Merge pull request #800 from owncloud/bridge-deployment-fixes

using special powers to merge as requested by @IljaN
owncloud · Nov 12, 2020 · 9fd9e57 · 9fd9e57
2 parents f19acad + d311d41
commit 9fd9e57
Show file tree

Hide file tree

Showing 13 changed files with 320 additions and 389 deletions.
diff --git a/deployments/examples/ocis_external_konnectd/README.md b/deployments/examples/ocis_external_konnectd/README.md
@@ -1,53 +1,2 @@
-# Deployment scenario ocis with external konnectd service on separate node and traefik as reverse proxy
-
-## Setup on ocis server
-
-*   Clone ocis repository
-
-  `git clone https://github.com/owncloud/ocis.git`
-
-*   Copy example sub folder for ocisnode to /opt
-
-  `cp deployment/examples/ocis_external_konnectd/ocisnode /opt/`
-
-*   Overwrite OCIS_DOMAIN and IDP_DOMAIN in .env with your-ocis.domain.com and your-idp.domain.com
-
-  `sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocisnode/.env`
-
-  `sed -i 's/idp.domain.com/your-idp.domain.com/g' /opt/ocisnode/.env`
-
-*   Change into deployment folder
-
-  `cd /opt/ocisnode`
-
-*   Start application stack
-
-  `docker-compose up -d`
-
-## Setup on idp server
-
-*   Clone ocis repository
-
-  `git clone https://github.com/owncloud/ocis.git`
-
-*   Copy example sub folder for idpnode to /opt
-
-  `cp deployment/examples/ocis_external_konnectd/idpnode /opt/`
-
-*   Overwrite OCIS_DOMAIN and IDP_DOMAIN in .env with your-ocis.domain.com and your-idp.domain.com
-
-  `sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/idpnode/.env`
-
-  `sed -i 's/idp.domain.com/your-idp.domain.com/g' /opt/idpnode/.env`
-
-*   Overwrite redirect uri with your-ocis.domain.com in identifier-registration.yml
-
-  `sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/idpnode/config/identifier-registration.yml`
-
-*   Change into deployment folder
-
-  `cd /opt/idpnode`
-
-*   Start application stack
-
-  `docker-compose up -d`
+Please refer to [our documentation](https://owncloud.github.io/ocis/deployment/ocis_external_konnectd/)
+for instructions on how to deploy this scenario.
diff --git a/deployments/examples/ocis_oc10_backend/.env b/deployments/examples/ocis_oc10_backend/.env
@@ -1,3 +1,4 @@
 COMPOSE_PROJECT_NAME=bridge
-OCIS_DOMAIN=ocis.domain.com
-OC10_DOMAIN=oc10.domain.com
+OCIS_DOMAIN=ocis.example.org
+OC10_DOMAIN=oc10.example.org
+INSECURE=false
diff --git a/deployments/examples/ocis_oc10_backend/README.md b/deployments/examples/ocis_oc10_backend/README.md
@@ -1,30 +1,2 @@
-# Deployment scenario ocis with oc10 backend and traefik as reverse proxy
-
-## Setup on server
-
-*   Clone ocis repository
-
-  `git clone https://github.com/owncloud/ocis.git`
-
-*   Copy example folder to /opt
-  `cp deployment/examples/ocis_oc10_backend /opt/`
-
-*   Overwrite OCIS_DOMAIN and OC10_DOMAIN in .env with your-ocis.domain.com and your-oc10.domain.com
-
-  `sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocis_oc10_backend/.env`
-
-  `sed -i 's/oc10.domain.com/your-oc10.domain.com/g' /opt/ocis_oc10_backend/.env`
-
-*   Overwrite redirect uris with your-ocis.domain.com and your-oc10.domain.com in identifier-registration.yml
-
-  `sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocis_oc10_backend/ocis/identifier-registration.yml`
-
-  `sed -i 's/oc10.domain.com/your-oc10.domain.com/g' /opt/ocis_oc10_backend/ocis/identifier-registration.yml`
-
-*   Change into deployment folder
-
-  `cd /opt/ocis_oc10_backend`
-
-*   Start application stack
-
-  `docker-compose up -d`
+Please refer to [our documentation](https://owncloud.github.io/ocis/deployment/ocis_oc10_backend/)
+for instructions on how to deploy this scenario.
diff --git a/deployments/examples/ocis_oc10_backend/docker-compose.yml b/deployments/examples/ocis_oc10_backend/docker-compose.yml
@@ -41,6 +41,11 @@ services:
     volumes:
       - "letsencrypt:/letsencrypt"
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
+    networks:
+      default:
+        aliases:
+          - ${OC10_DOMAIN}
+          - ${OCIS_DOMAIN}
 
