-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
139 lines (133 loc) · 5.46 KB
/
docker-compose.yml
File metadata and controls
139 lines (133 loc) · 5.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
# TODO: BBMRI expects Traefik to already exist
services:
traefik:
image: traefik:latest
command:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --accesslog=true
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
traefik-forward-auth:
image: quay.io/oauth2-proxy/oauth2-proxy:latest
environment:
- http_proxy=${http_proxy}
- https_proxy=${https_proxy}
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
- OAUTH2_PROXY_OIDC_ISSUER_URL=${OAUTH_ISSUER_URL}
- OAUTH2_PROXY_CLIENT_ID=${OAUTH_CLIENT_ID}
- OAUTH2_PROXY_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
- OAUTH2_PROXY_COOKIE_SECRET=${AUTHENTICATION_SECRET}
- OAUTH2_PROXY_COOKIE_DOMAINS=.${GUI_HOST}
- OAUTH2_PROXY_COOKIE_REFRESH=4m
- OAUTH2_PROXY_COOKIE_EXPIRE=24h
- OAUTH2_PROXY_HTTP_ADDRESS=:4180
- OAUTH2_PROXY_REVERSE_PROXY=true
- OAUTH2_PROXY_WHITELIST_DOMAINS=.${GUI_HOST}
- OAUTH2_PROXY_UPSTREAMS=static://202
- OAUTH2_PROXY_EMAIL_DOMAINS=*
- OAUTH2_PROXY_ALLOWED_GROUPS=${ALLOWED_GROUPS}
# For some reason, login.verbis.dkfz.de does not have a "groups" scope but this comes automatically through a
# scope called microprofile-jwt. Remove the following line once we have a "groups" scope.
- OAUTH2_PROXY_SCOPE=openid profile email
# Pass Authorization Header and some user information to spot
- OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
- OAUTH2_PROXY_SET_XAUTHREQUEST=true
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4180"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=Authorization, X-Forwarded-User, X-Auth-Request-User, X-Auth-Request-Email"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4180"
- "traefik.http.routers.oauth2.rule=Host(`${GUI_HOST}`) && PathPrefix(`/oauth2/`)"
- "traefik.http.routers.oauth2.tls=true"
lens:
image: samply/ccp-explorer:latest
environment:
PUBLIC_ENVIRONMENT: ${PUBLIC_ENVIRONMENT}
labels:
- "traefik.enable=true"
- "traefik.http.routers.lens.rule=Host(`${GUI_HOST}`)"
- "traefik.http.routers.lens.tls=true"
- "traefik.http.routers.lens.middlewares=traefik-forward-auth"
spot:
image: samply/rustyspot:latest
platform: linux/amd64
ports:
- "8055:8055"
environment:
HTTP_PROXY: ${http_proxy}
HTTPS_PROXY: ${https_proxy}
NO_PROXY: beam-proxy, prism
BEAM_SECRET: "${LOCAL_BEAM_SECRET_SPOT}"
BEAM_PROXY_URL: http://beam-proxy:8081
BEAM_APP_ID: "spot.${LOCAL_BEAM_ID}.${BROKER_HOST}"
CORS_ORIGIN: "https://${GUI_HOST}"
SITES: ${SITES}
TRANSFORM: LENS
PROJECT: dktk
BIND_ADDR: 0.0.0.0:8055
PRISM_URL: http://prism:8066
RUST_LOG: "info"
LOG_FILE: /logs/requests.log
volumes:
- ./logs:/logs
depends_on:
- "beam-proxy"
labels:
- "traefik.enable=true"
- "traefik.http.services.spot.loadbalancer.server.port=8055"
- "traefik.http.middlewares.corsheaders.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.corsheaders.headers.accesscontrolallowheaders=content-type"
- "traefik.http.middlewares.corsheaders.headers.accesscontrolalloworiginlist=https://${GUI_HOST}"
- "traefik.http.middlewares.corsheaders.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.corsheaders.headers.accesscontrolmaxage=-1"
- "traefik.http.routers.spot.rule=Host(`backend.${GUI_HOST}`) && PathPrefix(`/prod`)"
- "traefik.http.middlewares.stripprefix_spot_prod.stripprefix.prefixes=/prod"
- "traefik.http.routers.spot.tls=true"
- "traefik.http.routers.spot.middlewares=corsheaders,traefik-forward-auth,stripprefix_spot_prod"
beam-proxy:
image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
platform: linux/amd64
environment:
BROKER_URL: https://${BROKER_HOST}
PROXY_ID: ${LOCAL_BEAM_ID}.${BROKER_HOST}
APP_spot_KEY: ${LOCAL_BEAM_SECRET_SPOT}
APP_prism_KEY: ${LOCAL_BEAM_SECRET_PRISM}
PRIVKEY_FILE: /run/secrets/proxy.pem
ALL_PROXY: ${http_proxy}
secrets:
- proxy.pem
- root.crt.pem
prism:
image: samply/prism:main
environment:
# TODO: Autogenerate this
API_KEY: "${LOCAL_BEAM_SECRET_PRISM}"
BEAM_PROXY_URL: http://beam-proxy:8081
BEAM_APP_ID_LONG: prism.${LOCAL_BEAM_ID}.${BROKER_HOST}
CORS_ORIGIN: "https://${GUI_HOST}"
SITES: ${SITES}
PROJECT: dktk
BIND_ADDR: 0.0.0.0:8066
RUST_LOG: "debug,hyper=info"
depends_on:
- "beam-proxy"
labels:
- "traefik.enable=true"
- "traefik.http.services.prism.loadbalancer.server.port=8066"
- "traefik.http.routers.prism.rule=Host(`${GUI_HOST}`) && PathPrefix(`/prism`)"
- "traefik.http.routers.prism.tls=true"
- "traefik.http.middlewares.prism-stripprefix.stripprefix.prefixes=/prism"
- "traefik.http.routers.prism.middlewares=corsheaders,traefik-forward-auth,prism-stripprefix"
secrets:
proxy.pem:
# TODO: Key in BBMRI was directly stored in lens directory!
file: /etc/lens/pki/${LOCAL_BEAM_ID}.priv.pem
root.crt.pem:
file: ./rootcerts/root.crt.pem