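# Compose stack for the blog application: an nginx reverse proxy in front of the
# frontend, two backend services (blog-service, file-service), Keycloak for
# authentication and MySQL for persistence. Only nginx is attached to
# public-subnet; every other service is reachable solely through the internal
# networks declared at the bottom of this file.
#
# `${VAR:?required}` makes `docker compose` abort with an error when VAR is unset
# or empty, instead of silently starting with blank credentials or paths.
services:
  nginx:
    image: nginx:1.27.1-alpine
    restart: always
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    # user: 1000:1000
    volumes:
      # nginx only reads its config and certificates, so both are mounted read-only.
      - ./frontend/reverse-proxy/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./frontend/reverse-proxy/certs:/etc/nginx/certs:ro  # self signed certs
    depends_on:
      frontend:
        condition: service_started
    security_opt:
      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.25'
          memory: 128M
    networks:
      - public-subnet
      - private-subnet

  frontend:
    build: ./frontend/clientapp/
    read_only: true
    restart: always
    container_name: frontend
    # ports:
    #   - "3000:3000"
    user: 1000:1000
    depends_on:
      blog-service:
        condition: service_started
      file-service:
        condition: service_started
    security_opt:
      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
    networks:
      - private-subnet

  file-service:
    build: ./backend/filestorage-service/
    restart: always
    container_name: file-service
    # ports:
    #   - "8000:8000"
    # user: 1000:1000  # already created non-root user on dockerfile (fastapi)
    environment:
      FILE_STORAGE_STATIC_FOLDER: ${FILE_STORAGE_STATIC_FOLDER:?required}
      FRONTEND_URL: ${FRONTEND_URL:?required}
    volumes:
      # Uploaded images live on the host; the container path is the same folder
      # the service is told to serve from.
      - ./backend/filestorage-service/images:${FILE_STORAGE_STATIC_FOLDER:?required}
    depends_on:
      keycloak:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
    networks:
      - private-subnet

  blog-service:
    build: ./backend/blog-service/
    restart: always
    container_name: blog-service
    # ports:
    #   - "8083:8083"
    # user: 1000:1000  # already on Dockerfile from Spring DOC
    environment:
      MYSQL_HOST: "mysql_svr"
      MYSQL_BLOG_SERVICE_PASSWORD: ${MYSQL_BLOG_SERVICE_PASSWORD:?required}
      MYSQL_BLOG_SERVICE_USER: ${MYSQL_BLOG_SERVICE_USER:?required}
      KEYCLOAK_BLOG_REALM_ID: ${KEYCLOAK_BLOG_REALM_ID:?required}
      KEYCLOAK_BLOG_CLIENT_ID: ${KEYCLOAK_BLOG_CLIENT_ID:?required}
      KEYCLOAK_BLOG_CLIENT_SECRET: ${KEYCLOAK_BLOG_CLIENT_SECRET:?required}
      KEYCLOAK_HOSTNAME: ${KEYCLOAK_HOSTNAME:?required}
      KEYCLOAK_PORT: ${KEYCLOAK_HTTP_PORT:?required}
      KEYCLOAK_PROTOCOL: ${KEYCLOAK_PROTOCOL:?required}
      FRONTEND_URL: ${FRONTEND_URL:?required}
    depends_on:
      keycloak:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
    networks:
      - private-subnet
      - data-subnet

  keycloak:
    # TODO(review): pin to a specific release like the nginx image; `latest` makes
    # the build non-reproducible and can pull breaking changes on every restart.
    image: quay.io/keycloak/keycloak:latest
    restart: always
    container_name: ${KEYCLOAK_HOSTNAME:?required}
    # `--proxy-headers forwarded` makes Keycloak trust the Forwarded header from
    # whoever connects to it. That is acceptable only because this service is
    # not on public-subnet: only in-stack containers (nginx) can reach it.
    command: start --proxy-headers forwarded --import-realm
    # ports:
    #   - "${KEYCLOAK_HTTP_PORT}:${KEYCLOAK_HTTP_PORT}"
    user: 1000:1000  # default 1000 user, 0 group
    environment:
      KC_HTTP_PORT: ${KEYCLOAK_HTTP_PORT:?required}
      KC_DB: mysql
      KC_DB_URL_HOST: mysql_svr
      KC_DB_URL_DATABASE: ${KEYCLOAK_DATABASE:?required}
      KC_DB_PASSWORD: ${KEYCLOAK_MYSQL_PASSWORD:?required}
      KC_DB_USERNAME: ${KEYCLOAK_MYSQL_USER:?required}
      # NOTE(review): newer Keycloak releases call these KC_BOOTSTRAP_ADMIN_USERNAME /
      # KC_BOOTSTRAP_ADMIN_PASSWORD; the old names are still honoured but deprecated.
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:?required}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?required}
      # Exposes /health/* on the management interface; the healthcheck below
      # returns 404 without it.
      KC_HEALTH_ENABLED: "true"
      # Reverse-proxy setup: TLS is terminated by nginx and Keycloak is reached
      # over plain HTTP on the internal network, so hostname checks are relaxed
      # and HTTP is enabled. With KC_HOSTNAME_STRICT off, Keycloak derives its
      # public URLs from the incoming request headers; consider setting
      # KC_HOSTNAME explicitly for a production deployment.
      # Boolean-looking values are quoted so the YAML parser hands them to the
      # container as the strings Keycloak expects.
      KC_HOSTNAME_STRICT: "false"
      # NOTE(review): hostname-strict-https was dropped with Keycloak's hostname
      # v2 options; on the `latest` tag this key is probably ignored — confirm.
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HTTP_ENABLED: "true"
      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/certs/keycloak.key.pem
      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/certs/keycloak.crt.pem
    depends_on:
      mysql_svr:
        condition: service_healthy
    volumes:
      # Certificates and realm export are only read at startup; keep the private
      # key out of version control.
      - ./backend/auth-service/certs/:/opt/keycloak/certs/:ro
      - ./backend/auth-service/realm-data:/opt/keycloak/data/import:ro
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 2048M
        reservations:
          cpus: '0.5'
          memory: 512M
    healthcheck:
      # Pure-bash probe (the image ships no curl/wget): open a TCP connection to
      # the management port (9000 is Keycloak's default), request the readiness
      # endpoint and require an HTTP 200 on the status line. The previous form
      # only checked that the request could be written, so any open port passed.
      # `$$` escapes compose interpolation so the shell sees `$code`.
      test:
        - CMD-SHELL
        - >-
          exec 3<>/dev/tcp/127.0.0.1/9000 &&
          printf 'GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n' >&3 &&
          read -r -u 3 proto code rest &&
          [ "$$code" = 200 ]
      interval: 30s
      timeout: 10s
      retries: 5
    security_opt:
      - no-new-privileges:true
    networks:
      - private-subnet
      - data-subnet

  mysql_svr:
    # TODO(review): pin to a specific release like the nginx image.
    image: mysql:latest
    restart: always
    container_name: mysql_svr
    # ports:
    #   - "3306:3306"
    environment:
      # Application and Keycloak users are presumably created by the scripts in
      # initdb below — verify they are, since only the root password is set here.
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:?required}
    volumes:
      - ./backend/mysql/db:/var/lib/mysql
      # Init scripts are only executed on first start; nothing writes to them.
      - ./backend/mysql/initdb:/docker-entrypoint-initdb.d:ro
    healthcheck:
      # `mysqladmin ping` exits 0 whenever the server answers, even when the
      # credentials are rejected, so no user/password is needed here. This keeps
      # database credentials out of the container's inspectable config (the
      # previous form interpolated them into the command at compose time).
      # Probing 127.0.0.1 over TCP rather than the socket ensures the
      # temporary, networking-disabled server the entrypoint runs while
      # initialising the data directory does not count as ready.
      test: ["CMD", "mysqladmin", "ping", "-h", "127.0.0.1"]
      start_period: 5s
      interval: 5s
      timeout: 5s
      retries: 5
    security_opt:
      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 2048M
        reservations:
          cpus: '0.5'
          memory: 1024M
    networks:
      - data-subnet

networks:
  public-subnet:
    driver: bridge
  private-subnet:
    driver: bridge
  data-subnet:
    driver: bridge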