Merge pull request #8188 from aldbr/main_FEAT_jwks

feat: replace single key by a jwks in docker-compose

Author: fstagni

tests/CI/docker-compose.yml

@@ -48,7 +48,7 @@ services:
     volumes:
       - diracx-iam-key-store:/etc/indigo-iam/keystore
     depends_on:
-      - iam-init-jwks
+      - iam-init-keystore
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8080/.well-known/openid-configuration"]
       interval: 5s
@@ -57,9 +57,9 @@ services:
       start_period: 60s
     pull_policy: always
 
-  iam-init-jwks:
+  iam-init-keystore:
     image: alpine:latest
-    container_name: init-jwks
+    container_name: iam-init-keystore
     volumes:
       - diracx-iam-key-store:/jwks
     command: >
@@ -130,7 +130,7 @@ services:
         condition: service_healthy
       dirac-init-certificates:
         condition: service_completed_successfully # Let the init container create the certificates
-      diracx-init-key:
+      diracx-init-keystore:
         condition: service_completed_successfully # Let the init container create the signing key
       diracx-init-cs:
         condition: service_completed_successfully # Let the init container create the cs
@@ -139,10 +139,10 @@ services:
     volumes:
       - certs_data:/ca/certs
       - diracx-cs-store:/cs_store
-      - diracx-key-store:/signing-key
+      - diracx-key-store:/keystore
     environment:
       - DIRACX_CONFIG_BACKEND_URL=git+file:///cs_store/initialRepo
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE=file:///keystore/jwks.json
     command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
     pull_policy: always
 
@@ -185,33 +185,49 @@ services:
       start_period: 60s
     command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
 
-  diracx-init-key:
+
+  diracx-chmod:
     image: ghcr.io/diracgrid/diracx/secret-generation:latest
-    container_name: diracx-init-key
-    environment:
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY="file:///signing-key/rs256.key"
+    container_name: diracx-chmod
     volumes:
-      - diracx-key-store:/signing-key/
-      # As the diracx images don't run as root we need to change the permissions of the /cs_store/ directory as well
+      # As the diracx images don't run as root we need to change the permissions of the directories as well
+      - diracx-key-store:/keystore/
       - diracx-cs-store:/cs_store/
     # We need to allow everybody to read the private keys
     # Because the users are different between the DIRAC and DiracX containers
     entrypoint: |
-      bash -xc "ssh-keygen -P '' -trsa -b4096 -mPEM -f/signing-key/rs256.key && chmod o+r /signing-key/rs256.* && chmod -R o=u /cs_store"
+      bash -xc 'chmod -R o=u /keystore && chmod -R o=u /cs_store'
+    pull_policy: always
+
+
+  diracx-init-keystore:
+    image: ghcr.io/diracgrid/diracx/services:dev
+    container_name: diracx-init-keystore
+    depends_on:
+      diracx-chmod:
+        condition: service_completed_successfully # Let the init container set the permission on /keystore/
+    environment:
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE="file:///keystore/jwks.json"
+    volumes:
+      - diracx-key-store:/keystore/
+    entrypoint: |
+      /entrypoint.sh bash -xc 'python -m diracx.logic rotate-jwk --jwks-path /keystore/jwks.json'
     pull_policy: always
 
   diracx-init-cs:
     image: ghcr.io/diracgrid/diracx/client:dev
     container_name: diracx-init-cs
     depends_on:
-      diracx-init-key:
+      diracx-chmod:
         condition: service_completed_successfully # Let the init container set the permission on /cs_store/
+      diracx-init-keystore:
+        condition: service_completed_successfully # Let the init container create the signing key
     environment:
       - DIRACX_CONFIG_BACKEND_URL=git+file:///cs_store/initialRepo
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE=file:///keystore/jwks.json
     volumes:
       - diracx-cs-store:/cs_store/
-      - diracx-key-store:/signing-key/
+      - diracx-key-store:/keystore/
     entrypoint: |
       /entrypoint.sh bash -xc 'dirac internal generate-cs /cs_store/initialRepo'
     pull_policy: always
@@ -239,7 +255,7 @@ services:
       - DIRACX_DB_URL_SANDBOXMETADATADB=mysql+aiomysql://Dirac:Dirac@mysql/SandboxMetadataDB
       - DIRACX_DB_URL_PILOTAGENTSDB=mysql+aiomysql://Dirac:Dirac@mysql/PilotAgentsDB
       - 'DIRACX_OS_DB_PILOTLOGSDB={"sqlalchemy_dsn": "mysql+aiomysql://Dirac:Dirac@mysql/PilotLogsDB"}'
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE=file:///keystore/jwks.json
       - DIRACX_SERVICE_AUTH_TOKEN_ISSUER=http://diracx:8000
       - DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS=["http://diracx:8000/docs/oauth2-redirect"]
       # Obtained with head -c 32 /dev/urandom | base64
@@ -256,7 +272,7 @@ services:
         condition: service_completed_successfully
     volumes:
       - diracx-cs-store:/cs_store/
-      - diracx-key-store:/signing-key/
+      - diracx-key-store:/keystore/
     entrypoint: |
       /entrypoint.sh bash -xc 'uvicorn --factory diracx.routers:create_app --host=0.0.0.0'