-
Notifications
You must be signed in to change notification settings - Fork 32
Expand file tree
/
Copy pathdocker-compose.yaml
More file actions
209 lines (203 loc) · 7.58 KB
/
Copy pathdocker-compose.yaml
File metadata and controls
209 lines (203 loc) · 7.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
networks:
default:
name: opentdf_platform
services:
keycloak:
volumes:
- keycloak_data:/opt/keycloak/data
- ${KEYS_DIR:-./keys}/localhost.crt:/etc/x509/tls/localhost.crt
- ${KEYS_DIR:-./keys}/localhost.key:/etc/x509/tls/localhost.key
- ${KEYS_DIR:-./keys}/ca.jks:/truststore/truststore.jks
image: keycloak/keycloak:25.0
restart: always
command:
- "start-dev"
- "--verbose"
- "-Djavax.net.ssl.trustStorePassword=password"
- "-Djavax.net.ssl.HostnameVerifier=AllowAll"
- "-Djavax.net.ssl.trustStore=/truststore/truststore.jks"
- "--spi-truststore-file-hostname-verification-policy=ANY"
environment:
KC_PROXY: edge
KC_HTTP_RELATIVE_PATH: /auth
KC_HOSTNAME_STRICT: "false"
KC_HOSTNAME_STRICT_BACKCHANNEL: "false"
KC_HOSTNAME_STRICT_HTTPS: "false"
KC_HTTP_ENABLED: "true"
KC_HTTP_PORT: "8888"
KC_HTTPS_PORT: "8443"
KC_HTTP_MANAGEMENT_PORT: "9001"
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: changeme
#KC_HOSTNAME_URL: http://localhost:8888/auth
KC_FEATURES: "preview,token-exchange"
KC_HEALTH_ENABLED: "true"
KC_HTTPS_KEY_STORE_PASSWORD: "password"
KC_HTTPS_KEY_STORE_FILE: "/truststore/truststore.jks"
KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/tls/localhost.crt"
KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/tls/localhost.key"
KC_HTTPS_CLIENT_AUTH: "request"
###
# The following environment variable resolves SIGILL with Code 134 when running Java processes on Apple M4 chips
#
# On Apple Silicon (M4 chip):
# export JAVA_OPTS_APPEND="-XX:UseSVE=0"
# docker-compose up
#
# On other architectures:
# export JAVA_OPTS_APPEND=""
# docker-compose up
#
# Or set directly: JAVA_OPTS_APPEND="-XX:UseSVE=0" docker-compose up
JAVA_OPTS_APPEND: "${JAVA_OPTS_APPEND:-}"
###
ports:
- "${KC_EXPOSE_PORT:-8443}:8443"
- "${KC_EXPOSE_PORT_HTTP:-8888}:8888"
- "${KC_EXPOSE_PORT_MGMT:-9001}:9001"
healthcheck:
test:
- CMD-SHELL
- |
[ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck {
public static void main(String[] args) throws java.lang.Throwable {
javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance(\"SSL\");
sc.init(null, new javax.net.ssl.TrustManager[]{
new javax.net.ssl.X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
}
}, new java.security.SecureRandom());
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
java.net.HttpURLConnection conn = (java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection();
System.exit(java.net.HttpURLConnection.HTTP_OK == conn.getResponseCode() ? 0 : 1);
}
}" > /tmp/HealthCheck.java && java ${JAVA_OPTS_APPEND} /tmp/HealthCheck.java https://localhost:9001/auth/health/live
timeout: 10s
retries: 3
start_period: 2m
opentdfdb:
image: postgres:15-alpine
restart: always
user: postgres
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: changeme
POSTGRES_DB: opentdf
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 5s
timeout: 5s
retries: 10
ports:
- "${POSTGRES_EXPOSE_PORT:-5432}:5432"
jaeger:
image: jaegertracing/all-in-one:latest
