diff --git a/docker-jans-configurator/README.md b/docker-jans-configurator/README.md index f81c3a7fd7f..b66db1a211e 100644 --- a/docker-jans-configurator/README.md +++ b/docker-jans-configurator/README.md 
@@ -72,34 +72,46 @@ The following commands are supported by the container: The load command can be used either to generate or restore config and secret for the cluster. -#### Docker +For fresh installation, generate the initial configuration and secret by creating `/path/to/host/volume/generate.json` similar to example below: +```json +{ + "hostname": "demoexample.jans.io", + "country_code": "US", + "state": "TX", + "city": "Austin", + "admin_pw": "S3cr3t+pass", + "ldap_pw": "S3cr3t+pass", + "email": "s@jans.io", + "org_name": "Gluu Inc." +} +``` -1. To generate the initial configuration and secret, create `/path/to/host/volume/generate.json` similar to example below: - - ```json - { - "hostname": "demoexample.jans.io", - "country_code": "US", - "state": "TX", - "city": "Austin", - "admin_pw": "S3cr3t+pass", - "ldap_pw": "S3cr3t+pass", - "email": "s@jans.io", - "org_name": "Gluu Inc." - } - ``` +**NOTE**: `generate.json` has optional attributes as seen below. - **NOTE**: `generate.json` has optional attributes to generate oxAuth signing and encryption keys based on specific algorithms. 
+- `auth_sig_keys`: space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) +- `auth_enc_keys`: space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) +- `optional_scopes`: list of scopes that will be used (supported scopes are `ldap`, `scim`, `fido2`, `couchbase`, `redis`, `sql`, `casa`; default to empty list) +- `ldap_pw`: user's password to access LDAP database (only used if `optional_scopes` list contains `ldap` scope) +- `sql_pw`: user's password to access SQL database (only used if `optional_scopes` list contains `sql` scope) +- `couchbase_pw`: user's password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope) +- `couchbase_superuser_pw`: superusers password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope) +- `salt`: user-defined salt (24 characters length); if omitted, salt will be generated automatically - - `auth_sig_keys`: space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) - - `auth_enc_keys`: space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) - - `optional_scopes`: list of scopes that will be used (supported scopes are `ldap`, `scim`, `fido2`, `couchbase`, `redis`, `sql`, `casa`; default to empty list) - - `ldap_pw`: user's password to access LDAP database (only used if `optional_scopes` list contains `ldap` scope) - - `sql_pw`: user's password to access SQL database (only used if `optional_scopes` list contains `sql` scope) - - `couchbase_pw`: user's password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope) - - `couchbase_superuser_pw`: superusers password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope) +Example of generating `salt` value: -2. 
Mount the volume into container: +``` +# using shell script +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1 +# output: NFAG5g4R0NSkAZXHL8t2DScL + +# using python oneliner +python -c 'import random, string; print("".join(random.choices(string.ascii_letters + string.digits, k=24)))' +# ouput: HsPzqiPkRzNySWlOVui8Ilmw +``` + +#### Docker + +1. Mount the `generate.json` into container: ```sh docker run \ @@ -117,33 +129,13 @@ The load command can be used either to generate or restore config and secret for #### Kubernetes -1. To generate the initial configuration and secret, create `/path/to/host/volume/generate.json` similar to example below: - - ```json - { - "hostname": "demoexample.jans.io", - "country_code": "US", - "state": "TX", - "city": "Austin", - "admin_pw": "S3cr3t+pass", - "ldap_pw": "S3cr3t+pass", - "email": "s@gluu.local", - "org_name": "Gluu Inc." - } - ``` - - **NOTE**: `generate.json` has optional attributes to generate oxAuth signing and encryption keys based on specific algorithms. - - - `auth_sig_keys`: space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) - - `auth_enc_keys`: space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) - -2. Create config map `config-generate-params` +1. Create config map `config-generate-params` to store the contents of `generate.json` ```sh kubectl create cm config-generate-params --from-file=generate.json ``` -3. Mount the configmap into container and apply the yaml: +1. Mount the configmap into container and apply the yaml: ```yaml apiVersion: batch/v1 diff --git a/docker-jans-configurator/scripts/bootstrap.py b/docker-jans-configurator/scripts/bootstrap.py index 6e3a832a361..3402b81207e 100644 --- a/docker-jans-configurator/scripts/bootstrap.py +++ b/docker-jans-configurator/scripts/bootstrap.py 
@@ -196,7 +196,10 @@ def get_secret(self, key, default=None): return self.ctx_manager.get_secret(key, default) def base_ctx(self): - self.set_secret("encoded_salt", partial(get_random_chars, 24)) + if self.params["salt"]: + self.set_secret("encoded_salt", self.params["salt"]) + else: + self.set_secret("encoded_salt", partial(get_random_chars, 24)) self.set_config("orgName", self.params["org_name"]) self.set_config("country_code", self.params["country_code"]) self.set_config("state", self.params["state"]) diff --git a/docker-jans-configurator/scripts/parameter.py b/docker-jans-configurator/scripts/parameter.py index e6b81552d51..75767376889 100644 --- a/docker-jans-configurator/scripts/parameter.py +++ b/docker-jans-configurator/scripts/parameter.py @@ -81,6 +81,15 @@ class Meta: auth_enc_keys = Str(missing="") + salt = Str( + validate=[ + Length(equal=24), + Predicate("isalnum", error="Only alphanumeric characters are allowed"), + ], + missing="", + default="", + ) + @validates("hostname") def validate_fqdn(self, value): fqdn = FQDN(value)
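Review bot: in the README hunk at `@@ -72,34 +72,46 @@`, the new `salt` bullet documents only the length ("24 characters length") while the validator added in `parameter.py` also rejects anything that is not alphanumeric; say "24 alphanumeric characters (`a-zA-Z0-9`)" so a reader who hand-picks a salt containing `+` or `-` is not surprised by a validation error. The Python one-liner has two further problems: `random.choices` draws from the non-cryptographic Mersenne Twister generator, which is the wrong source for a value the configurator then stores as a secret (`encoded_salt`), and it only exists on Python 3.6+, so `python -c` fails with `AttributeError` wherever `python` is still Python 2. Suggest `python3 -c 'import secrets, string; print("".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(24)))'`. Minor: "ouput" should read "output", and it is worth stating that the values under `# output:` are one-off samples so nobody copies `NFAG5g4R0NSkAZXHL8t2DScL` into a deployment.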
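Review bot: in the Kubernetes hunk at `@@ -117,33 +129,13 @@`, renumbering steps 2 and 3 to `1.` relies on Markdown auto-numbering, which is fine, but the instruction "Create config map `config-generate-params` to store the contents of `generate.json`" now places a file carrying `admin_pw`, `ldap_pw`, the optional `sql_pw`/`couchbase_pw`/`couchbase_superuser_pw` and the new `salt` into a ConfigMap, which is readable by anyone with `get configmaps` in the namespace and is not covered by Secret encryption at rest. Suggest `kubectl create secret generic config-generate-params --from-file=generate.json` with the Secret mounted by the `batch/v1` resource in step 3, or at least a note that the ConfigMap must be deleted once the `load` run has finished.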
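Review bot: in `base_ctx` (bootstrap.py hunk at `@@ -196,7 +196,10 @@`), the two branches hand `set_secret` different kinds of value: the existing path passes a callable (`partial(get_random_chars, 24)`), the new path passes the raw string. If `set_secret` evaluates a callable lazily, only when the key is not already stored, then a plain string is presumably written unconditionally, and re-running `load` with `salt` set would overwrite an `encoded_salt` that previously stored secrets were encoded with, leaving them undecodable. Please confirm how `set_secret` treats non-callable values and, if it does overwrite, pass the user value as a callable too (e.g. `lambda: self.params["salt"]`) so it follows the same existing-value rule. The branch can then collapse to one line: `self.set_secret("encoded_salt", self.params["salt"] or partial(get_random_chars, 24))`.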
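Review bot: in the parameter.py hunk at `@@ -81,6 +81,15 @@`, `Predicate("isalnum", ...)` is looser than the `a-zA-Z0-9` the README generates: `str.isalnum` is Unicode-aware, so a 24-character salt made of `é`, full-width or Arabic-Indic digits passes both `Length(equal=24)` and the predicate while being something consumers of `encoded_salt` will not expect. Suggest replacing both validators with `Regexp(r"^[A-Za-z0-9]{24}$", error="salt must be exactly 24 ASCII alphanumeric characters")`. Also, `missing=""` only applies when the key is absent: an explicit `"salt": ""` in `generate.json` fails `Length(equal=24)` (and `"".isalnum()` is `False`), so either document that the key must be omitted to get an auto-generated salt or make the validators accept the empty string. `default=""` is the dump-side default and has no effect on loading, so it can be dropped.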