refactor(docker-jans): reusable assets for custom images (#6098)

* refactor(docker-jans-fido2): reusable fido2 assets for custom image * refactor(docker-jans-link): reusable link assets for custom image * refactor(docker-jans-scim): reusable scim assets for custom image * refactor(docker-jans-auth-server): reusable auth assets for custom image * refactor(docker-jans-config-api): reusable config-api assets for custom image * refactor(docker-jans-config-api): change default jetty port * refactor(docker-jans): reusable assets for custom images
JanssenProject · Sep 23, 2023 · 94666e9 · 94666e9
1 parent f8f9591
commit 94666e9
Show file tree

Hide file tree

Showing 104 changed files with 436 additions and 375 deletions.
diff --git a/docker-jans-auth-server/.dockerignore b/docker-jans-auth-server/.dockerignore
@@ -8,3 +8,5 @@
 !scripts
 !LICENSE
 !requirements.txt
+!templates
+!static
diff --git a/docker-jans-auth-server/Dockerfile b/docker-jans-auth-server/Dockerfile
@@ -25,9 +25,6 @@ RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${JETTY_
     && mv /opt/jetty-home-${JETTY_VERSION} ${JETTY_HOME} \
     && rm -rf /tmp/jetty.tar.gz
 
-# Ports required by jetty
-EXPOSE 8080
-
 # ======
 # Jython
 # ======
@@ -58,7 +55,7 @@ ENV CN_BUILD_DATE='2023-09-17 16:04'
 ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war
 
 # Install Jans Auth
-COPY jetty/jetty-env.xml /tmp/WEB-INF/jetty-env.xml
+COPY static/jetty-env.xml /tmp/WEB-INF/jetty-env.xml
 RUN mkdir -p ${JETTY_BASE}/jans-auth/webapps \
     && wget -q ${CN_SOURCE_URL} -O /tmp/jans-auth.war \
     && cd /tmp \
@@ -72,23 +69,20 @@ RUN mkdir -p ${JETTY_BASE}/jans-auth/webapps \
 # Custom libs
 # ===========
 
-RUN mkdir -p /usr/share/java
+RUN mkdir -p /usr/share/java \
+    ${JETTY_BASE}/jans-auth/_libs
 
 ARG TWILIO_VERSION=7.17.0
-RUN wget -q https://repo1.maven.org/maven2/com/twilio/sdk/twilio/${TWILIO_VERSION}/twilio-${TWILIO_VERSION}.jar -P /usr/share/java/
-
 ARG JSMPP_VERSION=2.3.7
-RUN wget -q https://repo1.maven.org/maven2/org/jsmpp/jsmpp/${JSMPP_VERSION}/jsmpp-${JSMPP_VERSION}.jar -P /usr/share/java/
-
-# This will later be refactored and moved to be pulled from persitence or a central bucket
 ARG CASA_CONFIG_VERSION=5.0.0-SNAPSHOT
 ARG CASA_CONFIG_BUILD_DATE="2023-02-13 11:44"
-RUN wget -q https://jenkins.gluu.org/maven/org/gluu/casa-config/${CASA_CONFIG_VERSION}/casa-config-${CASA_CONFIG_VERSION}.jar -P /usr/share/java/
-
-# A workaround for Fido2 integration
 ARG FIDO2_CLIENT_VERSION=1.0.18-SNAPSHOT
 ARG FIDO2_CLIENT_BUILD_DATE="2023-01-31 15:04"
-RUN wget -q https://jenkins.jans.io/maven/io/jans/jans-fido2-client/${FIDO2_CLIENT_VERSION}/jans-fido2-client-${FIDO2_CLIENT_VERSION}.jar -P /usr/share/java/
+
+RUN wget -q https://repo1.maven.org/maven2/com/twilio/sdk/twilio/${TWILIO_VERSION}/twilio-${TWILIO_VERSION}.jar -P ${JETTY_BASE}/jans-auth/_libs/ \
+    && wget -q https://repo1.maven.org/maven2/org/jsmpp/jsmpp/${JSMPP_VERSION}/jsmpp-${JSMPP_VERSION}.jar -P ${JETTY_BASE}/jans-auth/_libs/ \
+    && wget -q https://jenkins.gluu.org/maven/org/gluu/casa-config/${CASA_CONFIG_VERSION}/casa-config-${CASA_CONFIG_VERSION}.jar -P ${JETTY_BASE}/jans-auth/_libs \
+    && wget -q https://jenkins.jans.io/maven/io/jans/jans-fido2-client/${FIDO2_CLIENT_VERSION}/jans-fido2-client-${FIDO2_CLIENT_VERSION}.jar -P ${JETTY_BASE}/jans-auth/_libs
 
