-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathdocker-compose.override.yml
128 lines (121 loc) · 4.39 KB
/
docker-compose.override.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
version: "2.4"
services:
hydra:
image: oryd/hydra:v1.3.2
command:
serve all --dangerous-force-http
environment:
- URLS_SELF_ISSUER=$IDP_OPAQUE_ISSUER
- URLS_CONSENT=http://notexist.tld/consent
- URLS_LOGIN=http://notexist.tld/login
- URLS_LOGOUT=http://notexist.tld/logout
- DSN=memory
- SECRETS_SYSTEM=youReallyNeedToChangeThis
restart: unless-stopped
healthcheck:
test: ["CMD", "hydra", "clients", "list", "--endpoint=http://0.0.0.0:4445" ]
start_period: 3s
timeout: 5s
retries: 3
hydra_jwt:
image: oryd/hydra:v1.3.2
command:
serve all --dangerous-force-http
environment:
- URLS_SELF_ISSUER=$IDP_JWT_ISSUER
- URLS_CONSENT=http://notexist.tld/consent
- URLS_LOGIN=http://notexist.tld/login
- URLS_LOGOUT=http://notexist.tld/logout
- DSN=memory
- SECRETS_SYSTEM=youReallyNeedToChangeThis
- STRATEGIES_ACCESS_TOKEN=jwt
restart: unless-stopped
healthcheck:
test: ["CMD", "hydra", "clients", "list", "--endpoint=http://0.0.0.0:4445" ]
start_period: 3s
timeout: 5s
retries: 3
caddy:
image: abiosoft/caddy:0.11.1
restart: unless-stopped
depends_on:
- hydra
environment:
CADDY_CONF: |
hydra.tld:443 alias.hydra.tld:443 {
tls self_signed
proxy / hydra:4444
}
admin.hydra.tld:443 {
tls self_signed
proxy / hydra:4445
}
hydra-jwt.tld:443 alias.hydra-jwt.tld:443 {
tls self_signed
proxy / hydra_jwt:4444
}
admin.hydra-jwt.tld:443 {
tls self_signed
proxy / hydra_jwt:4445
}
entrypoint: /bin/sh
command: -c 'echo "$$CADDY_CONF" | caddy -conf stdin'
networks:
default:
aliases:
- hydra.tld
- alias.hydra.tld
- admin.hydra.tld
- hydra-jwt.tld
- admin.hydra-jwt.tld
- alias.hydra-jwt.tld
oauth2_client:
image: appropriate/curl
restart: on-failure
depends_on:
hydra:
condition: service_healthy
hydra_jwt:
condition: service_healthy
environment:
CONTENT_TYPE: "content-type: application/json"
CLIENT:
'{
"client_name": "$OAUTH2_CLIENT_ID",
"client_id": "$OAUTH2_CLIENT_ID",
"client_secret": "$OAUTH2_CLIENT_SECRET",
"scope": "$OAUTH2_CLIENT_SCOPE $OAUTH2_CLIENT_SCOPE_UNREQUIRED",
"grant_types": [ "authorization_code", "refresh_token", "client_credentials", "implicit" ],
"response_types": [ "token", "code", "id_token" ],
"redirect_uris": ["https://notexist.tld/callback"],
"audience": ["$OAUTH2_CLIENT_AUDIENCE", "$IDP_KONG_AUDIENCE_PREFIX$OAUTH2_CLIENT_AUDIENCE", "$OAUTH2_CLIENT_AUDIENCE_EXISTING", "$OAUTH2_CLIENT_AUDIENCE_UNREGISTED", "$OAUTH2_CLIENT_AUDIENCE_INVALID_ISS", "$OAUTH2_CLIENT_AUDIENCE_INVALID_CLIENT_ID"]
}'
CLIENT_JWT:
'{
"client_name": "$OAUTH2_CLIENT_ID",
"client_id": "$OAUTH2_CLIENT_ID",
"client_secret": "$OAUTH2_CLIENT_SECRET",
"scope": "$OAUTH2_CLIENT_SCOPE $OAUTH2_CLIENT_SCOPE_UNREQUIRED",
"grant_types": [ "authorization_code", "refresh_token", "client_credentials", "implicit" ],
"response_types": [ "token", "code", "id_token" ],
"redirect_uris": ["https://notexist.tld/callback"],
"audience": ["$OAUTH2_JWT_CLIENT_AUDIENCE", "$IDP_KONG_AUDIENCE_PREFIX$OAUTH2_JWT_CLIENT_AUDIENCE", "$OAUTH2_CLIENT_AUDIENCE_EXISTING", "$OAUTH2_CLIENT_AUDIENCE_UNREGISTED", "$OAUTH2_CLIENT_AUDIENCE_INVALID_ISS", "$OAUTH2_CLIENT_AUDIENCE_INVALID_CLIENT_ID"]
}'
entrypoint: [ /bin/sh , -c ]
command:
- |-
set -euo pipefail
url="https://admin.hydra.tld"
curl -sfk -X POST -H "$$CONTENT_TYPE" "$$url/clients" -d "$$CLIENT" ||\
curl -sfk -X PUT -H "$$CONTENT_TYPE" "$$url/clients/client" -d "$$CLIENT"
url="https://admin.hydra-jwt.tld"
curl -sfk -X POST -H "$$CONTENT_TYPE" "$$url/clients" -d "$$CLIENT_JWT" ||\
curl -sfk -X PUT -H "$$CONTENT_TYPE" "$$url/clients/client" -d "$$CLIENT_JWT"
busted:
depends_on:
caddy:
condition: service_started
oauth2_client:
condition: service_started
env_file:
- .env