# Deploying the 1Password SCIM Bridge using Docker
This example describes the methods of deploying the 1Password SCIM bridge using Docker. The Docker Compose and Docker Swarm managers are available and deployment using each manager is described below.
This example describes the methods of deploying the 1Password SCIM Bridge using Docker. The Docker Compose and Docker Swarm managers are available and deployment using each manager is described below.
## Preparing
@@ -10,7 +10,7 @@ Please ensure you've read through the [PREPARATION.md](/PREPARATION.md) document
Using Docker, you have two different deployment options: `docker-compose` and Docker Swarm.
Docker Swarm is the recommended option. _Please refer to your cloud provider on how to setup a remote Docker Swarm Cluster if you do not have one set up already or are experiencing difficulties doing so._ Setting up a Swarm is beyond the scope of this documentation.
Docker Swarm is the recommended option. While setting up Swarm is beyond the scope of this documentation, you can either set one up on your own infrastructure, or on a cloud provider of your choice.
While Docker Compose is useful for testing, it is not recommended for use in a production environment. The `scimsession` file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets, Kubernetes secrets, or AWS Secrets Manager, all of which are supported and recommended for production use.
@@ -26,22 +26,19 @@ For macOS users who use Homebrew, ensure you're using the _cask_ app-based versi
## Setting up Docker
### Docker Swarm
For this, you will need to have joined a Docker Swarm. Please refer to [the official Docker documentation](https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/) on how to do that.
For this, you will need to have joined a Docker Swarm with the target deployment node. Please refer to [the official Docker documentation](https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/) on how to do that.
Once set up and you've logged into your Swarm with `docker swarm join`, it's recommended to use the provided the bash script [./docker/deploy.sh](deploy.sh) to deploy your SCIM bridge.
Once set up and you've logged into your Swarm with `docker swarm join` or created a new one with `docker swarm init`, it's recommended to use the provided the bash script [./docker/deploy.sh](deploy.sh) to deploy your SCIM Bridge.
The script will do the following:
1. Add your `scimsession`to the SCIM bridge container, using a .env file for Docker Compose or a swarm secret for Docker Swarm.
2. Prompt you for your SCIM bridge domain name which will configure LetsEncrypt to automatically issue a certificate for your bridge. This is the domain you selected in [PREPARATION.md](/PREPARATION.md).
3. Deploy a container using `1password/scim`, and a redis container. The redis container is necessary to store LetsEncrypt certificates.
1. Add your `scimsession`file as a Docker Secret within your Swarm.
2. Prompt you for your SCIM Bridge domain name which will configure LetsEncrypt to automatically issue a certificate for your Bridge. This is the domain you selected in [PREPARATION.md](/PREPARATION.md).
3. Deploy a container using `1password/scim`, and a `redis` container. The `redis` container is necessary to store LetsEncrypt certificates.
The logs from the SCIM bridge and redis containers will be streamed to your machine. If everything seems to have deployed successfully, press Ctrl+C to exit, and the containers will remain running on the remote machine.
The logs from the SCIM Bridge and redis containers will be streamed to your machine. If everything seems to have deployed successfully, press Ctrl+C to exit, and the containers will remain running on the remote machine.
At this point you should set the DNS record for the domain name you prepared to the IP address of the `op-scim` container. You can also continue setting up your Identity Provider at this point.
@@ -54,9 +51,71 @@ Once set up, ensure your environment is set up with `eval %{docker-machine env $
Run the [./docker/deploy.sh](deploy.sh) script as in the previous example.
In order to automatically launch the 1Password SCIM bridge upon startup when using `docker-compose`, you will need to configure systemd to automatically start the Docker daemon and launch op-scim.
1. Install the service file for op-scim. A [sample](compose/op-scim.service) is provided and you'll need to modify it to your needs.
2. Once installed, reload systemd so that it recognizes the service: `systemctl daemon-reload`
3. Enable the op-scim service: `systemctl enable op-scim`
4. Start the op-scim service: `systemctl start op-scim`
### Manual Instructions
#### Creating the env file
The `scim.env` file contains two environment variables:
*`OP_SESSION` (mandatory for Docker Compose) - a `base64` encoded string of your `scimsession` file
* (OPTIONAL) `OP_LETSENCRYPT_DOMAIN` (for Docker Compose and Docker Swarm) - if set, it initiates a LetsEncrypt challenge to have your SCIM Bridge issued a valid SSL certificate, provided the DNS record is set to its IP
To take advantage of the complimentary LetsEncrypt SSL certificate service, set the variable in the `scim.env` file:
```bash
# change ‘op-scim.example.com’ to match the domain name you’ve set aside for your SCIM Bridge
Alternatively, setting this variable to blank (i.e: `OP_LETSENCRYPT_DOMAIN=`) will cause the SCIM Bridge to start on port 3002. This is useful if you have a custom load balancer you want to use to terminate SSL connections rather than using LetsEncrypt. Otherwise, you should be sure to set it. This is an “advanced” option so please only try this if you are familiar with setting up your own load balancer:
```bash
# ADVANCED: if you have your own load balancer
echo “OP_LETSENCRYPT_DOMAIN=” > scim.env
```
When using Docker Compose, you can create the environment variable `OP_SESSION` manually by doing the following:
```bash
# only needed for Docker Compose - use Docker Secrets when using Swarm
On Windows, you can refer to the [./docker/compose/generate-env.bat](generate-env.bat) file on how to generate the `base64` string for `OP_SESSION`.
Check that the `scim.env` file only has two entries (in total) - `OP_LETSENCRYPT_DOMAIN` and/or `OP_SESSION`.
#### Docker Compose
To use Docker Compose to deploy:
```bash
# enter the compose directory
cd compose/
# copy the scim.env file
cp ../scim.env ./
# create the container
docker-compose -f docker-compose.yml up --build -d
# (optional) view the container logs
docker-compose -f docker-compose.yml logs -f
```
#### Docker Swarm
To use Docker Swarm to deploy, you’ll want to have run `docker swarm init` or `docker swarm join` on the target node and completed that portion of the setup. Refer to Docker’s documentation for more details.
# this command populates an .env file which allows the container to have a needed environment variable without needing to store the scimsession file itself
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
alicethorne-ab