Verified Commit b2cd01d1 authored by Gabriel Zachmann's avatar Gabriel Zachmann

update docker swarm files

parent 6d7fcdd5
Pipeline #323647 passed
version: "3.9"
version: "3.8"
services:
mytoken:
hostname: 'mytoken_{{.Task.Slot}}'
image: oidcmytoken/mytoken-server
sysctls:
- net.ipv4.ip_unprivileged_port_start=0
configs:
- source: mytoken_config
target: /etc/mytoken/config.yaml
volumes:
- ${MYTOKEN_CONFIG_FILE}:/etc/mytoken/config.yaml
- ${MYTOKEN_GEOIPDB}:/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN
- ${MYTOKEN_CERTCHAIN}:/mytoken/certchain.pem:ro
- ${MYTOKEN_GEOIPDB}:/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN:ro
- ${MYTOKEN_LOGS_DIR}:/mytoken/logs
secrets:
- signing_key
- mytoken_signing_key
- ssh_host_ecdsa_key
- ssh_host_ed25519_key
- ssh_host_rsa_key
- db_password
- cert
networks:
- frontend
- backend
environment:
- WAIT_FOR_NODES=db_1:3306,db_2:3306,db_3:3306
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
- target: 2222
published: 2222
mode: host
# environment:
# - WAIT_FOR_NODES=db:3306
deploy:
mode: replicated
replicas: 3
# placement:
# max_replicas_per_node: 1
# replicas: 3
placement:
max_replicas_per_node: 1
restart_policy:
condition: any
delay: 30s
delay: 10s
window: 60s
rollback_config:
parallelism: 1
delay: 30s
delay: 15s
update_config:
parallelism: 1
delay: 60s
monitor: 30s
delay: 30s
monitor: 15s
failure_action: rollback
#healthcheck:
#test: ["CMD","curl", "-f", "https://localhost/.well-known/mytoken-configuration"]
#timeout: 5s
#retries: 3
#start_period: 30s
db-bootstrap:
image: bitnami/mariadb-galera:latest
hostname: db-bootstrap
volumes:
- '${DB_BOOTSTRAP_DIR}:/bitnami/mariadb'
- ${DB_BOOTSTRAP_DIR}:/bitnami/mariadb
networks:
- backend
env_file:
......@@ -74,20 +91,19 @@ services:
db:
image: oidcmytoken/galera-node:latest
hostname: 'db_{{.Task.Slot}}'
volumes:
- '${DB_DIR_TEMPLATE}:/bitnami/mariadb'
- ${DB_DATA_DIR}:/bitnami/mariadb
networks:
- backend
env_file:
- db.env
environment:
- MARIADB_GALERA_CLUSTER_ADDRESS=gcomm://db-bootstrap,db_1,db_2,db_3
- MARIADB_GALERA_CLUSTER_ADDRESS=gcomm://db-bootstrap,db
- MARIADB_PASSWORD_FILE=/run/secrets/db_password
- MARIADB_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
- MARIADB_GALERA_MARIABACKUP_PASSWORD_FILE=/run/secrets/db_backup_password
- MARIADB_REPLICATION_PASSWORD_FILE=/run/secrets/db_replication_password
- WAIT_FOR_NODES=db-bootstrap:3306,db_1:3306,db_2:3306,db_3:3306
- WAIT_FOR_NODES=db-bootstrap:3306,db:3306
secrets:
- db_password
- db_root_password
......@@ -95,9 +111,9 @@ services:
- db_replication_password
deploy:
mode: replicated
replicas: 3
# placement:
# max_replicas_per_node: 1
# replicas: 3
placement:
max_replicas_per_node: 1
restart_policy:
condition: on-failure
rollback_config:
......@@ -116,16 +132,14 @@ services:
migrate:
image: oidcmytoken/mytoken-migratedb
# depends_on:
# - db
networks:
- backend
environment:
- DB_PASSWORD_FILE=/run/secrets/db_root_password
- DB_DATABASE=mytoken
- DB_NODES=db_1,db_2,db_3
- WAIT_FOR_NODES=db_1:3306 # migrate only uses the first node for the migration, so we must wait for that one
- MYTOKEN_NODES=mytoken_1,mytoken_2,mytoken_3
- DB_NODES=db
- WAIT_FOR_NODES=db:3306
- MYTOKEN_NODES=mytoken
secrets:
- db_root_password
deploy:
......@@ -134,33 +148,6 @@ services:
restart_policy:
condition: on-failure
load_balancer:
image: haproxy
networks:
- frontend
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
- target: 2222
published: 2222
mode: host
- target: 8888
published: 8888
mode: host
sysctls:
- net.ipv4.ip_unprivileged_port_start=0
volumes:
- ${HAPROXY_DIR}:/usr/local/etc/haproxy:ro
secrets:
- cert
deploy:
mode: replicated
replicas: 1
# debug:
# deploy:
# mode: replicated
......@@ -180,11 +167,15 @@ networks:
frontend:
backend:
configs:
mytoken_config:
file: ${MYTOKEN_CONFIG_FILE}
secrets:
cert:
file: ${SECRET_CERT}
signing_key:
file: ${SECRET_SIGNING_KEY}
mytoken_signing_key:
file: ${SECRET_MYTOKEN_SIGNING_KEY}
db_password:
file: ${SECRET_DB_PASSWORD_FILE}
db_root_password:
......
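Review bot: The rollback path in `update_config` (`monitor: 15s`, `failure_action: rollback`) only reacts to a task that exits, because the `healthcheck:` block directly below it is still commented out, so a replica that starts but cannot actually serve (for example with an unusable key at `/run/secrets/cert`) passes the monitor window and the rollout continues. Now that the `load_balancer` service is removed and `mytoken` publishes 80/443/2222 itself with `mode: host` and the `net.ipv4.ip_unprivileged_port_start=0` sysctl, there is no external check in front of it either. Restoring the commented healthcheck (or an equivalent probe of `/.well-known/mytoken-configuration`) would make the monitor window meaningful; note that `curl -f https://localhost/...` has to pass certificate verification against the container's own certificate, which may need adjusting. The `frontend` network also appears to be attached only to `mytoken` now that haproxy is gone, so it may no longer be needed.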
COMPOSE_PROJECT_NAME=mytoken
DB_BOOTSTRAP_DIR=/home/mytoken/mytoken/db-bootstrap
DB_DATA_DIR=/home/mytoken/mytoken/db
MYTOKEN_CONFIG_FILE=/home/mytoken/mytoken/config.yaml
MYTOKEN_GEOIPDB=/home/mytoken/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN
MYTOKEN_LOGS_DIR=/home/mytoken/mytoken/logs
MYTOKEN_CERTCHAIN=/home/mytoken/mytoken/certchain.pem
HAPROXY_DIR=/home/mytoken/mytoken/haproxy
DB_BOOTSTRAP_DIR=/home/mytoken/mytoken/db/b1
DB_DIR_TEMPLATE=/home/mytoken/mytoken/db/{{.Task.Slot}}
SECRET_CERT=/home/mytoken/mytoken/mytoken.crt.pem
SECRET_SIGNING_KEY=/home/mytoken/mytoken/mytoken.signing_key
SECRET_CERT=/home/mytoken/mytoken/cert.key.pem
SECRET_MYTOKEN_SIGNING_KEY=/home/mytoken/mytoken/mytoken.signing.key
SECRET_SSH_HOST_ECDSA_KEY=/home/mytoken/mytoken/ssh_host_ecdsa_key
SECRET_SSH_HOST_ED25519_KEY=/home/mytoken/mytoken/ssh_host_ed25519_key
SECRET_SSH_HOST_RSA_KEY=/home/mytoken/mytoken/ssh_host_rsa_key
......
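Review bot: `SECRET_CERT` now points at `cert.key.pem`, i.e. the TLS private key, while the variable and the compose secret it feeds (`cert:` under `secrets:`, consumed as `key: /run/secrets/cert` in the server config) are both named as if they held the certificate; the public chain is the separate `MYTOKEN_CERTCHAIN`. Since renaming the secret touches the compose file and config.yaml as well, at least document it here: `# SECRET_CERT = TLS private key (swarm secret "cert", read by server.key); the public chain is MYTOKEN_CERTCHAIN`. The file also shows `DB_BOOTSTRAP_DIR` twice (`.../db-bootstrap` and `.../db/b1`); if both lines are on the new side, the later one wins silently and the first should be dropped.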
......@@ -2,4 +2,6 @@ MARIADB_GALERA_CLUSTER_NAME=mytoken
MARIADB_DATABASE=mytoken
MARIADB_USER=mytoken
MARIADB_GALERA_MARIABACKUP_USER=mariabackup_user
MARIADB_REPLICATION_USER=replication_user
\ No newline at end of file
MARIADB_REPLICATION_USER=replication_user
MARIADB_CHARACTER_SET=utf8mb4
MARIADB_COLLATE=utf8mb4_general_ci
\ No newline at end of file
......@@ -21,27 +21,23 @@ server:
# Unless false port 80 is redirected to 443
redirect_http: true
# The TLS certificate file
cert:
cert: /mytoken/certchain.pem
# The TLS certificate key file
key:
key: /run/secrets/cert
# If behind a load balancer or reverse proxy, set this option. Mytoken will read the client's ip address from this header.
proxy_header: "X-FORWARDED-FOR"
# proxy_header: "X-FORWARDED-FOR"
# Configure the request limits (these are per IP)
request_limits:
# Unless false request limits are enabled
enabled: true
# The number of requests that are allowed within the specified time window, e.g. 10/1s 100/5min 1000/1h
max_requests: 100
max_requests: 600
# The time window in which the maximum number of requests is allowed, i.e. the quota is reset after this time.
# The time is given in seconds.
window: 300
# Use the list to exclude hosts from the request limit. You can specify single IP addresses, subnets and
# hostnames including wildcards.
# always_allow:
# - "127.0.0.1"
# The database file for ip geo location. Will be installed by setup to this location.
geo_ip_db_file: "/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN"
# Use the list to exclude hosts from the request limit. You can specify single IP addresses as well as subnets.
always_allow:
- "127.0.0.1"
# Configuration of the mytoken API
api:
......@@ -51,25 +47,25 @@ api:
# Configuration for the database
database:
hosts:
- "db_1"
- "db_2"
- "db_3"
- "db"
user: "mytoken"
password:
# Read the db password from this file
password_file: "/run/secrets/db_password"
db: "mytoken"
# The interval (in seconds) in which mytoken tries to reconnect to db nodes that are down
try_reconnect_interval: 60
# Enable / Disable cleanup of expired db entries once a day
# schedule_cleanup: true
schedule_cleanup: true
# The database file for ip geo location. Will be installed by setup to this location.
geo_ip_db_file: "/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN"
# Configuration for token signing
signing:
# The used algorithm
alg: "ES512"
# The file with the signing key
key_file: "/run/secrets/signing_key"
key_file: "/run/secrets/mytoken_signing_key"
# If an RSA-based algorithm is used, this is the key len. Only needed when generating a new rsa key.
rsa_key_len: 2048
......@@ -89,9 +85,17 @@ logging:
stderr: true
# The minimal log level that should be logged
level: "error"
# Configuration for 'smart' logging. If enabled internal logging is usually logged from the minimal log level as
# usual, but if an error occurs an special error log is logged to a dedicated file that contains all log entries
# (with all log levels, also levels that normally wouldn't be logged) for that particular request.
smart:
# Unless false smart logging is enabled
enabled: true
# The directory where the error log files are stored. If omitted it is equal to the normal internal logging dir
dir: "/mytoken/logs/errors"
# URL with documentation about the service
service_documentation: "https://mytoken-docs.data.kit.edu/"
service_documentation: "https://mytoken-docs.data.kit.edu"
# Configuration and enabling/disabling for different features
features:
......@@ -167,19 +171,24 @@ features:
# A director with the same structure as https://github.com/oidc-mytoken/server/tree/master/internal/server/web
# where web files can be located. If this option is set and a file is present here it is used to overwrite the
# default file. This can be used for customization, especially css.
# overwrite_dir: "/var/www/mytoken"
# overwrite_dir: "/mytoken/web"
ssh:
enabled: true
# If true the haproxy proxy protocl (https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt) is used to
# receive client information, i.e. the client's ip from the proxy; the proxy must support this
use_proxy_protocol: true
use_proxy_protocol: false
# The ssh private key files of the server
keys:
- /run/secrets/ssh_host_ecdsa_key
- /run/secrets/ssh_host_ed25519_key
- /run/secrets/ssh_host_rsa_key
server_profiles:
enabled: true
groups:
# The groups with their credentials
# The list of supported providers
providers:
- issuer: "https://example.provider.com/"
......
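Review bot: `proxy_header: "X-FORWARDED-FOR"` is commented out without saying why, and the reason is security-relevant: the comment above it states that mytoken takes the client IP from that header, and that IP is what `request_limits` and the now-enabled `always_allow` entry for `"127.0.0.1"` are keyed on, so with mytoken published directly (the haproxy service is removed in this commit) honouring a client-supplied header would let any client choose the address it is rate-limited as, including the always-allowed one. Suggest extending the line so it is not re-enabled casually: `# proxy_header: "X-FORWARDED-FOR"  # only set when a trusted proxy overwrites this header; mytoken is published directly in the swarm stack, so leave it off`. The same consideration applies to `ssh.use_proxy_protocol: false` further down, which this commit sets consistently.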