automate OIDC setup for devicehub server & client
parent
260ac90f86
commit
b423a53cfe
|
@ -1,15 +1,13 @@
|
||||||
version: "3.9"
|
version: "3.9"
|
||||||
services:
|
services:
|
||||||
|
|
||||||
devicehub:
|
devicehub-id-server:
|
||||||
init: true
|
init: true
|
||||||
# TODO
|
image: dkr-dsg.ac.upc.edu/devicehub/devicehub:dpp_docker__54511e1b
|
||||||
image: dkr-dsg.ac.upc.edu/devicehub/devicehub:dpp_docker__eafcac09
|
|
||||||
#build .
|
|
||||||
environment:
|
environment:
|
||||||
- DB_USER=${DB_USER}
|
- DB_USER=${DB_USER}
|
||||||
- DB_PASSWORD=${DB_PASSWORD}
|
- DB_PASSWORD=${DB_PASSWORD}
|
||||||
- DB_HOST=postgres
|
- DB_HOST=postgres-id-server
|
||||||
- DB_DATABASE=${DB_DATABASE}
|
- DB_DATABASE=${DB_DATABASE}
|
||||||
- HOST=${HOST}
|
- HOST=${HOST}
|
||||||
- EMAIL_DEMO=${EMAIL_DEMO}
|
- EMAIL_DEMO=${EMAIL_DEMO}
|
||||||
|
@ -19,15 +17,18 @@ services:
|
||||||
- API_DLT=${API_DLT}
|
- API_DLT=${API_DLT}
|
||||||
- API_RESOLVER=${API_RESOLVER}
|
- API_RESOLVER=${API_RESOLVER}
|
||||||
- API_DLT_TOKEN=${API_DLT_TOKEN}
|
- API_DLT_TOKEN=${API_DLT_TOKEN}
|
||||||
- DEVICEHUB_HOST=${DEVICEHUB_HOST}
|
- DEVICEHUB_HOST=${SERVER_ID_DEVICEHUB_HOST}
|
||||||
- ID_FEDERATED=${ID_FEDERATED}
|
- ID_FEDERATED=${SERVER_ID_FEDERATED}
|
||||||
- URL_MANUALS=${URL_MANUALS}
|
- URL_MANUALS=${URL_MANUALS}
|
||||||
|
- ID_SERVICE=${SERVER_ID_SERVICE}
|
||||||
|
- AUTHORIZED_CLIENT_URL=${CLIENT_ID_DEVICEHUB_HOST}
|
||||||
ports:
|
ports:
|
||||||
- 5000:5000
|
- 5000:5000
|
||||||
volumes:
|
volumes:
|
||||||
- ${SNAPSHOTS_PATH}:/mnt/snapshots:ro
|
- ${SNAPSHOTS_PATH}:/mnt/snapshots:ro
|
||||||
|
- shared:/shared:rw
|
||||||
|
|
||||||
postgres:
|
postgres-id-server:
|
||||||
image: dkr-dsg.ac.upc.edu/devicehub/postgres:dpp_docker__eafcac09
|
image: dkr-dsg.ac.upc.edu/devicehub/postgres:dpp_docker__eafcac09
|
||||||
# 4. To create the database.
|
# 4. To create the database.
|
||||||
# 5. Give permissions to the corresponding users in the database.
|
# 5. Give permissions to the corresponding users in the database.
|
||||||
|
@ -36,12 +37,59 @@ services:
|
||||||
- POSTGRES_PASSWORD=${DB_PASSWORD}
|
- POSTGRES_PASSWORD=${DB_PASSWORD}
|
||||||
- POSTGRES_USER=${DB_USER}
|
- POSTGRES_USER=${DB_USER}
|
||||||
- POSTGRES_DB=${DB_DATABASE}
|
- POSTGRES_DB=${DB_DATABASE}
|
||||||
|
# DEBUG
|
||||||
|
#ports:
|
||||||
|
# - 5432:5432
|
||||||
|
# TODO persistence
|
||||||
|
#volumes:
|
||||||
|
# - pg_data:/var/lib/postgresql/data
|
||||||
|
|
||||||
|
devicehub-id-client:
|
||||||
|
init: true
|
||||||
|
image: dkr-dsg.ac.upc.edu/devicehub/devicehub:dpp_docker__54511e1b
|
||||||
|
environment:
|
||||||
|
- DB_USER=${DB_USER}
|
||||||
|
- DB_PASSWORD=${DB_PASSWORD}
|
||||||
|
- DB_HOST=postgres-id-client
|
||||||
|
- DB_DATABASE=${DB_DATABASE}
|
||||||
|
- HOST=${HOST}
|
||||||
|
- EMAIL_DEMO=${EMAIL_DEMO}
|
||||||
|
- PASSWORD_DEMO=${PASSWORD_DEMO}
|
||||||
|
- JWT_PASS=${JWT_PASS}
|
||||||
|
- SECRET_KEY=${SECRET_KEY}
|
||||||
|
- API_DLT=${API_DLT}
|
||||||
|
- API_RESOLVER=${API_RESOLVER}
|
||||||
|
- API_DLT_TOKEN=${API_DLT_TOKEN}
|
||||||
|
- DEVICEHUB_HOST=${CLIENT_ID_DEVICEHUB_HOST}
|
||||||
|
- SERVER_ID_HOST=${SERVER_ID_DEVICEHUB_HOST}
|
||||||
|
- ID_FEDERATED=${CLIENT_ID_FEDERATED}
|
||||||
|
- URL_MANUALS=${URL_MANUALS}
|
||||||
|
- ID_SERVICE=${CLIENT_ID_SERVICE}
|
||||||
ports:
|
ports:
|
||||||
- 5432:5432
|
- 5001:5001
|
||||||
|
volumes:
|
||||||
|
- ${SNAPSHOTS_PATH}:/mnt/snapshots:ro
|
||||||
|
- shared:/shared:ro
|
||||||
|
|
||||||
|
postgres-id-client:
|
||||||
|
image: dkr-dsg.ac.upc.edu/devicehub/postgres:dpp_docker__eafcac09
|
||||||
|
# 4. To create the database.
|
||||||
|
# 5. Give permissions to the corresponding users in the database.
|
||||||
|
# extra src https://github.com/docker-library/docs/blob/master/postgres/README.md#environment-variables
|
||||||
|
environment:
|
||||||
|
- POSTGRES_PASSWORD=${DB_PASSWORD}
|
||||||
|
- POSTGRES_USER=${DB_USER}
|
||||||
|
- POSTGRES_DB=${DB_DATABASE}
|
||||||
|
# DEBUG
|
||||||
|
#ports:
|
||||||
|
# - 5432:5432
|
||||||
# TODO persistence
|
# TODO persistence
|
||||||
#volumes:
|
#volumes:
|
||||||
# - pg_data:/var/lib/postgresql/data
|
# - pg_data:/var/lib/postgresql/data
|
||||||
|
|
||||||
|
|
||||||
# TODO https://testdriven.io/blog/dockerizing-django-with-postgres-gunicorn-and-nginx/
|
# TODO https://testdriven.io/blog/dockerizing-django-with-postgres-gunicorn-and-nginx/
|
||||||
#nginx
|
#nginx
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
shared:
|
||||||
|
|
|
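Review bot: The `shared` volume declared at the end of this section is the channel through which devicehub-id-server hands the OIDC client_id and client_secret to devicehub-id-client as a plaintext JSON file (`/shared/client_id_<host>`, mounted `rw` on the server and `ro` on the client), and nothing in the compose file documents that or limits its exposure; any service later given the same mount reads the secret, and the named volume outlives both containers. Add a comment on the volume, `# carries the OIDC client credentials from devicehub-id-server to devicehub-id-client as plaintext JSON; do not mount into other services`, and consider removing the file once the client has consumed it. Unrelated: both devicehub services run image tag `dpp_docker__54511e1b` while both postgres services stay on `dpp_docker__eafcac09`; if that split is intentional a short comment would save the next reader a check.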
@ -102,15 +102,48 @@ handle_federated_id() {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
main() {
|
config_oidc() {
|
||||||
|
# TODO test allowing more than 1 client
|
||||||
|
if [ "${ID_SERVICE}" = "server_id" ]; then
|
||||||
|
|
||||||
gen_env_vars
|
client_description="client identity from docker compose demo"
|
||||||
|
|
||||||
wait_for_postgres
|
# in AUTHORIZED_CLIENT_URL we remove anything before ://
|
||||||
|
flask add_contract_oidc \
|
||||||
|
"${EMAIL_DEMO}" \
|
||||||
|
"${client_description}" \
|
||||||
|
"${AUTHORIZED_CLIENT_URL}" \
|
||||||
|
> /shared/client_id_${AUTHORIZED_CLIENT_URL#*://}
|
||||||
|
|
||||||
init_flagfile='/container_initialized'
|
elif [ "${ID_SERVICE}" = "client_id" ]; then
|
||||||
|
|
||||||
|
# in DEVICEHUB_HOST we remove anything before ://
|
||||||
|
CLIENT_ID_CONFIG="/shared/client_id_${DEVICEHUB_HOST#*://}"
|
||||||
|
|
||||||
|
# wait that the file generated by the server_id is readable
|
||||||
|
while true; do
|
||||||
|
if [ -f "${CLIENT_ID_CONFIG}" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
|
||||||
|
client_id="$(cat "${CLIENT_ID_CONFIG}" | jq -r '.client_id')"
|
||||||
|
client_secret="$(cat "${CLIENT_ID_CONFIG}" | jq -r '.client_secret')"
|
||||||
|
|
||||||
|
flask add_client_oidc \
|
||||||
|
"${SERVER_ID_HOST}" \
|
||||||
|
"${client_id}" \
|
||||||
|
"${client_secret}"
|
||||||
|
|
||||||
|
else
|
||||||
|
big_error "Something went wrong ${ID_SERVICE} is not server_id nor client_id"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
config_phase() {
|
||||||
|
init_flagfile='/already_configured'
|
||||||
if [ ! -f "${init_flagfile}" ]; then
|
if [ ! -f "${init_flagfile}" ]; then
|
||||||
|
|
||||||
# 7, 8, 9, 11
|
# 7, 8, 9, 11
|
||||||
init_data
|
init_data
|
||||||
|
|
||||||
|
@ -133,9 +166,21 @@ main() {
|
||||||
# # 16.
|
# # 16.
|
||||||
flask check_install "${EMAIL_DEMO}" ${PASSWORD_DEMO}
|
flask check_install "${EMAIL_DEMO}" ${PASSWORD_DEMO}
|
||||||
|
|
||||||
|
# config server or client ID
|
||||||
|
config_oidc
|
||||||
|
|
||||||
# remain next command as the last operation for this if conditional
|
# remain next command as the last operation for this if conditional
|
||||||
touch "${init_flagfile}"
|
touch "${init_flagfile}"
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
main() {
|
||||||
|
|
||||||
|
gen_env_vars
|
||||||
|
|
||||||
|
wait_for_postgres
|
||||||
|
|
||||||
|
config_phase
|
||||||
|
|
||||||
# 17. Use gunicorn
|
# 17. Use gunicorn
|
||||||
# thanks https://akira3030.github.io/formacion/articulos/python-flask-gunicorn-docker.html
|
# thanks https://akira3030.github.io/formacion/articulos/python-flask-gunicorn-docker.html
|
||||||
|
|
|
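Review bot: In config_oidc the server_id branch creates `/shared/client_id_${AUTHORIZED_CLIENT_URL#*://}` through shell redirection before `flask add_contract_oidc` has written anything, while the client_id branch only polls `[ -f "${CLIENT_ID_CONFIG}" ]`, so the client can read an empty or partial file and `jq -r` then yields `null` for client_id and client_secret, which is passed to `flask add_client_oidc` unchecked. Write to a temporary name and rename atomically, `out="/shared/client_id_${AUTHORIZED_CLIENT_URL#*://}"` and `> "${out}.tmp" && mv "${out}.tmp" "${out}"`, and on the client side reject empty or `null` values before calling `flask add_client_oidc`. The `while true` wait has no upper bound, so a server that fails to register the client leaves the client container hanging silently; a bounded retry that ends in `big_error` would surface the failure. The `cat "${CLIENT_ID_CONFIG}" | jq -r` pairs can be `jq -r '.client_id' "${CLIENT_ID_CONFIG}"`. main() continues past the last hunk.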
@ -9,7 +9,10 @@ API_RESOLVER='http://$IP_API_RESOLVER'
|
||||||
ID_FEDERATED='$ID'
|
ID_FEDERATED='$ID'
|
||||||
URL_MANUALS='http://$IP_MANUALS'
|
URL_MANUALS='http://$IP_MANUALS'
|
||||||
|
|
||||||
DEVICEHUB_HOST='http://devicehub.example.com'
|
SERVER_ID_DEVICEHUB_HOST='http://devicehub-server-id.example.com'
|
||||||
|
CLIENT_ID_DEVICEHUB_HOST='http://devicehub-client-id.example.com'
|
||||||
|
SERVER_ID_SERVICE='server_id'
|
||||||
|
CLIENT_ID_SERVICE='client_id'
|
||||||
HOST='localhost'
|
HOST='localhost'
|
||||||
|
|
||||||
SCHEMA='dbtest'
|
SCHEMA='dbtest'
|
||||||
|
|
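Review bot: `SERVER_ID_DEVICEHUB_HOST` and `CLIENT_ID_DEVICEHUB_HOST` are plain `http://` URLs, and with this commit they become the endpoints the two devicehub instances register with each other for OIDC (the server receives the client URL as `AUTHORIZED_CLIENT_URL`, the client registers `SERVER_ID_HOST`), so the exchange between them runs in cleartext unless TLS is terminated elsewhere. A comment above the two lines, `# OIDC endpoints: use https:// outside local demos`, would make that expectation explicit. The client URL is also turned into a file name by stripping only the scheme (`${VAR#*://}`), so a value with a path component would produce a name containing `/` and the server's redirection would fail; `# scheme://host[:port] only, no path` on CLIENT_ID_DEVICEHUB_HOST would prevent that.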