-
Notifications
You must be signed in to change notification settings - Fork 8
/
docker-compose.instance.yaml
61 lines (53 loc) · 2.71 KB
/
docker-compose.instance.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#! This is a ytt template file for docker-compose.override.yaml
#! References:
#! https://carvel.dev/ytt
#! https://docs.docker.com/compose/extends/#adding-and-overriding-configuration
#! https://github.com/enigmacurry/d.rymcg.tech#overriding-docker-composeyaml-per-instance
#! ### Standard project vars:
#@ load("@ytt:data", "data")
#@ project = data.values.project
#@ instance = data.values.instance
#@ context = data.values.context
#@ traefik_host = data.values.traefik_host
#@ ip_sourcerange = data.values.ip_sourcerange
#@ enable_http_auth = len(data.values.http_auth.strip()) > 0
#@ http_auth = data.values.http_auth_var
#@ enable_oauth2 = data.values.oauth2 == "true"
#@ authorized_group = data.values.authorized_group
#@ enable_mtls_auth = data.values.enable_mtls_auth == "true"
#@ mtls_authorized_certs = data.values.mtls_authorized_certs
#@ enabled_middlewares = []
#@yaml/text-templated-strings
services:
s3-proxy:
#@ service = "s3-proxy"
labels:
- "backup-volume.stop-during-backup=true"
#! Services must opt-in to be proxied by Traefik:
- "traefik.enable=true"
#! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
#@ router = "{}-{}-{}".format(project,instance,service)
#! The host matching router rule (s3-proxy should only allow GET requests):
- "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`) && Method(`GET`)"
- "traefik.http.routers.(@= router @).entrypoints=websecure"
#@ enabled_middlewares.append("{}-ipallowlist".format(router))
- "traefik.http.middlewares.(@= router @)-ipallowlist.ipallowlist.sourcerange=(@= ip_sourcerange @)"
#@ if enable_http_auth:
#@ enabled_middlewares.append("{}-basicauth".format(router))
- "traefik.http.middlewares.(@= router @)-basicauth.basicauth.users=(@= http_auth @)"
- "traefik.http.middlewares.(@= router @)-basicauth.basicauth.headerField=X-Forwarded-User"
#@ end
#@ if enable_oauth2:
#@ enabled_middlewares.append("traefik-forward-auth@docker")
#@ enabled_middlewares.append("header-authorization-group-{}@file".format(authorized_group))
#@ end
#@ if enable_mtls_auth:
- "traefik.http.routers.(@= router @).tls.options=step_ca_mTLS@file"
#@ if len(mtls_authorized_certs):
- "traefik.http.middlewares.mtlsauth-(@= router @).plugin.certauthz.domains=(@= mtls_authorized_certs @)"
#@ enabled_middlewares.append("mtlsauth-{}".format(router))
#@ end
#@ enabled_middlewares.append("mtls-header@file")
#@ end
#! Apply all middlewares (do this at the end!)
- "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"