flywithu/kopano-docker
1
0
Fork 0
mirror of https://github.com/zokradonh/kopano-docker synced 2025-06-07 16:06:14 +00:00
Code Issues Releases Wiki Activity

Add support for meet guest mode and make meet configurable through env (#105)

Browse Source 
* get settings for meet from env
* prepare ssl container for device registration for konnect/kwmserver
* move device registry modification to konnect container
* enable WebApp in the app switcher
* upstream docker container has been updated to alpine 3.9
* update konnect
* add further config for guest mode
* replace the check for the file with a check for konnect startup
* fix kwmserver wrapper
* add possibility to change logging in kwmserver
This commit is contained in:
Felix Bartels 2019-03-18 15:22:32 +01:00 committed by GitHub
parent 4e367badc5
commit 140506df7d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 142 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
docker-compose.yml
View File

@ -427,8 +427,11 @@ services:
volumes: volumes:
- kopanossl/:/kopano/ssl - kopanossl/:/kopano/ssl
- kopanosocket/:/run/kopano - kopanosocket/:/run/kopano
depends_on:
- kopano_ssl
environment: environment:
- FQDN=${FQDN} - FQDN=${FQDN}
- allow_client_guests=yes
env_file: env_file:
- kopano_konnect.env - kopano_konnect.env
networks: networks:
@ -438,6 +441,9 @@ services:
kopano_playground: kopano_playground:
image: ${docker_repo:-zokradonh}/kopano_playground image: ${docker_repo:-zokradonh}/kopano_playground
container_name: kopano_playground container_name: kopano_playground
depends_on:
- kopano_kapi
- kopano_konnect
networks: networks:
- kopano-net - kopano-net
- web-net - web-net
@ -446,9 +452,14 @@ services:
image: ${docker_repo:-zokradonh}/kopano_kwmserver:${KWM_VERSION:-latest} image: ${docker_repo:-zokradonh}/kopano_kwmserver:${KWM_VERSION:-latest}
container_name: kopano_kwmserver container_name: kopano_kwmserver
command: wrapper.sh command: wrapper.sh
depends_on:
- kopano_kapi
- kopano_konnect
environment: environment:
- INSECURE=${INSECURE} - INSECURE=${INSECURE}
- oidc_issuer_identifier=https://${FQDN} - oidc_issuer_identifier=https://${FQDN}
- enable_guest_api=yes
- public_guest_access_regexp=^group/public/.*
env_file: env_file:
- kopano_kwmserver.env - kopano_kwmserver.env
volumes: volumes:
@ -462,6 +473,8 @@ services:
environment: environment:
- SERVICE_TO_START=meet - SERVICE_TO_START=meet
- KCCONF_KWEBD_TLS=no - KCCONF_KWEBD_TLS=no
- KCCONF_MEET_guests_enabled=true
- KCCONF_MEET_disableFullGAB=false
env_file: env_file:
- kopano_meet.env - kopano_meet.env
depends_on: depends_on:

11
konnect/Dockerfile
View File

@ -1,16 +1,19 @@
ARG CODE_VERSION=0.19.1 ARG CODE_VERSION=0.20.0
FROM kopano/konnectd:${CODE_VERSION} FROM kopano/konnectd:${CODE_VERSION}
ARG CODE_VERSION ARG CODE_VERSION
ENV CODE_VERSION="${CODE_VERSION}" ENV CODE_VERSION="${CODE_VERSION}"
RUN apk add --no-cache \ RUN apk add --no-cache \
openssl jq \
moreutils \
openssl \
py-pip \
&& pip install yq==2.7.2
ENV DOCKERIZE_VERSION v0.6.1 ENV DOCKERIZE_VERSION v0.6.1
RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
&& tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
&& rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
RUN mkdir -p /etc/kopano/ COPY --chown=nobody:nogroup konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/
COPY konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/
COPY wrapper.sh /usr/local/bin COPY wrapper.sh /usr/local/bin

23
konnect/wrapper.sh
View File

@ -2,6 +2,25 @@
set -e set -e
dockerize \
-wait file:///kopano/ssl/meet-kwmserver.pem \
-timeout 360s
cd /kopano/ssl/
konnectd utils jwk-from-pem --use sig /kopano/ssl/meet-kwmserver.pem > /tmp/jwk-meet.json
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
yq -y ".clients |= [{\"id\": \"kpop-https://$FQDN/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://$FQDN/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge /kopano/ssl/konnectd-identifier-registration.yaml
# shellcheck disable=SC2154
if [ -n "$log_level" ]; then
set -- "$@" --log-level="$log_level"
fi
# shellcheck disable=SC2154
if [ "$allow_client_guests" = "yes" ]; then
set -- "$@" "--allow-client-guests"
fi
dockerize \ dockerize \
-wait file:///kopano/ssl/konnectd-tokens-signing-key.pem \ -wait file:///kopano/ssl/konnectd-tokens-signing-key.pem \
-wait file:///kopano/ssl/konnectd-encryption.key \ -wait file:///kopano/ssl/konnectd-encryption.key \
@ -10,6 +29,6 @@ dockerize \
--signing-private-key=/kopano/ssl/konnectd-tokens-signing-key.pem \ --signing-private-key=/kopano/ssl/konnectd-tokens-signing-key.pem \
--encryption-secret=/kopano/ssl/konnectd-encryption.key \ --encryption-secret=/kopano/ssl/konnectd-encryption.key \
--iss=https://"$FQDN" \ --iss=https://"$FQDN" \
--identifier-registration-conf /etc/kopano/konnectd-identifier-registration.yaml \ --identifier-registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \
--identifier-scopes-conf /etc/kopano/konnectd-identifier-scopes.yaml \ --identifier-scopes-conf /etc/kopano/konnectd-identifier-scopes.yaml \
kc "$@" kc

