-
Notifications
You must be signed in to change notification settings - Fork 24.2k
/
docker-compose.yml
182 lines (178 loc) · 9.71 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
version: '3.7'
services:
elasticsearch-node:
image: elasticsearch:test
environment:
- discovery.type=single-node
- node.name=elasticsearch-node
- cluster.name=elasticsearch-node
- bootstrap.memory_lock=true
- network.publish_host=127.0.0.1
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- path.repo=/tmp/es-repo
- node.attr.testattr=test
- cluster.routing.allocation.disk.watermark.low=1b
- cluster.routing.allocation.disk.watermark.high=1b
- cluster.routing.allocation.disk.watermark.flood_stage=1b
- node.store.allow_mmap=false
- ingest.geoip.downloader.enabled=false
- xpack.license.self_generated.type=trial
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.keystore.path=testnode.jks
- xpack.security.authc.token.enabled=true
- xpack.security.authc.realms.file.file.order=0
- xpack.security.authc.realms.native.native.order=1
- xpack.security.authc.realms.oidc.c2id.order=2
- xpack.security.authc.realms.oidc.c2id.op.issuer=http://oidc-provider:8080/c2id
- xpack.security.authc.realms.oidc.c2id.op.authorization_endpoint=http://oidc-provider:8080/c2id-login
- xpack.security.authc.realms.oidc.c2id.op.token_endpoint=http://oidc-provider:8080/c2id/token
- xpack.security.authc.realms.oidc.c2id.op.userinfo_endpoint=http://oidc-provider:8080/c2id/userinfo
- xpack.security.authc.realms.oidc.c2id.op.jwkset_path=op-jwks.json
- xpack.security.authc.realms.oidc.c2id.rp.redirect_uri=https://my.fantastic.rp/cb
- xpack.security.authc.realms.oidc.c2id.rp.client_id=https://my.elasticsearch.org/rp
- xpack.security.authc.realms.oidc.c2id.rp.response_type=code
- xpack.security.authc.realms.oidc.c2id.claims.principal=sub
- xpack.security.authc.realms.oidc.c2id.claims.name=name
- xpack.security.authc.realms.oidc.c2id.claims.mail=email
- xpack.security.authc.realms.oidc.c2id.claims.groups=groups
- xpack.security.authc.realms.oidc.c2id-implicit.order=3
- xpack.security.authc.realms.oidc.c2id-implicit.op.issuer=http://oidc-provider:8080/c2id
- xpack.security.authc.realms.oidc.c2id-implicit.op.authorization_endpoint=http://oidc-provider:8080/c2id-login
- xpack.security.authc.realms.oidc.c2id-implicit.op.token_endpoint=http://oidc-provider:8080/c2id/token
- xpack.security.authc.realms.oidc.c2id-implicit.op.userinfo_endpoint=http://oidc-provider:8080/c2id/userinfo
- xpack.security.authc.realms.oidc.c2id-implicit.op.jwkset_path=op-jwks.json
- xpack.security.authc.realms.oidc.c2id-implicit.rp.redirect_uri=https://my.fantastic.rp/cb
- xpack.security.authc.realms.oidc.c2id-implicit.rp.client_id=elasticsearch-rp
- xpack.security.authc.realms.oidc.c2id-implicit.rp.response_type=id_token token
- xpack.security.authc.realms.oidc.c2id-implicit.claims.principal=sub
- xpack.security.authc.realms.oidc.c2id-implicit.claims.name=name
- xpack.security.authc.realms.oidc.c2id-implicit.claims.mail=email
- xpack.security.authc.realms.oidc.c2id-implicit.claims.groups=groups
- xpack.security.authc.realms.oidc.c2id-proxy.order=4
- xpack.security.authc.realms.oidc.c2id-proxy.op.issuer=http://oidc-provider:8080/c2id
- xpack.security.authc.realms.oidc.c2id-proxy.op.authorization_endpoint=http://oidc-provider:8080/c2id-login
- xpack.security.authc.realms.oidc.c2id-proxy.op.token_endpoint=http://oidc-provider:8080/c2id/token
- xpack.security.authc.realms.oidc.c2id-proxy.op.userinfo_endpoint=http://oidc-provider:8080/c2id/userinfo
- xpack.security.authc.realms.oidc.c2id-proxy.op.jwkset_path=op-jwks.json
- xpack.security.authc.realms.oidc.c2id-proxy.rp.redirect_uri=https://my.fantastic.rp/cb
- xpack.security.authc.realms.oidc.c2id-proxy.rp.client_id=https://my.elasticsearch.org/rp
- xpack.security.authc.realms.oidc.c2id-proxy.rp.response_type=code
- xpack.security.authc.realms.oidc.c2id-proxy.claims.principal=sub
- xpack.security.authc.realms.oidc.c2id-proxy.claims.name=name
- xpack.security.authc.realms.oidc.c2id-proxy.claims.mail=email
- xpack.security.authc.realms.oidc.c2id-proxy.claims.groups=groups
- xpack.security.authc.realms.oidc.c2id-proxy.http.proxy.host=http-proxy
- xpack.security.authc.realms.oidc.c2id-proxy.http.proxy.port=8888
- xpack.security.authc.realms.oidc.c2id-post.order=5
- xpack.security.authc.realms.oidc.c2id-post.op.issuer=http://oidc-provider:8080/c2id
- xpack.security.authc.realms.oidc.c2id-post.op.authorization_endpoint=http://oidc-provider:8080/c2id-login
