-
Notifications
You must be signed in to change notification settings - Fork 63
/
docker-compose.yaml
108 lines (101 loc) · 3.63 KB
/
docker-compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# Copyright 2024 Tetrate
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
version: "3.9"
services:
# This is a proxy that intercepts requests to the target application and calls the authservice to
# perform the OIDC authorization check.
envoy:
depends_on:
ext-authz:
condition: service_started
image: envoyproxy/envoy:v1.29-latest
platform: linux/${ARCH:-amd64}
command: -c /etc/envoy/envoy-config.yaml --log-level warning
ports:
- "8443:443"
volumes:
- type: bind
source: envoy-config.yaml
target: /etc/envoy/envoy-config.yaml
- type: bind
source: certs
target: /etc/envoy/certs
# This is a simple HTTP server that will be used as the target application for the tests.
http-echo:
image: jmalloc/echo-server:0.3.6
platform: linux/${ARCH:-amd64}
hostname: http-echo
# This is the `authservice` image that should be up-to-date when running the tests.
ext-authz:
depends_on:
setup-keycloak:
condition: service_completed_successfully
image: ${E2E_IMAGE}
platform: ${E2E_PLATFORM}
volumes:
- type: bind
source: authz-config.json
target: /etc/authservice/config.json
extra_hosts: # Required when running on Linux
- "host.docker.internal:host-gateway"
# Redis container to be used to persist the session information and OIDC authorization
# state.
redis:
image: redis:7.2.4
platform: linux/${ARCH:-amd64}
# Keycloak container to be used as the OIDC provider. The tests will use the `master` realm
keycloak:
image: quay.io/keycloak/keycloak:23.0.6
platform: linux/${ARCH:-amd64}
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
ports:
- "9443:9443"
command: start-dev --https-port=9443 --https-certificate-file=/opt/keycloak/certs/host.docker.internal.crt --https-certificate-key-file=/opt/keycloak/certs/host.docker.internal.key
volumes:
- type: bind
source: certs
target: /opt/keycloak/certs
healthcheck:
test: /opt/keycloak/bin/kcadm.sh get realms/master --server http://localhost:8080 --realm master --user admin --password admin
interval: 5s
timeout: 2s
retries: 30
start_period: 5s
extra_hosts: # Required when running on Linux
- "host.docker.internal:host-gateway"
# Container to configure the Keycloak instance with a User and Client application
setup-keycloak:
depends_on:
keycloak:
condition: service_healthy
image: quay.io/keycloak/keycloak:23.0.6
platform: linux/${ARCH:-amd64}
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
entrypoint: /opt/setup-keycloak.sh
volumes:
- type: bind
source: setup-keycloak.sh
target: /opt/setup-keycloak.sh
# Healthcheck to make sure the created client has been successfully created, and that other services
# can depend on
healthcheck:
test: /opt/keycloak/bin/kcreg.sh get authservice --server http://keycloak:8080 --realm master --user admin --password admin
interval: 2s
timeout: 2s
retries: 10
start_period: 2s