docker-compose: updates for ipa-tuura + keycloak

Test containers and Makefiles to build test environment included. 1. Container src/Containerfile -- defines systemd container to build src/Makefile -- defines container build steps in make form src/install/ipa-tuura.env -- ipa-tuura service env file for container src/install/ipa-tuura.service -- ipa-tuura systemd service file for container 2. Docker Compose Makefile -- defines test env setup steps in make form .env -- Variables for Makefile and docker-compose data/configs/dnsmasq.conf -- config for dns container data/configs/nm_zone_test.conf -- config for dns container env.containers -- env vars for containers. mostly used by keycloak src/install/setup_bridge.sh -- add SCIM plugin config to keycloak for ipa-tuura bridge docker-compose.yml -- defines containerized test env docker-compose.gating.yml -- defines minimal containerized test env for gating docker-compose.samba.yml -- defines containerized test env with samba *NOTE* docker-compose.yml relies on SSSD containers to provide ipa, dns, ldap. 3. README.md update to show how to start the container test environment Signed-off-by: Scott Poore <[email protected]>
freeipa · May 30, 2023 · 43536a1 · 43536a1
1 parent 1d3b5b9
commit 43536a1
Show file tree

Hide file tree

Showing 13 changed files with 567 additions and 34 deletions.
diff --git a/.env b/.env
@@ -1,4 +1,10 @@
 # This is the docker-compose environment file.
 # Copy it to .env or use --env-file=env.example on docker-compose command.
-REGISTRY=quay.io/ftrivino
+#REGISTRY=quay.io/ftrivino
+REGISTRY=localhost/sssd
 TAG=latest
+
+PLUGIN_TAG=kc19_intg
+PLUGIN_VER=0.0.1
+PLUGIN_DIR=scim-keycloak-user-storage-spi-${PLUGIN_TAG}
+PLUGIN_JAR=scim-user-spi-0.0.1-SNAPSHOT.jar
diff --git a/Makefile b/Makefile
@@ -0,0 +1,44 @@
+include .env
+
+up: datadir plugin
+	docker-compose up --detach --no-recreate
+
+up-gating:
+	docker-compose -f docker-compose.gating.yaml up --no-recreate --detach
+
+up-samba:
+	docker-compose -f docker-compose.samba.yaml up --no-recreate --detach
+
+stop:
+	docker-compose stop
+
+down: stop
+	docker-compose -f docker-compose.samba.yaml \
+	-f docker-compose.gating.yaml \
+	-f docker-compose.yml down
+
+datadir:
+ifeq (,$(wildcard data/keycloak))
+	mkdir -p data/keycloak
+endif
+
+container:
+	$(MAKE) -C src
+
+plugin: datadir
+ifeq (,$(wildcard data/keycloak/$(PLUGIN_JAR)))
+	cd data/keycloak && \
+	wget https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/archive/refs/tags/$(PLUGIN_TAG).tar.gz && \
+	tar zxvf $(PLUGIN_TAG).tar.gz && \
+	pushd $(PLUGIN_DIR) && \
+	JAVA_HOME=/usr/lib/jvm/java-11-openjdk mvn clean package && \
+	mv target/$(PLUGIN_JAR) ../ && \
+	chown 994:994 ../${PLUGIN_JAR}
+endif
+
+bridge:
+	source ./env.containers && \
+	bash -c "src/install/setup_bridge.sh"
+
+clean:
+	rm -rf data/keycloak/*
diff --git a/README.md b/README.md
@@ -100,3 +100,97 @@ make html
 ```
 
 The generated documentation will be available at `$IPA_TUURA/doc/_build/html/` folder.
+
+
+### Testing
+
+Provided is a docker-compose.yml container based test environment.  Running this
+environment on a system will provide the containers needed for testing some of the
+basic features of ipa-tuura:
+
+* ipa-tuura running SCIMv2 Bridge
+* Keycloak running with the SCIMv2 User Storage plugin
+* FreeIPA to provide IPA service
+* LDAP container to provide LDAP service
+* DNS container to provide static DNS for the test environment
+* Nextcloud to provide End to End application authentication testing
+
+
+First Install required packages needed to run container test environment:
+
+```bash
+sudo dnf -y install podman docker-compose podman-docker \
+                    java-17-openjdk-headless maven dnsmasq
+```
+
+Start podman service:
+
+```bash
+sudo systemctl start podman
+```
+
+Clone this repository:
+
+```bash
+git clone https://github.com/freeipa/ipa-tuura
+cd ipa-tuura
+```
+
+Set SELinux boolean:
+
+```bash
+sudo setsebool -P container_manage_cgroup true
+```
+
+OPTIONAL: Note if you want to setup your local DNS to resolve the container
+hostnames, you can follow these steps:
+
+```bash
+sudo cp data/configs/nm_enable_dnsmasq.conf /etc/NetworkManager/conf.d/
+sudo cp data/configs/nm_zone_test.conf /etc/NetworkManager/dnsmasq.d/
+sudo systemctl disable --now systemd-resolved
+sudo mv /etc/resolv.conf /etc/resolv.conf.ipa-tuura-backup
+sudo systemctl reload NetworkManager
+```
+
+Start containers:
+
+```bash
+sudo make up
+sudo make bridge
+```
+
+Note that `make bridge` runs `src/install/setup_bridge.sh` which allows you to
+override the keycloak and/or ipa-tuura hostnames if you wish to use this elsewhere.
+To do this, just set variables before manually running the script:
+
+```bash
+export KC_HOSTNAME=<keycloak server hostname>
