For now, keep using HAProxy's name in most places, e.g.,
DOCKER_OPENSLIDES_HAPROXY_NAME. To avoid confusion, the specific
mentions of HAProxy should be made more generic, e.g.,
DOCKER_OPENSLIDES_PROXY_NAME.
- Removing channels. Going back to a wsgi deployment
- Removed server projector code
- Autoupdate throttling is now in the client
- New communication stack in the client
- Adopted all deployment methods: Docker stack and docker compose (prod and dev)
- Added autoupdate service as submodule
To configure SAML, ENABLE_SAML must be set to True in .env.
Additionally, the following files must be provided in ./secrets/saml/:
- sp.crt
- sp.key
- saml_settings.json
The files will be added as Docker secrets.
Even though saml_settings.json does not contain secret information
per se it is nonetheless added as a secret for simplicity. Technically,
the file is equally suited to be configured as a "Docker config".
Please note:
- This patch has not been tested yet.
- python3-saml's version should probably be pinned.
This setup chooses to avoid the env_file option available for Docker
Compose files. Docker has a peculiar way of parsing variables which
makes it, for example, include quotes verbatim.
This is both confusing and incompatible with shells parsing the same
file which is a requirement. For this reason, the configuration does
not import the complete environment using env_file but assigns variables
explicitly on a need-to-know basis in the YAML file, much like Docker
secrets.
Since the configuration is generated automatically, the burden on users
is the same as with env_file: they only need to edit .env for
customizations.
build.sh replaces docker-compose as an image build tool. Instead, all
OpenSlides services can be built using this script which offers various
important options such as tagging and configurable defaults.
The now-redundant build instructions have been removed from the YAML
templates.
The almost identical server and client build scripts have been made
fully identical.
We have decided against including an insecure default key with a mere
warning. Therefore, unlike the admin and user secrets, the availability
of this secret is a hard requirement. The instance will not be able to
start before a secret has been generated manually or by a management
tool.
