From 5c73abb3fbe018da8148661bc603a55a24a49c2f Mon Sep 17 00:00:00 2001
From: Bernhard Mallinger <bernhard.mallinger@eox.at>
Date: Tue, 18 Jan 2022 12:40:27 +0100
Subject: [PATCH] Designate new docker-compose as generic one (We could merge it into docker-compose.yml if it works out with dev)
---
...se.ops.yml => docker-compose.instance.yml} | 0
.../templates/docker-compose.staging.yml | 268 ------------------
2 files changed, 268 deletions(-)
rename vs_starter/templates/{docker-compose.ops.yml => docker-compose.instance.yml} (100%)
delete mode 100644 vs_starter/templates/docker-compose.staging.yml
diff --git a/vs_starter/templates/docker-compose.ops.yml b/vs_starter/templates/docker-compose.instance.yml
similarity index 100%
rename from vs_starter/templates/docker-compose.ops.yml
rename to vs_starter/templates/docker-compose.instance.yml
diff --git a/vs_starter/templates/docker-compose.staging.yml b/vs_starter/templates/docker-compose.staging.yml
deleted file mode 100644
index 0c666da..0000000
--- a/vs_starter/templates/docker-compose.staging.yml
+++ /dev/null
@@ -1,268 +0,0 @@
-version: "3.6"
-services:
- database:
- volumes:
- - type: tmpfs
- target: /dev/shm
- tmpfs:
- size: 536870912
- renderer:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:staging
- environment:
- INSTALL_DIR: "/var/www/pvs/ops/"
- INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
- deploy:
- labels:
- # router for shib auth based access (https)
- - "traefik.http.routers.{{slug}}-renderer-shib.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.middlewares.{{slug}}-renderer-shib-fa.forwardauth.address=http://shibauth-{{slug}}/secure"
- - "traefik.http.routers.{{slug}}-renderer-shib.middlewares={{slug}}-renderer-shib-fa,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-renderer-shib.tls=true"
- - "traefik.http.routers.{{slug}}-renderer-shib.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-renderer-shib.entrypoints=https"
- # router for shib auth based access (http)
- - "traefik.http.routers.{{slug}}-renderer-redirect-shib.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.{{slug}}-renderer-redirect-shib.middlewares=redirect@file"
- - "traefik.http.routers.{{slug}}-renderer-redirect-shib.entrypoints=http"
- # router for internal proxy based access with checking header (https)
- - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
- - "traefik.http.middlewares.{{slug}}-renderer-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-renderer"
- - "traefik.http.routers.{{slug}}-renderer-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
- - "traefik.http.routers.{{slug}}-renderer-proxy.middlewares={{slug}}-pass-wl,{{slug}}-renderer-proxy-fa,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-renderer-proxy.tls=true"
- - "traefik.http.routers.{{slug}}-renderer-proxy.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-renderer-proxy.entrypoints=https"
- # router for internal proxy based access with checking header (http)
- - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
- - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.entrypoints=http"
- # router for internal proxy based access without checking header (https)
- - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
- - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.middlewares={{slug}}-pass-wl-noheader,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.tls=true"
- - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.entrypoints=https"
- # router for internal proxy based access without checking header (http)
- - "traefik.http.routers.{{slug}}-renderer-redirect-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.{{slug}}-renderer-redirect-proxy-noheader.middlewares={{slug}}-pass-wl-noheader,redirect@file"
- - "traefik.http.routers.{{slug}}-renderer-redirect-proxy-noheader.entrypoints=http"
- # router for basic auth based access (https)
- - "traefik.http.routers.{{slug}}-renderer.rule=Host(`{{slug}}.pass.copernicus.eu`, `{{slug}}.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.{{slug}}-renderer.middlewares=auth@file,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-renderer.tls=true"
- - "traefik.http.routers.{{slug}}-renderer.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-renderer.entrypoints=https"
- # router for basic auth based access (http)
- - "traefik.http.routers.{{slug}}-renderer-redirect.rule=Host(`{{slug}}.pass.copernicus.eu`, `{{slug}}.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.{{slug}}-renderer-redirect.middlewares=redirect@file"
- - "traefik.http.routers.{{slug}}-renderer-redirect.entrypoints=http"
- # general
- - "traefik.http.services.{{slug}}-renderer.loadbalancer.sticky=false"
- - "traefik.http.services.{{slug}}-renderer.loadbalancer.server.port=80"
- - "traefik.docker.network={{slug}}-extnet"
- - "traefik.docker.lbswarm=true"
- - "traefik.enable=true"
- resources:
