Unify docker-compose.ops.yaml and docker-compose.staging.yaml

fb02432e · Bernhard Mallinger · 85e83342 · fb02432e
Commit fb02432e authored 3 years ago by Bernhard Mallinger
--- a/vs_starter/templates/docker-compose.ops.yml
+++ b/vs_starter/templates/docker-compose.ops.yml
@@ -26,7 +26,11 @@ services:
        - "traefik.http.routers.{{slug}}-renderer-redirect-shib.middlewares=redirect@file"
        - "traefik.http.routers.{{slug}}-renderer-redirect-shib.entrypoints=http"
        # router for internal proxy based access with checking header (https)
+{%- if environment == "ops" %}
        - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=172.30.78.20"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
+{%- endif %}
        - "traefik.http.middlewares.{{slug}}-renderer-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-renderer"
        - "traefik.http.routers.{{slug}}-renderer-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
        - "traefik.http.routers.{{slug}}-renderer-proxy.middlewares={{slug}}-pass-wl,{{slug}}-renderer-proxy-fa,compress@file,cors@file"
@@ -38,7 +42,11 @@ services:
        - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
        - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.entrypoints=http"
        # router for internal proxy based access without checking header (https)
+{%- if environment == "ops" %}
        - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,10.30.72.35"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
+{%- endif %}
        - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.middlewares={{slug}}-pass-wl-noheader,compress@file,cors@file"
        - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.tls=true"
@@ -64,13 +72,17 @@ services:
        - "traefik.docker.network={{slug}}-extnet"
        - "traefik.docker.lbswarm=true"
        - "traefik.enable=true"
+{%- if environment == "ops" %}
      replicas: 3
+{%- endif %}
      resources:
        limits:
          memory: 8G
+{%- if environment == "ops" %}
      placement:
        constraints:
          - node.labels.type == external
+{%- endif %}
    networks:
      - extnet
  cache:
@@ -94,7 +106,11 @@ services:
        - "traefik.http.routers.{{slug}}-cache-redirect-shib.middlewares=redirect@file"
        - "traefik.http.routers.{{slug}}-cache-redirect-shib.entrypoints=http"
        # router for internal proxy based access with checking header (https)
+{%- if environment == "ops" %}
        - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=172.30.78.20"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
+{%- endif %}
        - "traefik.http.routers.{{slug}}-cache-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
        - "traefik.http.middlewares.{{slug}}-cache-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-cache"
        - "traefik.http.routers.{{slug}}-cache-proxy.middlewares={{slug}}-cache-proxy-chain"
@@ -107,7 +123,11 @@ services:
        - "traefik.http.routers.{{slug}}-cache-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
        - "traefik.http.routers.{{slug}}-cache-redirect-proxy.entrypoints=http"
        # router for internal proxy based access without checking header (https)
+{%- if environment == "ops" %}
        - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,10.30.72.35"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
+{%- endif %}
        - "traefik.http.routers.{{slug}}-cache-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
        - "traefik.http.routers.{{slug}}-cache-proxy-noheader.middlewares={{slug}}-cache-proxy-chain-noheader"
        - "traefik.http.middlewares.{{slug}}-cache-proxy-chain-noheader.chain.middlewares={{slug}}-pass-wl-noheader,cache-stripprefix,compress@file,cors@file"
@@ -134,13 +154,17 @@ services:
        - "traefik.docker.network={{slug}}-extnet"
        - "traefik.docker.lbswarm=true"
        - "traefik.enable=true"
+{%- if environment == "ops" %}
      replicas: 3
+{%- endif %}
      resources:
        limits:
          memory: 8G
+{%- if environment == "ops" %}
      placement:
        constraints:
          - node.labels.type == external
+{%- endif %}
    networks:
      - extnet
  registrar:
@@ -148,23 +172,34 @@ services:
    environment:
      INSTALL_DIR: "/var/www/pvs/ops/"
      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
+{%- if environment == "staging" %}
+      UPLOAD_CONTAINER: "{{slug}}-data-staging"
+{%- endif %}
+{%- if environment == "ops" %}
    deploy:
      replicas: 1
      placement:
        constraints: [node.role == manager]
+{%- endif %}
  ingestor:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor{{release_version}} # bumpversion
    environment:
      REDIS_PREPROCESS_MD_QUEUE_KEY: "preprocess_queue"
+{%- if environment == "ops" %}
      INOTIFY_MASKS: "IN_MOVED_TO"
+{%- endif %}
+{%- if environment == "ops" %}
    deploy:
      placement:
        constraints: [node.role == manager]
+{%- endif %}
  sftp:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_sftp{{release_version}} # bumpversion
+{%- if environment == "ops" %}
    deploy:
      placement:
        constraints: [node.role == manager]
+{%- endif %}
    configs:
      - source: sftp_ssh_host_rsa_key
        target: /etc/ssh/ssh_host_rsa_key
@@ -206,9 +241,11 @@ services:
        - "traefik.docker.network={{slug}}-extnet"
        - "traefik.docker.lbswarm=true"
        - "traefik.enable=true"
+{%- if environment == "ops" %}
      placement:
        constraints:
          - node.labels.type == external
+{%- endif %}
    networks:
      - extnet
  preprocessor:
@@ -217,11 +254,17 @@ services:
      - type: bind
        source: /var/vhr
        target: /tmp
+{%- if environment == "staging" %}
+    environment:
+      UPLOAD_CONTAINER: "{{slug}}-data-staging"
+{%- endif %}
+{%- if environment == "ops" %}
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.type == internal
+{%- endif %}
  shibauth-{{slug}}:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth{{release_version}} # bumpversion
    environment:
@@ -229,7 +272,11 @@ services:
      USER_CATEGORY_ALLOW_RENDERER: "{{shibauth_renderer}}"
      USER_CATEGORY_ALLOW_CACHE: "{{shibauth_cache}}"
      SPEntityID: "https://{{slug}}.pass.copernicus.eu/shibboleth"
+{%- if environment == "ops" %}
      IDPEntityID: "https://ssoidp.copernicus.eu:443/shibboleth"
+{%- else %}
+      IDPEntityID: "https://umssoidp.cdsv3.eu:443/shibboleth"
+{%- endif %}
    secrets:
      - source: EMG_SHIB_CERT
        target: SHIB_CERT
@@ -237,8 +284,10 @@ services:
        target: SHIB_KEY
    deploy:
      replicas: 1
+{%- if environment == "ops" %}
      placement:
        constraints: [node.role == manager]
+{%- endif %}
      labels:
        # router for basic auth based access (https)
        - "traefik.http.routers.{{slug}}-shibauth.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/Shibboleth.sso`)"