# Compose project name (top-level `name`); also prefixes container/network/volume names.
name: "Stormshield Encryption Platform (exemple)"
# Shared definition for the per-tenant kmaas services, merged into each of
# them with `<<: *kas_common`.  YAML merge keys are shallow: a service that
# declares its own `volumes` or `depends_on` replaces, not extends, what is
# defined here -- only image, environment and profiles are inherited.
x-kas-common: &kas_common
  image: stormshield/kmaas:4.6.0.309  # <-- update with your kmaas image
  environment:
    # Trust the mkcert root CA produced by cert-generator; each service mounts
    # the shared certs_data volume at this path.
    NODE_EXTRA_CA_CERTS: /usr/local/share/ca-certificates/rootCA.pem
  profiles: ["sep"]
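# Shared Keycloak (IdP) definition, merged into alice-company-idp and
# bob-company-idp with `<<: *keycloak`.  YAML merge keys are shallow: a service
# that declares its own `volumes` replaces this whole list.
x-keycloak: &keycloak
  image: quay.io/keycloak/keycloak:26.0
  # start-dev is Keycloak's development mode (no production hardening);
  # --import-realm loads the realm JSON mounted under /opt/keycloak/data/import.
  command: ["start-dev", "--import-realm"]
  environment:
    # Bootstrap admin account.  Both values can be overridden from the host
    # environment or a .env file; the defaults keep this example's original
    # admin/admin behaviour, which is only acceptable in a local sandbox.
    # Keycloak 26 calls these KC_BOOTSTRAP_ADMIN_USERNAME /
    # KC_BOOTSTRAP_ADMIN_PASSWORD; the legacy KEYCLOAK_ADMIN* names still work.
    KEYCLOAK_ADMIN: "${KEYCLOAK_ADMIN:-admin}"
    KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD:-admin}"
    # Quoted so the YAML parser does not turn the value into a boolean;
    # environment values are strings.
    KC_HEALTH_ENABLED: "true"
    # Server certificate issued by cert-generator (mkcert), mounted read-only.
    KC_HTTPS_CERTIFICATE_FILE: /etc/x509/https/sep.pem
    KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/x509/https/sep-key.pem
  volumes:
    - ./idp/realms:/opt/keycloak/data/import:ro
    - certs_data:/etc/x509/https:ro
  depends_on:
    cert-generator:
      condition: service_completed_successfully
  healthcheck:
    # The probe is a throw-away Java program written once to /tmp and run with
    # the JDK single-file source launcher (presumably because the image ships
    # no curl/wget).  It disables both certificate and hostname verification;
    # that is tolerable only because it connects to localhost inside the same
    # container, whose certificate is issued by the local mkcert CA.  Do not
    # reuse this probe for any check that crosses a network boundary.  Port
    # 9000 is Keycloak's management interface, which serves /health once
    # KC_HEALTH_ENABLED is set.
    test:
      - CMD-SHELL
      - >-
        [ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck {
        public static void main(String[] args) throws Exception {
        javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier((s,session)->true);
        javax.net.ssl.SSLContext sc =
        javax.net.ssl.SSLContext.getInstance(\"TLS\"); sc.init(null, new
        javax.net.ssl.TrustManager[]{new
        javax.net.ssl.X509TrustManager(){public
        java.security.cert.X509Certificate[] getAcceptedIssuers(){return
        null;} public void
        checkClientTrusted(java.security.cert.X509Certificate[] c, String a){}
        public void checkServerTrusted(java.security.cert.X509Certificate[] c,
        String a){}}}, new java.security.SecureRandom());
        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        System.exit(java.net.HttpURLConnection.HTTP_OK ==
        ((java.net.HttpURLConnection)new
        java.net.URL(args[0]).openConnection()).getResponseCode() ? 0 :
        1);}}" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java
        https://localhost:9000/health/live
    interval: 5s
    timeout: 5s
    retries: 30
  profiles: ["sep"]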
# Shared OPA (policy decision point) definition, merged into alice-company-pdp
# and bob-company-pdp with `<<: *pdp`.  YAML merge keys are shallow: a service
# that declares its own `volumes` replaces this whole list.
x-pdp: &pdp
  image: openpolicyagent/opa:1.15.2
  command:
    - "run"
    - "--server"
    - "--addr=0.0.0.0:8181"
    # TLS for the REST API, using the certificate issued by cert-generator.
    - "--tls-cert-file=/certs/sep.pem"
    - "--tls-private-key-file=/certs/sep-key.pem"
    # API callers must present a bearer token, and every request is checked by
    # the authorization policy (presumably the one in authz.rego below).
    - "--authentication=token"
    - "--authorization=basic"
    # Policy and data files are loaded from the /policies mount.
    - "/policies/rules"
    - "/policies/auth/authz.rego"
    - "/policies/auth/data"
  depends_on:
    cert-generator:
      condition: service_completed_successfully
  profiles: ["sep"]
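services:
  # Sample client application, in its own profile so it is started after the
  # "sep" stack.  It declares no depends_on on cert-generator, so rootCA.pem
  # must already exist in certs_data when it starts.
  example-base:
    build:
      context: .
      dockerfile: ./examples/base/Dockerfile
    volumes:
      # certs_data also carries the private keys written by cert-generator.
      - certs_data:/usr/local/share/ca-certificates
      - ./examples/base/data:/app/data
    environment:
      NODE_EXTRA_CA_CERTS: /usr/local/share/ca-certificates/rootCA.pem
    container_name: base-examples
    profiles: ["example-base"]

  # One kmaas per tenant.  The `volumes` and `depends_on` declared here replace
  # (not extend) anything in the kas_common anchor; only image, environment and
  # profiles are inherited.
  alice-company-kmaas:
    <<: *kas_common
    container_name: alice-company-kmaas
    volumes:
      - ./kmaas/alice-company:/etc/stormshield/cse
      - certs_data:/usr/local/share/ca-certificates
    depends_on:
      cert-generator:
        condition: service_completed_successfully
      alice-company-idp:
        condition: service_healthy
  bob-company-kmaas:
    <<: *kas_common
    container_name: bob-company-kmaas
    volumes:
      - ./kmaas/bob-company:/etc/stormshield/cse
      - certs_data:/usr/local/share/ca-certificates
    depends_on:
      cert-generator:
        condition: service_completed_successfully
      bob-company-idp:
        condition: service_healthy

  # One Keycloak per tenant.  The explicit `volumes` list overrides the one in
  # the keycloak anchor, so ./idp/realms is not mounted here; each tenant
  # imports only its own realm directory.
  alice-company-idp:
    <<: *keycloak
    volumes:
      - ./idp/alice-company:/opt/keycloak/data/import:ro
      - certs_data:/etc/x509/https:ro
  bob-company-idp:
    <<: *keycloak
    volumes:
      - ./idp/bob-company:/opt/keycloak/data/import:ro
      - certs_data:/etc/x509/https:ro

  # One OPA per tenant.  OPA only reads its TLS material and policy files, so
  # both mounts are read-only.
  alice-company-pdp:
    <<: *pdp
    volumes:
      - certs_data:/certs:ro
      - ./pdp/alice-company:/policies:ro
  bob-company-pdp:
    <<: *pdp
    volumes:
      - certs_data:/certs:ro
      - ./pdp/bob-company:/policies:ro

  # One-shot job that creates a local mkcert CA in /certs (CAROOT) and a single
  # server certificate valid for every service name listed in the command.
  # `chmod -R 644` makes every *.pem in the volume world-readable, including
  # the private keys (and the CA key, if mkcert writes it into CAROOT), and
  # that volume is mounted into every other service.  Tolerable for a
  # throw-away local example only; if nothing needs the CA key, restrict the
  # chmod to the files the services actually read.
  cert-generator:
    # Unpinned image (implicit :latest); pin a tag or digest for reproducible
    # runs.
    image: alpine/mkcert
    container_name: cert-generator
    entrypoint: ["sh", "-c"]
    environment:
      CAROOT: /certs
    # Compose splits a string command shell-style, so the surrounding quotes
    # keep the whole pipeline as one argument to `sh -c`.
    command: >
      "mkcert -cert-file /certs/sep.pem -key-file /certs/sep-key.pem localhost
      bob-company-idp alice-company-idp bob-company-pdp alice-company-pdp
      bob-company-kmaas alice-company-kmaas && chmod -R 644 /certs/*.pem"
    volumes:
      - certs_data:/certs
    restart: "no"
    profiles: ["sep"]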
volumes:
  # Populated by cert-generator (rootCA.pem, sep.pem, sep-key.pem, and
  # presumably the CA private key under CAROOT) and mounted into every
  # service; treat its contents as secret material.
  certs_data: