Feature: IAM docker compose and assets files rucio#6188 (rucio#6299)

* IAM docker compose and IAM assets files

* rucio#6188 Binding to localhost and setting higher port

etc/docker/dev/docker-compose-storage-iam.yml

@@ -0,0 +1,200 @@
+version: "3"
+services:
+  rucioclient:
+    image: docker.io/rucio/rucio-dev:latest-alma9
+    command: ["sleep", "infinity"]
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      - ../../certs/hostcert_rucio.pem:/etc/grid-security/hostcert.pem:z
+      - ../../certs/hostcert_rucio.key.pem:/etc/grid-security/hostkey.pem:z
+      - ../../certs/ruciouser.pem:/opt/rucio/etc/usercert.pem:z
+      - ../../certs/ruciouser.key.pem:/opt/rucio/etc/userkey.pem:z
+      - ../../certs/ruciouser.certkey.pem:/opt/rucio/etc/usercertkey.pem:z
+      - ../../certs/ssh/ruciouser_sshkey.pub:/root/.ssh/ruciouser_sshkey.pub:z
+      - ../../certs/ssh/ruciouser_sshkey:/root/.ssh/ruciouser_sshkey:z
+      - ../../../tools:/opt/rucio/tools:Z
+      - ../../../bin:/opt/rucio/bin:Z
+      - ../../../lib:/opt/rucio/lib:Z
+      - ../../../tests:/opt/rucio/tests:Z
+    environment:
+      - X509_USER_CERT=/opt/rucio/etc/usercert.pem
+      - X509_USER_KEY=/opt/rucio/etc/userkey.pem
+      - RDBMS=postgres14
+  rucio:
+    image: docker.io/rucio/rucio-dev:latest-alma9
+    ports:
+      - "127.0.0.1:8443:443"
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      - ../../certs/hostcert_rucio.pem:/etc/grid-security/hostcert.pem:z
+      - ../../certs/hostcert_rucio.key.pem:/etc/grid-security/hostkey.pem:z
+      - ../../certs/ruciouser.pem:/opt/rucio/etc/usercert.pem:z
+      - ../../certs/ruciouser.key.pem:/opt/rucio/etc/userkey.pem:z
+      - ../../certs/ruciouser.certkey.pem:/opt/rucio/etc/usercertkey.pem:z
+      - ../../certs/ssh/ruciouser_sshkey.pub:/root/.ssh/ruciouser_sshkey.pub:z
+      - ../../certs/ssh/ruciouser_sshkey:/root/.ssh/ruciouser_sshkey:z
+      - ../../../tools:/opt/rucio/tools:Z
+      - ../../../bin:/opt/rucio/bin:Z
+      - ../../../lib:/opt/rucio/lib:Z
+      - ../../../tests:/opt/rucio/tests:Z
+    environment:
+      - X509_USER_CERT=/opt/rucio/etc/usercert.pem
+      - X509_USER_KEY=/opt/rucio/etc/userkey.pem
+      - RDBMS=postgres14
+  ruciodb:
+    image: docker.io/postgres:14
+    ports:
+      - "127.0.0.1:5432:5432"
+    environment:
+      - POSTGRES_USER=rucio
+      - POSTGRES_DB=rucio
+      - POSTGRES_PASSWORD=secret
+    command: ["-c", "fsync=off","-c", "synchronous_commit=off","-c", "full_page_writes=off"]
+  graphite:
+    image: docker.io/graphiteapp/graphite-statsd
+    ports:
+      - "127.0.0.1:8080:80"
+  fts:
+    image: docker.io/rucio/fts
+    ports:
+      - "127.0.0.1:8446:8446"
+      - "127.0.0.1:8449:8449"
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      - ../../certs/hostcert_fts.pem:/etc/grid-security/hostcert.pem:Z
+      - ../../certs/hostcert_fts.key.pem:/etc/grid-security/hostkey.pem:Z
+  ftsdb:
+    image: docker.io/mysql:8
+    ports:
+      - "127.0.0.1:3306:3306"
+    command: --default-authentication-plugin=mysql_native_password
+    environment:
+      - MYSQL_USER=fts
+      - MYSQL_PASSWORD=fts
+      - MYSQL_ROOT_PASSWORD=fts
+      - MYSQL_DATABASE=fts
+  xrd1:
+    image: docker.io/rucio/xrootd
+    ports:
+      - "127.0.0.1:1094:1094"
+    environment:
+      - XRDPORT=1094
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      - ../../certs/hostcert_xrd1.pem:/tmp/xrdcert.pem:Z
+      - ../../certs/hostcert_xrd1.key.pem:/tmp/xrdkey.pem:Z
+  xrd2:
+    image: docker.io/rucio/xrootd
+    ports:
+      - "127.0.0.1:1095:1095"
+    environment:
+      - XRDPORT=1095
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      - ../../certs/hostcert_xrd2.pem:/tmp/xrdcert.pem:Z