- limits:
- memory: 8G
- networks:
- - extnet
- cache:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:staging
- configs:
- - source: mapcache-ops
- target: /mapcache-template.xml
- deploy:
- labels:
- - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
- # router for shib auth based access (https)
- - "traefik.http.routers.{{slug}}-cache-shib.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- - "traefik.http.middlewares.{{slug}}-cache-shib-fa.forwardauth.address=http://shibauth-{{slug}}/secure"
- - "traefik.http.middlewares.{{slug}}-cache-shib-chain.chain.middlewares={{slug}}-cache-shib-fa,cache-stripprefix,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-cache-shib.middlewares={{slug}}-cache-shib-chain"
- - "traefik.http.routers.{{slug}}-cache-shib.tls=true"
- - "traefik.http.routers.{{slug}}-cache-shib.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-cache-shib.entrypoints=https"
- # router for shib auth based access (http)
- - "traefik.http.routers.{{slug}}-cache-redirect-shib.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- - "traefik.http.routers.{{slug}}-cache-redirect-shib.middlewares=redirect@file"
- - "traefik.http.routers.{{slug}}-cache-redirect-shib.entrypoints=http"
- # router for internal proxy based access with checking header (https)
- - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
- - "traefik.http.routers.{{slug}}-cache-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
- - "traefik.http.middlewares.{{slug}}-cache-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-cache"
- - "traefik.http.routers.{{slug}}-cache-proxy.middlewares={{slug}}-cache-proxy-chain"
- - "traefik.http.middlewares.{{slug}}-cache-proxy-chain.chain.middlewares={{slug}}-pass-wl,{{slug}}-cache-proxy-fa,cache-stripprefix,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-cache-proxy.tls=true"
- - "traefik.http.routers.{{slug}}-cache-proxy.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-cache-proxy.entrypoints=https"
- # router for internal proxy based access with checking header (http)
- - "traefik.http.routers.{{slug}}-cache-redirect-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- - "traefik.http.routers.{{slug}}-cache-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
- - "traefik.http.routers.{{slug}}-cache-redirect-proxy.entrypoints=http"
- # router for internal proxy based access without checking header (https)
- - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
- - "traefik.http.routers.{{slug}}-cache-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- - "traefik.http.routers.{{slug}}-cache-proxy-noheader.middlewares={{slug}}-cache-proxy-chain-noheader"
- - "traefik.http.middlewares.{{slug}}-cache-proxy-chain-noheader.chain.middlewares={{slug}}-pass-wl-noheader,cache-stripprefix,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-cache-proxy-noheader.tls=true"
- - "traefik.http.routers.{{slug}}-cache-proxy-noheader.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-cache-proxy-noheader.entrypoints=https"
- # router for internal proxy based access without checking header (http)
- - "traefik.http.routers.{{slug}}-cache-redirect-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
- - "traefik.http.routers.{{slug}}-cache-redirect-proxy-noheader.middlewares={{slug}}-pass-wl-noheader,redirect@file"
- - "traefik.http.routers.{{slug}}-cache-redirect-proxy-noheader.entrypoints=http"
- # router for basic auth based access (https)
- - "traefik.http.routers.{{slug}}-cache.rule=Host(`{{slug}}.pass.copernicus.eu`, `{{slug}}.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
- - "traefik.http.routers.{{slug}}-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-cache.tls=true"
- - "traefik.http.routers.{{slug}}-cache.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-cache.entrypoints=https"
- # router for basic auth based access (http)
- - "traefik.http.routers.{{slug}}-cache-redirect.rule=Host(`{{slug}}.pass.copernicus.eu`, `{{slug}}.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
- - "traefik.http.routers.{{slug}}-cache-redirect.middlewares=redirect@file"
- - "traefik.http.routers.{{slug}}-cache-redirect.entrypoints=http"
- # general
- - "traefik.http.services.{{slug}}-cache.loadbalancer.sticky=false"
- - "traefik.http.services.{{slug}}-cache.loadbalancer.server.port=80"
- - "traefik.docker.network={{slug}}-extnet"
- - "traefik.docker.lbswarm=true"
- - "traefik.enable=true"
- resources:
- limits:
- memory: 8G
- networks:
- - extnet
- registrar:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:staging
- environment:
- INSTALL_DIR: "/var/www/pvs/ops/"
- INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
- UPLOAD_CONTAINER: "{{slug}}-data-staging"
- ingestor:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:staging
- environment:
- REDIS_PREPROCESS_MD_QUEUE_KEY: "preprocess_queue"