   owncloud:
     build:
@@ -52,6 +57,8 @@ services:
       - db
       - redis
     environment:
+      OCIS_DOMAIN: ${OCIS_DOMAIN}
+      PROXY_LOG_LEVEL: debug
       OWNCLOUD_DOMAIN: ${OC10_DOMAIN}
       OWNCLOUD_DB_TYPE: mysql
       OWNCLOUD_DB_NAME: owncloud
@@ -88,33 +95,28 @@ services:
       - "traefik.http.routers.oc10-redirs.middlewares=redirect-to-https"
 
   ocis:
-    image: owncloud/ocis:latest
+    build:
+      context: ./ocis
+      dockerfile: Dockerfile
+      args:
+        OCIS_DOMAIN: ${OCIS_DOMAIN}
+        OC10_DOMAIN: ${OC10_DOMAIN}
     ports:
       - 9200:9200
     environment:
-      OCIS_DOMAIN: ${OCIS_DOMAIN}
+      OCIS_LOG_LEVEL: debug
+      # proxy
       PROXY_CONFIG_FILE: "/config/proxy-config.json"
       PROXY_TLS: "false"
       PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
-      PROXY_OIDC_INSECURE: "true"
       PROXY_AUTOPROVISION_ACCOUNTS: "true"
+      PROXY_OIDC_INSECURE: "${INSECURE}"
+      # konnectd - binddn must exist as oc10 admin user
       KONNECTD_ISS: https://${OCIS_DOMAIN}
-      KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yml"
+      KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yaml"
       KONNECTD_TLS: 0
       KONNECTD_SIGNING_KID: super
-      GRAPH_OIDC_ENDPOINT: https://${OC10_DOMAIN}/apps/graphapi/v1.0
-      PHOENIX_OIDC_AUTHORITY: https://${OCIS_DOMAIN}
-      PHOENIX_OIDC_METADATA_URL: https://${OCIS_DOMAIN}/.well-known/openid-configuration
-      PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
-      PHOENIX_WEB_CONFIG: "/config/web/config.json"
-      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN}
-      STORAGE_TRANSFER_EXPIRES: 86400
-      STORAGE_FRONTEND_URL: https://${OCIS_DOMAIN}
-      STORAGE_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
-      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN}
-      GLAUTH_BACKEND_DATASTORE: owncloud
-      GLAUTH_BACKEND_SERVERS: https://${OC10_DOMAIN}/apps/graphapi/v1.0
-      GLAUTH_BACKEND_BASEDN: dc=example,dc=org
+      KONNECTD_INSECURE: "${INSECURE}"
       LDAP_URI: ldap://localhost:9125
       LDAP_BINDDN: "cn=admin,dc=example,dc=org"
       LDAP_BINDPW: "admin"
@@ -126,9 +128,23 @@ services:
       LDAP_UUID_ATTRIBUTE: uid
       LDAP_UUID_ATTRIBUTE_TYPE: text
       LDAP_FILTER: "(objectClass=posixaccount)"
+      # glauth
+      GLAUTH_BACKEND_DATASTORE: owncloud
+      GLAUTH_BACKEND_SERVERS: https://${OC10_DOMAIN}/apps/graphapi/v1.0
+      GLAUTH_BACKEND_INSECURE: "${INSECURE}"
+      # graph
+      GRAPH_OIDC_ENDPOINT: https://${OC10_DOMAIN}/apps/graphapi/v1.0
+      # web ui
+      PHOENIX_WEB_CONFIG: "/config/web/config.json"
+      # storage - although not used, yet
+      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN}
+      STORAGE_OIDC_INSECURE: "${INSECURE}"
+      STORAGE_TRANSFER_EXPIRES: 86400
+      STORAGE_FRONTEND_URL: https://${OCIS_DOMAIN}
+      STORAGE_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
+      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN}
     volumes:
-      - ./ocis:/config
-      - ./ocis/proxy-config.json:/etc/ocis/proxy.json
+      - ./ocis/config/proxy-config.json:/etc/ocis/proxy.json
     labels:
       - "traefik.enable=true"
       - "traefik.http.services.ocis.loadbalancer.server.port=9200"
@@ -143,7 +159,6 @@ services:
       - "traefik.http.routers.ocis-redirs.rule=Host(`${OCIS_DOMAIN}`)"
       - "traefik.http.routers.ocis-redirs.entrypoints=web"
       - "traefik.http.routers.ocis-redirs.middlewares=redirect-to-https"
-
   db:
     image: webhippie/mariadb:latest
     restart: always

