Docker Compose

The IBM Security Verify Access OIDC Provider (ISVAOP) image is available from IBM Cloud Container Registry: icr.io/isva/verify-access-oidc-provider:24.06

Download the image using the docker pull command, as below.

docker pull icr.io/isva/verify-access-oidc-provider:24.06

See Software Downloads > Containers for more information.

Pre-requisites

Configuration

The configuration for the container is supplied as YAML files, template files and JavaScript files, along with any other supporting files (e.g. PEM certificate files).

Note

Boilerplate YAML configuration is available for download from the Resources Github Repository.

When the container starts, it processes the configuration found in the '/var/isvaop/config' directory. The configuration must therefore either be present in this directory before the container is started, or be mounted into it as part of startup. This can be achieved by:

  1. Pre-baking the configuration into a new image which is based on the ISVAOP image. A Dockerfile which can be used to create a pre-baked image is shown below:
##
## You can build this image by issuing the following command:
##          docker build -t acme-isvaop:1.0 $PWD
##

## The container is based on the ISVAOP container.
FROM icr.io/isva/verify-access-oidc-provider:24.06

## Copy the configuration files from the data directory
## to the docker image.
COPY data/. /var/isvaop/config/


## Some labels which will be associated with the image.
LABEL maintainer="[email protected]" \
    vendor="ACME"
  2. Placing the configuration information into a Docker volume and then mounting this volume into the Docker container. Information on Docker volumes can be found at: https://docs.docker.com/storage/volumes/;

  3. Placing the configuration information into a local directory on the Docker host and then creating a bind mount to the Docker container. Information on Docker bind mounts can be found at: https://docs.docker.com/storage/bind-mounts/.

Ports

The ISVAOP container exposes a single port for each protocol which is enabled for the server. For the HTTPS protocol the 8436 port is exposed, and for the HTTP protocol the 8432 port is exposed. Configure the docker-compose.yml to forward the ports to the desired host ports.

Quick Start

Create a docker-compose.yml file as below.

services:
    
    verify-access-oidc-provider:
        image: icr.io/isva/verify-access-oidc-provider:24.06
        hostname: verify-access-oidc-provider
        ports:
            - 8436:8436
        volumes:
            - /var/isvaop-test/config:/var/isvaop/config/

Here, the configuration is mounted from the host and only the HTTPS port is exposed.

Run the service using the command:

[demouser@demovm ~]$ docker-compose up -d

Note

In some flavors of Linux, Compose is included with the Docker installation and is executed using docker compose ...
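
An added example, not part of IBM's documentation: a pre-flight check for the host directory that the Quick Start bind-mounts into the container (/var/isvaop-test/config). The function name check_isvaop_config_dir and its rules are assumptions for illustration; it flags a missing directory, missing YAML, world-writable entries, and PEM private keys readable by other host accounts.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-flight check for the host directory
# that will be bind-mounted at /var/isvaop/config.
# check_isvaop_config_dir and its rules are hypothetical, for illustration.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_isvaop_config_dir() {
    dir=$1
    bad=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi

    # The container expects YAML configuration to be present at startup.
    yaml=$(find "$dir" -type f \( -name '*.yml' -o -name '*.yaml' \) | head -n 1)
    if [ -z "$yaml" ]; then
        echo "NO-YAML: no .yml or .yaml file under $dir"
        bad=1
    fi

    # World-writable entries let any account on the host alter the
    # provider's configuration, templates or JavaScript.
    ww=$(find "$dir" ! -type l -perm -0002)
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/WORLD-WRITABLE: /'
        bad=1
    fi

    # PEM private keys readable by "other" are exposed to every host account.
    # "|| true": find reports failure when grep matches nothing.
    keys=$(find "$dir" -type f -perm -0004 \
        -exec grep -l -e 'PRIVATE KEY-----' {} + || true)
    if [ -n "$keys" ]; then
        echo "$keys" | sed 's/^/KEY-READABLE: /'
        bad=1
    fi

    [ "$bad" -eq 0 ]
}

# Usage with the host path from the Quick Start compose file:
#   check_isvaop_config_dir /var/isvaop-test/config && docker-compose up -d
```

When tightening permissions after a finding, the files must remain readable by the user the container process runs as.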

Supported Docker Versions

  • This image is officially supported on Docker version v17 and later;
  • Support for older versions is provided on a best-effort basis.

License

The image is covered by an IBM software license. The license can be viewed directly from the image by executing the following command:

[demouser@demovm ~]$ docker run --rm --entrypoint license icr.io/isva/verify-access-oidc-provider:24.06