From 6a075c67507a106dcf0e6d673bb63f070bc20a29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Mu=CC=88ller?=
Date: Wed, 14 Oct 2020 13:03:36 +0200
Subject: [PATCH] Adds external konnectd deployment
---
 .../ocis_external_konnectd/idpnode/.env | 2 +
 .../config/identifier-registration.yml | 16 +++++
 .../idpnode/docker-compose.yml | 59 ++++++++++++++++++
 .../ocis_external_konnectd/ocisnode/.env | 2 +
 .../ocisnode/docker-compose.yml | 61 +++++++++++++++++++
 5 files changed, 140 insertions(+)
 create mode 100644 deployments/examples/ocis_external_konnectd/idpnode/.env
 create mode 100644 deployments/examples/ocis_external_konnectd/idpnode/config/identifier-registration.yml
 create mode 100644 deployments/examples/ocis_external_konnectd/idpnode/docker-compose.yml
 create mode 100644 deployments/examples/ocis_external_konnectd/ocisnode/.env
 create mode 100644 deployments/examples/ocis_external_konnectd/ocisnode/docker-compose.yml
diff --git a/deployments/examples/ocis_external_konnectd/idpnode/.env b/deployments/examples/ocis_external_konnectd/idpnode/.env
new file mode 100644
index 0000000000..007cbc4e88
--- /dev/null
+++ b/deployments/examples/ocis_external_konnectd/idpnode/.env
@@ -0,0 +1,2 @@
+OCIS_DOMAIN=ocis.domain.com
+IDP_DOMAIN=idp.domain.com
\ No newline at end of file
diff --git a/deployments/examples/ocis_external_konnectd/idpnode/config/identifier-registration.yml b/deployments/examples/ocis_external_konnectd/idpnode/config/identifier-registration.yml
new file mode 100644
index 0000000000..cea467bb58
--- /dev/null
+++ b/deployments/examples/ocis_external_konnectd/idpnode/config/identifier-registration.yml
@@ -0,0 +1,16 @@
+---
+# OpenID Connect client registry.
+clients:
+ - id: phoenix
+ name: OCIS
+ application_type: web
+ insecure: yes
+ trusted: yes
+ redirect_uris:
+ - http://ocis.domain.com/oidc-callback.html
+ - http://ocis.domain.com/
+ - https://ocis.domain.com/
+ - https://ocis.domain.com/oidc-callback.html
+ origins:
+ - http://ocis.domain.com
+ - https://ocis.domain.com
diff --git a/deployments/examples/ocis_external_konnectd/idpnode/docker-compose.yml b/deployments/examples/ocis_external_konnectd/idpnode/docker-compose.yml
new file mode 100644
index 0000000000..91274ec29d
--- /dev/null
+++ b/deployments/examples/ocis_external_konnectd/idpnode/docker-compose.yml
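Review bot: `insecure: yes` and `trusted: yes` are YAML 1.1 truthy words that a 1.2 parser reads as the strings "yes"; write `insecure: false` and `trusted: true` so the intent is unambiguous. The `http://ocis.domain.com...` entries under redirect_uris and origins are only reachable if something serves port 80, and neither Traefik instance in this commit opens an http entrypoint, so they can be dropped — which is also what allows `insecure` to become false, since that flag is presumably what permits plain-http redirect targets and would otherwise let a code be delivered over cleartext. This file also hard-codes ocis.domain.com while the compose file mounts ./config verbatim and the host name lives in OCIS_DOMAIN, so a comment such as `# redirect_uris/origins must match OCIS_DOMAIN in ../.env; this file is not templated` would spare the next deployer a broken login.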
@@ -0,0 +1,59 @@
+version: '3.7'
+
+services:
+
+ traefik:
+ image: "traefik:v2.2"
+ container_name: "traefik"
+ networks:
+ - idpnet
+ command:
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.websecure.address=:443"
+ - "--certificatesresolvers.idp.acme.tlschallenge=true"
+ - "--certificatesresolvers.idp.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
+ - "--certificatesresolvers.idp.acme.email=postmaster@${IDP_DOMAIN}"
+ - "--certificatesresolvers.idp.acme.storage=/letsencrypt/acme.json"
+ ports:
+ - "443:443"
+ - "8080:8080"
+ volumes:
+ - "~/letsencrypt:/letsencrypt"
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+ konnectd:
+ container_name: konnectd
+ image: owncloud/ocis-konnectd:latest
+ networks:
+ - idpnet
+ ports:
+ - "9130:9130"
+ volumes:
+ - ./config:/etc/ocis
+ environment:
+ OCIS_LOG_LEVEL: debug
+ KONNECTD_ISS: https://${IDP_DOMAIN}
+ KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
+ KONNECTD_LOG_LEVEL: debug
+ KONNECTD_TLS: '0'
+ LDAP_URI: ldap://${OCIS_DOMAIN}:9125
+ LDAP_BINDDN: cn=konnectd,ou=sysusers,dc=example,dc=org
+ LDAP_BINDPW: konnectd
+ LDAP_BASEDN: ou=users,dc=example,dc=org
+ LDAP_SCOPE: sub
+ LDAP_LOGIN_ATTRIBUTE: cn
+ LDAP_EMAIL_ATTRIBUTE: mail
+ LDAP_NAME_ATTRIBUTE=: n
+ LDAP_UUID_ATTRIBUTE: uid
+ LDAP_UUID_ATTRIBUTE_TYPE: text
+ LDAP_FILTER: (objectClass=posixaccount)
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.idp.rule=Host(`${IDP_DOMAIN}`)"
+ - "traefik.http.routers.idp.entrypoints=websecure"
+ - "traefik.http.routers.idp.tls.certresolver=idp"
+ - "traefik.docker.network=idpnet"
+ - "traefik.port=9130"
+ - "traefik.protocol=https"
diff --git a/deployments/examples/ocis_external_konnectd/ocisnode/.env b/deployments/examples/ocis_external_konnectd/ocisnode/.env
new file mode 100644
index 0000000000..007cbc4e88
--- /dev/null
+++ b/deployments/examples/ocis_external_konnectd/ocisnode/.env
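Review bot: `LDAP_NAME_ATTRIBUTE=: n` is malformed — Compose will hand the container a variable literally named `LDAP_NAME_ATTRIBUTE=` with value `n`, so konnectd never receives the name attribute; it should read `LDAP_NAME_ATTRIBUTE: <attribute>` (the intended value is not recoverable from the hunk; `sn` if the usual surname attribute is meant). `LDAP_URI: ldap://${OCIS_DOMAIN}:9125` combined with `LDAP_BINDPW: konnectd` means the bind password and every user lookup travel between the two hosts in cleartext; at minimum move the password into .env and add a comment stating that 9125 must only be reachable over a private network or via ldaps. `traefik.port=9130` and `traefik.protocol=https` are Traefik v1 labels that v2.2 ignores, and since `KONNECTD_TLS: '0'` makes the backend plain http, `protocol=https` would be wrong even on v1; the ocisnode compose in this commit adds `traefik.http.services.ocis.loadbalancer.server.port=9200` (while carrying the same two v1 labels against `PROXY_TLS: "false"`), so this file needs the equivalent `traefik.http.services.idp.loadbalancer.server.port=9130`. `--api.insecure=true` together with `"8080:8080"` publishes the unauthenticated Traefik dashboard on both nodes (the ocisnode compose repeats it); drop the port mapping or the flag for anything beyond a local test. Publishing `"9130:9130"` likewise exposes the same plaintext konnectd endpoint next to the TLS route, so it can go once Traefik routes to the container.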
@@ -0,0 +1,2 @@
+OCIS_DOMAIN=ocis.domain.com
+IDP_DOMAIN=idp.domain.com
\ No newline at end of file
diff --git a/deployments/examples/ocis_external_konnectd/ocisnode/docker-compose.yml b/deployments/examples/ocis_external_konnectd/ocisnode/docker-compose.yml
new file mode 100644
index 0000000000..7b4c69a4e2
--- /dev/null
+++ b/deployments/examples/ocis_external_konnectd/ocisnode/docker-compose.yml
@@ -0,0 +1,61 @@
+version: '3.7'
+
+services:
+
+ traefik:
+ image: "traefik:v2.2"
+ container_name: "traefik"
+ networks:
+ - ocisnet
+ command:
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.websecure.address=:443"
+ - "--certificatesresolvers.ocis.acme.tlschallenge=true"
+ - "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
+ - "--certificatesresolvers.ocis.acme.email=postmaster@${OCIS_DOMAIN}"
+ - "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme.json"
+ ports:
+ - "443:443"
+ - "8080:8080"
+ volumes:
+ - "~/letsencrypt:/letsencrypt"
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+ ocis:
+ container_name: ocis
+ image: owncloud/ocis:latest
+ tty: true
+ privileged: true
+ stdin_open: true
+ ports:
+ - 9200:9200
+ - 9125:9125
+ hostname: ocis
+ networks:
+ - ocisnet
+ environment:
+ OCIS_DOMAIN: ${OCIS_DOMAIN}
+ PROXY_OIDC_ISSUER: https://${IDP_DOMAIN}
+ PROXY_OIDC_INSECURE: "true"
+ PROXY_TLS: "false"
+ GRAPH_OIDC_ENDPOINT: https://${IDP_DOMAIN}
+ REVA_OIDC_ISSUER: https://${IDP_DOMAIN}
+ REVA_LDAP_IDP: https://${IDP_DOMAIN}
+ PHOENIX_OIDC_AUTHORITY: https://${IDP_DOMAIN}
+ PHOENIX_OIDC_METADATA_URL: https://${IDP_DOMAIN}/.well-known/openid-configuration
+ PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
+ OCIS_LOG_LEVEL: debug
+ REVA_TRANSFER_EXPIRES: 86400
+ REVA_FRONTEND_URL: https://${OCIS_DOMAIN}
+ REVA_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
+ - "traefik.http.routers.ocis.entrypoints=websecure"
+ - "traefik.http.routers.ocis.tls.certresolver=ocis"
+ - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+ - "traefik.docker.network=ocisnet"
+ - "traefik.port=9200"
+ - "traefik.protocol=https"
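Review bot: `privileged: true` on the ocis service gives the container full access to the host (every capability and device), and nothing visible in the hunk needs it; remove it, or if one capability is genuinely required add it via `cap_add` with a comment stating why. `PROXY_OIDC_INSECURE: "true"` disables certificate verification toward the IdP even though the idpnode in this commit obtains a Let's Encrypt certificate, so it should be `"false"` — a misconfigured issuer then fails loudly instead of any presented certificate being accepted. The unquoted `9200:9200` and `9125:9125` mappings publish the plain-http proxy (`PROXY_TLS: "false"`) and the LDAP listener straight to the host, bypassing the Traefik TLS route; quote them (`"9200:9200"`, matching the idpnode file) and bind them to the interface the idpnode actually reaches, with a comment noting that 9125 carries unencrypted LDAP. `image: owncloud/ocis:latest` (and `ocis-konnectd:latest` on the idpnode) is unpinned; pin a tag or digest so the example deploys the same bits twice.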