ITISFoundation · YuryHrytsuk · Oct 23, 2024 · Oct 21, 2024 · Oct 22, 2024 · Oct 22, 2024
@@ -132,7 +132,11 @@ services:
         - traefik.http.middlewares.ops_ratelimit.ratelimit.average=${TRAEFIK_RATELIMIT_AVG}
         - traefik.http.middlewares.ops_ratelimit.ratelimit.burst=${TRAEFIK_RATELIMIT_BURST}
         - traefik.http.middlewares.ops_ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=1
-
+        # Platform user auth: Use this middleware to enforce only authenticated users
+        # https://doc.traefik.io/traefik/middlewares/http/forwardauth
+        - traefik.http.middlewares.authenticated_platform_user.forwardauth.address=http://${WEBSERVER_HOST}:${WEBSERVER_PORT}/v0/auth:check
+        - traefik.http.middlewares.authenticated_platform_user.forwardauth.trustForwardHeader=true
+        - traefik.http.middlewares.authenticated_platform_user.forwardauth.authResponseHeaders=Set-Cookie,osparc-sc2
     networks:
       public: null
       monitored: null

@@ -34,3 +34,6 @@ OPS_TRAEFIK_LOGLEVEL=${OPS_TRAEFIK_LOGLEVEL}
 
 PUBLIC_NETWORK=${PUBLIC_NETWORK}
 MONITORED_NETWORK=${MONITORED_NETWORK}
+
+WEBSERVER_HOST=${WEBSERVER_HOST}
+WEBSERVER_PORT=${WEBSERVER_PORT}
@@ -0,0 +1,35 @@
+.DEFAULT_GOAL := help
+
+# Internal VARIABLES ------------------------------------------------
+# STACK_NAME defaults to name of the current directory. Should not to be changed if you follow GitOps operating procedures.
+STACK_NAME = $(notdir $(shell pwd))
+TEMP_COMPOSE=.stack.${STACK_NAME}.yaml
+REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
+
+# TARGETS --------------------------------------------------
+include ${REPO_BASE_DIR}/scripts/common.Makefile
+
+.PHONY: up ## Deploys registry stack
+up: ${TEMP_COMPOSE} .init .env
+	docker stack deploy --with-registry-auth --prune --compose-file $< ${STACK_NAME}
+
+.PHONY: up-dalco ## Deploys registry stack for Dalco Cluster
+up-dalco: up
+
+.PHONY: up-aws
+up-aws: up
+
+.PHONY: up-master ## Deploys registry on master cluster
+up-master: up
+
+.PHONY: up-public ## Deploys registry on public cluster
+up-public: up
+
+.PHONY: up-local ## Deploys registry on local deployment
+up-local: up
+
+# Helpers -------------------------------------------------
+
+.PHONY: ${TEMP_COMPOSE}
+${TEMP_COMPOSE}: docker-compose.yml .env
+	${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< > $@
@@ -0,0 +1,24 @@
+version: "3.7"
+
+services:
+  manual:
+    image: ${VENDOR_MANUAL_IMAGE}
+    init: true
+    hostname: "{{.Node.Hostname}}-{{.Task.Slot}}"
+    deploy:
+      replicas: ${VENDOR_MANUAL_REPLICAS}
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=${PUBLIC_NETWORK}
+        - traefik.http.services.vendor_manual.loadbalancer.server.port=${VENDOR_MANUAL_PORT}
+        - traefik.http.routers.vendor_manual.entrypoints=https
+        - traefik.http.routers.vendor_manual.tls=true
+        - traefik.http.routers.vendor_manual.rule=Host(`${VENDOR_MANUAL_DOMAIN}`)
+        - traefik.http.routers.vendor_manual.middlewares=ops_gzip@swarm, authenticated_platform_user@swarm
+    networks:
+      - public
+
+networks:
+  public:
+    external: true
+    name: ${PUBLIC_NETWORK}
@@ -0,0 +1,5 @@
+VENDOR_MANUAL_IMAGE=${VENDOR_MANUAL_IMAGE}
+VENDOR_MANUAL_REPLICAS=${VENDOR_MANUAL_REPLICAS}
+VENDOR_MANUAL_DOMAIN=${VENDOR_MANUAL_DOMAIN}
+VENDOR_MANUAL_PORT=${VENDOR_MANUAL_PORT}
+PUBLIC_NETWORK=${PUBLIC_NETWORK}