################################################################################
# Production docker-compose.yml, not meant for local development
#
# This docker-compose file is meant to be used to override settings in the
# docker/docker-compose.yml base specification. Use one of config/env.staging or
# config/env.production (or an env file based on these) to run everything:
#
# $ docker-compose --env-file env.production up -d
#
# See https://docs.docker.com/compose/production/
################################################################################
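version: '3'
services:
  ##############################################################################
  # Telescope 1.0: Front-end and Legacy (pre-microservices) Back-end
  ##############################################################################
  telescope:
    build:
      context: ..
      dockerfile: Dockerfile
      # next.js needs build-time access to a number of API URL values, forward as ARGs.
      # Build ARGs end up in the image metadata/layers, so only public URLs belong
      # here — never credentials.
      args:
        # Web front-end URL
        - WEB_URL=${WEB_URL}
        # Telescope 1.0 API URL
        - API_URL=${API_URL}
        # Telescope 2.0 Microservice URLs
        - IMAGE_URL=${IMAGE_URL}
        - SSO_URL=${SSO_URL}
        - POSTS_URL=${POSTS_URL}
        - SEARCH_URL=${SEARCH_URL}
        - FEED_DISCOVERY_URL=${FEED_DISCOVERY_URL}
    container_name: 'telescope'
    restart: unless-stopped
    environment:
      # a place-holder for the variable passed by CLI with a default value
      # the passed or default value is a command to run `telescope`
      - script=${script:-start}
      # override the .env variable for `REDIS_URL`
      - REDIS_URL=redis://redis:6379
      # variables for elasticsearch
      - ES_HOST=elasticsearch
      - ELASTIC_PORT=9200
      - ELASTIC_URL=http://elasticsearch
      # Environment values we expect from our legacy .env file.
      # A bare name (no `=value`) is passed through from the shell / --env-file
      # environment; the SSO_*, SLO_* and SAML_* entries carry the IdP trust
      # configuration, so that env file must be treated as sensitive.
      - NODE_ENV=production
      - PORT
      - POSTS_URL
      - API_URL
      - SSO_URL
      - WEB_URL
      - SEARCH_URL
      - FEED_DISCOVERY_URL
      - LOG_LEVEL
      - FEED_URL
      - FEED_URL_INTERVAL_MS
      - ELASTIC_MAX_RESULTS_PER_PAGE
      - ELASTIC_DELAY_MS
      - SSO_LOGIN_URL
      - SSO_LOGIN_CALLBACK_URL
      - SLO_LOGOUT_URL
      - SLO_LOGOUT_CALLBACK_URL
      - SSO_IDP_PUBLIC_KEY_CERT
      - SAML_ENTITY_ID
      - ADMINISTRATORS
      - FEED_PROCESSING_DELAY_SEC
      - FEED_QUEUE_ATTEMPTS
      - FEED_QUEUE_DELAY_MS
      - FEED_QUEUE_PARALLEL_WORKERS
      - MAX_POSTS_PER_PAGE
      - GIT_COMMIT
    depends_on:
      - redis
      - elasticsearch

  ##############################################################################
  # Telescope 2.0 Microservices
  #
  # All images come from docker.cdot.systems and are selected by
  # DOCKER_DEPLOY_TAG. When that variable is unset the tag falls back to
  # `latest`, which is a floating tag: set DOCKER_DEPLOY_TAG to a specific
  # build tag in the env file so production deploys are reproducible.
  ##############################################################################
  # status service
  status:
    image: docker.cdot.systems/status:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped
    environment:
      - POSTS_URL

  # image service
  image:
    image: docker.cdot.systems/image:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped

  # sso auth service
  sso:
    image: docker.cdot.systems/sso:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped

  # posts service
  posts:
    image: docker.cdot.systems/posts:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped

  # parser service
  parser:
    image: docker.cdot.systems/parser:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped

  # planet service
  planet:
    image: docker.cdot.systems/planet:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped

  # search service
  search:
    image: docker.cdot.systems/search:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped
    environment:
      - ELASTIC_URL=http://elasticsearch
      - ELASTIC_PORT=9200

  dependency-discovery:
    image: docker.cdot.systems/dependency-discovery:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped

  feed-discovery:
    image: docker.cdot.systems/feed-discovery:${DOCKER_DEPLOY_TAG:-latest}
    restart: unless-stopped

  ##############################################################################
  # Third-Party Dependencies and Support Services
  ##############################################################################
  # Our main ingress router, handling all traffic on 80/443
  nginx:
    image: docker.cdot.systems/nginx:${DOCKER_DEPLOY_TAG:-latest}
    volumes:
      # Pass a templated version of our nginx.conf so the Telescope domains are replaced
      - ../config/nginx.conf.template:/etc/nginx/nginx.conf.template
      # certbot's config directory (shared with the certbot service below); it
      # holds the TLS private keys, so keep the host path permissions tight.
      - ../../certbot/conf:/etc/letsencrypt
      - ../../certbot/www:/var/www/certbot
    # Port mappings are quoted so YAML never reinterprets `host:container`
    # pairs as numbers (Compose convention). nginx is the only service in this
    # file that publishes ports.
    ports:
      - '80:80'
      - '443:443'
    restart: unless-stopped
    depends_on:
      - telescope
    # This makes nginx swap only the specified environment variables in our template (see:
    # https://github.com/docker-library/docs/issues/496) and then reload this configuration
    # (and the associated certificates) every six hours in the background and launches nginx
    # in the foreground.
    command: /bin/sh -c "envsubst '$$TELESCOPE_HOST $$API_HOST $$PORTAINER_HOST' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g 'daemon off;'"

  # API Gateway running on 8888. We use nginx in front of this for secure/compressed/cached responses
  traefik:
    restart: unless-stopped
    command:
      # Keep the Traefik API/dashboard off the insecure entrypoint in production.
      - '--api.insecure=false'
      - '--providers.docker=true'
      # Containers are only routed when they opt in with a traefik.enable label,
      # so nothing is exposed through the gateway by accident.
      - '--providers.docker.exposedbydefault=false'
      - '--entryPoints.web.address=:8888'

  # SSL certificate management for nginx
  certbot:
    # No tag is given, so this resolves to `latest`; pin a release tag
    # (e.g. certbot/certbot:<version>) for reproducible deploys.
    image: certbot/certbot
    container_name: 'certbot'
    volumes:
      - ../../certbot/conf:/etc/letsencrypt
      - ../../certbot/www:/var/www/certbot
    # NOTE(review): `always` differs from the `unless-stopped` used elsewhere —
    # a manually stopped certbot container will come back after a daemon
    # restart. Confirm this is intended.
    restart: always
    # This will check if your certificate is up for renewal every 12 hours as recommended by Let’s Encrypt
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

  redis:
    restart: unless-stopped
    volumes:
      # TODO: confirm this path...
      - ../../redis-data:/data

  elasticsearch:
    restart: unless-stopped
    volumes:
      # The directory in the host where the data from elasticsearch will be stored
      # needs to be owned by 1000:1000
      # https://discuss.elastic.co/t/elastic-elasticsearch-docker-not-assigning-permissions-to-data-directory-on-run/65812/3
      # TODO: confirm this path...
      - ../../elastic-data:/usr/share/elasticsearch/data:rw
    labels:
      # Disable Elasticsearch routing via Traefik in production (we enable it in development)
      - 'traefik.enable=false'
    environment:
      # Prefer memory to swap (faster); requires the memlock ulimit below
      - bootstrap.memory_lock=true
      # Limit the initial heap size. By default it will use 1/4 of available RAM
      - 'ES_JAVA_OPTS=-Xms512m -Xmx512m'
      # We only run a single node
      - discovery.type=single-node
    ulimits:
      memlock:
        soft: -1
        hard: -1

  rss-bridge:
    restart: unless-stopped

  # Portainer's routing is managed in our nginx.conf
  portainer:
    # `alpine` is a floating tag; pin to a release (portainer-ce:<version>-alpine)
    # so upgrades are deliberate.
    image: portainer/portainer-ce:alpine
    container_name: 'portainer'
    # The admin password hash is read from a file bind-mounted below rather than
    # passed on the command line, so it does not appear in `docker inspect`.
    command: -H unix:///var/run/docker.sock --admin-password-file '/data/portainer'
    restart: unless-stopped
    volumes:
      # Mounting the Docker socket gives this container control equivalent to
      # root on the host; it is required for Portainer to manage containers,
      # so keep Portainer reachable only through the nginx route and keep its
      # admin credentials strong.
      - /var/run/docker.sock:/var/run/docker.sock
      - ../../portainer:/data
      # Password-hash file; this path is already inside the /data mount above,
      # the explicit mapping just makes the dependency visible.
      - ../../portainer/portainer:/data/portainer
    depends_on:
      - nginx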