
Running test scenarios using Docker-Compose

Integrating with our MIM IDP involves running a dedicated client application on your machine. This client interacts with the MIM IDP, facilitates management of the workload's identity, and exposes the workload to locally-running processes. This guide describes how to use docker-compose to run a simple side-car pattern with the MIM client (tsmim).

Note

See the Quickstart for how to implement workload authentication scenarios.

1. Create a Docker Image

To use the binary inside a docker container, we first need to create a container image. We can use the following Dockerfile:

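# syntax = docker/dockerfile:1.4
FROM alpine:latest
# WORKDIR takes a path argument, not a key=value pair
WORKDIR /opt/mim
COPY ./tsmim ./tsmim
# Run the client as an unprivileged user
USER nobody:nogroup
# Default subcommand when the container is started without a command
CMD ["version"]
# The entrypoint is the bare binary: the subcommand comes from CMD or from the
# compose "command", which already starts with "run"
ENTRYPOINT [ "./tsmim" ]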

Assuming this content is saved as mim-client.Dockerfile in the same folder containing the Linux binary tsmim, we can run the following command to build the image:

$ docker build . -t mim-client -f mim-client.Dockerfile

2. Configure and run Docker

Now that we have the image, we can define the manifest for our docker-compose spec file - docker-compose.yaml:

version: "3.8"

services:
  app:
    image: alpine
    command: 'sh -c "while ! wget --header \"Authorization: Bearer ${API_KEY}\" -qO- http://tsmim:3014/peer/v1/id_token; do sleep 1; done"'
    depends_on:
      - tsmim

  tsmim:
    image: mim-client:latest
    environment:
      - MIM_API_KEY=${API_KEY}
    command: run --operator-base=example.mim.transmitsecurity.io --invite-code=${TICKET} --listen tsmim:3014 --dir /tmp

Example explained

Let’s break down the example:

  • We have a service called "app" which demonstrates utilization of tsmim in order to obtain its identity, and a service called "tsmim" which acts as the side-car container running the tsmim client.

  • We set the --listen parameter of the Client binary to the same name as the docker-compose service ("tsmim"), so that it automatically translates to the service’s internal network IP address (for example, 172.30.0.2). This allows the app service to reach the Client’s local API even though the services run in different containers.

  • Since the Client takes a few seconds to register with MIM IdP, in this example we implement a simple loop for the app service that keeps trying to reach the Client API until it receives a response.

  • For simplicity, we’ve assumed the API_KEY and TICKET values are set as environment variables (these can be set in a separate .env file). It’s important to note that these values are sensitive and are best configured using an appropriate mechanism, such as docker-compose secrets.
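The last two points combined, as an added example that is not part of the original guide: a polling script for the app service that reads the API key from a mounted secret file at run time, instead of having Compose interpolate ${API_KEY} into the command, and that stops after a bounded number of attempts. The secret name api_key (mounted at Docker's default /run/secrets/ path), the function name and the variable names are assumptions; the endpoint is the one used in the manifest above.

```shell
#!/bin/sh
# Added example: polling loop for the "app" service.
# Assumption: a Compose secret named api_key is mounted at the default
# path /run/secrets/api_key; names and defaults below are illustrative.
SECRET_FILE="${SECRET_FILE:-/run/secrets/api_key}"
TOKEN_URL="${TOKEN_URL:-http://tsmim:3014/peer/v1/id_token}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-30}"   # give up instead of looping forever
RETRY_DELAY="${RETRY_DELAY:-1}"      # seconds between attempts

# Prints the ID token on stdout.
# Returns 0 on success, 1 if the client never answered,
# 2 if the secret file is missing, unreadable or empty.
fetch_id_token() {
    if [ ! -r "$SECRET_FILE" ]; then
        echo "secret file $SECRET_FILE is missing or unreadable" >&2
        return 2
    fi
    # Command substitution strips the trailing newline of the file.
    key=$(cat "$SECRET_FILE")
    if [ -z "$key" ]; then
        echo "secret file $SECRET_FILE is empty" >&2
        return 2
    fi

    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        # The key is read at run time, so it is not part of the service
        # command stored in the container configuration.
        if token=$(wget --header "Authorization: Bearer $key" -qO- "$TOKEN_URL") \
            && [ -n "$token" ]; then
            printf '%s\n' "$token"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
    echo "no response from $TOKEN_URL after $MAX_ATTEMPTS attempts" >&2
    return 1
}

# Run the loop only when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    fetch_id_token
fi
```

The distinct exit codes let the container fail fast on a missing secret rather than retrying a request that can never authenticate.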