The quickstart guide uses docker-compose to compose several inter-related docker containers into a functioning environment. However, the components of that environment are dependent on one another.
- The
a3s
is dependent on thea3s-postgresql
Postgresql docker container, as it uses Postgresql as it's relational data store. Thea3s
container must be configured to connect to this database. - The
a3s-identity-server
component also depends on thea3s-postgresql
Postgresql docker container, as it needs to read many of the same relational stores that A3S operates on to issue access tokens to users. - The
a3s
container is dependent on thea3s-identity-server
to be it's access token issuer.
How do the containers running in this enviroment know where to connect? Internally, the docker images that are built for A3S and A3S-Identity-Server have a default internal configuration which assumes the setup within the quickstart docker-compose file. All the settings can be overridden by mounting in custom configuration files into the various containers, but this couples the integrating party to the changing configuration of A3S and IDS4, which is undesirable. Therefore, when pulling A3S and IDS4 containers into your own docker-compose environments, understanding and using the following conventions will enable you to pull the A3S, IDS4, and mutually required Postgresql container into your docker-compose environment without the need to configure (and therefore mount in configurations into the containers) for each of the containers.
-
a3s
and thea3s-identity-server
containers connect to the Postgresql container using the following settings:hostname
:a3s-postgresql
. This necessitates the name of the service within the quickstart docker-compose file to be this value.username
:postgres
. This is the reason thePOSTGRES_USER=postgres
environment variable (within the Postgresql container) is configured as such.password
:postgres
. This is the reason thePOSTGRES_PASSWORD=postgres
environment variable (within the Postgresql container) is configured as such.database
:identity_server
. This is the reason thePOSTGRES_DB=identity_server
environment variable (within the Postgresql container) is configured as such.
-
a3s
also protects it's own resources with itself and requires access tokens issued bya3s-identity-server
for authenticated access. Therefore, A3S must be configured witha3s-identity-server
to be it's access tokens issuer. The default configuration for thisIssuerURL
ishttp://a3s-identity-server
, which necessitates the name of the IDS4 container to bea3s-identity-server
with the docker-compose.yml.
When pulling in A3S containers into your own docker-compose environments, ensure that the following naming conventions are adhered to within your docker-compose.yml
file and you will not need to configure any of the A3S related containers to connect to one another. Note The A3S quickstart docker-compose file adheres to these conventions and can be used as a reference:
- Name the A3S service
a3s
. - Name the Identity Server 4 service:
a3s-identity-server.
- Name the Postgresql service:
a3s-postgresql
. - Ensure the Postgresql username is:
postgres
- Ensure the Postgresql password is:
postgres
- Ensure the Postgresql instance has a database called:
identity_server
. - If using the official Postgres image, this can all be done as follows:
a3s-postgresql:
networks:
- a3s-quickstart
image: "postgres:10.7-alpine"
restart: always
ports:
# Use a non standard port mapping to avoid potential collisions with other Postgres instances running on the host.
- '5478:5432'
environment:
- POSTGRES_PASSWORD=postgres
- POSTGRES_USER=postgres
- POSTGRES_DB=identity_server
Figure 1: An excerpt from the AS3 quickstart docker-compose.yml showing how to configure credentials and a default database when using the official Postgres docker image.
Security Contracts are a central concept within A3S. Therefore, the A3S quickstart guide intentionally includes instructions for manually applying a security contract in order to expose the user to these concepts. This is also the reason why quickstart docker-compose file does not contain any setup for automatically applying a security contract.
When integrating A3S into your docker-compose environment, it is not necessary to manually apply the security contract in the same fashion as the A3S quickstart guide. The application of a security contract is simply:
- Obtaining an access token for a user that has the
a3s.securityContracts.update
permission. - PUT the security contract using the API.
This can be achieved with any user agent capable of making the required HTTP API requests. The A3S makes use of Postman for API testing and discoverability. Therefore, the following example demonstrates how to use a Newman docker container to programatically run a Postman collection when starting up a docker-compose environment. The Postman collection simply performs the same steps as 1.
and 2.
above.
newman:
networks:
- a3s-quickstart
image: "postman/newman_alpine33"
command: run /etc/newman/register-a3s-contract.postman_collection.json --global-var client-id='a3s-default' --global-var client-secret='secret' --global-var a3s-host=http://a3s --global-var auth-server-base-url=http://a3s-identity-server --delay-request 15000
volumes:
- ../../postman:/etc/newman
depends_on:
- a3s-identity-server
Figure 2: An excerpt from a docker-compose.yml file that uses a Newman container to automatically run a Postman collection to apply a desired security contract on docker-compose up
. Note! The required register-a3s-contract.postman_collection.json
is mounted in as a volume and would be expected to be inside the ../../postman
folder on the host machine in this example.