venari-devops/docker-stack.yaml at main · assert-security/venari-devops · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
version: '3.7'
volumes:
  nodedata:
    name: venari-devops
  userdb:
    name: venari-userdb #Important! Make sure this is not on a volume backed by a network share (i.e. nfs)
networks:
  venari:
    external: true
    name: venari-devops
secrets:
  jobnode-client-secret:
    external: true
    name: jobnode-client-secret
#  server-ssl-cert.pfx:
#    external: true
#    name: server-ssl-cert.pfx
#  server-ssl-cert.pwd:
#    external: true
#    name: server-ssl-cert.pwd
services:
  venarimaster:
    command:
    - "--logging:loglevel:default=warning"
    - "--connectionStrings:userDatabase=Data Source=/local-storage/venari-users.db"

    - "--server:loglevel=warn"
    - "--server:tlsPort=9000"
    - "--server:deleteRulesOnStartup=false"
    - "--server:NodeHubTimeoutSeconds=300"
    - "--server:ignorecerterrors=true"

    - "--node:disablejobqueue=true"
    - "--node:analyzerinprocess=false"
    - "--node:RootAppDataDirectoryOverride=/Data"

    - "--identity:adminUserName=${ADMIN_EMAIL}"
    - "--identity:publicUrl=${PUBLIC_MASTER_URL}"

    - "--identity:local:enabled=true"
    - "--identity:local:allowedIssuers:0=${PUBLIC_MASTER_URL}/"
    - "--identity:local:PostLogoutUris:0=${PUBLIC_MASTER_URL}/index.html"

    - "--identity:external:0:Name=OKTA"
    - "--identity:external:0:enabled=false"
    - "--identity:external:0:authority=<INSERT_OKTA_AUTHORITY>"
    - "--identity:external:0:clientid=<INSERT_OKTA_CLIENTID"
    - "--identity:external:0:scope=openid offline_access profile email"

    deploy:
#      placement:
#        constraints:
#        - node.role == manager
      replicas: 1
    environment:
      bootstrapaccounts__serviceaccounts__0__clientid: jobnode
      bootstrapaccounts__serviceaccounts__0__scope: jobnode
      bootstrapaccounts__serviceaccounts__0__secret: file:///run/secrets/jobnode-client-secret
      bootstrapaccounts__serviceaccounts__0__displayname: "Default Shared Job Node Service Account"
    image: ${VENARI_IMAGE}
    networks:
      venari:
        aliases:
          - venarimaster
    ports:
      - published: ${PUBLIC_MASTER_PORT:-?err}
        target: 9000
    secrets:
    - jobnode-client-secret
#    - server-ssl-cert.pfx
#    - server-ssl-cert.pwd
    volumes:
    - nodedata:/Data:rw
    - userdb:/local-storage
  jobnode:
    command:
    - "--logging:loglevel:default=warning"
    - "--node:masterNodeBaseAddress=${PUBLIC_MASTER_URL}"
    - "--node:analyzerinprocess=false"
    - "--node:RootAppDataDirectoryOverride=/Data"
    - "--server:loglevel=warn"
    - "--server:NodeHubTimeoutSeconds=300"
    - "--server:ignorecerterrors=true"
    deploy:
#      placement:
#        constraints:
#        - node.role == worker
      replicas: 1
      resources:
        limits:
          cpus: '${JOBNODE_CPU}'
          memory: ${JOBNODE_MEMORY}
        reservations:
          cpus: '${JOBNODE_CPU}'
          memory: ${JOBNODE_MEMORY}
    image: ${VENARI_IMAGE}
    networks:
      venari:
    environment:
      node__authinfo__clientsecret: file:///run/secrets/jobnode-client-secret
    secrets:
    - jobnode-client-secret
    volumes:
    - nodedata:/Data:rw
    - type: tmpfs
      target: /dev/shm
      tmpfs:
          size: 1073741824