|
# Compose v2 ignores `version` (with a warning); kept for older docker-compose.
version: "3.8"

### DNS ####

# Resolver handed to the services below that declare `dns:` (traefik, executor,
# registry). Defaults to Cloudflare's public resolver; set DNS_IP_PUBLIC in .env
# to point at an internal resolver instead.
x-terrakube_dns: &terrakube_dns
  - "${DNS_IP_PUBLIC:-1.1.1.1}"
|
|
|
#### Extra Hosts #####

# Static /etc/hosts entries for every public Terrakube hostname, all pointing
# at HOST_GATEWAY (presumably the Docker host's address). Container-to-container
# calls (api -> executor, executor -> api/registry, ...) therefore re-enter
# through Traefik's published ports instead of resolving public DNS.
# Requires DOMAIN and HOST_GATEWAY to be set in .env.
x-terrakube_hosts: &terrakube_hosts
  - "tk-api.${DOMAIN}:${HOST_GATEWAY}"
  - "tk-dex.${DOMAIN}:${HOST_GATEWAY}"
  - "tk-executor.${DOMAIN}:${HOST_GATEWAY}"
  - "tk.${DOMAIN}:${HOST_GATEWAY}"
  - "tk-registry.${DOMAIN}:${HOST_GATEWAY}"
|
|
|
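#### Container Environment Variables #####

# Environment for the Terrakube API server.
#
# SECURITY: every value written as `${VAR:-default}` below is a sample
# credential that ships with this file. Set the variable in .env so the
# default is never used outside a throwaway demo. Shared values must agree
# across services: TK_PAT_SECRET / TK_INTERNAL_SECRET with the executor and
# registry, TK_REDIS_PASSWORD with redis-service, TK_DB_PASSWORD with
# postgresql-service. Leaving a variable unset keeps the previous behaviour.
x-api: &api_env
  ApiDataSourceType: POSTGRESQL
  DatasourceHostname: postgresql-service
  DatasourceDatabase: terrakubedb
  DatasourceUser: terrakube
  # Must match POSTGRESQL_PASSWORD on postgresql-service.
  DatasourcePassword: "${TK_DB_PASSWORD:-terrakubepassword}"
  GroupValidationType: DEX
  UserValidationType: DEX
  AuthenticationValidationType: DEX
  TerrakubeHostname: "https://tk-api.${DOMAIN}"
  AzBuilderExecutorUrl: "https://tk-executor.${DOMAIN}/api/v1/terraform-rs"
  # Base64-encoded shared secrets. The defaults are published sample values;
  # generate fresh random ones for anything that is reachable by others.
  PatSecret: "${TK_PAT_SECRET:-ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g=}"
  InternalSecret: "${TK_INTERNAL_SECRET:-S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=}"
  DexIssuerUri: "https://tk-dex.${DOMAIN}/dex"
  StorageType: AWS
  AwsStorageAccessKey: "${TK_OUTPUT_ACCESS_KEY}"
  AwsStorageSecretKey: "${TK_OUTPUT_SECRET_KEY}"
  AwsStorageBucketName: "${TK_OUTPUT_BUCKET_NAME}"
  AwsStorageRegion: "${TK_OUTPUT_STORAGE_REGION}"
  AwsEndpoint: "${TK_OUTPUT_ENDPOINT}"
  TerrakubeUiURL: "https://tk.${DOMAIN}"
  # `demo` Spring profile: review what it relaxes before exposing this stack.
  spring_profiles_active: demo
  # OIDC client id; same value as REACT_APP_CLIENT_ID (ui) and AppClientId (registry).
  DexClientId: example-app
  CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json"
  TerrakubeRedisHostname: terrakube-redis
  TerrakubeRedisPort: "6379"
  TerrakubeRedisPassword: "${TK_REDIS_PASSWORD:-password123456}"
  # Lets the JVM fetch missing intermediate CAs via the certificate's AIA
  # extension during TLS validation (an outbound HTTP fetch at handshake time);
  # presumably here to tolerate an incomplete chain on the ingress.
  JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true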
|
|
|
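# Environment for the Terrakube executor (the component that runs Terraform).
# Credential defaults are sample values — see the note on x-api; set the
# TK_* variables in .env. Unset variables keep the previous behaviour.
x-executor: &executor_env
  TerrakubeEnableSecurity: "true"
  # Must equal InternalSecret on the api and registry services.
  InternalSecret: "${TK_INTERNAL_SECRET:-S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=}"
  TerraformStateType: AwsTerraformStateImpl
  AwsTerraformStateAccessKey: "${TK_OUTPUT_ACCESS_KEY}"
  AwsTerraformStateSecretKey: "${TK_OUTPUT_SECRET_KEY}"
  AwsTerraformStateBucketName: "${TK_OUTPUT_BUCKET_NAME}"
  # Same region variable the api/registry use; this was hard-coded to
  # us-east-1 and silently diverged from TK_OUTPUT_STORAGE_REGION.
  AwsTerraformStateRegion: "${TK_OUTPUT_STORAGE_REGION:-us-east-1}"
  AwsEndpoint: "${TK_OUTPUT_ENDPOINT}"
  TerraformOutputType: AwsTerraformOutputImpl
  AwsTerraformOutputAccessKey: "${TK_OUTPUT_ACCESS_KEY}"
  AwsTerraformOutputSecretKey: "${TK_OUTPUT_SECRET_KEY}"
  AwsTerraformOutputBucketName: "${TK_OUTPUT_BUCKET_NAME}"
  AwsTerraformOutputRegion: "${TK_OUTPUT_STORAGE_REGION:-us-east-1}"
  AzBuilderApiUrl: "https://tk-api.${DOMAIN}"
  ExecutorFlagBatch: "false"
  ExecutorFlagDisableAcknowledge: "false"
  # Supply chain: tools come from the moving `main` branch of a public repo.
  # Pin TerrakubeToolsBranch to a tag/commit (or mirror the repo) for anything
  # beyond a demo, since whatever lands there runs inside the executor.
  TerrakubeToolsRepository: https://github.com/AzBuilder/terrakube-extensions.git
  TerrakubeToolsBranch: main
  TerrakubeRegistryDomain: "tk-registry.${DOMAIN}"
  TerrakubeApiUrl: "https://tk-api.${DOMAIN}"
  CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json"
  TerrakubeRedisHostname: terrakube-redis
  TerrakubeRedisPort: "6379"
  TerrakubeRedisPassword: "${TK_REDIS_PASSWORD:-password123456}"
  # Heap limits plus AIA intermediate-CA fetching (see x-api). `>-` folds to a
  # single line with no trailing newline.
  JAVA_TOOL_OPTIONS: >-
    -Xmx512m -Xms256m -Dcom.sun.security.enableAIAcaIssuers=true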
|
|
|
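# Environment for the Terrakube module/provider registry.
# The anchor was previously written as `®istry_env` (an HTML-mangled
# `&registry_env`), which makes the `*registry_env` alias on the
# terrakube-registry service unresolvable. Credential defaults are sample
# values — see the note on x-api.
x-registry: &registry_env
  AzBuilderRegistry: "https://tk-registry.${DOMAIN}"
  AzBuilderApiUrl: "https://tk-api.${DOMAIN}"
  AuthenticationValidationTypeRegistry: DEX
  TerrakubeEnableSecurity: "true"
  DexIssuerUri: "https://tk-dex.${DOMAIN}/dex"
  TerrakubeUiURL: "https://tk.${DOMAIN}"
  # Must equal PatSecret / InternalSecret on the api (and InternalSecret on the executor).
  PatSecret: "${TK_PAT_SECRET:-ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g=}"
  InternalSecret: "${TK_INTERNAL_SECRET:-S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=}"
  RegistryStorageType: AwsStorageImpl
  AwsStorageAccessKey: "${TK_OUTPUT_ACCESS_KEY}"
  AwsStorageSecretKey: "${TK_OUTPUT_SECRET_KEY}"
  AwsStorageBucketName: "${TK_OUTPUT_BUCKET_NAME}"
  AwsStorageRegion: "${TK_OUTPUT_STORAGE_REGION}"
  AwsEndpoint: "${TK_OUTPUT_ENDPOINT}"
  # Same OIDC client id as DexClientId (api) and REACT_APP_CLIENT_ID (ui).
  AppClientId: example-app
  AppIssuerUri: "https://tk-dex.${DOMAIN}/dex"
  JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true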
|
|
|
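# Demo OpenLDAP directory that Dex authenticates against.
# Admin credentials default to admin/admin; set LDAP_ADMIN_PASSWORD in .env.
# The Dex bind credentials live in ./config-ldap.yaml (not shown here) and
# presumably have to be kept in sync with whatever you set.
x-ldap: &ldap_env
  # `try`: request a client certificate but do not require one (OpenLDAP TLSVerifyClient).
  LDAP_TLS_VERIFY_CLIENT: try
  LDAP_ADMIN_USERNAME: "${LDAP_ADMIN_USERNAME:-admin}"
  LDAP_ADMIN_PASSWORD: "${LDAP_ADMIN_PASSWORD:-admin}"
  LDAP_ROOT: "dc=example,dc=org"
  # Directory the ldap-service mounts ./config-ldap.ldif into.
  LDAP_CUSTOM_LDIF_DIR: "/ldifs"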
|
|
|
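# MinIO object store. Root credentials default to minioadmin/minioadmin; set
# MINIO_ROOT_USER / MINIO_ROOT_PASSWORD in .env. The api/executor/registry
# read TK_OUTPUT_ACCESS_KEY / TK_OUTPUT_SECRET_KEY / TK_OUTPUT_BUCKET_NAME,
# which presumably target this instance — keep them consistent.
x-minio: &minio_env
  MINIO_ROOT_USER: "${MINIO_ROOT_USER:-minioadmin}"
  MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:-minioadmin}"
  # Bucket created on first start. Defaults to the original `sample`; when
  # TK_OUTPUT_BUCKET_NAME is set the bucket the other services expect is created.
  MINIO_DEFAULT_BUCKETS: "${TK_OUTPUT_BUCKET_NAME:-sample}"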
|
|
|
# Environment injected into the React UI; mirrors the api/dex/registry URLs
# used by the backend services.
x-ui: &ui_env
  REACT_APP_TERRAKUBE_API_URL: "https://tk-api.${DOMAIN}/api/v1/"
  # OIDC client id; same value as DexClientId (api) and AppClientId (registry).
  REACT_APP_CLIENT_ID: example-app
  REACT_APP_AUTHORITY: "https://tk-dex.${DOMAIN}/dex"
  # Post-login redirect target; must be registered for this client in Dex.
  REACT_APP_REDIRECT_URI: "https://tk.${DOMAIN}"
  REACT_APP_REGISTRY_URI: "https://tk-registry.${DOMAIN}"
  REACT_APP_SCOPE: "email openid profile offline_access groups"
  JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true
|
|
|
# Static Traefik configuration, supplied as environment variables.
x-traefik_env: &traefik_env
  # Dashboard stays off; nothing here authenticates it.
  TRAEFIK_API_DASHBOARD: "false"
  TRAEFIK_ENTRYPOINTS_WEB: "true"
  # NOTE(review): the entrypoints bind to the *host* port numbers, while the
  # traefik service publishes TRAEFIK_HTTP_PORT:80 and TRAEFIK_HTTPS_PORT:443.
  # On a bridge network those two only agree when the variables are 80/443;
  # if you rely on the port mapping, bind ":80" / ":443" here instead. Left
  # as-is because a routed/macvlan external network may address the container
  # directly on these ports.
  TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":${TRAEFIK_HTTP_PORT}"
  TRAEFIK_ENTRYPOINTS_WEB_HTTP_ENCODEQUERYSEMICOLONS: "true"
  TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEQUERYSEMICOLONS: "true"
  TRAEFIK_ENTRYPOINTS_WEBSECURE: "true"
  TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":${TRAEFIK_HTTPS_PORT}"
  # Docker provider with opt-in exposure: only containers carrying
  # traefik.enable=true get routes.
  TRAEFIK_PROVIDERS_DOCKER: "true"
  TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: "false"
  # Dynamic config (TLS certificates etc.) comes from ./traefik_dynamic.yml.
  TRAEFIK_PROVIDERS_FILE_FILENAME: /etc/traefik_dynamic.yml
|
|
|
## Terrakube API
x-traefik_api_labels: &traefik_api_labels
  traefik.enable: "true"
  ## HTTPS router -> api container port 8080, with the UI CORS middleware
  ## (declared on the dex labels) attached.
  traefik.http.routers.terrakube-api-https.rule: "Host(`tk-api.${DOMAIN}`)"
  traefik.http.routers.terrakube-api-https.entrypoints: websecure
  traefik.http.routers.terrakube-api-https.tls: "true"
  traefik.http.routers.terrakube-api-https.middlewares: terrakube-dex-allow-origin
  traefik.http.services.terrakube-api-https.loadbalancer.server.port: "8080"
  ## Plain HTTP only redirects to HTTPS; no traffic is served over it.
  traefik.http.routers.terrakube-api-http.rule: "Host(`tk-api.${DOMAIN}`)"
  traefik.http.routers.terrakube-api-http.entrypoints: web
  traefik.http.routers.terrakube-api-http.middlewares: terrakube-api-redirect-https
  traefik.http.middlewares.terrakube-api-redirect-https.redirectscheme.scheme: https
|
|
|
## Traefik labels
## Terrakube Executor
## NOTE(review): this publishes the executor's HTTP API on the ingress as
## tk-executor.${DOMAIN}. As far as this file shows, only TerrakubeEnableSecurity
## plus the shared InternalSecret protect it; if the api is its only legitimate
## caller, consider an ipAllowList middleware or keeping it off the ingress.
x-traefik_executor_labels: &traefik_executor_labels
  traefik.enable: "true"
  ## HTTPS router -> executor container port 8090.
  traefik.http.routers.terrakube-executor-https.rule: "Host(`tk-executor.${DOMAIN}`)"
  traefik.http.routers.terrakube-executor-https.entrypoints: websecure
  traefik.http.routers.terrakube-executor-https.tls: "true"
  traefik.http.routers.terrakube-executor-https.middlewares: terrakube-dex-allow-origin
  traefik.http.services.terrakube-executor-https.loadbalancer.server.port: "8090"
  ## Plain HTTP only redirects to HTTPS.
  traefik.http.routers.terrakube-executor-http.rule: "Host(`tk-executor.${DOMAIN}`)"
  traefik.http.routers.terrakube-executor-http.entrypoints: web
  traefik.http.routers.terrakube-executor-http.middlewares: terrakube-executor-redirect-https
  traefik.http.middlewares.terrakube-executor-redirect-https.redirectscheme.scheme: https
|
|
|
## Terrakube UI
x-traefik_ui_labels: &traefik_ui_labels
  traefik.enable: "true"
  ## HTTPS router -> ui container port 8080.
  traefik.http.routers.terrakube-ui-https.rule: "Host(`tk.${DOMAIN}`)"
  traefik.http.routers.terrakube-ui-https.entrypoints: websecure
  traefik.http.routers.terrakube-ui-https.middlewares: terrakube-dex-allow-origin
  traefik.http.routers.terrakube-ui-https.tls: "true"
  traefik.http.services.terrakube-ui-https.loadbalancer.server.port: "8080"
  ## Plain HTTP only redirects to HTTPS.
  traefik.http.routers.terrakube-ui-http.rule: "Host(`tk.${DOMAIN}`)"
  traefik.http.routers.terrakube-ui-http.entrypoints: web
  traefik.http.routers.terrakube-ui-http.middlewares: terrakube-ui-redirect-https
  traefik.http.middlewares.terrakube-ui-redirect-https.redirectscheme.scheme: https
|
|
|
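## Terrakube DEX
x-traefik_dex_labels: &traefik_dex_labels
  traefik.enable: "true"
  ## HTTPS router -> dex container port 5556.
  traefik.http.routers.terrakube-dex-https.rule: "Host(`tk-dex.${DOMAIN}`)"
  traefik.http.routers.terrakube-dex-https.entrypoints: websecure
  traefik.http.routers.terrakube-dex-https.middlewares: terrakube-dex-allow-origin
  traefik.http.routers.terrakube-dex-https.tls: "true"
  traefik.http.services.terrakube-dex-https.loadbalancer.server.port: "5556"
  ## Plain HTTP only redirects to HTTPS.
  traefik.http.routers.terrakube-dex-http.rule: "Host(`tk-dex.${DOMAIN}`)"
  traefik.http.routers.terrakube-dex-http.entrypoints: web
  traefik.http.routers.terrakube-dex-http.middlewares: terrakube-dex-redirect-https
  traefik.http.middlewares.terrakube-dex-redirect-https.redirectscheme.scheme: https
  ## CORS for the Terrakube UI. Declared here but also attached to the api,
  ## executor, ui and registry routers (the name resolves from any container
  ## because all of them come from the same docker provider).
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowmethods: "GET, PATCH, PUT, POST, DELETE, HEAD, OPTIONS"
  ## `>-` instead of `>`: a plain folded scalar keeps a trailing newline, which
  ## otherwise ends up in the label value (and possibly in the last header name).
  ## NOTE: because allowcredentials is true, browsers treat the `*` entry
  ## literally rather than as a wildcard, so the explicit list is what counts.
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowheaders: >-
    Content-Type, Accept, Authorization, X-Requested-With, Origin, *
  ## Single explicit origin. Never widen this to `*` while allowcredentials is on.
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolalloworiginlist: "https://tk.${DOMAIN}"
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowcredentials: "true"
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolexposeheaders: >-
    Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified,
    Pragma, x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2, ETag
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolmaxage: "86400"
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.addvaryheader: "true"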
|
|
|
|
|
## Terrakube registry
x-traefik_registry_labels: &traefik_registry_labels
  traefik.enable: "true"
  ## HTTPS router -> registry container port 8075.
  traefik.http.routers.terrakube-registry-https.rule: "Host(`tk-registry.${DOMAIN}`)"
  traefik.http.routers.terrakube-registry-https.entrypoints: websecure
  traefik.http.routers.terrakube-registry-https.tls: "true"
  traefik.http.routers.terrakube-registry-https.middlewares: terrakube-dex-allow-origin
  traefik.http.services.terrakube-registry-https.loadbalancer.server.port: "8075"
  ## Plain HTTP only redirects to HTTPS.
  traefik.http.routers.terrakube-registry-http.rule: "Host(`tk-registry.${DOMAIN}`)"
  traefik.http.routers.terrakube-registry-http.entrypoints: web
  traefik.http.routers.terrakube-registry-http.middlewares: terrakube-registry-redirect-https
  traefik.http.middlewares.terrakube-registry-redirect-https.redirectscheme.scheme: https
|
|
|
|
|
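### Containers

# All services join the shared external network declared at the bottom. The
# datastores (postgres, redis, minio, ldap) publish no ports, but anything else
# attached to that network can reach them directly — with the sample
# credentials unless the TK_* / LDAP_* / MINIO_* variables are set in .env.
services:
  traefik:
    # `latest` floats; set TRAEFIK_VERSION to a tested release for anything
    # that outlives a demo.
    image: "traefik:${TRAEFIK_VERSION:-latest}"
    container_name: terrakube-traefik
    # Give Traefik a reserved IP address in your external network, pick something towards the end of the network to avoid conflicts
    networks:
      default:
        ipv4_address: "${TRAEFIK_IPV4_ADDRESS}"
    environment: *traefik_env
    dns: *terrakube_dns
    # Quoted so YAML never reads a low port number as a sexagesimal int.
    ports:
      - "${TRAEFIK_HTTP_PORT}:80"
      - "${TRAEFIK_HTTPS_PORT}:443"
    volumes:
      # SECURITY: the Docker socket is effectively root on the host; `:ro` only
      # affects the file mode, not what the API allows. A socket proxy exposing
      # just the endpoints Traefik needs is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik_dynamic.yml:/etc/traefik_dynamic.yml:ro
      ## Uncomment for let's encrypt cert based off Domain
      # - /etc/letsencrypt/live/${DOMAIN}/privkey.pem:/letsencrypt/privkey.pem:ro
      # - /etc/letsencrypt/live/${DOMAIN}/fullchain.pem:/letsencrypt/fullchain.pem:ro
    restart: unless-stopped

  terrakube-api:
    image: "azbuilder/api-server:${TK_VERSION}"
    container_name: terrakube-api
    environment:
      <<: *api_env
    labels: *traefik_api_labels
    extra_hosts: *terrakube_hosts
    depends_on:
      - postgresql-service

  terrakube-ui:
    image: "azbuilder/terrakube-ui:${TK_VERSION}"
    container_name: terrakube-ui
    extra_hosts: *terrakube_hosts
    labels: *traefik_ui_labels
    volumes:
      - ./env-config.js:/app/env-config.js:ro
    environment:
      <<: *ui_env

  terrakube-executor:
    dns: *terrakube_dns
    image: "azbuilder/executor:${TK_VERSION}"
    labels: *traefik_executor_labels
    extra_hosts: *terrakube_hosts
    container_name: terrakube-executor
    environment:
      <<: *executor_env

  terrakube-registry:
    dns: *terrakube_dns
    image: "azbuilder/open-registry:${TK_VERSION}"
    labels: *traefik_registry_labels
    extra_hosts: *terrakube_hosts
    container_name: terrakube-registry
    environment:
      <<: *registry_env

  terrakube-dex:
    image: ghcr.io/dexidp/dex:v2.37.0
    extra_hosts: *terrakube_hosts
    labels: *traefik_dex_labels
    container_name: terrakube-dex
    volumes:
      # Dex config; presumably holds the LDAP bind credentials and client
      # secrets, so keep it out of version control and restrict its mode.
      - ./config-ldap.yaml:/etc/dex/config.docker.yaml:ro

  ldap-service:
    image: bitnami/openldap:2.6.4-debian-11-r4
    container_name: terrakube-ldap-service
    environment: *ldap_env
    volumes:
      - ./config-ldap.ldif:/ldifs/config-ldap.ldif:ro

  minio:
    container_name: terrakube-minio
    # `2022` is a floating tag covering a year of releases; pin a specific build.
    image: docker.io/bitnami/minio:2022
    environment: *minio_env
    volumes:
      - 'minio_data:/data'

  redis-service:
    image: bitnami/redis:7.0.10
    container_name: terrakube-redis
    environment:
      - REDIS_REPLICATION_MODE=master
      # Must match TerrakubeRedisPassword on the api and executor services.
      - REDIS_PASSWORD=${TK_REDIS_PASSWORD:-password123456}
      - REDIS_MASTER_PASSWORD=${TK_REDIS_PASSWORD:-password123456}
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
    volumes:
      - 'redis_data:/bitnami/redis/data'

  postgresql-service:
    # Major-version tag; pin a minor/patch for reproducible upgrades.
    image: docker.io/bitnami/postgresql:15
    container_name: postgresql-service
    environment:
      - POSTGRESQL_USERNAME=terrakube
      # Must match DatasourcePassword on the api service.
      - POSTGRESQL_PASSWORD=${TK_DB_PASSWORD:-terrakubepassword}
      - POSTGRESQL_DATABASE=terrakubedb
    volumes:
      - postgresql_data:/bitnami/postgresql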
|
# Named volumes for the stateful services (minio, redis, postgres).
volumes:
  minio_data: {}
  redis_data: {}
  postgresql_data:
    driver: local

# External network is required, import its name below.
# Every service attaches to it, so its membership defines who can reach the
# unpublished datastores.
networks:
  default:
    name: "${EXTERNAL_NETWORK_NAME}"
    external: true