9
kwmserver/Dockerfile
View File

@ -3,4 +3,13 @@ FROM kopano/kwmserverd:${CODE_VERSION}
ARG CODE_VERSION ARG CODE_VERSION
ENV CODE_VERSION="${CODE_VERSION}" ENV CODE_VERSION="${CODE_VERSION}"
USER root
ENV DOCKERIZE_VERSION v0.6.1
RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
&& tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
&& rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
COPY wrapper.sh /usr/local/bin COPY wrapper.sh /usr/local/bin
USER nobody

60
kwmserver/wrapper.sh
View File

@ -2,14 +2,72 @@
set -e set -e
# shellcheck disable=SC2154
if [ -n "$log_level" ]; then
set -- "$@" --log-level="$log_level"
fi
# shellcheck disable=SC2154 # shellcheck disable=SC2154
if [ -n "$oidc_issuer_identifier" ]; then if [ -n "$oidc_issuer_identifier" ]; then
set -- "$@" --iss="$oidc_issuer_identifier" set -- "$@" --iss="$oidc_issuer_identifier"
fi fi
# shellcheck disable=SC2154
if [ "$enable_guest_api" = "yes" ]; then
set -- "$@" --enable-guest-api
fi
if [ "$INSECURE" = "yes" ]; then if [ "$INSECURE" = "yes" ]; then
set -- "$@" --insecure set -- "$@" --insecure
fi fi
exec /usr/local/bin/docker-entrypoint.sh serve "$@" # kwmserver turn
# shellcheck disable=SC2154
if [ -z "$turn_service_url" ]; then
turn_service_url=https://turnauth.kopano.com/turnserverauth/
fi
if [ -n "$turn_service_url" ]; then
set -- "$@" --turn-service-url="$turn_service_url"
fi
# shellcheck disable=SC2154
if [ -n "$turn_service_credentials" ]; then
set -- "$@" --turn-service-credentials="$$turn_service_credentials"
fi
# shellcheck disable=SC2154
if [ -n "$turn_server_shared_secret" ]; then
set -- "$@" --turn-server-shared-secret="$turn_server_shared_secret"
fi
# shellcheck disable=SC2154
if [ -n "$turn_uris" ]; then
for uri in $turn_uris; do
set -- "$@" --turn-uri="$uri"
done
fi
# kwmserver guest
# shellcheck disable=SC2154
if [ "$allow_guest_only_channels" = "yes" ]; then
set -- "$@" --allow-guest-only-channels
fi
# shellcheck disable=SC2154
if [ -n "$public_guest_access_regexp" ]; then
set -- "$@" --public-guest-access-regexp="$public_guest_access_regexp"
fi
# shellcheck disable=SC2034
export registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
# originally I wanted to wait for $registration_conf, but I needed to precreate the file
# so the konnect container (since the startup is running as nobody) can write to it.
exec dockerize \
-wait http://kopano_konnect:8777/.well-known/openid-configuration \
-timeout 360s \
/usr/local/bin/docker-entrypoint.sh serve \
--registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \
"$@"

14
meet/start-service.sh
View File

@ -18,7 +18,18 @@ if [ $# -gt 0 ]; then
exit exit
fi fi
# TODO use jq to modify /usr/share/kopano-kweb/www/config/kopano/meet.json CONFIG_JSON="/usr/share/kopano-kweb/www/config/kopano/meet.json"
echo "Updating $CONFIG_JSON"
for setting in $(compgen -A variable KCCONF_MEET); do
setting2=${setting#KCCONF_MEET_}
# dots in setting2 need to be escaped to not be handled as separate entities in the json file
jq ".\"${setting2//_/\".\"}\" = \"${!setting}\"" $CONFIG_JSON | sponge $CONFIG_JSON
done
# enable Kopano WebApp in the app switcher
jq '.apps += {"enabled": ["kopano-webapp"]}' $CONFIG_JSON | sponge $CONFIG_JSON
#cat $CONFIG_JSON
sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg
# shellcheck disable=SC2046 # shellcheck disable=SC2046
@ -26,4 +37,3 @@ export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n')
# cleaning up env variables # cleaning up env variables
unset "${!KCCONF_@}" unset "${!KCCONF_@}"
exec kopano-kwebd serve exec kopano-kwebd serve

21
ssl/start.sh
View File

@ -53,6 +53,27 @@ if [ ! -f $secretkey ]; then
mv $secretkey.tmp $secretkey mv $secretkey.tmp $secretkey
fi fi
# Meet guest mode
ecparam="/kopano/ssl/ecparam.pem"
if [ ! -f $ecparam ]; then
echo "Creating ec param key for Meet..."
openssl ecparam -name prime256v1 -genkey -noout -out $ecparam.tmp >/dev/null 2>&1
mv $ecparam.tmp $ecparam
fi
# create registration.yml so that konnect can write to it
touch /kopano/ssl/konnectd-identifier-registration.yaml
# chown to the numerical representation of nobody/nogroup
chown 65534:65534 /kopano/ssl/konnectd-identifier-registration.yaml
eckey="/kopano/ssl/meet-kwmserver.pem"
if [ ! -f $eckey ]; then
echo "Creating ec key for Meet..."
openssl ec -in $ecparam -out $eckey.tmp >/dev/null 2>&1
chown 65534:65534 $eckey.tmp
mv $eckey.tmp $eckey
fi
echo "SSL certs:" echo "SSL certs:"
ls -l /kopano/ssl/*.* ls -l /kopano/ssl/*.*