Commit 17cbaf2

authored
Merge pull request cfpb#1049 from hkeeler/keycloak-ha-good-bits
WIP: Compose setup for hmda-platform-auth cfpb#126
2 parents a3a3919 + 3463de1 commit 17cbaf2

1 file changed

+65
-37
lines changed


docker-compose.yml

Lines changed: 65 additions & 37 deletions
@@ -1,14 +1,14 @@
1-
# Assumes UI repo is cloned in parent directory
21
version: '2'
32
services:
3+
44
api:
55
build: .
66
ports:
7-
- '9090:8080'
8-
- '9091:8081'
9-
- '9092:8082'
7+
- '8080:8080'
8+
- '8081:8081'
9+
- '8082:8082'
1010
volumes:
11-
- ./target/scala-2.12/hmda.jar:/opt/hmda.jar
11+
- ./target/scala-2.12/hmda.jar:/opt/hmda.jar
1212
depends_on:
1313
- cassandra
1414
- zookeeper
@@ -20,31 +20,36 @@ services:
2020
CASSANDRA_CLUSTER_HOSTS: cassandra
2121
CASSANDRA_CLUSTER_PORT: 9042
2222
HMDA_IS_DEMO: 'true'
23+
# lb settings
24+
EXCLUDE_PORTS: '8080, 8081' # 8080 proxied through auth_proxy; 8081 (Admin API) doesn't need proxy
25+
VIRTUAL_HOST: 'https://*:4443/public/*'
26+
VIRTUAL_HOST_WEIGHT: 1 # avoids conflicts with auth_proxy
27+
# add simple CORS support; proxypass /public/ to Public API
28+
EXTRA_SETTINGS: 'rspadd Access-Control-Allow-Origin:\ *, reqirep "^([^ :]*)\ /public//?(.*)" "\1\ /\2"'
2329
restart: always
2430

2531
ui:
2632
build:
2733
context: ../hmda-platform-ui
2834
args:
2935
SKIP_JS_BUILD: 1
30-
ports:
31-
- "80:80"
3236
depends_on:
3337
- api
3438
- auth_proxy
3539
- keycloak
3640
volumes:
3741
- ../hmda-platform-ui/dist:/usr/src/app/dist
3842
environment:
39-
APP_URL: http://192.168.99.100
43+
APP_URL: https://192.168.99.100
4044
HMDA_API: https://192.168.99.100:4443/hmda
4145
KEYCLOAK_URL: https://192.168.99.100:8443/auth/realms/hmda
46+
# lb settings
47+
VIRTUAL_HOST: 'http://*:80/*, https://*:443/*'
48+
EXCLUDE_PORTS: '443' # use lb's ssl instead of ui's nginx
49+
FORCE_SSL: 'true' # redirect 80 to 443
4250

4351
keycloak:
4452
build: ../hmda-platform-auth/keycloak
45-
ports:
46-
- '8080:8080'
47-
- '8443:8443'
4853
environment:
4954
KEYCLOAK_USER: admin
5055
KEYCLOAK_PASSWORD: admin
@@ -53,27 +58,25 @@ services:
5358
POSTGRES_PASSWORD: password
5459
POSTGRES_SERVER: keycloak_db
5560
POSTGRES_PORT: 5432
56-
INSTITUTION_SEARCH_URI: https://192.168.99.100:9443
61+
PROXY_HTTPS_PORT: 8443
62+
SMTP_SERVER: mail_dev
63+
SMTP_PORT: 25
64+
INSTITUTION_SEARCH_URI: 'https://192.168.99.100:4443/public/'
5765
INSTITUTION_SEARCH_VALIDATE_SSL: "OFF"
58-
HOME_PAGE_URI: http://192.168.99.100
59-
REDIRECT_URIS: '[ "http://192.168.99.100", "http://192.168.99.100/oidc-callback", "http://192.168.99.100/silent_renew.html" ]'
66+
HOME_PAGE_URI: 'https://192.168.99.100'
67+
REDIRECT_URIS: '[ "https://192.168.99.100", "https://192.168.99.100/oidc-callback", "https://192.168.99.100/silent_renew.html" ]'
6068
SUPPORT_EMAIL: '[email protected]'
69+
# lb settings
70+
VIRTUAL_HOST: 'https://*:8443/*'
71+
VIRTUAL_HOST_WEIGHT: 0
6172
volumes:
6273
- '../hmda-platform-auth/keycloak/themes/hmda:/opt/jboss/keycloak/themes/hmda'
6374
# - '../hmda-platform-auth/keycloak/import:/opt/jboss/import'
6475

6576
# Set action to "export" to dump Keycloak realm data
66-
command: >
67-
-Dkeycloak.migration.action=import
68-
-Dkeycloak.migration.provider=dir
69-
-Dkeycloak.migration.dir=/opt/jboss/import/
70-
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING
71-
-Dkeycloak.migration.usersExportStrategy=SKIP
72-
-b 0.0.0.0
77+
command: './docker-entrypoint.sh'
7378
links:
74-
- mail_dev
7579
- keycloak_db
76-
- api
7780

7881
keycloak_db:
7982
image: postgres:9.6.1
@@ -84,31 +87,34 @@ services:
8487

8588
auth_proxy:
8689
build: ../hmda-platform-auth/auth-proxy
87-
ports:
88-
- '4443:8443' # Auth Proxy
89-
- '9443:9443' # Institution Search
9090
environment:
91-
OIDC_METADATA_URI: https://keycloak:8443/auth/realms/hmda/.well-known/openid-configuration
92-
OIDC_JWKS_URI: https://keycloak:8443/auth/realms/hmda/protocol/openid-connect/certs
91+
OIDC_METADATA_URI: https://192.168.99.100:8443/auth/realms/hmda/.well-known/openid-configuration
92+
OIDC_JWKS_URI: https://192.168.99.100:8443/auth/realms/hmda/protocol/openid-connect/certs
9393
OIDC_CLIENT_ID: api
9494
OIDC_REDIRECT_URI: https://192.168.99.100:8443
95-
CRYPTO_PASSPHRASE: abcdefghijklmnopqrstuvwxyz
96-
VALIDATE_SSL: "Off"
97-
CLAIM_HEADER_PREFIX: CFPB-HMDA-
98-
REMOTE_USER_CLAIM: preferred_username
99-
REMOTE_USER_HEADER: CFPB-HMDA-Username
95+
OIDC_CRYPTO_PASSPHRASE: abcdefghijklmnopqrstuvwxyz
96+
OIDC_VALIDATE_SSL: "Off"
97+
OIDC_CLAIM_HEADER_PREFIX: CFPB-HMDA-
98+
OIDC_REMOTE_USER_CLAIM: preferred_username
99+
OIDC_REMOTE_USER_HEADER: CFPB-HMDA-Username
100100
FILING_API_UPSTREAM_URI: http://api:8080/
101101
FILING_API_PATH_PREFIX: /hmda/
102-
PUBLIC_API_UPSTREAM_URI: http://api:8082/
103102
LOG_LEVEL: info
103+
# lb settings
104+
VIRTUAL_HOST: 'https://*:4443/*'
105+
VIRTUAL_HOST_WEIGHT: 0
104106
links:
105107
- api
106108
- keycloak
107109

108110
mail_dev:
109111
image: djfarrelly/maildev:0.14.0
110-
ports:
111-
- '1080:80'
112+
environment:
113+
# lb settings
114+
VIRTUAL_HOST: 'https://*:8443/mail/*'
115+
VIRTUAL_HOST_WEIGHT: 1
116+
EXCLUDE_PORTS: '25' # don't proxy SMTP port
117+
EXTRA_SETTINGS: 'reqirep "^([^ :]*)\ /mail//?(.*)" "\1\ /\2"'
112118

113119
query_db:
114120
image: postgres:9.6.1
@@ -131,4 +137,26 @@ services:
131137
ports:
132138
- '9042:9042'
133139
- '7000:7000'
134-
- '7199:7199'
140+
- '7199:7199'
141+
142+
lb:
143+
image: dockercloud/haproxy
144+
volumes:
145+
- /var/run/docker.sock:/var/run/docker.sock
146+
ports:
147+
- '80:80' # ui http - redirects to https (443)
148+
- '443:443' # ui https
149+
- '8443:8443' # auth https - keycloak and maildev
150+
- '4443:4443' # api https - auth_proxy and api's public api
151+
links:
152+
- api
153+
- auth_proxy
154+
- keycloak
155+
- mail_dev
156+
- ui
157+
environment:
158+
# EXTRA_GLOBAL_SETTINGS: 'debug' # enable for request logging
159+
# Default SSL cert for ALL services served by lb
160+
# SEE: https://github.com/docker/dockercloud-haproxy#pem-files
161+
DEFAULT_SSL_CERT: '-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0Mal2qHA1EXk0w4Lq7K7GHT/snGZrT/bIzGmZtQGzccb6OrO\nyBs0NI+bWKuZTStrewFYPKQ/r5N2twqoWAYHiTKcp9ykWE6KKcO3NjAv0bqsZXwi\nV7BcDstlYSjE5f+4i6uwUbQKG1huSwp22QaDXJx2MWS8towihZ03cCMq7DAJLDWP\n474GpsrxVKscfZMgcUUEly7jY+y4/ot/RJE1/cwNAd7R2mUaiE8kZ3KO804UplJB\njUGzZp5zQEeqgO27esD9teYnQRLVwWbB5BkY38Uh9DOK8zUUJK3uJvAC0lUsftus\n8sloYQky2v5u8xpJQMVYNcEctp1CTh4FllRy1wIDAQABAoIBAQDCGY2lAHGIaRre\n5dYP4XF0wYHgYyFfI1kXFVgBjeptckoOeA+blz8oBsOE4rT6O/4HNC7W4lWbZNwg\nPTZZ7/EdqwJeRhI9T3fAcIdrR82NjaIuEATVxc8wqgUtGXxF4UOwBwU8UMh8t/CC\nr83i491JQuXX8jJI/WwzEQGzrd6AClLdurNP9NqRVmShbW5cNnTXi0vTZpeEQXPy\n17w7GHHCGkKVDfzdCd3lnj47thg1LdjYpNyMYMUQ0NxdUGqEhP3d355gNVdW4q7g\nzneh29hXtYzxAgovpvQ3PRkfiPKo4GbW3UUIZmKjHjWqNYtE/Kj2daqsqt+xL9Dq\nLiLpmJLRAoGBAOzD6F7MNpJQZSDkN2iUruk38kBM0GJyJp2GIB8QDtcYZzq9zAXU\n7UI+dnfRus8suZTiGQ6fx6gsVvi1mnFvYonvbe64U5iA/s/DUEo+REsLFTbCw/5X\nXKqKiHJYt6WnjbjDY23xsjT2dt+XsNlWqsiawGhQYpnNgs9D5LJ5PKilAoGBAOG8\nov/sNeRTGYOrX8equNWltKpUmA11D0Fb0RDAHYNlkw1gR7p0YJ1kteCq13zoMTMg\n1+2fR83clcpcpCpESsHOBZs0g1dujSemJvgc3x9Gf7/fc3w7gfIADbOMiG+lbzqx\n+299z8l9NMDr4XSpDIOvi7WcW07roFXW19GumljLAoGAS6+cmqFBWKhmi4sowz+0\nYk1GHZPwkWfYPEbiAcwKUmw0o6yEieC1L5X0HP1ocE3lzVgxlmExW+tAqiSziEuI\n/nsRc1xtLLUfv566DeG1xx912pmMOcQHlWTPlW4S1tunDEc5g63dv9yBx5wgJnn0\nAkil9TKtMmllxYf4laz33RkCgYBbeFCkW1bLGlEwZXT+N1OGXwsCKh0i9tgjp8zj\neLV81N/tf6IRD69Gl9SLIS8IUh39lcVpaC10YXng8gEjj2Crf4wOBA1klEtmUZFg\n4HIY/jwtx6HIKWTSZusmYj+23dZgdlZoKxbTkoSZ1/sXhpink66M/LqTFC94GQKC\n2Ll6WQKBgQDXnrheOts4P8+1n3MM2flHPe2oY5AqjpgFngSLqqz+xHRtYsu+nNjs\ntDVRhdxwvgsLJG9ELFXEO+BVrIzAGL9zbJq+G/S3XT5WOUmYn5yfNveyX1orfTk/\n4zH+IE2LHuXeKcbgM7SPuYYSe13AXvAjP0WiQQABLpJUg1xR7+FUpw==\n-----END RSA PRIVATE KEY-----\n-----BEGIN 
CERTIFICATE-----\nMIIDXjCCAkagAwIBAgIJAMIn/5yNe6lzMA0GCSqGSIb3DQEBBQUAMCgxCjAIBgNV\nBAMUASoxDTALBgNVBAoTBENGUEIxCzAJBgNVBAYTAlVTMB4XDTE3MDcxMDIxMjYx\nM1oXDTIwMDYyNDIxMjYxM1owKDEKMAgGA1UEAxQBKjENMAsGA1UEChMEQ0ZQQjEL\nMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQxqXa\nocDUReTTDgursrsYdP+ycZmtP9sjMaZm1AbNxxvo6s7IGzQ0j5tYq5lNK2t7AVg8\npD+vk3a3CqhYBgeJMpyn3KRYToopw7c2MC/RuqxlfCJXsFwOy2VhKMTl/7iLq7BR\ntAobWG5LCnbZBoNcnHYxZLy2jCKFnTdwIyrsMAksNY/jvgamyvFUqxx9kyBxRQSX\nLuNj7Lj+i39EkTX9zA0B3tHaZRqITyRnco7zThSmUkGNQbNmnnNAR6qA7bt6wP21\n5idBEtXBZsHkGRjfxSH0M4rzNRQkre4m8ALSVSx+26zyyWhhCTLa/m7zGklAxVg1\nwRy2nUJOHgWWVHLXAgMBAAGjgYowgYcwHQYDVR0OBBYEFLL5wreeYENfq9VPn2XQ\np2BNDu7XMFgGA1UdIwRRME+AFLL5wreeYENfq9VPn2XQp2BNDu7XoSykKjAoMQow\nCAYDVQQDFAEqMQ0wCwYDVQQKEwRDRlBCMQswCQYDVQQGEwJVU4IJAMIn/5yNe6lz\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAGPxIPQRh6nWbZZcKxij\ndnqmam8j97N1r53LbAT4YtEOrHIhAtVImIMqUEc2wrr+UsrVCTf2N8V7EiFiWyJS\nFkQSmPUyrZyMX/vptwIXQj9nhMl8acT2rxOuCj2ughiWdhXBNiR5pknmsPFo36TR\nhtUFLphbHU9g9eCINUuQYlBirvssCXhc+lE9VVHC5tGpjj3XyfapeDhWLDqd8ovY\n9wCXceWH3X7I0uVSRXAOWvJ9s3b3USikoLX6MpX/yntY7vMULbZhd8jd1Mv9tT/r\nMuFEdymyyoNAYVeuhjPeZF4f9WFEgDtHOf5L5F5pmu3E4JZwWKj5q5W8EInseOgG\nwRU=\n-----END CERTIFICATE-----\n'
162+
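Review bot: The `DEFAULT_SSL_CERT` value added for the new `lb` service (new line 161) embeds a complete RSA private key and certificate inline, so the key material is now part of the repository history even though this is a WIP dev setup. I would keep the PEM out of the compose file — pass it through a git-ignored `env_file`, or mount it from a volume as the haproxy image allows — and note above the key that a private key already committed should be treated as exposed and regenerated, e.g. `# DEV ONLY: self-signed cert; load from outside the repo, never commit a real key`. Two other dev-only concessions in this change deserve an explicit comment so they are not copied into a real deployment: `lb` mounts `/var/run/docker.sock`, which gives that container control of the host Docker daemon, and `auth_proxy` keeps `OIDC_VALIDATE_SSL: "Off"` alongside the hard-coded `OIDC_CRYPTO_PASSPHRASE`. Separately, the unchanged comment `# Set action to "export" to dump Keycloak realm data` above the keycloak `command` now describes the removed `-Dkeycloak.migration.action=import` arguments and should be dropped or rewritten, e.g. `# TODO: migration flags moved out of this file; document where realm import/export is now configured`.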