environment:
COLLECTOR_OTLP_ENABLED: "true"
ports:
- "16686:16686" # Web UI
- "4317:4317" # OTLP gRPC
- "4318:4318" # OTLP HTTP
- "14250:14250" # Model/collector gRPC
profiles:
- tracing
restart: always
# Entity Resolution Service Testing Infrastructure
#
# Provides PostgreSQL and OpenLDAP services for comprehensive ERS testing
# Enables full multi-strategy ERS testing with SQL and LDAP providers
#
# Usage:
# docker-compose --profile ers-test up -d # Start ERS test services
# docker-compose --profile ers-admin up -d # Include LDAP admin UI
# ERS_TEST_POSTGRES_URL="postgres://ers_test_user:ers_test_pass@localhost:5433/ers_test?sslmode=disable" \
# ERS_TEST_LDAP_URL="ldap://localhost:1389" \
# go test ./service/entityresolution/integration -run TestMultiStrategy -v
#
# Services:
# - ers-postgres: PostgreSQL 16 on port 5433 with test schema and data
# - ers-ldap: OpenLDAP on port 1389 with organizational test data
# - ers-ldap-admin: phpLDAPadmin on port 6443 (ers-admin profile only)
# PostgreSQL for ERS SQL provider testing
ers-postgres:
image: postgres:16-alpine
container_name: ers_test_postgres
profiles:
- ers-test
- ers-admin
ports:
- "5433:5432" # Different port to avoid conflicts with main opentdfdb
environment:
POSTGRES_DB: ers_test
POSTGRES_USER: ers_test_user
POSTGRES_PASSWORD: ers_test_pass
POSTGRES_INITDB_ARGS: "--encoding=UTF-8"
volumes:
- ers_postgres_data:/var/lib/postgresql/data
- ./service/entityresolution/integration/sql_test_data:/docker-entrypoint-initdb.d
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ers_test_user -d ers_test"]
interval: 5s
timeout: 5s
retries: 5
restart: unless-stopped
# OpenLDAP for ERS LDAP provider testing
ers-ldap:
image: osixia/openldap:1.5.0
container_name: ers_test_openldap
profiles:
- ers-test
- ers-admin
ports:
- "1389:389" # LDAP port (different from standard 389)
- "1636:636" # LDAPS port (different from standard 636)
environment:
LDAP_ORGANISATION: "OpenTDF Test"
LDAP_DOMAIN: "opentdf.test"
LDAP_ADMIN_PASSWORD: "admin_password"
LDAP_CONFIG_PASSWORD: "config_password"
LDAP_READONLY_USER: "true"
LDAP_READONLY_USER_USERNAME: "readonly"
LDAP_READONLY_USER_PASSWORD: "readonly_password"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_ENFORCE: "false"
LDAP_REPLICATION: "false"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
volumes:
- ers_ldap_data:/var/lib/ldap
- ers_ldap_config:/etc/ldap/slapd.d
- ./service/entityresolution/integration/ldap_test_data:/container/service/slapd/assets/config/bootstrap/ldif/custom
healthcheck:
test: ["CMD-SHELL", "ldapsearch -x -H ldap://localhost:389 -b dc=opentdf,dc=test -D cn=admin,dc=opentdf,dc=test -w admin_password '(objectclass=*)' dn"]
interval: 10s
timeout: 5s
retries: 5
restart: unless-stopped
# phpLDAPadmin for LDAP management (admin profile only)
ers-ldap-admin:
image: osixia/phpldapadmin:latest
container_name: ers_ldap_admin
profiles:
- ers-admin # Only available with --profile ers-admin
ports:
- "6443:443"
environment:
PHPLDAPADMIN_LDAP_HOSTS: ers-ldap
PHPLDAPADMIN_HTTPS: "false"
depends_on:
ers-ldap:
condition: service_healthy
volumes:
keycloak_data:
ers_postgres_data:
name: ers_test_postgres_data
ers_ldap_data:
name: ers_test_ldap_data
ers_ldap_config:
name: ers_test_ldap_config