Newer
Older
services:
database:
volumes:
- type: tmpfs
target: /dev/shm
tmpfs:
size: 536870912
renderer:
image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.1.0 # bumpversion
INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
# router for shib auth based access (https)
- "traefik.http.routers.emg-renderer-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
- "traefik.http.routers.emg-renderer-shib.tls=true"
- "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
- "traefik.http.routers.emg-renderer-shib.entrypoints=https"
# router for shib auth based access (http)
- "traefik.http.routers.emg-renderer-redirect-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
- "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
# router for referrer based access (https)
- "traefik.http.routers.emg-renderer_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
- "traefik.http.routers.emg-renderer_referer.tls=true"
- "traefik.http.routers.emg-renderer_referer.tls.certresolver=default"
- "traefik.http.routers.emg-renderer_referer.entrypoints=https"
# router for referrer based access (http)
- "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
# router for basic auth based access (https)
- "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
- "traefik.http.routers.emg-renderer.tls=true"
- "traefik.http.routers.emg-renderer.tls.certresolver=default"
- "traefik.http.routers.emg-renderer.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
# general
- "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
- "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
- "traefik.docker.lbswarm=true"
- "traefik.enable=true"
placement:
constraints:
- node.labels.type == external
networks:
- extnet
cache:
image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:release-1.1.0 # bumpversion
configs:
- source: mapcache-ops
target: /mapcache-template.xml
deploy:
labels:
- "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
# router for shib auth based access (https)
- "traefik.http.routers.emg-cache-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- "traefik.http.routers.emg-cache-shib.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.emg-cache-shib.tls=true"
- "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
- "traefik.http.routers.emg-cache-shib.entrypoints=https"
# router for shib auth based access (http)
- "traefik.http.routers.emg-cache-redirect-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- "traefik.http.routers.emg-cache-redirect-shib.middlewares=redirect@file"
- "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
# router for referrer based access (https)
- "traefik.http.routers.emg-cache_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.emg-cache_referer.tls=true"
- "traefik.http.routers.emg-cache_referer.tls.certresolver=default"
- "traefik.http.routers.emg-cache_referer.entrypoints=https"
# router for referrer based access (http)
- "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
- "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
# router for basic auth based access (https)
- "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
- "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
- "traefik.http.routers.emg-cache.tls=true"
- "traefik.http.routers.emg-cache.tls.certresolver=default"
- "traefik.http.routers.emg-cache.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
- "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-cache-redirect.entrypoints=http"
# general
- "traefik.http.services.emg-cache.loadbalancer.sticky=false"
- "traefik.http.services.emg-cache.loadbalancer.server.port=80"
- "traefik.docker.lbswarm=true"
- "traefik.enable=true"
replicas: 3
resources:
limits:
memory: 8G
placement:
constraints:
- node.labels.type == external
networks:
- extnet
registrar:
image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:release-1.1.0 # bumpversion
INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
deploy:
placement:
constraints:
- node.labels.type == internal
image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.1.0 # bumpversion
environment:
REDIS_PREPROCESS_MD_QUEUE_KEY: "preprocess_queue"
deploy:
placement:
constraints: [node.role == manager]
sftp:
image: registry.gitlab.eox.at/esa/prism/vs/pvs_sftp:release-1.1.0 # bumpversion
deploy:
placement:
constraints: [node.role == manager]
