-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathdocker-compose.yaml
More file actions
268 lines (263 loc) · 17.1 KB
/
docker-compose.yaml
File metadata and controls
268 lines (263 loc) · 17.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
# Shared Docker Services:
services:
# Reverse Proxy (Traefik):
proxy:
image: traefik:v3.6 # Use Traefik reverse proxy
restart: unless-stopped # Restore last on/off state after restart
ports:
- 80:80/tcp # Open port 80 (HTTP)
# - 443:443/tcp # Open port 443 (HTTPS)
networks:
- proxy
command:
- "--accesslog=true" # Log access for debugging
- "--entrypoints.web.address=:80/tcp" # Use port 80 as entypoint 'web'
# - "--entrypoints.websecure.address=:443/tcp" # Use port 443 as entypoint 'websecure'
- "--providers.docker=true" # Enable Docker provider to handle requests to services
- "--providers.docker.endpoint=unix:///var/run/docker.sock" # Path to docker socket to listen to new services
- "--providers.docker.exposedbydefault=false" # Do not expose every service by default
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro # Mount host's docker socket read-only
# Keycloak Database (PostgreSQL):
db:
image: postgres:18-alpine # Use PostgreSQL on Alpine Linux as database for Keycloak
restart: unless-stopped # Restore last on/off state after restart
environment:
POSTGRES_DB: keycloak # Name database 'keycloak'
POSTGRES_USER_FILE: /run/secrets/db_username # Set database username to Docker Secret 'db_username'
POSTGRES_PASSWORD_FILE: /run/secrets/db_password # Set database password to Docker Secret 'db_password'
networks:
- proxy
secrets:
- db_username # Use shared Docker Secret 'db_username'
- db_password # Use shared Docker Secret 'db_password'
volumes:
- userdb:/var/lib/postgresql/data # Mount PostgreSQL data to shared Docker Volume 'userdb'
# OpenID Provider (Keycloak):
op:
image: quay.io/keycloak/keycloak:26.5.5 # Use Keycloak as OpenID Provider
restart: unless-stopped # Restore last on/off state after restart
depends_on:
- proxy # Keycloak requires running reverse proxy
- db # Keycloak requires running database
networks:
- proxy
labels:
- traefik.enable=true # Enable Traefik reverse proxy exposure
- traefik.http.routers.op.entrypoints=web # Enable exposure via HTTP entrypoint 'web'
- traefik.http.routers.op.rule=Host(`${OP_HOST}`) # Specify routing via hostname provided in environment variable 'OP_HOST'
- traefik.http.routers.op.priority=1 # Set priority low (traefik.http.routers.ict.priority must be higher)
environment:
KC_DB: postgres # Use a PostgreSQL database
KC_DB_URL: jdbc:postgresql://db:5432/keycloak # Specify JDBC URL to the PostgreSQL database ('db' = name of Keycloak Database service, 'keycloak' must be POSTGRES_DB of the Keycloak Database service)
KC_PROXY: edge # Configure Keycloak to run behind a reverse proxy with unencrypted HTTP between proxy and Keycloak
env_file:
- ./.secrets/op.env # Include secrets from generated environment variables
command:
- "start-dev"
- "--hostname-strict=false"
- "--import-realm" # Run Keycloak in development mode
secrets:
- db_username # Use shared Docker Secret 'db_username'
- db_password # Use shared Docker Secret 'db_password'
volumes:
- ./keycloak:/opt/keycloak/data/import:ro
# ICT endpoint for Keycloak (this Go application):
ict:
# # For testing:
# image: jonasprimbs/oidc-e2ea-server:latest # Use latest image from Docker Hub
# For development:
build:
context: ./ # Use this repository directory as context
dockerfile: Dockerfile # Use 'Dockerfile' from context directory
# For both:
restart: unless-stopped # Restore last on/off state after restart
depends_on:
- proxy # ICT endpoint requires running reverse proxy
- op # ICT endpoint requires running OpenID Provider
networks:
- proxy
labels:
- traefik.enable=true # Enable Traefik reverse proxy exposure
- traefik.http.routers.ict.entrypoints=web # Enable exposure via HTTP entrypoint 'web'
- >- # Specify routing via hostname provided in environment variable 'OP_HOST' and append it to userinfo endpoint
traefik.http.routers.ict.rule=(Host(`${OP_HOST}`) &&
PathPrefix(`/realms/ict/protocol/openid-connect/userinfo/ict`))
- traefik.http.routers.ict.priority=2 # Set priority high (traefik.http.routers.op.priority must be lower)
