From 6e3752bb47d77bc94d461457ea329087ae9ff1ba Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 5 May 2022 12:53:56 +0200
Subject: [PATCH] fix s3 deployment example
---
 deployments/examples/ocis_s3/.env | 19 ++++--------
 .../config/ocis/entrypoint-override.sh | 24 ---------------
 .../examples/ocis_s3/docker-compose.yml | 30 +++++++++----------
 docs/ocis/deployment/ocis_s3.md | 17 +++++------
 tests/acceptance/docker/src/ocis-base.yml | 10 +++----
 5 files changed, 31 insertions(+), 69 deletions(-)
 delete mode 100644 deployments/examples/ocis_s3/config/ocis/entrypoint-override.sh
diff --git a/deployments/examples/ocis_s3/.env b/deployments/examples/ocis_s3/.env
index 682264433ab..51d5e597246 100644
--- a/deployments/examples/ocis_s3/.env
+++ b/deployments/examples/ocis_s3/.env
@@ -2,10 +2,6 @@
 # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
 INSECURE=true
-# The demo users should not be created on a production instance
-# because their passwords are public
-DEMO_USERS=true
-
 ### Traefik settings ###
 # Serve Traefik dashboard. Defaults to "false".
 TRAEFIK_DASHBOARD=
@@ -21,16 +17,11 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
-# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
-IDP_LDAP_BIND_PASSWORD=
-# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
-STORAGE_LDAP_BIND_PASSWORD=
-# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
-OCIS_JWT_SECRET=
-# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
-STORAGE_TRANSFER_SECRET=
-# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
-OCIS_MACHINE_AUTH_API_KEY=
+# oCIS admin user password. Defaults to "admin".
+ADMIN_PASSWORD=
+# The demo users should not be created on a production instance
+# because their passwords are public. Defaults to "false".
+DEMO_USERS=
 ### MINIO / S3 settings ###
 # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".
diff --git a/deployments/examples/ocis_s3/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_s3/config/ocis/entrypoint-override.sh
deleted file mode 100644
index c1f96fae4ef..00000000000
--- a/deployments/examples/ocis_s3/config/ocis/entrypoint-override.sh
+++ /dev/null
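Review bot: The new `ADMIN_PASSWORD=` entry drops the "Must be changed in order to have a secure oCIS" wording that every secret it replaces carried, even though a blank value here yields the compose default `admin` for the administrator account of an instance this example publishes through Traefik. Keeping the established comment style keeps that point visible: `# oCIS admin user password. Must be changed in order to have a secure oCIS. Defaults to "admin".`. A one-line note that the JWT, transfer and machine-auth secrets removed here are now generated by `ocis init` into the container's config volume would also tell readers of the old `.env` where those settings went. The docs hunk in `docs/ocis/deployment/ocis_s3.md` (`@@ -70,16 +70,11 @@`) repeats these lines and would take the same wording.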
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-set -e
-
-ocis server&
-sleep 10
-
-echo "##################################################"
-echo "change default secrets:"
-
-# IDP
-IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
-echo " IDP user UUID: $IDP_USER_UUID"
-ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
-
-# REVA
-REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
-echo " Reva user UUID: $REVA_USER_UUID"
-ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
-
-echo "default secrets changed"
-echo "##################################################"
-
-wait # wait for oCIS to exit
diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml
index 5c4b9afc36a..49f34649887 100644
--- a/deployments/examples/ocis_s3/docker-compose.yml
+++ b/deployments/examples/ocis_s3/docker-compose.yml
@@ -48,35 +48,33 @@ services:
 ocis-net:
 entrypoint:
 - /bin/sh
- - /entrypoint-override.sh
+ # run ocis init to initialize a configuration file with random secrets
+ # it will fail on subsequent runs, because the config file already exists
+ # therefore we ignore the error and then start the ocis server
+ command: ["-c", "ocis init || true; ocis server"]
 environment:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
- # change default secrets
- IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
- STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
- OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
- STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
- OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
 # activate s3ng storage driver
 STORAGE_USERS_DRIVER: s3ng
 STORAGE_SYSTEM_DRIVER: ocis # keep system data on ocis storage since this are only small files atm
 # s3ng specific settings
- STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://minio:9000
- STORAGE_USERS_DRIVER_S3NG_REGION: default
- STORAGE_USERS_DRIVER_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
- STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
- STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
+ STORAGE_USERS_S3NG_ENDPOINT: http://minio:9000
+ STORAGE_USERS_S3NG_REGION: default
+ STORAGE_USERS_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
+ STORAGE_USERS_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
+ STORAGE_USERS_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
 # INSECURE: needed if oCIS / Traefik is using self generated certificates
 OCIS_INSECURE: "${INSECURE:-false}"
 # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
 PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
+ # admin user password
+ IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
 # demo users
- ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM
 IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
 volumes:
- - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
+ - ocis-config:/etc/ocis
 - ocis-data:/var/lib/ocis
 labels:
 - "traefik.enable=true"
@@ -95,8 +93,7 @@ services:
 ocis-net:
 entrypoint:
 - /bin/sh
- - -c
- - "mkdir -p /data/${MINIO_BUCKET:-ocis-bucket} && minio server --console-address ':9001' /data"
+ command: ["-c", "mkdir -p /data/${MINIO_BUCKET:-ocis-bucket} && minio server --console-address ':9001' /data"]
 volumes:
 - minio-data:/data
 environment:
@@ -115,6 +112,7 @@ services:
 volumes:
 certs:
+ ocis-config:
 ocis-data:
 minio-data:
diff --git a/docs/ocis/deployment/ocis_s3.md b/docs/ocis/deployment/ocis_s3.md
index 39350a46c86..d1bac9fd939 100644
--- a/docs/ocis/deployment/ocis_s3.md
+++ b/docs/ocis/deployment/ocis_s3.md
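Review bot: `ocis init || true` in the new `command` masks every failure of `ocis init`, not only the "config file already exists" case the comment above it describes, so on a first run whose init fails for another reason (an unwritable `/etc/ocis` mount, for instance) the container still proceeds to `ocis server`, presumably without the randomly generated secrets the example now depends on. Guarding on the file rather than on the exit status keeps the intent and lets a genuine failure stop the container: `command: ["-c", "test -f /etc/ocis/CONFIG_FILE || ocis init; exec ocis server"]` (CONFIG_FILE being whatever `ocis init` writes). The `exec` additionally makes `ocis server` PID 1, so the signal `docker stop` sends reaches the server rather than the shell in front of it; the minio `command` in the `@@ -95,8 +93,7 @@` hunk has the same shape and would take `&& exec minio server ...` in the same way. Since those generated secrets now live only in the new volume, the mount line would benefit from saying so, `- ocis-config:/etc/ocis # config file with the secrets generated by ocis init`, and the docs hunk does not mention the volume either.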
@@ -70,16 +70,11 @@ See also [example server setup]({{< ref "preparing_server" >}})
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
- # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
- IDP_LDAP_BIND_PASSWORD=
- # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
- STORAGE_LDAP_BIND_PASSWORD=
- # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
- OCIS_JWT_SECRET=
- # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
- STORAGE_TRANSFER_SECRET=
- # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
- OCIS_MACHINE_AUTH_API_KEY=
+ # oCIS admin user password. Defaults to "admin".
+ ADMIN_PASSWORD=
+ # The demo users should not be created on a production instance
+ # because their passwords are public. Defaults to "false".
+ DEMO_USERS=
 ### MINIO / S3 settings ###
 # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".
@@ -104,6 +99,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
 Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, e.g. `OCIS_DOMAIN=ocis.owncloud.test`.
+ Set the initial admin user password in `ADMIN_PASSWORD=`, it defaults to `admin`.
+
 Set your domain for the MinIO frontend in `MINIO_DOMAIN=`, e.g. `MINIO_DOMAIN=minio.owncloud.test`. If you are using other S3-compatible providers you need to configure the respective endpoint here. If you like you can change the default name of the S3 bucket by setting `MINIO_BUCKET=` to a different value.
diff --git a/tests/acceptance/docker/src/ocis-base.yml b/tests/acceptance/docker/src/ocis-base.yml
index 594a07020da..6486a404b79 100644
--- a/tests/acceptance/docker/src/ocis-base.yml
+++ b/tests/acceptance/docker/src/ocis-base.yml
@@ -16,11 +16,11 @@ services:
 ACCOUNTS_HASH_DIFFICULTY: 4
 OCIS_INSECURE: "true"
 # s3ng specific settings
- STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://ceph:8080
- STORAGE_USERS_DRIVER_S3NG_REGION: default
- STORAGE_USERS_DRIVER_S3NG_ACCESS_KEY: test
- STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: test
- STORAGE_USERS_DRIVER_S3NG_BUCKET: test
+ STORAGE_USERS_S3NG_ENDPOINT: http://ceph:8080
+ STORAGE_USERS_S3NG_REGION: default
+ STORAGE_USERS_S3NG_ACCESS_KEY: test
+ STORAGE_USERS_S3NG_SECRET_KEY: test
+ STORAGE_USERS_S3NG_BUCKET: test
 volumes:
 - ../../../config:/drone/src/tests/config
 - oCISownCloud10testsuite:/srv