updated docker compose and created new docker compose for possible im…
…provements of how the user manages secrets and data

Signed-off-by: Aaron Lippold <[email protected]>
aaronlippold committed Nov 20, 2024
1 parent 50d1b57 commit be86d28
Showing 4 changed files with 236 additions and 243 deletions.
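--- a/docker-compose-env-vars.yaml
+++ b/docker-compose-env-vars.yaml
@@ -0,0 +1,115 @@
+version: '3.8'
+
+services:
+  database:
+    image: postgres:13
+    platform: linux/x86_64
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 30s
+      timeout: 60s
+      retries: 5
+      start_period: 80s
+    volumes:
+      - ./data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=heimdall-server-production
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - PGDATA=/var/lib/postgresql/data/pgdata
+    expose:
+      - "5432"
+    secrets:
+      - db_password
+
+  certs:
+    image: registry.access.redhat.com/ubi8/ubi:latest
+    platform: linux/x86_64
+    restart: unless-stopped
+    command: sh -c "sh /etc/pki/ca-trust/source/anchors/dodcerts.sh && update-ca-trust && tail -f /dev/null"
+    volumes:
+      - type: volume
+        source: cert_bundles
+        target: /etc/pki/ca-trust/extracted/
+      - type: bind
+        source: ./certs/
+        target: /etc/pki/ca-trust/source/anchors/
+
+  server:
+    image: mitre/heimdall2:latest
+    platform: linux/x86_64
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+      - DATABASE_HOST=database
+      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
+      - JWT_SECRET=${JWT_SECRET}
+      - API_KEY_SECRET=${API_KEY_SECRET}
+    env_file: .env
+    ports:
+      - "3000:3000"
+    volumes:
+      - type: volume
+        source: cert_bundles
+        target: /etc/pki/ca-trust/extracted/
+        read_only: true
+        volume:
+          nocopy: true
+    depends_on:
+      database:
+        condition: service_healthy
+    secrets:
+      - db_password
+
+  nginx:
+    image: nginx:alpine
+    platform: linux/x86_64
+    environment:
+      NGINX_HOST: ${NGINX_HOST}
+    volumes:
+      - ./nginx/conf/:/etc/nginx/templates/
+      - ./nginx/certs/:/etc/nginx/cert/
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - server
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+volumes:
+  cert_bundles:
+
+secrets:
+  db_password:
+    file: ./secrets/db_password.txt
+
+# Instructions:
+# 1. Create a file named 'db_password.txt' in the './secrets/' directory and put the database password in it.
+# Example content of 'db_password.txt':
+# mysecretpassword
+#
+# 2. Ensure that the './secrets/db_password.txt' file is located in the 'secrets' directory relative to your 'docker-compose.yml' file.
+#
+# 3. Define the following environment variables in a '.env' file or export them in your shell:
+# - JWT_SECRET: The secret key for JWT.
+# - API_KEY_SECRET: The secret key for API keys.
+# - NGINX_HOST: The hostname or IP address for the Nginx server.
+#
+# Example content of '.env':
+# JWT_SECRET=your_jwt_secret
+# API_KEY_SECRET=your_api_key_secret
+# NGINX_HOST=your_nginx_host
+#
+# 4. Use named volumes ('cert_bundles') for better management.
+#
+# 5. The 'certs' service updates the CA trust store with custom certificates.
+#
+# 6. The 'server' service runs the Heimdall2 application.
+#
+# 7. The 'nginx' service serves as a reverse proxy for the Heimdall2 application.
+#
+# 8. The 'healthcheck' for the 'nginx' service ensures it is running correctly.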
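Review bot: JWT_SECRET and API_KEY_SECRET in the server service are still injected as plain environment variables (and again via `env_file: .env`), so they remain readable through `docker inspect`, in `/proc/<pid>/environ` of every process in the container and in any crash dump, which undercuts the file's stated purpose when db_password has already been moved to the secrets mechanism; if the heimdall2 image honours file-backed variants for these the same way this file assumes it honours DATABASE_PASSWORD_FILE (worth confirming against the server's config loader, since an unsupported variable would silently leave the value unset), they should become `JWT_SECRET_FILE=/run/secrets/jwt_secret` and `API_KEY_SECRET_FILE=/run/secrets/api_key_secret` with matching entries under the top-level `secrets:` block. The instructions tell the operator to create ./secrets/db_password.txt and a .env but never to keep them out of version control or restrict their mode, so I would add to step 1: `# Do not commit ./secrets/ or .env (add both to .gitignore) and chmod 600 the password file.` Step 2 also refers to 'docker-compose.yml' although this file is docker-compose-env-vars.yaml, which will confuse anyone running it with `-f`. Finally, `ports: - "3000:3000"` publishes the Heimdall server on every host interface over plain HTTP, bypassing the nginx service that terminates TLS on 443; `expose: - "3000"` as used for the database, or `- "127.0.0.1:3000:3000"`, keeps it reachable only through the proxy.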
42 changes: 38 additions & 4 deletions docker-compose.yml
@@ -1,3 +1,5 @@
version: '3.8'

services:
database:
image: postgres:13
Expand All @@ -13,10 +15,12 @@ services:
- ./data:/var/lib/postgresql/data
environment:
- POSTGRES_DB=heimdall-server-production
- POSTGRES_PASSWORD=${DATABASE_PASSWORD}
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- PGDATA=/var/lib/postgresql/data/pgdata
expose:
- "5432"
secrets:
- db_password

certs:
image: registry.access.redhat.com/ubi8/ubi:latest
Expand All @@ -38,10 +42,10 @@ services:
environment:
- NODE_ENV=production
- DATABASE_HOST=database
- DATABASE_PASSWORD=${DATABASE_PASSWORD}
- DATABASE_PASSWORD_FILE=/run/secrets/db_password
env_file: .env
ports:
- "3000"
- "3000:3000"
volumes:
- type: volume
source: cert_bundles
Expand All @@ -52,6 +56,8 @@ services:
depends_on:
database:
condition: service_healthy
secrets:
- db_password

nginx:
image: nginx:alpine
Expand All @@ -65,7 +71,35 @@ services:
- "80:80"
- "443:443"
depends_on:
- "server"
- server
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost || exit 1"]
interval: 30s
timeout: 10s
retries: 3

volumes:
cert_bundles:

secrets:
db_password:
file: ./secrets/db_password.txt

# Instructions:
# 1. Create a file named 'db_password.txt' in the './secrets/' directory and put the database password in it.
# Example content of 'db_password.txt':
# mysecretpassword
#
# 2. Ensure that the './secrets/db_password.txt' file is located in the 'secrets' directory relative to your 'docker-compose.yml' file.
#
# 3. The 'POSTGRES_PASSWORD_FILE' and 'DATABASE_PASSWORD_FILE' environment variables are used to point to the secret file within the container.
#
# 4. Use named volumes ('cert_bundles') for better management.
#
# 5. The 'certs' service updates the CA trust store with custom certificates.
#
# 6. The 'server' service runs the Heimdall2 application.
#
# 7. The 'nginx' service serves as a reverse proxy for the Heimdall2 application.
#
# 8. The 'healthcheck' for the 'nginx' service ensures it is running correctly.
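Review bot: The server port mapping changes from `- "3000"` to `- "3000:3000"`, which turns a container-network-only port into one published on 0.0.0.0 of the host, so anyone who can reach the host can talk to Heimdall over plain HTTP and skip the nginx reverse proxy that terminates TLS on 443. Unless direct host access is intended, keep the old form, switch to `expose:` like the database service, or at least bind loopback with `- "127.0.0.1:3000:3000"`. The database password now comes from ./secrets/db_password.txt, but the new instruction comments do not tell the operator to git-ignore that directory or set restrictive permissions, and `env_file: .env` is still loaded so any secrets that remain there are still exposed as environment variables; I would add to step 1: `# Do not commit ./secrets/ or .env (add both to .gitignore) and chmod 600 the password file.` The server service definition starts before the visible hunk at -38,10, so the rest of its environment block is outside what I can see here.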
