Commit 61ccb7d4 authored by Ľuboslav Pivarč's avatar Ľuboslav Pivarč

moved SAML-K8S

parent cc13eafe
FROM ubuntu:18.04
LABEL maintainer="456130@mail.muni.cz"
# apache2 and mellon module installation
RUN apt-get update &&\
apt-get install -y apache2 &&\
apt-get install -y libapache2-mod-auth-mellon &&\
apt-get clean
RUN ln -sf /proc/self/fd/1 /var/log/apache2/access.log && \
ln -sf /proc/self/fd/2 /var/log/apache2/error.log
COPY ./proxy.conf /etc/apache2/sites-available/proxy.conf
COPY ./http_cbiood.edirex.ics.muni.cz_mellon.key \
./http_cbiood.edirex.ics.muni.cz_mellon.cert \
/etc/apache2/mellon/
COPY mellon.conf mellon.conf
COPY start.sh start.sh
COPY idp-metadata.xml idp-metadata.xml
COPY http_cbiood.edirex.ics.muni.cz_mellon.xml /sp-metadata.xml
RUN rm -rf /etc/apache2/sites-enabled/*
RUN a2enmod proxy && \
a2enmod proxy_http && \
a2enmod rewrite && \
a2enmod ssl && \
a2enmod headers && \
a2ensite proxy.conf && \
mkdir /etc/apache2/ssl &&\
mkdir /etc/apache2/sites-enabled/routes
ENV TZ=Europe/Prague
RUN chmod +x start.sh
EXPOSE 80
#Flask
RUN apt-get install -y python3 && \
apt-get install -y python3-pip && \
pip3 install Flask
ENV LC_ALL=C.UTF-8 \
LANG=C.UTF-8 \
FLASK_APP=/secure-routing/app/app.py
COPY ./secure-routing /secure-routing
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
RUN mkdir -p /var/log/supervisor
#supervisor
RUN apt-get update && \
apt-get install -y supervisor && \
apt-get clean
EXPOSE 5000
CMD [ "/start.sh" ]
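Review bot: The SAML SP private key is copied into an image layer on L17-L19, so anyone who can pull the image (or read `docker history`) can extract the signing key; deliver it at runtime instead (a Kubernetes Secret mounted at `/etc/apache2/mellon/`) and drop the `.key` file from that `COPY`. L37 runs `apt-get install` in a layer with no preceding `apt-get update`; it only works because L13 ran `apt-get clean` rather than removing the package lists, and it will break once those cached lists go stale, so prefix it with `apt-get update && ` as L47 does. `pip3 install Flask` on L39 is unpinned, so rebuilds are not reproducible. The image never switches `USER`, and the README section below documents a `--build-arg SOURCE` that no `ARG` in this Dockerfile declares.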
# APACHE SAML Configuration
# Build
command:
docker build -t <repo>/<image-name>:<tag>
example:
docker build -t lpivo/k8s-saml:t1 .
docker build --build-arg SOURCE=/mylocation/secure-routing \
-t lpivo/k8s-saml:t1 .
args:
SOURCE -> location of python app source code
-> default=./secure-routing
#!/bin/sh
#Run if you dont have sp metadata which are registered on idp
#create metadata
./helper.sh "http://cbiood.edirex.ics.muni.cz/mellon" "http://cbiood.edirex.ics.muni.cz/mellon"
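Review bot: Both the entity ID and the endpoint URL passed to `helper.sh` on L66 use plain `http://`, so the AssertionConsumerService advertised in the generated sp-metadata (L186-L187) receives SAML responses over cleartext unless TLS is terminated in front of the proxy; the Dockerfile enables `mod_ssl` (L28) but proxy.conf only binds `*:80` (L249). If an upstream ingress terminates TLS, say so in a comment here, because the IdP will redirect the browser to exactly this URL; otherwise the endpoint argument should be `https://…` and the vhost needs a TLS listener.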
#!/usr/bin/env bash
set -e
PROG="$(basename "$0")"
printUsage() {
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
echo ""
echo "Example:"
echo " $PROG urn:someservice https://sp.example.org/mellon"
echo ""
}
if [ "$#" -lt 2 ]; then
printUsage
exit 1
fi
ENTITYID="$1"
if [ -z "$ENTITYID" ]; then
echo "$PROG: An entity ID is required." >&2
exit 1
fi
BASEURL="$2"
if [ -z "$BASEURL" ]; then
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
exit 1
fi
if ! echo "$BASEURL" | grep -q '^https\?://'; then
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
exit 1
fi
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^:/]*\).*#\1#')"
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')"
echo "Output files:"
echo "Private key: $OUTFILE.key"
echo "Certificate: $OUTFILE.cert"
echo "Metadata: $OUTFILE.xml"
echo "Host: $HOST"
echo
echo "Endpoints:"
echo "SingleLogoutService: $BASEURL/logout"
echo "AssertionConsumerService: $BASEURL/postResponse"
echo
# No files should not be readable by the rest of the world.
umask 0077
TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
cat >"$TEMPLATEFILE" <<EOF
RANDFILE = /dev/urandom
[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
[req_distinguished_name]
commonName = $HOST
EOF
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
rm -f "$TEMPLATEFILE"
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
cat >"$OUTFILE.xml" <<EOF
<EntityDescriptor entityID="$ENTITYID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/logout"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/postResponse" index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
EOF
umask 0777
chmod go+r "$OUTFILE.xml"
chmod go+r "$OUTFILE.cert"
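Review bot: `2>/dev/null` on L122 discards openssl's diagnostics, so when key generation fails the script aborts via `set -e` with no message at all; removing the redirect is enough to make the failure visible. The key is written under `umask 0077` (L109) so it is unreadable to other local users, but it lands in the working directory next to the files that are meant to be committed, and this commit does commit it (L161); a `.gitignore` entry for `*.key` would prevent that. The `umask 0777` on L140 only affects files created afterwards, of which there are none, so it is harmless, but a one-line comment would save the next reader a double-take.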
-----BEGIN CERTIFICATE-----
MIICzzCCAbcCFBT9Z4ukaoX5prNGPZ526Sdxc95vMA0GCSqGSIb3DQEBCwUAMCQx
IjAgBgNVBAMMGWNiaW9vZC5lZGlyZXguaWNzLm11bmkuY3owHhcNMTkwNDE3MDkz
MjIwWhcNMjkwNDE2MDkzMjIwWjAkMSIwIAYDVQQDDBljYmlvb2QuZWRpcmV4Lmlj
cy5tdW5pLmN6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3NQgk74l
XyXwwdH5/mF6hQPbVNmuIkAI8c4JVsZcXzpzObhL+89y2XROteLvxqVSmCXH7x9h
dwhaLzKCWQiUTNIXauimQHfRtyUGPisxcNzYf/sV3ecB/J9/ug5wtnfqAf8UWHB7
QeTBGBgSgUlTZ7S4r5CB4sReFKtJuiiK1F9OUpDe2RInbZMuEiTgqkX1o6J0ABZA
8xoW2XMxMoxI6mcI8sXlI2KJa351eWfS9cJ+m8RZEFT5DLF1kqeckah1tsdYxAD8
SB1B2yV256baJjpgQEfXYDchLTh49HD2sEom5hKwuTWiB26wGTGTsr8a75jous7M
nz/wg3GlzDd/AQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDTCSD2ipchyE4xHvTJ
X12T15QLKrvvPnNZM2/LF2nAhR+JRjBKgHbMnuDWu6quwQ+uJiKASaM+hi+9XJqh
SQZjvmUAvTzqUncjQ170bqfip5+JmUPYj0PIwD58Xnb28nXDOmQ4XxvP2i4YEdwW
coUto0qkLusqz/ZPU8qQmPL18XB8zgewzgVbRBESy1lUtJSr53AwMjGstlqx4dMx
DBSyGA2GO6dkVSqto9kBZ7s87kxxNCrA/tQZmB5km3CZwEyx6hCKyJqQw+Huh+Ex
TO9R3dX2NRDztD8ZMQks+Uf6PfV/lqOpciHOE2FuiK8cceWzJgEueI6l6AXTxcnR
pcO5
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
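Review bot: This is the SP's private signing key, committed to the repository alongside its certificate (L143-L160) and metadata; once pushed it has to be treated as compromised regardless of repository visibility. Rotate it — rerun helper.sh, re-register the new sp-metadata with the IdP, and purge this file from history — and provide the replacement to the container through a Kubernetes Secret mounted at `/etc/apache2/mellon/` rather than through `COPY` (Dockerfile L17-L19).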
<EntityDescriptor entityID="http://cbiood.edirex.ics.muni.cz/mellon" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICzzCCAbcCFBT9Z4ukaoX5prNGPZ526Sdxc95vMA0GCSqGSIb3DQEBCwUAMCQx
IjAgBgNVBAMMGWNiaW9vZC5lZGlyZXguaWNzLm11bmkuY3owHhcNMTkwNDE3MDkz
MjIwWhcNMjkwNDE2MDkzMjIwWjAkMSIwIAYDVQQDDBljYmlvb2QuZWRpcmV4Lmlj
cy5tdW5pLmN6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3NQgk74l
XyXwwdH5/mF6hQPbVNmuIkAI8c4JVsZcXzpzObhL+89y2XROteLvxqVSmCXH7x9h
dwhaLzKCWQiUTNIXauimQHfRtyUGPisxcNzYf/sV3ecB/J9/ug5wtnfqAf8UWHB7
QeTBGBgSgUlTZ7S4r5CB4sReFKtJuiiK1F9OUpDe2RInbZMuEiTgqkX1o6J0ABZA
8xoW2XMxMoxI6mcI8sXlI2KJa351eWfS9cJ+m8RZEFT5DLF1kqeckah1tsdYxAD8
SB1B2yV256baJjpgQEfXYDchLTh49HD2sEom5hKwuTWiB26wGTGTsr8a75jous7M
nz/wg3GlzDd/AQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDTCSD2ipchyE4xHvTJ
X12T15QLKrvvPnNZM2/LF2nAhR+JRjBKgHbMnuDWu6quwQ+uJiKASaM+hi+9XJqh
SQZjvmUAvTzqUncjQ170bqfip5+JmUPYj0PIwD58Xnb28nXDOmQ4XxvP2i4YEdwW
coUto0qkLusqz/ZPU8qQmPL18XB8zgewzgVbRBESy1lUtJSr53AwMjGstlqx4dMx
DBSyGA2GO6dkVSqto9kBZ7s87kxxNCrA/tQZmB5km3CZwEyx6hCKyJqQw+Huh+Ex
TO9R3dX2NRDztD8ZMQks+Uf6PfV/lqOpciHOE2FuiK8cceWzJgEueI6l6AXTxcnR
pcO5</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cbiood.edirex.ics.muni.cz/mellon/logout"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cbiood.edirex.ics.muni.cz/mellon/postResponse" index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://login.europdx.eu/idp/">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<shibmd:Scope regexp="false">europdx.eu</shibmd:Scope>
<mdui:UIInfo><mdui:DisplayName xml:lang="en">EuroPDX research infrastructure AAI</mdui:DisplayName>
<mdui:Description xml:lang="en">
This service is identity provider for EuroPDX community.
</mdui:Description>
<mdui:InformationURL xml:lang="en">https://europdx.eu</mdui:InformationURL>
<mdui:PrivacyStatementURL xml:lang="en">https://TBA</mdui:PrivacyStatementURL>
<mdui:Keywords xml:lang="en">EuroPDX proxy biology life sciences</mdui:Keywords>
<mdui:Logo width="96" height="96">
https://login.elixir-czech.org/media/elixir-96x96.jpg
</mdui:Logo>
</mdui:UIInfo>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.europdx.eu/proxy/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.europdx.eu/proxy/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">EuroPDX</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">EuroPDX</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">https://europdx.eu</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>EuroPDX</md:GivenName>
<md:SurName>AAI</md:SurName>
<md:EmailAddress>vyskocilpavel@muni.cz</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
AuthType Mellon
MellonEnable auth
Require valid-user
include /etc/apache2/fqdn.conf
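Review bot: Nothing on this page loads this file: start.sh moves it to `/etc/apache2/sites-enabled/mellon/` (L272, L281), proxy.conf only includes `sites-enabled/routes/*.conf` (L268), and Ubuntu's stock `apache2.conf` picks up `sites-enabled/*.conf` at the top level only, so `Require valid-user` would never take effect unless the per-route configs (not shown) `Include` it themselves. If that is the intent, a comment at the top such as `# Included from each /etc/apache2/sites-enabled/routes/*.conf` would make the dependency explicit; otherwise the proxied routes are reachable without SAML authentication.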
<VirtualHost *:80>
ServerName ${SERVERNAME}
ServerAdmin ${EMAILADMIN}
ErrorLog "/var/log/apache2/error.log"
CustomLog "/var/log/apache2/access.log" common
TransferLog "/var/log/apache2/access.log"
ProxyPreserveHost On
<Location / >
MellonSPPrivateKeyFile /etc/apache2/mellon/sp_key.pem
MellonSPCertFile /etc/apache2/mellon/sp_cert.pem
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
# Mapping of attribute names to something readable
MellonSetEnv "name" "urn:oid:2.16.840.1.113730.3.1.241"
MellonSetEnv "mail" "urn:oid:0.9.2342.19200300.100.1.3"
MellonSetEnv "eppn" "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
MellonSetEnv "entitlement" "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
MellonSetEnv "eduPersonUniqueId" "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
</Location>
IncludeOptional /etc/apache2/sites-enabled/routes/*.conf
</Virtualhost>
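Review bot: The variables this file expands do not line up with what start.sh defines: L283-L284 write `Define FQDN ${HOST}` and `Define EMAILADMIN ${ADMIN_USER}`, while the Deployment (L488-L491) sets `SERVERNAME` and `EMAILADMIN` and neither `HOST` nor `ADMIN_USER`, so `FQDN` ends up empty and unused, and `EMAILADMIN` is presumably defined as an empty string that shadows the environment value `ServerAdmin ${EMAILADMIN}` on L251 would otherwise read — verify against a running container. Either change start.sh to `echo "Define EMAILADMIN ${EMAILADMIN}"` (and `Define FQDN ${SERVERNAME}`) or drop fqdn.conf and rely on the environment directly. `</Virtualhost>` on L269 works because directive names are case-insensitive, but `</VirtualHost>` matches the opening tag and most linters.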
#!/bin/sh
mellon=/etc/apache2/mellon
mellonconf=/etc/apache2/sites-enabled/mellon/
cd /$mellon
# move mellon metadata
mv /sp-metadata.xml /${mellon}/sp-metadata.xml
mv /idp-metadata.xml $mellon
mv ${mellon}/*.cert ${mellon}/sp_cert.pem
mv ${mellon}/*.key ${mellon}/sp_key.pem
# mellon conf
mkdir $mellonconf
mv /mellon.conf ${mellonconf}
# create fqdn.conf
echo "Define FQDN ${HOST}" >/etc/apache2/fqdn.conf
echo "Define EMAILADMIN ${ADMIN_USER}" >> /etc/apache2/fqdn.conf
# run Apache
#/usr/sbin/apache2ctl -D FOREGROUND
#run supervisor
/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
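Review bot: supervisord is started as a child of the shell on L288 rather than replacing it, so with `CMD ["/start.sh"]` the shell is PID 1, pod termination delivers SIGTERM to the shell only, and supervisord with Apache and Flask under it is killed only when the grace period expires; change it to `exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf`. The script also has no `set -e`, so if any `mv` on L275-L278 fails (for example the key glob matching nothing) Apache still starts with a half-populated mellon directory; add `set -eu` after the shebang. `cd /$mellon` on L273 yields `//etc/apache2/mellon` because `$mellon` already begins with `/`; `cd "$mellon"` is what is meant.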
[supervisorctl]
[supervisord]
nodaemon=true
[program:flaskAPI]
stdout_logfile=/dev/stdout
stdout_maxbytes=0
stdout_logfile_maxbytes=0
command=flask run --host=0.0.0.0
[program:apache2]
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
stdout_maxbytes=0
stderr_maxbytes=0
stdout_logfile_maxbytes=0
stdout_logfile=/dev/stdout
user=root
killasgroup=true
stopasgroup=true
command=/usr/sbin/apache2ctl -D FOREGROUND
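Review bot: `command=flask run --host=0.0.0.0` on L296 starts Flask's development server bound to all interfaces, and the `cbio-proxy-api` Service (L493-L509) exposes that port cluster-wide; the dev server is not hardened for production use, so the app should run under a WSGI server (e.g. gunicorn, which would need to be installed in the Dockerfile). Both programs run as root — explicitly via `user=root` on L304 and by inheritance for `flaskAPI`, since supervisord itself is root — whereas only Apache needs root to bind port 80 and drops its workers to `www-data` anyway; add `user=www-data` (or a dedicated account) to the Flask program. `stdout_maxbytes`/`stderr_maxbytes` (L294, L300-L301) do not appear to be supervisor option names — the real ones, `stdout_logfile_maxbytes`/`stderr_logfile_maxbytes`, are already present — so they can be removed.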
apiVersion: v1
kind: Namespace
metadata:
name: cbio-on-demand
apiVersion: v1
kind: Namespace
metadata:
name: cbio-on-demand
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: cbio-on-demand
name: cbio-api
annotations:
maintainer: Luboslav Pivarc <456130@muni.cz>
spec:
selector:
matchLabels:
app: cbio-api
type: ondemand
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
labels:
app: cbio-api
type: ondemand
spec:
serviceAccountName: cbio-api
containers:
- name: cbio-api
image: lpivo/api:tr7
ports:
- name: http
containerPort: 8080
livenessProbe:
httpGet:
path: /actuator/health
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 2
readinessProbe:
httpGet:
path: /actuator/health
port: http
initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 2
---
apiVersion: v1
kind: Service
metadata:
name: cbio-api
namespace: cbio-on-demand
labels:
app: cbio-api
type: ondemand
annotations:
maintainer: Luboslav Pivarc <456130@muni.cz>
spec:
selector:
app: cbio-api
type: ondemand
ports:
- port: 80
targetPort: http
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: identifiers.example.com
annotations:
maintainer: Luboslav Pivarc <456130@muni.cz>
spec:
scope: Namespaced
group: example.com
version: v1beta1
names:
kind: identifier
singular: identifier
plural: identifiers
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mysql-cbio-db
namespace: cbio-on-demand
data:
mysql.conf: "# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights
reserved.\n#\n# This program is free software; you can redistribute it and/or
modify\n# it under the terms of the GNU General Public License as published
by\n# the Free Software Foundation; version 2 of the License.\n#\n# This program
is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY;
without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You
should have received a copy of the GNU General Public License\n# along with
this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin
St, Fifth Floor, Boston, MA 02110-1301 USA\n\n#\n# The MySQL Server configuration
file.\n#\n# For explanations see\n# http://dev.mysql.com/doc/mysql/en/server-system-variables.html\n\n[mysqld]\npid-file\t=
/var/run/mysqld/mysqld.pid\nsocket\t\t= /var/run/mysqld/mysqld.sock\ndatadir\t\t=
/var/lib/mysql\n#log-error\t= /var/log/mysql/error.log\n# By default we only
accept connections from localhost\n#bind-address\t= 127.0.0.1\n# Disabling symbolic-links
is recommended to prevent assorted security risks\nsymbolic-links=0\n\n#\n#
* Fine Tuning\n#\n\nkey_buffer_size = 4G\nmax_heap_table_size =
512M\ntmp_table_size = 512M\nmax_allowed_packet = 256M\nthread_stack
\ = 256K\nthread_cache_size = 20\n# This replaces the startup
script and checks MyISAM tables if needed\n# the first time they are touched\nmyisam-recover-options
\ = BACKUP\nmax_connections = 214\n#table_cache = 64\n#thread_concurrency
\ = 10\n#\n# * Query Cache Configuration\n#\nquery_cache_limit = 1M\nquery_cache_size
\ = 0\nquery_cache_type = 0\n\n\njoin_buffer_size = 16M\ntable_open_cache
= 400\n"
---
apiVersion: v1
kind: Secret
metadata:
name: mysql-env
namespace: cbio-on-demand
data:
.env: TVlTUUxfUk9PVF9QQVNTV09SRD1QQHNzd29yZDEKTVlTUUxfVVNFUj1jYmlvCk1ZU1FMX1BBU1NXT1JEPVBAc3N3b3JkMQpNWVNRTF9EQVRBQkFTRT1jYmlvcG9ydGFsCgo=
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: cbio-on-demand
name: cbio-proxy
annotations:
maintainer: Luboslav Pivarc <456130@muni.cz>
spec:
selector:
matchLabels:
app: cbio-proxy
type: ondemand
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
labels:
app: cbio-proxy
type: ondemand
spec:
containers:
- name: cbio-proxy
image: lpivo/k8s-saml:t6
ports:
- name: http
containerPort: 80
- name: api
containerPort: 5000
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 2
env:
- name: SERVERNAME
value: cbiood.edirex.ics.muni.cz
- name: EMAILADMIN
value: 456130@mail.muni.cz
---
apiVersion: v1
kind: Service
metadata:
name: cbio-proxy-api
namespace: cbio-on-demand
labels:
app: cbio-proxy
type: ondemand
annotations:
maintainer: Luboslav Pivarc <456130@muni.cz>
spec:
selector:
app: cbio-proxy
type: ondemand
ports:
- port: 80
targetPort: api
---
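Review bot: The `mysql-env` Secret on L429-L436 carries the database root and user passwords in the manifest — base64 is an encoding, not encryption, so `.env` decodes to plaintext credentials for anyone with read access to the repository; the committed values should be rotated and the Secret created out of band (e.g. `kubectl create secret generic` from a file kept out of git, or a sealed/external-secrets controller). `apiextensions.k8s.io/v1beta1` on L384 is removed in Kubernetes 1.22 and later; the CRD should move to `v1`, which requires a `versions:` list with a schema. Neither Deployment sets `securityContext` or `resources`, and both images use mutable tags (`lpivo/api:tr7`, `lpivo/k8s-saml:t6`) rather than digests. This section may continue past the last line shown.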