- traefik.http.routers.ict.middlewares=ict@docker,ictheaders@docker # Include 'ict' middleware from Docker labels below
- >- # Remove .../userinfo/ict path from request
traefik.http.middlewares.ict.replacepathregex.regex=^/realms/ict/protocol/openid-connect/userinfo/ict(.*)
- >- # Forward only path after .../userinfo/ict (marked with '(.*)') in request to ICT endpoint
traefik.http.middlewares.ict.replacepathregex.replacement=$$1
- traefik.http.middlewares.ictheaders.headers.customResponseHeaders.Access-Control-Allow-Origin=http://localhost:4200,https://editor.swagger.io
- traefik.http.routers.ict.service=ict
- traefik.http.services.ict.loadbalancer.server.port=8080
environment:
KEY_FILE: /run/secrets/op_private_key # Set private key file to Docker Secret 'op_private_key'
ALG: RS256 # Configure RSA with SHA256 (RS256) as signature algorithm for ID Assertion Tokens
USERINFO: >- # Configure userinfo endpoint ('op' is the Docker-internal hostname of OpenID Provider service)
http://op:8080/realms/ict/protocol/openid-connect/userinfo
USERINFO_HOST: op.localhost
TOKEN_INTROSPECTION: >-
http://op:8080/realms/ict/protocol/openid-connect/token/introspect
TOKEN_INTROSPECTION_HOST: op.localhost
INTROSPECTION_CREDENTIALS: ${ICT_CREDENTIALS} # HTTP Basic Authentication Client Credentials of ICT Endpoint
CONTEXT_PREFIX: e2e_auth_
ISSUER: http://${OP_HOST}/realms/ict # Configure issuer of issued ID Assertion Tokens
DEFAULT_TOKEN_PERIOD: 3600 # Configure the default lifetime of issued ID Assertion Tokens in seconds (3600s = 1h)
MAX_TOKEN_PERIOD: 2592000 # Configure the maximum lifetime of issued ID Assertion Tokens in seconds (2592000s = 30d)
PORT: 8080 # Configure the internal port on which the ICT endpoint is listening
env_file:
- ./.secrets/ict.env # Include secrets from generated environment variables
secrets:
- op_private_key # Use shared Docker Secret 'op_private_key'
# # Authentik Database (PostgreSQL)
# db2:
# image: postgres:18-alpine # Use PostgreSQL on Alpine Linux as database for Authentik
# restart: unless-stopped # Restore last on/off state after restart
# environment:
# POSTGRES_DB: authentik # Name database 'authentik'
# POSTGRES_USER_FILE: /run/secrets/db2_username # Set database username to Docker Secret 'db2_username'
# POSTGRES_PASSWORD_FILE: /run/secrets/db2_password # Set database password to Docker Secret 'db2_password'
# secrets:
# - db2_username # Use shared Docker Secret 'db_username'
# - db2_password # Use shared Docker Secret 'db_password'
# volumes:
# - userdb2:/var/lib/postgresql/data # Mount PostgreSQL data to shared Docker Volume 'userdb'
# # Authentik key value storage (Redis)
# redis2:
# image: redis:8-alpine
# restart: unless-stopped
# command: "--save 60 1 --loglevel warning"
# volumes:
# - redis2:/data
# op2:
# image: ghcr.io/goauthentik/server:2026.2.1
# restart: unless-stopped
# depends_on:
# - proxy
# - db2
# - redis2
# - op2_worker
# command: "server"
# environment:
# AUTHENTIK_REDIS__HOST: redis2
# AUTHENTIK_POSTGRESQL__HOST: db2
# AUTHENTIK_POSTGRESQL__NAME: authentik
# AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/db2_username
# AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/db2_password
# AUTHENTIK_SECRET_KEY: file:///run/secrets/op2_secret_key
# AUTHENTIK_ERROR_REPORTING__ENABLED: true
# AUTHENTIK_HOST: http://op2.localhost
# AUTHENTIK_INSECURE: true
# # AUTHENTIK_TOKEN: token-generated-by-authentik
# labels:
# - traefik.enable=true
# - traefik.port=9000
# - traefik.http.routers.op2.entrypoints=web # Enable exposure via HTTP entrypoint 'web' and 'websecure'
# - traefik.http.routers.op2.rule=Host(`${OP2_HOST}`) # Specify routing via hostname provided in environment variable 'OP_HOST'
# - traefik.http.routers.op2.priority=1 # Set priority low (traefik.http.routers.ict.priority must be higher)
# - traefik.http.routers.op2.middlewares=op2
# - traefik.http.routers.op2.service=op2
# - traefik.http.services.op2.loadbalancer.server.port=9000
# - traefik.http.middlewares.op2.headers.customResponseHeaders.Access-Control-Allow-Origin=http://localhost:4200
# secrets:
# - db2_username # Use shared Docker Secret 'db_username'
# - db2_password # Use shared Docker Secret 'db_password'
# - op2_secret_key
# volumes:
# - op2_media:/media
# - op2_templates:/templates
# op2_worker:
# image: ghcr.io/goauthentik/server:2026.2.1
