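# docker-compose.yml
#
# Mission Control stack for Rocketgraph:
#   frontend (TLS terminator; publishes host ports 80/443)
#     -> backend (API on container port 5000; talks to mongodb and xgt)
#        -> mongodb (state store; reachable only on the internal network)
#   xgt (graph server; publishes host port 4367)
# Every image tag, host path and credential is overridable from .env; the
# ${VAR:-default} fallbacks below are what is used when .env is silent.
#
# Network topology (declared at the bottom): external-network carries the
# published ports and is shared by frontend, backend and xgt; database-network
# is `internal: true` and joins only backend and mongodb, so mongod is never
# reachable from the host or from frontend/xgt.
#
# Secrets (MC_MONGO_PASSWORD, MC_OIDC_CLIENT_SECRET) travel as plain container
# environment variables, so they are readable by anyone who can run
# `docker inspect` or read the container's /proc/<pid>/environ. Keep .env out
# of version control; compose `secrets:` would be the hardened alternative.
#
# Restart policies are not uniform: frontend restarts on failure, mongodb
# always, backend and xgt not at all. NOTE(review): a crashed backend therefore
# stays down while the frontend, which waits on its health, keeps restarting —
# confirm this is intended.
#
# Interpolation note: compose expands ${...} before the container sees the
# value; anything that must reach the container shell as a literal `$` is
# written `$$` (see the mongodb command/healthcheck).
---
name: ${COMPOSE_PROJECT_NAME:-rocketgraph}

services:
  frontend:
    image: ${MC_FRONTEND_IMAGE:-docker.io/rocketgraph/mission-control-frontend:2.6.1}
    environment:
      # Quoted so YAML hands compose a string rather than an int.
      MC_SSL_PORT: "${MC_SSL_PORT:-443}"
    ports:
      # Host:container. Both stay quoted: unquoted `a:b` is a YAML 1.1
      # sexagesimal trap for small port numbers.
      - "${MC_PORT:-80}:80"
      - "${MC_SSL_PORT:-443}:443"
    networks:
      - external-network
    volumes:
      # Certificate, private key and chain for the public TLS listener. All
      # read-only; `Z` = private SELinux label, nothing else mounts these.
      # NOTE(review): when MC_SSL_* are unset the ~/.rocketgraph/.fallback_mount
      # paths are mounted — presumably populated by an install step; a missing
      # host file may be bind-mounted as an empty directory by the runtime.
      # Confirm against the setup scripts.
      - ${MC_SSL_PUBLIC_CERT:-~/.rocketgraph/.fallback_mount/certs/xgt-public.pem}:/etc/ssl/certs/td.pem:ro,Z
      - ${MC_SSL_PRIVATE_KEY:-~/.rocketgraph/.fallback_mount/certs/xgt-private.pem}:/etc/ssl/private/td.pem:ro,Z
      - ${MC_SSL_CERT_CHAIN:-~/.rocketgraph/.fallback_mount/certs/xgt-chain.pem}:/etc/ssl/certs/ca-chain.pem:ro,Z
    depends_on:
      backend:
        condition: service_healthy
    healthcheck:
      # Probes the plain-HTTP listener inside the container; the TLS listener
      # itself is not exercised by this check.
      test: ["CMD", "curl", "-fsS", "-o", "/dev/null", "http://localhost/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    restart: on-failure

  backend:
    image: ${MC_BACKEND_IMAGE:-docker.io/rocketgraph/mission-control-backend:2.6.1}
    environment:
      # The backend builds the bundled MongoDB URI from these vars (auth,
      # TLS, mTLS) in build_mongo_uri() — not via compose ${...:+...}, which
      # podman-compose 1.5.0 can't interpolate. The TLS server cert needs a
      # subjectAltName for "mongodb" (scripts/generate_mongo_certs.sh). Set
      # MC_MONGO_URI to override entirely (e.g. an external MongoDB).
      MC_MONGO_URI: ${MC_MONGO_URI:-}
      MC_MONGO_PASSWORD: ${MC_MONGO_PASSWORD:-}
      MC_MONGO_TLS_ENABLED: ${MC_MONGO_TLS_ENABLED:-}
      MC_MONGO_TLS_CLIENT_PEM: ${MC_MONGO_TLS_CLIENT_PEM:-}
      # Port numbers quoted so they reach compose as strings.
      MC_PORT: "${MC_PORT:-80}"
      MC_SSL_PORT: "${MC_SSL_PORT:-443}"
      MC_DEFAULT_XGT_HOST: ${MC_DEFAULT_XGT_HOST:-}
      MC_DEFAULT_XGT_PORT: ${MC_DEFAULT_XGT_PORT:-}
      MC_SESSION_TTL: ${MC_SESSION_TTL:-}
      # Host paths of the frontend/proxy key material; the backend receives
      # the paths, the files themselves are bind-mounted under volumes below.
      MC_SSL_PUBLIC_CERT: ${MC_SSL_PUBLIC_CERT:-}
      MC_SSL_PRIVATE_KEY: ${MC_SSL_PRIVATE_KEY:-}
      MC_SSL_PROXY_PUBLIC_CERT: ${MC_SSL_PROXY_PUBLIC_CERT:-}
      MC_SSL_PROXY_PRIVATE_KEY: ${MC_SSL_PROXY_PRIVATE_KEY:-}
      XGT_SERVER_CN: ${XGT_SERVER_CN:-}
      XGT_AUTH_TYPES: ${XGT_AUTH_TYPES:-}
      # OIDC login. MC_OIDC_CLIENT_SECRET is a secret — see the header note.
      MC_OIDC_ISSUER: ${MC_OIDC_ISSUER:-}
      MC_OIDC_CLIENT_ID: ${MC_OIDC_CLIENT_ID:-}
      MC_OIDC_CLIENT_SECRET: ${MC_OIDC_CLIENT_SECRET:-}
      MC_OIDC_SCOPES: ${MC_OIDC_SCOPES:-}
      MC_OIDC_FRONTEND_URL: ${MC_OIDC_FRONTEND_URL:-}
      MC_OIDC_REDIRECT_URI: ${MC_OIDC_REDIRECT_URI:-}
      MC_OIDC_ALLOWED_ORIGINS: ${MC_OIDC_ALLOWED_ORIGINS:-}
      # NOTE(review): presumably toggles certificate verification toward the
      # OIDC issuer; anything other than verified should be a dev-only choice.
      # Confirm the semantics in the backend.
      MC_OIDC_TLS_VERIFY: ${MC_OIDC_TLS_VERIFY:-}
      MC_XGT_ALLOWED_HOSTS: ${MC_XGT_ALLOWED_HOSTS:-}
      # `${VAR-}` (no colon) keeps an explicitly empty value; unset also
      # becomes empty, so the result is always at least "/odbc:".
      LD_LIBRARY_PATH: "/odbc:${MC_ODBC_LIBRARY_PATH-}"
    networks:
      - database-network
      - external-network
    volumes:
      # `Z` for files only this service mounts; `z` (shared label) for files
      # that another service also mounts (oidc-ca.pem in xgt, the mongo-tls
      # files in mongodb) — a private label would be re-applied on each mount.
      - ${XGT_SSL_SERVER_CERT:-~/.rocketgraph/.fallback_mount/certs/xgt-server.pem}:/etc/ssl/certs/xgt-server.pem:ro,Z
      - ${MC_SSL_PROXY_PUBLIC_CERT:-~/.rocketgraph/.fallback_mount/certs/proxy-client-cert.pem}:/etc/ssl/certs/proxy-client-cert.pem:ro,Z
      - ${MC_SSL_PROXY_PRIVATE_KEY:-~/.rocketgraph/.fallback_mount/certs/proxy-client-key.pem}:/etc/ssl/private/proxy-client-key.pem:ro,Z
      # Writable: ODBC and IBM i Access driver trees.
      - ${MC_ODBC_PATH:-~/.rocketgraph/.fallback_mount/odbc}:/odbc:Z
      - ${MC_IBM_IACCESS_PATH:-~/.rocketgraph/.fallback_mount/iaccess}:/opt/ibm/iaccess:Z
      # Site configuration (YAML + Python hook), read-only.
      - ${MC_SITE_CONFIG_YML:-~/.rocketgraph/.fallback_mount/site_config.yml}:/app/site_config/site_config.yml:ro,Z
      - ${MC_SITE_CONFIG_PY:-~/.rocketgraph/.fallback_mount/site_config.py}:/app/site_config/site_config.py:ro,Z
      - ${MC_OIDC_CA_CERT:-~/.rocketgraph/.fallback_mount/oidc-ca.pem}:/etc/ssl/certs/oidc-ca.pem:ro,z
      # CA cert (MC_MONGO_TLS_CA_PEM) and, for mTLS, the client cert
      # (MC_MONGO_TLS_CLIENT_PEM). Unused when TLS is off.
      - ${MC_MONGO_TLS_CA_PEM:-~/.rocketgraph/.fallback_mount/mongo-tls/ca.pem}:/etc/ssl/certs/mongodb-ca.pem:ro,z
      - ${MC_MONGO_TLS_CLIENT_PEM:-~/.rocketgraph/.fallback_mount/mongo-tls/client.pem}:/etc/ssl/certs/mongodb-client.pem:ro,z
    depends_on:
      mongodb:
        condition: service_healthy
    healthcheck:
      # Uses the interpreter already in the image, so no curl is required.
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5000/api/health', timeout=5)"]
      interval: 60s
      timeout: 5s
      retries: 5
      start_period: 15s
    # No restart policy here (see header note).

  xgt:
    image: ${XGT_IMAGE:-docker.io/rocketgraph/xgt:2.6.1}
    ports:
      - "${XGT_PORT:-4367}:4367"
    volumes:
      # Configuration, data and logs are writable host directories.
      - ${XGT_CONF_PATH:-~/.rocketgraph/conf}:/conf:Z
      - ${XGT_DATA_PATH:-~/.rocketgraph/data}:/data:Z
      - ${XGT_LOG_PATH:-~/.rocketgraph/log}:/log:Z
      - ${XGT_LICENSE_FILE:-~/.rocketgraph/.fallback_mount/license/xgtd.lic}:/license/xgtd.lic:Z
      # Same OIDC CA as the backend, hence the shared `z` label.
      - ${MC_OIDC_CA_CERT:-~/.rocketgraph/.fallback_mount/oidc-ca.pem}:/etc/ssl/certs/oidc-ca.pem:ro,z
    healthcheck:
      # Prefers grpc_health_probe on the health port 4366 when the binary is
      # present; otherwise only checks that 4367 accepts a TCP connection.
      test: ["CMD-SHELL", "if [ -x /bin/grpc_health_probe ]; then /bin/grpc_health_probe -addr=:4366; else bash -c 'echo > /dev/tcp/localhost/4367'; fi"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s
    networks:
      - external-network

  mongodb:
    image: ${MC_MONGODB_IMAGE:-docker.io/library/mongo:8.0.23}
    restart: always
    # MongoDB security is opt-in (all via .env):
    #   * Auth — set MC_MONGO_PASSWORD (root user is always "rocketgraph").
    #   * TLS  — set MC_MONGO_TLS_ENABLED=true with MC_MONGO_TLS_SERVER_PEM
    #            and MC_MONGO_TLS_CA_PEM.
    #   * mTLS — set MC_MONGO_MTLS_ENABLED=true and MC_MONGO_TLS_CLIENT_PEM
    #            to require client certs.
    # See README.md and doc/mongodb_security.md for details.
    # With nothing set, mongod runs without auth or TLS; that is tolerable
    # only because database-network is internal (no host port is published).
    environment:
      # The root user is always "rocketgraph"; auth is enabled iff a password
      # is set. MONGO_INITDB_ROOT_USERNAME is derived from the password in the
      # command/healthcheck shells (not set here) because mongod's entrypoint
      # errors out if the username is set without a password.
      MONGO_INITDB_ROOT_PASSWORD: ${MC_MONGO_PASSWORD:-}
      # TLS flags are assembled by the container shell, not compose ${...}
      # interpolation: nested expansion isn't portable to podman-compose.
      MC_MONGO_TLS_ENABLED: ${MC_MONGO_TLS_ENABLED:-}
      MC_MONGO_TLS_MODE: ${MC_MONGO_TLS_MODE:-requireTLS}
      MC_MONGO_MTLS_ENABLED: ${MC_MONGO_MTLS_ENABLED:-}
      MC_MONGO_TLS_CLIENT_PEM: ${MC_MONGO_TLS_CLIENT_PEM:-}
    entrypoint: ["/bin/sh", "-c"]
    # Treat only MC_MONGO_TLS_ENABLED=true / MC_MONGO_MTLS_ENABLED=true as on
    # (not any non-empty value), so they agree with the Helm chart and the
    # backend's build_mongo_uri(). mTLS is off by default: when it's not on we
    # add --tlsAllowConnectionsWithoutCertificates. mongod has no positive
    # "require certs" flag, so we derive mtls_relax (the inverse) to keep the
    # ${VAR:+flag} idiom — POSIX ${VAR:-flag} would leak the value when set.
    # The folded scalar (`>-`) joins these lines with spaces, so the whole
    # script becomes one `sh -c` argument; the `;` separators are therefore
    # load-bearing.
    command:
      - >-
        [ "$$MC_MONGO_TLS_ENABLED" = true ] || MC_MONGO_TLS_ENABLED=;
        [ "$$MC_MONGO_MTLS_ENABLED" = true ] && mtls_relax= || mtls_relax=1;
        if [ -n "$$MONGO_INITDB_ROOT_PASSWORD" ]; then
        export MONGO_INITDB_ROOT_USERNAME=rocketgraph;
        echo "MongoDB auth: ENABLED (user rocketgraph)" >&2;
        else echo "MongoDB auth: DISABLED (set MC_MONGO_PASSWORD to enable)" >&2;
        fi;
        exec docker-entrypoint.sh mongod
        $${MC_MONGO_TLS_ENABLED:+--tlsMode "$$MC_MONGO_TLS_MODE"
        --tlsCertificateKeyFile /etc/ssl/mongodb/server.pem
        --tlsCAFile /etc/ssl/mongodb/ca.pem
        $${mtls_relax:+--tlsAllowConnectionsWithoutCertificates}}
    networks:
      - database-network
    volumes:
      - mongodb-data:/data/db
      - ${MC_MONGO_TLS_SERVER_PEM:-~/.rocketgraph/.fallback_mount/mongo-tls/server.pem}:/etc/ssl/mongodb/server.pem:ro,Z
      - ${MC_MONGO_TLS_CA_PEM:-~/.rocketgraph/.fallback_mount/mongo-tls/ca.pem}:/etc/ssl/mongodb/ca.pem:ro,z
      # Client cert so the healthcheck can connect under mTLS.
      - ${MC_MONGO_TLS_CLIENT_PEM:-~/.rocketgraph/.fallback_mount/mongo-tls/client.pem}:/etc/ssl/mongodb/client.pem:ro,z
    # mongo declares /data/configdb as a VOLUME but a standalone mongod never
    # uses it; tmpfs avoids leaving an orphaned anonymous volume each run.
    tmpfs:
      - /data/configdb
    healthcheck:
      # Shell-assembled like the command above; auth reuses MONGO_INITDB_ROOT_*.
      # Tries mongosh first and falls back to the legacy `mongo` shell.
      # NOTE(review): `-p "$MONGO_INITDB_ROOT_PASSWORD"` puts the root password
      # on the probe's argv, so it is visible in the process table (inside the
      # container, and to a host user able to list all processes) while the
      # probe runs. Acceptable for an internal-only database, but worth knowing.
      test:
        - CMD-SHELL
        - >-
          [ "$$MC_MONGO_TLS_ENABLED" = true ] || MC_MONGO_TLS_ENABLED=;
          if [ -n "$$MONGO_INITDB_ROOT_PASSWORD" ]; then
          MONGO_INITDB_ROOT_USERNAME=rocketgraph; fi;
          mongosh
          $${MC_MONGO_TLS_ENABLED:+--tls --tlsCAFile /etc/ssl/mongodb/ca.pem
          $${MC_MONGO_TLS_CLIENT_PEM:+--tlsCertificateKeyFile /etc/ssl/mongodb/client.pem}}
          $${MONGO_INITDB_ROOT_USERNAME:+-u "$$MONGO_INITDB_ROOT_USERNAME" -p "$$MONGO_INITDB_ROOT_PASSWORD" --authenticationDatabase admin}
          --eval "db.adminCommand('ping')"
          || mongo
          $${MC_MONGO_TLS_ENABLED:+--tls --tlsCAFile /etc/ssl/mongodb/ca.pem
          $${MC_MONGO_TLS_CLIENT_PEM:+--tlsCertificateKeyFile /etc/ssl/mongodb/client.pem}}
          $${MONGO_INITDB_ROOT_USERNAME:+-u "$$MONGO_INITDB_ROOT_USERNAME" -p "$$MONGO_INITDB_ROOT_PASSWORD" --authenticationDatabase admin}
          --eval "db.adminCommand('ping')"
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

volumes:
  # Named volume for mongod's data directory; survives `compose down` unless
  # the volumes are removed explicitly.
  mongodb-data: {}

networks:
  # backend <-> mongodb only; `internal` blocks host publishing and egress.
  database-network:
    internal: true
  # frontend, backend and xgt; the only network carrying published ports.
  external-network: {}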