diff --git a/deployments/examples/ocis_oc10_backend/oc10/overlay/etc/templates/config.php b/deployments/examples/ocis_oc10_backend/oc10/overlay/etc/templates/config.php
@@ -32,12 +32,14 @@ function getConfigFromEnv() {
       0 => $domain
     ],
     'openid-connect' => [
-        'provider-url' => 'https://${OCIS_DOMAIN}',
+        'provider-url' => 'https://' . getenv('OCIS_DOMAIN'),
         'client-id' => 'oc10',
         'client-secret' => 'super',
         'loginButtonName' => 'OpenId Connect',
         'search-attribute' => 'preferred_username',
         'mode' => 'userid',
+        'autoRedirectOnLoginPage' => true,
+        'insecure' => true,
       ],
     'datadirectory' => getenv('OWNCLOUD_VOLUME_FILES'),
     'dbtype' => getenv('OWNCLOUD_DB_TYPE'),
@@ -47,8 +49,8 @@ function getConfigFromEnv() {
     'dbpassword' => getenv('OWNCLOUD_DB_PASSWORD'),
     'dbtableprefix' => getenv('OWNCLOUD_DB_PREFIX'),
 
-    'phoenix.baseUrl' => 'https://${OCIS_DOMAIN}',
-    'cors.allowed-domains' => ['https://${OCIS_DOMAIN}'],
+    'phoenix.baseUrl' => 'https://'. getenv('OCIS_DOMAIN'),
+    'cors.allowed-domains' => ['https://'. getenv('OCIS_DOMAIN')],
 