 # =====================
 # Casa external scripts
@@ -115,7 +109,10 @@ RUN mkdir -p ${JETTY_BASE}/jans-auth/agama/fl \
     ${JETTY_BASE}/jans-auth/agama/ftl \
     ${JETTY_BASE}/jans-auth/agama/scripts
 
-# janssenproject/jans SHA commit
+# =====================
+# jans-linux-setup sync
+# =====================
+
 ENV JANS_SOURCE_VERSION=0f3cf5d6c679f02b5a385b72003de2669f2bfb66
 
 # note that as we're pulling from a monorepo (with multiple project in it)
@@ -128,8 +125,7 @@ RUN git clone --filter blob:none --no-checkout https://github.com/janssenproject
     && git sparse-checkout add jans-linux-setup/jans_setup/static/auth/conf
 
 RUN cp -R /tmp/jans/agama/misc/* ${JETTY_BASE}/jans-auth/agama/ \
-    && cp -R /tmp/jans/jans-linux-setup/jans_setup/static/auth/conf /etc/certs \
-    && rm -rf /tmp/jans
+    && cp -R /tmp/jans/jans-linux-setup/jans_setup/static/auth/conf /etc/certs
 
 # ======
 # Python
@@ -138,21 +134,21 @@ RUN cp -R /tmp/jans/agama/misc/* ${JETTY_BASE}/jans-auth/agama/ \
 COPY requirements.txt /app/requirements.txt
 RUN python3 -m ensurepip \
     && pip3 install --no-cache-dir -U pip wheel setuptools \
-    && pip3 install --no-cache-dir --default-timeout=300 -r /app/requirements.txt \
+    && pip3 install --no-cache-dir -r /app/requirements.txt \
     && pip3 uninstall -y pip wheel
 
 # ==========
 # Prometheus
 # ==========
 
-COPY conf/prometheus-config.yaml /opt/prometheus/
+COPY static/prometheus-config.yaml /opt/prometheus/
 
 # =======
 # Cleanup
 # =======
 
 RUN apk del .build-deps \
-    && rm -rf /var/cache/apk/*
+    && rm -rf /var/cache/apk/* /tmp/jans
 
 # =======
 # License
@@ -232,24 +228,31 @@ ENV CN_MAX_RAM_PERCENTAGE=75.0 \
     CN_JACKRABBIT_URL=http://localhost:8080 \
     CN_JACKRABBIT_ADMIN_ID=admin \
     CN_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/jans/conf/jackrabbit_admin_password \
-    CN_JAVA_OPTIONS="" \
+    CN_AUTH_JAVA_OPTIONS="" \
     CN_SYNC_JKS_ENABLED=false \
     CN_SYNC_JKS_INTERVAL=30 \
     GOOGLE_PROJECT_ID="" \
+    CN_GOOGLE_SECRET_MANAGER_PASSPHRASE=secret \
     CN_GOOGLE_SECRET_VERSION_ID=latest \
     CN_GOOGLE_SECRET_NAME_PREFIX=jans \
-    CN_GOOGLE_SECRET_MANAGER_PASSPHRASE=secret \
-    ADMIN_UI_JWKS=http://0.0.0.0:8080/jans-auth/restv1/jwks \
     CN_JETTY_REQUEST_HEADER_SIZE=8192 \
     CN_PROMETHEUS_PORT="" \
     CN_AWS_SECRETS_ENDPOINT_URL="" \
     CN_AWS_SECRETS_PREFIX=jans \
-    CN_AWS_SECRETS_REPLICA_FILE=""
+    CN_AWS_SECRETS_REPLICA_FILE="" \
+    CN_AUTH_JETTY_PORT=8080 \
+    CN_AUTH_JETTY_HOST=0.0.0.0 \
+    CN_SHARE_AUTH_CONF=true
+
+# @TODO: revisit the usage (if any)
+ENV ADMIN_UI_JWKS=http://${CN_AUTH_JETTY_HOST}:${CN_AUTH_JETTY_PORT}/jans-auth/restv1/jwks
 
