CadolesKube
/
sp-containers
14
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

refactor(all): complete rework of the repo 

Moving to a recipeless way of doing things
This commit is contained in:
Philippe Caseiro 2023-06-09 12:17:09 +02:00
parent b13a5e892f
commit 351f693775
13 changed files with 109 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
Makefile
View File

@ -1,41 +1,13 @@
IMAGE_NAME := reg.cadoles.com/cadoles/sp ################################
# Makefile for Cadoles SP
################################
IMAGE_REPO := reg.cadoles.com/cadoles
IMAGE_NAME := sp
IMAGE_FULL_NAME := $(IMAGE_REPO)/$(IMAGE_NAME)
IMAGE_VERSION := 0.1.0
DOCKERFILE ?= DOCKERFILE ?=
DAY_SUFFIX_TAG ?= $(shell date +%Y%m%d) DAY_SUFFIX_TAG ?= $(shell date +%Y%m%d)
build: include main.mk
_build:
docker \
build \
-t "$(IMAGE_NAME):$(IMAGE_TAG)" \
-f $(DOCKERFILE) \
.
scan:
_scan: tools/trivy/bin/trivy
mkdir -p .trivy/$(IMAGE_NAME)/$(IMAGE_TAG)
tools/trivy/bin/trivy --cache-dir .trivy/.cache image -o ".trivy/$(IMAGE_NAME)/$(IMAGE_TAG)/report.txt" $(TRIVY_ARGS) $(IMAGE_NAME):$(IMAGE_TAG)
cat ".trivy/$(IMAGE_NAME)/$(IMAGE_TAG)/report.txt"
tools/trivy/bin/trivy:
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
release:
_release:
docker tag $(IMAGE_NAME):$(IMAGE_TAG) $(IMAGE_NAME):$(IMAGE_TAG)-$(DAY_SUFFIX_TAG)
docker push $(IMAGE_NAME):$(IMAGE_TAG)-$(DAY_SUFFIX_TAG)
docker push $(IMAGE_NAME):$(IMAGE_TAG)
_test: tools/bin/bash_unit
tools/bin/bash_unit ./tests/test_$(IMAGE_TAG).sh
tools/bin/bash_unit:
mkdir -p tools/bin
cd tools/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
include recipes/*.mk

14
files/alpine/sp-oidc/base/conf.d/Dockerfile
View File

@ -1,14 +0,0 @@
FROM reg.cadoles.com/proxy_cache/library/alpine:edge
#FROM reg.cadoles.com/proxy_cache/library/httpd:alpine3.18
# Adding testing repo
RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
RUN apk update && apk add apache-mod-auth-openidc
COPY conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
COPY conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
COPY scripts/httpd-foreground /usr/local/bin/
CMD ["httpd-foreground"]

14
files/alpine/sp-oidc/base/conf.d/mod-auth-openidc.conf
View File

@ -1,14 +0,0 @@
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL ${SP_OIDC_PROVIDER_METADATA_URL} #http://portal.mse.local:8000/auth/.well-known/openid-configuration
OIDCClientID ${SP_OIDC_CLIENT_NAME} #mse
OIDCClientSecret ${SP_OIDC_CLIENT_SERCRET} #$mse&123456$
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCCookieSameSite On
OIDCSessionType client-cookie
OIDCXForwardedHeaders X-Forwarded-Host
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI ${SP_OIDC_REDIRECT_URI} #http://portal.mse.local:8000/protected/redirect_uri
OIDCCryptoPassphrase ${SP_OIDC_CRYPTO_PASSPHRASE} #$mse&123456$
OIDCOAuthAcceptTokenAs header
OIDCUnAutzAction 302 ${SP_OIDC_ERROR_URI} #http://portal.mse.local:8000/erreur?msg=mod_auth_fail

10
files/alpine/sp-oidc/base/Dockerfile → files/images/sp-oidc/base/Dockerfile
View File

@ -4,11 +4,17 @@ FROM reg.cadoles.com/proxy_cache/library/alpine:edge
# Adding testing repo # Adding testing repo
RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
RUN apk update && apk add apache-mod-auth-openidc RUN apk update && apk add apache-mod-auth-openidc apache2-ssl
RUN mkdir -p /var/www/html
COPY files/alpine/sp-oidc/base/conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf COPY files/alpine/sp-oidc/base/conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
COPY files/alpine/sp-oidc/base/conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf COPY files/alpine/sp-oidc/base/conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
COPY files/alpine/sp-oidc/base/scripts/httpd-foreground /usr/local/bin/ COPY files/alpine/sp-oidc/base/scripts/httpd-foreground /usr/local/bin/
RUN chmod +x /usr/local/bin/httpd-foreground
RUN mkdir -p /var/www/html
RUN chown apache:apache /var/www/html
CMD ["httpd-foreground"] SHELL ["/bin/sh", "-c"]
CMD ["/usr/local/bin/httpd-foreground"]

0
files/alpine/sp-oidc/base/conf.d/default-vhost.conf → files/images/sp-oidc/base/conf.d/default-vhost.conf
View File

14
files/images/sp-oidc/base/conf.d/mod-auth-openidc.conf Normal file
View File

@ -0,0 +1,14 @@
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL ${SP_OIDC_PROVIDER_METADATA_URL}
OIDCClientID ${SP_OIDC_CLIENT_NAME}
OIDCClientSecret ${SP_OIDC_CLIENT_SECRET}
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCCookieSameSite On
OIDCSessionType client-cookie
OIDCXForwardedHeaders X-Forwarded-Host
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI ${SP_OIDC_REDIRECT_URI}
OIDCCryptoPassphrase ${SP_OIDC_CRYPTO_PASSPHRASE}
OIDCOAuthAcceptTokenAs header
OIDCUnAutzAction 302 ${SP_OIDC_ERROR_URI}

0
files/alpine/sp-oidc/base/conf.d/scripts/httpd-foreground → files/images/sp-oidc/base/conf.d/scripts/httpd-foreground
View File

0
files/alpine/sp-oidc/base/conf.d/test_alpine-sp-oidc.sh → files/images/sp-oidc/base/conf.d/test_alpine-sp-oidc.sh
View File

0
files/alpine/sp-oidc/base/scripts/httpd-foreground → files/images/sp-oidc/base/scripts/httpd-foreground
View File

0
files/debian/sp-shib/base/Dockerfile → files/images/sp-shibboleth/base/Dockerfile
View File

78
main.mk Normal file
View File

@ -0,0 +1,78 @@
IMAGES_DIR := ./files/images
#
# $1: IMAGE_NAME
# $2: IMAGE_TAG
#
define build_image
echo "Building ${IMAGE_REPO}/$1";\
docker build \
-t "${IMAGE_REPO}/$1:$2" \
-f ${IMAGES_DIR}/$1/$2/Dockerfile \
.
endef
#
# $1: IMAGE_NAME
# $2: IMAGE_TAG
#
define scan_image
echo "Scanning ${IMAGE_REPO}/$1"; \
mkdir -p .trivy/$(IMAGE_REPO)/$1/$2; \
tools/trivy/bin/trivy --cache-dir .trivy/.cache image -o ".trivy/$(IMAGE_REPO)/$1/$2/report.txt" $(TRIVY_ARGS) $(IMAGE_REPO)/$1:$2 ; \
cat ".trivy/$(IMAGE_REPO)/$1/$2report.txt"
endef
define install_trivy
mkdir -p tools/trivy/bin ; \
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
endef
define release_image
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG) ; \
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION); \
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-latest ; \
docker push $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG) ; \
docker push $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION) ; \
docker push $(IMAGE_REPO)/$1:$2-latest
endef
#list:
build: ${IMAGES_DIR}/*
@for name in $(basename $(notdir $^)); do \
$(call build_image,$${name},base); \
done;\
scan: ${IMAGES_DIR}/*
$(call install_trivy)
@for name in $(basename $(notdir $^)); do \
$(call scan_image,$${name},base); \
done;\
tools/trivy/bin/trivy:
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
release: ${IMAGES_DIR}/*
@for name in $(basename $(notdir $^)); do \
$(call release_image,$${name},base); \
done;\
_release:
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
_test: tools/bin/bash_unit
tools/bin/bash_unit ./tests/test_$(IMAGE_TAG).sh
tools/bin/bash_unit:
mkdir -p tools/bin
cd tools/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
##include recipes/*.mk

28
recipes/alpine-sp-oidc.mk
View File

@ -1,28 +0,0 @@
build: build-alpine-sp-oidc-base
build-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
DOCKERFILE=files/alpine/sp-oidc/base/Dockerfile \
_build
scan: scan-alpine-sp-oidc-base
scan-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
_scan
release: release-alpine-sp-oidc-base
release-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
_release
test: test-alpine-sp-oidc-base
test-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
_test

28
recipes/debian-sp-shib.mk
View File

@ -1,28 +0,0 @@
build: build-debian-sp-shib-base
build-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
DOCKERFILE=files/debian/sp-shib/base/Dockerfile \
_build
scan: scan-debian-sp-shib-base
scan-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
_scan
release: release-debian-sp-shib-base
release-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
_release
test: test-debian-sp-shib-base
test-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
_test