updated docker compose file with 2.0 services

Author: holashchand

.env

@@ -1 +1,31 @@
-RELEASE_VERSION=v1.0.0
+RELEASE_VERSION=v2.0.0
+KEYCLOAK_SECRET=**********
+
+# vault service
+VAULT_ADDR=http://0.0.0.0:8200
+VAULT_API_ADDR=http://0.0.0.0:8200
+VAULT_ADDRESS=http://0.0.0.0:8200
+
+# identity service
+VAULT_ADDR=http://vault:8200
+VAULT_TOKEN=
+VAULT_BASE_URL=http://vault:8200/v1
+VAULT_ROOT_PATH=http://vault:8200/v1/kv
+VAULT_TIMEOUT=5000
+VAULT_PROXY=false
+SIGNING_ALGORITHM=Ed25519Signature2020
+JWKS_URI=
+ENABLE_AUTH=false
+WEB_DID_BASE_URL=https://example.com/identifier
+
+# credential schema service
+IDENTITY_BASE_URL=http://identity:3332
+JWKS_URI=
+ENABLE_AUTH=false
+
+# credential service
+IDENTITY_BASE_URL=http://identity:3332
+SCHEMA_BASE_URL=http://schema:3333
+CREDENTIAL_SERVICE_BASE_URL=https://example.com/credentials
+JWKS_URI=
+ENABLE_AUTH=false

.gitignore

@@ -88,5 +88,6 @@ out
 
 .ipynb_checkpoints
 db-data*
+vault-data
 es-data*
 keycloak-mobile*.jar

Makefile

@@ -90,4 +90,7 @@ release: test
     	  docker push $$image:latest;\
     	  docker push $$image:$(RELEASE_VERSION);\
       	done
-	@cd tools/cli/ && npm publish
+	@cd tools/cli/ && npm publish
+
+compose-init:
+	bash setup_vault.sh docker-compose.yml vault

docker-compose.yml

@@ -80,7 +80,7 @@ services:
       - did_generate_url=${DID_GENERATE_URL-http://identity:3332/did/generate}
       - did_resolve_url=${DID_RESOLVE_URL-http://identity:3332/did/resolve}
       - signature_enabled=${SIGNATURE_ENABLED-false}
-      - signature_provider=${SIGNATURE_PROVIDER-dev.sunbirdrc.registry.service.impl.SignatureV1ServiceImpl}
+      - signature_provider=${SIGNATURE_PROVIDER-dev.sunbirdrc.registry.service.impl.SignatureV2ServiceImpl}
       - signature_v2_health_check_url=${SIGNATURE_V2_HEALTH_CHECK_URL-http://credential:3000/health}
       - signature_v2_issue_url=${SIGNATURE_V2_ISSUE_URL-http://credential:3000/credentials/issue}
       - signature_v2_get_url=${SIGNATURE_V2_GET_URL-http://credential:3000/credentials/{id}}
@@ -110,7 +110,7 @@ services:
       - logging.level.root=INFO
       - enable_external_templates=true
       - async_enabled=${ASYNC_ENABLED-false}
-      - authentication_enabled=${AUTHENTICATION_ENABLED-true}
+      - authentication_enabled=${AUTHENTICATION_ENABLED-false}
       - kafka_bootstrap_address=kafka:9092
       - webhook_enabled=false
       - webhook_url=http://localhost:5001/api/v1/callback
@@ -124,9 +124,6 @@ services:
       - notification_url=${NOTIFICATION_URL-http://notification-ms:8765/notification-service/v1/notification}
     ports:
       - '8081:8081'
-    networks:
-      default:
-      rcw:
     depends_on:
       db:
         condition: service_healthy
@@ -191,35 +188,101 @@ services:
       interval: 30s
       timeout: 10s
       retries: 10
-  certificate-signer:
-    image: ghcr.io/sunbird-rc/sunbird-rc-certificate-signer:${RELEASE_VERSION}
-    environment:
-      - PORT=8079
-      - TIME_ZONE=Asia/Kolkata
-    ports:
-      - '8079:8079'
+  vault:
+    image: vault:1.13.3
+    restart: always
     volumes:
-      - ./imports:/etc/signer
-    healthcheck:
-      test: ['CMD-SHELL', 'curl -f http://localhost:8079/health || exit 1']
-      interval: 30s
-      timeout: 10s
-      retries: 10
-  certificate-api:
-    image: ghcr.io/sunbird-rc/sunbird-rc-certificate-api:${RELEASE_VERSION}
+      - ./vault.json:/vault/config/vault.json
+      - ./vault-data:/vault/file
     environment:
-      - PORT=8078
+      - VAULT_ADDR=${VAULT_ADDR}
+      - VAULT_API_ADDR=${VAULT_API_ADDR}
+      - VAULT_ADDRESS=${VAULT_ADDRESS}
+    cap_add:
+      - IPC_LOCK
+    command: vault server -config=/vault/config/vault.json
     ports:
-      - '8078:8078'
+      - 8200:8200
     healthcheck:
       test:
         [
-          'CMD-SHELL',
-          'wget -nv -t1 --spider http://localhost:8078/health || exit 1',
+          "CMD-SHELL",
+          "wget --spider http://127.0.0.1:8200/v1/sys/health || exit 1",
         ]
-      interval: 30s
-      timeout: 10s
-      retries: 10
+      interval: 10s
+      timeout: 5s
+      retries: 3
+  identity:
+    image: ghcr.io/sunbird-rc/sunbird-rc-identity-service:${RELEASE_VERSION}
+    ports:
+      - "3332:3332"
+    depends_on:
+      vault:
+        condition: service_healthy
+      db:
+        condition: service_healthy
+    environment:
+      - DATABASE_URL=postgres://postgres:postgres@db:5432/registry
+      - VAULT_ADDR=${VAULT_ADDR}
+      - VAULT_TOKEN=${VAULT_TOKEN}
+      - VAULT_BASE_URL=${VAULT_BASE_URL}
+      - VAULT_ROOT_PATH=${VAULT_ROOT_PATH}
+      - VAULT_TIMEOUT=${VAULT_TIMEOUT}
+      - VAULT_PROXY=${VAULT_PROXY}
+      - SIGNING_ALGORITHM=${SIGNING_ALGORITHM}
+      - JWKS_URI=${JWKS_URI}
+      - ENABLE_AUTH=${ENABLE_AUTH}
+      - WEB_DID_BASE_URL=${WEB_DID_BASE_URL}
+    healthcheck:
+      test:
+        [ "CMD-SHELL", "curl -f http://localhost:3332/health || exit 1" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+  credential-schema:
+    image: ghcr.io/sunbird-rc/sunbird-rc-credential-schema:${RELEASE_VERSION}
+    ports:
+      - "3333:3333"
+    depends_on:
+      db:
+        condition: service_healthy
+      identity:
+        condition: service_healthy
+    environment:
+      - DATABASE_URL=postgres://postgres:postgres@db:5432/registry
+      - IDENTITY_BASE_URL=${IDENTITY_BASE_URL}
+      - JWKS_URI=${JWKS_URI}
+      - ENABLE_AUTH=${ENABLE_AUTH}
+    healthcheck:
+      test:
+        [ "CMD-SHELL", "curl -f http://localhost:3333/health || exit 1" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+  credential:
+    image: ghcr.io/sunbird-rc/sunbird-rc-credentials-service:${RELEASE_VERSION}
+    ports:
+      - "3000:3000"
+    depends_on:
+      db:
+        condition: service_healthy
+      identity:
+        condition: service_healthy
+      credential-schema:
+        condition: service_healthy
+    environment:
+      - DATABASE_URL=postgres://postgres:postgres@db:5432/registry
+      - IDENTITY_BASE_URL=${IDENTITY_BASE_URL}
+      - SCHEMA_BASE_URL=${SCHEMA_BASE_URL}
+      - CREDENTIAL_SERVICE_BASE_URL=${CREDENTIAL_SERVICE_BASE_URL}
+      - JWKS_URI=${JWKS_URI}
+      - ENABLE_AUTH=${ENABLE_AUTH}
+    healthcheck:
+      test:
+        [ "CMD-SHELL", "curl -f http://localhost:3000/health || exit 1" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
   file-storage:
     image: quay.io/minio/minio
     volumes:
@@ -413,8 +476,3 @@ services:
     depends_on:
       db:
         condition: service_healthy
-
-
-networks:
-  rcw:
-    external: true

