docker-compose: updates for ipa-tuura + keycloak

Test containers and Makefiles to build test environment included. 1. Docker Compose Makefile -- defines test env setup steps in make form .env -- Variables for Makefile and docker-compose env.containers -- env vars for containers. mostly used by keycloak docker-compose.gating.yml -- defines minimal containerized test env for gating data/configs/dnsmasq.conf -- config for dns container data/configs/nm_zone_test.conf -- config for dns container 2. README.md update to show how to start the container test environment 3. .gitignore updates to ignore new files/dirs Signed-off-by: Scott Poore <[email protected]>
freeipa · Jul 7, 2023 · fa185cf · fa185cf
1 parent f9cf0c5
commit fa185cf
Show file tree

Hide file tree

Showing 8 changed files with 343 additions and 34 deletions.
diff --git a/.env b/.env
@@ -1,4 +1,14 @@
 # This is the docker-compose environment file.
 # Copy it to .env or use --env-file=env.example on docker-compose command.
-REGISTRY=quay.io/ftrivino
+# REGISTRY=quay.io/ftrivino
+# REGISTRY=localhost/sssd
+REGISTRY=quay.io/sssd
 TAG=latest
+
+#PLUGIN_ARCHIVE=archive/refs/heads
+#PLUGIN_TAG=http_https
+PLUGIN_ARCHIVE=archive/refs/tags
+PLUGIN_TAG=kc19_intg
+PLUGIN_VER=0.0.1
+PLUGIN_DIR=scim-keycloak-user-storage-spi-${PLUGIN_TAG}
+PLUGIN_JAR=scim-user-spi-0.0.1-SNAPSHOT.jar
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,9 @@ src/ipa-tuura/scimv2bridge/migrations/
 
