-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-compose.yaml
132 lines (126 loc) · 4.05 KB
/
docker-compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: more-auth
services:
keycloak:
image: ghcr.io/more-platform/auth-keycloak:latest
depends_on:
database:
condition: service_healthy
healthcheck:
test: [ "CMD-SHELL", "curl -sf http://localhost:8080/health/ready" ]
interval: 10s
timeout: 1s
retries: 3
start_period: 15s
deploy:
replicas: 2
update_config:
parallelism: 1
delay: 15s
order: stop-first
labels:
'com.centurylinklabs.watchtower.enable': "true"
'traefik.enable': "true"
'traefik.http.routers.keycloak.rule': "Host(`auth.more.redlink.io`)"
'traefik.http.routers.keycloak.entrypoints': "ssl"
'traefik.http.routers.keycloak.tls.certResolver': 'le'
environment:
KC_HOSTNAME: 'auth.more.redlink.io'
KC_DB_URL_HOST: 'database'
KC_DB_URL_DATABASE: 'keycloak'
KC_DB_USERNAME: '${DB_USERNAME:-keycloak}'
KC_DB_PASSWORD: '${DB_PASSWORD:-secretPassword123}'
# SSL is handled by ingress
KC_PROXY: 'edge'
KC_HOSTNAME_STRICT: 'true'
KC_HOSTNAME_STRICT_BACKCHANNEL: 'true'
# Initial Admin User/Password (will be changed on first login)
KEYCLOAK_ADMIN: 'kc-admin'
KEYCLOAK_ADMIN_PASSWORD: 'kc-admin'
logging: &logging
options:
max-size: "10M"
max-file: "5"
compress: "true"
database:
image: postgres:15-alpine
restart: always
healthcheck:
test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
interval: 10s
timeout: 1s
retries: 5
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD:-secretPassword123}
POSTGRES_USER: ${DB_USERNAME:-keycloak}
POSTGRES_DB: keycloak
volumes:
- type: volume
source: postgres-data
target: /var/lib/postgresql/data
logging: *logging
ingress:
image: traefik:v2.8
restart: always
healthcheck:
test: ["CMD-SHELL", "wget -q --spider http://localhost$${TRAEFIK_ENTRYPOINTS_TRAEFIK_ADDRESS:-:8080}/ping || exit 1"]
timeout: 2s
interval: 15s
retries: 3
environment:
TRAEFIK_PING: "true"
# docker-config
TRAEFIK_PROVIDERS_DOCKER: "true"
TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: "false"
# http
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
# https
TRAEFIK_ENTRYPOINTS_SSL_ADDRESS: ":443"
TRAEFIK_ENTRYPOINTS_SSL_HTTP_TLS: "true"
# let's-encrypt config
TRAEFIK_CERTIFICATESRESOLVERS_LE_ACME_EMAIL: "${LE_MAIL-infra@redlink.io}"
TRAEFIK_CERTIFICATESRESOLVERS_LE_ACME_HTTPCHALLENGE_ENTRYPOINT: "web"
TRAEFIK_CERTIFICATESRESOLVERS_LE_ACME_STORAGE: "/etc/traefik/acme/acme${ENV_SUFFIX--test}.json"
ports:
- "80:80"
- "443:443"
labels:
'com.centurylinklabs.watchtower.enable': "true"
'traefik.enable': "true"
'traefik.http.routers.redirect-to-ssl.priority': "1"
'traefik.http.routers.redirect-to-ssl.rule': "PathPrefix(`/`)"
'traefik.http.routers.redirect-to-ssl.service': "noop@internal"
'traefik.http.routers.redirect-to-ssl.entrypoints': "web"
'traefik.http.routers.redirect-to-ssl.middlewares': "redirect-to-ssl"
'traefik.http.middlewares.redirect-to-ssl.redirectscheme.scheme': "https"
volumes:
- type: bind
source: /var/run/docker.sock
target: /var/run/docker.sock
read_only: true
- type: volume
source: letsencrypt
target: /etc/traefik/acme
logging: *logging
watchtower:
image: containrrr/watchtower
restart: always
labels:
'com.centurylinklabs.watchtower.enable': "true"
environment:
WATCHTOWER_LABEL_ENABLE: "true"
WATCHTOWER_CLEANUP: "true"
WATCHTOWER_POLL_INTERVAL: "30"
WATCHTOWER_NO_STARTUP_MESSAGE: "true"
WATCHTOWER_ROLLING_RESTART: "true"
volumes:
- type: bind
source: /var/run/docker.sock
target: /var/run/docker.sock
- type: bind
source: /root/.docker/config.json
target: /config.json
read_only: true
logging: *logging
volumes:
postgres-data:
letsencrypt: