basyx-java-server-sdk/examples/BaSyxDynamicRBAC/docker-compose.yaml at 52bff822cf1db26f9cc76249393c043c47460001 · aaronzi/basyx-java-server-sdk · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
services:
  mongo:
    image: mongo:8
    # Provide mongo config
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: mongoAdmin
      MONGO_INITDB_ROOT_PASSWORD: mongoPassword
    # Set health checks to wait until mongo has started
    healthcheck:
      test: ["CMD-SHELL", "mongosh --quiet --username \"$MONGO_INITDB_ROOT_USERNAME\" --password \"$MONGO_INITDB_ROOT_PASSWORD\" --authenticationDatabase admin --eval \"db.adminCommand({ ping: 1 })\" || exit 1"]
      interval: 10s
      timeout: 5s
      start_period: 20s
      retries: 10
    # Maps tcp port to host
    ports:
      - 27017:27017
    networks:
      - basyx-java-server-sdk

  # AAS Environment
  aas-env:
    image: eclipsebasyx/aas-environment:$BASYX_VERSION
    container_name: aas-env-rbac
    volumes:
      - ./aas:/application/aas
      - ./basyx/aas-env.properties:/application/application.properties
      - ./basyx/rules/aas_env_rbac_rules.json:/application/rbac_rules.json
    ports:
      - '8081:8081'
    restart: always
    depends_on:
      keycloak:
        condition: service_healthy
      aas-registry:
        condition: service_healthy
      sm-registry:
        condition: service_healthy
    networks:
      - basyx-java-server-sdk

  # AAS Registry
  aas-registry:
    image: eclipsebasyx/aas-registry-log-mongodb:$BASYX_VERSION
    container_name: secured-aas-registry-log-mongo-rbac
    ports:
      - "8082:8080"
    environment:
      SERVER_SERVLET_CONTEXT_PATH: /
      BASYX_CORS_ALLOWED_ORIGINS: '*'
      SPRING_DATA_MONGODB_URI: mongodb://mongoAdmin:mongoPassword@mongo:27017/aas-reg?authSource=admin&retryWrites=true&w=majority&readPreference=primaryPreferred
      BASYX_CORS_ALLOWED_METHODS: GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
      BASYX_FEATURE_AUTHORIZATION_ENABLED: true
      BASYX_FEATURE_AUTHORIZATION_TYPE: rbac
      BASYX_FEATURE_AUTHORIZATION_JWTBEARERTOKENPROVIDER: keycloak
      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: http://keycloak-rbac:8080/realms/BaSyx
      BASYX_FEATURE_AUTHORIZATION_RBAC_FILE: file:/workspace/config/rbac_rules.json
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND: Submodel
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_ENDPOINT: http://security-submodel:8081/submodels/U2VjdXJpdHlTdWJtb2RlbA==
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_TOKEN_ENDPOINT: http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_GRANT_TYPE: CLIENT_CREDENTIALS
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_CLIENT_ID: workstation-1
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_CLIENT_SECRET: nY0mjyECF60DGzNmQUjL81XurSl8etom
    volumes:
      - ./basyx/rules/aas_registry_rbac_rules.json:/workspace/config/rbac_rules.json
    restart: always
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/actuator/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    depends_on:
      security-submodel:
        condition: service_healthy
    networks:
      - basyx-java-server-sdk

  # Submodel Registry
  sm-registry:
    image: eclipsebasyx/submodel-registry-log-mongodb:$BASYX_VERSION
    container_name: secured-sm-registry-log-mongo-rbac
    environment:
      SERVER_SERVLET_CONTEXT_PATH: /
      BASYX_CORS_ALLOWED_ORIGINS: '*'
      SPRING_DATA_MONGODB_URI: mongodb://mongoAdmin:mongoPassword@mongo:27017/sm-reg?authSource=admin&retryWrites=true&w=majority&readPreference=primaryPreferred
      BASYX_CORS_ALLOWED_METHODS: GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
      BASYX_FEATURE_AUTHORIZATION_ENABLED: true
      BASYX_FEATURE_AUTHORIZATION_TYPE: rbac
      BASYX_FEATURE_AUTHORIZATION_JWTBEARERTOKENPROVIDER: keycloak
      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: http://keycloak-rbac:8080/realms/BaSyx
      BASYX_FEATURE_AUTHORIZATION_RBAC_FILE: file:/workspace/config/rbac_rules.json
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND: Submodel
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_ENDPOINT: http://security-submodel:8081/submodels/U2VjdXJpdHlTdWJtb2RlbA==
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_TOKEN_ENDPOINT: http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_GRANT_TYPE: CLIENT_CREDENTIALS
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_CLIENT_ID: workstation-1
      BASYX_FEATURE_AUTHORIZATION_RULES_BACKEND_SUBMODEL_AUTHORIZATION_CLIENT_SECRET: nY0mjyECF60DGzNmQUjL81XurSl8etom
    ports:
      - "8083:8080"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/actuator/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    volumes:
      - ./basyx/rules/sm_registry_rbac_rules.json:/workspace/config/rbac_rules.json
    depends_on:
      security-submodel:
        condition: service_healthy
    restart: always
    networks:
      - basyx-java-server-sdk