- xpack.security.authc.realms.oidc.c2id-post.op.token_endpoint=http://oidc-provider:8080/c2id/token
- xpack.security.authc.realms.oidc.c2id-post.op.userinfo_endpoint=http://oidc-provider:8080/c2id/userinfo
- xpack.security.authc.realms.oidc.c2id-post.op.jwkset_path=op-jwks.json
- xpack.security.authc.realms.oidc.c2id-post.rp.redirect_uri=https://my.fantastic.rp/cb
- xpack.security.authc.realms.oidc.c2id-post.rp.client_id=elasticsearch-post
- xpack.security.authc.realms.oidc.c2id-post.rp.client_auth_method=client_secret_post
- xpack.security.authc.realms.oidc.c2id-post.rp.response_type=code
- xpack.security.authc.realms.oidc.c2id-post.claims.principal=sub
- xpack.security.authc.realms.oidc.c2id-post.claims.name=name
- xpack.security.authc.realms.oidc.c2id-post.claims.mail=email
- xpack.security.authc.realms.oidc.c2id-post.claims.groups=groups
- xpack.security.authc.realms.oidc.c2id-jwt.order=6
- xpack.security.authc.realms.oidc.c2id-jwt.op.issuer=http://oidc-provider:8080/c2id
- xpack.security.authc.realms.oidc.c2id-jwt.op.authorization_endpoint=http://oidc-provider:8080/c2id-login
- xpack.security.authc.realms.oidc.c2id-jwt.op.token_endpoint=http://oidc-provider:8080/c2id/token
- xpack.security.authc.realms.oidc.c2id-jwt.op.userinfo_endpoint=http://oidc-provider:8080/c2id/userinfo
- xpack.security.authc.realms.oidc.c2id-jwt.op.jwkset_path=op-jwks.json
- xpack.security.authc.realms.oidc.c2id-jwt.rp.redirect_uri=https://my.fantastic.rp/cb
- xpack.security.authc.realms.oidc.c2id-jwt.rp.client_id=elasticsearch-post-jwt
- xpack.security.authc.realms.oidc.c2id-jwt.rp.client_auth_method=client_secret_jwt
- xpack.security.authc.realms.oidc.c2id-jwt.rp.response_type=code
- xpack.security.authc.realms.oidc.c2id-jwt.claims.principal=sub
- xpack.security.authc.realms.oidc.c2id-jwt.claims.name=name
- xpack.security.authc.realms.oidc.c2id-jwt.claims.mail=email
- xpack.security.authc.realms.oidc.c2id-jwt.claims.groups=groups
- xpack.security.authc.realms.jwt.op-jwt.order=7
- xpack.security.authc.realms.jwt.op-jwt.allowed_issuer=http://oidc-provider:8080/c2id
- xpack.security.authc.realms.jwt.op-jwt.allowed_audiences=elasticsearch-jwt1,elasticsearch-jwt2
- xpack.security.authc.realms.jwt.op-jwt.pkc_jwkset_path=op-jwks.json
- xpack.security.authc.realms.jwt.op-jwt.claims.principal=sub
- xpack.security.authc.realms.jwt.op-jwt.claims.groups=groups
- xpack.security.authc.realms.jwt.op-jwt.client_authentication.type=shared_secret
volumes:
- ./testfixtures_shared/logs/node1:/usr/share/elasticsearch/logs
- ./build/certs/testnode.jks:/usr/share/elasticsearch/config/testnode.jks
- ./docker-test-entrypoint.sh:/docker-test-entrypoint.sh
- ./oidc/op-jwks.json:/usr/share/elasticsearch/config/op-jwks.json
ports:
- "9200"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
entrypoint: /docker-test-entrypoint.sh
healthcheck:
start_period: 15s
test: ["CMD", "curl", "-f", "-u", "x_pack_rest_user:x-pack-test-password", "-k", "https://localhost:9200"]
interval: 10s
timeout: 2s
retries: 5
openldap:
command: --copy-service --loglevel debug
image: "osixia/openldap:1.4.0"
ports:
- "389"
- "636"
environment:
LDAP_ADMIN_PASSWORD: "NickFuryHeartsES"
LDAP_DOMAIN: "oldap.test.elasticsearch.com"
LDAP_BASE_DN: "DC=oldap,DC=test,DC=elasticsearch,DC=com"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap_server.pem"
LDAP_TLS_CA_CRT_FILENAME: "ca_server.pem"
LDAP_TLS_KEY_FILENAME: "ldap_server.key"
LDAP_TLS_VERIFY_CLIENT: "never"
LDAP_TLS_CIPHER_SUITE: "NORMAL"
LDAP_LOG_LEVEL: 256
volumes:
- ./openldap/ldif/users.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/20-bootstrap-users.ldif
- ./openldap/ldif/config.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/10-bootstrap-config.ldif
- ./openldap/certs:/container/service/slapd/assets/certs
shibboleth-idp:
image: "unicon/shibboleth-idp:3.4.2"
depends_on:
- openldap
environment:
- JETTY_MAX_HEAP=64m
- JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret
- JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret
ports:
- "4443"
links:
- openldap:openldap
volumes:
- ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf
- ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials
- ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata
- ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini
oidc-provider:
image: "c2id/c2id-server-demo:12.16.1"
depends_on:
- http-proxy
ports:
- "8080"
expose:
- "8080"
volumes:
- ./oidc/override.properties:/etc/c2id/override.properties
http-proxy:
image: "nginx:latest"
volumes:
- ./oidc/nginx.conf:/etc/nginx/nginx.conf
ports:
- "8888"
expose:
- "8888"