Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OPSEXP-2411: switch docker compose proxy to traefik #1194

Merged
merged 27 commits into from
Oct 1, 2024
Merged
Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
14428cd
replace nginx image by traefik
alxgomz Sep 19, 2024
dbdfa8e
add alfresco router
alxgomz Sep 19, 2024
87fc792
add share router
alxgomz Sep 19, 2024
8253b70
add share CSRF config
alxgomz Sep 19, 2024
8f8482d
add adf apps routers
alxgomz Sep 19, 2024
abc78b5
add docker socket to traefik container
alxgomz Sep 19, 2024
bb7bb54
fix acc router
alxgomz Sep 19, 2024
4f7d807
secure solr api (older acs)
alxgomz Sep 20, 2024
f0cbcf6
filter prometheus by client IP (default localhost only)
alxgomz Sep 20, 2024
b98e998
replicate traefik changes to 7.4 docker compose file
alxgomz Sep 23, 2024
ec6015d
replicate traefik changes to 7.3 docker compose file
alxgomz Sep 23, 2024
008fc6e
replicate traefik changes to 7.2 docker compose file
alxgomz Sep 23, 2024
834a2f8
replicate traefik changes to 7.1 docker compose file
alxgomz Sep 23, 2024
38912d0
fix function name in in prometheus router
alxgomz Sep 23, 2024
74470b4
fix AOS requests routing
alxgomz Sep 23, 2024
35adab1
fix share proxied url regex
alxgomz Sep 23, 2024
6c76ef5
update postman tests to accept traefik behaviour (no 403)
alxgomz Sep 23, 2024
f90745e
propagate fixes (prometheus,proxied urls & aos routing) to other comp…
alxgomz Sep 23, 2024
6868311
fixup
alxgomz Sep 23, 2024
0557102
add syncservice configuration
alxgomz Sep 23, 2024
8a10288
reorder labels top allow disabling exposing containers by default
alxgomz Sep 23, 2024
865b895
apply traefik config to community compose
alxgomz Sep 25, 2024
2b67244
fix adf rediction issues and bad share middleware
alxgomz Sep 27, 2024
65e071d
propagate fixes to other compose files
alxgomz Sep 27, 2024
730d75a
update doc
alxgomz Sep 27, 2024
2028a31
Looks like Docker Toolbox is no more
alxgomz Sep 27, 2024
71303bd
KEDA retired /latest path from their doc
alxgomz Sep 27, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 46 additions & 8 deletions docker-compose/7.1.N-docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,16 @@
-XX:MinRAMPercentage=50
-XX:MaxRAMPercentage=80
-XX:MaxRAM=1900m
labels:
- "traefik.enable=true"
- "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
- "traefik.http.services.alfresco.loadbalancer.server.port=8080"
- "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
- "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
- "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
- "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
alxgomz marked this conversation as resolved.
Show resolved Hide resolved
- "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
transform-router:
mem_limit: 512m
image: quay.io/alfresco/alfresco-transform-router:2.1.2
Expand Down Expand Up @@ -108,6 +118,8 @@
image: quay.io/alfresco/alfresco-share:7.1.1.10
mem_limit: 1g
environment:
CSRF_FILTER_ORIGIN: http://localhost:8080
CSRF_FILTER_REFERER: http://localhost:8080/share/.*
REPO_HOST: "alfresco"
REPO_PORT: "8080"
JAVA_OPTS: >-
Expand All @@ -118,6 +130,13 @@
-Dalfresco.port=8080
-Dalfresco.context=alfresco
-Dalfresco.protocol=http
labels:
- "traefik.enable=true"
- "traefik.http.routers.share.rule=PathPrefix(`/share`)"
- "traefik.http.services.share.loadbalancer.server.port=8080"
- "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/.*$`)"
- "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
- "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
postgres:
image: postgres:13.3
mem_limit: 512m
Expand Down Expand Up @@ -159,18 +178,30 @@
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s"
labels:
- "traefik.enable=true"
- "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
- "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
- "traefik.http.routers.adw.middlewares=adwchain@docker"
proxy:
image: alfresco/alfresco-acs-nginx:3.2.0
image: traefik:v3.1.3
mem_limit: 128m
depends_on:
- alfresco
- digital-workspace
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:8080"
- "--entryPoints.traefik.address=:8888"
- "--accesslog=true"
- "--providers.docker.exposedByDefault=false"
ports:
- "8080:8080"
links:
- digital-workspace
- alfresco
- share
- "8888:8888"
privileged: true
Dismissed Show dismissed Hide dismissed
volumes:
- /var/run/docker.sock:/var/run/docker.sock

