Part 1: Crowd SSO
Goal:
Setup SSO for atlassian bitbucket using crowd while fedarating users from external IdP. And end to end SSL termination.
Let's break down the setup:
- Integrate Crowd with Redhat SSO ( external IdP in my case )
- Integarte Crowd and bitbucket
Crowd SSO provides authentication for all atlassian products. As my users are authenticated and authorized via Redhat SSO, I donot want to disturb it. Therefore in this scenario RedHat is and Idp and Crowd is SP.
SAML SSO concepts are pretty interesting and if you dont underatand the abbrevations such as SSO, IdP, SP etc, it high time you should familarize yourself with it. Here is link "TOPIC likh" to get started.
Let's begin
Primarily we are going to focus on setting up the above task on EC2, later we can deploy it on Fargate or ECS EC2.
I personally got good exposure while seting up this project like how SAML SSO works, how do we mount an EBS volume, Letsencrypt working, SSL termination, whats keytool/pkcs12, variablizing a jinja template and more. So here I am writing down my experience and sharing the things I learnt along the way in most simplest words. Hope it helps you too :)
Save some time for yourself and have spare domain to work around. Also I hope you know how DNS works.
- Crowd custom docker image
Any product you land upon and completely unaware of it and have time constraint, try not to fall in loop hole. I tend to do most of the time but this time I got my way around.
Always start with basic requirements:
- What version do we need and quick overview of its features
- OS requirements
- Software requirements
- Hardware requirementsLink to Crowd supported platforms (https://confluence.atlassian.com/crowd/supported-platforms-191851.html)
To enable SSO we need to run it on https and for that we need legit certificate. So at container runtime certificate will be generated using Letsencrypt and provided to it.
Link to my github repo
-
certificate.sh
To generate certificate at run time using LetsEncrypt. There is limit for generating the certificate i.e you get five attempts. On exceeding the attempts you have to wait for like a week to generate new one. Also this certificate have to be renewed every 90 days. Now when your container fails you don’t want your certificate.sh script to be executed again leading to blockage. So solution around here is mounting the volume to container. Interesting point here is LetsEncrypt takes care if certificate exists? If so it checks for renewal due date. This way you don’t have to worry about the number of time script being executed.
-
server.xml.j2
Go through the crowd repo to broaden your understanding.https://bitbucket.org/atlassian-docker/docker-atlassian-crowd/src/master/. Crowd provides jinja template where I have modified accordingly to run Crowd on https. You can choose to run it on anyother port too.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/var/atlassian/application-data/crowd/crowd.pkcs12" keystorePass="{{ keystore_password | default('') }}" keyAlias="tomcat" keyPass="{{ keystore_password | default('') }}"/>
keystore ( explain about it and why we need )
- DockerfileCreate custom docker image from official crowd docker image i.e. crowd 4.1Copy the above two files with respective permissions.
ENTRYPOINT
Is the first to execute at run time therefore am providing script certificate.sh which will first generate certificate, adds into key tool and then executes entrypoint.py for crowd to get started.
- Run Crowd locally
Following commands are optional. But it is good practice to run an application by repective user and controlling it. I have used UID 2004 as per official crowd Dockerfile, don't wanna mess around that! Well this will coma handy when you are going to mount volume external and running it on production.
## Create crowd user
useradd --create-home --home /home/crowd --uid 2004 --user-group --shell /bin/bash crowd
## Mount volume
Mount the volume: mkdir -p /var/atlassian/application-data/crowd
## Add permission
chown -R crowd:crowd /var/atlassian/application-data/crowd
Build and Run Docker image
## Docker build
docker build -t crowd_sso .
## Docker run
docker run -v /var/atlassian/application-data/crowd:/var/atlassian/application-data/crowd -itd -p 0.0.0.0:8443:8443 --env-file ./varList.txt crowd_sso:latest
## Docker logs
docker logs <container-id>
Check logs and ensure crowd is running on https://crowd.dafaqcode.com