-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathdocker-compose.yml
111 lines (106 loc) · 4.18 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
name: hexa-policy-opa
services:
# hexa-opaBundle-server is an HTTP Bundle endpoint that can be used by Hexa-Orchestrator or Hexa CLI to configure policy to be delivered to OPA Servers.
hexa-opaBundle-server:
image: hexaopa
container_name: hexa-bundle-server
ports:
- "8889:8889"
command: /app/hexaBundleServer
networks:
- hexa_network
environment:
PORT: 8889
HEXA_TKN_DIRECTORY: "/home/certs"
HEXA_CERT_DIRECTORY: "/home/certs"
HEXA_TLS_ENABLED: true
HEXA_SERVER_CERT: "/home/certs/hexa-bundle-server-cert.pem"
HEXA_SERVER_KEY_PATH: "/home/certs/hexa-bundle-server-key.pem"
HEXA_SERVER_DNS_NAME: hexa-bundle-server
BUNDLE_DIR: "/home/resources/bundles"
HEXA_TKN_MODE: "ANON"
volumes:
- "./deployments/hexaBundleServer/resources:/home/resources"
- "./.certs:/home/certs"
# hexa-opa-sidecar is an OPA Server instance extended to support IDQL Filter expressions (run time evaluation)
hexa-opa-sidecar:
image: hexaopa
container_name: hexa-opa-sidecar
ports:
- "8887:8887"
depends_on:
- hexa-opaBundle-server
command: /app/hexaOpa run --server --addr :8887 --tls-cert-file=/home/certs/hexaOpa-cert.pem --tls-private-key-file=/home/certs/hexaOpa-key.pem --log-level debug -c /home/config/config.yaml
networks:
- hexa_network
environment:
# These environment values are referenced in ./deployments/hexaOpaServer/config/config.yaml
HEXA_CONFIG_URL: "https://hexa-bundle-server:8889"
HEXA_CA_CERT: "/home/certs/ca-cert.pem"
HEXA_CERT_DIRECTORY: "/home/certs"
HEXA_SERVER_CERT: "/home/certs/hexaOpa-cert.pem"
HEXA_SERVER_KEY_PATH: "/home/certs/hexaOpa-key.pem"
HEXA_SERVER_DNS_NAME: "hexa-opa-sidecar"
volumes:
- "./deployments/hexaOpaServer/config:/home/config:ro"
- "./deployments/hexaOpaServer/.opa:/app/.opa"
- "./.certs:/home/certs"
# hexa-authzen is a prototype/demonstration PDP intended to implement the OpenID AuthZen Interop Scenario
hexa-authzen:
container_name: hexa-authzen
image: hexaopa
ports:
- "8888:8888"
command: /app/hexaAuthZen
environment:
PORT: 8888
AUTHZEN_BUNDLE_DIR: "/home/authZen/bundles"
AUTHZEN_USERPIP_FILE: "/home/authZen/users.json"
HEXA_TKN_DIRECTORY: "/home/certs"
HEXA_TKN_MODE: "BUNDLE"
HEXA_TKN_ISSUER: "hexa-authzen"
HEXA_TLS_ENABLED: false
HEXA_CERT_DIRECTORY: "/home/certs"
HEXA_SERVER_CERT: "/home/certs/authzen-cert.pem"
HEXA_SERVER_KEY_PATH: "/home/certs/authzen-key.pem"
HEXA_SERVER_DNS_NAME: "hexa-authzen"
volumes:
- "./deployments/authZen:/home/authZen"
- "./.certs:/home/certs"
# demo-app is a demonstration web site that uses the hexa-opa-sidecar to authenticate requests
demo-app:
image: hexaopa
container_name: hexa-industries-demo
hostname: demo.hexa.org
ports:
- "8886:8886"
command: /app/hexaIndustriesDemo
depends_on:
- hexa-opa-sidecar
networks:
- hexa_network
environment:
PORT: 8886
OPA_SERVER_URL: https://hexa-opa-sidecar:8887/v1/data/hexaPolicy
# HEXAOPA_DETAIL enables debug responses in console notes, fails, full, debug
HEXAOPA_DETAIL: "notes"
# HEXA_CA_CERT is used to trust self-signed TLS keys for hexa-opa-sidecar (OPA_SERVER_URL)
HEXA_CA_CERT: "/home/certs/ca-cert.pem"
HEXA_CERT_DIRECTORY: "/home/certs"
HEXA_OIDC_ENABLED: true
HEXA_OIDC_CLIENT_ID: hexaclient
HEXA_OIDC_CLIENT_SECRET: "uuXVzfbqH635Ob0oTON1uboONUqasmTt"
HEXA_OIDC_PROVIDER_URL: "http://keycloak:8080/realms/Hexa-Orchestrator-Realm"
# If TLS enabled, OIDC redirect must be changed to https
HEXA_OIDC_REDIRECT_URL: "http://demo.hexa.org:8886/redirect"
HEXA_TLS_ENABLED: false
# Following only used when HEXA_TLS_ENABLED=true and auto generate keys enabled (default)
HEXA_SERVER_CERT: "/home/certs/server-hexademo-cert.pem"
HEXA_SERVER_KEY_PATH: "/home/certs/server-hexademo-key.pem"
HEXA_SERVER_DNS_NAME: "demo.hexa.org,localhost"
volumes:
- "./.certs:/home/certs"
networks:
hexa_network:
name: hexa_shared_hexa_network
external: true