Build shibboleth-idp for testing purposes #91216
Conversation
|
slightly more readable diff: compare.pdf |
jakelandis
added
v7.17.8
:Security/Security
|
to test manually : |
|
Pinging @elastic/es-security (Team:Security) |
| - ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf | ||
| - ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials | ||
| - ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata | ||
| - ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini |
There was a problem hiding this comment.
these are now copied via the Dockerfile
| depends_on: | ||
| - openldap | ||
| environment: | ||
| - JETTY_MAX_HEAP=64m | ||
| - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret | ||
| - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret |
There was a problem hiding this comment.
this is now baked into the image
|
|
||
| [files] | ||
| # keystore originally sourced from https://github.com/eclipse/jetty.project/raw/jetty-9.3.x/jetty-server/src/main/config/etc/keystore | ||
| /opt/shib-jetty-base/etc/keystore |
There was a problem hiding this comment.
this is the only change in this file.
|
test failure : https://gradle-enterprise.elastic.co/s/donalxonp3lge might be related or could be a latent issue... looking now. |
This is only an issue for a brand new image build. i.e. if the image is already built then there are no issue. Further up in the log "Gateway cannot be read from container inspection - trying to read from network inspection" is unique for this container. When run in debug mode you can see an empty port mapping after a bit googling... I think this might be due to the docker plugin trying reading the build container, not the final container, so I added a "restart: always" which fixes the issue but now there is another issue. The other issue I believe is that the port from Fixed on |
| from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml', | ||
| 'idp/shibboleth-idp/credentials/sp-signing.key', 'idp/shibboleth-idp/credentials/sp-signing.crt'); | ||
| into outputDir | ||
| outputs.upToDateWhen { false } //ensure this copy is always done to prevent stale configuration |
There was a problem hiding this comment.
This is kinda hacky ... I think I can fix this, but would prefer to do so on a different PR.
There was a problem hiding this comment.
I saw the comments in slack. I dont' think this is necessary. A sync task will also do a delete, followed by a copy so in what scenario would there be stale content here?
There was a problem hiding this comment.
I think what is happening is
First run: this task not upto date, copies the files, next task creates new file (with the same name) in the output directory
Second run: this task reports up to date , even with sync because I think guess that the Sync task is only tracking the files it touches and did not touch the file was replaced by the other task (it has same name but it is a different file/inode), since it is up to date it does nothing and the elder file is still there and is used.
I didn't spent too much time with this, so I could be wrong. It is pretty to reproduce by echoing out the contents of $outputDir/idp-metadata.xml in a doFirst of the setupPorts task.
There was a problem hiding this comment.
Yeah, that's quite odd. If one of the output files is modified it should trigger the task to be out-of-date, in which case, it would be the same behavior as just being never up to date as we have here. Kinda gross but yeah, I have plans to ditch all this build logic around test fixtures. It's positively awful.
💔 Backport failed
You can use sqren/backport to manually backport by running |
We currently use unicon/shibboleth-idp:3.4.2 to help test our SAML integration.
That container is no longer actively supported and does not support
ARM architectures.
This commit is a partial clone from Unicon/shibboleth-idp-dockerized 3.4.3.
Changes from upstream include:
Use openjdk:11.0.16-jre as the base image for support for ARM architectures
Handle missing keystore download from Jetty
Fix URL paths for artifacts to download
Changes to this repository include:
Copied required Jetty configuration files from upstream project
Updates to docker compose
Placed the missing keystore Jetty downloads in a separate location (jetty-custom)
The final result is a bit messy. Mixing cloned files with custom files and mixing
Jetty and IDP concerns. However, it is not much messier than prior and now
that we control building the image we can more easily upgrade shibboleth IDP
The upgrade to the latest version is fairly involved and as such we will need to
deviate more from the clone which should allow some additional clean up.
part of: elastic#71378
related: elastic#91144
supersedes: elastic#89674
We currently use unicon/shibboleth-idp:3.4.2 to help test our SAML integration.
That container is no longer actively supported and does not support
ARM architectures.
This commit is a partial clone from Unicon/shibboleth-idp-dockerized 3.4.3.
Changes from upstream include:
Use openjdk:11.0.16-jre as the base image for support for ARM architectures
Handle missing keystore download from Jetty
Fix URL paths for artifacts to download
Changes to this repository include:
Copied required Jetty configuration files from upstream project
Updates to docker compose
Placed the missing keystore Jetty downloads in a separate location (jetty-custom)
The final result is a bit messy. Mixing cloned files with custom files and mixing
Jetty and IDP concerns. However, it is not much messier than prior and now
that we control building the image we can more easily upgrade shibboleth IDP
The upgrade to the latest version is fairly involved and as such we will need to
deviate more from the clone which should allow some additional clean up.
part of: #71378
related: #91144
supersedes: #89674
We currently use
unicon/shibboleth-idp:3.4.2to help test our SAML integration.That container is no longer actively supported and does not support
ARM architectures.
This commit is a partial clone from https://github.com/Unicon/shibboleth-idp-dockerized 3.4.3.
Changes from upstream include:
openjdk:11.0.16-jreas the base image for support for ARM architecturesChanges to this repository include:
The final result is a bit messy. Mixing cloned files with custom files and mixing
Jetty and IDP concerns. However, it is not much messier than prior and now
that we control building the image we can more easily upgrade shibboleth IDP
The upgrade to the latest version is fairly involved and as such we will need to
deviate more from the clone which should allow some additional clean up.
part of: #71378
related: #91144
supersedes: #89674
===
Below is a comparison report from this PR to the upstream Dockerfile.
compare.pdf
All files except build.gradle, docker-compose.yml, and Dockerfile are copy/pasted.