- sftp:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_sftp:staging
- configs:
- - source: sftp_ssh_host_rsa_key
- target: /etc/ssh/ssh_host_rsa_key
- mode: 0600
- - source: sftp_ssh_host_ed25519_key
- target: /etc/ssh/ssh_host_ed25519_key
- mode: 0600
- client:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:staging
- configs:
- - source: client-ops
- target: /usr/share/nginx/html/index.html
- deploy:
- labels:
- # router for shib auth based access (https)
- - "traefik.http.routers.{{slug}}-client-shib.rule=Host(`sso.{{slug}}.pass.copernicus.eu`)"
- - "traefik.http.middlewares.{{slug}}-client-shib-fa.forwardauth.address=http://shibauth-{{slug}}/secure"
- - "traefik.http.routers.{{slug}}-client-shib.middlewares={{slug}}-client-shib-fa,compress@file"
- - "traefik.http.routers.{{slug}}-client-shib.tls=true"
- - "traefik.http.routers.{{slug}}-client-shib.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-client-shib.entrypoints=https"
- # router for shib auth based access (http)
- - "traefik.http.routers.{{slug}}-client-redirect-shib.rule=Host(`sso.{{slug}}.pass.copernicus.eu`)"
- - "traefik.http.routers.{{slug}}-client-redirect-shib.middlewares=redirect@file"
- - "traefik.http.routers.{{slug}}-client-redirect-shib.entrypoints=http"
- # router for basic auth based access (https)
- - "traefik.http.routers.{{slug}}-client.rule=Host(`{{slug}}.pass.copernicus.eu`, `{{slug}}.pdas.prism.eox.at`)"
- - "traefik.http.routers.{{slug}}-client.middlewares=auth@file,compress@file"
- - "traefik.http.routers.{{slug}}-client.tls=true"
- - "traefik.http.routers.{{slug}}-client.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-client.entrypoints=https"
- # router for basic auth based access (http)
- - "traefik.http.routers.{{slug}}-client-redirect.rule=Host(`{{slug}}.pass.copernicus.eu`, `{{slug}}.pdas.prism.eox.at`)"
- - "traefik.http.routers.{{slug}}-client-redirect.middlewares=redirect@file"
- - "traefik.http.routers.{{slug}}-client-redirect.entrypoints=http"
- # general
- - "traefik.http.services.{{slug}}-client.loadbalancer.sticky=false"
- - "traefik.http.services.{{slug}}-client.loadbalancer.server.port=80"
- - "traefik.docker.network={{slug}}-extnet"
- - "traefik.docker.lbswarm=true"
- - "traefik.enable=true"
- networks:
- - extnet
- preprocessor:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:staging
- volumes:
- - type: bind
- source: /var/vhr
- target: /tmp
- environment:
- UPLOAD_CONTAINER: "{{slug}}-data-staging"
- shibauth-{{slug}}:
- image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth:staging
- environment:
- APACHE_SERVERNAME: "https://sso.{{slug}}.pass.copernicus.eu:443"
- USER_CATEGORY_ALLOW_RENDERER: "{{shibauth_renderer}}"
- USER_CATEGORY_ALLOW_CACHE: "{{shibauth_cache}}"
- SPEntityID: "https://{{slug}}.pass.copernicus.eu/shibboleth"
- IDPEntityID: "https://umssoidp.cdsv3.eu:443/shibboleth"
- secrets:
- - source: EMG_SHIB_CERT
- target: SHIB_CERT
- - source: EMG_SHIB_KEY
- target: SHIB_KEY
- deploy:
- replicas: 1
- labels:
- # router for basic auth based access (https)
- - "traefik.http.routers.{{slug}}-shibauth.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/Shibboleth.sso`)"
- - "traefik.http.routers.{{slug}}-shibauth.middlewares=compress@file,cors@file"
- - "traefik.http.routers.{{slug}}-shibauth.tls=true"
- - "traefik.http.routers.{{slug}}-shibauth.tls.certresolver=default"
- - "traefik.http.routers.{{slug}}-shibauth.entrypoints=https"
- # router for basic auth based access (http)
- - "traefik.http.routers.{{slug}}-shibauth-redirect.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/Shibboleth.sso`)"
- - "traefik.http.routers.{{slug}}-shibauth-redirect.middlewares=redirect@file"
- - "traefik.http.routers.{{slug}}-shibauth-redirect.entrypoints=http"
- # general
- - "traefik.http.services.{{slug}}-shibauth.loadbalancer.sticky=false"
- - "traefik.http.services.{{slug}}-shibauth.loadbalancer.server.port=80"
- - "traefik.docker.network={{slug}}-extnet"
- - "traefik.docker.lbswarm=true"
- - "traefik.enable=true"
- networks:
- - extnet
- configs:
- - source: shib-apache
- target: /etc/httpd/conf.d/shib.conf
- - source: shib-attribute-map
- target: /etc/shibboleth/attribute-map.xml
- - source: idp-metadata
- target: /etc/shibboleth/idp-metadata.xml
- - source: shibd-logger
- target: /etc/shibboleth/shibd.logger
- - source: native-logger
- target: /etc/shibboleth/native.logger
-networks:
- extnet:
- name: {{slug}}-extnet
- external: true
-configs:
- shib-apache:
- file: ./config/shibboleth/shib-apache.conf
- shib-attribute-map:
- file: ./config/shibboleth/attribute-map.xml
- native-logger:
- file: ./config/shibboleth/native.logger
- shibd-logger:
- file: ./config/shibboleth/shibd.logger
- idp-metadata:
- external: true
- sftp_ssh_host_rsa_key:
- external: true
- sftp_ssh_host_ed25519_key:
- external: true
-secrets:
- EMG_SHIB_CERT:
- external: true
- EMG_SHIB_KEY:
- external: true
-- GitLab