docker-compose: updates for ipa-tuura + keycloak

Test containers and Makefiles to build test environment included.

1. Container

src/Containerfile -- defines systemd container to build
src/Makefile -- defines container build steps in make form
src/install/ipa-tuura.env -- ipa-tuura service env file for container
src/install/ipa-tuura.service -- ipa-tuura systemd service file for
                                 container

2. Docker Compose

docker-compose.yml -- defines containerized test env
Makefile -- defines test env setup steps in make form
.env -- Variables for Makefile
data/configs/dnsmasq.conf -- config for dns container
data/configs/nm_zone_test.conf -- config for dns container
env.containers -- env vars for containers.  mostly used by keycloak
src/install/setup_bridge.sh -- add SCIM plugin config to keycloak for
                               ipa-tuura bridge

.env

@@ -2,3 +2,11 @@
 # Copy it to .env or use --env-file=env.example on docker-compose command.
 REGISTRY=quay.io/ftrivino
 TAG=latest
+KC_TAG=19.0.3
+# KITE = Keycloak Integration Test Environment
+CI_PREFIX=kite
+PLUGIN_TAG=kc19
+PLUGIN_VER=0.0.1
+PLUGIN_DIR=scim-keycloak-user-storage-spi-${PLUGIN_TAG}
+PLUGIN_JAR=scim-user-spi-0.0.1-SNAPSHOT.jar
+KCADM="podman exec -it kite-keycloak /opt/keycloak/bin/kcadm.sh"

Makefile

@@ -0,0 +1,47 @@
+include .env
+
+up: datadir cert plugin
+	docker-compose up --detach
+
+stop:
+	docker-compose stop
+
+down: stop
+	docker-compose down
+
+datadir:
+ifeq (,$(wildcard data/keycloak))
+	mkdir -p data/keycloak
+endif
+
+cert: datadir
+ifeq (,$(wildcard data/keycloak/server.crt))
+	cd data/configs && \
+	openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key \
+		-out server.crt -sha256 -days 365 -subj '/CN=master.keycloak.kite' && \
+	mv server.* ../keycloak && \
+	cd ../keycloak && \
+	keytool -import -keystore server.keystore \
+		-file server.crt -alias truststore \
+		-trustcacerts -storepass Secret123 -noprompt && \
+	chown 1000 server.*
+endif
+
+container:
+	$(MAKE) -C src
+
+plugin: datadir
+ifeq (,$(wildcard data/keycloak/$(PLUGIN_JAR)))
+	cd data/keycloak && \
+	wget https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/archive/refs/tags/$(PLUGIN_TAG).tar.gz && \
+	tar zxvf $(PLUGIN_TAG).tar.gz && \
+	pushd $(PLUGIN_DIR) && \
+	mvn clean package && \
+	mv target/$(PLUGIN_JAR) ../
+endif
+
+bridge:
+	bash -c "src/install/setup_bridge.sh"
+
+clean:
+	rm -rf data/keycloak/*

data/configs/dnsmasq.conf

@@ -5,23 +5,29 @@
 
 log-queries
 log-facility=-
-local=/test/
+local=/kite/
 
 # These zones have their own DNS server
-server=/ipa.test/172.16.100.10
-server=/samba.test/172.16.100.30
-server=/ad.test/172.16.200.10
+server=/ipa.kite/172.16.101.10
+server=/ad.kite/172.16.201.10
 
 # Add A records for LDAP and client machines
-address=/master.ldap.test/172.16.100.20
-address=/client.test/172.16.100.40
+address=/master.ldap.kite/172.16.101.20
+address=/client.kite/172.16.101.40
+address=/master.keycloak.kite/172.16.101.11
+address=/master.nextcloud.kite/172.16.101.12
+address=/master.mariadb.kite/172.16.101.13
+address=/ipa-tuura.bridge.kite/172.16.101.14
 
 # Add SRV record for LDAP
-srv-host=_ldap._tcp.ldap.test,master.ldap.test,389
+srv-host=_ldap._tcp.ldap.kite,master.ldap.kite,389
 
 # Add PTR records for all machines
-ptr-record=10.100.16.172.in-addr.arpa,master.ipa.test
-ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test
-ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
-ptr-record=40.100.16.172.in-addr.arpa,client.test
-ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
+ptr-record=10.101.16.172.in-addr.arpa,master.ipa.kite
+ptr-record=11.101.16.172.in-addr.arpa,master.keycloak.kite
+ptr-record=12.101.16.172.in-addr.arpa,master.nextcloud.kite
+ptr-record=13.101.16.172.in-addr.arpa,master.mariadb.kite
+ptr-record=14.101.16.172.in-addr.arpa,ipa-tuura.bridge.kite
+ptr-record=20.101.16.172.in-addr.arpa,master.ldap.kite
+ptr-record=40.101.16.172.in-addr.arpa,client.kite
+ptr-record=10.201.16.172.in-addr.arpa,dc.ad.kite

data/configs/nm_zone_test.conf

@@ -3,4 +3,4 @@
 # This makes sure that all machines are accessible through DNS including
 # SRV and PTR records.
 