 # In-tree build files
 *~
+
+# env files with secrets
+env.secrets
+
+# keycloak container plugin files
+data/keycloak
diff --git a/Makefile b/Makefile
@@ -0,0 +1,40 @@
+include .env
+
+up: datadir plugin
+	docker-compose up --detach --no-recreate
+
+up-gating:
+	docker-compose -f docker-compose.gating.yaml up --no-recreate --detach
+
+stop:
+	docker-compose stop
+
+down: stop
+	docker-compose -f docker-compose.gating.yaml \
+	-f docker-compose.yml down
+
+datadir:
+ifeq (,$(wildcard data/keycloak))
+	mkdir -p data/keycloak
+endif
+
+container:
+	$(MAKE) -C src
+
+plugin: datadir
+ifeq (,$(wildcard data/keycloak/$(PLUGIN_JAR)))
+	cd data/keycloak && \
+	wget https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/${PLUGIN_ARCHIVE}/$(PLUGIN_TAG).tar.gz && \
+	tar zxvf $(PLUGIN_TAG).tar.gz && \
+	pushd $(PLUGIN_DIR) && \
+	mvn clean package && \
+	mv target/$(PLUGIN_JAR) ../ && \
+	chown 994:994 ../${PLUGIN_JAR}
+endif
+
+bridge:
+	source ./env.containers && \
+	bash -c "src/install/setup_bridge.sh"
+
+clean:
+	rm -rf data/keycloak/*
diff --git a/README.md b/README.md
@@ -100,3 +100,97 @@ make html
 ```
 
 The generated documentation will be available at `$IPA_TUURA/doc/_build/html/` folder.
+
+
+### Testing
+
+Provided is a docker-compose.yml container based test environment.  Running this
+environment on a system will provide the containers needed for testing some of the
+basic features of ipa-tuura:
+
+* ipa-tuura running SCIMv2 Bridge
+* Keycloak running with the SCIMv2 User Storage plugin
+* FreeIPA to provide IPA service
+* LDAP container to provide LDAP service
+* DNS container to provide static DNS for the test environment
+* Nextcloud to provide End to End application authentication testing
+
+
+First Install required packages needed to run container test environment:
+
+```bash
+sudo dnf -y install podman docker-compose podman-docker \
+                    java-17-openjdk-headless maven dnsmasq
+```
+
+Start podman service:
+
+```bash
+sudo systemctl start podman
+```
+
+Clone this repository:
+
+```bash
+git clone https://github.com/freeipa/ipa-tuura
+cd ipa-tuura
+```
+
+Set SELinux boolean:
+
+```bash
+sudo setsebool -P container_manage_cgroup true
+```
+
+OPTIONAL: Note if you want to setup your local DNS to resolve the container
+hostnames, you can follow these steps:
+
+```bash
+sudo cp data/configs/nm_enable_dnsmasq.conf /etc/NetworkManager/conf.d/
+sudo cp data/configs/nm_zone_test.conf /etc/NetworkManager/dnsmasq.d/
+sudo systemctl disable --now systemd-resolved
+sudo mv /etc/resolv.conf /etc/resolv.conf.ipa-tuura-backup
+sudo systemctl reload NetworkManager
+```
+
+Start containers:
+
+```bash
+sudo make up
+sudo make bridge
+```
+
+Note that `make bridge` runs `src/install/setup_bridge.sh` which allows you to
+override the keycloak and/or ipa-tuura hostnames if you wish to use this elsewhere.
+To do this, just set variables before manually running the script:
+
+```bash
+export KC_HOSTNAME=<keycloak server hostname>
+export TUURA_HOSTNAME=<ipa-tuura server hostname>
+bash src/install/setup_bridge.sh
+```
+
+Note that the container names all start with "kite-" which stands for Keycloak
+Integration Test Environment.  Each container is named after the service it
+provides to make access easier.
+
+Now you can access the containers with either:
+
+```bash
+sudo podman exec -it kite-<service> bash
+```
+
+Or for some containers, you can access with ssh.  To do so, lookup IP from 
+docker-compose.yml file.
+
+```bash
+ssh root@<IP>
+```
+
+To run Keycloak or IPA commands, you can alias the commands like this:
+
+```bash
+alias kcadm='sudo podman exec -it kite-keycloak /opt/keycloak/bin/kcadm.sh'
+alias ipa='sudo podman exec -it kite-ipa ipa'
+```
+
diff --git a/data/configs/dnsmasq.conf b/data/configs/dnsmasq.conf
@@ -9,19 +9,25 @@ local=/test/
 
 # These zones have their own DNS server
 server=/ipa.test/172.16.100.10
-server=/samba.test/172.16.100.30
 server=/ad.test/172.16.200.10
 
 # Add A records for LDAP and client machines
 address=/master.ldap.test/172.16.100.20
 address=/client.test/172.16.100.40
+address=/master.keycloak.test/172.16.100.70
+address=/master.nextcloud.test/172.16.100.12
+address=/master.mariadb.test/172.16.100.13
+address=/bridge.ipa.test/172.16.100.100
 
 # Add SRV record for LDAP
 srv-host=_ldap._tcp.ldap.test,master.ldap.test,389
 
 # Add PTR records for all machines
 ptr-record=10.100.16.172.in-addr.arpa,master.ipa.test
+ptr-record=12.100.16.172.in-addr.arpa,master.nextcloud.test
+ptr-record=13.100.16.172.in-addr.arpa,master.mariadb.test
 ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test
-ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
 ptr-record=40.100.16.172.in-addr.arpa,client.test
+ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
+ptr-record=100.100.16.172.in-addr.arpa,bridge.ipa.test
 ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
diff --git a/docker-compose.gating.yaml b/docker-compose.gating.yaml
@@ -0,0 +1,118 @@
+services:
+  dns:
+    restart: always
+    image: ${REGISTRY}/ci-dns:${TAG}
+    container_name: dns
+    env_file: ./env.containers
+    volumes:
+    - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
+    cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    - SYS_CHROOT
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.2
+  ipa:
+    image: ${REGISTRY}/ci-ipa:${TAG}
+    container_name: ipa
+    hostname: master.ipa.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    - SYS_CHROOT
+    - NET_ADMIN
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.10
+
+  bridge:
+    #image: localhost/ipa-tuura/base:latest
+    #image: quay.io/ftrivino/bridge-prod
+    image: quay.io/ftrivino/bridge-devel
+    container_name: bridge
+    hostname: bridge.ipa.test
+    dns: 172.16.100.2
+    #command: /usr/sbin/httpd -DFOREGROUND
+    command: python3 manage.py runserver 0.0.0.0:8000
+    env_file:
+    - ./env.containers
+    - ./env.secrets
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    ports:
+    - 8005:8000
+    - 3501:3500
+    - 4701:81
+    - 4430:443
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.100
+
+  keycloak:
+    image: ${REGISTRY}/ci-keycloak:${TAG}
+    container_name: keycloak
+    hostname: master.keycloak.test
+    dns: 172.16.100.2
+    env_file:
+    - ./env.containers
+    - ./env.secrets
+    volumes:
+    - ./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar:/opt/keycloak/providers/scim.jar
+    #- ./data/keycloak/rootCA.crt:/etc/pki/ca-trust/source/anchors/rootCA.crt
+    #- ./data/keycloak/server.crt:/data/certs/master.keycloak.test.crt
+    #- ./data/keycloak/server.key:/data/certs/master.keycloak.test.key
+    #- ./data/keycloak/server.keystore:/data/certs/master.keycloak.test.keystore
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - NET_ADMIN
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    ports:
+    - 8080:8080
+    - 8443:8443
+    - 9090:9090
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.70
+
+networks:
+  sssd:
+    name: sssd-ci
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 172.16.100.0/24
+         gateway: 172.16.100.1
+     options:
+        driver: host-local