Add containerization for the ipa-tuura+Apache service

Add Containerfile and podman-compose files that containerize ipa-tuura
using httpd as HTTPS server. This replaces the previous Dockerfile.test,
using Apache HTTPS server instead of the insecure built-in Django HTTP server.

By running the podman-compose.yaml, the container is built and deployed
with the needed port mapping.

Signed-off-by: Antonio Torres <antorres@redhat.com>

Containerfile

@@ -0,0 +1,48 @@
+FROM fedora:38
+ENV TZ=Europe/Madrid
+
+LABEL org.opencontainers.image.source=https://github.com/freeipa/ipa-tuura
+LABEL org.opencontainers.image.description="IPA-tuura Container"
+
+# Install dependencies
+RUN dnf -y update && dnf -y install \
+    dbus-daemon \
+    dbus-devel \
+    gcc \
+    glib2-devel \
+    glibc \
+    httpd \
+    krb5-devel \
+    maven \
+    mod_ssl \
+    mod_wsgi \
+    openldap-devel \
+    openssl \
+    python3-devel \
+    python3-netifaces \
+    python3-pip \
+    python3-sssdconfig \
+    python-devel \
+    python-ipalib \
+    sssd-dbus \
+    unzip \
+    && dnf clean all
+RUN mkdir /www
+COPY . /www/ipa-tuura
+RUN pip install -r /www/ipa-tuura/src/install/requirements.txt
+
+# Setup ipa-tuura
+RUN echo 'LoadModule wsgi_module modules/mod_wsgi.so' >> /etc/httpd/conf/httpd.conf
+RUN sed -i 's/ALLOWED_HOSTS = \[\]/ALLOWED_HOSTS = \['"'*'"'\]/g' /www/ipa-tuura/src/ipa-tuura/root/settings.py
+RUN sed -i 's/staticfiles/static/g' /usr/local/lib/python3.11/site-packages/rest_framework_swagger/templates/rest_framework_swagger/index.html
+
+# Generate and configure self-signed certificate
+COPY src/conf/ipa.conf /root
+RUN openssl req -config /root/ipa.conf -newkey rsa -x509 -days 365 -out /etc/pki/tls/certs/apache-selfsigned.crt
+RUN sed -i 's\localhost.crt\apache-selfsigned.crt\g' /etc/httpd/conf.d/ssl.conf
+RUN sed -i 's\localhost.key\apache-selfsigned.key\g' /etc/httpd/conf.d/ssl.conf
+
+# Setup Apache virtual host
+COPY src/conf/ipatuura.conf /etc/httpd/conf.d/ipatuura.conf
+
+CMD ["/usr/sbin/httpd", "-DFOREGROUND"]

podman-compose.yaml

@@ -0,0 +1,11 @@
+version: "3"
+services:
+  tuura-server:
+    container_name: tuura-server
+    build:
+      context: .
+    ports:
+      - 8005:80
+      - 3501:3500
+      - 4701:81
+      - 4430:443

src/conf/ipa.conf

@@ -0,0 +1,71 @@
+# Key:
+#  - <SK> = Key to a config subsection
+
+# Main entry point
+# since our command on the CLI is `req`, OpenSSL is going to look for a matching entry-point
+# This lets you store multiple command configs together, in a single file
+[req]
+# algorithm and number of bits to use when creating the private key
+# rsa:2048
+default_bits = 2048
+# Same as `-nodes` argument, to prevent encryption of private key (passphrase)
+encrypt_key = no
+# Explicitly tells OpenSSL which message digest algorithm to use
+# Good practice to specify, since older versions might default to MD5 (insecure)
+default_md = sha256
+# If you don't use `-keyout` in the CLI, this determines the private key filename
+default_keyfile = /etc/pki/tls/private/apache-selfsigned.key
+# <SK> These are values that are used to *distinguish* the certificate, such as the country and organization
+# These values are normally collected via Q&A prompt in the CLI if config file is not used
+distinguished_name = req_distinguished_name
+# Ensures that distinguished_name values will be pulled from this file, as
+#     opposed to prompting the user in the CLI
+prompt = no
+# <SK> Used for extensions to the self-signed cert OpenSSL is going to generate for us
+x509_extensions = x509_extensions
+
+[req_distinguished_name]
+# - These are all values that are used to *distinguish* the certificate, such as
+#     the country and organization
+# - Many of these have shorter keys that should be used for non-prompt values,
+#     and long keys that should have a prompt string to display to the user, and
+#     optionally a default value if the prompt is skipped (see below note)
+# - For long keys, if you use fieldName with `_default` at the end, the value
+#     will be used if prompt!==true, or if the user skips the prompt in the CLI
+
+# Long = countryName
+C = ES
+# Long = stateOrProvinceName
+ST = AB
+# Long = localityName
+L = Albacete
+# Long = organizationName
+O = IPA
+# Long = organizationalUnitName
+OU = IPA TUURA
+# Long = commonName
+# Pay extra attention to common name - You can only define one, and it is the
+#     value that is displayed to the user. Should NOT include protocol, but can
+#     be in format of domain.tld, www.domain.tld, or even wildcard, to share a
+#     common cert across multiple subdomains - `*.domain.tld`.
+# Also, any value that you use here !*** MUST ***! be ALSO included in the SAN
+#     (subject alternative name) section (subjectAltName), if you choose to
+#     include that section. See: https://stackoverflow.com/a/25971071/11447682
+CN = *.ipa.test
+
+[x509_extensions]
+# <SK> Used for (generically) custom field-value pairs that should be associated
+#   with the cert, such as extra DNS names, IP addresses, and emails
+subjectAltName = @alternate_names
+
+[alternate_names]
+# Extra domain names to associate with our cert
+#  - These can be a mix of wildcard, IP address, subdomain, etc.
+DNS.1 = *.ipa.test
+DNS.2 = localhost
+DNS.3 = 127.0.0.1
+DNS.4 = master.ipa.test
+# Etc.
+# See:
+# - https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html#Subject-Alternative-Name
+# - https://en.wikipedia.org/wiki/Subject_Alternative_Name

src/install/requirements.txt

@@ -2,6 +2,8 @@
 # Copyright (C) 2022  FreeIPA Contributors see COPYING for license
 #
 
+dbus-python
+python-ldap
 django
 django-scim2
 django-extensions