diff --git a/convertigo/content.md b/convertigo/content.md index a678a6c80f59..dbcff92d7603 100644 --- a/convertigo/content.md +++ b/convertigo/content.md @@ -23,16 +23,18 @@ $ docker run --name C8O -d -p 28080:28080 %%IMAGE%% This will start a container running the minimum Convertigo server. Convertigo uses images' **/workspace** directory to store configuration file and deployed projects as an Docker volume. -You can access the Server admin console on http://[dockerhost]:28080/convertigo and login using the default credentials: admin / admin +You can access the Server admin console on `http://[dockerhost]:28080/convertigo` and login using the default credentials: `admin / admin`. + +The Server can also be accessed by HTTPS on `https://[dockerhost]:28443/convertigo` if SSL is configured (see the **HTTPS** section below). ## Link Convertigo to a CouchDB database for FullSync (Convertigo EE only) -Convertigo FullSync module uses Apache CouchDB 2.3.1 as NoSQL repository. You can use the **[couchdb](https://hub.docker.com/_/couchdb/)** docker image and link to it convertigo this way +Convertigo FullSync module uses Apache CouchDB 3.2.2 as NoSQL repository. You can use the **[couchdb](https://hub.docker.com/_/couchdb/)** docker image and link to it convertigo this way Launch CouchDB container and name it 'fullsync' ```console -$ docker run -d --name fullsync couchdb:2.3.1 +$ docker run -d --name fullsync couchdb:3.2.2 ``` Then launch Convertigo and link it to the running 'fullsync' container. Convertigo Low Code sever will automatically use it as its fullsync repository. 
@@ -41,11 +43,21 @@ Then launch Convertigo and link it to the running 'fullsync' container. Converti $ docker run -d --name C8O --link fullsync:couchdb -p 28080:28080 %%IMAGE%% ``` +## Use embedded PouchDB as FullSync engine (not for production) + +Convertigo FullSync is designed to use CouchDB server or cluster. Convertigo FullSync is also compatible with PouchDB but only for little projects or tests. Internet access is required to enable this feature. + +It can be enabled directly at startup: + +```console +$ docker run -d --name C8O -e JAVA_OPTS="-Dconvertigo.engine.fullsync.pouchdb=true" -p 28080:28080 %%IMAGE%% +``` + ## Link Convertigo Low Code Server to a Billing & Analytics database ### MySQL -MySQL is the recommended database for holding Convertigo MBaaS server analytics. You can use this command to run convertigo and link it to a running MySQL container. Change `[mysql-container]` to the container name, and `[username for the c8oAnalytics db]`, `[password for specified db user]` with the values for your MySQL configuration. +MySQL is the recommended database for holding Convertigo Low Code server analytics. You can use this command to run convertigo and link it to a running MySQL container. Change `[mysql-container]` to the container name, and `[username for the c8oAnalytics db]`, `[password for specified db user]` with the values for your MySQL configuration. ```console $ docker run -d --name C8O --link [mysql-container]:mysql -p 28080:28080 \ @@ -95,7 +107,7 @@ COPY myDependency.car /usr/local/tomcat/webapps/convertigo/WEB-INF/default_user_ The default administration account of a Convertigo server is **admin** / **admin** and the **testplatform** is anonymous. -These accounts can be configured through the *administration console* and saved in the **workspace**. +These accounts can be configured through the **administration console** and saved in the **workspace**. ### `CONVERTIGO_ADMIN_USER` and `CONVERTIGO_ADMIN_PASSWORD` Environment variables 
@@ -113,11 +125,66 @@ You can lock the **testplatform** by setting the account : $ docker run -d --name C8O -e CONVERTIGO_TESTPLATFORM_USER=tp_user -e CONVERTIGO_TESTPLATFORM_PASSWORD=s3cret -p 28080:28080 %%IMAGE%% ``` +## HTTPS / SSL Configuration + +In many cases, the Convertigo instance is behind a reverse proxy that handles HTTPS / SSL configuration. But you can configure the container to manage existing SSL certificates or dynamically generate one. + +If the SSL configuration is correct, the Convertigo Server will listen **HTTP** on port `28080` and **HTTPS** on port `28443`. + +### Provide existing certificate using the /ssl mount point + +If you have an existing certificate and a private key, you can put them in **PEM** format in a folder (or in a Kubernetes secret): + +- `key.pem` : the private key in PEM format (no password) +- `cert.pem` : the server certificate in PEM format, can also contain the full chain of certificates +- `chain.pem` : the optional chain of certificates not included in `cert.pem` using the PEM format + +```console +$ docker run -d --name C8O -v :/ssl -p 28443:28443 %%IMAGE%% +``` + +If you want to expose both **HTTP** and **HTTPS** you can expose both **ports**: + +```console +$ docker run -d --name C8O -v :/ssl -p 28080:28080 -p 28443:28443 %%IMAGE%% +``` + +### Provide existing certificate using environment variables + +If you cannot mount a volume, you can probably add environment variables of previously described files. Content cannot be set directly in a variable but their base64 version can. 
Here are the variables to configure: + +- `SSL_KEY_B64` : the private key in base64 PEM format (no password) +- `SSL_CERT_B64` : the server certificate in base64 PEM format, can also contain the full chain of certificates +- `SSL_CHAIN_B64` : the optional chain of certificates not included in `cert.pem` using the base64 PEM format + +```console +$ SSL_KEY_B64=$(base64 key.pem) +$ SSL_CERT_B64=$(base64 cert.pem) +$ SSL_CHAIN_B64=$(base64 chain.pem) +$ docker run -d --name C8O -e SSL_KEY_B64="$SSL_KEY_B64" -e SSL_CERT_B64="$SSL_CERT_B64" -e SSL_CHAIN_B64="$SSL_CHAIN_B64" -p 28443:28443 %%IMAGE%% +``` + +### Generate and use a self-signed certificate + +If you don't have certificate file, you can dynamically generate one for the first start. This will be an untrusted certificate for Browsers and HTTPS clients. This shouldn't be used for production environment. + +Use the `SSL_SELFSIGNED` environment variable to indicate for what domain you want generate certificate. + +```console +$ docker run -d --name C8O -e SSL_SELFSIGNED=mycomputer -p 28443:28443 %%IMAGE%% +``` + +Generated files can be retrieved if the `/ssl` mount point is configured on folder without `cert.pem` nor `key.pem`. + +```console +$ docker run -d --name C8O -v :/ssl -e SSL_SELFSIGNED=mycomputer -p 28443:28443 %%IMAGE%% +``` + ## `JAVA_OPTS` Environment variable -Convertigo is based on a *Java* process with some defaults *JVM* options. You can override our defaults *JVM* options with you own. +Convertigo is based on a **Java** process with some defaults **JVM** options. You can override our defaults **JVM** options with you own. -Add any *Java JVM* options such as -D[something] : +Add any **Java JVM** options such as -D[something] : ```console $ docker run -d --name C8O -e JAVA_OPTS="-DjvmRoute=server1" -p 28080:28080 %%IMAGE%% 
@@ -137,7 +204,7 @@ $ docker run -d --name C8O -e JXMX="4096" -p 28080:28080 %%IMAGE%% ## `COOKIE_PATH` Environment variable -Convertigo generates a `JSESSIONID` to maintain the user session and stores in a *cookie*. The *cookie* is set for the server path `/` by default. In case of a front server with multiple services for different paths, you can set a path restriction for the *cookie* with the `JSESSIONID`. Just define the `COOKIE_PATH` environment variable with a compatible path. +Convertigo generates a `JSESSIONID` to maintain the user session and stores in a **cookie**. The **cookie** is set for the server path `/` by default. In case of a front server with multiple services for different paths, you can set a path restriction for the **cookie** with the `JSESSIONID`. Just define the `COOKIE_PATH` environment variable with a compatible path. The default `COOKIE_PATH` value is `/` and can be defined : 
@@ -147,9 +214,9 @@ $ docker run -d --name C8O -e COOKIE_PATH="/convertigo" -p 28080:28080 %%IMAGE%% ## `COOKIE_SECURE` Environment variable -Convertigo use a *cookie* to maintain sessions. Requests on port `28080` are *HTTP* but we advice to use an *HTTPS* front for production (nginx, kubenetes ingress, ...). In this case, you can secure yours cookies to be used only with secured connections by adding the `Secure` flag. +Convertigo uses a **cookie** to maintain sessions. Requests on port `28080` are **HTTP** but we advise to use an **HTTPS** front for production (nginx, kubernetes ingress, ...). In this case, you can secure your cookies to be used only with secured connections by adding the `Secure` flag. -The Secure flag can be enabled by setting the `COOKIE_SECURE` environment variable to `true`. Once enabled, cookies and sessions aren't working through an *HTTP* connection. +The Secure flag can be enabled by setting the `COOKIE_SECURE` environment variable to `true`. Once enabled, cookies and sessions aren't working through an **HTTP** connection. The default `COOKIE_SECURE` value is `false` and can be defined : @@ -157,11 +224,13 @@ The default `COOKIE_SECURE` value is `false` and can be defined : $ docker run -d --name C8O -e COOKIE_SECURE="true" -p 28080:28080 %%IMAGE%% ``` +**Note :** if you have set the **SSL** configuration and you access the **HTTPS 28443** port, cookies are automatically `Secure`. + ## `COOKIE_SAMESITE` Environment variable -Allow to configure the *SameSite* parameter for generated cookies. Can be empty, `none`, `lax` or `strict`. +Allow to configure the **SameSite** parameter for generated cookies. Can be empty, `none`, `lax` or `strict`. -The default `COOKIE_SAMESITE` value is *empty* and can be defined this way: +The default `COOKIE_SAMESITE` value is **empty** and can be defined this way: ```console $ docker run -d --name C8O -e COOKIE_SAMESITE=lax -p 28080:28080 %%IMAGE%% 
@@ -169,9 +238,9 @@ $ docker run -d --name C8O -e COOKIE_SAMESITE=lax -p 28080:28080 %%IMAGE%% ## `SESSION_TIMEOUT` Environment variable -Allow to configure the default Tomcat *session-timeout* in minutes. This value is used for non-project calls (Administration console, Fullsync...). This value is overridden by each projects' calls (Sequence, Transaction ...). +Allow to configure the default Tomcat **session-timeout** in minutes. This value is used for non-project calls (Administration console, Fullsync...). This value is overridden by each projects' calls (Sequence, Transaction ...). -The default `SESSION_TIMEOUT` value is *30* and can be defined this way: +The default `SESSION_TIMEOUT` value is **30** and can be defined this way: ```console $ docker run -d --name C8O -e SESSION_TIMEOUT=5 -p 28080:28080 %%IMAGE%% @@ -179,9 +248,9 @@ $ docker run -d --name C8O -e SESSION_TIMEOUT=5 -p 28080:28080 %%IMAGE%% ## `DISABLE_SUDO` Environment variable -The image include *sudo* command line, configured to allow the *convertigo* user to use it without password and to perform some *root* action inside the container. This variable allow to disable this permission. +The image include **sudo** command line, configured to allow the **convertigo** user to use it without password and to perform some **root** action inside the container. This variable allows to disable this permission. -The default `DISABLE_SUDO` value is *empty* and can be defined this way: +The default `DISABLE_SUDO` value is **empty** and can be defined this way: ```console $ docker run -d --name C8O -e DISABLE_SUDO=true -p 28080:28080 %%IMAGE%%
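Review bot: The `docker run -d --name fullsync couchdb:3.2.2` line in the first hunk (@@ -23,16 +23,18 @@) passes no admin credentials, although the tag jumps a major version from `2.3.1`. CouchDB 3.x does not start without an admin account, so please verify this command and the following `--link fullsync:couchdb` command still work as written. If credentials are required, show how they are given to the CouchDB container and how Convertigo is told about them.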
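Review bot: "Internet access is required to enable this feature." in the new PouchDB section (@@ -41,11 +43,21 @@) does not say what the server fetches at startup or from which host. Please state that, so operators can allow-list the egress and decide whether a runtime download is acceptable in their environment. It would also help to say how `-Dconvertigo.engine.fullsync.pouchdb=true` is combined with other `JAVA_OPTS` values, since the `JAVA_OPTS` section describes the variable as overriding the defaults.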
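Review bot: The three `-v :/ssl` commands in the new HTTPS section (@@ -113,11 +125,66 @@) have an empty host path, so the volume source placeholder appears to have been lost; please restore it in a form that survives rendering, for example `[ssl-folder]` in the bracket style used elsewhere on the page. In the environment variable variant, `SSL_KEY_B64` puts the private key into the container environment, where it is readable through `docker inspect`, so the text should recommend the `/ssl` mount or a secret store when available rather than "you can probably add environment variables". `$(base64 key.pem)` may also emit wrapped, multi-line output depending on the `base64` implementation; say whether the entrypoint accepts that.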
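Review bot: The added note "cookies are automatically `Secure`" in the `COOKIE_SECURE` hunk (@@ -157,11 +224,13 @@) leaves the mixed case undefined: the HTTPS section shows `-p 28080:28080 -p 28443:28443` together, and `COOKIE_SECURE` still defaults to `false`, so a session opened on port `28080` would carry an unflagged cookie. Please state the behaviour on the HTTP port when SSL is configured and suggest setting `COOKIE_SECURE="true"` or publishing only `28443` in that setup. The `COOKIE_SAMESITE` paragraph in the same hunk lists `none` without mentioning that browsers only accept `SameSite=None` on `Secure` cookies.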
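Review bot: The `DISABLE_SUDO` paragraph in the last hunk (@@ -179,9 +248,9 @@) says the **convertigo** user has passwordless sudo "to perform some **root** action" but never names those actions, so a reader cannot tell what breaks when `DISABLE_SUDO=true` is set. Please list what depends on sudo and consider recommending `DISABLE_SUDO=true` for production, since the default is **empty** and leaves root escalation available inside the container. Minor: "The image include" is left ungrammatical in the same line where "allow" was corrected to "allows".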