Check warning on line 204 in docker-compose/7.1.N-docker-compose.yml

View workflow job for this annotation

GitHub Actions / kics

[HIGH] Docker Socket Mounted In Container

Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.
Dismissed Show dismissed Hide dismissed
Dismissed Show dismissed Hide dismissed
sync-service:
image: quay.io/alfresco/service-sync:3.11.3
mem_limit: 1g
Expand All @@ -189,6 +220,13 @@
-XX:MaxRAM=1g
ports:
- "9090:9090"
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)"
- "traefik.http.services.sync-service.loadbalancer.server.port=9090"
- "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)"
- "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1"
- "traefik.http.routers.syncservice.middlewares=syncservice@docker"
volumes:
shared-file-store-volume:
driver_opts:
Expand Down
65 changes: 55 additions & 10 deletions docker-compose/7.2.N-docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,16 @@
-XX:MinRAMPercentage=50
-XX:MaxRAMPercentage=80
-XX:MaxRAM=1900m
labels:
- "traefik.enable=true"
- "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
- "traefik.http.services.alfresco.loadbalancer.server.port=8080"
- "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
- "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
- "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
- "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
- "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
transform-router:
mem_limit: 512m
image: quay.io/alfresco/alfresco-transform-router:2.1.2
Expand Down Expand Up @@ -109,6 +119,8 @@
image: quay.io/alfresco/alfresco-share:7.2.2.4
mem_limit: 1g
environment:
CSRF_FILTER_ORIGIN: http://localhost:8080
CSRF_FILTER_REFERER: http://localhost:8080/share/.*
REPO_HOST: "alfresco"
REPO_PORT: "8080"
JAVA_OPTS: >-
Expand All @@ -119,6 +131,13 @@
-Dalfresco.port=8080
-Dalfresco.context=alfresco
-Dalfresco.protocol=http
labels:
- "traefik.enable=true"
- "traefik.http.routers.share.rule=PathPrefix(`/share`)"
- "traefik.http.services.share.loadbalancer.server.port=8080"
- "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
- "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
- "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
postgres:
image: postgres:13.3
mem_limit: 512m
Expand Down Expand Up @@ -163,27 +182,46 @@
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s"
labels:
- "traefik.enable=true"
- "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
- "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
- "traefik.http.routers.adw.middlewares=adwchain@docker"
control-center:
image: quay.io/alfresco/alfresco-control-center:7.9.0
mem_limit: 128m
environment:
APP_CONFIG_PROVIDER: "ECM"
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
labels:
- "traefik.enable=true"
- "traefik.http.routers.acc.rule=PathPrefix(`/admin`)"
- "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin"
- "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$"
- "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
- "traefik.http.routers.acc.middlewares=accchain@docker"
proxy:
image: alfresco/alfresco-acs-nginx:3.3.0
image: traefik:v3.1.3
mem_limit: 128m
depends_on:
- alfresco
- digital-workspace
- control-center
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:8080"
- "--entryPoints.traefik.address=:8888"
- "--accesslog=true"
- "--providers.docker.exposedByDefault=false"
ports:
- "8080:8080"
links:
- digital-workspace
- alfresco
- share
- control-center
- "8888:8888"
privileged: true

Check warning on line 222 in docker-compose/7.2.N-docker-compose.yml

View workflow job for this annotation

GitHub Actions / kics

[HIGH] Privileged Containers Enabled

Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.
Dismissed Show dismissed Hide dismissed
volumes:
- /var/run/docker.sock:/var/run/docker.sock

Check warning on line 224 in docker-compose/7.2.N-docker-compose.yml

View workflow job for this annotation

GitHub Actions / kics

[HIGH] Docker Socket Mounted In Container

Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.
Dismissed Show dismissed Hide dismissed

