Files
ocis/deployments/examples/ocis_keycloak/docker-compose.yml
Juan Pablo Villafáñez f49e5c5c64 chore: telemetry updates for the deployments
Keycloak example will be updated to 26.2.5, which contains support for
telemetry. The committed setup changes are required for the Keycloak
update.

Due to the Keycloak update to 26.2.5, jaeger will also need to be
updated. It isn't part of the deployment, but the expected docker image
is jaegertracing/jaeger:2.7.0 (which is supported by Keycloak 26.2.5).

The jaeger update also brings changes in oCIS. Previous 6831 port in
jaeger isn't available in recent versions (particularly 2.7.0), and has
changed to port 4317, which supports the "otlp" tracing type in oCIS. No
code change is needed.
2025-07-03 15:00:23 +02:00

160 lines
6.1 KiB
YAML

---
version: "3.7"
services:
traefik:
image: traefik:v2.9.1
networks:
ocis-net:
aliases:
- ${OCIS_DOMAIN:-ocis.owncloud.test}
- ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
command:
- "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
# letsencrypt configuration
- "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
- "--certificatesResolvers.http.acme.storage=/certs/acme.json"
- "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
# enable dashboard
- "--api.dashboard=true"
# define entrypoints
- "--entryPoints.http.address=:80"
- "--entryPoints.http.http.redirections.entryPoint.to=https"
- "--entryPoints.http.http.redirections.entryPoint.scheme=https"
- "--entryPoints.https.address=:443"
# docker provider (get configuration from container labels)
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedByDefault=false"
# access log
- "--accessLog=true"
- "--accessLog.format=json"
- "--accessLog.fields.headers.names.X-Request-Id=keep"
ports:
- "80:80"
- "443:443"
volumes:
- "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
- "certs:/certs"
labels:
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.routers.traefik.tls.certresolver=http"
- "traefik.http.routers.traefik.service=api@internal"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
ocis:
image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
entrypoint:
- /bin/sh
# run ocis init to initialize a configuration file with random secrets
# it will fail on subsequent runs, because the config file already exists
# therefore we ignore the error and then start the ocis server
command: ["-c", "ocis init || true; exec ocis server"]
environment:
# Keycloak IDP specific configuration
PROXY_AUTOPROVISION_ACCOUNTS: "true"
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
OCIS_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/realms/${KEYCLOAK_REALM:-oCIS}
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
# general config
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
PROXY_USER_OIDC_CLAIM: "preferred_username"
PROXY_USER_CS3_CLAIM: "username"
# INSECURE: needed if oCIS / Traefik is using self generated certificates
OCIS_INSECURE: "${INSECURE:-false}"
OCIS_ADMIN_USER_ID: ""
OCIS_EXCLUDE_RUN_SERVICES: "idp"
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
GRAPH_USERNAME_MATCH: "none"
# password policies
OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
volumes:
- ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
- ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
- ocis-config:/etc/ocis
- ocis-data:/var/lib/ocis
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.entrypoints=https"
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
- "traefik.http.routers.ocis.tls.certresolver=http"
- "traefik.http.routers.ocis.service=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
postgres:
image: postgres:alpine
networks:
ocis-net:
volumes:
- keycloak_postgres_data:/var/lib/postgresql/data
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: keycloak
logging:
driver: ${LOG_DRIVER:-local}
restart: always
keycloak:
image: quay.io/keycloak/keycloak:26.2.5
networks:
ocis-net:
command: ["start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"]
entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"]
volumes:
- "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
- "./config/keycloak/ocis-realm.dist.json:/opt/keycloak/data/import-dist/ocis-realm.json"
environment:
OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
KC_DB: postgres
KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: keycloak
KC_FEATURES: impersonation,opentelemetry
KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN_USER:-admin}
KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
# as replacement of --proxy=edge
KC_PROXY_HEADERS: xforwarded
KC_HTTP_ENABLED: true
# tracing
KC_TRACING_ENABLED: ${KEYCLOAK_TRACING:-false}
KC_TRACING_ENDPOINT: http://jaeger:4317
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak.entrypoints=https"
- "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
- "traefik.http.routers.keycloak.tls.certresolver=http"
- "traefik.http.routers.keycloak.service=keycloak"
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
depends_on:
- postgres
logging:
driver: ${LOG_DRIVER:-local}
restart: always
volumes:
certs:
ocis-config:
ocis-data:
keycloak_postgres_data:
networks:
ocis-net: