Add a fedwiki-render compose service and render.sh to resolve real Keycloak user UUIDs and render .tpl templates into testdata on compose up. Convert hardcoded FedWiki testdata into templates, add seed-stack.sh helper, and update compose/env and .gitignore to run seeding before starting fedwiki.
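---
# Docker Compose file for testing Keycloak, Temporal, and Fedwiki integration
#
# Remember, this is for testing purposes only and not for production use:
# every credential below (admin/admin, member_console, temporal, the
# temporal-ui client secret) is a well-known placeholder, Keycloak runs in
# start-dev mode with hostname strictness off, and all IdP/JWKS traffic is
# plaintext HTTP inside the compose network.
#
# Host port publishing: every published port binds to ${BIND_ADDR}, which
# defaults to 127.0.0.1 so the unauthenticated Valkey, the weak-password
# Postgres instances and the admin/admin Keycloak are not reachable from other
# hosts by default. Set BIND_ADDR=0.0.0.0 (e.g. in .env) when the stack must be
# reached from a remote browser or another machine.
#
# Startup order (enforced with depends_on conditions):
#   keycloak (healthy) -> keycloak-seed -> fedwiki-render -> fedwiki
#   fedwiki-init ------------------------^
#   temporal-db -> temporal -> temporal-seed / temporal-admin-tools / temporal-ui

services:
  # Session Store (no authentication configured; keep it off public interfaces)
  valkey:
    image: valkey/valkey:8.1
    ports:
      - "${BIND_ADDR:-127.0.0.1}:${VALKEY_PORT:-6379}:6379"

  # Member Console DB
  postgres:
    image: postgres:18.1
    environment:
      # Test-only credentials; the database is also published on the host.
      - POSTGRES_USER=member_console
      - POSTGRES_PASSWORD=member_console
      - POSTGRES_DB=member_console
    volumes:
      # Mount point is the 18.x image's data volume, /var/lib/postgresql
      # (older images used /var/lib/postgresql/data).
      - ./testdata/postgres:/var/lib/postgresql
    ports:
      - "${BIND_ADDR:-127.0.0.1}:${POSTGRES_PORT:-5432}:5432"

  # Identity Provider
  keycloak:
    image: quay.io/keycloak/keycloak:26.4.7
    # start-dev: no TLS, no production hostname checks. Never use for real users.
    command: start-dev
    environment:
      # Bootstrap admin is admin/admin; keycloak-seed and fedwiki-render use it too.
      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
      - KC_BOOTSTRAP_ADMIN_PASSWORD=admin
      # Exposes /health/* on the management port 9000 (not published to the host).
      - KC_HEALTH_ENABLED=true
      - KC_HOSTNAME=${KC_HOSTNAME:-keycloak.localhost}
      # Relaxed so the realm can be reached as "keycloak" (from containers) and
      # as keycloak.localhost (from the browser). Hostname strictness is a
      # token/redirect-binding control; keep it on outside test setups.
      - KC_HOSTNAME_STRICT=false
    healthcheck:
      # Raw HTTP over /dev/tcp so the probe does not depend on curl/wget being
      # present in the image. Probes the management port, not the public one.
      test:
        - "CMD-SHELL"
        - |
          exec 3<>/dev/tcp/127.0.0.1/9000;
          echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost:9000\r\nConnection: close\r\n\r\n" >&3;
          if cat <&3 | grep -q "\"status\": \"UP\""; then
            exit 0
          else
            exit 1
          fi
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      default:
        aliases:
          # Lets containers resolve the browser-facing hostname to this service,
          # so issuer URLs match between browser redirects and backend validation.
          - ${KC_HOSTNAME:-keycloak.localhost}
    ports:
      - "${BIND_ADDR:-127.0.0.1}:${KEYCLOAK_PORT:-8080}:8080"

  # Seed Keycloak with clients, roles, and test users.
  # One-shot: runs once the IdP is healthy and exits.
  keycloak-seed:
    # NOTE(review): unpinned tag; pin to a version (or digest) for reproducible runs.
    image: alpine/curl:latest
    depends_on:
      keycloak:
        condition: service_healthy
    volumes:
      - ./seed/keycloak/seed-keycloak.sh:/seed/seed-keycloak.sh:ro
    environment:
      # Container-to-container URL; credentials must match the bootstrap admin above.
      - KC_URL=http://keycloak:8080
      - KC_ADMIN_USER=admin
      - KC_ADMIN_PASSWORD=admin
      # Presumably consumed by seed-keycloak.sh for client redirect URIs — confirm
      # in the script.
      - MC_BASE_URL=${MC_BASE_URL:-http://localhost:8081}
      - TEMPORAL_UI_URL=${TEMPORAL_UI_URL:-http://localhost:8233}
    # Installs jq/bash from the Alpine repos at start (needs outbound network).
    entrypoint:
      [
        "/bin/sh",
        "-c",
        "apk add --no-cache jq bash >/dev/null 2>&1 && bash /seed/seed-keycloak.sh",
      ]
    networks:
      default:

  # Temporal
  temporal-db:
    image: postgres:18.1
    # Not published to the host; only the temporal service reaches it.
    environment:
      - POSTGRES_USER=temporal
      - POSTGRES_PASSWORD=temporal
      - POSTGRES_DB=temporal
    volumes:
      - ./testdata/temporal:/var/lib/postgresql

  temporal:
    image: temporalio/auto-setup:1.29.1
    depends_on:
      - temporal-db
    command: "autosetup"
    environment:
      # internal-frontend (port 7236) serves in-cluster callers without JWT;
      # it is deliberately NOT published to the host below.
      - SERVICES=frontend:history:matching:worker:internal-frontend
      - DB=postgres12
      - DB_PORT=5432
      - POSTGRES_USER=temporal
      - POSTGRES_PWD=temporal
      - POSTGRES_SEEDS=temporal-db
      # The "default" namespace is created by temporal-seed instead.
      - SKIP_DEFAULT_NAMESPACE_CREATION=true
      # JWT auth on the public frontend (7233): tokens are verified against the
      # Keycloak realm JWKS. Container port 8080 is correct here (this is a
      # container-to-container fetch) and the network alias makes the host part
      # match the browser-facing issuer. Plaintext HTTP JWKS is acceptable only
      # in tests: anyone able to tamper with this fetch can mint accepted tokens.
      - TEMPORAL_AUTH_AUTHORIZER=default
      - TEMPORAL_AUTH_CLAIM_MAPPER=default
      - TEMPORAL_JWT_KEY_SOURCE1=http://${KC_HOSTNAME:-keycloak.localhost}:8080/realms/master/protocol/openid-connect/certs
      - USE_INTERNAL_FRONTEND=true
    ports:
      # Only the JWT-protected gRPC frontend is published.
      - "${BIND_ADDR:-127.0.0.1}:${TEMPORAL_PORT:-7233}:7233"

  # Interactive admin CLI container. It talks to the internal frontend (7236),
  # which bypasses JWT auth, so anything that can exec into it has full
  # unauthenticated cluster admin; it is reachable only on the compose network.
  temporal-admin-tools:
    image: temporalio/admin-tools:1.29
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7236
      - TEMPORAL_CLI_ADDRESS=temporal:7236

  # Registers the "default" namespace via the internal frontend (port 7236
  # bypasses JWT auth). Idempotent: a "namespace already exists" failure is
  # treated as success. Runs once on `up` and exits. Polls up to 60 x 2s for
  # the frontend to come up; `$$` is compose escaping for a literal `$`.
  temporal-seed:
    image: temporalio/admin-tools:1.29
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7236
      - TEMPORAL_CLI_ADDRESS=temporal:7236
    restart: "no"
    entrypoint:
      - /bin/sh
      - -c
      - |
        set -eu
        for i in $$(seq 1 60); do
          if temporal operator namespace describe -n default >/dev/null 2>&1; then
            echo "namespace 'default' already exists"; exit 0
          fi
          out=$$(temporal operator namespace create -n default --retention 24h 2>&1) && rc=0 || rc=$$?
          echo "$$out"
          if [ "$$rc" -eq 0 ]; then
            echo "namespace 'default' created"; exit 0
          fi
          if echo "$$out" | grep -q "already exists"; then
            echo "namespace 'default' already exists"; exit 0
          fi
          echo "waiting for temporal frontend... ($$i/60)"; sleep 2
        done
        echo "ERROR: temporal-seed gave up" >&2; exit 1

  temporal-ui:
    image: temporalio/ui:2.41.0
    depends_on:
      temporal:
        condition: service_started
      keycloak:
        condition: service_healthy
    environment:
      # The UI talks to the JWT-protected frontend, not the internal one.
      - TEMPORAL_ADDRESS=temporal:7233
      - TEMPORAL_UI_PORT=8233
      - TEMPORAL_CORS_ORIGINS=${TEMPORAL_UI_URL:-http://localhost:8233}
      - TEMPORAL_AUTH_ENABLED=true
      # NOTE(review): these URLs serve both browser redirects and the UI server's
      # own in-container OIDC discovery. Inside the network the alias resolves to
      # the keycloak container, where only port 8080 listens, so overriding
      # KEYCLOAK_PORT likely breaks the server-side fetch — confirm.
      - TEMPORAL_AUTH_PROVIDER_URL=http://${KC_HOSTNAME:-keycloak.localhost}:${KEYCLOAK_PORT:-8080}/realms/master
      - TEMPORAL_AUTH_ISSUER_URL=http://${KC_HOSTNAME:-keycloak.localhost}:${KEYCLOAK_PORT:-8080}/realms/master
      - TEMPORAL_AUTH_CLIENT_ID=temporal-ui
      # Test-only confidential-client secret committed in clear. It presumably
      # has to match what seed-keycloak.sh registers for the temporal-ui client
      # (confirm); move it to .env and rotate before this stack is shared.
      - TEMPORAL_AUTH_CLIENT_SECRET=HtRpQ1qZKuauyAqVV0x7r10a1YhVePy9
      - TEMPORAL_AUTH_CALLBACK_URL=${TEMPORAL_UI_URL:-http://localhost:8233}/auth/sso/callback
      - TEMPORAL_AUTH_SCOPES=openid,profile,email
      # Debug logging may record request details including tokens; test-only.
      - LOG_LEVEL=debug
    ports:
      - "${BIND_ADDR:-127.0.0.1}:${TEMPORAL_UI_PORT:-8233}:8233"

  # FedWiki
  fedwiki-init:
    # NOTE(review): unpinned tag; pin to a version (or digest) for reproducible runs.
    image: busybox
    # Copy seed tree (no-clobber, so existing testdata survives restarts), then
    # strip render.sh and *.tpl files — those are rendered into /data by the
    # fedwiki-render service after KC seed. chown to uid 1000 so the fedwiki
    # container's `node` user can mkdir site subdirs (pages/, recycle/, ...)
    # at runtime.
    command: sh -c 'cp -rn /seed/. /data/ && find /data -name "*.tpl" -delete && rm -f /data/render.sh && chown -R 1000:1000 /data'
    volumes:
      - ./seed/fedwiki:/seed:ro
      - ./testdata/fedwiki:/data

  # Resolves real Keycloak UUIDs and templates seed/fedwiki/*.tpl into
  # testdata/fedwiki/. Must run after keycloak-seed completes (users exist)
  # and after fedwiki-init completes (directory structure in place).
  # render.sh runs as root, so the files it writes would otherwise be
  # root-owned; the trailing chown hands them to uid 1000 (the fedwiki `node`
  # user) so the wiki can read them and also rewrite them later, which matters
  # if any rendered file lives where the wiki writes (e.g. a site's pages/).
  fedwiki-render:
    # NOTE(review): unpinned tag; pin to a version (or digest) for reproducible runs.
    image: alpine/curl:latest
    depends_on:
      keycloak-seed:
        condition: service_completed_successfully
      fedwiki-init:
        condition: service_completed_successfully
    volumes:
      - ./seed/fedwiki:/seed:ro
      - ./testdata/fedwiki:/data
    environment:
      # Admin credentials, presumably used by render.sh to look up user ids
      # through the Keycloak admin API — confirm in the script.
      - KC_URL=http://keycloak:8080
      - KC_REALM=master
      - KC_ADMIN_USER=admin
      - KC_ADMIN_PASSWORD=admin
    # Installs jq/gettext (envsubst) from the Alpine repos at start.
    entrypoint:
      [
        "/bin/sh",
        "-c",
        "apk add --no-cache jq gettext >/dev/null 2>&1 && sh /seed/render.sh && chown -R 1000:1000 /data",
      ]
    networks:
      default:

  fedwiki:
    image: git.coopcloud.tech/wiki-cafe/fedwiki-oci-image:0.39.4-2
    depends_on:
      fedwiki-init:
        condition: service_completed_successfully
      fedwiki-render:
        condition: service_completed_successfully
    # Observed: fedwiki's passportjs auth only works when the wiki listens on
    # port 80, hence the fixed -p 80 (FEDWIKI_PORT only changes the host side).
    command: wiki -p 80 --farm --security_type composable --auth_provider wiki-security-passportjs --authz_enhancers wiki-plugin-useraccesstokens
    volumes:
      - ./testdata/fedwiki:/home/node/.wiki
    ports:
      - "${BIND_ADDR:-127.0.0.1}:${FEDWIKI_PORT:-80}:80"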