# restart: unless-stopped
# depends_on:
# - proxy
# - db2
# - redis2
# command: worker
# environment:
# AUTHENTIK_REDIS__HOST: redis2
# AUTHENTIK_POSTGRESQL__HOST: db2
# AUTHENTIK_POSTGRESQL__NAME: authentik
# AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/db2_username
# AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/db2_password
# AUTHENTIK_SECRET_KEY: file:///run/secrets/op2_secret_key
# AUTHENTIK_ERROR_REPORTING__ENABLED: true
# secrets:
# - db2_username # Use shared Docker Secret 'db_username'
# - db2_password # Use shared Docker Secret 'db_password'
# - op2_secret_key
# volumes:
# - /var/run/docker.sock:/var/run/docker.sock
# - ./.secrets/certs:/certs
# - op2_media:/media
# - op2_templates:/templates
# # ICT endpoint for WSO2 (this Go application):
# ict2:
# # # For testing:
# # image: jonasprimbs/oidc-e2ea-server:latest # Use latest image from Docker Hub
# # For development:
# build:
# context: ./ # Use this repository directory as context
# dockerfile: Dockerfile # Use 'Dockerfile' from context directory
# # For both:
# restart: unless-stopped # Restore last on/off state after restart
# depends_on:
# - proxy # ICT endpoint requires running reverse proxy
# - op2 # ICT endpoint requires running Op4enID Provider
# labels:
# - traefik.enable=true # Enable Traefik reverse proxy exposure
# - traefik.http.routers.ict2.entrypoints=web # Enable exposure via HTTP entrypoint 'web'
# - >- # Specify routing via hostname provided in environment variable 'OP_HOST' and append it to userinfo endpoint
# traefik.http.routers.ict2.rule=(Host(`${OP2_HOST}`) &&
# PathPrefix(`/application/o/userinfo/ict`))
# - traefik.http.routers.ict2.priority=2 # Set priority high (traefik.http.routers.op.priority must be lower)
# - traefik.http.routers.ict2.middlewares=ict2@docker # Include 'ict' middleware from Docker labels below
# - >- # Remove .../userinfo/ict path from request
# traefik.http.middlewares.ict2.replacepathregex.regex=^/application/o/userinfo/ict(.*)
# - >- # Forward only path after .../userinfo/ict (marked with '(.*)') in request to ICT endpoint
# traefik.http.middlewares.ict2.replacepathregex.replacement=$$1
# environment:
# KEY_FILE: /run/secrets/op2_private_key # Set private key file to Docker Secret 'op_private_key'
# ALG: RS256 # Configure RSA with SHA256 (RS256) as signature algorithm for ID Assertion Tokens
# USERINFO: http://op2:9000/application/o/userinfo/ # Configure userinfo endpoint ('op' is the Docker-internal hostname of OpenID Provider service)
# TOKEN_INTROSPECTION: http://op2:9000/application/o/introspect/
# TOKEN_INTROSPECTION_HOST: op2:9000
# INTROSPECTION_CREDENTIALS: ${ICT_CREDENTIALS2} # HTTP Basic Authentication Client Credentials of ICT Endpoint
# CONTEXT_PREFIX: e2e_auth_
# ISSUER: http://${OP2_HOST}/application/o/ict-benchmark/ # Configure issuer of issued ID Assertion Tokens
# DEFAULT_TOKEN_PERIOD: 3600 # Configure the default lifetime of issued ID Assertion Tokens in seconds (3600s = 1h)
# MAX_TOKEN_PERIOD: 2592000 # Configure the maximum lifetime of issued ID Assertion Tokens in seconds (2592000s = 30d)
# PORT: 8080 # Configure the internal port on which the ICT endpoint is listening
# env_file:
# - ./.secrets/ict2.env # Include secrets from generated environment variables
# secrets:
# - op2_private_key # Use shared Docker Secret 'op_private_key'
# Shared Docker Volumes:
volumes:
userdb: # Specify shared volume 'userdb'
userdb2:
redis2:
op2_media:
op2_templates:
# Shared Docker Secrets:
secrets:
db_username: # Specify shared Docker Secret 'db_username'
file: ./.secrets/db_username.txt # Use generated database username
db_password: # Specify shared Docker Secret 'db_password'
file: ./.secrets/db_password.txt # Use generated database password
op_private_key: # Specify shared Docker Secret 'op_private_key'
file: ./.secrets/private.pem # Use generated private key
# db2_username: # Specify shared Docker Secret 'db_username'
# file: ./.secrets/db2_username.txt # Use generated database username
# db2_password: # Specify shared Docker Secret 'db_password'
# file: ./.secrets/db2_password.txt # Use generated database password
# op2_secret_key:
# file: ./.secrets/op2_secret_key.txt
# op2_private_key:
# file: ./.secrets/private2.pem
networks:
proxy:
driver: bridge
name: oidc2_proxy