Commit 1fd561d

Merge pull request #6 from neicnordic/test/new-TLS-config
Use new sda-db image with verify-ca option
2 parents 625552c + 5da25ff commit 1fd561d

1 file changed

+84
-13
lines changed

1 file changed

+84
-13
lines changed

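--- a/docker-template.yml
+++ b/docker-template.yml
@@ -21,7 +21,7 @@ services:
       - /tmp/tsd:/tsd/p11/data/durable/apps/ega/
 
   db:
-    image: ghcr.io/neicnordic/sda-db:v1.3.1
+    image: ghcr.io/neicnordic/sda-db:latest
     ports:
       - 5432:5432
     deploy:
@@ -33,6 +33,7 @@ services:
       - DB_LEGA_IN_PASSWORD={{DB_LEGA_IN_PASSWORD}}
       - DB_LEGA_OUT_PASSWORD={{DB_LEGA_OUT_PASSWORD}}
       - PGDATA=/ega/data
+      - PG_VERIFY_PEER=verify-ca
       - PG_SERVER_CERT=/etc/ega/pg.cert
       - PG_SERVER_KEY=/etc/ega/pg.key
       - PG_CA=/etc/ega/CA.cert
@@ -161,7 +162,7 @@ services:
 
   # Private stack
   ingest:
-    image: ghcr.io/neicnordic/sda-pipeline:experimental-add-tls-skip-verify
+    image: ghcr.io/neicnordic/sda-pipeline:latest
     deploy:
       restart_policy:
         condition: on-failure
@@ -180,8 +181,10 @@ services:
       - BROKER_ROUTINGKEY=archived
       - BROKER_ROUTINGERROR=error
       - BROKER_SSL=true
-      - BROKER_VERIFYPEER=false
-      - BROKER_INSECURESKIPVERIFY=true
+      - BROKER_VERIFYPEER=true
+      - BROKER_CACERT=/etc/ega/CA.cert
+      - BROKER_CLIENTCERT=/etc/ega/client.cert
+      - BROKER_CLIENTKEY=/etc/ega/client-key.cert
       - C4GH_PASSPHRASE={{KEY_PASSWORD}}
       - C4GH_FILEPATH=/etc/ega/ega.sec
       - DB_HOST={{DB_HOST}}
@@ -190,10 +193,24 @@ services:
       - DB_PASSWORD={{DB_LEGA_IN_PASSWORD}}
       - DB_DATABASE=lega
       - DB_SSLMODE=require
+      - DB_CLIENTCERT=/etc/ega/client.cert
+      - DB_CLIENTKEY=/etc/ega/client-key.cert
       - INBOX_TYPE=posix
       - INBOX_LOCATION=/ega/inbox
       - LOG_LEVEL=debug
     secrets:
+      - source: rootCA.pem
+        target: /etc/ega/CA.cert
+      - source: client.pem
+        target: /etc/ega/client.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
+      - source: client-key.pem
+        target: /etc/ega/client-key.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
       - source: ega.sec.pem
         target: /etc/ega/ega.sec
     volumes:
@@ -202,7 +219,7 @@ services:
     command: "sda-ingest"
 
   verify:
-    image: ghcr.io/neicnordic/sda-pipeline:experimental-add-tls-skip-verify
+    image: ghcr.io/neicnordic/sda-pipeline:latest
     deploy:
       restart_policy:
         condition: on-failure
@@ -221,8 +238,10 @@ services:
       - BROKER_ROUTINGKEY=verified
       - BROKER_ROUTINGERROR=error
       - BROKER_SSL=true
-      - BROKER_VERIFYPEER=false
-      - BROKER_INSECURESKIPVERIFY=true
+      - BROKER_VERIFYPEER=true
+      - BROKER_CACERT=/etc/ega/CA.cert
+      - BROKER_CLIENTCERT=/etc/ega/client.cert
+      - BROKER_CLIENTKEY=/etc/ega/client-key.cert
       - C4GH_PASSPHRASE={{KEY_PASSWORD}}
       - C4GH_FILEPATH=/etc/ega/ega.sec
       - DB_HOST={{DB_HOST}}
@@ -231,16 +250,30 @@ services:
       - DB_PASSWORD={{DB_LEGA_IN_PASSWORD}}
       - DB_DATABASE=lega
       - DB_SSLMODE=require
+      - DB_CLIENTCERT=/etc/ega/client.cert
+      - DB_CLIENTKEY=/etc/ega/client-key.cert
       - LOG_LEVEL=debug
     secrets:
+      - source: rootCA.pem
+        target: /etc/ega/CA.cert
+      - source: client.pem
+        target: /etc/ega/client.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
+      - source: client-key.pem
+        target: /etc/ega/client-key.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
       - source: ega.sec.pem
         target: /etc/ega/ega.sec
     volumes:
       - /tmp/vault:/ega/archive
     command: "sda-verify"
 
   finalize:
-    image: ghcr.io/neicnordic/sda-pipeline:experimental-add-tls-skip-verify
+    image: ghcr.io/neicnordic/sda-pipeline:latest
     deploy:
       restart_policy:
         condition: on-failure
@@ -257,19 +290,36 @@ services:
       - BROKER_ROUTINGKEY=completed
       - BROKER_ROUTINGERROR=error
       - BROKER_SSL=true
-      - BROKER_VERIFYPEER=false
-      - BROKER_INSECURESKIPVERIFY=true
+      - BROKER_VERIFYPEER=true
+      - BROKER_CACERT=/etc/ega/CA.cert
+      - BROKER_CLIENTCERT=/etc/ega/client.cert
+      - BROKER_CLIENTKEY=/etc/ega/client-key.cert
       - DB_HOST={{DB_HOST}}
       - DB_PORT=5432
       - DB_USER={{DB_LEGA_IN_USER}}
       - DB_PASSWORD={{DB_LEGA_IN_PASSWORD}}
       - DB_DATABASE=lega
       - DB_SSLMODE=require
+      - DB_CLIENTCERT=/etc/ega/client.cert
+      - DB_CLIENTKEY=/etc/ega/client-key.cert
       - LOG_LEVEL=debug
     command: "sda-finalize"
+    secrets:
+      - source: rootCA.pem
+        target: /etc/ega/CA.cert
+      - source: client.pem
+        target: /etc/ega/client.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
+      - source: client-key.pem
+        target: /etc/ega/client-key.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
 
   mapper:
-    image: ghcr.io/neicnordic/sda-pipeline:experimental-add-tls-skip-verify
+    image: ghcr.io/neicnordic/sda-pipeline:latest
     deploy:
       restart_policy:
         condition: on-failure
@@ -285,16 +335,33 @@ services:
       - BROKER_EXCHANGE=sda
       - BROKER_ROUTINGERROR=error
       - BROKER_SSL=true
-      - BROKER_VERIFYPEER=false
-      - BROKER_INSECURESKIPVERIFY=true
+      - BROKER_VERIFYPEER=true
+      - BROKER_CACERT=/etc/ega/CA.cert
+      - BROKER_CLIENTCERT=/etc/ega/client.cert
+      - BROKER_CLIENTKEY=/etc/ega/client-key.cert
       - DB_HOST={{DB_HOST}}
       - DB_PORT=5432
       - DB_USER={{DB_LEGA_OUT_USER}}
       - DB_PASSWORD={{DB_LEGA_OUT_PASSWORD}}
       - DB_DATABASE=lega
       - DB_SSLMODE=require
+      - DB_CLIENTCERT=/etc/ega/client.cert
+      - DB_CLIENTKEY=/etc/ega/client-key.cert
       - LOG_LEVEL=debug
     command: "sda-mapper"
+    secrets:
+      - source: rootCA.pem
+        target: /etc/ega/CA.cert
+      - source: client.pem
+        target: /etc/ega/client.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
+      - source: client-key.pem
+        target: /etc/ega/client-key.cert
+        uid: '65534'
+        gid: '65534'
+        mode: 0600
 
   doa:
     image: neicnordic/sda-doa:release-v1.6.0
@@ -314,8 +381,12 @@ services:
       - POSTGRES_PASSWORD={{DB_LEGA_OUT_PASSWORD}}
       - OUTBOX_ENABLED=false
     secrets:
+      - source: rootCA.pem
+        target: /etc/ega/ssl/CA.cert
       - source: client.pem
         target: /etc/ega/ssl/client.cert
+      - source: client-key.der
+        target: /etc/ega/ssl/client.key
       - source: jwt.pub.pem
         target: /etc/ega/jwt/passport.pem
       - source: jwt.pub.pem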
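Review bot: The `db`, `ingest`, `verify`, `finalize` and `mapper` services move from pinned tags (`sda-db:v1.3.1`, `sda-pipeline:experimental-add-tls-skip-verify`) to `:latest`, so the stack is no longer reproducible and any push to those upstream tags silently changes what gets deployed; pin a released tag, e.g. `image: ghcr.io/neicnordic/sda-db:<RELEASE_TAG>`, or an image digest. In the `doa` section the new `client-key.der` secret is mounted at `/etc/ega/ssl/client.key` without `uid`/`gid`/`mode`, unlike the `client-key.pem` mounts added for the pipeline services, which set `mode: 0600`; without it the private key gets the secret default permissions (readable by every user in the container), so add `mode: 0600` together with the uid/gid the doa process runs as. The pipeline services now mount `rootCA.pem` as `/etc/ega/CA.cert` but keep `DB_SSLMODE=require`, which encrypts the connection without verifying the server's certificate; if sda-pipeline accepts a CA setting for the database, `verify-full` would make the TLS hardening two-sided — confirm against the pipeline's configuration.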
