mirror of
https://github.com/zokradonh/kopano-docker
synced 2025-10-31 10:27:14 +00:00
Further tweaks for univention app (#264)
* add option to change base path * fix env name * add kweb configuration for using konnect in a subpath * make webapp display configurable * more explicit startup messages * add ability to use an external oidc provider * install the grapi ldap backend in the image when building with a recent enough kopano version * add the ability to run test in the konnect container * the startup script gets more and more complicated, there should be a way to test it * test some values and add test helper * do not simply cat the registration, but call with yq * update kweb and konnect
This commit is contained in:
Felix Bartels
GitHub
parent
d13a82aed1
commit
52d6b18322
1
Makefile
1
Makefile
@ -412,6 +412,7 @@ test-commander: ## Test scripts with commander
|
||||
COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=core/commander/grapi dccommander run kopano_grapi
|
||||
COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=webapp dccommander run kopano_webapp
|
||||
COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=zpush dccommander run kopano_zpush
|
||||
COMMANDER_OPTS="--concurrent 1 --verbose" COMMANDER_FILES_PATH=konnect dccommander run kopano_konnect
|
||||
COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=scheduler dccommander run kopano_scheduler
|
||||
# this test will fail if you are not on a whitelisted ip
|
||||
commander test tests/commander-supported.yaml || true
|
||||
|
||||
@ -54,6 +54,11 @@ RUN \
|
||||
kopano-grapi kopano-kapid \
|
||||
${ADDITIONAL_KOPANO_PACKAGES} \
|
||||
&& \
|
||||
coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) && \
|
||||
if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then \
|
||||
apt-get install --no-install-recommends -y \
|
||||
python3-grapi.backend.ldap; \
|
||||
fi; \
|
||||
set +x && \
|
||||
rm -rf /var/cache/apt /var/lib/apt/lists && \
|
||||
touch /etc/kopano/admin.cfg && \
|
||||
|
||||
@ -154,6 +154,7 @@ services:
|
||||
- KCCONF_MEET_disableFullGAB=false
|
||||
- KCCONF_MEET_guests_enabled=true
|
||||
- KCCONF_MEET_useIdentifiedUser=true
|
||||
- KCCONF_MEET_GRID_WEBAPP=no
|
||||
depends_on:
|
||||
- kopano_kapi
|
||||
- kopano_konnect
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
ARG CODE_VERSION=0.25.3
|
||||
ARG CODE_VERSION=0.26.0
|
||||
FROM kopano/konnectd:${CODE_VERSION}
|
||||
|
||||
ARG VCS_REF
|
||||
|
||||
43
konnect/commander.yaml
Normal file
43
konnect/commander.yaml
Normal file
@ -0,0 +1,43 @@
|
||||
tests:
|
||||
normal startup:
|
||||
command: /commander/test-helper.sh && wrapper.sh
|
||||
exit-code: 0
|
||||
stdout:
|
||||
contains:
|
||||
- "Entrypoint: Allowing guest login"
|
||||
- "--allow-client-guests"
|
||||
- "Entrypoint: Allowing dynamic client registration"
|
||||
- "--allow-dynamic-client-registration"
|
||||
guests disabled:
|
||||
command: /commander/test-helper.sh && wrapper.sh && yq . $identifier_registration_conf
|
||||
stdout:
|
||||
not-contains:
|
||||
- "--allow-client-guests"
|
||||
- "kpop-https://$FQDN/meet/"
|
||||
config:
|
||||
env:
|
||||
allow_client_guests: no
|
||||
external oidc provider:
|
||||
command: /commander/test-helper.sh && wrapper.sh && yq . $identifier_registration_conf
|
||||
stdout:
|
||||
contains:
|
||||
- '"authorities": ['
|
||||
config:
|
||||
env:
|
||||
external_oidc_provider: yes
|
||||
config:
|
||||
env:
|
||||
PATH: ${PATH}
|
||||
eckey: ${eckey}
|
||||
allow_client_guests: ${allow_client_guests}
|
||||
ecparam: ${ecparam}
|
||||
signing_private_key: ${signing_private_key}
|
||||
KONNECT_BACKEND: ${KONNECT_BACKEND}
|
||||
FQDN: ${FQDN}
|
||||
identifier_registration_conf: ${identifier_registration_conf}
|
||||
encryption_secret_key: ${encryption_secret_key}
|
||||
identifier_scopes_conf: ${identifier_scopes_conf}
|
||||
allow_dynamic_client_registration: ${allow_dynamic_client_registration}
|
||||
DEBUG: ${DEBUG}
|
||||
LANG: ${LANG}
|
||||
|
||||
11
konnect/test-helper.sh
Executable file
11
konnect/test-helper.sh
Executable file
@ -0,0 +1,11 @@
|
||||
#!/bin/sh
|
||||
|
||||
# add a dummy for the konnectd binary
|
||||
cat << 'EOF' > /commander/konnectd
|
||||
#!/bin/sh
|
||||
echo konnectd $@
|
||||
EOF
|
||||
|
||||
chmod +x /commander/konnectd
|
||||
|
||||
exit 0
|
||||
@ -3,6 +3,12 @@
|
||||
set -eu
|
||||
[ "$DEBUG" ] && set -x
|
||||
|
||||
# allow helper commands given by "docker-compose run"
|
||||
if [ $# -gt 0 ]; then
|
||||
