From 56e063e67edfe60caa7399cc18a25d3f884f4a91 Mon Sep 17 00:00:00 2001
From: nkechi
Date: Thu, 24 Jan 2019 15:45:49 -0500
Subject: [PATCH 01/12] docker build script
---
 build.sh | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100755 build.sh
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..b177dcc
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+read -p 'Please enter the configuration you are using [docker-compose] or [docker-swarm] : ' docker_path
+
+if [ "$docker_path" == "docker-compose" ];
+then
+ cp ./scimsession ./docker-compose/scimsession
+ rm ./scimsession
+ cd docker-compose
+ ./generate-env.sh
+elif [ "$docker_path" == "docker-swarm" ]
+then
+ cp ./scimsession ./docker-swarm/scimsession
+ rm ./scimsession
+ cd docker-swarm
+ ./generate-secret.sh
+else
+ echo "Invalid docker manager. Please use docker-compose or docker-swarm"
+ exit
+fi
+
+read -p 'Please enter your domain name : ' domain_name
+
+sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml
+
+docker-compose up --build
From 4e0e0eacf39d54c80fc767aa8d62fea46bb8ac5b Mon Sep 17 00:00:00 2001
From: nkechi
Date: Sun, 27 Jan 2019 13:23:10 -0500
Subject: [PATCH 02/12] documentation review
---
 build.sh | 42 ++++++++++++++++++++++++++--------------
 docker-compose/README.md | 29 ++++++++++++++-------------
 docker-swarm/README.md | 26 +++++++++++++++----------
 3 files changed, 58 insertions(+), 39 deletions(-)
diff --git a/build.sh b/build.sh
index b177dcc..31ba6f2 100755
--- a/build.sh
+++ b/build.sh
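Review bot: The new `sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml` line interpolates the unvalidated prompt answer into the sed script unquoted, so a value containing `/`, `&` or whitespace rewrites docker-compose.yml in unintended ways or aborts the script, and `-i ''` is the BSD form that GNU sed on Linux rejects even though the README calls this a Linux Bash script. Validating the value and quoting the expression covers both: `[[ "$domain_name" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Invalid domain name" >&2; exit 1; }` followed by `sed -i.bak "s/{YOUR-DOMAIN-HERE}/${domain_name}/g" docker-compose.yml`. The bare `exit` in the `else` branch returns status 0 on bad input, so a caller cannot tell that nothing was deployed; `exit 1` is what is intended there. Both `read -p` calls should also pass `-r` so backslashes in the answer are kept literally. The same sed line reappears in the two functions added by patch 02.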
@@ -2,27 +2,41 @@
 
 set -e
 
+run_docker_compose() {
+ cp ./scimsession ./docker-compose/scimsession
+ rm ./scimsession
+ cd docker-compose
+ ./generate-env.sh
+
+ read -p 'Please enter your domain name : ' domain_name
+
+ sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml
+
+ docker-compose up --build
+}
+
+run_docker_swarm(){
+ cp ./scimsession ./docker-swarm/scimsession
+ rm ./scimsession
+ cd docker-swarm
+ ./generate-secret.sh
+
+ read -p 'Please enter your domain name : ' domain_name
+
+ sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml
+
+ docker stack deploy -c docker-compose.yml op-scim
+}
+
 read -p 'Please enter the configuration you are using [docker-compose] or [docker-swarm] : ' docker_path
 
 if [ "$docker_path" == "docker-compose" ];
 then
- cp ./scimsession ./docker-compose/scimsession
- rm ./scimsession
- cd docker-compose
- ./generate-env.sh
+ run_docker_compose
 elif [ "$docker_path" == "docker-swarm" ]
 then
- cp ./scimsession ./docker-swarm/scimsession
- rm ./scimsession
- cd docker-swarm
- ./generate-secret.sh
+ run_docker_swarm
 else
 echo "Invalid docker manager. Please use docker-compose or docker-swarm"
 exit
 fi
-
-read -p 'Please enter your domain name : ' domain_name
-
-sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml
-
-docker-compose up --build
diff --git a/docker-compose/README.md b/docker-compose/README.md
index c36b749..a74b771 100644
--- a/docker-compose/README.md
+++ b/docker-compose/README.md
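Review bot: `run_docker_compose` and `run_docker_swarm` duplicate the domain prompt and the `sed -i ''` substitution verbatim, and neither declares `domain_name` as `local`, so the prompt answer leaks into the global scope and the unquoted sed expression now has to be fixed in two places. A shared helper keeps the two deployment paths from drifting; the sketch below replaces the `read`/`sed` pair in both functions and quotes the substitution, which also makes the line work on GNU sed. `run_docker_swarm(){` additionally omits the space before the brace that `run_docker_compose() {` has; pick one form for both.
```shell
# Prompt for the bridge's domain and write it into the docker-compose.yml in the current directory.
set_domain_name() {
  local domain_name
  read -r -p 'Please enter your domain name : ' domain_name
  sed -i.bak "s/{YOUR-DOMAIN-HERE}/${domain_name}/g" docker-compose.yml
}

run_docker_compose() {
  # … unchanged: copy scimsession, cd docker-compose, ./generate-env.sh …
  set_domain_name
  docker-compose up --build
}
# … run_docker_swarm: same replacement of its read/sed pair with set_domain_name …
```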
@@ -1,18 +1,20 @@ # Deploying the 1Password SCIM Bridge using Docker Compose -This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. +This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already._ -Note that this deployment strategy is very useful for testing, but it is not reccomended for use in a production environment. The scimsession file is passed into the container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and reccomended. +Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended. ## Create your DNS record -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. +The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. 
The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. _Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already._ -## Create your scimsession file +## Create your scimsession file and Deploy SCIM bridge -Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script or Windows PowerShell [create-session-file.bat](../session/create-session-file.bat) batch file while connected to the Docker host on your local machine to set up your account and generate a `scimsession` file. This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. +1. Connect to your remote Docker host from your local machine -The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place. +1. Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. + +_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ Example: ``` 
@@ -21,17 +23,15 @@ scim-setup.sh Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo ``` -## Deploy the SCIM bridge +1. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : -Once your scimsession file has been created, copy it into this directory (next to docker-compose.yml), as we need to populate some ENV variables in the container. Linux Bash `generate-env.sh` script or Windows PowerShell `generate-env.bat` batch file will create a `scim.env` file, allowing docker-compose to pass the scimsession file into the container without writing it to the container filesystem, leading to insecure storage of the file. The scimsession is base64 encoded before being put into the .env file. + 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. -Next, edit `docker-compose.yml`, replacing `{YOUR-DOMAIN-HERE}` with the domain name indicated by the DNS record created for your SCIM bridge. This will configure LetsEncrypt to automatically issue a certificate for your bridge. + 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. -Running `docker-compose up --build` will now create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. _After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. + 1. Lastly, it will create a container from the `1password/scim` image. 
A redis container will also be started automatically to be used by the SCIM bridge. -Once you have tested the configuration, the bridge can be exited using ctrl/cmd-c, and restarted in daemon mode using `docker-compose up -d, or deployed for production use with Docker Swarm or Kubernetes. You can access logs using `docker-compose logs` at any point in the future. - -## Automatically starting the SCIM bridge upon startup +_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. In order to automatically launch the 1Password SCIM bridge upon startup when using docker-compose you'll need to automatically start the Docker daemon, then start op-scim. @@ -39,5 +39,4 @@ In order to automatically launch the 1Password SCIM bridge upon startup when usi 1. Install the service file for op-scim. A [sample](op-scim.service) is provided and you'll need to change the path. 2. Reload systemd: `systemctl daemon-reload` -3. Enable the op-scim service: `systemctl enable op-scim` - +3. Enable the op-scim service: `systemctl enable op-scim` \ No newline at end of file diff --git a/docker-swarm/README.md b/docker-swarm/README.md index 51ea996..5b3018f 100644 --- a/docker-swarm/README.md +++ b/docker-swarm/README.md 
@@ -1,16 +1,20 @@ -# Deploying the 1Password SCIM Bridge using Docker Swarm +# Deploying the 1Password SCIM Bridge using Docker Compose -This example describes deploying the 1Password SCIM bridge using Docker Swarm. These instructions require a remote Docker Swarm cluster be set up and configured to be accessed by the Docker CLI. +This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already._ + +Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended. ## Create your DNS record -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker cluster. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. +The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. 
_Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already._ -## Create your scimsession file +## Create your scimsession file and Deploy SCIM bridge -Use the [scim-setup.sh](https://github.com/1Password/scim-examples/tree/master/scim-setup.sh) script while connected to the Docker host on your local machine to set up your account and generate a `scimsession` file. This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. +1. Connect to your remote Docker host from your local machine -The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place. +1. Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. + +_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ Example: ``` 
@@ -19,10 +23,12 @@ scim-setup.sh Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo ``` -## Deploy the SCIM bridge +1. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : -Once your scimsession file has been created, copy it into this directory (next to docker-compose.yml), as we need to populate a Docker Swarm secret in order to securely deploy your scimsession. `generate-secret.sh` will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. + 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. -Next, edit `docker-compose.yml`, replacing `{YOUR-DOMAIN-HERE}` with the domain name indicated by the DNS record created for your SCIM bridge. This will configure LetsEncrypt to automatically issue a certificate for your bridge. + 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. -Running `docker stack deploy -c docker-compose.yml op-scim` will now create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. _After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine using `docker service logs -f op-scim_scim`. \ No newline at end of file + 1. Lastly, it will create a container from the `1password/scim` image. 
A redis container will also be started automatically to be used by the SCIM bridge. + +_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. \ No newline at end of file From a5b0bde6b93c4279c6a3362412ed028eb1cab62e Mon Sep 17 00:00:00 2001 From: nkechi Date: Sun, 27 Jan 2019 13:38:10 -0500 Subject: [PATCH 03/12] Update README.md --- docker-compose/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose/README.md b/docker-compose/README.md index a74b771..1c82868 100644 --- a/docker-compose/README.md +++ b/docker-compose/README.md @@ -23,7 +23,7 @@ scim-setup.sh Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo ``` -1. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : +3. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. 
@@ -39,4 +39,4 @@ In order to automatically launch the 1Password SCIM bridge upon startup when usi 1. Install the service file for op-scim. A [sample](op-scim.service) is provided and you'll need to change the path. 2. Reload systemd: `systemctl daemon-reload` -3. Enable the op-scim service: `systemctl enable op-scim` \ No newline at end of file +3. Enable the op-scim service: `systemctl enable op-scim` From ee1ff72c1a34418081f52a33d612aff4109f1449 Mon Sep 17 00:00:00 2001 From: nkechi Date: Sun, 27 Jan 2019 13:38:58 -0500 Subject: [PATCH 04/12] Update README.md --- docker-swarm/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-swarm/README.md b/docker-swarm/README.md index 5b3018f..c78b1a3 100644 --- a/docker-swarm/README.md +++ b/docker-swarm/README.md @@ -23,7 +23,7 @@ scim-setup.sh Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo ``` -1. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : +3. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. 
@@ -31,4 +31,4 @@ Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo 1. Lastly, it will create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. -_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. \ No newline at end of file +_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. From 8a8b25650a31d76c647f8f773115e23a157dcc31 Mon Sep 17 00:00:00 2001 From: nkechi Date: Tue, 29 Jan 2019 12:11:58 -0500 Subject: [PATCH 05/12] merged docker swarm and compose examples --- README.md | 4 +- build.sh => deploy.sh | 8 ++-- docker-compose/README.md | 42 ----------------- docker-swarm/README.md | 34 -------------- docker/README.md | 47 +++++++++++++++++++ .../compose}/docker-compose.yml | 2 +- .../compose}/generate-env.bat | 0 .../compose}/generate-env.sh | 0 .../compose}/op-scim.service | 0 .../swarm}/docker-compose.yml | 0 .../swarm}/generate-secret.sh | 0 11 files changed, 53 insertions(+), 84 deletions(-) rename build.sh => deploy.sh (85%) delete mode 100644 docker-compose/README.md delete mode 100644 docker-swarm/README.md create mode 100644 docker/README.md rename {docker-compose => docker/compose}/docker-compose.yml (73%) rename {docker-compose => docker/compose}/generate-env.bat (100%) rename {docker-compose => docker/compose}/generate-env.sh (100%) rename {docker-compose => docker/compose}/op-scim.service (100%) rename {docker-swarm => docker/swarm}/docker-compose.yml (100%) rename {docker-swarm => docker/swarm}/generate-secret.sh (100%) diff --git a/README.md b/README.md index 73fb4da..c3e7f22 100644 --- a/README.md +++ b/README.md 
@@ -9,9 +9,7 @@ To streamline your setup, it is suggested to have Docker installed on your local
 
 To deploy on Kubernetes, read the [Kubernetes example](https://github.com/1Password/scim-examples/tree/master/kubernetes)
 
-To deploy with Docker Swarm, read the [Docker Swarm example](https://github.com/1Password/scim-examples/tree/master/docker-swarm)
-
-To deploy with Docker Compose, read the [Docker Compose example](https://github.com/1Password/scim-examples/tree/master/docker-compose)
+To deploy with Docker, read the [Docker example](https://github.com/1Password/scim-examples/tree/master/docker)
 
 To deploy with AWS and Terraform, read the [AWS and Terraform example](https://github.com/1Password/scim-examples/tree/master/aws-terraform)
 
diff --git a/build.sh b/deploy.sh
similarity index 85%
rename from build.sh
rename to deploy.sh
index 31ba6f2..b342c56 100755
--- a/build.sh
+++ b/deploy.sh
@@ -3,9 +3,9 @@
 set -e
 
 run_docker_compose() {
- cp ./scimsession ./docker-compose/scimsession
+ cp ./scimsession ./docker/compose/scimsession
 rm ./scimsession
- cd docker-compose
+ cd docker/compose
 ./generate-env.sh
 
 read -p 'Please enter your domain name : ' domain_name
@@ -16,9 +16,9 @@ run_docker_compose() {
 run_docker_swarm(){
- cp ./scimsession ./docker-swarm/scimsession
+ cp ./scimsession ./docker/swarm/scimsession
 rm ./scimsession
- cd docker-swarm
+ cd docker/swarm
 ./generate-secret.sh
 
 read -p 'Please enter your domain name : ' domain_name
diff --git a/docker-compose/README.md b/docker-compose/README.md
deleted file mode 100644
index a74b771..0000000
--- a/docker-compose/README.md
+++ /dev/null
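Review bot: The `cp ./scimsession ./docker/compose/scimsession` / `rm ./scimsession` pair in `run_docker_compose` (and its twin in `run_docker_swarm`) still resolves every path against the caller's working directory, so the renamed `deploy.sh` only works when invoked from the repository root, and under `set -e` a failing `cd docker/compose` after the copy leaves the session file moved with nothing deployed. Anchoring the script with `cd "$(dirname "${BASH_SOURCE[0]}")"` right after `set -e` (outside this hunk) and collapsing the copy/delete into `mv -- ./scimsession ./docker/compose/scimsession` removes both the cwd dependence and the two-step window. Whether `generate-env.sh` deletes the copied scimsession once `scim.env` exists is not visible here; if it does not, a file the README equates with the Master Password and Secret Key stays on disk next to docker-compose.yml, which is worth a comment on the `cp` line or a cleanup step after the helper returns. `run_docker_compose` continues past the end of the hunk.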
@@ -1,42 +0,0 @@ -# Deploying the 1Password SCIM Bridge using Docker Compose - -This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already._ - -Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended. - -## Create your DNS record - -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. _Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already._ - -## Create your scimsession file and Deploy SCIM bridge - -1. Connect to your remote Docker host from your local machine - -1. Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. 
- -_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ - -Example: -``` -scim-setup.sh -[account sign-in] -Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo -``` - -1. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : - - 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. - - 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. - - 1. Lastly, it will create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. - -_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. - -In order to automatically launch the 1Password SCIM bridge upon startup when using docker-compose you'll need to automatically start the Docker daemon, then start op-scim. - -### Systemd - -1. Install the service file for op-scim. A [sample](op-scim.service) is provided and you'll need to change the path. -2. Reload systemd: `systemctl daemon-reload` -3. Enable the op-scim service: `systemctl enable op-scim` \ No newline at end of file diff --git a/docker-swarm/README.md b/docker-swarm/README.md deleted file mode 100644 index 5b3018f..0000000 --- a/docker-swarm/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Deploying the 1Password SCIM Bridge using Docker Compose - -This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already._ - -Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended. - -## Create your DNS record - -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. _Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already._ - -## Create your scimsession file and Deploy SCIM bridge - -1. Connect to your remote Docker host from your local machine - -1. Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. 
- -_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ - -Example: -``` -scim-setup.sh -[account sign-in] -Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo -``` - -1. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : - - 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. - - 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. - - 1. Lastly, it will create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. - -_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. \ No newline at end of file diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 0000000..83a9396 --- /dev/null +++ b/docker/README.md 
@@ -0,0 +1,47 @@ +# Deploying the 1Password SCIM Bridge using Docker +This example describes the methods of deploying the 1Password SCIM bridge using Docker. The Docker Compose and Docker Swarm managers are available and deployment using either managers is described below. + +## Docker Compose +This is the simplest method of deploying the SCIM bridge. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already or are experiencing difficulties doing so._ + +**Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended.** + +## Docker Swarm +These instructions require a remote Docker Swarm cluster be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker Swarm Cluster if you do not have one set up already or are experiencing difficulties doing so._ + +## Create your DNS record + +The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The DNS record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. _Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already or are experiencing difficulties doing so._ + +## Create your scimsession file and Deploy SCIM bridge + +1. Connect to your remote Docker host from your local machine + +2. 
Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. + +_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ + +Example: +``` +scim-setup.sh +[account sign-in] +Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo +``` + +3. Once your scimsession file has been created, use the Linux Bash `deploy.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : + + 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. + + 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. + + 1. Lastly, it will create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. + +_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. + +In order to automatically launch the 1Password SCIM bridge upon startup when using **docker-compose** you'll need to automatically start the Docker daemon, then start op-scim. + +### Systemd + +1. Install the service file for op-scim. 
A [sample](op-scim.service) is provided and you'll need to change the path. +2. Reload systemd: `systemctl daemon-reload` +3. Enable the op-scim service: `systemctl enable op-scim` diff --git a/docker-compose/docker-compose.yml b/docker/compose/docker-compose.yml similarity index 73% rename from docker-compose/docker-compose.yml rename to docker/compose/docker-compose.yml index 18a91e8..10337e4 100644 --- a/docker-compose/docker-compose.yml +++ b/docker/compose/docker-compose.yml @@ -8,7 +8,7 @@ services: - "443:8443" links: - redis - entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"] + entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain=nk.op-scim-demo.com"] env_file: scim.env redis: image: redis:latest diff --git a/docker-compose/generate-env.bat b/docker/compose/generate-env.bat similarity index 100% rename from docker-compose/generate-env.bat rename to docker/compose/generate-env.bat diff --git a/docker-compose/generate-env.sh b/docker/compose/generate-env.sh similarity index 100% rename from docker-compose/generate-env.sh rename to docker/compose/generate-env.sh diff --git a/docker-compose/op-scim.service b/docker/compose/op-scim.service similarity index 100% rename from docker-compose/op-scim.service rename to docker/compose/op-scim.service diff --git a/docker-swarm/docker-compose.yml b/docker/swarm/docker-compose.yml similarity index 100% rename from docker-swarm/docker-compose.yml rename to docker/swarm/docker-compose.yml diff --git a/docker-swarm/generate-secret.sh b/docker/swarm/generate-secret.sh similarity index 100% rename from docker-swarm/generate-secret.sh rename to docker/swarm/generate-secret.sh From 63f5b23bd453db941ce07028c64a2ae434740048 Mon Sep 17 00:00:00 2001 
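Review bot: The `entrypoint` line now carries a concrete hostname, `--letsencrypt-domain=nk.op-scim-demo.com`, in place of the `{YOUR-DOMAIN-HERE}` token that the deploy script's `sed s/{YOUR-DOMAIN-HERE}/$domain_name/g` substitution matches on, so the domain a user types is never applied and every deployment from this template would ask LetsEncrypt for a certificate for that one host. This looks like a local test value committed by accident rather than an intended default; the line should read `entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"]`, which PATCH 07 later in this series restores. The rest of the `services:` block and the `redis` service definition lie outside the hunk.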
From: nkechi Date: Tue, 29 Jan 2019 12:16:12 -0500 Subject: [PATCH 06/12] deleted docker swarm and compose readme files --- docker-compose 12-13-33-460/README.md | 42 --------------------------- docker-swarm 12-13-33-473/README.md | 34 ---------------------- 2 files changed, 76 deletions(-) delete mode 100644 docker-compose 12-13-33-460/README.md delete mode 100644 docker-swarm 12-13-33-473/README.md diff --git a/docker-compose 12-13-33-460/README.md b/docker-compose 12-13-33-460/README.md deleted file mode 100644 index 1c82868..0000000 --- a/docker-compose 12-13-33-460/README.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Deploying the 1Password SCIM Bridge using Docker Compose - -This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already._ - -Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended. - -## Create your DNS record - -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. _Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already._ - -## Create your scimsession file and Deploy SCIM bridge - -1. Connect to your remote Docker host from your local machine - -1. Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. 
- -_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ - -Example: -``` -scim-setup.sh -[account sign-in] -Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo -``` - -3. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : - - 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. - - 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. - - 1. Lastly, it will create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. - -_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. - -In order to automatically launch the 1Password SCIM bridge upon startup when using docker-compose you'll need to automatically start the Docker daemon, then start op-scim. - -### Systemd - -1. Install the service file for op-scim. A [sample](op-scim.service) is provided and you'll need to change the path. -2. Reload systemd: `systemctl daemon-reload` -3. Enable the op-scim service: `systemctl enable op-scim` diff --git a/docker-swarm 12-13-33-473/README.md b/docker-swarm 12-13-33-473/README.md deleted file mode 100644 index c78b1a3..0000000 --- a/docker-swarm 12-13-33-473/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Deploying the 1Password SCIM Bridge using Docker Compose - -This example describes the simplest method of deploying the 1Password SCIM bridge, using Docker Compose. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already._ - -Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended. - -## Create your DNS record - -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. _Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already._ - -## Create your scimsession file and Deploy SCIM bridge - -1. Connect to your remote Docker host from your local machine - -1. Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. 
- -_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ - -Example: -``` -scim-setup.sh -[account sign-in] -Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo -``` - -3. Once your scimsession file has been created, use the Linux Bash `build.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : - - 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. - - 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. - - 1. Lastly, it will create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. - -_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. From aabffb579bbdfd9d606677dc436d878ad195412c Mon Sep 17 00:00:00 2001 From: nkechi Date: Tue, 29 Jan 2019 12:17:48 -0500 Subject: [PATCH 07/12] reverted to domain name placeholder --- docker/compose/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/compose/docker-compose.yml b/docker/compose/docker-compose.yml index 10337e4..18a91e8 100644 --- a/docker/compose/docker-compose.yml +++ b/docker/compose/docker-compose.yml 
@@ -8,7 +8,7 @@ services: - "443:8443" links: - redis - entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain=nk.op-scim-demo.com"] + entrypoint: ["/op-scim/op-scim", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"] env_file: scim.env redis: image: redis:latest From 63963a2fc488f6275885bb223cb716e63a5f4f8c Mon Sep 17 00:00:00 2001 From: nkechi Date: Tue, 29 Jan 2019 12:36:52 -0500 Subject: [PATCH 08/12] moved deploy file into docker folder --- deploy.sh => docker/deploy.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deploy.sh => docker/deploy.sh (100%) diff --git a/deploy.sh b/docker/deploy.sh similarity index 100% rename from deploy.sh rename to docker/deploy.sh From a44cf28b1e87a5adf8de18cff4a277d4c99047f6 Mon Sep 17 00:00:00 2001 From: nkechi Date: Tue, 29 Jan 2019 12:37:08 -0500 Subject: [PATCH 09/12] edited to run deploy file --- docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.md b/docker/README.md index 83a9396..b08778b 100644 --- a/docker/README.md +++ b/docker/README.md @@ -28,7 +28,7 @@ scim-setup.sh Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo ``` -3. Once your scimsession file has been created, use the Linux Bash `deploy.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : +3. Once your scimsession file has been created, use the Linux Bash `./docker/deploy.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. 
From 79d83257004d750f4381a390f526d3cee7914f31 Mon Sep 17 00:00:00 2001 From: nkechi Date: Wed, 30 Jan 2019 11:50:32 -0500 Subject: [PATCH 10/12] grammar improvements --- docker/README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docker/README.md b/docker/README.md index b08778b..48f9c7a 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -1,23 +1,23 @@ # Deploying the 1Password SCIM Bridge using Docker -This example describes the methods of deploying the 1Password SCIM bridge using Docker. The Docker Compose and Docker Swarm managers are available and deployment using either managers is described below. +This example describes the methods of deploying the 1Password SCIM bridge using Docker. The Docker Compose and Docker Swarm managers are available and deployment using each manager is described below. ## Docker Compose -This is the simplest method of deploying the SCIM bridge. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker host if you do not have one set up already or are experiencing difficulties doing so._ +This is the simplest method of deploying the SCIM bridge. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud provider on how to setup a remote Docker host if you do not have one set up already or are experiencing difficulties doing so._ **Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended.** ## Docker Swarm -These instructions require a remote Docker Swarm cluster be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud storage provider on how to setup a remote Docker Swarm Cluster if you do not have one set up already or are experiencing difficulties doing so._ +These instructions require a remote Docker Swarm cluster be set up and configured to be accessed by the Docker CLI. 
_Please refer to your cloud provider on how to setup a remote Docker Swarm Cluster if you do not have one set up already or are experiencing difficulties doing so._ ## Create your DNS record -The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The DNS record must exist and the SCIM bridge server must be running in order for LetsEncrypt to issue a certificate. _Please refer to your cloud storage provider on how to setup a DNS record if you do not have one set up already or are experiencing difficulties doing so._ +The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. In order to use TLS, you must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The DNS record must exist and the SCIM bridge server must be running if you wish to have LetsEncrypt automatically issue a TLS certificate for your SCIM bridge. _Please refer to your cloud provider on how to setup a DNS record if you do not have one set up already or are experiencing difficulties doing so._ ## Create your scimsession file and Deploy SCIM bridge 1. Connect to your remote Docker host from your local machine -2. Use the Linux Bash [scim-setup.sh](../session/scim-setup.sh) script to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. +2. 
Use the bash script [scim-setup.sh](../session/scim-setup.sh) to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. _The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ 
@@ -28,17 +28,17 @@ scim-setup.sh Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo ``` -3. Once your scimsession file has been created, use the Linux Bash `./docker/deploy.sh` script to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : +3. Once your scimsession file has been created, use the bash script `./docker/deploy.sh` to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : - 1. For `docker-compose`, it generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. + 1. For `docker-compose`, it will generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. - 1. The domain name entered will configure LetsEncrypt to automatically issue a certificate for your bridge. + 1. You will be prompted for your SCIM bridge domain name which will configure LetsEncrypt to automatically issue a certificate for your bridge. - 1. Lastly, it will create a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. + 1. Lastly, it will deploy a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. 
_After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. -In order to automatically launch the 1Password SCIM bridge upon startup when using **docker-compose** you'll need to automatically start the Docker daemon, then start op-scim. +In order to automatically launch the 1Password SCIM bridge upon startup when using **docker-compose**, you will need to configure systemd to automatically start the Docker daemon and launch op-scim. ### Systemd From 857e8e5bbd7c210b66cb69f2ed04bb37d70d88eb Mon Sep 17 00:00:00 2001 From: nkechi Date: Wed, 30 Jan 2019 11:51:11 -0500 Subject: [PATCH 11/12] added initialisation message --- docker/deploy.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/deploy.sh b/docker/deploy.sh index b342c56..f3009c7 100755 --- a/docker/deploy.sh +++ b/docker/deploy.sh @@ -2,6 +2,8 @@ set -e +echo "Initiating 1Password SCIM Bridge Deployment" + run_docker_compose() { cp ./scimsession ./docker/compose/scimsession rm ./scimsession From 6499027b45caa2304e8241b74851d8dc02e00a67 Mon Sep 17 00:00:00 2001 From: agilecohix Date: Wed, 20 Feb 2019 10:54:00 -0500 Subject: [PATCH 12/12] added script cleanup, changed docker type strings, use new env key, tweak instructions --- docker/README.md | 38 +++++++++++++++++++++++++-------- docker/compose/generate-env.sh | 2 +- docker/deploy.sh | 30 +++++++++++++++++--------- docker/swarm/docker-compose.yml | 2 +- 4 files changed, 51 insertions(+), 21 deletions(-) diff --git a/docker/README.md b/docker/README.md index 48f9c7a..4ac59bc 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -1,34 +1,52 @@ # Deploying the 1Password SCIM Bridge using Docker + This example describes the methods of deploying the 1Password SCIM bridge using Docker. The Docker Compose and Docker Swarm managers are available and deployment using each manager is described below. ## Docker Compose + This is the simplest method of deploying the SCIM bridge. These instructions require a remote Docker host be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud provider on how to setup a remote Docker host if you do not have one set up already or are experiencing difficulties doing so._ -**Note that this deployment strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended.** +**Note that the Docker Compose strategy is very useful for testing, but it is not recommended for use in a production environment. The scimsession file is passed into the docker container via an environment variable, which is less secure than Docker Swarm secrets or Kubernetes secrets, both of which are supported, and recommended.** ## Docker Swarm + These instructions require a remote Docker Swarm cluster be set up and configured to be accessed by the Docker CLI. _Please refer to your cloud provider on how to setup a remote Docker Swarm Cluster if you do not have one set up already or are experiencing difficulties doing so._ -## Create your DNS record +## 1: Clone this repository + +To make this process easier, it is recommended to clone this repository to have easy access to scripts and configuration files. 
+ +## 2: Install Docker locally + +Install [Docker for Desktop](https://www.docker.com/products/docker-desktop) on your local machine and _start Docker_ before continuing, as it will be needed to run the setup process + +## 3: Create your DNS record The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. In order to use TLS, you must create a DNS record that points to your Docker node. _Do not attempt to perform a provisioning sync before the DNS records have been propogated_. The DNS record must exist and the SCIM bridge server must be running if you wish to have LetsEncrypt automatically issue a TLS certificate for your SCIM bridge. _Please refer to your cloud provider on how to setup a DNS record if you do not have one set up already or are experiencing difficulties doing so._ -## Create your scimsession file and Deploy SCIM bridge +## 4: Create your scimsession file and Deploy SCIM bridge 1. Connect to your remote Docker host from your local machine + - Either connect using [docker-machine](https://docs.docker.com/machine/), OR use SSH to access your remote maching and clone this repo. -2. Use the bash script [scim-setup.sh](../session/scim-setup.sh) to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. Save your bearer token, as it will be needed to authenticate with your IdP. +2. In your terminal, use the bash script [./scim-setup.sh](../session/scim-setup.sh) to authenticate your account and generate a `scimsession` file : This script uses a Docker container to run the `op-scim setup` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console. **Save your bearer token, as it will be needed to authenticate with your IdP**. 
_The scimsession file is equivalent to your Master Password and Secret Key when combined with the bearer token, therefore they should never be stored in the same place._ Example: ``` -scim-setup.sh -[account sign-in] +> cd [location of cloned scim-examples folder] +> ./scim-setup.sh + +[interactive script] Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo + +> ./docker/deploy.sh ``` -3. Once your scimsession file has been created, use the bash script `./docker/deploy.sh` to deploy the SCIM bridge. Have the domain name indicated by the DNS record created for the SCIM bridge ready. This script will do the following : +3. Once your scimsession file has been created, use the bash script `./docker/deploy.sh` to deploy the SCIM bridge. _Have the domain name indicated by the DNS record created for the SCIM bridge ready_. This script will do the following : + + 1. Ask if you want to deploy with Docker Swarm or Compose 1. For `docker-compose`, it will generate a `scim.env` file that allows the scimsession file to be passed into the container without insecurely writing it to the container filesystem. For `docker-swarm`, it will create a secret called `scimsession`, which the op-scim container will then read from `/run/secrets`, as defined in docker-compose.yml. 
@@ -36,12 +54,14 @@ Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo 1. Lastly, it will deploy a container from the `1password/scim` image. A redis container will also be started automatically to be used by the SCIM bridge. +The logs from the SCIM bridge and redis containers will be streamed to your machine. When you are done, press ctrl+c to stop the logs, and the containers will remain running on the remote machine. + _After the DNS record has been propogated_, you can continue setting up your IdP with the SCIM bridge Administration Guide while monitoring the logs from the bridge on your local machine. -In order to automatically launch the 1Password SCIM bridge upon startup when using **docker-compose**, you will need to configure systemd to automatically start the Docker daemon and launch op-scim. - ### Systemd +In order to automatically launch the 1Password SCIM bridge upon startup when using **docker-compose**, you will need to configure systemd to automatically start the Docker daemon and launch op-scim. + 1. Install the service file for op-scim. A [sample](op-scim.service) is provided and you'll need to change the path. 2. Reload systemd: `systemctl daemon-reload` 3. Enable the op-scim service: `systemctl enable op-scim` diff --git a/docker/compose/generate-env.sh b/docker/compose/generate-env.sh index a6220aa..511f6b2 100755 --- a/docker/compose/generate-env.sh +++ b/docker/compose/generate-env.sh @@ -5,4 +5,4 @@ SESSION=$(cat scimsession | base64 | tr -d "\n") -echo "OPSCIM_SESSION=$SESSION" > scim.env \ No newline at end of file +echo "OP_SESSION=$SESSION" > scim.env \ No newline at end of file diff --git a/docker/deploy.sh b/docker/deploy.sh index f3009c7..f68e9df 100755 --- a/docker/deploy.sh +++ b/docker/deploy.sh 
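Review bot: `scim.env` is written with whatever umask the caller has, so the base64 of the scimsession — which the README in this same patch equates to the Master Password and Secret Key — normally lands on the host as a world-readable file; base64 is an encoding, not protection, and this file is the credential. Restricting the mode is a one-line change, `( umask 077; echo "OP_SESSION=$SESSION" > scim.env )`, or a `chmod 600 scim.env` immediately after the write. The rename to `OP_SESSION` presumably matches the variable the `1password/scim` image reads (not verifiable from this patch), and the Windows counterpart `generate-env.bat`, renamed earlier in the series but not touched here, may still emit the old `OPSCIM_SESSION` name and should be checked. Minor: `cat scimsession | base64` can be `base64 < scimsession`. The first four lines of the script are outside the hunk.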
@@ -1,41 +1,51 @@ #!/bin/bash -set -e - echo "Initiating 1Password SCIM Bridge Deployment" run_docker_compose() { - cp ./scimsession ./docker/compose/scimsession - rm ./scimsession + mv ./scimsession ./docker/compose/scimsession + + set -e # if the scimsession is already in ^, don't fail + cd docker/compose ./generate-env.sh + mv ./scimsession ../../ read -p 'Please enter your domain name : ' domain_name sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml - docker-compose up --build + docker-compose up --build -d + sed -i '' s/$domain_name/{YOUR-DOMAIN-HERE}/g docker-compose.yml + + docker-compose logs -f } run_docker_swarm(){ - cp ./scimsession ./docker/swarm/scimsession - rm ./scimsession + mv ./scimsession ./docker/swarm/scimsession cd docker/swarm ./generate-secret.sh + set -e # if the secret already exists, don't fail + + mv ./scimsession ../../ + read -p 'Please enter your domain name : ' domain_name sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml docker stack deploy -c docker-compose.yml op-scim + sed -i '' s/$domain_name/{YOUR-DOMAIN-HERE}/g docker-compose.yml + + docker service logs --raw -f op-scim_scim } -read -p 'Please enter the configuration you are using [docker-compose] or [docker-swarm] : ' docker_path +read -p 'Please enter the configuration you are using [compose] or [swarm] : ' docker_path -if [ "$docker_path" == "docker-compose" ]; +if [ "$docker_path" == "compose" ]; then run_docker_compose -elif [ "$docker_path" == "docker-swarm" ] +elif [ "$docker_path" == "swarm" ] then run_docker_swarm else diff --git a/docker/swarm/docker-compose.yml b/docker/swarm/docker-compose.yml index 002d81f..389efae 100644 --- a/docker/swarm/docker-compose.yml +++ b/docker/swarm/docker-compose.yml @@ -29,4 +29,4 @@ networks: secrets: scimsession: - external: true \ No newline at end of file + external: true
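Review bot: Both `run_docker_compose` and `run_docker_swarm` pass the prompted `domain_name` unquoted and unvalidated into `sed -i '' s/{YOUR-DOMAIN-HERE}/$domain_name/g docker-compose.yml`, and the new restore step `sed -i '' s/$domain_name/{YOUR-DOMAIN-HERE}/g` reuses it as a regex: an empty answer deploys the bridge with a blank `--letsencrypt-domain=` and then turns the restore into `s//…/`, which sed rejects, and any `/` in the input breaks both expressions. `sed -i ''` is the BSD/macOS spelling; GNU sed takes the `''` as the script and the `s/…/` as a filename, so the SSH-to-the-remote-host path the README gains in this same patch would fail here if that host runs Linux. Since the script restores the placeholder anyway, keeping a backup with the portable `-i.bak` and moving it back is simpler and exact; the rewrite below shows the compose branch, and the swarm branch needs the same four lines around `docker stack deploy`. Separately, `set -e` is now switched on only after the `mv` and, in the swarm branch, after `./generate-secret.sh`, so a `docker secret create` failure for any reason other than an already-existing secret is ignored and a stale `scimsession` secret would be deployed silently; the final `else` branch continues past the hunk.
```shell
run_docker_compose() {
  # … unchanged: move scimsession into docker/compose, generate scim.env, move it back …
  read -r -p 'Please enter your domain name : ' domain_name
  [ -n "$domain_name" ] || { echo "A domain name is required." >&2; exit 1; }
  # -i.bak works on both GNU and BSD sed; '|' as delimiter avoids clashing with '/' in the input
  sed -i.bak "s|{YOUR-DOMAIN-HERE}|$domain_name|g" docker-compose.yml
  docker-compose up --build -d
  # restore the tracked template from the backup instead of a second regex substitution
  mv docker-compose.yml.bak docker-compose.yml
  docker-compose logs -f
}
# … unchanged: run_docker_swarm, which needs the same read/check/sed/mv sequence around `docker stack deploy` …
```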