diff --git a/vs_starter/templates/docker-compose.ops.yml b/vs_starter/templates/docker-compose.ops.yml
index dcc13b90a553a087b562aaf0c647bdcffb1cb94b..9a6c3b74536a4c216e8426a8642d3afe9444fce1 100644
--- a/vs_starter/templates/docker-compose.ops.yml
+++ b/vs_starter/templates/docker-compose.ops.yml
@@ -26,7 +26,11 @@ services:
 - "traefik.http.routers.{{slug}}-renderer-redirect-shib.middlewares=redirect@file"
 - "traefik.http.routers.{{slug}}-renderer-redirect-shib.entrypoints=http"
 # router for internal proxy based access with checking header (https)
+{%- if environment == "ops" %}
 - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=172.30.78.20"
+{%- else %}
+ - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
+{%- endif %}
 - "traefik.http.middlewares.{{slug}}-renderer-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-renderer"
 - "traefik.http.routers.{{slug}}-renderer-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
 - "traefik.http.routers.{{slug}}-renderer-proxy.middlewares={{slug}}-pass-wl,{{slug}}-renderer-proxy-fa,compress@file,cors@file"
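Review bot: The new `{%- else %}` branch renders the public addresses 178.248.89.10 and 178.248.89.19 into `{{slug}}-pass-wl` for every `environment` value that is not exactly `ops`, so a typo, an unset variable or a future environment silently gets the staging allow-list in front of `proxy.{{slug}}.pass.copernicus.eu`. The registrar hunk further down in this diff already tests `environment == "staging"` explicitly, and the same should be done here: `{%- elif environment == "staging" %}` with no trailing `else`, so an unrecognised value emits no `sourcerange` label and Traefik should refuse the routers that reference the then-undefined middleware instead of applying the wider list. A one-line comment above the guard, `# allow-list for the internal proxy: ops admits only the internal address, staging two public ones`, would make the difference reviewable without diffing the two branches.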
@@ -38,7 +42,11 @@ services:
 - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
 - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.entrypoints=http"
 # router for internal proxy based access without checking header (https)
+{%- if environment == "ops" %}
 - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,10.30.72.35"
+{%- else %}
+ - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
+{%- endif %}
 - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
 - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.middlewares={{slug}}-pass-wl-noheader,compress@file,cors@file"
 - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.tls=true"
@@ -64,13 +72,17 @@ services:
 - "traefik.docker.network={{slug}}-extnet"
 - "traefik.docker.lbswarm=true"
 - "traefik.enable=true"
+{%- if environment == "ops" %}
 replicas: 3
+{%- endif %}
 resources:
 limits:
 memory: 8G
+{%- if environment == "ops" %}
 placement:
 constraints:
 - node.labels.type == external
+{%- endif %}
 networks:
 - extnet
 cache:
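Review bot: The `-noheader` router in the first hunk has no forwardauth middleware, so outside ops the `{{slug}}-pass-wl-noheader` allow-list, which now contains the public addresses 178.248.89.10 and 178.248.89.19, is the only access control on `/ows`, `/opensearch` and `/admin` of `proxy.{{slug}}.pass.copernicus.eu`. Traefik's ipwhitelist matches the connection's remote address unless an `ipstrategy` is configured, and with `traefik.docker.lbswarm=true` the address Traefik sees may be a swarm ingress or upstream proxy hop rather than the client, which would make the list either never match or admit everything arriving through that hop; confirm the strategy in use for the staging entrypoints before relying on it with public sources. I would also record the dependency next to the label: `# no forwardauth on the -noheader router: this ipwhitelist is the sole access control, keep it minimal`.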
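Review bot: In the second hunk two separate `{%- if environment == "ops" %}` guards wrap `replicas: 3` and `placement:` inside the same `deploy:` mapping, split only by the unconditional `resources:` block. Putting `resources:` first lets a single guard cover both ops-only keys, which is less to keep aligned with the identical block repeated for the cache service further down; key order in a Compose mapping carries no meaning, so the move is behaviour-neutral.

```yaml
      resources:
        limits:
          memory: 8G
{%- if environment == "ops" %}
      replicas: 3
      placement:
        constraints:
          - node.labels.type == external
{%- endif %}
```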
@@ -94,7 +106,11 @@ services:
 - "traefik.http.routers.{{slug}}-cache-redirect-shib.middlewares=redirect@file"
 - "traefik.http.routers.{{slug}}-cache-redirect-shib.entrypoints=http"
 # router for internal proxy based access with checking header (https)
+{%- if environment == "ops" %}
 - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=172.30.78.20"
+{%- else %}
+ - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
+{%- endif %}
 - "traefik.http.routers.{{slug}}-cache-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
 - "traefik.http.middlewares.{{slug}}-cache-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-cache"
 - "traefik.http.routers.{{slug}}-cache-proxy.middlewares={{slug}}-cache-proxy-chain"
@@ -107,7 +123,11 @@ services:
 - "traefik.http.routers.{{slug}}-cache-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
 - "traefik.http.routers.{{slug}}-cache-redirect-proxy.entrypoints=http"
 # router for internal proxy based access without checking header (https)
+{%- if environment == "ops" %}
 - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,10.30.72.35"
+{%- else %}
+ - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
+{%- endif %}
 - "traefik.http.routers.{{slug}}-cache-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
 - "traefik.http.routers.{{slug}}-cache-proxy-noheader.middlewares={{slug}}-cache-proxy-chain-noheader"
 - "traefik.http.middlewares.{{slug}}-cache-proxy-chain-noheader.chain.middlewares={{slug}}-pass-wl-noheader,cache-stripprefix,compress@file,cors@file"
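Review bot: The `{{slug}}-pass-wl` and `{{slug}}-pass-wl-noheader` middlewares already declared on the renderer service are re-declared in these two hunks on the cache service with a copy of the same conditional and the same four address lists; as far as I know Traefik's Docker provider does not merge differing definitions of a same-named middleware, so a later edit that reaches only one copy either changes the access list for both services or loses the middleware entirely. Hoist each list into a template variable once, e.g. `{% set pass_wl = "172.30.78.20" if environment == "ops" else "178.248.89.10,178.248.89.19" %}` at the top of the file and `...ipwhitelist.sourcerange={{ pass_wl }}` in both declarations (likewise for the `-noheader` list), so an allow-list change is a one-line diff that cannot leave the two services out of step. The cache service definition starts before these hunks.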
@@ -134,13 +154,17 @@ services:
 - "traefik.docker.network={{slug}}-extnet"
 - "traefik.docker.lbswarm=true"
 - "traefik.enable=true"
+{%- if environment == "ops" %}
 replicas: 3
+{%- endif %}
 resources:
 limits:
 memory: 8G
+{%- if environment == "ops" %}
 placement:
 constraints:
 - node.labels.type == external
+{%- endif %}
 networks:
 - extnet
 registrar:
@@ -148,23 +172,34 @@ services:
 environment:
 INSTALL_DIR: "/var/www/pvs/ops/"
 INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
+{%- if environment == "staging" %}
+ UPLOAD_CONTAINER: "{{slug}}-data-staging"
+{%- endif %}
+{%- if environment == "ops" %}
 deploy:
 replicas: 1
 placement:
 constraints: [node.role == manager]
+{%- endif %}
 ingestor:
 image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor{{release_version}} # bumpversion
 environment:
 REDIS_PREPROCESS_MD_QUEUE_KEY: "preprocess_queue"
+{%- if environment == "ops" %}
 INOTIFY_MASKS: "IN_MOVED_TO"
+{%- endif %}
+{%- if environment == "ops" %}
 deploy:
 placement:
 constraints: [node.role == manager]
+{%- endif %}
 sftp:
 image: registry.gitlab.eox.at/esa/prism/vs/pvs_sftp{{release_version}} # bumpversion
+{%- if environment == "ops" %}
 deploy:
 placement:
 constraints: [node.role == manager]
+{%- endif %}
 configs:
 - source: sftp_ssh_host_rsa_key
 target: /etc/ssh/ssh_host_rsa_key
@@ -206,9 +241,11 @@ services:
 - "traefik.docker.network={{slug}}-extnet"
 - "traefik.docker.lbswarm=true"
 - "traefik.enable=true"
+{%- if environment == "ops" %}
 placement:
 constraints:
 - node.labels.type == external
+{%- endif %}
 networks:
 - extnet
 preprocessor:
@@ -217,11 +254,17 @@ services:
 - type: bind
 source: /var/vhr
 target: /tmp
+{%- if environment == "staging" %}
+ environment:
+ UPLOAD_CONTAINER: "{{slug}}-data-staging"
+{%- endif %}
+{%- if environment == "ops" %}
 deploy:
 replicas: 1
 placement:
 constraints:
 - node.labels.type == internal
+{%- endif %}
 shibauth-{{slug}}:
 image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth{{release_version}} # bumpversion
 environment:
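Review bot: In the registrar/ingestor/sftp hunk the non-ops branch drops the `node.role == manager` placement for all three services and the ingestor's `INOTIFY_MASKS`; if the ingestor's inotify watch and the sftp upload directory are host-mounted paths (their volumes are outside this hunk), the ops constraint was also what kept the three services on one node, and staging now leaves that to the scheduler. The hunk mixes an explicit `environment == "staging"` test for `UPLOAD_CONTAINER` with separate `environment == "ops"` guards immediately below it; one `if`/`elif` chain per service would make the two cases visibly exclusive and consistent with the rest of the diff. `UPLOAD_CONTAINER: "{{slug}}-data-staging"` is repeated verbatim in the preprocessor hunk further down, so `{% set upload_container = slug ~ "-data-staging" %}` once at the top would stop the two copies drifting. A comment above the first guard, `# ops: pin the ingest chain to the manager node and set the inotify mask; staging: default scheduler`, would record why these blocks are conditional.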
@@ -229,7 +272,11 @@ services:
 USER_CATEGORY_ALLOW_RENDERER: "{{shibauth_renderer}}"
 USER_CATEGORY_ALLOW_CACHE: "{{shibauth_cache}}"
 SPEntityID: "https://{{slug}}.pass.copernicus.eu/shibboleth"
+{%- if environment == "ops" %}
 IDPEntityID: "https://ssoidp.copernicus.eu:443/shibboleth"
+{%- else %}
+ IDPEntityID: "https://umssoidp.cdsv3.eu:443/shibboleth"
+{%- endif %}
 secrets:
 - source: EMG_SHIB_CERT
 target: SHIB_CERT
@@ -237,8 +284,10 @@ services:
 target: SHIB_KEY
 deploy:
 replicas: 1
+{%- if environment == "ops" %}
 placement:
 constraints: [node.role == manager]
+{%- endif %}
 labels:
 # router for basic auth based access (https)
 - "traefik.http.routers.{{slug}}-shibauth.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/Shibboleth.sso`)"
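Review bot: Only `IDPEntityID` is switched in the first hunk; `SPEntityID` stays `https://{{slug}}.pass.copernicus.eu/shibboleth` and the `SHIB_CERT` secret (source `EMG_SHIB_CERT`) together with `SHIB_KEY` are mounted unconditionally, so a non-ops SP presents the production entity ID and, presumably, the production key pair to `umssoidp.cdsv3.eu`. If that is intended it should be stated in a comment, because the staging IdP then has to trust the production SP certificate and a key exposure on a staging host affects the production federation; if not, the entity ID and the secret sources need the same environment switch as the IdP. As with the allow-lists elsewhere in this diff, `{%- elif environment == "staging" %}` instead of `{%- else %}` stops a mis-set `environment` from binding a production-named SP to the staging IdP. The shibauth service's environment block starts before this hunk.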