fix s3 deployment example

owncloud · May 5, 2022 · 6e3752b · 6e3752b
1 parent bba70c5
commit 6e3752b
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 69 deletions.
diff --git a/deployments/examples/ocis_s3/.env b/deployments/examples/ocis_s3/.env
@@ -2,10 +2,6 @@
 # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
 INSECURE=true
 
-# The demo users should not be created on a production instance
-# because their passwords are public
-DEMO_USERS=true
-
 ### Traefik settings ###
 # Serve Traefik dashboard. Defaults to "false".
 TRAEFIK_DASHBOARD=
@@ -21,16 +17,11 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
-# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
-IDP_LDAP_BIND_PASSWORD=
-# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
-STORAGE_LDAP_BIND_PASSWORD=
-# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
-OCIS_JWT_SECRET=
-# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
-STORAGE_TRANSFER_SECRET=
-# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
-OCIS_MACHINE_AUTH_API_KEY=
+# oCIS admin user password. Defaults to "admin".
+ADMIN_PASSWORD=
+# The demo users should not be created on a production instance
+# because their passwords are public. Defaults to "false".
+DEMO_USERS=
 
 ### MINIO / S3 settings ###
 # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".

diff --git a/deployments/examples/ocis_s3/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_s3/config/ocis/entrypoint-override.sh
diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml
@@ -48,35 +48,33 @@ services:
       ocis-net:
     entrypoint:
       - /bin/sh
-      - /entrypoint-override.sh
+    # run ocis init to initialize a configuration file with random secrets
+    # it will fail on subsequent runs, because the config file already exists
+    # therefore we ignore the error and then start the ocis server
+    command: ["-c", "ocis init || true; ocis server"]
     environment:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
-      # change default secrets
-      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
-      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
-      OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
-      STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
-      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       # activate s3ng storage driver
       STORAGE_USERS_DRIVER: s3ng
       STORAGE_SYSTEM_DRIVER: ocis # keep system data on ocis storage since this are only small files atm
       # s3ng specific settings
-      STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://minio:9000
-      STORAGE_USERS_DRIVER_S3NG_REGION: default
-      STORAGE_USERS_DRIVER_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
-      STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
-      STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
+      STORAGE_USERS_S3NG_ENDPOINT: http://minio:9000
+      STORAGE_USERS_S3NG_REGION: default
+      STORAGE_USERS_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
+      STORAGE_USERS_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
+      STORAGE_USERS_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
       OCIS_INSECURE: "${INSECURE:-false}"
       # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
       PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
+      # admin user password
+      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
       # demo users
-      ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}"  # deprecated, remove after switching to LibreIDM
       IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
     volumes:
-      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
+      - ocis-config:/etc/ocis
       - ocis-data:/var/lib/ocis
     labels:
       - "traefik.enable=true"
@@ -95,8 +93,7 @@ services:
       ocis-net:
     entrypoint:
       - /bin/sh
-      - -c
-      - "mkdir -p /data/${MINIO_BUCKET:-ocis-bucket} && minio server --console-address ':9001' /data"
+    command:  ["-c", "mkdir -p /data/${MINIO_BUCKET:-ocis-bucket} && minio server --console-address ':9001' /data"]
     volumes:
       - minio-data:/data
     environment:
@@ -115,6 +112,7 @@ services:
 
 volumes:
   certs:
+  ocis-config:
   ocis-data:
   minio-data:
 

diff --git a/docs/ocis/deployment/ocis_s3.md b/docs/ocis/deployment/ocis_s3.md
@@ -70,16 +70,11 @@ See also [example server setup]({{< ref "preparing_server" >}})
   OCIS_DOCKER_TAG=
   # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
   OCIS_DOMAIN=
-  # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
-  IDP_LDAP_BIND_PASSWORD=
-  # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
-  STORAGE_LDAP_BIND_PASSWORD=
-  # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
-  OCIS_JWT_SECRET=
-  # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
-  STORAGE_TRANSFER_SECRET=
-  # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
-  OCIS_MACHINE_AUTH_API_KEY=
+  # oCIS admin user password. Defaults to "admin".
+  ADMIN_PASSWORD=
+  # The demo users should not be created on a production instance
+  # because their passwords are public. Defaults to "false".
+  DEMO_USERS=
 
   ### MINIO / S3 settings ###
   # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".
@@ -104,6 +99,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
 
   Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, e.g. `OCIS_DOMAIN=ocis.owncloud.test`.
 
+  Set the initial admin user password in `ADMIN_PASSWORD=`, it defaults to `admin`.
+
   Set your domain for the MinIO frontend in `MINIO_DOMAIN=`, e.g. `MINIO_DOMAIN=minio.owncloud.test`. If you are using other S3-compatible providers you need to configure the respective endpoint here.
 
   If you like you can change the default name of the S3 bucket by setting `MINIO_BUCKET=` to a different value.

diff --git a/tests/acceptance/docker/src/ocis-base.yml b/tests/acceptance/docker/src/ocis-base.yml
@@ -16,11 +16,11 @@ services:
       ACCOUNTS_HASH_DIFFICULTY: 4
       OCIS_INSECURE: "true"
       # s3ng specific settings
-      STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://ceph:8080
-      STORAGE_USERS_DRIVER_S3NG_REGION: default
-      STORAGE_USERS_DRIVER_S3NG_ACCESS_KEY: test
-      STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: test
-      STORAGE_USERS_DRIVER_S3NG_BUCKET: test
+      STORAGE_USERS_S3NG_ENDPOINT: http://ceph:8080
+      STORAGE_USERS_S3NG_REGION: default
+      STORAGE_USERS_S3NG_ACCESS_KEY: test
+      STORAGE_USERS_S3NG_SECRET_KEY: test
+      STORAGE_USERS_S3NG_BUCKET: test
     volumes:
       - ../../../config:/drone/src/tests/config
       - oCISownCloud10testsuite:/srv