docker-compose.yml
---
# Named volumes shared between the services defined in this file.
# All of them use the platform's default volume configuration.
volumes:
  # Mounted at /trust-anchors by the trust service and at
  # /etc/grid-security/certificates by iam-be and client.
  trust:
  # Mounted at /etc/pki by the trust service and by the iam (nginx) service.
  cabundle:
  # Mounted at /hostcerts by the trust service and at /certs by iam.
  hostcerts:
  # Mounted at /usercerts by the trust service only.
  usercerts:
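# Local development / test stack. The database passwords and the OAuth
# client secret below are fixed placeholder values committed to the
# repository: do not reuse this file, or these values, for anything that
# is reachable from an untrusted network.
services:
  db:
    image: ${DB_IMAGE}
    container_name: db
    environment:
      TZ: Europe/Rome
      # Throwaway development credentials. iam-be connects with the same
      # user/password pair (IAM_DB_USERNAME / IAM_DB_PASSWORD).
      MYSQL_ROOT_PASSWORD: pwd
      MYSQL_USER: iam
      MYSQL_PASSWORD: pwd
      MYSQL_DATABASE: iam
    ports:
      # Publish on the loopback interface only. A bare "3306:3306" makes
      # Docker listen on every host interface, which would expose a
      # database protected only by the placeholder passwords above.
      # Other services reach it over the compose network as "db:3306"
      # and are unaffected by this binding.
      - "127.0.0.1:3306:3306"
    healthcheck:
      # iam-be waits for this check (depends_on: service_healthy).
      test: ["CMD", "mysqladmin", "ping", "-h", "127.0.0.1", "-P", "3306", "--silent"]
      interval: 5s
      timeout: 3s
      retries: 10
      start_period: 0s

  # One-shot container: the other services wait for it to exit
  # successfully (service_completed_successfully) and then read the
  # volumes it has written to.
  trust:
    build:
      context: ./compose/trust-anchors
    volumes:
      - trust:/trust-anchors
      - cabundle:/etc/pki
      - hostcerts:/hostcerts
      - usercerts:/usercerts
    environment:
      FORCE_TRUST_ANCHORS_UPDATE: "true"

  iam-be:
    container_name: iam-be
    build:
      context: .
      dockerfile: ./iam-login-service/docker/Dockerfile
    environment:
      TZ: Europe/Rome
      IAM_JAVA_OPTS: -Dspring-boot.run.profiles=mysql-test
      IAM_BASE_URL: https://iam.local.io
      IAM_ISSUER: https://iam.local.io/
      IAM_FORWARD_HEADERS_STRATEGY: native
      IAM_NOTIFICATION_DISABLE: "true"
      IAM_DB_HOST: db
      IAM_DB_NAME: iam
      IAM_DB_USERNAME: iam
      # Must match MYSQL_PASSWORD of the db service (development value).
      IAM_DB_PASSWORD: pwd
      IAM_JWT_DEFAULT_PROFILE: wlcg
      IAM_ACCESS_TOKEN_INCLUDE_SCOPE: "true"
      IAM_ACCESS_TOKEN_INCLUDE_NBF: "true"
      # Optional RCAuth integration. When enabled, the client id and
      # secret are interpolated from the environment rather than being
      # written into this file.
      # IAM_RCAUTH_ENABLED: "true"
      # IAM_RCAUTH_CLIENT_ID: ${IAM_RCAUTH_CLIENT_ID}
      # IAM_RCAUTH_CLIENT_SECRET: ${IAM_RCAUTH_CLIENT_SECRET}
      # IAM_RCAUTH_ISSUER: ${IAM_RCAUTH_ISSUER}
    depends_on:
      db:
        condition: service_healthy
      trust:
        condition: service_completed_successfully
    volumes:
      - trust:/etc/grid-security/certificates
      # Reads of /dev/random inside the container are served by the
      # host's /dev/urandom.
      # NOTE(review): presumably to avoid start-up stalls on hosts where
      # /dev/random can block - confirm it is still needed.
      - /dev/urandom:/dev/random
      # - ./compose/custom-logging/logback-spring.xml:/indigo-iam/logback-spring.xml:ro
      # The source tree is mounted read-only; only the build output
      # (target) directories are writable from inside the container.
      - .:/indigo-iam:ro
      - ./target:/indigo-iam/target:rw
      - ./iam-common/target:/indigo-iam/iam-common/target:rw
      - ./iam-login-service/target:/indigo-iam/iam-login-service/target:rw
      - ./iam-persistence/target:/indigo-iam/iam-persistence/target:rw
      - ./iam-test-client/target:/indigo-iam/iam-test-client/target:rw
      - ./iam-voms-aa/target:/indigo-iam/iam-voms-aa/target:rw

  client:
    build:
      context: .
      dockerfile: ./iam-test-client/docker/Dockerfile
    container_name: client
    environment:
      TZ: Europe/Rome
      # Quoted so the value is a string regardless of the YAML loader.
      IAM_CLIENT_PORT: "8080"
      IAM_CLIENT_FORWARD_HEADERS_STRATEGY: native
      IAM_CLIENT_TLS_USE_GRID_TRUST_ANCHORS: "true"
      IAM_HOST: iam.local.io
      IAM_CLIENT_ISSUER: https://iam.local.io/
      # Placeholder OAuth client credentials for the test client.
      IAM_CLIENT_ID: client
      IAM_CLIENT_SECRET: secret
      IAM_CLIENT_REDIRECT_URIS: https://iam.local.io/iam-test-client/openid_connect_login
      IAM_CLIENT_SCOPES: openid profile email offline_access
      IAM_CLIENT_RESOURCE: http://example1.com http://example2.com http://example3.com
      # IAM_CLIENT_EXT_AUTHN_HINT: saml:exampleIdp
    depends_on:
      trust:
        condition: service_completed_successfully
    volumes:
      - trust:/etc/grid-security/certificates
      - /dev/urandom:/dev/random
      # Read-only source tree with writable build output directories,
      # same layout as for iam-be.
      - .:/app:ro
      - ./target:/app/target:rw
      - ./iam-common/target:/app/iam-common/target:rw
      - ./iam-login-service/target:/app/iam-login-service/target:rw
      - ./iam-persistence/target:/app/iam-persistence/target:rw
      - ./iam-test-client/target:/app/iam-test-client/target:rw
      - ./iam-voms-aa/target:/app/iam-voms-aa/target:rw

  # nginx front end; reachable inside the compose network as
  # iam.local.io through the network alias at the end of this service.
  iam:
    image: ${NGINX_IMAGE}
    container_name: iam
    depends_on:
      iam-be:
        condition: service_started
      client:
        condition: service_started
      trust:
        condition: service_completed_successfully
    dns_search: local.io
    environment:
      TZ: Europe/Rome
      NGINX_HOST: iam
      NGINX_PORT: "443"
    ports:
      # Published on every host interface.
      # NOTE(review): if only a browser on this machine needs the
      # endpoint, "127.0.0.1:443:443" would be tighter - confirm how
      # iam.local.io is resolved on the host before changing it.
      - "443:443"
    volumes:
      - /dev/urandom:/dev/random
      - cabundle:/etc/pki
      - hostcerts:/certs
      - ./compose/nginx/iam.conf:/etc/nginx/conf.d/default.conf:ro
      - ./compose/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    networks:
      default:
        aliases:
          - iam.local.io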