From f124ed4fff8f13aed71914693dba69f5e8a59b7e Mon Sep 17 00:00:00 2001 From: agilecohix Date: Tue, 8 May 2018 10:10:43 -0400 Subject: [PATCH 1/7] Added Docker instructions and configuration files --- README.md | 7 +++-- docker/Dockerfile | 3 ++ docker/README.md | 30 +++++++++++++++++++ docker/docker-compose.yml | 13 ++++++++ .../create-session-file.sh | 0 5 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 docker/Dockerfile create mode 100644 docker/README.md create mode 100644 docker/docker-compose.yml rename {kubernetes => session}/create-session-file.sh (100%) diff --git a/README.md b/README.md index 7b06845..7cccbbd 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,9 @@ Here you can find configuration files and best practice instructions for deploying the 1Password SCIM Bridge on various public and priavte clouds. -To deply on Kubernetes, read the [Kubernetes example](https://github.com/1Password/scim-examples/tree/master/kubernetes) +To streamline your setup, it is suggested to have Docker installed on your local machine. -More deployment examples are coming soon, including AWS, Docker Compose/Swarm, and bare metal. +To deply on Kubernetes, read the [Kubernetes example](https://github.com/1Password/scim-examples/tree/master/kubernetes) +To deply with Docker Compose, read the [Docker example](https://github.com/1Password/scim-examples/tree/master/docker) + +More deployment examples are coming soon, including AWS and bare metal. \ No newline at end of file diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 0000000..016914f --- /dev/null +++ b/docker/Dockerfile @@ -0,0 +1,3 @@ +FROM onepassword/scim:v0.4.1 + +COPY ./scimsession /root/.op/scimsession \ No newline at end of file diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 0000000..343ef04 --- /dev/null +++ b/docker/README.md 
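Review bot: The `COPY ./scimsession /root/.op/scimsession` line bakes the session credential into an image layer, so it is recoverable from `docker history`/`docker save` output and from any registry the image is pushed to, and the README added in this same commit tells users to place the file next to the Dockerfile, where it is also one `git add .` away from being committed. Prefer keeping the credential out of the image entirely (a run-time secret or bind mount) and add `scimsession` to `.dockerignore` and `.gitignore` alongside this file. Patch 4/7 of this series removes the Dockerfile in favour of an env file, which addresses the layer problem but still leaves the ignore lists missing. The image also sets no `USER`, so it runs as whatever the `onepassword/scim` base image selects; that should be confirmed rather than assumed to be non-root.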
@@ -0,0 +1,30 @@ +# Deploying the 1Password SCIM Bridge using Docker Compose + +This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. + +## Create your DNS record + +The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. + +## Create your scimsession file + +Use the [create-session-file.sh](https://github.com/1Password/scim-examples/tree/master/session) script on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. + +The scimsession file is equivalent to your account key and master password when combined with the bearer token, therefore they should never be stored in the same place. + +Example: +``` +create-session-file.sh +[account sign-in] +Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo +``` + +## Deploy the SCIM bridge + +Once your scimsession file has been created, copy it into this directory (next to the Dockerfile and docker-compose.yml), as it will be copied into your container at build time. + +Next, edit `docker-compose.yml`, replacing `{YOUR-DOMAIN-HERE}` with the domain name indicated by the DNS record created for the SCIM bridge. This will configure LetsEncrypt to automatically issue a certificate for your bridge. + +Running `docker-compose up --build` will now create a new container with `onepassword/scim` as the base image. 
A redis container will also be started automatically to be used by the SCIM bridge. _After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. + +Once you have tested the configuration, the bridge can be exited using ctrl/cmd-c, and restarted in daemon mode for permanent use. `docker-compose up -d` will re-deploy the containers, allowing you to access logs using `docker-compose logs` at any point in the future. \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml new file mode 100644 index 0000000..7cd9975 --- /dev/null +++ b/docker/docker-compose.yml @@ -0,0 +1,13 @@ +version: '3.3' + +services: + scim: + build: . + ports: + - "80:8080" + - "443:8443" + links: + - redis + entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain=op-scim-demo.com"] + redis: + image: redis:latest diff --git a/kubernetes/create-session-file.sh b/session/create-session-file.sh similarity index 100% rename from kubernetes/create-session-file.sh rename to session/create-session-file.sh From 9ce277419dc3fe988d5e20e39e5d90b98b75d016 Mon Sep 17 00:00:00 2001 From: agilecohix Date: Tue, 8 May 2018 10:11:33 -0400 Subject: [PATCH 2/7] Added link to create-session script in the kubernetes instructions --- kubernetes/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/README.md b/kubernetes/README.md index a63167c..1959286 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md 
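Review bot: `image: redis:latest` on the last line of the hunk is an unpinned floating tag, while the bridge image in the same stack is pinned to v0.4.1; a later `docker-compose up` silently pulls a different Redis major version, and the same unpinned tag is carried into docker-compose/docker-compose.yml (patch 4/7) and docker-swarm/docker-compose.yml (patch 5/7). Pin it to an explicit tag, `image: redis:<PINNED-TAG>` (placeholder, choose the tested version), in all three files. Redis here runs with no authentication, which is tolerable only because it is not published on the host and is reached over `links`; a reviewer should ensure no `ports` entry is ever added to that service.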
@@ -20,7 +20,7 @@ This will deploy a single redis instance listening on Kubernetes internal DNS `r ## Create your `scimsession` Kubernetes secret -Firstly, use the `create-session-file.sh` script on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. +Firstly, use the [create-session-file.sh](https://github.com/1Password/scim-examples/tree/master/session) script on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. The scimsession file is equivalent to your account key and master password when combined with the bearer token, therefore they should never be stored in the same place. From 6b6f20c364b4465420897db3982bfa1620639cfc Mon Sep 17 00:00:00 2001 From: agilecohix Date: Tue, 8 May 2018 10:14:27 -0400 Subject: [PATCH 3/7] Added domain placeholder and updated all docker hub references to v0.4.2 --- docker/Dockerfile | 2 +- docker/docker-compose.yml | 2 +- kubernetes/op-scim-deployment.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 016914f..6815ba2 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,3 +1,3 @@ -FROM onepassword/scim:v0.4.1 +FROM onepassword/scim:v0.4.2 COPY ./scimsession /root/.op/scimsession \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 7cd9975..be37ff6 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml 
@@ -8,6 +8,6 @@ services: - "443:8443" links: - redis - entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain=op-scim-demo.com"] + entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"] redis: image: redis:latest diff --git a/kubernetes/op-scim-deployment.yaml b/kubernetes/op-scim-deployment.yaml index 4f6f2ee..31dce91 100644 --- a/kubernetes/op-scim-deployment.yaml +++ b/kubernetes/op-scim-deployment.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: op-scim - image: onepassword/scim:latest + image: onepassword/scim:v0.4.2 command: ["./op-scim"] args: ["--session=/secret/scimsession", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"] ports: From 69ed06cfd17a89338879cf1e033cb25dde6ac0ef Mon Sep 17 00:00:00 2001 From: agilecohix Date: Tue, 8 May 2018 19:48:03 -0400 Subject: [PATCH 4/7] Renamed docker -> docker-compose, removed Dockerfile, adapted guide to use env vars, added warning about use in prodction --- docker-compose/README.md | 32 +++++++++++++++++++ {docker => docker-compose}/docker-compose.yml | 3 +- docker-compose/generate-env.sh | 8 +++++ docker/Dockerfile | 3 -- docker/README.md | 30 ----------------- 5 files changed, 42 insertions(+), 34 deletions(-) create mode 100644 docker-compose/README.md rename {docker => docker-compose}/docker-compose.yml (79%) create mode 100644 docker-compose/generate-env.sh delete mode 100644 docker/Dockerfile delete mode 100644 docker/README.md diff --git a/docker-compose/README.md b/docker-compose/README.md new file mode 100644 index 0000000..8089161 --- /dev/null +++ b/docker-compose/README.md 
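Review bot: The `{YOUR-DOMAIN-HERE}` placeholder on the `entrypoint` line is a literal that only fails at run time, when the bridge asks LetsEncrypt for a certificate for that string. Compose variable substitution with a required-variable check makes the omission fail fast at `docker-compose up` instead: `entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain=${OP_SCIM_DOMAIN:?OP_SCIM_DOMAIN is not set}"]`, with the README telling the user to export `OP_SCIM_DOMAIN` rather than hand-edit the file. The kubernetes deployment touched in this same patch keeps the same literal placeholder in its `args`.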
@@ -0,0 +1,32 @@ +# Deploying the 1Password SCIM Bridge using Docker Compose + +This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. + +Note that this deployment strategy is very useful for testing, but it is not reccomended for use in a production environment. The scimsession file is passed into the container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and reccomended. + +## Create your DNS record + +The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. + +## Create your scimsession file + +Use the [create-session-file.sh](https://github.com/1Password/scim-examples/tree/master/session) script on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. + +The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place. + +Example: +``` +create-session-file.sh +[account sign-in] +Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo +``` + +## Deploy the SCIM bridge + +Once your scimsession file has been created, copy it into this directory (next to docker-compose.yml), as we need to populate some ENV variables in the container. 
`generate-env.sh` will create a `scim.env` file, allowing docker-compose to pass the scimsession file into the container without writing it to the container filesystem, leading to insecure storage of the file. The scimsession is base64 encoded before being put into the .env file. + +Next, edit `docker-compose.yml`, replacing `{YOUR-DOMAIN-HERE}` with the domain name indicated by the DNS record created for your SCIM bridge. This will configure LetsEncrypt to automatically issue a certificate for your bridge. + +Running `docker-compose up --build` will now create a container from the `onepassword/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. _After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. + +Once you have tested the configuration, the bridge can be exited using ctrl/cmd-c, and restarted in daemon mode using `docker-compose up -d, or deployed for production use with Docker Swarm or Kubernetes. You can access logs using `docker-compose logs` at any point in the future. \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker-compose/docker-compose.yml similarity index 79% rename from docker/docker-compose.yml rename to docker-compose/docker-compose.yml index be37ff6..5817d72 100644 --- a/docker/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -2,12 +2,13 @@ version: '3.3' services: scim: - build: . + image: onepassword/scim:v0.4.2 ports: - "80:8080" - "443:8443" links: - redis entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"] + env_file: scim.env redis: image: redis:latest diff --git a/docker-compose/generate-env.sh b/docker-compose/generate-env.sh new file mode 100644 index 0000000..a6220aa --- /dev/null +++ b/docker-compose/generate-env.sh 
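Review bot: The added `env_file: scim.env` line passes the session credential through the container environment, where it is readable via `docker inspect`, from `/proc/<pid>/environ` by any process in the container, and inherited by every child process of the bridge; the README in this commit acknowledges this, but nothing in the change stops `scim.env` or the copied `scimsession` from being committed next to this file. Add a `.gitignore` in this directory listing `scim.env` and `scimsession` as part of the same change. The `links:` entry is unnecessary in a version 3 Compose file, where services on the default network already resolve each other by service name.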
@@ -0,0 +1,8 @@ +#!/bin/bash + +# this script generates a file called `scim.env` using the contents of a scimsession file in the PWD. +# This env file is used to populate the scimsession env var in the container to prevent copying the sensitive file into a container layer. + +SESSION=$(cat scimsession | base64 | tr -d "\n") + +echo "OPSCIM_SESSION=$SESSION" > scim.env \ No newline at end of file diff --git a/docker/Dockerfile b/docker/Dockerfile deleted file mode 100644 index 6815ba2..0000000 --- a/docker/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -FROM onepassword/scim:v0.4.2 - -COPY ./scimsession /root/.op/scimsession \ No newline at end of file diff --git a/docker/README.md b/docker/README.md deleted file mode 100644 index 343ef04..0000000 --- a/docker/README.md +++ /dev/null 
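Review bot: `scim.env` is written with the process's default umask on the last line, so on most hosts the base64-encoded session credential ends up world-readable (0644), and with no `set -e`/`pipefail` a missing `scimsession` makes `cat` fail silently while the script still writes an `OPSCIM_SESSION=` line with an empty value. Add `set -euo pipefail` and `umask 077` after the shebang so the file is created 0600 and the script stops on the first error, and drop the useless `cat`: `SESSION=$(base64 < scimsession | tr -d "\n")`. The header comment should also state that base64 is an encoding, not encryption, and that `scim.env` must be treated with the same care as `scimsession` itself.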
@@ -1,30 +0,0 @@ -# Deploying the 1Password SCIM Bridge using Docker Compose - -This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. - -## Create your DNS record - -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. - -## Create your scimsession file - -Use the [create-session-file.sh](https://github.com/1Password/scim-examples/tree/master/session) script on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. - -The scimsession file is equivalent to your account key and master password when combined with the bearer token, therefore they should never be stored in the same place. - -Example: -``` -create-session-file.sh -[account sign-in] -Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo -``` - -## Deploy the SCIM bridge - -Once your scimsession file has been created, copy it into this directory (next to the Dockerfile and docker-compose.yml), as it will be copied into your container at build time. - -Next, edit `docker-compose.yml`, replacing `{YOUR-DOMAIN-HERE}` with the domain name indicated by the DNS record created for the SCIM bridge. This will configure LetsEncrypt to automatically issue a certificate for your bridge. - -Running `docker-compose up --build` will now create a new container with `onepassword/scim` as the base image. 
A redis container will also be started automatically to be used by the SCIM bridge. _After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. - -Once you have tested the configuration, the bridge can be exited using ctrl/cmd-c, and restarted in daemon mode for permanent use. `docker-compose up -d` will re-deploy the containers, allowing you to access logs using `docker-compose logs` at any point in the future. \ No newline at end of file From 34b8c838c731c88e2a69809727baf908eeb8f86a Mon Sep 17 00:00:00 2001 From: agilecohix Date: Fri, 25 May 2018 14:33:37 -0400 Subject: [PATCH 5/7] Added Docker Swarm example and updated SCIM images to v0.4.4 --- docker-compose/README.md | 2 +- docker-compose/docker-compose.yml | 2 +- docker-swarm/README.md | 28 ++++++++++++++++++++++++++ docker-swarm/docker-compose.yml | 32 ++++++++++++++++++++++++++++++ docker-swarm/generate-secret.sh | 5 +++++ kubernetes/op-scim-deployment.yaml | 2 +- session/create-session-file.sh | 8 -------- 7 files changed, 68 insertions(+), 11 deletions(-) create mode 100644 docker-swarm/README.md create mode 100644 docker-swarm/docker-compose.yml create mode 100755 docker-swarm/generate-secret.sh delete mode 100755 session/create-session-file.sh diff --git a/docker-compose/README.md b/docker-compose/README.md index 8089161..3b9c110 100644 --- a/docker-compose/README.md +++ b/docker-compose/README.md 
@@ -10,7 +10,7 @@ The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP ## Create your scimsession file -Use the [create-session-file.sh](https://github.com/1Password/scim-examples/tree/master/session) script on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. +Use the [create-session-file.sh](https://github.com/1Password/scim-examples/tree/master/session) script while connected to the Docker host on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place. diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 5817d72..2d04243 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -2,7 +2,7 @@ version: '3.3' services: scim: - image: onepassword/scim:v0.4.2 + image: onepassword/scim:v0.4.4 ports: - "80:8080" - "443:8443" diff --git a/docker-swarm/README.md b/docker-swarm/README.md new file mode 100644 index 0000000..b27270e --- /dev/null +++ b/docker-swarm/README.md 
@@ -0,0 +1,28 @@ +# Deploying the 1Password SCIM Bridge using Docker Swarm + +This example describes deploying the 1Password SCIM bridge using Docker Swarm. These instructions require a remote Docker Swarm cluster be set up and configured to be accessed by the Docker CLI. + +## Create your DNS record + +The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker cluster. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. + +## Create your scimsession file + +Use the [create-session-file.sh](https://github.com/1Password/scim-examples/tree/master/session) script while connected to the Docker host on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. + +The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place. + +Example: +``` +create-session-file.sh +[account sign-in] +Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo +``` + +## Deploy the SCIM bridge + +Once your scimsession file has been created, copy it into this directory (next to docker-compose.yml), as we need to populate a Docker Swarm secret in order to securely deploy your scimsession. `generate-secret.sh` will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. + +Next, edit `docker-compose.yml`, replacing `{YOUR-DOMAIN-HERE}` with the domain name indicated by the DNS record created for your SCIM bridge. 
This will configure LetsEncrypt to automatically issue a certificate for your bridge. + +Running `docker stack deploy -c docker-compose.yml op-scim` will now create a container from the `onepassword/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. _After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine using `docker service logs -f op-scim_scim`. \ No newline at end of file diff --git a/docker-swarm/docker-compose.yml b/docker-swarm/docker-compose.yml new file mode 100644 index 0000000..aa35a98 --- /dev/null +++ b/docker-swarm/docker-compose.yml @@ -0,0 +1,32 @@ +version: '3.3' + +services: + scim: + image: onepassword/scim:v0.4.4 + deploy: + replicas: 1 + restart_policy: + condition: on-failure + networks: + - op-scim + ports: + - "80:8080" + - "443:8443" + secrets: + - scimsession + entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain={YOUR-DOMAIN-HERE}", "--session=/run/secrets/scimsession"] + redis: + image: redis:latest + deploy: + replicas: 1 + restart_policy: + condition: on-failure + networks: + - op-scim + +networks: + op-scim: + +secrets: + scimsession: + external: true \ No newline at end of file diff --git a/docker-swarm/generate-secret.sh b/docker-swarm/generate-secret.sh new file mode 100755 index 0000000..5da6d04 --- /dev/null +++ b/docker-swarm/generate-secret.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +# this script creates a Docker Swarm secret using the scimsession file in the PWD + +cat ./scimsession | docker secret create scimsession - \ No newline at end of file diff --git a/kubernetes/op-scim-deployment.yaml b/kubernetes/op-scim-deployment.yaml index 31dce91..aea4029 100644 --- a/kubernetes/op-scim-deployment.yaml +++ b/kubernetes/op-scim-deployment.yaml 
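Review bot: The `cat ./scimsession | docker secret create scimsession -` line has no error handling: without `set -o pipefail` a missing or unreadable `scimsession` makes `cat` fail while `docker secret create` still reads the empty stdin and registers an empty secret with exit status 0, so the failure only surfaces later in the bridge's logs. Use `set -euo pipefail` and pass the file directly, `docker secret create scimsession ./scimsession`, which also removes the pipe. The README in this patch has the user copy `scimsession` into this directory; once the Swarm secret exists the local copy should be removed and the name added to `.gitignore`, given the README's own statement that the file, combined with the bearer token, is equivalent to the Master Password and Secret Key.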
@@ -14,7 +14,7 @@ spec: spec: containers: - name: op-scim - image: onepassword/scim:v0.4.2 + image: onepassword/scim:v0.4.4 command: ["./op-scim"] args: ["--session=/secret/scimsession", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"] ports: diff --git a/session/create-session-file.sh b/session/create-session-file.sh deleted file mode 100755 index 74e6fb3..0000000 --- a/session/create-session-file.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -mkdir session - -docker run -it -v $PWD/session:'/op-scim/session' onepassword/scim /op-scim/create-session-docker.sh - -cp ./session/scimsession ./scimsession -rm -rf ./session \ No newline at end of file From 1c8e9ab809bae264449eb27e71b55cbc5a18f53a Mon Sep 17 00:00:00 2001 From: agilecohix Date: Fri, 25 May 2018 14:37:30 -0400 Subject: [PATCH 6/7] restored create-session-file.sh --- session/create-session-file.sh | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100755 session/create-session-file.sh diff --git a/session/create-session-file.sh b/session/create-session-file.sh new file mode 100755 index 0000000..d20b87a --- /dev/null +++ b/session/create-session-file.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +mkdir session + +docker run -it -v $PWD/session:'/op-scim/session' onepassword/scim /op-scim/create-session-docker.sh + +cp ./session/scimsession ./scimsession +rm -rf ./session \ No newline at end of file From 0cfcf992ee56c1e9d8d3634cc1f6a1502f8a1309 Mon Sep 17 00:00:00 2001 From: agilecohix Date: Fri, 25 May 2018 14:37:56 -0400 Subject: [PATCH 7/7] Removed unneed space --- session/create-session-file.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/session/create-session-file.sh b/session/create-session-file.sh index d20b87a..74e6fb3 100755 --- a/session/create-session-file.sh +++ b/session/create-session-file.sh 
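Review bot: `docker run -it -v $PWD/session:'/op-scim/session' onepassword/scim …` uses an untagged image reference, i.e. `:latest`, while every deployment manifest in this series pins `onepassword/scim:v0.4.4`, so the session file may be produced by a different bridge version than the one that will consume it. `$PWD` is also unquoted, so a working directory containing spaces mounts the wrong path, and with no `set -e` a failed `docker run` still runs `cp` and then `rm -rf ./session`. Proposed: `set -euo pipefail` after the shebang, `-v "$PWD/session:/op-scim/session"`, and `onepassword/scim:v0.4.4` as the image reference. The resulting `./scimsession` is created by the container process, so its host ownership and mode should be checked and tightened with `chmod 600` — TODO confirm which user the image runs as.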
@@ -5,4 +5,4 @@ mkdir session docker run -it -v $PWD/session:'/op-scim/session' onepassword/scim /op-scim/create-session-docker.sh cp ./session/scimsession ./scimsession -rm -rf ./session \ No newline at end of file +rm -rf ./session \ No newline at end of file