image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:release-1.1.0 # bumpversion
configs:
- source: client-ops
target: /usr/share/nginx/html/index.html
deploy:
labels:
# router for shib auth based access (https)
- "traefik.http.routers.emg-client-shib.rule=Host(`emg.pass.copernicus.eu`)"
- "traefik.http.routers.emg-client-shib.middlewares=shibAuthCache@file,compress@file"
- "traefik.http.routers.emg-client-shib.tls=true"
- "traefik.http.routers.emg-client-shib.tls.certresolver=default"
- "traefik.http.routers.emg-client-shib.entrypoints=https"
# router for shib auth based access (http)
- "traefik.http.routers.emg-client-redirect-shib.rule=Host(`emg.pass.copernicus.eu`)"
- "traefik.http.routers.emg-client-redirect-shib.middlewares=redirect@file"
- "traefik.http.routers.emg-client-redirect-shib.entrypoints=http"
# router for basic auth based access (https)
- "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`)"
- "traefik.http.routers.emg-client.middlewares=auth@file,compress@file"
- "traefik.http.routers.emg-client.tls=true"
- "traefik.http.routers.emg-client.tls.certresolver=default"
- "traefik.http.routers.emg-client.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`)"
- "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-client-redirect.entrypoints=http"
# general
- "traefik.http.services.emg-client.loadbalancer.sticky=false"
- "traefik.http.services.emg-client.loadbalancer.server.port=80"
- "traefik.docker.lbswarm=true"
- "traefik.enable=true"
placement:
constraints:
- node.labels.type == external
networks:
- extnet
preprocessor:
image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:release-1.1.0 # bumpversion
volumes:
- type: bind
source: /var/vhr
target: /tmp
deploy:
placement:
constraints:
- node.labels.type == internal
shibauth:
Lubomir Dolezal
committed
image: unicon/shibboleth-sp:3.0.4
environment:
APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
- source: EMG_SHIB_CERT
target: SHIB_CERT
- source: EMG_SHIB_KEY
target: SHIB_KEY
- BASIC_AUTH_USERS_AUTH
deploy:
replicas: 1
placement:
constraints: [node.role == manager]
labels:
# router for basic auth based access (https)
- "traefik.http.routers.emg-shibauth.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
- "traefik.http.routers.emg-shibauth.middlewares=compress@file,cors@file"
- "traefik.http.routers.emg-shibauth.tls=true"
- "traefik.http.routers.emg-shibauth.tls.certresolver=default"
- "traefik.http.routers.emg-shibauth.entrypoints=https"
# router for basic auth based access (http)
- "traefik.http.routers.emg-shibauth-redirect.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
- "traefik.http.routers.emg-shibauth-redirect.middlewares=redirect@file"
- "traefik.http.routers.emg-shibauth-redirect.entrypoints=http"
# general
- "traefik.http.services.emg-shibauth.loadbalancer.sticky=false"
- "traefik.http.services.emg-shibauth.loadbalancer.server.port=80"
- "traefik.docker.network=emg-extnet"
- "traefik.docker.lbswarm=true"
- "traefik.enable=true"
networks:
- source: shib-access-control-conf
target: /etc/shibboleth/pass-ac.xml
- source: shib-access-control-conf-cache
target: /etc/shibboleth/pass-ac-cache.xml
Lubomir Dolezal
committed
- source: shib-shibboleth2
target: /etc/shibboleth/shibboleth2.xml
- source: shib-apache
target: /etc/httpd/conf.d/shib.conf
- source: shib-attribute-map
target: /etc/shibboleth/attribute-map.xml
- source: idp-metadata
target: /etc/shibboleth/idp-metadata.xml
- source: shib-index
target: /var/www/html/secure/index.html
- source: shib-index
target: /var/www/html/secure-cache/index.html
Lubomir Dolezal
committed
- source: shibd-logger
target: /etc/shibboleth/shibd.logger
- source: native-logger
target: /etc/shibboleth/native.logger
networks:
extnet:
name: emg-extnet
external: true
Lubomir Dolezal
committed
shib-access-control-conf:
file: ./config/shibboleth/emg-ac.xml
shib-access-control-conf-cache:
file: ./config/shibboleth/emg-ac-cache.xml
shib-shibboleth2:
file: ./config/shibboleth/emg-shibboleth2.xml
Lubomir Dolezal
committed
shib-apache:
file: ./config/shibboleth/shib-apache.conf
shib-attribute-map:
file: ./config/shibboleth/attribute-map.xml
shib-index:
file: ./config/shibboleth/index.html
native-logger:
file: ./config/shibboleth/native.logger
shibd-logger:
file: ./config/shibboleth/shibd.logger
idp-metadata:
external: true
external: true
external: true
BASIC_AUTH_USERS_AUTH:
external: true