     'log_type' => 'owncloud',
 
@@ -552,4 +554,4 @@ function getConfigFromEnv() {
   return $config;
 }
 
-$CONFIG = getConfigFromEnv();
+$CONFIG = getConfigFromEnv();
diff --git a/deployments/examples/ocis_oc10_backend/ocis/Dockerfile b/deployments/examples/ocis_oc10_backend/ocis/Dockerfile
@@ -0,0 +1,11 @@
+FROM owncloud/ocis:latest
+
+ARG OCIS_DOMAIN
+ENV OCIS_DOMAIN $OCIS_DOMAIN
+ARG OC10_DOMAIN
+ENV OC10_DOMAIN $OC10_DOMAIN
+
+ADD config /config
+RUN sed -i "s/ocis.example.org/${OCIS_DOMAIN}/g" /config/web/config.json \
+    && sed -i "s/ocis.example.org/${OCIS_DOMAIN}/g" /config/identifier-registration.yaml \
+    && sed -i "s/oc10.example.org/${OC10_DOMAIN}/g" /config/identifier-registration.yaml \
diff --git a/..._backend/ocis/identifier-registration.yml → .../ocis/config/identifier-registration.yaml b/..._backend/ocis/identifier-registration.yml → .../ocis/config/identifier-registration.yaml
@@ -7,15 +7,11 @@ clients:
     insecure: yes
     trusted: yes
     redirect_uris:
-      - http://ocis.domain.com/oidc-callback.html
-      - http://ocis.domain.com/
-      - https://ocis.domain.com/
-      - https://ocis.domain.com/oidc-callback.html
-      - http://ocis.domain.com/oidc-silent-redirect.html
-      - https://ocis.domain.com/oidc-silent-redirect.html
+      - https://ocis.example.org/
+      - https://ocis.example.org/oidc-callback.html
+      - https://ocis.example.org/oidc-silent-redirect.html
     origins:
-      - http://ocis.domain.com
-      - https://ocis.domain.com
+      - https://ocis.example.org
 
   - id: oc10
     name: OC10
@@ -24,11 +20,9 @@ clients:
     insecure: yes
     trusted: yes
     redirect_uris:
-      - https://oc10.domain.com/apps/openidconnect/redirect/
-      - https://oc10.domain.com/apps/openidconnect/redirect
+      - https://oc10.example.org/apps/openidconnect/redirect
     origins:
-      - http://oc10.domain.com
-      - https://oc10.domain.com
+      - https://oc10.example.org
 
   - id: ocis-explorer.js
     name: OCIS Graph Explorer

diff --git a/deployments/examples/ocis_oc10_backend/ocis/config/proxy-config.json b/deployments/examples/ocis_oc10_backend/ocis/config/proxy-config.json
@@ -0,0 +1,61 @@
+{
+  "HTTP": {
+    "Namespace": "works.owncloud"
+  },
+  "policy_selector": {
+    "static": {
+      "policy": "oc10"
+    }
+  },
+  "policies": [
+    {
+      "name": "oc10",
+      "routes": [
+        {
+          "endpoint": "/",
+          "backend": "http://localhost:9100"
+        },
+        {
+          "endpoint": "/.well-known/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/konnect/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/signin/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/ocs/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/remote.php/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/dav/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/webdav/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/status.php",
+          "backend": "http://owncloud:8080"
+        },
+        {
+          "endpoint": "/index.php/",
+          "backend": "http://owncloud:8080"
+        }
+      ]
+    }
+  ]
+}
diff --git a/deployments/examples/ocis_oc10_backend/ocis/config/web/config.json b/deployments/examples/ocis_oc10_backend/ocis/config/web/config.json
@@ -0,0 +1,39 @@
+{
+  "server": "https://ocis.example.org",
+  "theme": "owncloud",
+  "version": "0.1.0",
+  "openIdConnect": {
+    "metadata_url": "https://ocis.example.org/.well-known/openid-configuration",
+    "authority": "https://ocis.example.org",
+    "client_id": "phoenix",
+    "response_type": "code",
+    "scope": "openid profile email"
+  },
+  "applications": [
+    {
+      "title": {
+        "en": "Classic Design",
+        "de": "Klassisches ownCloud"
+      },
+      "icon": "switch_ui",
+      "url": "https://ocis.example.org",
+      "target": "_self"
+    },
+    {
+      "title": {
+        "en": "Settings",
+        "de": "Einstellungen"
+      },
+      "icon": "application",
+      "url": "https://ocis.example.org/index.php/settings/personal",
+      "target": "_self",
+      "menu": "user"
+    }
+  ],
+  "apps": [
+    "files",
+    "draw-io",
+    "markdown-editor",
+    "media-viewer"
+  ]
+}