+      - ../../certs/hostcert_xrd2.key.pem:/tmp/xrdkey.pem:Z
+  xrd3:
+    image: docker.io/rucio/xrootd
+    ports:
+      - "127.0.0.1:1096:1096"
+    environment:
+      - XRDPORT=1096
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      - ../../certs/hostcert_xrd3.pem:/tmp/xrdcert.pem:Z
+      - ../../certs/hostcert_xrd3.key.pem:/tmp/xrdkey.pem:Z
+  xrd4:
+    image: docker.io/rucio/xrootd
+    ports:
+      - "127.0.0.1:1097:1097"
+    environment:
+      - XRDPORT=1097
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      - ../../certs/hostcert_xrd4.pem:/tmp/xrdcert.pem:Z
+      - ../../certs/hostcert_xrd4.key.pem:/tmp/xrdkey.pem:Z
+  minio:
+    image: docker.io/minio/minio
+    ports:
+      - "127.0.0.1:9000:9000"
+    environment:
+      - MINIO_ACCESS_KEY=admin
+      - MINIO_SECRET_KEY=password
+    volumes:
+      - ../../certs/hostcert_minio.pem:/root/.minio/certs/public.crt:Z
+      - ../../certs/hostcert_minio.key.pem:/root/.minio/certs/private.key:Z
+    command: ["server", "/data"]
+  activemq:
+    image: docker.io/webcenter/activemq:latest
+    ports:
+      - "127.0.0.1:61613:61613"
+    environment:
+      - ACTIVEMQ_CONFIG_NAME=activemq
+      - ACTIVEMQ_CONFIG_DEFAULTACCOUNT=false
+      - ACTIVEMQ_USERS_fts=supersecret
+      - ACTIVEMQ_GROUPS_writes=fts
+      - ACTIVEMQ_USERS_receiver=supersecret
+      - ACTIVEMQ_GROUPS_reads=receiver
+      - ACTIVEMQ_CONFIG_SCHEDULERENABLED=true
+  ssh1:
+    image: docker.io/rucio/ssh
+    ports:
+      - "127.0.0.1:2222:22"
+    volumes:
+      - ../../certs/ssh/ruciouser_sshkey.pub:/tmp/sshkey.pub:Z
+  db-iam:
+    image: mariadb:10.11
+    environment:
+      - TZ=Europe/Paris
+      - MYSQL_ROOT_PASSWORD=supersecret
+      - MYSQL_USER=iam
+      - MYSQL_PASSWORD=secret
+      - MYSQL_DATABASE=iam_db
+    ports:
+      - "127.0.0.1:3307:3306"
+  nginx-iam:
+    image: nginx
+    dns_search: cern.ch
+    environment:
+      TZ: Europe/Paris
+      NGINX_HOST: iam
+      NGINX_PORT: 443
+    ports:
+      - "127.0.0.1:9443:443"
+    volumes:
+      - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+      # - ../../certs/hostcert_rucio.pem:/etc/grid-security/hostcert.pem:z
+      # - ../../certs/hostcert_rucio.key.pem:/etc/grid-security/hostkey.pem:z
+      - /etc/grid-security/:/etc/grid-security/
+      - /dev/urandom:/dev/random
+      - ../../iam-assets/iam.conf:/etc/nginx/conf.d/default.conf:ro
+  iam:
+    image: indigoiam/iam-login-service:v1.8.2
+    volumes:
+      - ../../iam-assets/keystore.jwks:/keystore.jwks:ro
+    environment:
+      - IAM_JAVA_OPTS=-Djava.security.egd=file:/dev/urandom -Dspring.profiles.active=prod,oidc,cern,registration,wlcg-scopes -agentlib:jdwp=transport=dt_socket,server=y,address=1044,suspend=n -Dlogging.file.name=/var/log/iam/iam.log
+      - IAM_HOST=<IAM_HOSTNAME>
+      - IAM_PORT=8090
+      - IAM_BASE_URL=https://<IAM_HOSTNAME>
+      - IAM_ISSUER=https://<IAM_HOSTNAME>
+      - IAM_FORWARD_HEADERS_STRATEGY=native
+      - IAM_KEY_STORE_LOCATION=file:/keystore.jwks
+      - IAM_JWK_CACHE_LIFETIME=21600
+      # - IAM_X509_TRUST_ANCHORS_DIR=/etc/grid-security/certificates
+      # - IAM_X509_TRUST_ANCHORS_REFRESH=14400
+      - IAM_TOMCAT_ACCESS_LOG_ENABLED=false
+      - IAM_TOMCAT_ACCESS_LOG_DIRECTORY=/tmp
+      - IAM_ACTUATOR_USER_USERNAME=user
+      - IAM_ACTUATOR_USER_PASSWORD=secret
+      - IAM_LOCAL_RESOURCES_ENABLE=true
+      - IAM_LOCAL_RESOURCES_LOCATION=file:/indigo-iam/local-resources
+      - IAM_ORGANISATION_NAME=rucio-dc
+      - IAM_TOPBAR_TITLE="INDIGO IAM for rucio-dc"
+      - IAM_DB_HOST=<IAM_DB_HOSTNAME>
+      - IAM_DB_PORT=3307
+      - IAM_DB_NAME=iam_db
+      - IAM_DB_USERNAME=iam
+      - IAM_DB_PASSWORD=secret
+    ports:
+      - "127.0.0.1:8090:8090"