-server=/test/172.16.100.2
+server=/test/172.16.101.2

docker-compose.yml

@@ -2,7 +2,7 @@ services:
   dns:
     restart: always
     image: ${REGISTRY}/ci-dns:latest
-    container_name: dns
+    container_name: ${CI_PREFIX}-dns
     env_file: ./env.containers
     volumes:
     - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
@@ -14,14 +14,14 @@ services:
     - label=disable
     - seccomp=unconfined
     networks:
-      sssd:
-        ipv4_address: 172.16.100.2
+      ipa-tuura:
+        ipv4_address: 172.16.101.2
 
   ipa:
     image: ${REGISTRY}/ci-ipa:${TAG}
-    container_name: ipa
-    hostname: master.ipa.test
-    dns: 172.16.100.2
+    container_name: ${CI_PREFIX}-ipa
+    hostname: master.ipa.kite
+    dns: 172.16.101.2
     env_file: ./env.containers
     volumes:
     - ./shared:/shared:rw
@@ -34,14 +34,17 @@ services:
     - label=disable
     - seccomp=unconfined
     networks:
-      sssd:
-        ipv4_address: 172.16.100.10
+      ipa-tuura:
+        ipv4_address: 172.16.101.10
 
-  keycloak:
-    image: ${REGISTRY}/keycloak:${TAG}
-    container_name: keycloak
-    hostname: master.keycloak.test
-    dns: 172.16.100.2
+  ipa-tuura:
+    #image: quay.io/idmops/bridge:init
+    image: localhost/ipa-tuura/base:latest
+    container_name: ${CI_PREFIX}-ipa-tuura
+    hostname: ipa-tuura.bridge.kite
+    ports:
+    - 8000:8000
+    dns: 172.16.101.2
     env_file: ./env.containers
     volumes:
     - ./shared:/shared:rw
@@ -54,13 +57,45 @@ services:
     - label=disable
     - seccomp=unconfined
     networks:
-      sssd:
-        ipv4_address: 172.16.100.11
+      ipa-tuura:
+        ipv4_address: 172.16.101.14
+
+  keycloak:
+    #image: ${REGISTRY}/keycloak:${TAG}
+    image: quay.io/keycloak/keycloak:${KC_TAG}
+    container_name: ${CI_PREFIX}-keycloak
+    hostname: master.keycloak.kite
+    ports:
+    - 8443:8443
+    dns: 172.16.101.2
+    env_file: ./env.containers
+    volumes:
+    #- ./shared:/shared:rw
+    - ./data/keycloak/server.crt:/opt/keycloak/conf/server.crt
+    - ./data/keycloak/server.key:/opt/keycloak/conf/server.key
+    - ./data/keycloak/server.keystore:/opt/keycloak/conf/server.keystore
+    - ./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar:/opt/keycloak/providers/scim.jar
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - AUDIT_WRITE
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    entrypoint:
+    - /opt/keycloak/bin/kc.sh
+    - start
+    - --log-level=INFO,org.apache.http.wire:debug,org.keycloak:debug
+    networks:
+      ipa-tuura:
+        ipv4_address: 172.16.101.11
+
   nextcloud:
     image: ${REGISTRY}/nextcloud:${TAG}
-    container_name: nextcloud
-    hostname: master.nextcloud.test
-    dns: 172.16.100.2
+    container_name: ${CI_PREFIX}-nextcloud
+    hostname: master.nextcloud.kite
+    dns: 172.16.101.2
     env_file: ./env.containers
     volumes:
     - ./shared:/shared:rw
@@ -73,13 +108,13 @@ services:
     - label=disable
     - seccomp=unconfined
     networks:
-      sssd:
-        ipv4_address: 172.16.100.12
+      ipa-tuura:
+        ipv4_address: 172.16.101.12
   mariadb:
     image: ${REGISTRY}/mariadb:${TAG}
-    container_name: mariadb
-    hostname: master.mariadb.test
-    dns: 172.16.100.2
+    container_name: ${CI_PREFIX}-mariadb
+    hostname: master.mariadb.kite
+    dns: 172.16.101.2
     env_file: ./env.containers
     volumes:
     - ./shared:/shared:rw
@@ -92,13 +127,14 @@ services:
     - label=disable
     - seccomp=unconfined
     networks:
-      sssd:
-        ipv4_address: 172.16.100.13
+      ipa-tuura:
+        ipv4_address: 172.16.101.13
+
   ldap:
     image: ${REGISTRY}/ci-ldap:${TAG}
-    container_name: ldap
-    hostname: master.ldap.test
-    dns: 172.16.100.2
+    container_name: ${CI_PREFIX}-ldap
+    hostname: master.ldap.kite
+    dns: 172.16.101.2
     env_file: ./env.containers
     volumes:
     - ./shared:/shared:rw
@@ -110,13 +146,14 @@ services:
     - label=disable
     - seccomp=unconfined
     networks:
-      sssd:
-        ipv4_address: 172.16.100.20
+      ipa-tuura:
+        ipv4_address: 172.16.101.20
+
   client:
     image: ${REGISTRY}/ci-client:${TAG}
-    container_name: client
-    hostname: client.test
-    dns: 172.16.100.2
+    container_name: ${CI_PREFIX}-client
+    hostname: client.kite
+    dns: 172.16.101.2
     env_file: ./env.containers
     volumes:
     - ./shared:/shared:rw
@@ -129,13 +166,14 @@ services:
     - label=disable
     - seccomp=unconfined
     networks:
-      sssd:
-        ipv4_address: 172.16.100.40
+      ipa-tuura:
+        ipv4_address: 172.16.101.40
+
 networks:
-  sssd:
-    name: sssd-ci
+  ipa-tuura:
+    name: ipa-tuura-ci
     driver: bridge
     ipam:
      config:
-       - subnet: 172.16.100.0/24
-         gateway: 172.16.100.1
+       - subnet: 172.16.101.0/24
+         gateway: 172.16.101.1

