feat: replace single key by a jwks in docker-compose

aldbr · aldbr · commit 35299c66830c · 2025-05-07T10:20:39.000+02:00
diff --git a/tests/CI/docker-compose.yml b/tests/CI/docker-compose.yml
@@ -130,7 +130,7 @@ services:
         condition: service_healthy
       dirac-init-certificates:
         condition: service_completed_successfully # Let the init container create the certificates
-      diracx-init-key:
+      diracx-init-keystore:
         condition: service_completed_successfully # Let the init container create the signing key
       diracx-init-cs:
         condition: service_completed_successfully # Let the init container create the cs
@@ -139,10 +139,10 @@ services:
     volumes:
       - certs_data:/ca/certs
       - diracx-cs-store:/cs_store
-      - diracx-key-store:/signing-key
+      - diracx-key-store:/keystore
     environment:
       - DIRACX_CONFIG_BACKEND_URL=git+file:///cs_store/initialRepo
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE=file:///keystore/jwks.json
     command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
     pull_policy: always
 
@@ -185,33 +185,33 @@ services:
       start_period: 60s
     command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
 
-  diracx-init-key:
-    image: ghcr.io/diracgrid/diracx/secret-generation:latest
-    container_name: diracx-init-key
+  diracx-init-keystore:
+    image: ghcr.io/diracgrid/diracx/services:dev
+    container_name: diracx-init-keystore
     environment:
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY="file:///signing-key/rs256.key"
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE="file:///keystore/jwks.json"
     volumes:
-      - diracx-key-store:/signing-key/
+      - diracx-key-store:/keystore/
       # As the diracx images don't run as root we need to change the permissions of the /cs_store/ directory as well
       - diracx-cs-store:/cs_store/
     # We need to allow everybody to read the private keys
     # Because the users are different between the DIRAC and DiracX containers
     entrypoint: |
-      bash -xc "ssh-keygen -P '' -trsa -b4096 -mPEM -f/signing-key/rs256.key && chmod o+r /signing-key/rs256.* && chmod -R o=u /cs_store"
+      /entrypoint.sh bash -xc 'python -m diracx.logic rotate-jwk --jwks-path /keystore/jwks.json && chmod -R o=u /cs_store'
     pull_policy: always
 
   diracx-init-cs:
     image: ghcr.io/diracgrid/diracx/client:dev
     container_name: diracx-init-cs
     depends_on:
-      diracx-init-key:
+      diracx-init-keystore:
         condition: service_completed_successfully # Let the init container set the permission on /cs_store/
     environment:
       - DIRACX_CONFIG_BACKEND_URL=git+file:///cs_store/initialRepo
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE=file:///keystore/jwks.json
     volumes:
       - diracx-cs-store:/cs_store/
-      - diracx-key-store:/signing-key/
+      - diracx-key-store:/keystore/
     entrypoint: |
       /entrypoint.sh bash -xc 'dirac internal generate-cs /cs_store/initialRepo'
     pull_policy: always
@@ -239,7 +239,7 @@ services:
       - DIRACX_DB_URL_SANDBOXMETADATADB=mysql+aiomysql://Dirac:Dirac@mysql/SandboxMetadataDB
       - DIRACX_DB_URL_PILOTAGENTSDB=mysql+aiomysql://Dirac:Dirac@mysql/PilotAgentsDB
       - 'DIRACX_OS_DB_PILOTLOGSDB={"sqlalchemy_dsn": "mysql+aiomysql://Dirac:Dirac@mysql/PilotLogsDB"}'
-      - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
+      - DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE=file:///keystore/jwks.json
       - DIRACX_SERVICE_AUTH_TOKEN_ISSUER=http://diracx:8000
       - DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS=["http://diracx:8000/docs/oauth2-redirect"]
       # Obtained with head -c 32 /dev/urandom | base64
@@ -256,7 +256,7 @@ services:
         condition: service_completed_successfully
     volumes:
       - diracx-cs-store:/cs_store/
-      - diracx-key-store:/signing-key/
+      - diracx-key-store:/keystore/
     entrypoint: |
       /entrypoint.sh bash -xc 'uvicorn --factory diracx.routers:create_app --host=0.0.0.0'
 
