diff --git a/devel/.env b/devel/.env
index 5a45a805..2c7cec66 100644
--- a/devel/.env
+++ b/devel/.env
@@ -3,3 +3,4 @@ CERT_DIR=./state/x509
 COMPOSER_CONFIG_DIR=./config/composer
 WORKER_CONFIG_DIR=./config/worker
 SPANDX_CONFIG=./config/spandx/local-frontend-and-api.js
+COMPOSER_OFFLINE_TOKEN=someOfflineToken
diff --git a/devel/config/composer/acl.yml b/devel/config/composer/acl.yml
new file mode 100644
index 00000000..4d294744
--- /dev/null
+++ b/devel/config/composer/acl.yml
@@ -0,0 +1,4 @@
+## hack since oauth server is
+## using http
+- claim: typ
+ pattern: ^Bearer$
diff --git a/devel/config/composer/osbuild-composer.toml b/devel/config/composer/osbuild-composer.toml
index b14b20c2..1fbd5ff7 100644
--- a/devel/config/composer/osbuild-composer.toml
+++ b/devel/config/composer/osbuild-composer.toml
@@ -1,7 +1,16 @@
 [worker]
+request_job_timeout = "40s"
 allowed_domains = [ "localhost", "worker.osbuild.org" ]
+enable_mtls = false
+enable_jwt = true
+jwt_keys_url = "http://fauxauth:8888/certs"
+jwt_acl_file = "/etc/osbuild-composer/acl.yml"
 ca = "/etc/osbuild-composer/ca-crt.pem"
 [koji]
 allowed_domains = [ "client.osbuild.org" ]
+enable_mtls = false
+enable_jwt = true
+jwt_keys_url = "http://fauxauth:8888/certs"
+jwt_acl_file = "/etc/osbuild-composer/acl.yml"
 ca = "/etc/osbuild-composer/ca-crt.pem"
diff --git a/devel/config/worker/osbuild-worker.toml b/devel/config/worker/osbuild-worker.toml
new file mode 100644
index 00000000..5ecf5a29
--- /dev/null
+++ b/devel/config/worker/osbuild-worker.toml
@@ -0,0 +1,3 @@
+[authentication]
+oauth_url = "http://fauxauth:8888/token"
+offline_token = "/etc/osbuild-worker/token"
diff --git a/devel/config/worker/token b/devel/config/worker/token
new file mode 100644
index 00000000..e3e73c2a
--- /dev/null
+++ b/devel/config/worker/token
@@ -0,0 +1 @@
+someOfflineToken
diff --git a/devel/docker-compose.yml b/devel/docker-compose.yml
index 6592ec69..58a28151 100644
--- a/devel/docker-compose.yml
+++ b/devel/docker-compose.yml
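Review bot: The header comment in the new acl.yml does not say what the rule admits, nor why an OAuth server on plain HTTP calls for it. The only entry matches the `typ` claim against `^Bearer$`, which presumably lets through any bearer token the configured issuer signs, so for this setup the file acts as an allow-all. I would state that explicitly so the file is not copied into a real deployment, for example `## dev-only: accepts any token whose typ claim is Bearer; replace with real claim rules outside devel/`.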
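Review bot: `jwt_keys_url` in both `[worker]` and `[koji]` fetches the token-verification keys over plain HTTP, so composer's trust in every JWT rests on an unauthenticated fetch from whatever answers as `fauxauth` on the compose network. The same applies to `oauth_url` in the new osbuild-worker.toml and to `COMPOSER_TOKEN_URL` in docker-compose.yml, where the offline token is presumably sent in cleartext. That is acceptable for a local stack, but nothing in the file marks it as dev-only; a comment above each key such as `# dev-only: fauxauth serves keys over plain HTTP; use an https:// issuer elsewhere` would help. Separately, `ca` stays in both tables while `enable_mtls = false`; if it is no longer read, removing it or adding a comment would avoid suggesting that client certificates are still checked.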
@@ -7,6 +7,7 @@ services:
 dockerfile: ./distribution/Dockerfile-ubi
 volumes:
 - ${COMPOSER_CONFIG_DIR}/osbuild-composer.toml:/etc/osbuild-composer/osbuild-composer.toml:z
+ - ${COMPOSER_CONFIG_DIR}/acl.yml:/etc/osbuild-composer/acl.yml:z
 - ${CERT_DIR}/ca-crt.pem:/etc/osbuild-composer/ca-crt.pem:z
 - ${CERT_DIR}/composer-crt.pem:/etc/osbuild-composer/composer-crt.pem:z
 - ${CERT_DIR}/composer-key.pem:/etc/osbuild-composer/composer-key.pem:z
@@ -24,8 +25,8 @@ services:
 entrypoint: [ "/usr/libexec/osbuild-composer/osbuild-worker", "composer:8700" ]
 volumes:
 - ${CERT_DIR}/ca-crt.pem:/etc/osbuild-composer/ca-crt.pem:z
- - ${CERT_DIR}/worker-crt.pem:/etc/osbuild-composer/worker-crt.pem:z
- - ${CERT_DIR}/worker-key.pem:/etc/osbuild-composer/worker-key.pem:z
+ - ${WORKER_CONFIG_DIR}/osbuild-worker.toml:/etc/osbuild-worker/osbuild-worker.toml:z
+ - ${WORKER_CONFIG_DIR}/token:/etc/osbuild-worker/token:z
 environment:
 - CACHE_DIRECTORY=/var/cache/osbuild-composer
 cap_add:
@@ -77,11 +78,11 @@ services:
 - PGDATABASE=postgres
 - PGUSER=postgres
 - PGPASSWORD=postgres
- - OSBUILD_URL=https://composer:8080
+ - COMPOSER_URL=https://composer:8080
+ - COMPOSER_TOKEN_URL=http://fauxauth:8888/token
+ - COMPOSER_OFFLINE_TOKEN=${COMPOSER_OFFLINE_TOKEN}
+ - COMPOSER_CA_PATH=/etc/image-builder/ca-crt.pem
 - DISTRIBUTIONS_DIR=/app/distributions
- - OSBUILD_CERT_PATH=/etc/image-builder/client-crt.pem
- - OSBUILD_KEY_PATH=/etc/image-builder/client-key.pem
- - OSBUILD_CA_PATH=/etc/image-builder/ca-crt.pem
 - QUOTA_FILE=/config/quotas.json
 networks:
 net:
@@ -148,6 +149,19 @@ services:
 ipv4_address: 172.31.0.80
 environment:
 - GF_SECURITY_ADMIN_PASSWORD=foobar
+ fauxauth:
+ image: local/osbuild-fauxauth
+ build:
+ context: ../../osbuild-composer
+ dockerfile: ./distribution/Dockerfile-fauxauth
+ entrypoint: [ "/opt/fauxauth.py", "-a", "0.0.0.0", "-p", "8888" ]
+ volumes:
+ - ${CERT_DIR}/:/etc/osbuild-composer/:z
+ ports:
+ - "8888:8888"
+ networks:
+ net:
+ ipv4_address: 172.31.0.90
 networks:
 net:
 ipam:
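Review bot: `COMPOSER_OFFLINE_TOKEN=${COMPOSER_OFFLINE_TOKEN}` in the -77,11 hunk silently becomes an empty string when the variable is missing from devel/.env or the shell, so the service would start without a usable token. Compose's required-variable form fails at startup instead: `- COMPOSER_OFFLINE_TOKEN=${COMPOSER_OFFLINE_TOKEN:?set COMPOSER_OFFLINE_TOKEN in devel/.env}`. The hunk also drops OSBUILD_CERT_PATH and OSBUILD_KEY_PATH. The service's volumes lie outside the hunk, so it is worth checking that the client certificate and key mounts are removed too if nothing reads them any more.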
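Review bot: The new `fauxauth` service publishes `"8888:8888"`, which binds the token issuer on every host interface, and it mounts all of `${CERT_DIR}/` read-write, a directory that per the other mounts in this file holds composer-key.pem. For what is presumably a stub issuer without real authentication, I would keep it on loopback with `- "127.0.0.1:8888:8888"` (or drop `ports` if only containers on `net` call it) and mount only the files it needs, read-only, e.g. with `:ro,z`. The new token mount in the worker service (hunk -24,8) could take `:ro,z` as well.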