setup_vault.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# This script does the following things
+# * Start a vault instance with vault/vault.json configuration
+# * Unseal the vault
+# * Create a v2 kv engine
+# * Prints the unseal keys and root token
+# * This script does not automatically unseal vault on restarts, it only works with fresh installations
+
+COMPOSE_FILE="${1:-docker-compose.yml}"
+SERVICE_NAME="${2:-vault}"
+
+echo "Setting up $SERVICE_NAME in $COMPOSE_FILE"
+
+docker-compose -f "$COMPOSE_FILE" up -d "$SERVICE_NAME"
+
+# Function to check if Vault is ready
+check_vault_status() {
+  vault_status=$(docker-compose -f "$COMPOSE_FILE" exec "$SERVICE_NAME" vault status 2>&1)
+  if [[ $vault_status == *"connection refused"* ]]; then
+    echo "Unable to connect to Vault. Waiting for Vault to start..."
+    return 1
+  elif [[ $vault_status == *"Sealed             true"* ]]; then
+    echo "Vault is sealed. Waiting for unsealing..."
+    return 0
+  else
+    echo "Unsealed and up. Moving to next steps."
+    return 0
+  fi
+}
+
+
+# Wait for Vault service to become available
+until check_vault_status; do
+    echo "Waiting for Vault service to start..."
+    sleep 1;
+done
+
+
+if [[ $vault_status == *"Initialized     true"* ]]; then
+    echo "Vault is initialized already. Unsealing if it is not unsealed"
+else
+  # keys contains ansi escape sequences, remove them if any
+  docker-compose -f "$COMPOSE_FILE" exec -T "$SERVICE_NAME" vault operator init > ansi-keys.txt
+  sed 's/\x1B\[[0-9;]*[JKmsu]//g' < ansi-keys.txt  > keys.txt
+fi
+
+sed -n 's/Unseal Key [1-1]\+: \(.*\)/\1/p' keys.txt > parsed-key.txt
+key=$(cat parsed-key.txt)
+docker-compose -f "$COMPOSE_FILE" exec -T "$SERVICE_NAME" vault operator unseal "$key" < /dev/null
+
+sed -n 's/Unseal Key [2-2]\+: \(.*\)/\1/p' keys.txt > parsed-key.txt
+key=$(cat parsed-key.txt)
+docker-compose -f "$COMPOSE_FILE" exec -T "$SERVICE_NAME" vault operator unseal "$key" < /dev/null
+
+sed -n 's/Unseal Key [3-3]\+: \(.*\)/\1/p' keys.txt > parsed-key.txt
+key=$(cat parsed-key.txt)
+docker-compose -f "$COMPOSE_FILE" exec -T "$SERVICE_NAME" vault operator unseal "$key" < /dev/null
+
+root_token=$(sed -n 's/Initial Root Token: \(.*\)/\1/p' keys.txt | tr -dc '[:print:]')
+
+if [[ $vault_status == *"Initialized     true"* ]]; then
+    echo "Vault is initialized already. Skipping creating a KV engine"
+else
+  sed -i "s/VAULT_TOKEN=.*/VAULT_TOKEN=$root_token/" ".env"
+  docker-compose -f "$COMPOSE_FILE" exec -e VAULT_TOKEN=$root_token -T "$SERVICE_NAME" vault secrets enable -path=kv kv-v2
+fi
+
+echo -e "\nNOTE: KEYS ARE STORED IN keys.txt"
+
+if [ -f "ansi-keys.txt" ] ; then
+    rm ansi-keys.txt
+fi
+
+if [ -f "parsed-key.txt" ] ; then
+    rm parsed-key.txt
+fi

vault.json

@@ -0,0 +1,18 @@
+{
+  "listener": {
+    "tcp": {
+      "address": "0.0.0.0:8200",
+      "tls_disable": 1
+    }
+  },
+  "backend": {
+    "file": {
+      "path": "/vault/file"
+    }
+  },
+  "default_lease_ttl": "168h",
+  "max_lease_ttl": "0h",
+  "api_addr": "http://0.0.0.0:8200",
+  "ui": "true",
+  "disable_mlock": "true"
+}