  # Security SM Repo
  security-submodel:
    image: eclipsebasyx/submodel-repository:$BASYX_VERSION
    container_name: conf-security-submodel
    volumes:
      - ./basyx/security-sm.properties:/application/application.properties
      - ./basyx/rules/sec_sm_rbac_rules.json:/application/rbac_rules.json
      - ./entrypoint.sh:/entrypoint.sh
      - ./initial-submodel.json:/initial-submodel.json
    ports:
      - '8089:8081'
    restart: always
    depends_on:
      keycloak:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8081/actuator/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    networks:
      - basyx-java-server-sdk

  security-sm-setup:
    build:
      context: .
      dockerfile: Dockerfile
    depends_on:
      security-submodel:
        condition: service_healthy
    restart: "no"
    volumes:
      - ./entrypoint.sh:/entrypoint.sh
      - ./initial-submodel.json:/initial-submodel.json
    entrypoint: [ "bash", "-c", "sh /entrypoint.sh"]
    networks:
      - basyx-java-server-sdk

  # AAS Discovery
  aas-discovery:
    image: eclipsebasyx/aas-discovery:$BASYX_VERSION
    container_name: aas-discovery
    volumes:
      - ./basyx/aas-discovery.properties:/application/application.properties
      - ./basyx/rules/aas_discovery_rbac_rules.json:/application/rbac_rules.json
    ports:
      - '8084:8081'
    restart: always
    networks:
      - basyx-java-server-sdk

  # AAS Web UI
  aas-web-ui:
    image: eclipsebasyx/aas-gui:$AAS_WEBUI_VERSION
    container_name: aas-ui
    extra_hosts:
      - "keycloak:127.0.0.1"
    ports:
      - '3000:3000'
    environment:
      AAS_REGISTRY_PATH: http://localhost:8082/shell-descriptors
      SUBMODEL_REGISTRY_PATH: http://localhost:8083/submodel-descriptors
      AAS_REPO_PATH: http://localhost:8081/shells
      SUBMODEL_REPO_PATH: http://localhost:8081/submodels
      CD_REPO_PATH: http://localhost:8081/concept-descriptions
      AAS_DISCOVERY_PATH: http://localhost:8084/lookup/shells
      KEYCLOAK_URL: http://localhost:9097
      KEYCLOAK_REALM: BaSyx
      KEYCLOAK_CLIENT_ID: basyx-web-ui
    restart: always
    depends_on:
      aas-env:
        condition: service_healthy
    networks:
      - basyx-java-server-sdk

  keycloak:
    image: eclipsebasyx/keycloak:0.0.1
    build:
      context: ./keycloak
      dockerfile: Dockerfile
    container_name: keycloak-rbac
    environment:
      KC_HOSTNAME: localhost
      KC_SPI_INITIALIZER_ISSUER_BASE_URI: http://keycloak-rbac:8080
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: keycloak-admin
      KC_HEALTH_ENABLED: true
    command: ["start-dev", "--import-realm"]
    ports:
      - 9097:8080
    volumes:
      - ./keycloak/realm:/opt/keycloak/data/import
    healthcheck:
      test: ['CMD-SHELL', '[ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { public static void main(String[] args) throws java.lang.Throwable { System.exit(java.net.HttpURLConnection.HTTP_OK == ((java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection()).getResponseCode() ? 0 : 1); } }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java http://localhost:8080/health/live']
      interval: 5s
      timeout: 5s
      retries: 5
      start_period: 60s
    networks:
      - basyx-java-server-sdk

networks:
  basyx-java-server-sdk:
    name: basyx-java-server-sdk
    driver: bridge