mirror of
https://github.com/owncloud/ocis
synced 2026-04-25 17:25:21 +02:00
f49e5c5c64
Keycloak example will be updated to 26.2.5, which contains support for telemetry. The committed setup changes are required for the Keycloak update. Due to the Keycloak update to 26.2.5, jaeger will also need to be updated. It isn't part of the deployment, but the expected docker image is jaegertracing/jaeger:2.7.0 (which is supported by Keycloak 26.2.5). The jaeger update also brings changes in oCIS. Previous 6831 port in jaeger isn't available in recent versions (particularly 2.7.0), and has changed to port 4317, which supports the "otlp" tracing type in oCIS. No code change is needed.
160 lines
6.1 KiB
YAML
160 lines
6.1 KiB
YAML
---
|
|
version: "3.7"
|
|
|
|
services:
|
|
traefik:
|
|
image: traefik:v2.9.1
|
|
networks:
|
|
ocis-net:
|
|
aliases:
|
|
- ${OCIS_DOMAIN:-ocis.owncloud.test}
|
|
- ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
|
|
command:
|
|
- "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
|
|
# letsencrypt configuration
|
|
- "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
|
|
- "--certificatesResolvers.http.acme.storage=/certs/acme.json"
|
|
- "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
|
|
# enable dashboard
|
|
- "--api.dashboard=true"
|
|
# define entrypoints
|
|
- "--entryPoints.http.address=:80"
|
|
- "--entryPoints.http.http.redirections.entryPoint.to=https"
|
|
- "--entryPoints.http.http.redirections.entryPoint.scheme=https"
|
|
- "--entryPoints.https.address=:443"
|
|
# docker provider (get configuration from container labels)
|
|
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
|
|
- "--providers.docker.exposedByDefault=false"
|
|
# access log
|
|
- "--accessLog=true"
|
|
- "--accessLog.format=json"
|
|
- "--accessLog.fields.headers.names.X-Request-Id=keep"
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
|
|
- "certs:/certs"
|
|
labels:
|
|
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
|
|
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
|
|
- "traefik.http.routers.traefik.entrypoints=https"
|
|
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
|
|
- "traefik.http.routers.traefik.middlewares=traefik-auth"
|
|
- "traefik.http.routers.traefik.tls.certresolver=http"
|
|
- "traefik.http.routers.traefik.service=api@internal"
|
|
logging:
|
|
driver: ${LOG_DRIVER:-local}
|
|
restart: always
|
|
|
|
ocis:
|
|
image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
|
|
networks:
|
|
ocis-net:
|
|
entrypoint:
|
|
- /bin/sh
|
|
# run ocis init to initialize a configuration file with random secrets
|
|
# it will fail on subsequent runs, because the config file already exists
|
|
# therefore we ignore the error and then start the ocis server
|
|
command: ["-c", "ocis init || true; exec ocis server"]
|
|
environment:
|
|
# Keycloak IDP specific configuration
|
|
PROXY_AUTOPROVISION_ACCOUNTS: "true"
|
|
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
|
|
OCIS_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/realms/${KEYCLOAK_REALM:-oCIS}
|
|
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
|
|
WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
|
|
# general config
|
|
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
|
|
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
|
|
OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
|
|
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
|
|
PROXY_USER_OIDC_CLAIM: "preferred_username"
|
|
PROXY_USER_CS3_CLAIM: "username"
|
|
# INSECURE: needed if oCIS / Traefik is using self generated certificates
|
|
OCIS_INSECURE: "${INSECURE:-false}"
|
|
OCIS_ADMIN_USER_ID: ""
|
|
OCIS_EXCLUDE_RUN_SERVICES: "idp"
|
|
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
|
|
GRAPH_USERNAME_MATCH: "none"
|
|
# password policies
|
|
OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
|
|
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
|
|
KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
|
|
volumes:
|
|
- ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
|
|
- ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
|
|
- ocis-config:/etc/ocis
|
|
- ocis-data:/var/lib/ocis
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.ocis.entrypoints=https"
|
|
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
|
|
- "traefik.http.routers.ocis.tls.certresolver=http"
|
|
- "traefik.http.routers.ocis.service=ocis"
|
|
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
|
|
logging:
|
|
driver: ${LOG_DRIVER:-local}
|
|
restart: always
|
|
|
|
postgres:
|
|
image: postgres:alpine
|
|
networks:
|
|
ocis-net:
|
|
volumes:
|
|
- keycloak_postgres_data:/var/lib/postgresql/data
|
|
environment:
|
|
POSTGRES_DB: keycloak
|
|
POSTGRES_USER: keycloak
|
|
POSTGRES_PASSWORD: keycloak
|
|
logging:
|
|
driver: ${LOG_DRIVER:-local}
|
|
restart: always
|
|
|
|
keycloak:
|
|
image: quay.io/keycloak/keycloak:26.2.5
|
|
networks:
|
|
ocis-net:
|
|
command: ["start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"]
|
|
entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"]
|
|
volumes:
|
|
- "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
|
|
- "./config/keycloak/ocis-realm.dist.json:/opt/keycloak/data/import-dist/ocis-realm.json"
|
|
environment:
|
|
OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
|
|
KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
|
|
KC_DB: postgres
|
|
KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
|
|
KC_DB_USERNAME: keycloak
|
|
KC_DB_PASSWORD: keycloak
|
|
KC_FEATURES: impersonation,opentelemetry
|
|
KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN_USER:-admin}
|
|
KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
|
|
# as replacement of --proxy=edge
|
|
KC_PROXY_HEADERS: xforwarded
|
|
KC_HTTP_ENABLED: true
|
|
# tracing
|
|
KC_TRACING_ENABLED: ${KEYCLOAK_TRACING:-false}
|
|
KC_TRACING_ENDPOINT: http://jaeger:4317
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.keycloak.entrypoints=https"
|
|
- "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
|
|
- "traefik.http.routers.keycloak.tls.certresolver=http"
|
|
- "traefik.http.routers.keycloak.service=keycloak"
|
|
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
|
|
depends_on:
|
|
- postgres
|
|
logging:
|
|
driver: ${LOG_DRIVER:-local}
|
|
restart: always
|
|
|
|
volumes:
|
|
certs:
|
|
ocis-config:
|
|
ocis-data:
|
|
keycloak_postgres_data:
|
|
|
|
networks:
|
|
ocis-net:
|