - GLUU_OXTRUST_BACKEND=oxtrust:8080 extra_hosts: - "{{gluu.domain}}:85.235.225.231" - container_name: oxpassport networks: - "gluu" restart: unless-stopped -- 2.43.4 From 03b12aa32e8e30d19d5a8562dab57e3eb61e3a5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?= Date: Sat, 31 Aug 2019 19:58:04 +0200 Subject: [PATCH 7/7] Small fixes. .. --- roles/docker/tasks/services/gluu.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/docker/tasks/services/gluu.yml b/roles/docker/tasks/services/gluu.yml index f142cf2..c4545d7 100644 --- a/roles/docker/tasks/services/gluu.yml +++ b/roles/docker/tasks/services/gluu.yml @@ -68,6 +68,8 @@ - VAULT_ADDR=http://0.0.0.0:8200 - VAULT_LOCAL_CONFIG={"backend":{"consul":{"address":"consul:8500","path":"vault/"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}} restart: unless-stopped + networks: + - "gluu" depends_on: - consul labels: @@ -95,8 +97,8 @@ - LETSENCRYPT_HOST="{{ gluu.domain }}" - LETSENCRYPT_EMAIL="{{ letsencrypt_email }}" ports: - - "80:80" - - "443:443" + - "80" + - "443" networks: - "external_services" - "gluu" @@ -159,6 +161,7 @@ - "SERVICE_8080_CHECK_TIMEOUT=5s" oxtrust: + container_name: oxtrust image: gluufederation/oxtrust:3.1.5_02 environment: - GLUU_CONFIG_CONSUL_HOST=consul 
@@ -167,7 +170,6 @@ - GLUU_OXAUTH_BACKEND=oxauth:8080 extra_hosts: - "{{ gluu.domain }}:85.235.225.231" - container_name: oxtrust volumes: - "{{ gluu.volume_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages" - "{{ gluu.volume_folder }}/oxtrust/custom/static:/opt/gluu/jetty/identity/custom/static" -- 2.43.4