Docker: Add SAML configuration
To configure SAML, ENABLE_SAML must be set to True in .env. Additionally, the following files must be provided in ./secrets/saml/: - sp.crt - sp.key - saml_settings.json The files will be added as Docker secrets. Even though saml_settings.json does not contain secret information per se, it is nonetheless added as a secret for simplicity. Technically, the file is equally suited to be configured as a "Docker config". Please note: - This patch has not been tested yet. - python3-saml's version should probably be pinned.
This commit is contained in:
parent
3cb3ef2974
commit
9a2d3a3760
@ -99,6 +99,9 @@ services:
|
||||
<< : *default-osserver-env
|
||||
secrets:
|
||||
- django
|
||||
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
|
||||
- saml_key
|
||||
- saml_config)
|
||||
ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy:
|
||||
replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1))
|
||||
|
||||
@ -111,6 +114,9 @@ services:
|
||||
- django
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
||||
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
|
||||
- saml_key
|
||||
- saml_config)
|
||||
depends_on:
|
||||
- pgbouncer
|
||||
- redis
|
||||
@ -226,5 +232,11 @@ secrets:
|
||||
file: ./secrets/adminsecret.env)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
||||
file: ./secrets/usersecret.env)
|
||||
ifelse(read_env(`ENABLE_SAML'), `True', saml_cert:
|
||||
file: ./secrets/saml/sp.crt
|
||||
saml_key:
|
||||
file: ./secrets/saml/sp.key
|
||||
saml_config:
|
||||
file: ./secrets/saml/saml_settings.json)
|
||||
|
||||
# vim: set sw=2 et:
|
||||
|
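Review bot: sp.key is the SP's private key, and the short-form `- saml_key` entries added to both server services mount it with Docker's default secret file mode (0444, owned by root), so every process in the container can read it even though the image switches to `USER openslides`. Consider the long syntax for that one secret, `- source: saml_key` / `target: saml_key` / `mode: 0400`, with `uid`/`gid` set to the ids of the openslides user (not visible here) so only the service user can read it; the same applies to the second template at `@ -97,6 +97,9` and `@ -112,6 +115,9`. Note also that the `ifelse(read_env(...))` condition is evaluated once when the template is expanded, whereas `saml-setup.sh` checks `$ENABLE_SAML` at container runtime, so the variable must also be present in the service environment — whether `*default-osserver-env` carries it is outside this hunk.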
@ -97,6 +97,9 @@ services:
|
||||
<< : *default-osserver-env
|
||||
secrets:
|
||||
- django
|
||||
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
|
||||
- saml_key
|
||||
- saml_config)
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
@ -112,6 +115,9 @@ services:
|
||||
- django
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
||||
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
|
||||
- saml_key
|
||||
- saml_config)
|
||||
|
||||
client:
|
||||
image: FRONTEND_IMAGE
|
||||
@ -260,5 +266,11 @@ secrets:
|
||||
file: ./secrets/adminsecret.env)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
||||
file: ./secrets/usersecret.env)
|
||||
ifelse(read_env(`ENABLE_SAML'), `True', saml_cert:
|
||||
file: ./secrets/saml/sp.crt
|
||||
saml_key:
|
||||
file: ./secrets/saml/sp.key
|
||||
saml_config:
|
||||
file: ./secrets/saml/saml_settings.json)
|
||||
|
||||
# vim: set sw=2 et:
|
||||
|
@ -50,9 +50,15 @@ RUN apt-get install --no-install-recommends -y \
|
||||
RUN rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY requirements /app/requirements
|
||||
RUN pip install -r requirements/production.txt -r requirements/big_mode.txt && \
|
||||
RUN pip install -r requirements/production.txt -r requirements/big_mode.txt \
|
||||
-r requirements/saml.txt && \
|
||||
rm -rf /root/.cache/pip
|
||||
|
||||
# SAML
|
||||
COPY docker/saml-setup.sh /usr/local/lib/
|
||||
RUN mkdir -p /app/personal_data/var/certs/ && \
|
||||
chown -R openslides:openslides /app/personal_data/var/
|
||||
|
||||
USER openslides
|
||||
# the `empty` folder is used for the dummy http server für the migrate entrypoint to serve no files.
|
||||
RUN mkdir /app/empty
|
||||
|
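Review bot: python3-saml builds on the xmlsec binding, which needs the libxmlsec1 runtime and its development headers in the image; the `apt-get install` stage named in the hunk header is outside the hunk, so confirm it already provides them or the added `-r requirements/saml.txt` will fail at build time. The package is also installed without a version pin or hash check, so image builds are not reproducible and a yanked or tampered release would be picked up silently; the pin belongs in `server/requirements/saml.txt`. The `chown -R openslides:openslides /app/personal_data/var/` only affects the image layer — if `/app/personal_data` is mounted as a volume at runtime, as the name suggests, ownership of the mounted directory is not decided by this line.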
@ -11,6 +11,9 @@ source /run/secrets/django
|
||||
}
|
||||
export SECRET_KEY="$DJANGO_SECRET_KEY"
|
||||
|
||||
# SAML setup
|
||||
. /usr/local/lib/saml-setup.sh
|
||||
|
||||
# TODO: env variable for this host
|
||||
wait-for-it -t 0 "server-setup:8000"
|
||||
|
||||
|
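Review bot: Because `saml-setup.sh` is sourced with `.` rather than executed, its `exit 3` on a missing secret terminates this entrypoint before `wait-for-it` runs, which is presumably intended but not obvious from the two-word comment; suggest `# SAML setup (sourced: a missing SAML secret aborts the entrypoint with status 3)`. The same applies to the migrate entrypoint hunk at `@ -82,5 +82,8`, where an abort happens before the user-account setup message is printed.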
@ -82,5 +82,8 @@ if [[ -f /run/secrets/os_user ]]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# SAML setup
|
||||
. /usr/local/lib/saml-setup.sh
|
||||
|
||||
echo "Done migrating and setting up user accounts..."
|
||||
python -m http.server --directory /app/empty --bind 0.0.0.0 8000
|
||||
|
10
server/docker/saml-setup.sh
Normal file
@ -0,0 +1,10 @@
|
||||
# SAML setup
|
||||
if [[ "$ENABLE_SAML" = True ]]; then
|
||||
echo "Setting up SAML"
|
||||
for i in /run/secrets/saml_{cert,key,config}; do
|
||||
[[ -f "$i" ]] || { echo "ERROR: $i not found!"; exit 3; }
|
||||
done
|
||||
ln -s /run/secrets/saml_cert /app/personal_data/var/certs/sp.crt
|
||||
ln -s /run/secrets/saml_key /app/personal_data/var/certs/sp.key
|
||||
ln -s /run/secrets/saml_config /app/personal_data/var/saml_settings.json
|
||||
fi
|
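Review bot: The three `ln -s` calls at the end of the `if` block are not idempotent: `/app/personal_data/var/` looks like persistent data and the script is sourced by both the server and the migrate entrypoints, so on a container restart, or when both containers share that volume, the link already exists and `ln` fails with "File exists"; use `ln -sfn` for all three. `[[ "$ENABLE_SAML" = True ]]` also aborts under `set -u` when the variable is unset, so `if [[ "${ENABLE_SAML:-}" = True ]]; then` is safer in a file sourced into entrypoints whose shell options are not visible here. The symlinks carry the permissions of the files under /run/secrets, so limiting who can read sp.key has to be done in the compose secret definition, not in this script.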
1
server/requirements/saml.txt
Normal file
@ -0,0 +1 @@
|
||||
python3-saml
|
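Review bot: `python3-saml` is unpinned, so each image build pulls whatever the latest release is at that moment; pin it as `python3-saml==<version>` (placeholder) and, if the other requirements files use hashes, add `--hash=sha256:<digest>` so `pip install --require-hashes` can verify the download. This is the file where the pin the commit message mentions belongs.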