env.containers

@@ -1,2 +1,11 @@
 # Environment variables set in all started containers
 CONTAINER=yes
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=Secret123
+KC_HOSTNAME=master.keycloak.kite
+KC_HOSTNAME_PORT=8443
+KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt
+KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key
+KC_HTTPS_TRUST_STORE_FILE=/opt/keycloak/conf/server.keystore
+KC_HTTPS_TRUST_STORE_PASSWORD=Secret123
+KC_HTTP_RELATIVE_PATH=/auth

src/Containerfile

@@ -0,0 +1,36 @@
+FROM fedora:latest
+
+MAINTAINER Scott Poore <[email protected]>
+
+ENV DJANGO_SUPERUSER_PASSWORD: Secret123 \
+    DJANGO_SUPERUSER_USERNAME: scim \
+    DJANGO_SUPERUSER_EMAIL: [email protected]
+
+EXPOSE 8000
+
+WORKDIR /ipa-tuura
+
+COPY ipa-tuura /ipa-tuura
+COPY install/ipa-tuura.service /etc/systemd/system/ipa-tuura.service
+COPY install/ipa-tuura.env /etc/sysconfig/ipa-tuura.env
+COPY install/requirements.txt /ipa-tuura/requirements.txt
+
+# Need to install packages before linking service file so that the
+# proper filesystem structure is in place for systemd
+RUN dnf -y install sssd ipa-client realmd java-11-openjdk-headless \
+           openssl maven unzip python3-pip git python3-netifaces \
+           python3-devel krb5-devel gcc sssd-dbus wget openldap-clients \
+           sssd sssd-ldap oddjob-mkhomedir realmd \
+           --nodocs
+           # --setopt install_weak_deps=0
+RUN dnf clean all -y
+RUN ln -s /etc/systemd/system/ipa-tuura.service \
+          /etc/systemd/system/multi-user.target.wants/ipa-tuura.service
+RUN ls -Fal /etc/systemd/system/multi-user.target.wants/*
+RUN pip install -r /ipa-tuura/requirements.txt && \
+    source /etc/sysconfig/ipa-tuura.env && \
+    python3 /ipa-tuura/manage.py makemigrations ipatuura && \
+    python3 /ipa-tuura/manage.py migrate && \
+    python3 /ipa-tuura/manage.py createsuperuser --scim_username scim --noinput
+
+CMD ["/usr/sbin/init"]

src/Makefile

@@ -0,0 +1,18 @@
+default: build
+
+build:
+	podman build -t ipa-tuura/base .
+
+run:
+	podman run --name bridge -d -p 8000:8000 ipa-tuura/base && \
+	podman start bridge
+
+start:
+	podman start bridge
+
+exec:
+	podman exec -it bridge bash
+
+clean:
+	podman rm -f bridge && \
+	podman image rm ipa-tuura/base

src/install/ipa-tuura.env

@@ -0,0 +1,5 @@
+DJANGO_SUPERUSER_USERNAME=scim
+DJANGO_SUPERUSER_PASSWORD=Secret123
+DJANGO_SUPERUSER_EMAIL=[email protected]
+export DJANGO_SUPERUSER_USERNAME DJANGO_SUPERUSER_PASSWORD DJANGO_SUPERUSER_EMAIL
+

src/install/ipa-tuura.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=SCIMv2 Bridge Server
+After=network.target
+
+[Service]
+Type=idle
+WorkingDirectory=/ipa-tuura/
+EnvironmentFile=/etc/sysconfig/ipa-tuura.env
+# Fix this later
+# User=scim
+# Group=scim
+ExecStart=/usr/bin/python3 /ipa-tuura/manage.py runserver 0.0.0.0:8000
+TimeoutStartSec=600
+TimeoutStopSec=600
+
+[Install]
+WantedBy=multi-user.target