etc/iam-assets/iam.conf

@@ -0,0 +1,27 @@
+server {
+  listen        443 ssl;
+  server_name   <hostname>;
+  access_log   /var/log/nginx/iam.access.log  combined;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_certificate      /etc/grid-security/hostcert.pem;
+  ssl_certificate_key  /etc/grid-security/hostkey.pem;
+
+  location / {
+    proxy_pass              http://<hostname>:8090;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto https;
+    proxy_set_header        Host $http_host;
+  }
+}
+
+proxy_set_header        X-SSL-Client-Cert $ssl_client_cert;
+proxy_set_header        X-SSL-Client-I-Dn $ssl_client_i_dn;
+proxy_set_header        X-SSL-Client-S-Dn $ssl_client_s_dn;
+proxy_set_header        X-SSL-Client-Serial $ssl_client_serial;
+proxy_set_header        X-SSL-Client-V-Start $ssl_client_v_start;
+proxy_set_header        X-SSL-Client-V-End   $ssl_client_v_end;
+proxy_set_header        X-SSL-Client-Verify  $ssl_client_verify;
+proxy_set_header        X-SSL-Protocol $ssl_protocol;
+proxy_set_header        X-SSL-Server-Name $ssl_server_name;

etc/iam-assets/keystore.jwks

@@ -0,0 +1,16 @@
+{
+  "keys": [
+    {
+      "p": "9KpF2OFJu5S0TUX0oYI8Gi3W2tvqjpsfxPuHLc2_0qWkUq5R3p9H0kl495ys1XE2LPl0HFn3ap026waSjt-wFw",
+      "kty": "RSA",
+      "q": "l9yCwi8L2Tr493EJFsBUPrfupgp6gUwDZZGCt9b1aBihHPFIpy-OWE9f6KOX3TmnAOWtbwsFWNB5DljrnJDVdQ",
+      "d": "Ae5d6AKyfNHe1jOWsZgFXa7PcNdJdPVzs_QwlWd1CrC6SWbWcFheZ5tZgLfG3hRiLS03wxqnRYGXy7MqCnVIidmI9FmTc6VmouXG2ZdbWbQirnx_C6wbb6L0K5SceJn4MzqpIcTttMzsW3k7iYfH_LrqMmUfSIg8YxuqRUbApME",
+      "e": "AQAB",
+      "kid": "rsa1",
+      "qi": "nDagjeZyayVV2tojjaljot2gOAAU4y4DYuqDrFWtgdTXCkN_7uIIANx7V_fkE-_rTJRaHxJ3f_w6Pko69VXaOw",
+      "dp": "OhuanSjchyWJMPUVZap1tc3_QlmKurXS9Mi8UT-VeGUIwu5N2W7A8wuqJDzcu5C4yjOwxO8FGRgfq_ASrMYpnw",
+      "dq": "aICzbsOHSM6_QzADDCgAEUTrslFlqhJQCBYROUdwi1jfjhYwY_Ri5TyCCIqDWBZzaTekmNShslOL6qagRJaafQ",
+      "n": "kSMufwC7v4SYroKch9fEnDw4Q7yQgzPdLvDkSNG-3nbkcRBkwDyyfP36JfQimZ1u1-VENGD9sr_LiRbSrZmKUgLH7JP1rxROlxPoIGw0yJA0C7iK2RH9X8H6_mIitx7LimLP4Gl4cfKR6vUZJyPYz_B-DDT89ZONM4MsGXqunYM"
+    }
+  ]
+}