-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathdocker-compose-local.yml
140 lines (127 loc) · 4.5 KB
/
docker-compose-local.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
version: '3.7'
x-kc_dbconfig_env: &kcdbconfig_env
KEYCLOAK_DATABASE_NAME: &kcdbname postgres
KEYCLOAK_DATABASE_HOST: postgres
KEYCLOAK_DATABASE_USER: &kcdbuser keycloak
# FIXME: take from env (which should be set to random)
KEYCLOAK_DATABASE_PASSWORD: &kcdbpass keycloakpwd # pragma: allowlist secret
x-ldap_admin_env: &ldap_admin_env
# FIXME: take from env (which should be set to random)
LDAP_ADMIN_PASSWORD: &ldapadminpass ldapadminpwd # pragma: allowlist secret
LDAP_ADMIN_USERNAME: &ldapadminuser admin
x-keycloak_users_env: &keycloak_users_env
KEYCLOAK_CREATE_ADMIN_USER: true
KEYCLOAK_ADMIN_USER: &kcadminuser admin
KEYCLOAK_MANAGEMENT_USER: damager
# FIXME: take from env (which should be set to random)
KEYCLOAK_ADMIN_PASSWORD: &kcadminpass kcadminpw # pragma: allowlist secret
KEYCLOAK_MANAGEMENT_PASSWORD: kcmgrpw # pragma: allowlist secret
x-keycloak_profile_env: &keycloak_profile_env
# These can be expanded in keycloak-config/profile.json
KCP_REALM: "RASENMAEHER"
KCP_MAIN_ID: "4f88fe8c-ffa5-4ae4-97c9-3831a500d502" # FIXME: get from env or something
x-keycloakinit_users_env: &keycloakinit_users_env
KEYCLOAK_USER: *kcadminuser # pragma: allowlist secret
KEYCLOAK_PASSWORD: *kcadminpass # pragma: allowlist secret
x-keycloak_tls_env: &keycloak_tls_env
KEYCLOAK_ENABLE_HTTPS: true
KCI_SERVER_HOSTNAME: ${SERVER_DOMAIN:-localmaeher.dev.pvarki.fi} # TODO: Should we use a subdomain so we can do smart proxying ??
KEYCLOAK_HTTPS_KEY_STORE_PASSWORD: ${KEYCLOAK_HTTPS_KEY_STORE_PASSWORD:-kckspwd} # pragma: allowlist secret
KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD: ${KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD:-kctspwd} # pragma: allowlist secret
KEYCLOAK_HTTPS_TRUST_STORE_FILE: /bitnami/keycloak/kcserver-truststore.jks
KEYCLOAK_HTTPS_KEY_STORE_FILE: /bitnami/keycloak/kcserver-keys.jks
services:
openldap:
image: pvarki/openldap:latest
build:
context: ./openldap
dockerfile: Dockerfile
ports:
- '1389:1389'
environment:
<<: *ldap_admin_env
LDAP_SKIP_DEFAULT_TREE: yes
LDAP_ALLOW_ANON_BINDING: no
# FIXME: get from env ??
LDAP_ROOT: "dc=example,dc=org" # Probably needs to match the custom ldfis
LDAP_LOGLEVEL: 0
volumes:
- openldap_data:/bitnami/openldap
healthcheck:
test: 'ldapsearch -Q -tt -LLL -Y EXTERNAL -H ldapi:/// "(uid=testuser)" -b dc=example,dc=org memberOf || exit 1'
interval: 5s
timeout: 5s
retries: 3
start_period: 5s
postgres:
image: postgres:12
networks:
- dbnet
volumes:
- pg_data:/var/lib/postgresql/data
- ca_public:/ca
environment:
POSTGRES_PASSWORD: *kcdbpass # pragma: allowlist secret
POSTGRES_USER: *kcdbuser
POSTGRES_DATABASE: *kcdbname
healthcheck:
test: "pg_isready --dbname=$$POSTGRES_DB --username=$$POSTGRES_USER || exit 1"
interval: 5s
timeout: 5s
retries: 3
start_period: 5s
keycloak:
image: bitnami/keycloak:${KEYCLOAK_VERSION:-22.0.4}
ports:
- '8280:8080' # do not expose this in production
- '9443:8443'
environment:
# <<: [*kcdbconfig_env, *keycloak_users_env, *keycloak_tls_env]
<<: [*kcdbconfig_env, *keycloak_users_env]
KC_HEALTH_ENABLED: true
KEYCLOAK_INITSCRIPTS_DIR: /init_scripts
networks:
- kcnet
- dbnet
volumes:
- keycloak_data:/bitnami/keycloak/
- ca_public:/ca_public
- ./init_scripts:/docker-entrypoint-initdb.d
depends_on:
openldap:
condition: service_healthy
postgres:
condition: service_healthy
healthcheck:
test: "curl -s localhost:8080/health/ready | grep status | grep UP || exit 1"
interval: 10s
timeout: 10s
retries: 5
start_period: 15s
# init container that sets up profile with realm on keycloak instance
keycloak-init:
image: adorsys/keycloak-config-cli:latest-${KEYCLOAK_VERSION:-22.0.4}
networks:
- kcnet
volumes:
- ./keycloak-config:/config
- ca_public:/ca_public
environment:
<<: [*keycloak_profile_env, *ldap_admin_env, *keycloakinit_users_env]
KEYCLOAK_URL: http://keycloak:8080
KEYCLOAK_SSL-VERIFY: false
KEYCLOAK_AVAILABILITYCHECK_ENABLED: true
KEYCLOAK_AVAILABILITYCHECK_TIMEOUT: 30s
IMPORT_VAR_SUBSTITUTION_ENABLED: true
LDAP_CONNECTION_URL: ldap://openldap:1389
depends_on:
keycloak:
condition: service_healthy
networks:
kcnet:
dbnet:
volumes:
pg_data:
openldap_data:
keycloak_data:
ca_public: