diff --git a/.gitignore b/.gitignore index f032e7a..b57b526 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,12 @@ .DS_Store local/* !*.keep +*.swp +ISAM-Trial-IBM.cer +*pyenv/* +*.pem +*.crt +*.key +*.p12 +config.yml +*.log diff --git a/README.md b/README.md index 25532cd..2ae76da 100644 --- a/README.md +++ b/README.md @@ -27,9 +27,9 @@ The docker compose scripts will create a `$HOME/dockershare` directory. If you All passwords set by these scripts are `Passw0rd`. Obviously this is not a secure password! # Create Keystores -Before running any other scripts, run `verify-access-container-deployment/common/create-ldap-and-postgres-isvaop-keys.sh` +Before running any other scripts, run `verify-access-container-deployment/common/create-ivia-pki.sh` -This will create the `verify-access-container-deployment/local/dockerkeys` directory and populate it with keystores for PostgreSQL and OpenLDAP containers. +This will create the `verify-access-container-deployment/local/dockerkeys` directory and populate it with keystores for PostgreSQL, OpenLDAP, IVIA WebSEAL Reverse proxy, IVIA OIDC Provider, and IVIA Digital Credential containers. # Native Docker To set up a native Docker environment, use the files in `verify-access-container-deployment/docker`. @@ -74,6 +74,8 @@ These scripts assume that you have the `kubectl` utility installed and that it i First, run `./create-secrets.sh` command to create the secrets required for the environment. +Next, run `./create-configmap.sh` command to create the config map required for the environment. + Then, run `kubectl create -f ` to define the resources required. There are YAML files for the following environments: diff --git a/common/create-ivia-pki.sh b/common/create-ivia-pki.sh new file mode 100755 index 0000000..9d81645 --- /dev/null +++ b/common/create-ivia-pki.sh 
@@ -0,0 +1,102 @@ +#!/bin/bash + +# Get directory for this script +RUNDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +if [ -z "$RUNDIR" ] ; then + echo "Failed to get local path" + exit 1 # fail +fi + +# Get environment from common/env-config.sh +. $RUNDIR/env-config.sh + +LDAP_CERT_DN="/CN=openldap/O=ibm/C=us" +POSTGRES_CERT_DN="/CN=postgresql/O=ibm/C=us" +ISVAOP_CERT_DN="/CN=isvaop.ibm.com/O=ibm/C=us" +ISVADC_CERT_DN="/CN=iviadc.ibm.com/O=ibm/C=us" +ISVAWRP_CERT_DN="/CN=isvawrp.ibm.com/O=ibm/C=us" +if [ ! -d "$DOCKERKEYS" ]; then mkdir $DOCKERKEYS; fi +if [ ! -d "$DOCKERKEYS/openldap" ]; then mkdir $DOCKERKEYS/openldap; fi +if [ ! -d "$DOCKERKEYS/postgresql" ]; then mkdir $DOCKERKEYS/postgresql; fi +if [ ! -d "$DOCKERKEYS/isvaop" ]; then mkdir $DOCKERKEYS/isvaop; fi +if [ ! -d "$DOCKERKEYS/isvaop/personal" ]; then mkdir $DOCKERKEYS/isvaop/personal; fi +if [ ! -d "$DOCKERKEYS/isvaop/signer" ]; then mkdir $DOCKERKEYS/isvaop/signer; fi +if [ ! -d "$DOCKERKEYS/iviadc" ]; then mkdir $DOCKERKEYS/iviadc; fi +if [ ! -d "$DOCKERKEYS/isvawrp" ]; then mkdir $DOCKERKEYS/isvawrp; fi + +# Create a key/cert we can use for webseal which can be imported by the OP and DC containers +# The PKCS12 needs to be imported to the default WebSEAL runtime keystore (pdsrv) once the ivia-config +# container has started. +if [ ! -f "$DOCKERKEYS/isvawrp/isvawrp.pem" ] || [ ! 
-f "$DOCKERKEYS/isvawrp/isvawrp.key" ] +then + echo "Creating IVIA WebSEAL Reverse Proxy certificate files" + openssl req -newkey rsa:4096 -nodes -inform PEM -keyout $DOCKERKEYS/isvawrp/isvawrp.key -x509 -days 3650 -out $DOCKERKEYS/isvawrp/isvawrp.pem -subj $ISVAWRP_CERT_DN -addext "subjectAltName = DNS:www.iamlab.ibm.com, DNS:iviawrprp1, DNS:iviawrprp1:9443" + openssl pkcs12 -export -out $DOCKERKEYS/isvawrp/isvawrp.p12 -inkey $DOCKERKEYS/isvawrp/isvawrp.key -name wrp.ibm.com -in $DOCKERKEYS/isvawrp/isvawrp.pem --passout pass:Passw0rd +else + echo "ISVADC PKI files found - using existing certificate and key files" +fi +cp "$DOCKERKEYS/isvawrp/isvawrp.pem" ${IVIAOPCONFIG} +cp "$DOCKERKEYS/isvawrp/isvawrp.pem" ${IVIADCCONFIG} + + +if [ ! -f "$DOCKERKEYS/openldap/ldap.key" ] || [ ! -f "$DOCKERKEYS/openldap/ldap.crt" ] +then + echo "Creating LDAP certificate files" + openssl req -x509 -newkey rsa:4096 -keyout $DOCKERKEYS/openldap/ldap.key -out $DOCKERKEYS/openldap/ldap.crt -days 3650 -subj $LDAP_CERT_DN -nodes +else + echo "LDAP certificate files found - using existing certificate files" +fi + +# Same for dhparam.pem file +if [ ! -f "$DOCKERKEYS/openldap/dhparam.pem" ] +then + echo "Creating LDAP dhparam.pem" + openssl dhparam -out "$DOCKERKEYS/openldap/dhparam.pem" 2048 +else + echo "LDAP dhparam.pem file found - using existing file" +fi + +cp "$DOCKERKEYS/openldap/ldap.crt" "$DOCKERKEYS/openldap/ca.crt" + +if [ ! -f "$DOCKERKEYS/postgresql/postgres.key" ] || [ ! 
-f "$DOCKERKEYS/postgresql/postgres.crt" ] +then + echo "Creating postgres certificate files" + openssl req -x509 -newkey rsa:4096 -keyout $DOCKERKEYS/postgresql/postgres.key -out $DOCKERKEYS/postgresql/postgres.crt -days 3650 -subj $POSTGRES_CERT_DN -nodes -addext "subjectAltName = DNS:postgresql" +else + echo "Postgres certificate files found - using existing certificate files" +fi + +cat "$DOCKERKEYS/postgresql/postgres.crt" "$DOCKERKEYS/postgresql/postgres.key" > "$DOCKERKEYS/postgresql/server.pem" +cp "$DOCKERKEYS/postgresql/postgres.crt" ${IVIAOPCONFIG} + +if [ ! -f "$DOCKERKEYS/isvaop/personal/isvaop.key" ] || [ ! -f "$DOCKERKEYS/isvaop/signer/isvaop.pem" ] +then + echo "Creating ISVAOP certificate files" + openssl req -newkey rsa:2048 -nodes -inform PEM -keyout $DOCKERKEYS/isvaop/personal/isvaop.key -x509 -days 3650 -out $DOCKERKEYS/isvaop/signer/isvaop.pem -subj $ISVAOP_CERT_DN -addext "subjectAltName = DNS:isvaop" + chmod g+r $DOCKERKEYS/isvaop/personal/isvaop.key +else + echo "ISVAOP certificate files found - using existing certificate files" +fi +cp "$DOCKERKEYS/isvaop/personal/isvaop.key" ${IVIAOPCONFIG} +cp "$DOCKERKEYS/isvaop/signer/isvaop.pem" ${IVIAOPCONFIG} + +if [ ! -f "$DOCKERKEYS/iviadc/iviadc.pem" ] || [ ! -f "$DOCKERKEYS/iviadc/iviadc.key" ] +then + echo "Creating IVIADC certificate files" + openssl req -newkey rsa:4096 -nodes -inform PEM -keyout $DOCKERKEYS/iviadc/iviadc.key -x509 -days 3650 -out $DOCKERKEYS/iviadc/iviadc.pem -subj $ISVADC_CERT_DN -addext "subjectAltName = DNS:iviadc" + chmod g+r $DOCKERKEYS/iviadc/iviadc.key +else + echo "ISVADC PKI files found - using existing certificate and key files" +fi +#cat "$DOCKERKEYS/iviadc/iviadc.key" "$DOCKERKEYS/iviadc/iviadc.pem" > ${IVIADCCONFIG}/keydb.pem +cp "$DOCKERKEYS/iviadc/iviadc.pem" ${IVIADCCONFIG}/ +cp "$DOCKERKEYS/iviadc/iviadc.key" ${IVIADCCONFIG}/ +cp "$DOCKERKEYS/postgresql/postgres.crt" ${IVIADCCONFIG}/ + +if [ ! 
-f "${IVIADCCONFIG}/config.yml" ] && [ -f "${IVIADCCONFIG}/config.template" ]; then + read -p "Digital Credential License Code: [invalid_dc_code]" DC_CODE + if [ -z "$DC_CODE" ]; then + DC_CODE="invalid_dc_code" + fi + sed -e "s|@@ISVADC_LICENSE@@|$DC_CODE|g" "${IVIADCCONFIG}/config.template" > "${IVIADCCONFIG}/config.yml" +fi diff --git a/common/create-ldap-and-postgres-isvaop-keys.sh b/common/create-ldap-and-postgres-isvaop-keys.sh deleted file mode 100755 index 7626ad7..0000000 --- a/common/create-ldap-and-postgres-isvaop-keys.sh +++ /dev/null 
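Review bot: The script never enables error checking, so a failed `openssl req` or `openssl pkcs12` (or a failed `. $RUNDIR/env-config.sh`, which leaves `$DOCKERKEYS` empty) goes unnoticed and the following `cp` lines run against missing files; adding `set -euo pipefail` after the shebang, and quoting `"${IVIAOPCONFIG}"`/`"${IVIADCCONFIG}"` in the copies, would make the first failure the reported one. The `else` branch of the WebSEAL block reports `ISVADC PKI files found`, a copy-paste of the iviadc message; it should read `echo "IVIA WebSEAL Reverse Proxy PKI files found - using existing certificate and key files"`. The interactive `DC_CODE` is spliced unescaped into the `sed` expression, so a `|`, `&` or `\` in the code silently corrupts the generated config.yml; a shell substitution avoids the problem, `while IFS= read -r line; do printf '%s\n' "${line//@@ISVADC_LICENSE@@/$DC_CODE}"; done < "${IVIADCCONFIG}/config.template" > "${IVIADCCONFIG}/config.yml"`, and the same construction with `DC_LICENSE` in compose/create-keyshares.sh needs the same treatment. Note also that config.yml is only generated when absent, so re-running with a different code never updates it, which may be intended.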
@@ -1,62 +0,0 @@ -#!/bin/bash - -# Get directory for this script -RUNDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -if [ -z "$RUNDIR" ] ; then - echo "Failed to get local path" - exit 1 # fail -fi - -# Get environment from common/env-config.sh -. $RUNDIR/env-config.sh - -LDAP_CERT_DN="/CN=openldap/O=ibm/C=us" -POSTGRES_CERT_DN="/CN=postgresql/O=ibm/C=us" -ISVAOP_CERT_DN="/CN=isvaop.ibm.com/O=ibm/C=us" - -if [ ! -d "$DOCKERKEYS" ]; then mkdir $DOCKERKEYS; fi -if [ ! -d "$DOCKERKEYS/openldap" ]; then mkdir $DOCKERKEYS/openldap; fi -if [ ! -d "$DOCKERKEYS/postgresql" ]; then mkdir $DOCKERKEYS/postgresql; fi -if [ ! -d "$DOCKERKEYS/isvaop" ]; then mkdir $DOCKERKEYS/isvaop; fi -if [ ! -d "$DOCKERKEYS/isvaop/personal" ]; then mkdir $DOCKERKEYS/isvaop/personal; fi -if [ ! -d "$DOCKERKEYS/isvaop/signer" ]; then mkdir $DOCKERKEYS/isvaop/signer; fi - -if [ ! -f "$DOCKERKEYS/openldap/ldap.key" ] || [ ! -f "$DOCKERKEYS/openldap/ldap.crt" ] -then - echo "Creating LDAP certificate files" - openssl req -x509 -newkey rsa:4096 -keyout $DOCKERKEYS/openldap/ldap.key -out $DOCKERKEYS/openldap/ldap.crt -days 3650 -subj $LDAP_CERT_DN -nodes -else - echo "LDAP certificate files found - using existing certificate files" -fi - -# Same for dhparam.pem file -if [ ! -f "$DOCKERKEYS/openldap/dhparam.pem" ] -then - echo "Creating LDAP dhparam.pem" - openssl dhparam -out "$DOCKERKEYS/openldap/dhparam.pem" 2048 -else - echo "LDAP dhparam.pem file found - using existing file" -fi - -cp "$DOCKERKEYS/openldap/ldap.crt" "$DOCKERKEYS/openldap/ca.crt" - -if [ ! -f "$DOCKERKEYS/postgresql/postgres.key" ] || [ ! 
-f "$DOCKERKEYS/postgresql/postgres.crt" ] -then - echo "Creating postgres certificate files" - openssl req -x509 -newkey rsa:4096 -keyout $DOCKERKEYS/postgresql/postgres.key -out $DOCKERKEYS/postgresql/postgres.crt -days 3650 -subj $POSTGRES_CERT_DN -nodes -addext "subjectAltName = DNS:postgresql" -else - echo "Postgres certificate files found - using existing certificate files" -fi - -cat "$DOCKERKEYS/postgresql/postgres.crt" "$DOCKERKEYS/postgresql/postgres.key" > "$DOCKERKEYS/postgresql/server.pem" -cp "$DOCKERKEYS/postgresql/postgres.crt" ${IVIAOPCONFIG} - -if [ ! -f "$DOCKERKEYS/isvaop/personal/isvaop.key" ] || [ ! -f "$DOCKERKEYS/isvaop/signer/isvaop.pem" ] -then - echo "Creating ISVAOP certificate files" - openssl req -newkey rsa:2048 -nodes -inform PEM -keyout $DOCKERKEYS/isvaop/personal/isvaop_key.pem -x509 -days 3650 -out $DOCKERKEYS/isvaop/signer/isvaop.pem -subj $ISVAOP_CERT_DN -else - echo "ISVAOP certificate files found - using existing certificate files" -fi -cp "$DOCKERKEYS/isvaop/personal/isvaop_key.pem" ${IVIAOPCONFIG} -cp "$DOCKERKEYS/isvaop/signer/isvaop.pem" ${IVIAOPCONFIG} diff --git a/common/env-config.sh b/common/env-config.sh index 2e8ae8b..ba57dda 100755 --- a/common/env-config.sh +++ b/common/env-config.sh @@ -20,10 +20,11 @@ MY_WEB2_IP=127.0.0.4 # Versions CONTAINER_BASE=icr.io/ivia/ivia -ISVA_VERSION=11.0.0.0 +ISVA_VERSION=11.0.1.0 LDAP_VERSION=latest -DB_VERSION=11.0.0.0 -IVIAOP_VERSION=24.12 +DB_VERSION=11.0.1.0 +IVIAOP_VERSION=25.03 +IVIADC_VERSION=25.03 # Get directory for this script PARENT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && cd .. && pwd )" 
@@ -35,8 +36,10 @@ fi # Location where Keystores will be created DOCKERKEYS=${PARENT}/local/dockerkeys IVIAOPCONFIG=${PARENT}/common/isvaop-config +IVIADCCONFIG=${PARENT}/common/iviadc-config # Location where Docker Shares will be created # Note that this directory is also hardcoded into YAML files DOCKERSHARE=${HOME}/dockershare export DOCKERSHARE export IVIAOPCONFIG +export IVIADCCONFIG diff --git a/common/isvaop-config/provider.yml b/common/isvaop-config/provider.yml index 6479804..a1ebdd5 100755 --- a/common/isvaop-config/provider.yml +++ b/common/isvaop-config/provider.yml @@ -35,4 +35,4 @@ keystore: content: '@postgres.crt' key: - label: httpserverkey - content: '@isvaop_key.pem' \ No newline at end of file + content: '@isvaop.key' diff --git a/common/iviadc-config/config.template b/common/iviadc-config/config.template new file mode 100644 index 0000000..cd56f16 --- /dev/null +++ b/common/iviadc-config/config.template 
@@ -0,0 +1,64 @@ +general: + log_level: "debug" + name: "onpremise" + license: + accept: true + key: "@@ISVADC_LICENSE@@" + url: "https://iviadc:9720" + request_log: + enabled: false + format: ":date[iso] :method :url :http-version :status" + enable_doc_cache: false + tls: + private_key: !file "/var/config/iviadc.key" + cert: !file "/var/config/iviadc.pem" + wallet: + name: "ivia" + encryption_key: "my-key" + auth: + jwt: + header_name: my-jwt + cert: !file "/var/config/iviadc.pem" + dynamic_client_registration: + endpoint: "https://iviawrprp1:9443/isvaop/oauth2" + ca_cert: !file "/var/config/isvawrp.pem" + client_id: "admin" + client_secret: "secret" + cache_access_token: true + introspection: + cache: + max_entries: 101 + max_age: 102 + providers: + - name: "my-provider" + endpoint: "https://iviawrprp1:9443/isvaop/oauth2" + oid4vci: + default_wallet_client_id: "default_oid4vci_wallet" + claims: + - name: "active" + value: "true" + type: remote + remote: + introspect_sub_path: "/introspect" + client_id: "admin" + client_secret: "secret" + status_registry: + type: "internal" + min_statuslist_size: 131072 + max_statuslist_size: 131072 + max_random_allocation_attempts: 100 +database: + postgresql: + hosts: + - postgresql + port: 5432 + user: "postgres" + password: "Passw0rd" + ssl: true + skip_hostname_verify: true + ca_cert: !file "/var/config/postgres.crt" + pool: + min_connections: 5 + max_connections: 20 + max_idle_time: 10000 + connection_timeout: 10000 diff --git a/compose/base_layer/README.md b/compose/base_layer/README.md new file mode 100644 index 0000000..818ff45 --- /dev/null +++ b/compose/base_layer/README.md 
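Review bot: The template fixes the wallet `encryption_key` to `"my-key"`, the dynamic-client-registration and introspection `client_secret` to `"secret"` and the database `password` to `"Passw0rd"`, while only the license key goes through the `@@ISVADC_LICENSE@@` placeholder; the wallet key protects stored credential material, and the same placeholder mechanism (e.g. a `@@WALLET_ENCRYPTION_KEY@@` marker filled in by the scripts) would let each deployment get its own value instead of one shipped for every lab. `skip_hostname_verify: true` looks unnecessary, because common/create-ivia-pki.sh issues the postgres certificate with `subjectAltName = DNS:postgresql`, matching the `hosts` entry; worth confirming against the container's verifier before removing it. `log_level: "debug"` is a lab setting; a header comment such as `# lab defaults: replace encryption_key, client_secret and password before any shared deployment` would tell readers which values are not meant to survive copy-paste.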
@@ -0,0 +1,45 @@ +# Configuration +This readme documents how to configure the various Verify Access containers to a "base layer" configuration. +In this state, containers have sufficient configuration to bootstrap correctly, but likely still cannot do +anything particularly useful. + +# Requirements +- generate required PKI and configuration files and have copies of them in your current working directory + * required files: `ldap.crt`, `postgres.crt`, `isvawrp.p12`, `isvaop.pem`, `req_openid_config.lua` + and `rsp_openid_config.lua` +- deploy Verify Identity Access containers using `ivia-minikube.yaml` or equivalent +- get a trial license from [IVIA trial site](https://isva-trial.verify.ibm.com/) + +## Configuration steps performed on the ivia-config container +- accept eula +- import PKI for database, ldap, iviaop and iviadc containers +- set the High-Volume Database connection +- import the trial license +- configure the WebSEAL user registry / policy server +- create the `rp1` reverse proxy instance +- create a junction to the `iviaop` container +- create LUA http transformation rules for the .well-known endpoints required by the `iviadc` container +- configure the distributed session cache service + +This automated configuration assumes that the Verify Identity Access containers have been deployed with +the configuration defined in the `iamlab/docker-compose.yaml` file. If your environment differs from this, you +may need to update the provided configuration. + +The provided automation also assumes that you have set up host/domain names `lmi.iamlab.ibm.com` for the +management interface and `www.iamlab.ibm.com` for the `rp1` reverse proxy instance. 
+ +# Running the configuration tool +Once you have copies of the required configuration files, you can install and run the configuration tool +as follows: + +```bash +pip install ibmvia_autoconf +export IVIA_CONFIG_YAML=base_layer.yaml +export IVIA_MGMT_URL=https://lmi.iamlab.ibm.com +export MGMT_OLD_PWD=admin +export MGMT_PWD=betterThanPassw0rd +export IVIA_CONFIG_BASE=$(pwd) +python -m ibmvia_autoconf +``` + +An example shell script which automates the above steps is provided at `base_layer.sh` diff --git a/compose/base_layer/base_layer.yaml b/compose/base_layer/base_layer.yaml new file mode 100644 index 0000000..950b861 --- /dev/null +++ b/compose/base_layer/base_layer.yaml 
@@ -0,0 +1,125 @@ +container: + compose_services: + - iviawrprp1 + - iviaruntime + - iviadsc + - iviadsc-replica + docker_compose_yaml: "iamlab/docker-compose.yaml" + ssl_certificates: + - name: "lmi_trust_store" + signer_certificates: + - "postgres.crt" + - "ldap.crt" + - name: "rt_profile_keys" + signer_certificates: + - "postgres.crt" + - name: "pdsrv" + personal_certificates: + - name: "WRP" + p12_file: "isvawrp.p12" + secret: "Passw0rd" + signer_certificates: + - "isvaop.pem" + cluster: + runtime_database: + host: "postgresql" + port: 5432 + type: "postgresql" + user: "postgres" + password: "Passw0rd" + ssl: True + db_name: "ivia" + dsc: + client_grace: 600 + connection_idle_timeout: 0 + max_session_lifetime: 3600 + service_port: 9443 + replication_port: 9444 + worker_threads: 64 + servers: + - ip: "iviadsc" + service_port: 9443 + replication_port: 9444 + - ip: "iviadsc-replica" + service_port: 9443 + replication_port: 9444 + activation: #Activation codes + trial_license: "ISAM-Trial-IBM.cer" +webseal: + runtime: + policy_server: "ldap" + user_registry: "ldap" + ldap: + host: "openldap" + port: 636 + dn: "cn=root,secAuthority=Default" + dn_password: "Passw0rd" + key_file: "lmi_trust_store" + clean_ldap: True + domain: "Default" + admin_user: "sec_master" + admin_password: "Passw0rd" + admin_cert_lifetime: 1460 + ssl_compliance: "fips" + http_transforms: + lua: + - "req_openid_config.lua" + - "rsp_openid_config.lua" + pdadmin: + acls: + - name: "unauth" + users: + - name: "sec_master" + permissions: "TcmdbsvaBRrxl" + any_other: "Tr" + unauthenticated: "Tr" + reverse_proxies: + - host: "www.iamlab.ibm.com" + instance: "rp1" + acls: + - name: "unauth" + junctions: + - "/isvaop/oauth2/.well-known" + reverse_proxy: + - name: "rp1" + host: "www.iamlab.ibm.com" + http: + enabled: "no" + https: + enabled: "yes" + domain: "Default" + ldap: + ssl: "yes" + port: 636 + key_file: "lmi_trust_store" + junctions: + - junction_point: "/isvaop" + description: "Verify Identiy 
Access OIDC OP Container" + junction_type: "ssl" + server_hostname: "iviaop" + server_port: 8436 + stanza_configuration: + - stanza: "ssl" + entry_id: "webseal-cert-keyfile-label" + value: "WRP" + operation: "update" + - stanza: "http-transformations" + entry_id: "req_openid" + value: "req_openid_config.lua" + operation: "add" + - stanza: "http-transformations" + entry_id: "rsp_openid" + value: "rsp_openid_config.lua" + operation: "add" + - stanza: "http-transformations:req_openid" + operation: "add" + - stanza: "http-transformations:req_openid" + operation: "add" + entry_id: "request-match" + value: "request:GET /isvaop/oauth2/.well-known/oauth-authorization-server *" + - stanza: "http-transformations:rsp_openid" + operation: "add" + - stanza: "http-transformations:rsp_openid" + operation: "add" + entry_id: "request-match" + value: "response:GET /isvaop/oauth2/.well-known/oauth-authorization-server *" diff --git a/compose/base_layer/config.sh b/compose/base_layer/config.sh new file mode 100755 index 0000000..1317f5c --- /dev/null +++ b/compose/base_layer/config.sh 
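Review bot: The junction description under `reverse_proxy` reads `"Verify Identiy Access OIDC OP Container"`, a typo for "Identity". The `http-transformations:req_openid` and `http-transformations:rsp_openid` stanzas each appear twice, once with only `operation: "add"` and no `entry_id`/`value`; if the first of each pair is meant to create the stanza before the `request-match` entry is added, a comment saying so (`# create the stanza first, then add request-match`) would stop the next reader from deleting it as a duplicate.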
@@ -0,0 +1,44 @@ +#!/bin/bash +set -x +# Get directory for this script +RUNDIR="`dirname "$0"`" # relative +RUNDIR="`cd "$RUNDIR" && pwd`" # absolutized and normalized +if [ -z "$RUNDIR" ] ; then + echo "Failed to get local path" + exit 1 +fi + +. ${RUNDIR}/../../common/env-config.sh +# Collect current PKI +cp $DOCKERKEYS/isvawrp/isvawrp.p12 $RUNDIR/isvawrp.p12 +cp $DOCKERKEYS/isvaop/signer/isvaop.pem $RUNDIR/isvaop.pem +cp $DOCKERKEYS/postgresql/postgres.crt $RUNDIR/postgres.crt +cp $DOCKERKEYS/openldap/ldap.crt $RUNDIR/ldap.crt + +for FILE in base_layer.yaml postgres.crt ldap.crt isvawrp.p12 isvaop.pem req_openid_config.lua rsp_openid_config.lua; do + if [ ! -f "$FILE" ]; then + echo "$FILE configuration file missing from project; not added to working dir [$(pwd)]" + exit 1 + fi +done + +if [ ! -f "ISAM-Trial-IBM.cer" ]; then + echo "Missing IVIA trial license in $(pwd); obtain a trial from https://isva-trial.verify.ibm.com/" + echo "Alternatively, obtain product activation codes and update this check" + exit 1 +fi + + +#echo "Installing configuration tool" +#virtualenv $DOCKERSHARE/pyenv +#source $DOCKERSHARE/pyenv/bin/activate +#pip install ibmvia_autoconf +export IVIA_CONFIG_YAML=base_layer.yaml +export IVIA_MGMT_BASE_URL=https://127.0.0.2:9443 +export IVIA_MGMT_OLD_PWD=admin +export IVIA_MGMT_PWD=Passw0rd +export IVIA_MGMT_USER=admin +export IVIA_CONFIG_BASE=$(pwd) +#export IVIA_KUBERNETES_YAML_CONFIG=/tmp/tmp.gLU9O86U74 +echo "Running configuration tool" +python -m ibmvia_autoconf | tee base_layer.log diff --git a/compose/base_layer/iamlab b/compose/base_layer/iamlab new file mode 120000 index 0000000..8315bf8 --- /dev/null +++ b/compose/base_layer/iamlab @@ -0,0 +1 @@ +../iamlab \ No newline at end of file diff --git a/compose/base_layer/req_openid_config.lua b/compose/base_layer/req_openid_config.lua new file mode 100644 index 0000000..fc51e41 --- /dev/null +++ b/compose/base_layer/req_openid_config.lua 
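Review bot: `set -x` on the second line traces every command to stderr, including `export IVIA_MGMT_PWD=Passw0rd` and the other credential exports, so the passwords end up in the terminal scrollback of whoever runs the script; trace only the section you need (`set -x` before the `cp` block, `set +x` before the exports) or drop it. The script's exit status is that of `tee`, not the configuration tool, so a failed run still exits 0; `set -o pipefail` near the top, or `exit "${PIPESTATUS[0]}"` after the pipeline, fixes this. The variable names here (`IVIA_MGMT_BASE_URL`, `IVIA_MGMT_OLD_PWD`, `IVIA_MGMT_USER`) differ from the ones in compose/base_layer/README.md (`IVIA_MGMT_URL`, `MGMT_OLD_PWD`, `MGMT_PWD`); the tool presumably honours one set, so the other document is wrong and should be aligned. The `for FILE in …` check tests the current directory while the `cp` lines above write into `$RUNDIR`, so running the script from any other directory fails with a misleading message; testing `"$RUNDIR/$FILE"` or doing `cd "$RUNDIR"` first would make the two agree.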
@@ -0,0 +1,2 @@ +-- Simply route the request to .well-known/openid-configuration +HTTPRequest.setURL("/isvaop/oauth2/.well-known/openid-configuration") diff --git a/compose/base_layer/rsp_openid_config.lua b/compose/base_layer/rsp_openid_config.lua new file mode 100644 index 0000000..d4ddeb6 --- /dev/null +++ b/compose/base_layer/rsp_openid_config.lua @@ -0,0 +1,10 @@ +-- We're going to inject "code_challenge_methods_supported": [ "plain" ] +-- into the response payload + +local cjson = require "cjson" +local payload = cjson.decode(HTTPResponse.getBody()) + +local pkceMethods = { "plain" } +setmetatable(pkceMethods, cjson.array_mt) +payload["code_challenge_methods_supported"] = pkceMethods +HTTPResponse.setBody(cjson.encode(payload)) diff --git a/compose/create-keyshares.sh b/compose/create-keyshares.sh index ede38bd..20d5037 100755 --- a/compose/create-keyshares.sh +++ b/compose/create-keyshares.sh @@ -1,5 +1,4 @@ #!/bin/bash - # Get directory for this script RUNDIR="`dirname \"$0\"`" # relative RUNDIR="`( cd \"$RUNDIR\" && pwd )`" # absolutized and normalized 
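Review bot: `payload["code_challenge_methods_supported"] = pkceMethods` replaces whatever the OP advertised with `[ "plain" ]`, so any client reading the metadata stops seeing `S256` (if the provider lists it) and falls back to the weaker `plain` transform; RFC 7636 asks servers to support S256 and clients to prefer it, so the rule should add `plain` to the existing list rather than overwrite it. `cjson.decode(HTTPResponse.getBody())` also raises on a non-JSON body (an error page from the junction, for example), which aborts the transformation; decoding under `pcall` and leaving the body untouched on failure is safer. Whether the OP's metadata already lists S256 is not visible here, so the merge below preserves whatever is present.
```lua
local cjson = require "cjson"
local ok, payload = pcall(cjson.decode, HTTPResponse.getBody())
if ok and type(payload) == "table" then
  local methods = payload["code_challenge_methods_supported"] or {}
  local hasPlain = false
  for _, m in ipairs(methods) do
    if m == "plain" then hasPlain = true end
  end
  if not hasPlain then table.insert(methods, "plain") end
  setmetatable(methods, cjson.array_mt)
  payload["code_challenge_methods_supported"] = methods
  HTTPResponse.setBody(cjson.encode(payload))
end
```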
@@ -12,23 +11,43 @@ fi . $RUNDIR/../common/env-config.sh KEY_DIR=${DOCKERSHARE}/composekeys -CONFIG_DIR=${DOCKERSHARE}/isvaop-config +OPCONF_DIR=${DOCKERSHARE}/isvaop-config +DCCONF_DIR=${DOCKERSHARE}/iviadc-config if [ ! -d "$KEY_DIR" ]; then mkdir -p $KEY_DIR; fi -if [ ! -d "$CONFIG_DIR" ]; then mkdir -p $CONFIG_DIR; fi +if [ ! -d "$OPCONF_DIR" ]; then mkdir -p $OPCONF_DIR; fi +if [ ! -d "$DCCONF_DIR" ]; then mkdir -p $DCCONF_DIR; fi + +if [ ! -f "$DOCKERKEYS/openldap/ldap.key" ] || [ ! -f "$DOCKERKEYS/openldap/ldap.crt" ] || [ ! -f "$DOCKERKEYS/openldap/ca.crt" ] || [ ! -f "$DOCKERKEYS/openldap/dhparam.pem" ] || [ ! -f "$DOCKERKEYS/postgresql/server.pem" ] || [ ! -f "$DOCKERKEYS/isvaop/personal/isvaop.key" ] || [ ! -f "$DOCKERKEYS/isvaop/signer/isvaop.pem" ] || [ ! -f "$DOCKERKEYS/iviadc/iviadc.key" ] || [ ! -f "$DOCKERKEYS/iviadc/iviadc.pem" ] -if [ ! -f "$DOCKERKEYS/openldap/ldap.key" ] || [ ! -f "$DOCKERKEYS/openldap/ldap.crt" ] || [ ! -f "$DOCKERKEYS/openldap/ca.crt" ] || [ ! -f "$DOCKERKEYS/openldap/dhparam.pem" ] || [ ! -f "$DOCKERKEYS/postgresql/server.pem" ] || [ ! -f "$DOCKERKEYS/isvaop/personal/isvaop_key.pem" ] || [ ! -f "$DOCKERKEYS/isvaop/signer/isvaop.pem" ] then echo "Key files not found. Restore or create keys before running this script." exit 1 fi -echo "Creating key shares at $KEY_DIR" -cp -R $DOCKERKEYS/* $KEY_DIR +echo -n "Creating key shares at $KEY_DIR . . . " +cp -R $DOCKERKEYS/* $KEY_DIR/ +echo "Done." + +echo -n "Creating isvaop config shares at $OPCONF_DIR . . . " +cp -R $IVIAOPCONFIG/* $OPCONF_DIR/ echo "Done." +echo -n "Creating isvadc config shares at $DCCONF_DIR . . . " +cp -R $IVIADCCONFIG/* $DCCONF_DIR/ +echo "Done." +read -p "Digital Credential License Activation Code: " DC_LICENSE +if [ ! -z "${DC_LICENSE}" ]; then + sed -e "s|@@ISVADC_LICENSE@@|${DC_LICENSE}|g" $DCCONF_DIR/config.template > $DCCONF_DIR/config.yml +else + echo "Not updating \"general.license.key\" property in Digital Credential config.yml" + if [ ! 
-f $DCCONF_DIR/config.yml ]; then + cp $DCCONF_DIR/config.template $DCCONF_DIR/config.yml + fi +fi -echo "Creating isvaop config shares at $CONFIG_DIR" -cp -R $IVIAOPCONFIG/* $CONFIG_DIR -cp $DOCKERKEYS/isvaop/personal/* $CONFIG_DIR -cp $DOCKERKEYS/isvaop/signer/* $CONFIG_DIR -cp $DOCKERKEYS/postgresql/postgres.crt $CONFIG_DIR -echo "Done." \ No newline at end of file +echo "Done." +cp $DOCKERKEYS/isvaop/personal/* $OPCONF_DIR +cp $DOCKERKEYS/isvaop/signer/* $OPCONF_DIR +cp $DOCKERKEYS/postgresql/postgres.crt $OPCONF_DIR +cp $DOCKERKEYS/postgresql/postgres.crt $DCCONF_DIR +cp $DOCKERKEYS/isvawrp/isvawrp.pem $DCCONF_DIR +echo "Done." diff --git a/compose/iamlab/.env b/compose/iamlab/.env index be9e2ef..1477dcf 100644 --- a/compose/iamlab/.env +++ b/compose/iamlab/.env @@ -1,10 +1,11 @@ TIMEZONE=Australia/Brisbane ADMIN_PASSWORD=Passw0rd CONTAINER_BASE=icr.io/ivia/ivia -ISVA_VERSION=11.0.0.0 -LDAP_VERSION=11.0.0.0 -DB_VERSION=11.0.0.0 +ISVA_VERSION=11.0.1.0 +LDAP_VERSION=latest +DB_VERSION=11.0.1.0 LMI_IP=127.0.0.2 WEB1_IP=127.0.0.3 WEB2_IP=127.0.0.4 -IVIAOP_VERSION=24.12 +IVIAOP_VERSION=25.03 +IVIADC_VERSION=25.03 diff --git a/compose/iamlab/docker-compose.yaml b/compose/iamlab/docker-compose.yaml index 8f43c89..214f1ce 100644 --- a/compose/iamlab/docker-compose.yaml +++ b/compose/iamlab/docker-compose.yaml @@ -186,6 +186,22 @@ services: environment: - CONTAINER_TIMEZONE=${TIMEZONE} volumes: - - ${HOME}/dockershare/isvaop-config:/var/isvaop/config + - ${HOME}/dockershare/isvaop-config:/var/isvaop/config:Z depends_on: - postgresql + + iviadc: + image: ${CONTAINER_BASE}-digital-credentials:${IVIADC_VERSION} + networks: + - ivia-network + hostname: iviadc + restart: always + environment: +# - NODE_TLS_REJECT_UNAUTHORIZED=0 + - YAML_FILE=/var/config/config.yml + - IBM_API_EXPLORER=1 + volumes: + - ${HOME}/dockershare/iviadc-config:/var/config:Z + depends_on: + - postgresql + - iviaop 
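Review bot: The extended precondition test at the top of the hunk checks the openldap, postgresql, isvaop and iviadc files but not `$DOCKERKEYS/isvawrp/isvawrp.pem`, which the last lines copy unconditionally into `$DCCONF_DIR`; the iviadc `config.template` references that file as `ca_cert`, so a missing one now surfaces as a `cp` error instead of the "Key files not found" message. Adding `|| [ ! -f "$DOCKERKEYS/isvawrp/isvawrp.pem" ]` to the condition closes the gap. The `echo "Done."` directly after the license `if`/`fi` block does not belong to any "Creating …" line (the isvadc share already printed its own) and the script ends with a second one; the first should go. `read -p` without `-r` and `[ ! -z "${DC_LICENSE}" ]` are minor: `read -r -p …` and `[ -n "${DC_LICENSE}" ]` are the usual forms.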
diff --git a/compose/update-env-file.sh b/compose/update-env-file.sh index 23603c8..132dab0 100755 --- a/compose/update-env-file.sh +++ b/compose/update-env-file.sh @@ -27,6 +27,8 @@ mv .env .env.original sed '/DB_VERSION/d' .env.original > .env mv .env .env.original sed '/CONTAINER_BASE/d' .env.original > .env +mv .env .env.original +sed '/IVIADC_VERSION/d' .env.original > .env rm .env.original cat >> .env < /dev/null && pwd )" if [ -z "$RUNDIR" ] ; then echo "Failed to get local path" exit 1 # fail @@ -12,13 +11,22 @@ fi if [ ! -d "${IVIAOPCONFIG}" ] then - echo "Configuration files not found. " + echo "OIDC OP configuration files not found at ${IVIAOPCONFIG}" + exit 1 +fi + +if [ ! -d "${IVIADCCONFIG}" ] +then + echo "Digital Credential configuration files not found at ${IVIADCCONFIG}" exit 1 fi # Create secret for TLS certificates used by this container echo "Deleting confimap" -kubectl delete configmap isvaop-config -echo "Creating confimap for isvaop" -kubectl create configmap isvaop-config --from-file=${IVIAOPCONFIG} -echo "Done." \ No newline at end of file +kubectl delete configmap iviaop-config +kubectl delete configmap iviadc-config +echo "Creating confimap for iviaop" +kubectl create configmap iviaop-config --from-file=${IVIAOPCONFIG} +echo "Creating confimap for iviadc" +kubectl create configmap iviadc-config --from-file=${IVIADCCONFIG} +echo "Done." diff --git a/kubernetes/create-docker-store-secret.sh b/kubernetes/create-docker-store-secret.sh deleted file mode 100755 index 26b8fbb..0000000 --- a/kubernetes/create-docker-store-secret.sh +++ /dev/null @@ -1,12 +0,0 @@ -echo -n "Docker Username: " -read dusername -echo -n "Docker Password: " -read -s dpassword -echo -echo -n "Docker E-mail: " -read demail -kubectl delete secret dockerlogin &> /dev/null -kubectl create secret docker-registry dockerlogin \ - --docker-username=$dusername \ - --docker-password=$dpassword \ - --docker-email=$demail 
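Review bot: `kubectl create configmap iviaop-config --from-file=${IVIAOPCONFIG}` and the matching `iviadc-config` line publish private key material as ConfigMaps: common/create-ivia-pki.sh copies `isvaop.key` into `$IVIAOPCONFIG` and `iviadc.key` plus the generated `config.yml` (license code, database password) into `$IVIADCCONFIG`, so anyone with ConfigMap read access in the namespace can read the keys, and they miss whatever at-rest encryption or RBAC separation the cluster applies to Secrets. Splitting the directories so the `.key` files and `config.yml` go through `kubectl create secret generic iviaop-keys --from-file=…` (mounted next to the ConfigMap) keeps the public certificates where they are. `kubectl delete configmap …` without `--ignore-not-found` prints an error on the first run; adding the flag makes the script idempotent. The messages spell it `confimap` three times. This hunk's file header is cut off in this view; from the README it is presumably kubernetes/create-configmap.sh.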
diff --git a/kubernetes/create-secrets.sh b/kubernetes/create-secrets.sh index dcded85..3656b66 100755 --- a/kubernetes/create-secrets.sh +++ b/kubernetes/create-secrets.sh @@ -1,8 +1,7 @@ #!/bin/bash # Get directory for this script -RUNDIR="`dirname \"$0\"`" # relative -RUNDIR="`( cd \"$RUNDIR\" && pwd )`" # absolutized and normalized +RUNDIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" if [ -z "$RUNDIR" ] ; then echo "Failed to get local path" exit 1 # fail diff --git a/kubernetes/ivia-google.yaml b/kubernetes/ivia-google.yaml index 6b775a9..ec8092d 100644 --- a/kubernetes/ivia-google.yaml +++ b/kubernetes/ivia-google.yaml @@ -167,7 +167,7 @@ spec: secretName: postgresql-keys containers: - name: postgresql - image: icr.io/ivia/ivia-postgresql:11.0.0.0 + image: icr.io/ivia/ivia-postgresql:11.0.1.0 livenessProbe: tcpSocket: port: 5432 @@ -240,7 +240,7 @@ spec: emptyDir: {} containers: - name: iviaconfig - image: icr.io/ivia/ivia:11.0.0.0 + image: icr.io/ivia/ivia:11.0.1.0 volumeMounts: - mountPath: /var/shared name: iviaconfig @@ -321,7 +321,7 @@ spec: emptyDir: {} containers: - name: iviawrprp1 - image: icr.io/ivia/ivia-wrp:11.0.0.0 + image: icr.io/ivia/ivia-wrp:11.0.1.0 ports: - containerPort: 9443 volumeMounts: @@ -402,7 +402,7 @@ spec: emptyDir: {} containers: - name: iviaruntime - image: icr.io/ivia/ivia-runtime:11.0.0.0 + image: icr.io/ivia/ivia-runtime:11.0.1.0 ports: - containerPort: 9443 volumeMounts: @@ -485,7 +485,7 @@ spec: emptyDir: {} containers: - name: iviadsc - image: icr.io/ivia/ivia-dsc:11.0.0.0 + image: icr.io/ivia/ivia-dsc:11.0.1.0 ports: - containerPort: 9443 - containerPort: 9444 diff --git a/kubernetes/ivia-ibmcloud-pvc.yaml b/kubernetes/ivia-ibmcloud-pvc.yaml index 3edd9ce..9d6665f 100644 --- a/kubernetes/ivia-ibmcloud-pvc.yaml +++ b/kubernetes/ivia-ibmcloud-pvc.yaml 
@@ -187,7 +187,7 @@ spec: secretName: postgresql-keys containers: - name: postgresql - image: icr.io/ivia/ivia-postgresql:11.0.0.0 + image: icr.io/ivia/ivia-postgresql:11.0.1.0 livenessProbe: tcpSocket: port: 5432 @@ -260,7 +260,7 @@ spec: emptyDir: {} containers: - name: iviaconfig - image: icr.io/ivia/verify-access-config:11.0.0.0 + image: icr.io/ivia/verify-access-config:11.0.1.0 volumeMounts: - mountPath: /var/shared name: iviaconfig @@ -341,7 +341,7 @@ spec: emptyDir: {} containers: - name: iviawrprp1 - image: icr.io/ivia/ivia-wrp:11.0.0.0 + image: icr.io/ivia/ivia-wrp:11.0.1.0 ports: - containerPort: 9443 volumeMounts: @@ -422,7 +422,7 @@ spec: emptyDir: {} containers: - name: iviaruntime - image: icr.io/ivia/ivia-runtime:11.0.0.0 + image: icr.io/ivia/ivia-runtime:11.0.1.0 ports: - containerPort: 9443 volumeMounts: @@ -505,7 +505,7 @@ spec: emptyDir: {} containers: - name: iviadsc - image: icr.io/ivia/ivia-dsc:11.0.0.0 + image: icr.io/ivia/ivia-dsc:11.0.1.0 ports: - containerPort: 9443 - containerPort: 9444 diff --git a/kubernetes/ivia-ibmcloud.yaml b/kubernetes/ivia-ibmcloud.yaml index 8245b8e..6fe279f 100644 --- a/kubernetes/ivia-ibmcloud.yaml +++ b/kubernetes/ivia-ibmcloud.yaml @@ -108,7 +108,7 @@ spec: secretName: postgresql-keys containers: - name: postgresql - image: icr.io/ivia/ivia-postgresql:11.0.0.0 + image: icr.io/ivia/ivia-postgresql:11.0.1.0 livenessProbe: tcpSocket: port: 5432 @@ -180,7 +180,7 @@ spec: emptyDir: {} containers: - name: iviaconfig - image: icr.io/ivia/ivia-config:11.0.0.0 + image: icr.io/ivia/ivia-config:11.0.1.0 volumeMounts: - mountPath: /var/shared name: iviaconfig @@ -261,7 +261,7 @@ spec: emptyDir: {} containers: - name: iviawrprp1 - image: icr.io/.ivia/ivia-wrp:11.0.0.0 + image: icr.io/.ivia/ivia-wrp:11.0.1.0 ports: - containerPort: 9443 volumeMounts: 
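Review bot: The bumped `iviawrprp1` image in kubernetes/ivia-ibmcloud.yaml keeps the registry path `icr.io/.ivia/ivia-wrp:11.0.1.0`; every other image in this commit lives under `icr.io/ivia/`, so the leading dot looks like a pre-existing typo that this deployment will fail to pull, and the line should read `image: icr.io/ivia/ivia-wrp:11.0.1.0`. The `iviaconfig` image in kubernetes/ivia-ibmcloud-pvc.yaml (`icr.io/ivia/verify-access-config:11.0.1.0`) is similarly the only one not named `ivia-config`; whether that repository exists at the new tag is not something the diff shows, so it is worth verifying before relying on that file.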
@@ -342,7 +342,7 @@ spec: emptyDir: {} containers: - name: iviaruntime - image: icr.io/ivia/ivia-runtime:11.0.0.0 + image: icr.io/ivia/ivia-runtime:11.0.1.0 ports: - containerPort: 9443 volumeMounts: @@ -425,7 +425,7 @@ spec: emptyDir: {} containers: - name: iviadsc - image: icr.io/ivia/ivia-dsc:11.0.0.0 + image: icr.io/ivia/ivia-dsc:11.0.1.0 ports: - containerPort: 9443 - containerPort: 9444 diff --git a/kubernetes/ivia-minikube.yaml b/kubernetes/ivia-minikube.yaml index 0d2db7a..6a673ce 100644 --- a/kubernetes/ivia-minikube.yaml +++ b/kubernetes/ivia-minikube.yaml @@ -1,4 +1,4 @@ -#Assumes create-secrets.sh used to create key file, iviaadmin, and cfgsvc secrets +#Assumes create-secrets.sh used to create key file, iviaadmin, and cfgsvc secrets, and the iviaop configmap apiVersion: v1 kind: PersistentVolumeClaim @@ -66,6 +66,7 @@ spec: matchLabels: app: openldap replicas: 1 + revisionHistoryLimit: 2 template: metadata: labels: @@ -149,6 +150,7 @@ spec: matchLabels: app: postgresql replicas: 1 + revisionHistoryLimit: 2 template: metadata: labels: @@ -167,7 +169,7 @@ spec: secretName: postgresql-keys containers: - name: postgresql - image: icr.io/ivia/ivia-postgresql:11.0.0.0 + image: icr.io/ivia/ivia-postgresql:11.0.1.0 livenessProbe: tcpSocket: port: 5432 @@ -224,6 +226,7 @@ spec: matchLabels: app: iviaconfig replicas: 1 + revisionHistoryLimit: 2 template: metadata: labels: @@ -240,7 +243,7 @@ spec: emptyDir: {} containers: - name: iviaconfig - image: icr.io/ivia/ivia-config:11.0.0.0 + image: icr.io/ivia/ivia-config:11.0.1.0 volumeMounts: - mountPath: /var/shared name: iviaconfig @@ -278,8 +281,6 @@ spec: periodSeconds: 10 timeoutSeconds: 2 # command: [ "/sbin/bootstrap.sh" ] - imagePullSecrets: - - name: dockerlogin --- # for external service access, see https://console.bluemix.net/docs/containers/cs_apps.html#cs_apps_public_nodeport apiVersion: v1 
@@ -309,6 +310,7 @@ spec: matchLabels: app: iviawrprp1 replicas: 1 + revisionHistoryLimit: 2 template: metadata: labels: @@ -321,7 +323,7 @@ spec: emptyDir: {} containers: - name: iviawrprp1 - image: icr.io/ivia/ivia-wrp:11.0.0.0 + image: icr.io/ivia/ivia-wrp:11.0.1.0 ports: - containerPort: 9443 volumeMounts: @@ -360,8 +362,6 @@ spec: periodSeconds: 10 timeoutSeconds: 2 failureThreshold: 2 - imagePullSecrets: - - name: dockerlogin --- # for external service access, see https://console.bluemix.net/docs/containers/cs_apps.html#cs_apps_public_nodeport apiVersion: v1 @@ -390,6 +390,7 @@ spec: matchLabels: app: iviaruntime replicas: 1 + revisionHistoryLimit: 2 template: metadata: labels: @@ -402,7 +403,7 @@ spec: emptyDir: {} containers: - name: iviaruntime - image: icr.io/ivia/ivia-runtime:11.0.0.0 + image: icr.io/ivia/ivia-runtime:11.0.1.0 ports: - containerPort: 9443 volumeMounts: @@ -447,8 +448,6 @@ spec: failureThreshold: 30 periodSeconds: 10 timeoutSeconds: 2 - imagePullSecrets: - - name: dockerlogin --- apiVersion: v1 kind: Service @@ -473,6 +472,7 @@ spec: matchLabels: app: iviadsc replicas: 1 + revisionHistoryLimit: 2 template: metadata: labels: @@ -485,7 +485,7 @@ spec: emptyDir: {} containers: - name: iviadsc - image: icr.io/ivia/ivia-dsc:11.0.0.0 + image: icr.io/ivia/ivia-dsc:11.0.1.0 ports: - containerPort: 9443 - containerPort: 9444 @@ -525,8 +525,6 @@ spec: periodSeconds: 10 timeoutSeconds: 2 failureThreshold: 2 - imagePullSecrets: - - name: dockerlogin --- apiVersion: v1 kind: Service @@ -565,10 +563,9 @@ spec: name: iviawrprp1 port: number: 9443 ---- +--- apiVersion: apps/v1 kind: Deployment - metadata: name: iviaop labels: 
@@ -579,32 +576,26 @@ spec: selector: matchLabels: app: iviaop - replicas: 1 - - template: + revisionHistoryLimit: 2 + template: metadata: labels: app: iviaop - spec: volumes: - - name: iviaop-config configMap: name: iviaop-config - containers: - - name: isvaop - + - name: iviaop # The fully qualified name of the IVIAOP image. - image: icr.io/ivia/ivia-oidc-provider:24.12 + image: icr.io/ivia/ivia-oidc-provider:25.06 imagePullPolicy: Always # Mount our volumes to the expected configuration directory volumeMounts: - name: iviaop-config mountPath: /var/isvaop/config - readinessProbe: httpGet: path: /healthcheck/ready @@ -615,7 +606,6 @@ spec: periodSeconds: 30 successThreshold: 1 failureThreshold: 2 - livenessProbe: httpGet: path: /healthcheck/alive @@ -641,3 +631,58 @@ spec: selector: app: iviaop type: NodePort +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: iviadc + labels: + app: iviadc + annotations: + version: "2.0" +spec: + selector: + matchLabels: + app: iviadc + replicas: 1 + revisionHistoryLimit: 2 + template: + metadata: + labels: + app: iviadc + spec: + volumes: + - name: iviadc-config + configMap: + name: iviadc-config + containers: + - name: iviadc + # The fully qualified name of the IVIADC image. + image: icr.io/ivia/ivia-digital-credentials:25.06 + imagePullPolicy: Always + # Mount our volumes to the expected configuration directory + volumeMounts: + - name: iviadc-config + mountPath: /var/config + env: + - name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + - name: YAML_FILE + value: "/var/config/config.yml" + - name: IBM_API_EXPLORER + value: "1" +--- +apiVersion: v1 +kind: Service +metadata: + name: iviadc + labels: + app: iviadc +spec: + ports: + - port: 9720 + name: iviadc + nodePort: 30972 + selector: + app: iviadc + type: NodePort
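Review bot: `replicas: 1` is removed from the iviaop Deployment in this hunk, while every other Deployment in the file keeps it next to the newly added `revisionHistoryLimit: 2` (for example the hunk at `@@ -309,6 +310,7 @@`). Kubernetes defaults replicas to 1, so the rollout is unchanged, but the asymmetry reads as accidental; restoring `replicas: 1` directly above `revisionHistoryLimit: 2` keeps the manifests uniform. The container rename from `isvaop` to `iviaop` is also a change any helper that runs kubectl logs/exec against the container name would need to follow, assuming such scripts exist in the repo.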
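Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: "0"` in the new iviadc container (`@@ -641,3 +631,58 @@`) disables server-certificate verification for every outbound TLS connection the Node process makes, not only the self-signed peer it was presumably added for. If the signer certificate used by the other IVIA containers is available to this deployment, mounting it and pointing `NODE_EXTRA_CA_CERTS` at it, e.g. `- name: NODE_EXTRA_CA_CERTS` / `value: "<path of the mounted signer CA — placeholder>"`, keeps verification on with the same effect. If the insecure setting must stay for this demo environment, a comment directly above it such as `# demo only: disables TLS certificate verification for all outbound connections` stops it being copied into a real deployment unnoticed. `IBM_API_EXPLORER: "1"` exposes an interactive API explorer behind a NodePort and deserves the same demo-only comment.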
