Provide an official Docker image for CAS-SSO
Open, LowPublicFeature
Actions

Assigned To

Authored By

	Arendpieter
	Dec 16 2025, 2:28 PM

Description

CAS-SSO is the central Identity Provider (IdP) used for Single Sign-On across Wikimedia services, based on Apereo CAS (idp.wikimedia.org) .

The CAS-SSO repository already contains Docker-related artifacts:

A Dockerfile in the repository
https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/cas-overlay-template/+/refs/heads/master/Dockerfile

A docker-compose.yml for local usage
https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/cas-overlay-template/+/refs/heads/master/docker-compose.yml

However, there is currently no officially built and published Docker image for CAS-SSO in the Wikimedia Docker registry.

Proposal

Publish an official, versioned Docker image for CAS-SSO to the Wikimedia Docker registry, built from the existing Dockerfile in operations/software/cas-overlay-template.

The image should:

Be built automatically (e.g. via CI) from the CAS-SSO repository
Be published to docker-registry.wikimedia.org
Support configuration via environment variables and/or mounted configuration
Be suitable for:
- Local development
- Integration testing
- CI pipelines
- Non-production Kubernetes or VM deployments

Benefits

Simplifies local development and testing of services integrating with CAS-SSO
Improves reproducibility of CAS-SSO environments
Lowers the barrier for contributors and service owners working with SSO
Makes the existing Docker support more discoverable and reusable

Suggested image name (example)

docker-registry.wikimedia.org/wikimedia/operations-software-cas-sso

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Docker build	operations/software/cas-overlay-template	master	+53 -0
	java: create openjdk-21 image (JDK)	operations/docker-images/production-images	master	+16 -0

Customize query in gerrit

Event Timeline

Arendpieter created this task.Dec 16 2025, 2:28 PM

Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptDec 16 2025, 2:28 PM

LSobanski triaged this task as Low priority.Jan 5 2026, 3:23 PM

We already have the ability to build the docker image, but it makes sense to push it to the registry. Also good to have for other projects.

How I came up with this issue:
While working on https://gerrit.wikimedia.org/r/c/labs/striker/+/1189915
, I needed this image to test the entire chain locally. For now, I copied the approach from bitu and built it locally:
https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/bitu/+/refs/heads/master/docker-compose.yaml#56

Change #1229106 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/cas-overlay-template@master] Docker build

https://gerrit.wikimedia.org/r/1229106

gerritbot added a project: Patch-For-Review.Tue, Jan 20, 12:06 PM

@SLyngshede-WMF Thank you for your patch! Can we use this image in
https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/bitu/+/refs/heads/master/docker-compose.yaml#56
?

Yes and no. We need to change the base image to the WMF Java image, which is only available as AMD64, which means that it's pretty much useless for me. The slowdown on ARM64 trying to run Java in AMD64 makes it incredibly slow. So we still need to have build instructions for everyone not on AMD64, and another base image for them to build from.

The plan will probably be to have the AMD64 in the WMF registry as the default in the docker-compose file, and then provide instructions on how to swap it out.

Change #1229519 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/docker-images/production-images@master] java: create openjdk-21 image (JDK)

https://gerrit.wikimedia.org/r/1229519

Change #1229519 merged by Slyngshede: