183 docker compose optimization #188

Draft
wants to merge 6 commits into
base: master
4 changes: 2 additions & 2 deletions .github/workflows/python-app.yml
Expand Up @@ -58,8 +58,8 @@ jobs:
cat Docker-compose/satosa-project/metadata/sp/djangosaml2_sp.xml
- name: Inspect Satosa status
run: |
docker container inspect iam-proxy-italia
docker container logs iam-proxy-italia
docker container inspect iam-proxy-italia-satosa-1
docker container logs iam-proxy-italia-satosa-1
- name: Copy Satosa IDP Metadata to djangosaml2 SP
run: |
wget -vd --no-check-certificate https://localhost/Saml2IDP/metadata -O Docker-compose/djangosaml2_sp/saml2_sp/saml2_config/iam-proxy-italia.xml
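Review bot: the new names `iam-proxy-italia-satosa-1` hard-code Compose's default `<project>-<service>-<index>` container naming, which depends on the `name:` key in docker-compose.yml and on the instance index, so the workflow breaks again on the next rename or if the service is scaled; `docker compose -f Docker-compose/docker-compose.yml logs satosa` and `docker container inspect "$(docker compose -f Docker-compose/docker-compose.yml ps -q satosa)"` address the service by name and survive both.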
60 changes: 15 additions & 45 deletions Docker-compose/docker-compose.yml
@@ -1,12 +1,11 @@
name: iam-proxy-italia
services:

satosa-mongo:
mongo:
Member

there might be different containers about mongo, and this is the mongo within the satosa network with a specialized name

Collaborator Author

The container name is composed of project name + service name + instance number = iam-proxy-italia-mongo-1
The image name is composed of project name + service name = iam-proxy-italia-mongo
But you can call it with the service name in compose

Collaborator Author

The project name is defined in the first docker-compose line with the key name: iam-proxy-italia

profiles:
- demo
- mongo
- mongoexpress
image: mongo
container_name: satosa-mongo
environment:
MONGO_INITDB_DATABASE: oidcop
MONGO_INITDB_ROOT_USERNAME: "${MONGO_DBUSER:-satosa}"
Expand All @@ -18,66 +17,50 @@ services:
# - mongodata:/data/db # to be used for external volumes
ports:
- '27017-27019:27017-27019'
networks:
Member

as per my previous comment

- iam-proxy-italia

satosa-mongo-express:
express:
Member

as per my previous comment

profiles:
- demo
- mongoexpress
image: mongo-express
container_name: satosa-mongo-express
ports:
- 8082:8081
depends_on:
- satosa-mongo
- mongo
environment:
ME_CONFIG_BASICAUTH_USERNAME: "${EXPRESS_USER:-satosauser}"
ME_CONFIG_BASICAUTH_PASSWORD: "${EXPRESS_PASSWORD:-satosapw}"
ME_CONFIG_MONGODB_ADMINUSERNAME: "${MONGO_DBUSER:-satosa}"
ME_CONFIG_MONGODB_ADMINPASSWORD: "${MONGO_DBPASSWORD:-thatpassword}"
ME_CONFIG_MONGODB_URL: mongodb://${MONGO_DBUSER:-satosa}:${MONGO_DBPASSWORD:-thatpassword}@satosa-mongo:27017/
TZ: "${TZ:-Europe/Rome}"
networks:
- iam-proxy-italia

django_sp:
sp:
Member

this is a django sp, therefore its name is django sp

Collaborator Author

If we don't have other SPs, why distinguish them?
But if you prefer we can call this django-sp 😄
Remember: the container name will be iam-proxy-italia-django-sp-1
With a long project name a short service name is useful

profiles:
- demo
- dev
build:
context: ../
args:
- NODE_ENV=local
dockerfile: example_sp/django.Dockerfile
container_name: django_sp
context: ../
dockerfile: example_sp/django.Dockerfile
working_dir: /django_sp
entrypoint: "sh ../entrypoint.sh"
volumes:
- ./djangosaml2_sp:/django_sp:rw
ports:
- "8000:8000"
networks:
- iam-proxy-italia

iam-proxy-italia:
Member

iam-proxy-italia is the container name

Collaborator Author

iam-proxy-italia is the project name. We should call the service with a functional name for its work.
If you don't want to call it satosa, to avoid confusion we can call it iam-proxy? But the full container name will be iam-proxy-italia-iam-proxy-1... a really uncomfortable name, don't you think?

satosa:
image: ghcr.io/italia/iam-proxy-italia:latest
# image: iam-proxy-italia:latest
# build:
# context: ../
# args:
# - NODE_ENV=local
# dockerfile: Dockerfile
container_name: iam-proxy-italia
# depends_on:
# - satosa-mongo
build:
context: ../
dockerfile: Dockerfile
stdin_open: ${SATOSA_DEBUG:-false} # enables PDB when attach to the compose
tty: ${SATOSA_DEBUG:-false} # enables PDB when attach to the compose
environment:
- TZ=${TZ:-Europe/Rome}
- SATOSA_DEBUG=${SATOSA_DEBUG:-false}
- SATOSA_BY_DOCKER=1
- GET_IDEM_MDQ_KEY=${GET_IDEM_MDQ_KEY:-true}
- GET_METADATA_AND_KEY=${GET_IDEM_MDQ_KEY:-true}

- BASE_DIR=/satosa_proxy
- SATOSA_PRIVATE_KEY=${SATOSA_KEYS_FOLDER:-./pki}/${SATOSA_PRIVATE_KEY_FILENAME:-privkey.pem}
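Review bot: `GET_METADATA_AND_KEY=${GET_IDEM_MDQ_KEY:-true}` expands the old variable name while env.example in this same PR renames it to GET_METADATA_AND_KEY, so a `GET_METADATA_AND_KEY=false` in `.env` never reaches the container; it should read `${GET_METADATA_AND_KEY:-true}`, and the leftover `GET_IDEM_MDQ_KEY` line can be dropped once entrypoint.sh no longer reads it. In the same hunk, `ME_CONFIG_MONGODB_URL` still points at `@satosa-mongo:27017/`: with the service renamed to `mongo` and its `container_name` removed, that hostname no longer resolves on the Compose network, so mongo-express will fail to connect even though `depends_on` was updated. Also worth a look while touching this block: the `'27017-27019:27017-27019'` mapping publishes MongoDB on every host interface with the default credentials from env.example; prefixing the mapping with `127.0.0.1:` (or not publishing it at all for the demo profile) limits the exposure.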
Expand Down Expand Up @@ -125,31 +108,24 @@ services:
- ./satosa-project:/satosa_proxy:rwx
# - ./eudi-wallet-it-python/pyeudiw:/.venv/lib/python3.12/site-packages/pyeudiw:rwx
# - iam-proxy-italia-data:/satosa_proxy # to be used for external volumes
working_dir: /satosa_proxy
entrypoint: "sh entrypoint.sh"
networks:
- iam-proxy-italia
healthcheck:
test: wget -O - https://satosa-nginx/Saml2IDP/metadata --no-check-certificate || exit 1
test: wget -O - https://nginx/Saml2IDP/metadata --no-check-certificate || exit 1
interval: 30s
retries: 10
start_period: 30s
timeout: 30s

satosa-nginx:
nginx:
image: nginx:alpine
container_name: satosa-nginx
depends_on:
- iam-proxy-italia
- satosa
ports:
- "443:443"
volumes:
- ./nginx/conf.d:/etc/nginx/conf.d:ro
- ./nginx/html:/usr/share/nginx/html:ro
- ./nginx/certs:/etc/nginx/certs:ro
# - static:/usr/share/nginx/html # to be used for external volumes
networks:
- iam-proxy-italia
environment:
- NGINX_HOST=${SATOSA_HOSTNAME:-localhost}
- TZ=${TZ:-Europe/Rome}
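Review bot: the satosa healthcheck now goes through `https://nginx/Saml2IDP/metadata`, so satosa is reported unhealthy whenever nginx is down or misconfigured even when uwsgi itself is fine, while `nginx` only `depends_on: satosa` for start order; this is workable with `up --wait`, but a note in the compose file that the two health states are coupled (or a direct probe of the uwsgi process) would make start-up failures easier to attribute. `--no-check-certificate` is inherited from the previous version and is only acceptable because the request never leaves the Compose network.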
Expand All @@ -159,14 +135,8 @@ services:
- demo
- dev
image: italia/spid-saml-check
container_name: spid-samlcheck
ports:
- "8443:8443"
networks:
- iam-proxy-italia
networks:
iam-proxy-italia:
name: iam-proxy-italia

## External volumes
# volumes:
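Review bot: removing the `networks:` definition moves every service onto Compose's implicit default network, which still provides service-name DNS, so `nginx`, `satosa` and `mongo` keep resolving each other; anything outside this file that joined the network by the explicit name `iam-proxy-italia` (another compose project, a `docker run --network` invocation, the CI workflow) will need updating, so the change deserves a line in the PR description or README.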
6 changes: 3 additions & 3 deletions Docker-compose/env.example
@@ -1,4 +1,4 @@
SATOSA_HOSTNAME=localhost
METADATA_ANDSATOSA_HOSTNAME=localhost
SATOSA_BASE=https://${SATOSA_HOSTNAME:-localhost}
SATOSA_BASE_STATIC=${SATOSA_BASE}/static
SATOSA_DISCO_SRV=${SATOSA_BASE_STATIC}/disco.html
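Review bot: `METADATA_ANDSATOSA_HOSTNAME=localhost` looks like an accidental search-and-replace result: the next line still builds `SATOSA_BASE` from `${SATOSA_HOSTNAME:-localhost}` and docker-compose.yml sets `NGINX_HOST=${SATOSA_HOSTNAME:-localhost}`, so after this change the example env file no longer defines the hostname at all and everything silently falls back to `localhost`. Restore `SATOSA_HOSTNAME=localhost`.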
Expand Down Expand Up @@ -55,5 +55,5 @@ SATOSA_UI_LOGO_URL="https://example_organization.org/logo.png"
SATOSA_UI_PRIVACY_URL_EN="https://example_organization.org/privacy"
SATOSA_UI_PRIVACY_URL_IT="https://example_organization.org/it/privacy"

# If set to true, satosa downloads IDEM's keys and IDPs from registry.spid.gov.it
GET_IDEM_MDQ_KEY=true
# If set to true, satosa downloads IDEM's keys and SPID / CIE / eIDAS metadata
GET_METADATA_AND_KEY=true
2 changes: 1 addition & 1 deletion Docker-compose/nginx/conf.d/default.conf
Expand Up @@ -26,7 +26,7 @@ server {
rewrite /.well-known/jwt-vc-issuer/OpenID4VP /OpenID4VP/.well-known/jwt-vc-issuer break;
include /etc/nginx/uwsgi_params;

uwsgi_pass iam-proxy-italia:10000;
uwsgi_pass satosa:10000;
uwsgi_param Host $host;
uwsgi_param X-Real-IP $remote_addr;
uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
15 changes: 10 additions & 5 deletions Docker-compose/run-docker-compose.sh
Expand Up @@ -22,9 +22,6 @@ function initialize_satosa {
if [ ! -f ./satosa-project/proxy_conf.yaml ]; then cp -R ../example/* ./satosa-project/ ; rm -R ./satosa/static/ ; else echo 'satosa-project directory is already initialized' ; fi
if [ ! -f ./djangosaml2_sp/run.sh ]; then cp -R ../example_sp/djangosaml2_sp/* ./djangosaml2_sp ; else echo 'djangosaml2_sp directory is already initialided' ; fi
if [ ! -f ./nginx/html/static/disco.html ]; then cp -R ../example/static/* ./nginx/html/static ; else echo 'nginx directory is already initialized' ; fi

chmod -R 777 ./satosa-project
echo "WARNING: satosa-project permission folder set recursively to 777"
}
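Review bot: dropping `chmod -R 777 ./satosa-project` and its warning is the right call, since it made the proxy configuration and key material world-writable on the host; because the compose file still mounts `./satosa-project:/satosa_proxy:rwx` and entrypoint.sh now writes downloaded metadata and the IDEM certificate under `metadata/idp/` and `$SATOSA_KEYS_FOLDER`, please confirm the uid the image runs as can write there, otherwise the first start fails less loudly than before. Unrelated, the context line above has `initialided` for `initialized`.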

function update {
Expand All @@ -41,7 +38,11 @@ function update {
}

function start {
docker compose -f docker-compose.yml up --wait --wait-timeout 60 --remove-orphans
if [[ -z $BUILD ]]; then
docker compose -f docker-compose.yml up --wait --wait-timeout 60 --remove-orphans
else
docker compose -f docker-compose.yml up --wait --wait-timeout 60 --remove-orphans --build
fi
echo -e "\n"
echo -e "Completato. Per visionare i logs: 'docker-compose -f docker-compose.yml logs -f'"
exit 0
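Review bot: the two `docker compose ... up` invocations differ only by `--build`, so a single line with `${BUILD:+--build}` keeps the flags in one place and stops them drifting apart: `docker compose -f docker-compose.yml up --wait --wait-timeout 60 --remove-orphans ${BUILD:+--build}`. The function should also propagate the exit status of `up` instead of an unconditional `exit 0`, otherwise a failed `--wait` is reported as success to CI.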
Expand All @@ -61,11 +62,12 @@ function help {
echo "-m Set 'mongo' compose profile. Run: satosa, nginx, mongo"
echo "-M Set 'mongoexpress' compose profile. Run: satosa, nginx, mongo, mongo-express"
echo "-d Set 'dev' compose profile. Run: satosa, nginx, django-sp, spid-saml-check"
echo "-b Set '--build' option in docker compose for local images generation"
echo " if isn't set any of -p, -m, -M, -d, is used 'demo' compose profile"
echo " demo compose profile start: satosa, nginx, mongo, mongo-express, django-sp, spid-saml-check"
}

while getopts ":fpimMdsh" opt; do
while getopts ":fpimMdsbh" opt; do
case ${opt} in
f)
clean_data
Expand All @@ -85,6 +87,9 @@ while getopts ":fpimMdsh" opt; do
s)
SKIP_UPDATE=true
;;
b)
BUILD=true
;;
h)
help
exit 0
1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -39,3 +39,4 @@ RUN poetry install
RUN poetry add setuptools

WORKDIR $BASEDIR/
ENTRYPOINT ["sh", "entrypoint.sh"]
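Review bot: `ENTRYPOINT ["sh", "entrypoint.sh"]` duplicates the `entrypoint: "sh entrypoint.sh"` override that docker-compose.yml still sets for the satosa service; keeping only the Dockerfile one makes `docker run` and Compose behave the same. The relative path relies on `WORKDIR $BASEDIR/` containing the script, which only matches the compose side as long as `working_dir: /satosa_proxy` equals `$BASEDIR`.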
27 changes: 7 additions & 20 deletions example/entrypoint.sh
100644 → 100755
@@ -1,28 +1,15 @@
#!/bin/bash
. /.venv/bin/activate

MAX_RETRY=10
REMOTE_DATA_LOCATION="https://registry.spid.gov.it/entities-idp -O ./spid-entities-idps.xml"

# get IDEM MDQ key
if [[ $GET_IDEM_MDQ_KEY == true ]]; then
wget https://mdx.idem.garr.it/idem-mdx-service-crt.pem -O $SATOSA_KEYS_FOLDER/idem-mdx-service-crt.pem

wget $REMOTE_DATA_LOCATION
status=$?
while [[ $status != 0 && $MAX_RETRY -gt 0 ]]; do
echo "Retrying download from registry.spid.gov.it ..."
wget $REMOTE_DATA_LOCATION
status=$?
MAX_RETRY=$((MAX_RETRY-1))
done

if [ $MAX_RETRY == 0 ]; then
echo "Cannot fetch identity providers data from remote registry, aborting..."
exit 1
fi

echo "Downloaded IDEM MDQ key"
# update federation key and metadata
if [[ $GET_METADATA_AND_KEY == true ]]; then
TMP = `mktemp`
wget https://mdx.idem.garr.it/idem-mdx-service-crt.pem -nv -t3 -O $TMP && cp $TMP $SATOSA_KEYS_FOLDER/idem-mdx-service-crt.pem
wget https://registry.spid.gov.it/entities-idp -nv -t3 -O $TMP && cp $TMP ./metadata/idp/spid-entities-idps.xml
wget https://sp-proxy.eid.gov.it/metadata -nv -t3 -O $TMP && cp $TMP ./metadata/idp/ficep.xml
wget https://idserver.servizicie.interno.gov.it/idp/shibboleth?Metadata -nv -t3 -O $TMP && cp $TMP ./metadata/idp/cie-production.xml
fi

poetry show
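Review bot: `TMP = ...` with spaces around `=` is a bash trap: the shell runs a command named `TMP` with arguments `=` and the mktemp output, the assignment never happens, each `-O $TMP` expands to a bare `-O`, wget exits with an option error and the `&& cp` never runs, so every download in this block is silently skipped. Write `TMP=$(mktemp)` and quote `"$TMP"`. The rewrite also drops the previous behaviour of exiting non-zero when the SPID registry cannot be fetched, so the proxy now starts with stale or missing IdP metadata without any signal; add `|| { echo "..."; exit 1; }` to at least the SPID and CIE fetches, or `set -e` at the top. Minor: the CIE URL contains an unquoted `?Metadata`, which the shell treats as a glob pattern, so quote the URL; and since `mktemp` files persist, an `rm -f "$TMP"` (or a `trap`) at the end avoids leaving the last download in /tmp.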
82 changes: 41 additions & 41 deletions example/proxy_conf.yaml
Expand Up @@ -21,27 +21,27 @@ USER_ID_HASH_SALT: !ENV SATOSA_SALT
ERROR_URL: !ENV SATOSA_UNKNOW_ERROR_REDIRECT_PAGE

CUSTOM_PLUGIN_MODULE_PATHS:
#- "plugins/ping"
- "plugins/backends"
- "plugins/frontends"
- "plugins/micro_services"
#- "configuration/ping"
- "configuration/backends"
- "configuration/frontends"
- "configuration/micro_services"
BACKEND_MODULES:
- "plugins/backends/saml2_backend.yaml"
- "plugins/backends/spidsaml2_backend.yaml"
- "plugins/backends/ciesaml2_backend.yaml"
- "plugins/backends/pyeudiw_backend.yaml"
- "configuration/backends/saml2_backend.yaml"
- "configuration/backends/spidsaml2_backend.yaml"
- "configuration/backends/ciesaml2_backend.yaml"
# - "configuration/backends/pyeudiw_backend.yaml"
FRONTEND_MODULES:
- "plugins/frontends/saml2_frontend.yaml"
# - "plugins/frontends/oidcop_frontend.yaml"
- "configuration/frontends/saml2_frontend.yaml"
# - "configuration/frontends/oidcop_frontend.yaml"
MICRO_SERVICES:
# - "plugins/microservices/spid_unical_account_linking.yaml"
# - "plugins/microservices/multiple_ldap_attribute_store.yaml"
# - "plugins/microservices/ldap_attribute_store.yaml"
# - "configuration/microservices/spid_unical_account_linking.yaml"
# - "configuration/microservices/multiple_ldap_attribute_store.yaml"
# - "configuration/microservices/ldap_attribute_store.yaml"
# re-process again after new attributes beign pushed (or not) from ldap store
# - "plugins/microservices/spid_unical_account_linking.yaml"
- "plugins/microservices/idp_hinting.yaml"
- "plugins/microservices/disco_to_target_issuer.yaml"
- "plugins/microservices/target_based_routing.yaml"
# - "configuration/microservices/spid_unical_account_linking.yaml"
- "configuration/microservices/idp_hinting.yaml"
- "configuration/microservices/disco_to_target_issuer.yaml"
- "configuration/microservices/target_based_routing.yaml"
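Review bot: besides the `plugins/` to `configuration/` path move, this hunk also comments out `configuration/backends/pyeudiw_backend.yaml`, which disables the EUDI wallet backend in the default example configuration; if that is intentional it deserves a mention in the PR description and README, otherwise it should stay enabled so the path rename is a pure move.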
LOGGING:
version: 1
formatters:
Expand All @@ -50,14 +50,6 @@ LOGGING:
syslog:
format: "[SATOSA] [%(name)s] [%(levelname)s]: %(message)s"
handlers:
spid_daily:
class: logging.handlers.TimedRotatingFileHandler
level: INFO
formatter: simple
filename: logs/spid.log
when: D
interval: 1
backupCount: 860
syslog:
class: logging.handlers.SysLogHandler
level: INFO
Expand All @@ -67,22 +59,30 @@ LOGGING:
level: DEBUG
formatter: simple
stream: ext://sys.stdout
saml2_debug_file:
class: logging.handlers.RotatingFileHandler
level: DEBUG
formatter: simple
filename: logs/saml2_debug.log
maxBytes: 104857600 # 100MB
backupCount: 20
encoding: utf8
oidcop_debug_file:
class: logging.handlers.RotatingFileHandler
level: DEBUG
formatter: simple
filename: logs/oidcop_debug.log
maxBytes: 104857600 # 100MB
backupCount: 20
encoding: utf8
# spid_daily:
# class: logging.handlers.TimedRotatingFileHandler
# level: INFO
# formatter: simple
# filename: logs/spid.log
# when: D
# interval: 1
# backupCount: 860
Comment on lines +62 to +69
Member

why?

let's keep cie and spid policy retention configured by default

Collaborator Author

In docker spid daily is not used; the logs are sent to docker logs from STDOUT. The spid daily handler is used only for local installation and must be configured manually in proxy_conf.yaml.
If it remains uncommented, the image requires an unnecessary write access right to the empty logs/spid.log file.

If someone wants to use this they must uncomment it and change the handler in loggers from [console] to [spid_daily]. If you want to use spid-daily you still need to edit the proxy-conf file.

# saml2_debug_file:
# class: logging.handlers.RotatingFileHandler
# level: DEBUG
# formatter: simple
# filename: logs/saml2_debug.log
# maxBytes: 104857600 # 100MB
# backupCount: 20
# encoding: utf8
# oidcop_debug_file:
# class: logging.handlers.RotatingFileHandler
# level: DEBUG
# formatter: simple
# filename: logs/oidcop_debug.log
# maxBytes: 104857600 # 100MB
# backupCount: 20
# encoding: utf8
loggers:
satosa:
level: INFO
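Review bot: commenting out `spid_daily`, `saml2_debug_file` and `oidcop_debug_file` leaves `console` as the only active handler, which fits a container whose stdout goes to the Docker log driver, but the removed `TimedRotatingFileHandler` with `backupCount: 860` was the default that kept SPID/CIE access logs for the federations' retention period; with this change retention depends entirely on the host's log driver configuration, so the README should state that the Docker log driver (or a forwarder) must keep the `[SATOSA]` lines for the same period, and the commented block should carry a one-line note to that effect. Also confirm that the `loggers:` section below no longer lists `spid_daily` as a handler, otherwise dictConfig fails at startup with an unknown-handler error.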