Check failure

Code scanning / KICS

Volume Has Sensitive Host Directory Error

There is a sensitive directory (/var/run/docker.sock) mounted as a volume
sync-service:
image: quay.io/alfresco/service-sync:3.11.3
mem_limit: 1g
Expand All @@ -202,6 +240,13 @@
-XX:MaxRAM=1g
ports:
- "9090:9090"
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)"
- "traefik.http.services.sync-service.loadbalancer.server.port=9090"
- "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)"
- "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1"
- "traefik.http.routers.syncservice.middlewares=syncservice@docker"
volumes:
shared-file-store-volume:
driver_opts:
Expand Down
68 changes: 56 additions & 12 deletions docker-compose/7.3.N-docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,16 @@
-Ddsync.service.uris=http://localhost:9090/alfresco
-XX:MinRAMPercentage=50
-XX:MaxRAMPercentage=80
labels:
- "traefik.enable=true"
- "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
- "traefik.http.services.alfresco.loadbalancer.server.port=8080"
- "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
- "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
- "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
- "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
- "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
transform-router:
mem_limit: 512m
image: quay.io/alfresco/alfresco-transform-router:2.1.2
Expand All @@ -69,7 +79,7 @@
http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file
ports:
- "8095:8095"
links:
depends_on:
- activemq
transform-core-aio:
image: alfresco/alfresco-transform-core-aio:3.1.2
Expand All @@ -83,7 +93,7 @@
http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file
ports:
- "8090:8090"
links:
depends_on:
- activemq
shared-file-store:
image: quay.io/alfresco/alfresco-shared-file-store:2.1.2
Expand All @@ -102,6 +112,8 @@
image: quay.io/alfresco/alfresco-share:7.3.2.1
mem_limit: 1g
environment:
CSRF_FILTER_ORIGIN: http://localhost:8080
CSRF_FILTER_REFERER: http://localhost:8080/share/.*
REPO_HOST: "alfresco"
REPO_PORT: "8080"
JAVA_OPTS: >-
Expand All @@ -111,6 +123,13 @@
-Dalfresco.port=8080
-Dalfresco.context=alfresco
-Dalfresco.protocol=http
labels:
- "traefik.enable=true"
- "traefik.http.routers.share.rule=PathPrefix(`/share`)"
- "traefik.http.services.share.loadbalancer.server.port=8080"
- "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
- "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
- "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
postgres:
image: postgres:14.4
mem_limit: 512m
Expand Down Expand Up @@ -155,27 +174,45 @@
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s"
labels:
- "traefik.enable=true"
- "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
- "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
- "traefik.http.routers.adw.middlewares=adwchain@docker"
control-center:
image: quay.io/alfresco/alfresco-control-center:7.9.0
mem_limit: 128m
environment:
APP_CONFIG_PROVIDER: "ECM"
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
labels:
- "traefik.enable=true"
- "traefik.http.routers.acc.rule=PathPrefix(`/admin`)"
- "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin"
- "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$"
- "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
- "traefik.http.routers.acc.middlewares=accchain@docker"
proxy:
image: alfresco/alfresco-acs-nginx:3.4.2
image: traefik:v3.1.3
mem_limit: 128m
depends_on:
- alfresco
- digital-workspace
- control-center
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:8080"
- "--entryPoints.traefik.address=:8888"
- "--accesslog=true"
- "--providers.docker.exposedByDefault=false"
ports:
- "8080:8080"
links:
- digital-workspace
- alfresco
- share
- control-center
- "8888:8888"
privileged: true

Check warning on line 213 in docker-compose/7.3.N-docker-compose.yml

View workflow job for this annotation

GitHub Actions / kics

[HIGH] Privileged Containers Enabled

Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.

Check failure

Code scanning / KICS

Privileged Containers Enabled Error

Docker compose file has 'privileged' attribute as true
volumes:
- /var/run/docker.sock:/var/run/docker.sock

Check warning on line 215 in docker-compose/7.3.N-docker-compose.yml

View workflow job for this annotation

GitHub Actions / kics

[HIGH] Docker Socket Mounted In Container

Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.

Check failure

Code scanning / KICS

Docker Socket Mounted In Container Error

There is a docker socket named 'docker.sock' mounted in a volume

Check failure

Code scanning / KICS

Volume Has Sensitive Host Directory Error

There is a sensitive directory (/var/run/docker.sock) mounted as a volume
sync-service:
image: quay.io/alfresco/service-sync:3.11.3
mem_limit: 1g
Expand All @@ -193,6 +230,13 @@
-XX:MaxRAMPercentage=80
ports:
- "9090:9090"
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)"
- "traefik.http.services.sync-service.loadbalancer.server.port=9090"
- "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)"
- "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1"
- "traefik.http.routers.syncservice.middlewares=syncservice@docker"
volumes:
shared-file-store-volume:
driver_opts:
Expand Down
Loading