diff --git a/.buildkite/scripts/fixture-deploy.sh b/.buildkite/scripts/fixture-deploy.sh new file mode 100755 index 000000000000..3c30b3a3176d --- /dev/null +++ b/.buildkite/scripts/fixture-deploy.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +set -euo pipefail + +echo "$DOCKER_REGISTRY_PASSWORD" | docker login -u "$DOCKER_REGISTRY_USERNAME" --password-stdin docker.elastic.co +unset DOCKER_REGISTRY_USERNAME DOCKER_REGISTRY_PASSWORD + +docker buildx create --use +.ci/scripts/run-gradle.sh deployFixtureDockerImages diff --git a/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/docker/DockerBuildTask.java b/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/docker/DockerBuildTask.java index 20f46990815b..4b5eac1a2e37 100644 --- a/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/docker/DockerBuildTask.java +++ b/build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/docker/DockerBuildTask.java @@ -20,8 +20,10 @@ import org.gradle.api.model.ObjectFactory; import org.gradle.api.provider.ListProperty; import org.gradle.api.provider.MapProperty; import org.gradle.api.provider.Property; +import org.gradle.api.provider.SetProperty; import org.gradle.api.tasks.Input; import org.gradle.api.tasks.InputDirectory; +import org.gradle.api.tasks.Optional; import org.gradle.api.tasks.OutputFile; import org.gradle.api.tasks.PathSensitive; import org.gradle.api.tasks.PathSensitivity; @@ -36,6 +38,7 @@ import java.io.IOException; import java.nio.file.Files; import java.util.Arrays; import java.util.List; +import java.util.stream.Collectors; import javax.inject.Inject; 
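Review bot: `docker login` stores the registry credential in the Docker config store (`~/.docker/config.json`, base64-encoded unless a credential helper is configured), so the `unset` on the next line only clears the environment; on a reused build agent the login outlives this script. Add `trap 'docker logout docker.elastic.co' EXIT` directly after the login line so the stored credential is removed even when the gradle step fails under `set -e`. `docker buildx create --use` also leaves an anonymous builder behind on every run, which is harmless on ephemeral agents but accumulates on persistent ones; a named builder removed in the same trap would keep them clean.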
@@ -43,7 +46,7 @@ import javax.inject.Inject; * This task wraps up the details of building a Docker image, including adding a pull * mechanism that can retry, and emitting the image SHA as a task output. */ -public class DockerBuildTask extends DefaultTask { +public abstract class DockerBuildTask extends DefaultTask { private static final Logger LOGGER = Logging.getLogger(DockerBuildTask.class); private final WorkerExecutor workerExecutor; @@ -55,7 +58,6 @@ public class DockerBuildTask extends DefaultTask { private boolean noCache = true; private String[] baseImages; private MapProperty buildArgs; - private Property platform; @Inject public DockerBuildTask(WorkerExecutor workerExecutor, ObjectFactory objectFactory, ProjectLayout projectLayout) { @@ -63,7 +65,6 @@ public class DockerBuildTask extends DefaultTask { this.markerFile = objectFactory.fileProperty(); this.dockerContext = objectFactory.directoryProperty(); this.buildArgs = objectFactory.mapProperty(String.class, String.class); - this.platform = objectFactory.property(String.class).convention(Architecture.current().dockerPlatform); this.markerFile.set(projectLayout.getBuildDirectory().file("markers/" + this.getName() + ".marker")); } @@ -75,9 +76,10 @@ public class DockerBuildTask extends DefaultTask { params.getTags().set(Arrays.asList(tags)); params.getPull().set(pull); params.getNoCache().set(noCache); + params.getPush().set(getPush().getOrElse(false)); params.getBaseImages().set(Arrays.asList(baseImages)); params.getBuildArgs().set(buildArgs); - params.getPlatform().set(platform); + params.getPlatforms().set(getPlatforms()); }); } @@ -129,9 +131,11 @@ public class DockerBuildTask extends DefaultTask { } @Input - public Property getPlatform() { - return platform; - } + public abstract SetProperty getPlatforms(); + + @Input + @Optional + public abstract Property getPush(); @OutputFile public RegularFileProperty getMarkerFile() { 
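Review bot: The two abstract properties that replace `getPlatform()` carry no Javadoc, and the behavior change is not visible from the signatures: the removed `platform` field had a convention of `Architecture.current().dockerPlatform`, while `getPlatforms()` starts empty and `getPush()` is `@Optional` and read through `getOrElse(false)`. Suggested Javadoc on `getPlatforms()`: `/** Docker platforms to build for; passed as {@code --platform} only when at least one differs from the host architecture. An empty set builds for the host only. */`, and on `getPush()`: `/** Whether to pass {@code --push}; the CI script creates a buildx builder before running this task. Defaults to false. */`. The `@Input` annotation on the platforms property without a convention is fine, since both callers on this page set it explicitly.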
@@ -181,7 +185,7 @@ public class DockerBuildTask extends DefaultTask { } final List tags = parameters.getTags().get(); - final boolean isCrossPlatform = parameters.getPlatform().get().equals(Architecture.current().dockerPlatform) == false; + final boolean isCrossPlatform = isCrossPlatform(); LoggedExec.exec(execOperations, spec -> { spec.executable("docker"); @@ -193,7 +197,7 @@ public class DockerBuildTask extends DefaultTask { spec.args("build", parameters.getDockerContext().get().getAsFile().getAbsolutePath()); if (isCrossPlatform) { - spec.args("--platform", parameters.getPlatform().get()); + spec.args("--platform", parameters.getPlatforms().get().stream().collect(Collectors.joining(","))); } if (parameters.getNoCache().get()) { @@ -203,11 +207,20 @@ public class DockerBuildTask extends DefaultTask { tags.forEach(tag -> spec.args("--tag", tag)); parameters.getBuildArgs().get().forEach((k, v) -> spec.args("--build-arg", k + "=" + v)); + + if (parameters.getPush().getOrElse(false)) { + spec.args("--push"); + } }); // Fetch the Docker image's hash, and write it to desk as the task's output. Doing this allows us // to do proper up-to-date checks in Gradle. try { + // multi-platform image builds do not end up in local registry, so we need to pull the just build image + // first to get the checksum and also serves as a test for the image being pushed correctly + if (parameters.getPlatforms().get().size() > 1 && parameters.getPush().getOrElse(false)) { + pullBaseImage(tags.get(0)); + } final String checksum = getImageChecksum(tags.get(0)); Files.writeString(parameters.getMarkerFile().getAsFile().get().toPath(), checksum + "\n"); } catch (IOException e) { 
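Review bot: The new pull is guarded by `size() > 1 && push`, yet the comment above it says multi-platform builds never land in the local daemon, so a multi-platform build without `push` still reaches `getImageChecksum(tags.get(0))` against an image that does not exist locally and fails there with an opaque docker error. Reject that combination up front, e.g. `if (parameters.getPlatforms().get().size() > 1 && parameters.getPush().getOrElse(false) == false) { throw new IllegalStateException("multi-platform docker builds require push=true"); }`. The checksum written to the marker after a push is whatever `tags.get(0)` resolves to in the registry at pull time, which is the just-built image only if nothing else pushes that mutable tag concurrently; worth stating in the comment, which should also read `just built image`. Minor style: `stream().collect(Collectors.joining(","))` is `String.join(",", parameters.getPlatforms().get())`, which would leave the new Collectors import unused unless it is needed elsewhere in the file.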
@@ -215,6 +228,13 @@ public class DockerBuildTask extends DefaultTask { } } + private boolean isCrossPlatform() { + return getParameters().getPlatforms() + .get() + .stream() + .anyMatch(any -> any.equals(Architecture.current().dockerPlatform) == false); + } + private String getImageChecksum(String imageTag) { final ByteArrayOutputStream stdout = new ByteArrayOutputStream(); @@ -243,6 +263,8 @@ public class DockerBuildTask extends DefaultTask { MapProperty getBuildArgs(); - Property getPlatform(); + SetProperty getPlatforms(); + + Property getPush(); } } diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle index 96e577d5635a..10f4d56c0304 100644 --- a/distribution/docker/build.gradle +++ b/distribution/docker/build.gradle @@ -398,7 +398,7 @@ void addBuildDockerImageTask(Architecture architecture, DockerBase base) { noCache = BuildParams.isCi tags = generateTags(base, architecture) - platform = architecture.dockerPlatform + platforms.add(architecture.dockerPlatform) // We don't build the Iron Bank image when we release Elasticsearch, as there's // separate process for submitting new releases. However, for testing we do a @@ -468,7 +468,7 @@ void addBuildEssDockerImageTask(Architecture architecture) { noCache = BuildParams.isCi baseImages = [] tags = generateTags(base, architecture) - platform = architecture.dockerPlatform + platforms.add(architecture.dockerPlatform) onlyIf("$architecture supported") { isArchitectureSupported(architecture) } } diff --git a/test/fixtures/testcontainer-utils/src/main/java/org/elasticsearch/test/fixtures/testcontainers/DockerEnvironmentAwareTestContainer.java b/test/fixtures/testcontainer-utils/src/main/java/org/elasticsearch/test/fixtures/testcontainers/DockerEnvironmentAwareTestContainer.java index ce4d6fda861c..be8d597c2601 100644 --- a/test/fixtures/testcontainer-utils/src/main/java/org/elasticsearch/test/fixtures/testcontainers/DockerEnvironmentAwareTestContainer.java 
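Review bot: `isCrossPlatform()` re-evaluates `Architecture.current().dockerPlatform` for every element of the platform set and names the lambda parameter `any`; hoist the host platform into a local, `final String hostPlatform = Architecture.current().dockerPlatform;` followed by `.anyMatch(platform -> platform.equals(hostPlatform) == false)`. A short Javadoc would also help: `/** True when any configured platform differs from the host; an empty set yields false and no {@code --platform} flag is emitted. */`.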
+++ b/test/fixtures/testcontainer-utils/src/main/java/org/elasticsearch/test/fixtures/testcontainers/DockerEnvironmentAwareTestContainer.java @@ -16,7 +16,6 @@ import org.slf4j.LoggerFactory; import org.testcontainers.DockerClientFactory; import org.testcontainers.containers.GenericContainer; import org.testcontainers.containers.output.Slf4jLogConsumer; -import org.testcontainers.images.builder.ImageFromDockerfile; import java.io.File; import java.io.IOException; @@ -27,6 +26,7 @@ import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.concurrent.Future; import java.util.stream.Collectors; public abstract class DockerEnvironmentAwareTestContainer extends GenericContainer @@ -56,8 +56,8 @@ public abstract class DockerEnvironmentAwareTestContainer extends GenericContain } } - public DockerEnvironmentAwareTestContainer(ImageFromDockerfile imageFromDockerfile) { - super(imageFromDockerfile); + public DockerEnvironmentAwareTestContainer(Future image) { + super(image); } @Override diff --git a/x-pack/qa/saml-idp-tests/build.gradle b/x-pack/qa/saml-idp-tests/build.gradle index 6a7d60f88a1d..1c41e58ffb0d 100644 --- a/x-pack/qa/saml-idp-tests/build.gradle +++ b/x-pack/qa/saml-idp-tests/build.gradle @@ -5,9 +5,9 @@ dependencies { javaRestTestImplementation "com.google.jimfs:jimfs:${versions.jimfs}" javaRestTestImplementation "com.google.guava:guava:${versions.jimfs_guava}" javaRestTestImplementation project(":x-pack:test:idp-fixture") + javaRestTestRuntimeOnly "org.slf4j:slf4j-simple:${versions.slf4j}" } - tasks.named("javaRestTest").configure { usesDefaultDistribution() } diff --git a/x-pack/qa/saml-idp-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java b/x-pack/qa/saml-idp-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java index 5718930f37c8..c8b3b3fc3aed 100644 
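Review bot: The new `DockerEnvironmentAwareTestContainer(Future image)` constructor widens the accepted input from a Dockerfile build to any image future but says nothing about what callers should pass; on this page both subclasses pass a `RemoteDockerImage` for a pre-built fixture tag. Suggested Javadoc: `/** Creates the container from an image future such as {@code RemoteDockerImage}; the image is resolved by testcontainers rather than built here. */`. The type argument of `Future` is not visible in this rendering, so I cannot confirm it is the `Future<String>` that `GenericContainer` expects.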
--- a/x-pack/qa/saml-idp-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java +++ b/x-pack/qa/saml-idp-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java @@ -28,7 +28,6 @@ import org.apache.http.protocol.BasicHttpContext; import org.apache.http.protocol.HttpContext; import org.apache.http.protocol.HttpCoreContext; import org.apache.http.util.EntityUtils; -import org.apache.lucene.tests.util.LuceneTestCase; import org.elasticsearch.client.Request; import org.elasticsearch.client.RequestOptions; import org.elasticsearch.client.Response; @@ -92,7 +91,6 @@ import static org.hamcrest.Matchers.startsWith; /** * An integration test for validating SAML authentication against a real Identity Provider (Shibboleth) */ -@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/103717") @ThreadLeakFilters(filters = { TestContainersThreadFilter.class }) public class SamlAuthenticationIT extends ESRestTestCase { diff --git a/x-pack/test/idp-fixture/build.gradle b/x-pack/test/idp-fixture/build.gradle index 691483bcfe5c..b1243b9eb681 100644 --- a/x-pack/test/idp-fixture/build.gradle +++ b/x-pack/test/idp-fixture/build.gradle @@ -1,3 +1,7 @@ +import org.elasticsearch.gradle.Architecture +import org.elasticsearch.gradle.internal.docker.DockerBuildTask +import org.elasticsearch.gradle.internal.info.BuildParams + apply plugin: 'elasticsearch.java' apply plugin: 'elasticsearch.cache-test-fixtures' 
@@ -7,3 +11,26 @@ dependencies { api project(':test:fixtures:testcontainer-utils') api "junit:junit:${versions.junit}" } + +tasks.register("deployIdpFixtureDockerImages", DockerBuildTask) { + dockerContext.fileValue(file("src/main/resources/idp")) + baseImages = ["openjdk:11.0.16-jre"] + noCache = BuildParams.isCi + tags = ["docker.elastic.co/elasticsearch-dev/idp-fixture:1.0"] + push = BuildParams.isCI + getPlatforms().addAll( Architecture.values().collect{ it.dockerPlatform } ) +} + + +tasks.register("deployOpenLdapFixtureDockerImages", DockerBuildTask) { + dockerContext.fileValue(file("src/main/resources/openldap")) + baseImages = ["osixia/openldap:1.4.0"] + noCache = BuildParams.isCi + tags = ["docker.elastic.co/elasticsearch-dev/openldap-fixture:1.0"] + push = BuildParams.isCI + getPlatforms().addAll( Architecture.values().collect{ it.dockerPlatform } ) +} + +tasks.register("deployFixtureDockerImages") { + dependsOn tasks.withType(DockerBuildTask) +} diff --git a/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/IdpTestContainer.java b/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/IdpTestContainer.java index 692cd4b08141..d76ca5741d8b 100644 --- a/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/IdpTestContainer.java +++ b/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/IdpTestContainer.java @@ -11,8 +11,7 @@ import org.elasticsearch.test.fixtures.testcontainers.DockerEnvironmentAwareTest import org.junit.rules.TemporaryFolder; import org.testcontainers.containers.Network; import org.testcontainers.containers.wait.strategy.Wait; -import org.testcontainers.images.builder.ImageFromDockerfile; -import org.testcontainers.images.builder.dockerfile.statement.SingleArgumentStatement; +import org.testcontainers.images.RemoteDockerImage; import java.io.IOException; import java.nio.file.Path; 
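Review bot: `push = BuildParams.isCI` in both new tasks is spelled differently from `noCache = BuildParams.isCi` two lines above and from every other use on this page; if `BuildParams` exposes only `isCi`, Groovy fails at configuration time with a missing-property error, so both lines should read `push = BuildParams.isCi`. The images are also pushed to a fixed mutable tag (`idp-fixture:1.0`, `openldap-fixture:1.0`) on every CI run, so the tag no longer identifies a Dockerfile revision and the test containers on this page that pull it get whatever was pushed last; deriving the tag from a version bumped with the Dockerfiles, or recording the pushed digest, would keep test runs reproducible. `deployFixtureDockerImages` depends on `tasks.withType(DockerBuildTask)`, which picks up any DockerBuildTask registered in this project, not only the two above; a comment noting that is worthwhile.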
@@ -21,8 +20,7 @@ import static org.elasticsearch.test.fixtures.ResourceUtils.copyResourceToFile; public final class IdpTestContainer extends DockerEnvironmentAwareTestContainer { - public static final String DOCKER_BASE_IMAGE = "openjdk:11.0.16-jre"; - + private static final String DOCKER_BASE_IMAGE = "docker.elastic.co/elasticsearch-dev/idp-fixture:1.0"; private final TemporaryFolder temporaryFolder = new TemporaryFolder(); private Path certsPath; 
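Review bot: `DOCKER_BASE_IMAGE` now holds the pre-built fixture image rather than the image the fixture is built `FROM`, so the name misleads; rename it to `DOCKER_IMAGE` (or `FIXTURE_IMAGE`), or add `// Pre-built fixture image published by the deployIdpFixtureDockerImages task in this module` above it. The same naming point applies to the matching `OpenLdapTestContainer` hunk further down.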
@@ -34,117 +32,10 @@ public final class IdpTestContainer extends DockerEnvironmentAwareTestContainer } public IdpTestContainer(Network network) { - super( - new ImageFromDockerfile("es-idp-testfixture").withDockerfileFromBuilder( - builder -> builder.from(DOCKER_BASE_IMAGE) - .env("jetty_version", "9.3.27.v20190418") - .env("jetty_hash", "7c7c80dd1c9f921771e2b1a05deeeec652d5fcaa") - .env("idp_version", "3.4.3") - .env("idp_hash", "eb86bc7b6366ce2a44f97cae1b014d307b84257e3149469b22b2d091007309db") - .env("dta_hash", "2f547074b06952b94c35631398f36746820a7697") - .env("slf4j_version", "1.7.25") - .env("slf4j_hash", "da76ca59f6a57ee3102f8f9bd9cee742973efa8a") - .env("logback_version", "1.2.3") - .env("logback_classic_hash", "7c4f3c474fb2c041d8028740440937705ebb473a") - .env("logback_core_hash", "864344400c3d4d92dfeb0a305dc87d953677c03c") - .env("logback_access_hash", "e8a841cb796f6423c7afd8738df6e0e4052bf24a") - - .env("JETTY_HOME", "/opt/jetty-home") - .env("JETTY_BASE", "/opt/shib-jetty-base") - .env("PATH", "$PATH:$JAVA_HOME/bin") - .env("JETTY_BROWSER_SSL_KEYSTORE_PASSWORD", "secret") - .env("JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD", "secret") - .env("JETTY_MAX_HEAP", "64m") - // Manually override the jetty keystore otherwise it will attempt to download and fail - .run("mkdir -p /opt/shib-jetty-base/modules") - .copy("idp/jetty-custom/ssl.mod", "/opt/shib-jetty-base/modules/ssl.mod") - .copy("idp/jetty-custom/keystore", "/opt/shib-jetty-base/etc/keystore") - // Download Jetty, verify the hash, and install, initialize a new base - .run( - "wget -q https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz" - + " && echo \"$jetty_hash jetty-distribution-$jetty_version.tar.gz\" | sha1sum -c -" - + " && tar -zxvf jetty-distribution-$jetty_version.tar.gz -C /opt" - + " && ln -s /opt/jetty-distribution-$jetty_version/ /opt/jetty-home" - ) - // Config Jetty - .run( - "mkdir -p 
/opt/shib-jetty-base/modules /opt/shib-jetty-base/lib/ext /opt/shib-jetty-base/lib/logging /opt/shib-jetty-base/resources" - + " && cd /opt/shib-jetty-base" - + " && touch start.ini" - + " && java -jar ../jetty-home/start.jar --add-to-startd=http,https,deploy,ext,annotations,jstl,rewrite" - ) - // Download Shibboleth IdP, verify the hash, and install - .run( - "wget -q https://shibboleth.net/downloads/identity-provider/archive/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz" - + " && echo \"$idp_hash shibboleth-identity-provider-$idp_version.tar.gz\" | sha256sum -c -" - + " && tar -zxvf shibboleth-identity-provider-$idp_version.tar.gz -C /opt" - + " && ln -s /opt/shibboleth-identity-provider-$idp_version/ /opt/shibboleth-idp" - ) - // Download the library to allow SOAP Endpoints, verify the hash, and place - .run( - "wget -q https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/jetty9/jetty9-dta-ssl/1.0.0/jetty9-dta-ssl-1.0.0.jar" - + " && echo \"$dta_hash jetty9-dta-ssl-1.0.0.jar\" | sha1sum -c -" - + " && mv jetty9-dta-ssl-1.0.0.jar /opt/shib-jetty-base/lib/ext/" - ) - // Download the slf4j library for Jetty logging, verify the hash, and place - .run( - "wget -q https://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar" - + " && echo \"$slf4j_hash slf4j-api-$slf4j_version.jar\" | sha1sum -c -" - + " && mv slf4j-api-$slf4j_version.jar /opt/shib-jetty-base/lib/logging/" - ) - // Download the logback_classic library for Jetty logging, verify the hash, and place - .run( - "wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar" - + " && echo \"$logback_classic_hash logback-classic-$logback_version.jar\" | sha1sum -c -" - + " && mv logback-classic-$logback_version.jar /opt/shib-jetty-base/lib/logging/" - ) - // Download the logback-core library for Jetty logging, verify the hash, and place - .run( - 
"wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar" - + " && echo \"$logback_core_hash logback-core-$logback_version.jar\" | sha1sum -c -" - + " && mv logback-core-$logback_version.jar /opt/shib-jetty-base/lib/logging/" - ) - // Download the logback-access library for Jetty logging, verify the hash, and place - .run( - "wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar" - + " && echo \"$logback_access_hash logback-access-$logback_version.jar\" | sha1sum -c -" - + " && mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/" - ) - // ## Copy local files - .copy("idp/shib-jetty-base/", "/opt/shib-jetty-base/") - .copy("idp/shibboleth-idp/", "/opt/shibboleth-idp/") - .copy("idp/bin/", "/usr/local/bin/") - // Setting owner ownership and permissions - .run( - "useradd jetty -U -s /bin/false" - + " && chown -R root:jetty /opt" - + " && chmod -R 640 /opt" - + " && chown -R root:jetty /opt/shib-jetty-base" - + " && chmod -R 640 /opt/shib-jetty-base" - + " && chmod -R 750 /opt/shibboleth-idp/bin" - ) - .run("chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh") - .run("chmod +x /opt/jetty-home/bin/jetty.sh") - // Opening 4443 (browser TLS), 8443 (mutual auth TLS) - .cmd("run-jetty.sh") - .withStatement( - new SingleArgumentStatement( - "HEALTHCHECK", - "CMD curl -f -s --http0.9 http://localhost:4443 " + "--connect-timeout 10 --max-time 10 --output - > /dev/null" - ) - ) - // .expose(4443) - .build() - ) - .withFileFromClasspath("idp/jetty-custom/ssl.mod", "/idp/jetty-custom/ssl.mod") - .withFileFromClasspath("idp/jetty-custom/keystore", "/idp/jetty-custom/keystore") - .withFileFromClasspath("idp/shib-jetty-base/", "/idp/shib-jetty-base/") - .withFileFromClasspath("idp/shibboleth-idp/", "/idp/shibboleth-idp/") - .withFileFromClasspath("idp/bin/", "/idp/bin/") - ); + super(new 
RemoteDockerImage(DOCKER_BASE_IMAGE)); withNetworkAliases("idp"); withNetwork(network); - waitingFor(Wait.forHealthcheck()); + waitingFor(Wait.forListeningPorts(4443)); addExposedPorts(4443, 8443); } diff --git a/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/OpenLdapTestContainer.java b/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/OpenLdapTestContainer.java index 2f65134f2ec7..69d42e8b985a 100644 --- a/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/OpenLdapTestContainer.java +++ b/x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/OpenLdapTestContainer.java @@ -10,7 +10,7 @@ package org.elasticsearch.test.fixtures.idp; import org.elasticsearch.test.fixtures.testcontainers.DockerEnvironmentAwareTestContainer; import org.junit.rules.TemporaryFolder; import org.testcontainers.containers.Network; -import org.testcontainers.images.builder.ImageFromDockerfile; +import org.testcontainers.images.RemoteDockerImage; import java.io.IOException; import java.nio.file.Path; @@ -19,7 +19,7 @@ import static org.elasticsearch.test.fixtures.ResourceUtils.copyResourceToFile; public final class OpenLdapTestContainer extends DockerEnvironmentAwareTestContainer { - public static final String DOCKER_BASE_IMAGE = "osixia/openldap:1.4.0"; + private static final String DOCKER_BASE_IMAGE = "docker.elastic.co/elasticsearch-dev/openldap-fixture:1.0"; private final TemporaryFolder temporaryFolder = new TemporaryFolder(); private Path certsPath; 
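Review bot: The readiness check drops from `Wait.forHealthcheck()` (the removed HEALTHCHECK curled `http://localhost:4443`) to `Wait.forListeningPorts(4443)`, which only proves Jetty bound the port, not that the Shibboleth IdP webapp finished deploying; if the SAML tests turn flaky, an HTTP-based wait on 4443, or a HEALTHCHECK kept in the Dockerfile with `Wait.forHealthcheck()`, is the tighter check. With the image now pulled as `docker.elastic.co/elasticsearch-dev/idp-fixture:1.0` by mutable tag, the sha1sum/sha256sum checks that used to run in this constructor (and still run in the Dockerfile) protect only the CI job that builds the image; what a test run pulls is whatever was last pushed to that tag, so consider pinning by digest (`RemoteDockerImage("docker.elastic.co/elasticsearch-dev/idp-fixture@sha256:<digest-placeholder>")`) or a tag that changes with the Dockerfile. The same applies to the `OpenLdapTestContainer` constructor hunk below.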
@@ -29,36 +29,7 @@ public final class OpenLdapTestContainer extends DockerEnvironmentAwareTestConta } public OpenLdapTestContainer(Network network) { - super( - new ImageFromDockerfile("es-openldap-testfixture").withDockerfileFromBuilder( - builder -> builder.from(DOCKER_BASE_IMAGE) - .env("LDAP_ADMIN_PASSWORD", "NickFuryHeartsES") - .env("LDAP_DOMAIN", "oldap.test.elasticsearch.com") - .env("LDAP_BASE_DN", "DC=oldap,DC=test,DC=elasticsearch,DC=com") - .env("LDAP_TLS", "true") - .env("LDAP_TLS_CRT_FILENAME", "ldap_server.pem") - .env("LDAP_TLS_CA_CRT_FILENAME", "ca_server.pem") - .env("LDAP_TLS_KEY_FILENAME", "ldap_server.key") - .env("LDAP_TLS_VERIFY_CLIENT", "never") - .env("LDAP_TLS_CIPHER_SUITE", "NORMAL") - .env("LDAP_LOG_LEVEL", "256") - .copy( - "openldap/ldif/users.ldif", - "/container/service/slapd/assets/config/bootstrap/ldif/custom/20-bootstrap-users.ldif" - ) - .copy( - "openldap/ldif/config.ldif", - "/container/service/slapd/assets/config/bootstrap/ldif/custom/10-bootstrap-config.ldif" - ) - .copy("openldap/certs", "/container/service/slapd/assets/certs") - - .build() - ) - .withFileFromClasspath("openldap/certs", "/openldap/certs/") - .withFileFromClasspath("openldap/ldif/users.ldif", "/openldap/ldif/users.ldif") - .withFileFromClasspath("openldap/ldif/config.ldif", "/openldap/ldif/config.ldif") - ); - // withLogConsumer(new Slf4jLogConsumer(logger())); + super(new RemoteDockerImage(DOCKER_BASE_IMAGE)); withNetworkAliases("openldap"); withNetwork(network); withExposedPorts(389, 636); diff --git a/x-pack/test/idp-fixture/src/main/resources/idp/Dockerfile b/x-pack/test/idp-fixture/src/main/resources/idp/Dockerfile index ea7b6880fb42..7acb86c05e0e 100644 --- a/x-pack/test/idp-fixture/src/main/resources/idp/Dockerfile +++ b/x-pack/test/idp-fixture/src/main/resources/idp/Dockerfile 
@@ -20,12 +20,13 @@ ENV JETTY_HOME=/opt/jetty-home \ JETTY_BASE=/opt/shib-jetty-base \ PATH=$PATH:$JAVA_HOME/bin \ JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret \ - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret - + JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret \ + JETTY_MAX_HEAP=64m + # Manually override the jetty keystore otherwise it will attempt to download and fail RUN mkdir -p /opt/shib-jetty-base/modules -COPY ./idp/jetty-custom/ssl.mod /opt/shib-jetty-base/modules/ssl.mod -COPY ./idp/jetty-custom/keystore /opt/shib-jetty-base/etc/keystore +COPY ./jetty-custom/ssl.mod /opt/shib-jetty-base/modules/ssl.mod +COPY ./jetty-custom/keystore /opt/shib-jetty-base/etc/keystore # Download Jetty, verify the hash, and install, initialize a new base RUN wget -q https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \ @@ -71,9 +72,9 @@ RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-access/$ && mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/ ## Copy local files -COPY idp/shib-jetty-base/ /opt/shib-jetty-base/ -COPY idp/shibboleth-idp/ /opt/shibboleth-idp/ -COPY idp/bin/ /usr/local/bin/ +COPY shib-jetty-base/ /opt/shib-jetty-base/ +COPY shibboleth-idp/ /opt/shibboleth-idp/ +COPY bin/ /usr/local/bin/ # Setting owner ownership and permissions RUN useradd jetty -U -s /bin/false \ @@ -86,6 +87,8 @@ RUN useradd jetty -U -s /bin/false \ RUN chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh RUN chmod +x /opt/jetty-home/bin/jetty.sh +RUN apt-get update && apt-get install -y netcat + # Opening 4443 (browser TLS), 8443 (mutual auth TLS) EXPOSE 4443 8443 diff --git a/x-pack/test/idp-fixture/src/main/resources/openldap/Dockerfile b/x-pack/test/idp-fixture/src/main/resources/openldap/Dockerfile new file mode 100644 index 000000000000..58c9952e2f4b --- /dev/null +++ b/x-pack/test/idp-fixture/src/main/resources/openldap/Dockerfile 
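Review bot: `RUN apt-get update && apt-get install -y netcat` leaves the apt package indexes in the layer and pulls recommended packages into an image that is now published to docker.elastic.co; write it as `RUN apt-get update && apt-get install -y --no-install-recommends netcat && rm -rf /var/lib/apt/lists/*`. Presumably netcat is what `Wait.forListeningPorts` needs inside the container (the IdpTestContainer hunk on this page switches to that wait); a comment on the line saying so would stop the next reader from removing it. On newer Debian bases `netcat` may no longer be a concrete package (`netcat-openbsd` / `netcat-traditional` are), so naming the concrete package would survive a base-image bump.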
@@ -0,0 +1,17 @@
+FROM osixia/openldap:1.4.0
+
+
+ENV LDAP_ADMIN_PASSWORD=NickFuryHeartsES
+ENV LDAP_DOMAIN=oldap.test.elasticsearch.com
+ENV LDAP_BASE_DN=DC=oldap,DC=test,DC=elasticsearch,DC=com
+ENV LDAP_TLS=true
+ENV LDAP_TLS_CRT_FILENAME=ldap_server.pem
+ENV LDAP_TLS_CA_CRT_FILENAME=ca_server.pem
+ENV LDAP_TLS_KEY_FILENAME=ldap_server.key
+ENV LDAP_TLS_VERIFY_CLIENT=never
+ENV LDAP_TLS_CIPHER_SUITE=NORMAL
+ENV LDAP_LOG_LEVEL=256
+
+COPY ./ldif/users.ldif /container/service/slapd/assets/config/bootstrap/ldif/custom/20-bootstrap-users.ldif
+COPY ./ldif/config.ldif /container/service/slapd/assets/config/bootstrap/ldif/custom/10-bootstrap-config.ldif
+COPY ./certs /container/service/slapd/assets/certs
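Review bot: This Dockerfile bakes the LDAP admin password (`LDAP_ADMIN_PASSWORD=NickFuryHeartsES`) and `LDAP_TLS_VERIFY_CLIENT=never` into an image that the build.gradle on this page pushes to docker.elastic.co, whereas before they lived only in test code; a header comment stating the intent keeps them from being mistaken for something reusable, e.g. `# Test fixture only: the admin password and TLS settings below are deliberately fixed and must match what the x-pack LDAP/SAML tests expect.` The base image `osixia/openldap:1.4.0` is pulled by tag rather than digest, as before; pinning it (`osixia/openldap:1.4.0@sha256:<digest-placeholder>`) would make rebuilds of the published fixture reproducible.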