fix(docker): Improve docker-compose example (#325)
Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to
build docker images. Unlike the existing Dockerfile which depends on the Makefile
to build the binary, this Dockerfile copies the source code and builds the
binary.

Oathkeeper has gone through a couple of changes since the initial draft of the
docker compose file, considering these changes and the newly introduced
Dockerfile in the previous commit, make these changes to the docker-compose.yml:
1. Bump the version of the compose file to 3.
2. Remove the need for the postgres database app, since Oathkeeper no longer needs a
database.
3. Remove the migration app: there is no longer a database to migrate, and the
migrate option is deprecated.
4. Use the newly defined Dockerfile 'Dockerfile-dc'.
5. We now serve both API and PROXY from the same app, so we don't need two
instances of the app.
6. Add sample config, rules and JWK files to `.docker_compose`, mount this via a
volume mount.

Closes #324

Signed-off-by: karthik nayak <[email protected]>
KarthikNayak authored Mar 2, 2020
1 parent cb38415 commit 1247381
Showing 5 changed files with 204 additions and 53 deletions.
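--- /dev/null
+++ b/.docker_compose/config.yaml
@@ -0,0 +1,48 @@
+serve:
+proxy:
+port: 4455 # run the proxy at port 4455
+api:
+port: 4456 # run the api at port 4456
+
+access_rules:
+repositories:
+- file:///etc/config/oathkeeper/rules.json
+
+errors:
+fallback:
+- json
+handlers:
+json:
+enabled: true
+config:
+verbose: true
+redirect:
+enabled: true
+config:
+to: https://www.ory.sh/docs
+
+mutators:
+header:
+enabled: true
+config:
+headers:
+X-User: "{{ print .Subject }}"
+noop:
+enabled: true
+id_token:
+enabled: true
+config:
+issuer_url: http://localhost:4455/
+jwks_url: file:///etc/config/oathkeeper/jwks.json
+
+authorizers:
+allow:
+enabled: true
+deny:
+enabled: true
+
+authenticators:
+anonymous:
+enabled: true
+config:
+subject: guest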
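Review bot: Nothing in this file marks it as a local-demo configuration even though its settings are unsafe anywhere else: the `anonymous` authenticator in the `authenticators` block gives every request the subject `guest`, and the `id_token` mutator signs with the private key checked into `jwks.json` under a plain `http://localhost:4455/` issuer. Add a header comment such as `# Demo configuration for docker-compose only: every request is authenticated as the anonymous subject "guest", and id_token mutations are signed with the sample private key in jwks.json — regenerate that key and replace the authenticators before any non-local use.` The existing `# run the proxy at port 4455` comments only restate the values; a note that the `api` listener on 4456 is intentionally not published by the compose file would be more useful to a reader.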
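--- /dev/null
+++ b/.docker_compose/jwks.json
@@ -0,0 +1,18 @@
+{
+"keys": [
+{
+"use": "sig",
+"kty": "RSA",
+"kid": "387e4978-078b-4664-afb4-cf9142161610",
+"alg": "RS256",
+"n": "qY_EWBYkXX-8RrH_5tBFTfaEf2uloKC0HJePxf1WQ4qIh1IjcjyHCpOK8dvyfBZtNcCKHa_EQZwupWuIuZtuXGzfmVHYkrlTwbDK6juqyqhrtpQHm-wOaSCjD4hvegD50Cpb5qKm59ZssWRPuQ6AxJWJ-D1MlmNntTI0L3pJd_Np0od-A2SwAczk53gg2V7Zhk87h7dQKHvkbd3e86lzW7FjV8BsUvp2tKxg_ULfEJJYpyjxqIwaDFIUY4qsCrSS6XETOETxBcE2lAQtflPqPlqQIrNra8k9wAxB_OBNIeonmHbM3bI2H6KOcJUWzm72ZjbIfVfrTPsijH-ZhNwjbw",
+"e": "AQAB",
+"d": "FtEs17mrDRXqTQ0Y5YNzQAmDTO48bIATnKFcjIUJva7_rk4ETRQODANMuD0jxUTzTz9olpQXccjFkicFUAy1biSMdkJIRX5A4hibRaff1MOTMw96cqXyTn1A1A9FCQLmmveIRGHw2dPF7p0UCVAFTe7dkRUWoEoiI4Ts9tKa3lQf8SyWmTuXAMkwTmOXH1ARCCJ0CXgITg5t9_pajn1mX3yCnnrbqQTlYvQ2pkJIqbmxYCAzm6LZpj9u1XFmPLk8IkbPDahdI28bqv7PJgaVRxchlJ8JaP_YzQW1m9xme6PJNhVOcKYlF8L-PgB6gfLUdwNCT1v1MA-WPHLSZbqvQQ",
+"p": "xy25H7yYa1m1H09fm9msoaPaCY3cTvF89sJqUzoGCpMHUgPBI276kZgVHPcfp8Fzbq-a_c9BnU11vJ_MV7_kYHt3JM1RTjsK1-JMvDSqNTKWy3qSAmoN2gKKUp4fRG1BskG45QLyj-smesW_7oJoEtPoe_AQ3U47mrrarayb_yE",
+"q": "2e8S8IankdTvmBcRetd8kGo1cblpKZ6a9FWbAjkS0ts3fXzTeiBGa_sw5QemIrpPy2fRp3OBMn0NIw2ONbFipgjBqj72Oa-87WTdb7IsH0x8XkgHdUFxBmsU4vzQAKno58WdWY8zP0YLVL-u2ricmsX0gV2EsdvkTPpINaXEoI8",
+"dp": "XHLhkVSFXpZ11kGOPBWN5jzaUELzNgUqnpJgrZ6p_TB_Xlb1x4-UaA2yBw7BN6k3_fEuPI59gxjYBCQbwcMEqq_D_mX6ThhjkQ6t1VGQiz6e9XU_3jUBluZE89IG60jXDHkq68kxcxGPe77btkX7LnoDV7t26HGOguQl6iTLB2E",
+"dq": "dfQmzRYkdhLJBwldRZ6B5ewGNyJCH-ufNKVsu1xGqudJdlrsXwo-80zGXv-v1NYAQDhVygsDH199j75TfQ4gNXtBzrI7NGfAmsBf9Yd6yAnuulzD5Jvh37ZvXJe2wNU1oNRdYM7XzuRLV7hTnEAVStPfjXEfU-CPBXblRFwPO1M",
+"qi": "IfUeLw9BK-4Oby0kPOk3u51D-6GfCAqc9rrYI118vi9deKH3lJUn6G9bZYh6kSA8qjK6gRfSxrjICz-IrGfanYQ-E1zm_Dx6vaa6OXVBMYtpduDaeliGiivQW1HnSWS67UQSV9qK0stUa1epcbpsQBtwhUldSPZezfCpPiUjIPw"
+}
+]
+}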
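Review bot: This file commits a complete RSA private key — `d`, `p`, `q`, `dp`, `dq` and `qi` are all present — under a fixed `kid`, and `config.yaml` points the `id_token` mutator's `jwks_url` at it, so anyone who reuses the sample unchanged runs a token issuer whose signing key is public in this repository and whose tokens anyone can forge. The sample should generate a fresh key pair on first run (or document a one-line generation step) and keep the real `.docker_compose/jwks.json` out of version control, committing only a clearly named example file. Because JSON has no comment syntax, the "sample key, never reuse" warning has to live in the README or in `config.yaml` next to `jwks_url`.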
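--- /dev/null
+++ b/.docker_compose/rules.json
@@ -0,0 +1,112 @@
+[
+{
+"id": "allow-anonymous-with-header-mutator",
+"upstream": {
+"url": "https://httpbin.org/anything/header"
+},
+"match": {
+"url": "http://<127.0.0.1|localhost>:4455/anything/header",
+"methods": [
+"GET"
+]
+},
+"authenticators": [
+{
+"handler": "anonymous"
+}
+],
+"authorizer": {
+"handler": "allow"
+},
+"mutators": [
+{
+"handler": "header",
+"config": {
+"headers": {
+"X-User": "{{ print .Subject }}"
+}
+}
+}
+]
+},
+{
+"id": "deny-anonymous",
+"upstream": {
+"url": "https://httpbin.org/anything/deny"
+},
+"match": {
+"url": "http://<127.0.0.1|localhost>:4455/anything/deny",
+"methods": [
+"GET"
+]
+},
+"authenticators": [
+{
+"handler": "anonymous"
+}
+],
+"authorizer": {
+"handler": "deny"
+},
+"mutators": [
+{
+"handler": "noop"
+}
+],
+"errors": [
+{
+"handler": "json",
+"config": {
+"when": [
+{
+"request": {
+"header": {
+"accept": ["application/json"]
+}
+}
+}
+]
+}
+},
+{
+"handler": "redirect",
+"config": {
+"when": [
+{
+"request": {
+"header": {
+"accept": ["text/*"]
+}
+}
+}
+]
+}
+}
+]
+},
+{
+"id": "allow-anonymous-with-id-token-mutator",
+"upstream": {
+"url": "https://httpbin.org/anything/id_token"
+},
+"match": {
+"url": "http://<127.0.0.1|localhost>:4455/anything/id_token",
+"methods": [
+"GET"
+]
+},
+"authenticators": [
+{
+"handler": "anonymous"
+}
+],
+"authorizer": {
+"handler": "allow"
+},
+"mutators": [
+{
+"handler": "id_token"
+}
+]
+}
+]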
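Review bot: All three rules proxy to the public `https://httpbin.org/anything/...` upstreams, so whatever the mutators inject — the `X-User` header carrying the anonymous subject in the first rule, and the token the `id_token` mutator adds in the third — is sent to a third party on every matched request, and nothing in the sample says so. JSON has no comment syntax, so the note belongs in the README or compose file: that the sample sends mutated requests to httpbin.org and should be pointed at a local upstream before being adapted. It is also worth stating that the `match.url` patterns are pinned to `http://<127.0.0.1|localhost>:4455`, so they will presumably stop matching once the proxy is behind TLS or a different hostname; verify against the matcher semantics for this Oathkeeper version.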
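--- /dev/null
+++ b/Dockerfile-dc
@@ -0,0 +1,18 @@
+FROM golang:1.13-alpine
+
+RUN addgroup -S ory; \
+adduser -S ory -G ory -D -H -s /bin/nologin
+
+RUN apk add -U --no-cache ca-certificates
+
+ADD . /app
+WORKDIR /app
+ENV GO111MODULE on
+RUN go get -u github.com/gobuffalo/packr/v2/packr2
+RUN packr2
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
+
+USER ory
+
+ENTRYPOINT ["/app/oathkeeper"]
+CMD ["serve"]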
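Review bot: `ADD . /app` copies the whole build context — with no `.dockerignore` in this commit that includes `.git` and the `.docker_compose` directory holding the sample private key — into a single-stage image that also ships the Go toolchain, the source tree and a `packr2` binary fetched unpinned by `go get -u`, so the runtime image is large, non-reproducible and contains material it never needs. Use `COPY` (no URL-fetch or archive-extraction semantics), add a `.dockerignore` excluding `.git` and `.docker_compose`, pin the `packr2` module version instead of `-u`, and split the build into a builder stage and a minimal runtime stage that receives only the `oathkeeper` binary. The user setup and `ca-certificates` install move to the runtime stage; `ENTRYPOINT`/`CMD` are unchanged apart from the binary path.
```dockerfile
FROM golang:1.13-alpine AS builder
WORKDIR /app
COPY . /app
ENV GO111MODULE on
# … unchanged: packr2 install (pinned instead of -u), packr2, go build …

FROM alpine:3.11
RUN addgroup -S ory; \
    adduser -S ory -G ory -D -H -s /bin/nologin
RUN apk add -U --no-cache ca-certificates
COPY --from=builder /app/oathkeeper /usr/bin/oathkeeper
USER ory
ENTRYPOINT ["/usr/bin/oathkeeper"]
CMD ["serve"]
```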
61 changes: 8 additions & 53 deletions docker-compose.yml
@@ -1,62 +1,17 @@
version: '2'
version: '3.7'

services:

oathkeeper-migrate:
oathkeeper:
build:
context: .
dockerfile: Dockerfile
links:
- postgresd:postgresd
environment:
- LOG_LEVEL=debug
command:
migrate sql postgres://dbuser:secret@postgresd:5432/accesscontroldb?sslmode=disable
restart: on-failure

oathkeeper-proxy:
build:
context: .
dockerfile: Dockerfile
links:
- postgresd:postgresd
dockerfile: Dockerfile-dc
ports:
- "4455:4455"
depends_on:
- oathkeeper-api
command:
serve proxy
environment:
- LOG_LEVEL=debug
- PORT=4455
- ISSUER_URL=http://localhost:4455/
- OATHKEEPER_API_URL=http://oathkeeper-api:4456
- CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET=arandomsecretarandomsecretarando
restart: on-failure

oathkeeper-api:
build:
context: .
dockerfile: Dockerfile
links:
- postgresd:postgresd
ports:
- "4456:4456"
depends_on:
- oathkeeper-migrate
command:
serve api
environment:
- LOG_LEVEL=debug
- PORT=4456
- DATABASE_URL=postgres://dbuser:secret@postgresd:5432/accesscontroldb?sslmode=disable
- ISSUER_URL=http://localhost:4455/
- CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET=arandomsecretarandomsecretarando
serve --config=/etc/config/oathkeeper/config.yaml
volumes:
- type: bind
source: ./.docker_compose
target: /etc/config/oathkeeper
restart: on-failure

postgresd:
image: postgres:9.6
environment:
- POSTGRES_USER=dbuser
- POSTGRES_PASSWORD=secret
- POSTGRES_DB=accesscontroldb
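Review bot: The new bind mount under `volumes:` is read-write, so a process inside the container could rewrite `rules.json`, `config.yaml` and the signing key in `jwks.json` on the host; add `read_only: true` as a fourth line of that volume entry. `"4455:4455"` under `ports:` publishes the proxy on every host interface, which for a local sample is wider than needed — `"127.0.0.1:4455:4455"` keeps it off the LAN. Not publishing the `api` listener on 4456 is the right call and removing the hard-coded `CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET` and database credentials is an improvement, though the private key now committed in `.docker_compose/jwks.json` plays the same role and deserves the same scrutiny.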