 # ==========
 # misc stuff
 # ==========
 
+EXPOSE $CN_AUTH_JETTY_PORT
+
 LABEL org.opencontainers.image.url="ghcr.io/janssenproject/jans/auth-server" \
     org.opencontainers.image.authors="Janssen Project <support@jans.io>" \
     org.opencontainers.image.vendor="Janssen Project" \
@@ -264,14 +267,15 @@ RUN mkdir -p ${JETTY_BASE}/jans-auth/custom/pages \
     ${JETTY_BASE}/jans-auth/logs \
     ${JETTY_BASE}/common/libs/spanner \
     ${JETTY_BASE}/common/libs/couchbase \
+    ${JETTY_HOME}/temp \
     /etc/jans/conf \
     /app/templates \
     /etc/certs
 
-COPY jetty/jans-auth_web_resources.xml ${JETTY_BASE}/jans-auth/webapps/
-COPY jetty/agama_web_resources.xml ${JETTY_BASE}/jans-auth/webapps/
-COPY jetty/log4j2.xml /app/templates
-COPY conf/*.tmpl /app/templates/
+COPY templates /app/templates/
+RUN cp /app/templates/jans-auth/jans-auth.xml ${JETTY_BASE}/jans-auth/webapps/ \
+    && cp /app/templates/jans-auth/jans-auth_web_resources.xml ${JETTY_BASE}/jans-auth/webapps/ \
+    && cp /app/templates/jans-auth/agama_web_resources.xml ${JETTY_BASE}/jans-auth/webapps/
 COPY scripts /app/scripts
 RUN chmod +x /app/scripts/entrypoint.sh
 
@@ -282,8 +286,6 @@ RUN ln -sf /usr/lib/jvm/jdk /opt/java
 # create non-root user
 RUN adduser -s /bin/sh -h /home/1000 -D -G root -u 1000 jetty
 
-COPY --chown=1000:0 jetty/jans-auth.xml ${JETTY_BASE}/jans-auth/webapps/
-
 # adjust ownership and permission
 RUN chmod -R g=u ${JETTY_BASE}/jans-auth/custom \
     && chmod 664 ${JETTY_BASE}/jans-auth/resources/log4j2.xml \
@@ -296,7 +298,10 @@ RUN chmod -R g=u ${JETTY_BASE}/jans-auth/custom \
     && chown -R 1000:0 /opt/jans/python/libs \
     && chown -R 1000:0 ${JETTY_BASE}/common/libs \
     && chown -R 1000:0 /usr/share/java \
-    && chown -R 1000:0 /opt/prometheus
+    && chown -R 1000:0 /opt/prometheus \
+    && chown 1000:0 ${JETTY_BASE}/jans-auth/webapps/jans-auth.xml \
+    && chown -R 1000:0 ${JETTY_HOME}/temp \
+    && chown -R 1000:0 ${JETTY_BASE}/jans-auth/_libs
 
 USER 1000
 

diff --git a/docker-jans-auth-server/README.md b/docker-jans-auth-server/README.md
@@ -63,7 +63,7 @@ The following environment variables are supported by the container:
 - `CN_COUCHBASE_TRUSTSTORE_ENABLE`: Enable truststore for encrypted Couchbase connection (default to `true`).
 - `CN_COUCHBASE_KEEPALIVE_INTERVAL`: Keep-alive interval for Couchbase connection (default to `30000` milliseconds).
 - `CN_COUCHBASE_KEEPALIVE_TIMEOUT`: Keep-alive timeout for Couchbase connection (default to `2500` milliseconds).
-- `CN_JAVA_OPTIONS`: Java options passed to entrypoint, i.e. `-Xmx1024m` (default to empty-string).
+- `CN_AUTH_JAVA_OPTIONS`: Java options passed to entrypoint, i.e. `-Xmx1024m` (default to empty-string).
 - `CN_DOCUMENT_STORE_TYPE`: Document store type (one of `LOCAL` or `JCA`; default to `LOCAL`).
 - `CN_JACKRABBIT_URL`: URL to remote repository (default to `http://localhost:8080`).
 - `CN_JACKRABBIT_SYNC_INTERVAL`: Interval between files sync (default to `300` seconds).

diff --git a/docker-jans-auth-server/scripts/auth_conf.py b/docker-jans-auth-server/scripts/auth_conf.py
@@ -1,13 +1,15 @@
+import logging.config
+import os
 from hashlib import sha256
 from pathlib import Path
 
 from jans.pycloudlib import get_manager
+from jans.pycloudlib.utils import as_boolean
 
-import logging.config
 from settings import LOGGING_CONFIG
 
 logging.config.dictConfig(LOGGING_CONFIG)
-logger = logging.getLogger("entrypoint")
+logger = logging.getLogger("auth")
 
 
 manager = get_manager()
@@ -37,4 +39,5 @@ def digest_equals(val1: str, val2: str) -> bool:
 
 
 if __name__ == "__main__":
-    push_auth_conf()
+    if as_boolean(os.environ.get("CN_SHARE_AUTH_CONF", "false")):
+        push_auth_conf()
diff --git a/docker-jans-auth-server/scripts/bootstrap.py b/docker-jans-auth-server/scripts/bootstrap.py
@@ -1,6 +1,6 @@
 import json
+import logging.config
 import os
-import re
 from string import Template
 
 from jans.pycloudlib import get_manager
@@ -17,21 +17,20 @@
 from jans.pycloudlib.utils import cert_to_truststore
 from jans.pycloudlib.utils import as_boolean
 
-import logging.config
 from settings import LOGGING_CONFIG
 from hooks import get_auth_keys_hook
 
 logging.config.dictConfig(LOGGING_CONFIG)
-logger = logging.getLogger("entrypoint")
+logger = logging.getLogger("auth")
 
 manager = get_manager()
 
 
 def main():
     persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
 
-    render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt")
-    render_base_properties("/app/templates/jans.properties.tmpl", "/etc/jans/conf/jans.properties")
+    render_salt(manager, "/app/templates/salt", "/etc/jans/conf/salt")
+    render_base_properties("/app/templates/jans.properties", "/etc/jans/conf/jans.properties")
 
     mapper = PersistenceMapper()
     persistence_groups = mapper.groups().keys()
@@ -44,15 +43,15 @@ def main():
     if "ldap" in persistence_groups:
         render_ldap_properties(
             manager,
-            "/app/templates/jans-ldap.properties.tmpl",
+            "/app/templates/jans-ldap.properties",
             "/etc/jans/conf/jans-ldap.properties",
         )
         sync_ldap_truststore(manager)
 
     if "couchbase" in persistence_groups:
         render_couchbase_properties(
             manager,
-            "/app/templates/jans-couchbase.properties.tmpl",
+            "/app/templates/jans-couchbase.properties",
             "/etc/jans/conf/jans-couchbase.properties",
         )
         # need to resolve whether we're using default or user-defined couchbase cert
@@ -63,14 +62,14 @@ def main():
 
         render_sql_properties(
             manager,
-            f"/app/templates/jans-{db_dialect}.properties.tmpl",
+            f"/app/templates/jans-{db_dialect}.properties",
             "/etc/jans/conf/jans-sql.properties",
         )
 
     if "spanner" in persistence_groups:
         render_spanner_properties(
             manager,
-            "/app/templates/jans-spanner.properties.tmpl",
+            "/app/templates/jans-spanner.properties",
             "/etc/jans/conf/jans-spanner.properties",
         )
 
@@ -172,7 +171,7 @@ def configure_logging():
     ]):
         config["log_prefix"] = "${sys:auth.log.console.prefix}%X{auth.log.console.group} - "
 
-    with open("/app/templates/log4j2.xml") as f:
+    with open("/app/templates/jans-auth/log4j2.xml") as f:
         txt = f.read()
 
     logfile = "/opt/jans/jetty/jans-auth/resources/log4j2.xml"

diff --git a/docker-jans-auth-server/scripts/entrypoint.sh b/docker-jans-auth-server/scripts/entrypoint.sh
@@ -1,9 +1,9 @@
 #!/bin/sh
+
 set -e
 