exec "$@"
|
||||
exit
|
||||
fi
|
||||
|
||||
dockerize \
|
||||
-wait file://"${ecparam:?}" \
|
||||
-wait file://"${eckey:?}" \
|
||||
@ -21,12 +27,19 @@ fi
|
||||
|
||||
if [ "${allow_client_guests:-}" = "yes" ]; then
|
||||
echo "Patching identifier registration for use of the Meet guest mode"
|
||||
konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
|
||||
/usr/local/bin/konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
|
||||
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
|
||||
#yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON
|
||||
yq -y ".clients += [{\"id\": \"kpop-https://$FQDN/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://$FQDN/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON
|
||||
# TODO this last bit can likely go
|
||||
yq -y . $CONFIG_JSON | sponge /kopano/ssl/konnectd-identifier-registration.yaml
|
||||
# TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano)
|
||||
yq -y . $CONFIG_JSON | sponge "${identifier_scopes_conf:?}"
|
||||
fi
|
||||
|
||||
if [ "${external_oidc_provider:-}" = "yes" ]; then
|
||||
echo "Patching identifier registration for external OIDC provider"
|
||||
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
|
||||
echo "authorities: [{name: ${external_oidc_name:-}, default: yes, iss: ${external_oidc_url:-}, client_id: kopano-meet, client_secret: ${external_oidc_clientsecret:-}, authority_type: oidc, response_type: id_token, scopes: [openid, profile, email]}]" >> $CONFIG_JSON
|
||||
yq -y . $CONFIG_JSON | sponge "${identifier_scopes_conf:?}"
|
||||
fi
|
||||
|
||||
# source additional configuration from Konnect cfg (potentially overwrites env vars)
|
||||
@ -36,14 +49,16 @@ if [ -e /etc/kopano/konnectd.cfg ]; then
|
||||
fi
|
||||
|
||||
oidc_issuer_identifier=${oidc_issuer_identifier:-https://$FQDN}
|
||||
set -- "$@" --iss="$oidc_issuer_identifier"
|
||||
echo "Entrypoint: Issuer url (--iss): $oidc_issuer_identifier"
|
||||
set -- "$@" --iss="$oidc_issuer_identifier"
|
||||
|
||||
if [ -n "${log_level:-}" ]; then
|
||||
echo "Entrypoint: Setting logging to $log_level"
|
||||
set -- "$@" --log-level="$log_level"
|
||||
fi
|
||||
|
||||
if [ "${allow_client_guests:-}" = "yes" ]; then
|
||||
echo "Entrypoint: Allowing guest login"
|
||||
set -- "$@" "--allow-client-guests"
|
||||
fi
|
||||
|
||||
@ -52,6 +67,22 @@ if [ "${allow_dynamic_client_registration:-}" = "yes" ]; then
|
||||
set -- "$@" "--allow-dynamic-client-registration"
|
||||
fi
|
||||
|
||||
if [ -n "${uri_base_path:-}" ]; then
|
||||
echo "Entrypoint: Setting base-path to $uri_base_path"
|
||||
set -- "$@" --uri-base-path="$uri_base_path"
|
||||
fi
|
||||
|
||||
if [ "${insecure:-}" = "yes" ]; then
|
||||
echo "Entrypoint: running Konnect in insecure mode"
|
||||
set -- "$@" "--insecure"
|
||||
fi
|
||||
|
||||
# read password from file (UCS requirement)
|
||||
if [ -n "${LDAP_BINDPW_FILE:-}" ]; then
|
||||
bindpw="$(cat "${LDAP_BINDPW_FILE}")"
|
||||
export LDAP_BINDPW="${bindpw}"
|
||||
fi
|
||||
|
||||
dockerize \
|
||||
-wait file://"${signing_private_key:?}" \
|
||||
-wait file://"${encryption_secret_key:?}" \
|
||||
|
||||
@ -34,8 +34,14 @@ for setting in $(compgen -A variable KCCONF_MEET); do
|
||||
esac
|
||||
done
|
||||
|
||||
# enable Kopano WebApp in the app switcher
|
||||
jq '.apps += {"enabled": ["kopano-webapp"]}' $CONFIG_JSON | sponge $CONFIG_JSON
|
||||
# enable Kopano Konnect in the app grid
|
||||
jq '.apps += {"enabled": ["kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON
|
||||
|
||||
# enable Kopano WebApp in the app grid (enabled by default)
|
||||
# TODO how to only update the array?
|
||||
if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then
|
||||
jq '.apps += {"enabled": ["kopano-webapp", "kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON
|
||||
fi
|
||||
|
||||
#cat $CONFIG_JSON
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
ARG CODE_VERSION=0.8.2
|
||||
ARG CODE_VERSION=0.8.3
|
||||
FROM kopano/kwebd:${CODE_VERSION}
|
||||
|
||||
ARG VCS_REF
|
||||
|
||||
@ -61,6 +61,14 @@
|
||||
}
|
||||
redir /signin /signin/v1/identifier
|
||||
|
||||
# Konnect in subpath - this config supports /kopanoid as a subpath
|
||||
rewrite /kopanoid/konnect/v1/ {
|
||||
to /upstreams/konnect/{path}
|
||||
}
|
||||
rewrite /kopanoid/signin/v1/ {
|
||||
to /upstreams/konnect/{path}
|
||||
}
|
||||
|
||||
# Kapi
|
||||
proxy /upstreams/kapi/ {
|
||||
without /upstreams/kapi/
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user