+export TUURA_HOSTNAME=<ipa-tuura server hostname>
+bash src/install/setup_bridge.sh
+```
+
+Note that the container names all start with "kite-" which stands for Keycloak
+Integration Test Environment.  Each container is named after the service it
+provides to make access easier.
+
+Now you can access the containers with either:
+
+```bash
+sudo podman exec -it kite-<service> bash
+```
+
+Or for some containers, you can access with ssh.  To do so, lookup IP from 
+docker-compose.yml file.
+
+```bash
+ssh root@<IP>
+```
+
+To run Keycloak or IPA commands, you can alias the commands like this:
+
+```bash
+alias kcadm='sudo podman exec -it kite-keycloak /opt/keycloak/bin/kcadm.sh'
+alias ipa='sudo podman exec -it kite-ipa ipa'
+```
+
diff --git a/data/configs/dnsmasq.conf b/data/configs/dnsmasq.conf
@@ -9,19 +9,25 @@ local=/test/
 
 # These zones have their own DNS server
 server=/ipa.test/172.16.100.10
-server=/samba.test/172.16.100.30
 server=/ad.test/172.16.200.10
 
 # Add A records for LDAP and client machines
 address=/master.ldap.test/172.16.100.20
 address=/client.test/172.16.100.40
+address=/master.keycloak.test/172.16.100.70
+address=/master.nextcloud.test/172.16.100.12
+address=/master.mariadb.test/172.16.100.13
+address=/ipa-tuura.bridge.test/172.16.100.14
 
 # Add SRV record for LDAP
 srv-host=_ldap._tcp.ldap.test,master.ldap.test,389
 
 # Add PTR records for all machines
 ptr-record=10.100.16.172.in-addr.arpa,master.ipa.test
+ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
+ptr-record=12.100.16.172.in-addr.arpa,master.nextcloud.test
+ptr-record=13.100.16.172.in-addr.arpa,master.mariadb.test
+ptr-record=14.100.16.172.in-addr.arpa,ipa-tuura.bridge.test
 ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test
-ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
 ptr-record=40.100.16.172.in-addr.arpa,client.test
 ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
diff --git a/docker-compose.gating.yaml b/docker-compose.gating.yaml
@@ -0,0 +1,99 @@
+services:
+  dns:
+    restart: always
+    image: ${REGISTRY}/ci-dns:${TAG}
+    container_name: dns
+    env_file: ./env.containers
+    volumes:
+    - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
+    cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.2
+
+  ipa:
+    image: ${REGISTRY}/ci-ipa:${TAG}
+    container_name: ipa
+    hostname: master.ipa.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    - SYS_CHROOT
+    - NET_ADMIN
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.10
+
+  ipa-tuura:
+    #image: quay.io/idmops/bridge:latest
+    image: localhost/ipa-tuura/base:latest
+    container_name: ipa-tuura
+    hostname: ipa-tuura.bridge.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.14
+
+  keycloak:
+    image: ${REGISTRY}/ci-keycloak:${TAG}
+    #image: quay.io/keycloak/keycloak:${KC_TAG}
+    container_name: keycloak
+    hostname: master.keycloak.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar:/opt/keycloak/providers/scim.jar
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - NET_ADMIN
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.70
+
+networks:
+  ipa-tuura:
+    name: ipa-tuura-ci
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 172.16.100.0/24
+         gateway: 172.16.100.1
+     options:
+        driver: host-local
diff --git a/docker-compose.samba.yaml b/docker-compose.samba.yaml
@@ -0,0 +1,100 @@
+services:
+  dns:
+    restart: always
+    image: ${REGISTRY}/ci-dns:${TAG}
+    container_name: dns
+    env_file: ./env.containers
+    volumes:
+    - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
+    cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.2
+
+  ipa-tuura:
+    #image: quay.io/idmops/bridge:latest
+    image: localhost/ipa-tuura/base:latest
+    container_name: ipa-tuura
+    hostname: ipa-tuura.bridge.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - NET_ADMIN
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.14
+
+  keycloak:
+    image: ${REGISTRY}/ci-keycloak:${TAG}
+    #image: quay.io/keycloak/keycloak:${KC_TAG}
+    container_name: keycloak
+    hostname: master.keycloak.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar:/opt/keycloak/providers/scim.jar
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - NET_ADMIN
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.70
+
+  samba:
+    image: ${REGISTRY}/ci-samba:${TAG}
+    container_name: samba
+    hostname: dc.samba.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - NET_ADMIN
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.100.30
+
+networks:
+  ipa-tuura:
+    name: ipa-tuura-ci
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 172.16.100.0/24
+         gateway: 172.16.100.1
+     options:
+        driver: host-local