Unify docker-compose.ops.yaml and docker-compose.staging.yaml

vs_starter/templates/docker-compose.ops.yml

@@ -26,7 +26,11 @@ services:
         - "traefik.http.routers.{{slug}}-renderer-redirect-shib.middlewares=redirect@file"
         - "traefik.http.routers.{{slug}}-renderer-redirect-shib.entrypoints=http"
         # router for internal proxy based access with checking header (https)
+{%- if environment == "ops" %}
         - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=172.30.78.20"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
+{%- endif %}
         - "traefik.http.middlewares.{{slug}}-renderer-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-renderer"
         - "traefik.http.routers.{{slug}}-renderer-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
         - "traefik.http.routers.{{slug}}-renderer-proxy.middlewares={{slug}}-pass-wl,{{slug}}-renderer-proxy-fa,compress@file,cors@file"
@@ -38,7 +42,11 @@ services:
         - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
         - "traefik.http.routers.{{slug}}-renderer-redirect-proxy.entrypoints=http"
         # router for internal proxy based access without checking header (https)
+{%- if environment == "ops" %}
         - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,10.30.72.35"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
+{%- endif %}
         - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
         - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.middlewares={{slug}}-pass-wl-noheader,compress@file,cors@file"
         - "traefik.http.routers.{{slug}}-renderer-proxy-noheader.tls=true"
@@ -64,13 +72,17 @@ services:
         - "traefik.docker.network={{slug}}-extnet"
         - "traefik.docker.lbswarm=true"
         - "traefik.enable=true"
+{%- if environment == "ops" %}
       replicas: 3
+{%- endif %}
       resources:
         limits:
           memory: 8G
+{%- if environment == "ops" %}
       placement:
         constraints:
           - node.labels.type == external
+{%- endif %}
     networks:
       - extnet
   cache:
@@ -94,7 +106,11 @@ services:
         - "traefik.http.routers.{{slug}}-cache-redirect-shib.middlewares=redirect@file"
         - "traefik.http.routers.{{slug}}-cache-redirect-shib.entrypoints=http"
         # router for internal proxy based access with checking header (https)
+{%- if environment == "ops" %}
         - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=172.30.78.20"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl.ipwhitelist.sourcerange=178.248.89.10,178.248.89.19"
+{%- endif %}
         - "traefik.http.routers.{{slug}}-cache-proxy.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`) && (HeadersRegexp(`Oa-User-Category`, `[a-zA-Z]+`) || HeadersRegexp(`Oa-User-Category-Collection-Groups`, `[a-zA-Z]+`))"
         - "traefik.http.middlewares.{{slug}}-cache-proxy-fa.forwardauth.address=http://shibauth-{{slug}}/proxy-cache"
         - "traefik.http.routers.{{slug}}-cache-proxy.middlewares={{slug}}-cache-proxy-chain"
@@ -107,7 +123,11 @@ services:
         - "traefik.http.routers.{{slug}}-cache-redirect-proxy.middlewares={{slug}}-pass-wl,redirect@file"
         - "traefik.http.routers.{{slug}}-cache-redirect-proxy.entrypoints=http"
         # router for internal proxy based access without checking header (https)
+{%- if environment == "ops" %}
         - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,10.30.72.35"
+{%- else %}
+        - "traefik.http.middlewares.{{slug}}-pass-wl-noheader.ipwhitelist.sourcerange=172.30.78.8,172.30.78.11,178.248.89.10,178.248.89.19"
+{%- endif %}
         - "traefik.http.routers.{{slug}}-cache-proxy-noheader.rule=Host(`proxy.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/cache`)"
         - "traefik.http.routers.{{slug}}-cache-proxy-noheader.middlewares={{slug}}-cache-proxy-chain-noheader"
         - "traefik.http.middlewares.{{slug}}-cache-proxy-chain-noheader.chain.middlewares={{slug}}-pass-wl-noheader,cache-stripprefix,compress@file,cors@file"
@@ -134,13 +154,17 @@ services:
         - "traefik.docker.network={{slug}}-extnet"
         - "traefik.docker.lbswarm=true"
         - "traefik.enable=true"
+{%- if environment == "ops" %}
       replicas: 3
+{%- endif %}
       resources:
         limits:
           memory: 8G
+{%- if environment == "ops" %}
       placement:
         constraints:
           - node.labels.type == external
+{%- endif %}
     networks:
       - extnet
   registrar:
@@ -148,23 +172,34 @@ services:
     environment:
       INSTALL_DIR: "/var/www/pvs/ops/"
       INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
+{%- if environment == "staging" %}
+      UPLOAD_CONTAINER: "{{slug}}-data-staging"
+{%- endif %}
+{%- if environment == "ops" %}
     deploy:
       replicas: 1
       placement:
         constraints: [node.role == manager]
+{%- endif %}
   ingestor:
     image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor{{release_version}} # bumpversion
     environment:
       REDIS_PREPROCESS_MD_QUEUE_KEY: "preprocess_queue"
+{%- if environment == "ops" %}
       INOTIFY_MASKS: "IN_MOVED_TO"
+{%- endif %}
+{%- if environment == "ops" %}
     deploy:
       placement:
         constraints: [node.role == manager]
+{%- endif %}
   sftp:
     image: registry.gitlab.eox.at/esa/prism/vs/pvs_sftp{{release_version}} # bumpversion
+{%- if environment == "ops" %}
     deploy:
       placement:
         constraints: [node.role == manager]
+{%- endif %}
     configs:
       - source: sftp_ssh_host_rsa_key
         target: /etc/ssh/ssh_host_rsa_key
@@ -206,9 +241,11 @@ services:
         - "traefik.docker.network={{slug}}-extnet"
         - "traefik.docker.lbswarm=true"
         - "traefik.enable=true"
+{%- if environment == "ops" %}
       placement:
         constraints:
           - node.labels.type == external
+{%- endif %}
     networks:
       - extnet
   preprocessor:
@@ -217,11 +254,17 @@ services:
       - type: bind
         source: /var/vhr
         target: /tmp
+{%- if environment == "staging" %}
+    environment:
+      UPLOAD_CONTAINER: "{{slug}}-data-staging"
+{%- endif %}
+{%- if environment == "ops" %}
     deploy:
       replicas: 1
       placement:
         constraints:
           - node.labels.type == internal
+{%- endif %}
   shibauth-{{slug}}:
     image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth{{release_version}} # bumpversion
     environment:
@@ -229,7 +272,11 @@ services:
       USER_CATEGORY_ALLOW_RENDERER: "{{shibauth_renderer}}"
       USER_CATEGORY_ALLOW_CACHE: "{{shibauth_cache}}"
       SPEntityID: "https://{{slug}}.pass.copernicus.eu/shibboleth"
+{%- if environment == "ops" %}
       IDPEntityID: "https://ssoidp.copernicus.eu:443/shibboleth"
+{%- else %}
+      IDPEntityID: "https://umssoidp.cdsv3.eu:443/shibboleth"
+{%- endif %}
     secrets:
       - source: EMG_SHIB_CERT
         target: SHIB_CERT
@@ -237,8 +284,10 @@ services:
         target: SHIB_KEY
     deploy:
       replicas: 1
+{%- if environment == "ops" %}
       placement:
         constraints: [node.role == manager]
+{%- endif %}
       labels:
         # router for basic auth based access (https)
         - "traefik.http.routers.{{slug}}-shibauth.rule=Host(`sso.{{slug}}.pass.copernicus.eu`) && PathPrefix(`/Shibboleth.sso`)"