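# Compose stack for the hardened deployment: postgres, inventory, authz, OPA,
# the Envoy edge proxy, the app and the MFA service.
#
# Secret handling: POSTGRES_PASSWORD, AWS_SECRET_ACCESS_KEY, VAULT_TOKEN,
# AZURE_CLIENT_SECRET and the TAILSCALE_* keys are injected as plain
# environment variables, so they are readable via `docker inspect` and by every
# process inside the container. Prefer file-based delivery where a service
# supports it (VAULT_TOKEN_FILE is already wired) or Compose `secrets:`.
version: "3.9"  # ignored (with a warning) by Compose v2; harmless for older clients

services:
  postgres:
    image: postgres:16
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-postgres}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB:-keep}
    ports:
      # Loopback-only publish: inventory reaches postgres by service name on
      # the Compose network, so the host mapping exists for local admin
      # tooling and must not be reachable from other hosts.
      - "127.0.0.1:5432:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data

  inventory:
    build:
      context: .
      dockerfile: services/inventory/Dockerfile
    environment:
      # Secret Management Configuration
      SECRET_MANAGER_TYPE: ${SECRET_MANAGER_TYPE:-env}
      SECRET_MANAGER_REGION: ${SECRET_MANAGER_REGION}
      SECRET_MANAGER_PREFIX: ${SECRET_MANAGER_PREFIX}
      # AWS SSM specific
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      # Vault specific
      VAULT_ADDR: ${VAULT_ADDR}
      VAULT_TOKEN: ${VAULT_TOKEN}
      VAULT_TOKEN_FILE: ${VAULT_TOKEN_FILE}
      VAULT_SECRET_PATH: ${VAULT_SECRET_PATH}
      # Azure specific
      AZURE_KEYVAULT_URL: ${AZURE_KEYVAULT_URL}
      AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
      AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
      AZURE_TENANT_ID: ${AZURE_TENANT_ID}
      # Fallback environment variables (for development)
      POSTGRES_USER: ${POSTGRES_USER:-postgres}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB:-keep}
      # `${VAR:-}` yields an empty string when VAR is unset. Compose copies the
      # default text verbatim, so the earlier `${VAR:-""}` form produced the
      # two-character value `""`, which the service presumably then treated
      # as a file path.
      INVENTORY_TLS_CERT: ${INVENTORY_TLS_CERT:-}
      INVENTORY_TLS_KEY: ${INVENTORY_TLS_KEY:-}
      INVENTORY_CLIENT_CA: ${INVENTORY_CLIENT_CA:-}
      # Quoted to make explicit that the service receives the string
      # "true"/"false", never a YAML boolean.
      INVENTORY_REQUIRE_MTLS: "${INVENTORY_REQUIRE_MTLS:-false}"
    depends_on:
      # Startup ordering only: with no healthcheck on postgres, inventory may
      # come up before the database accepts connections.
      - postgres
    volumes:
      - ./certs:/certs:ro

  opa:
    # TODO(review): pin to a release tag or digest instead of `latest` so the
    # policy engine cannot change underneath a deployment.
    image: openpolicyagent/opa:latest
    command:
      - "run"
      - "--server"
      - "--config-file=/policies/config.yaml"
    volumes:
      # Policies and config are only read from here; mounted read-only to
      # match the ./certs mounts. Drop `:ro` if config.yaml sets a
      # persistence_directory under /policies.
      - ./policies:/policies:ro

  envoy:
    build:
      context: ./envoy
      dockerfile: Dockerfile
    ports:
      - "8080:8080"  # edge listener in front of app/authz
    platform: linux/amd64
    depends_on:
      - authz
      - app

  authz:
    build:
      context: .
      dockerfile: services/authz/Dockerfile
    environment:
      # Secret Management Configuration
      SECRET_MANAGER_TYPE: ${SECRET_MANAGER_TYPE:-env}
      SECRET_MANAGER_REGION: ${SECRET_MANAGER_REGION}
      SECRET_MANAGER_PREFIX: ${SECRET_MANAGER_PREFIX}
      # AWS SSM specific
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      # Vault specific
      VAULT_ADDR: ${VAULT_ADDR}
      VAULT_TOKEN: ${VAULT_TOKEN}
      VAULT_TOKEN_FILE: ${VAULT_TOKEN_FILE}
      VAULT_SECRET_PATH: ${VAULT_SECRET_PATH}
      # Azure specific
      AZURE_KEYVAULT_URL: ${AZURE_KEYVAULT_URL}
      AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
      AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
      AZURE_TENANT_ID: ${AZURE_TENANT_ID}
      # Service configuration. Both hops are plain HTTP on the internal
      # Compose network; confirm the AUTHZ_* client certificate material
      # below is what the inventory hop actually relies on.
      OPA_URL: http://opa:8181
      INVENTORY_API: http://inventory:8080
      # Fallback environment variables (for development)
      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
      # `${VAR:-}` instead of `${VAR:-""}`: Compose keeps the default text
      # verbatim, so the old form set these to the literal string `""`.
      AUTHZ_CLIENT_CERT: ${AUTHZ_CLIENT_CERT:-}
      AUTHZ_CLIENT_KEY: ${AUTHZ_CLIENT_KEY:-}
      AUTHZ_CA_CERT: ${AUTHZ_CA_CERT:-}
      TAILSCALE_AUTH_KEY: ${TAILSCALE_AUTH_KEY:-}
      TAILSCALE_API_KEY: ${TAILSCALE_API_KEY:-}
    depends_on:
      - opa
      - inventory
    volumes:
      - ./certs:/certs:ro

  app:
    build:
      context: .
      dockerfile: app/Dockerfile

  mfa:
    build:
      context: .
      dockerfile: services/mfa/Dockerfile
    environment:
      MFA_LISTEN_ADDR: ":8445"
      MFA_SESSION_TIMEOUT: "5m"
    ports:
      # Published directly rather than through envoy; nothing in this file
      # shows TLS termination for this listener, so confirm the MFA service
      # provides its own.
      - "8445:8445"

volumes:
  postgres-data: {}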