-# =========
-# FUNCTIONS
-# =========
+# get script directory
+basedir=$(dirname "$(readlink -f -- "$0")")
 
 get_debug_opt() {
     debug_opt=""
@@ -16,8 +16,8 @@ get_debug_opt() {
 }
 
 move_builtin_jars() {
-    #twilio, jsmpp, casa-config, jans-fido2-client
-    for src in /usr/share/java/*.jar; do
+    # twilio, jsmpp, casa-config, jans-fido2-client
+    for src in /opt/jans/jetty/jans-auth/_libs/*.jar; do
         fname=$(basename "$src")
         cp "$src" "/opt/jans/jetty/jans-auth/custom/libs/$fname"
     done
@@ -44,35 +44,48 @@ get_prometheus_lib() {
     fi
 }
 
-# ==========
-# ENTRYPOINT
-# ==========
+get_java_options() {
+    if [ -n "${CN_AUTH_JAVA_OPTIONS}" ]; then
+        echo " ${CN_AUTH_JAVA_OPTIONS} "
+    else
+        # backward-compat
+        echo " ${CN_JAVA_OPTIONS} "
+    fi
+}
+
+get_max_ram_percentage() {
+    if [ -n "${CN_MAX_RAM_PERCENTAGE}" ]; then
+        echo " -XX:MaxRAMPercentage=$CN_MAX_RAM_PERCENTAGE "
+    fi
+}
 
 move_builtin_jars
 get_prometheus_lib
-python3 /app/scripts/wait.py
-python3 /app/scripts/bootstrap.py
-python3 /app/scripts/jks_sync.py &
-python3 /app/scripts/mod_context.py jans-auth
-python3 /app/scripts/auth_conf.py
+python3 "$basedir/wait.py"
+python3 "$basedir/bootstrap.py"
+python3 "$basedir/jks_sync.py" &
+python3 "$basedir/mod_context.py" jans-auth
+python3 "$basedir/auth_conf.py"
 
-# run auth-server
 cd /opt/jans/jetty/jans-auth
+# shellcheck disable=SC2046
 exec java \
     -server \
     -XX:+DisableExplicitGC \
     -XX:+UseContainerSupport \
-    -XX:MaxRAMPercentage=$CN_MAX_RAM_PERCENTAGE \
     -Djans.base=/etc/jans \
     -Dserver.base=/opt/jans/jetty/jans-auth \
     -Dlog.base=/opt/jans/jetty/jans-auth \
-    -Dpython.home=/opt/jython \
-    -Djava.io.tmpdir=/tmp \
+    -Djava.io.tmpdir=/opt/jetty/temp \
     -Dlog4j2.configurationFile=resources/log4j2.xml \
+    -Dpython.home=/opt/jython \
     $(get_debug_opt) \
+    $(get_max_ram_percentage) \
     $(get_prometheus_opt) \
-    ${CN_JAVA_OPTIONS} \
+    $(get_java_options) \
     -jar /opt/jetty/start.jar \
+        jetty.http.host="${CN_AUTH_JETTY_HOST}" \
+        jetty.http.port="${CN_AUTH_JETTY_PORT}" \
         jetty.deploy.scanInterval=0 \
         jetty.httpConfig.sendServerVersion=false \
         jetty.httpConfig.requestHeaderSize=$CN_JETTY_REQUEST_HEADER_SIZE
diff --git a/docker-jans-auth-server/scripts/healthcheck.py b/docker-jans-auth-server/scripts/healthcheck.py
@@ -1,10 +1,13 @@
+import os
 import sys
 
 import requests
 
 
 def main():
-    req = requests.get("http://0.0.0.0:8080/jans-auth/sys/health-check")
+    host = os.environ.get("CN_AUTH_JETTY_HOST", "0.0.0.0")  # nosec: B104
+    port = os.environ.get("CN_AUTH_JETTY_PORT", "8080")
+    req = requests.get(f"http://{host}:{port}/jans-auth/sys/health-check", timeout=5)
     if not req.ok:
         sys.exit(1)