forked from buzzfeed/sso
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-compose.yml
143 lines (121 loc) · 4.79 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
version: '3'
services:
# ===========================================================================
# sso services
#
# Here we provide a minimal sso installation for demo purposes that allows
# any valid google account to log in, and hard codes the various secrets
# required to secure communication.
#
# A more realistic deployment will likely require a specific organization's
# email domain and restrict access to upstream services based on Google Group
# membership.
#
# The sso-proxy service is handing requests to any domain under
# *.sso.localtest.me and the sso-auth service is available at sso-
# auth.localtest.me.
#
# There are two upstream services defined below, which can be accessed at
# - http://hello-world.sso.localtest.me
# - http://httpbin.sso.localtest.me
# ===========================================================================
sso-proxy:
# Swap the two lines below to build from the current commit instead of
# pulling the latest dev image
image: buzzfeed/sso-dev:latest
# build: ..
entrypoint: /bin/sso-proxy
environment:
# Allow any google account to log in for demo purposes
- DEFAULT_ALLOWED_EMAIL_DOMAINS=*
# (Optional) Allow specific google email address to log in for demo purposes
# This overrides DEFAULT_ALLOWED_EMAIL_DOMAIN
# - DEFAULT_ALLOWED_EMAIL_ADDRESSES=*
- UPSTREAM_CONFIGS=/sso/upstream_configs.yml
- PROVIDER_URL=http://sso-auth.localtest.me
- PROVIDER_URL_INTERNAL=http://host.docker.internal
# CLIENT_ID and CLIENT_SECRET must match sso-auth's PROXY_CLIENT_ID and
# PROXY_CLIENT_SECRET configuration
- CLIENT_ID=aGNHd3FqWUVDb1Z0NVFVZDE4Vk8xbWhQeVdoc3pjMnU=
- CLIENT_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
# XXX: These secrets are for demonstration purposes only! Use
#
# openssl rand -base64 32
#
# to generate your own.
- COOKIE_SECRET=WEl0Y054TXNUN2ltTWRkazZ0YmNpRTlucXBPQUY2VHU=
# Disable https for demo purposes
- COOKIE_SECURE=false
# TODO: these config values should probably have defaults
- CLUSTER=dev
- STATSD_HOST=127.0.0.1
- STATSD_PORT=8125
# Tells nginx-proxy service how to route requests to this service
- VIRTUAL_HOST=*.sso.localtest.me
volumes:
- ./upstream_configs.yml:/sso/upstream_configs.yml:ro
expose:
- 4180
sso-auth:
# Swap the two lines below to build from the current commit instead of
# pulling the latest dev image
image: buzzfeed/sso-dev:latest
# build: ..
entrypoint: /bin/sso-auth
env_file:
./env
environment:
# Allow any google account to log in for demo purposes
- AUTHORIZE_EMAIL_DOMAINS=*
# (Optional) Allow specific email address to log in for demo purposes
# This overrides AUTHORIZE_EMAIL_DOMAINS
# - AUTHORIZE_EMAIL_ADDRESSES=*
- AUTHORIZE_PROXY_DOMAINS=localtest.me
- SERVER_SCHEME=http
- SERVER_HOST=sso-auth.localtest.me
# These values must match sso-proxy's CLIENT_ID and CLIENT_SECRET values
- CLIENT_PROXY_ID=aGNHd3FqWUVDb1Z0NVFVZDE4Vk8xbWhQeVdoc3pjMnU=
- CLIENT_PROXY_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
# XXX: These secrets are for demonstration purposes only! Use
#
# openssl rand -base64 32
#
# to generate your own.
- SESSION_KEY=c1kxTHcyN3FwdGRiZHpZRU15TUpNdFlpb1ZEUUw5R3M=
- SESSION_COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
# Disable https for demo purposes
- SESSION_COOKIE_SECURE=false
# TODO: these config values should probably have defaults
- CLUSTER=dev
- METRICS_STATSD_HOST=127.0.0.1
- METRICS_STATSD_PORT=8125
# Tells nginx-proxy service how to route requests to this service
- VIRTUAL_HOST=sso-auth.localtest.me,host.docker.internal
expose:
- 4180
# ===========================================================================
# Upstream services protected by sso
#
# These services can be accessed at
# - hello-world.sso.localtest.me
# - httpbin.sso.localtest.me
# ===========================================================================
httpbin:
image: mccutchen/go-httpbin:latest
expose:
- 8080
hello-world:
image: tutum/hello-world:latest
expose:
- 80
# ===========================================================================
# nginx-proxy handles routing of requests to the sso-proxy and sso-auth
# containers. See its docs for more info:
# https://github.com/jwilder/nginx-proxy
# ===========================================================================
nginx-proxy:
image: jwilder/nginx-proxy:latest
ports:
- "80:80"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro