Last active
April 27, 2025 19:57
-
-
Save SolomonHD/b55be40146b7a53b8f26fe244f5be52e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Prerequisites: | |
| # 1) Create a Docker IPv4 bridge network | |
| # 2) Pick an IPv4 Address for Traefik, use the end of the network range | |
| # 3) Pick a domain, recommend real DNS but faking is possible by editing the /etc/hosts file to point to Traefik's IPv4 address. | |
| # 4) Replace the ${DOMAIN} place holder in the config-ldap.yaml, and env-config.js and files with the domain. | |
| # 5) Get a valid certificate via Let's Encrypt or another method, recommend a wildcard cert | |
| # 6) Copy cert/private key as /etc/letsencrypt/live/${DOMAIN}/{privkey.pem, fullchain.pem}, Uncomment lines 233-234 in the docker.compose.yml file | |
| # Also uncomment the lines in traefik_dynamic.yaml after cert and key are in place | |
| # 7) Copy this file as '.env', fill out with the appropriate values | |
| ### Domain Names | |
| ## https://tk.${DOMAIN} # Main website, terrakube-ui | |
| ## https://tk-api.${DOMAIN} # API, terrakube-api | |
| ## https://tk-registry.${DOMAIN} # Registry, terrakube-registry | |
| ## https://tk-executor.${DOMAIN} # Executor, terrakube-executor | |
| ## https://tk-dex.${DOMAIN} # Dex, terrakube-dex | |
| # Required Variables | |
| DOMAIN= # Set domain | |
| EXTERNAL_NETWORK_NAME= # External network is required | |
| HOST_GATEWAY=host-gateway # Should be okay leaving as is, may have to change to Traefik's IPv4 address | |
| TK_OUTPUT_ACCESS_KEY=minioadmin | |
| TK_OUTPUT_ENDPOINT=http://terrakube-minio:9000 | |
| TK_OUTPUT_SECRET_KEY=minioadmin | |
| TK_OUTPUT_STORAGE_REGION=us-east-1 | |
| TK_OUTPUT_BUCKET_NAME=sample | |
| TK_VERSION=2.19.2 | |
| TRAEFIK_IPV4_ADDRESS= # Give Traefik a reserved IPv4 Address in your external network, pick something towards the end of the network to avoid conflicts | |
| TRAEFIK_HTTP_PORT=80 | |
| TRAEFIK_HTTPS_PORT=443 | |
| # Optional Variables | |
| DNS_IP_PUBLIC= |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .env | |
| .test |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dn: dc=example,dc=org | |
| dc: example | |
| objectClass: dcObject | |
| objectClass: organization | |
| o: Example, Inc | |
| dn: ou=users,dc=example,dc=org | |
| ou: users | |
| objectClass: organizationalunit | |
| dn: cn=lester,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Parkinson | |
| cn: Lester | |
| mail: [email protected] | |
| userpassword: admin | |
| dn: cn=grady,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Chambers | |
| cn: Grady | |
| mail: [email protected] | |
| userpassword: azure | |
| dn: cn=saarah,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Lott | |
| cn: Saarah | |
| mail: [email protected] | |
| userpassword: aws | |
| dn: cn=eugene,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Monaghan | |
| cn: Eugene | |
| mail: [email protected] | |
| userpassword: gcp | |
| # Group definitions. | |
| dn: ou=Groups,dc=example,dc=org | |
| objectClass: organizationalUnit | |
| ou: Groups | |
| dn: cn=TERRAKUBE_ADMIN,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: TERRAKUBE_ADMIN | |
| member: cn=lester,ou=users,dc=example,dc=org | |
| dn: cn=TERRAKUBE_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: TERRAKUBE_DEVELOPERS | |
| member: cn=lester,ou=users,dc=example,dc=org | |
| dn: cn=AZURE_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: AZURE_DEVELOPERS | |
| member: cn=saarah,ou=users,dc=example,dc=org | |
| dn: cn=AWS_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: AWS_DEVELOPERS | |
| member: cn=grady,ou=users,dc=example,dc=org | |
| dn: cn=GCP_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: GCP_DEVELOPERS | |
| member: cn=eugene,ou=users,dc=example,dc=org |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # REPLACE ${DOMAIN} with the base domain! | |
| issuer: https://tk-dex.${DOMAIN}/dex | |
| storage: | |
| type: memory | |
| web: | |
| http: 0.0.0.0:5556 | |
| allowedOrigins: ["*"] | |
| oauth2: | |
| responseTypes: ["code", "token", "id_token"] | |
| connectors: | |
| - type: ldap | |
| name: OpenLDAP | |
| id: ldap | |
| config: | |
| # The following configurations seem to work with OpenLDAP: | |
| # | |
| # 1) Plain LDAP, without TLS: | |
| host: terrakube-ldap-service:1389 | |
| insecureNoSSL: true | |
| insecureSkipVerify: true | |
| # | |
| # 2) LDAPS without certificate validation: | |
| #host: localhost:636 | |
| #insecureNoSSL: false | |
| #insecureSkipVerify: true | |
| # | |
| # 3) LDAPS with certificate validation: | |
| #host: YOUR-HOSTNAME:636 | |
| #insecureNoSSL: false | |
| #insecureSkipVerify: false | |
| #rootCAData: 'CERT' | |
| # ...where CERT="$( base64 -w 0 your-cert.crt )" | |
| # This would normally be a read-only user. | |
| bindDN: cn=admin,dc=example,dc=org | |
| bindPW: admin | |
| usernamePrompt: Email Address | |
| userSearch: | |
| baseDN: ou=users,dc=example,dc=org | |
| filter: "(objectClass=person)" | |
| username: mail | |
| # "DN" (case sensitive) is a special attribute name. It indicates that | |
| # this value should be taken from the entity's DN not an attribute on | |
| # the entity. | |
| idAttr: DN | |
| emailAttr: mail | |
| nameAttr: cn | |
| groupSearch: | |
| baseDN: ou=Groups,dc=example,dc=org | |
| filter: "(objectClass=groupOfNames)" | |
| userMatchers: | |
| # A user is a member of a group when their DN matches | |
| # the value of a "member" attribute on the group entity. | |
| - userAttr: DN | |
| groupAttr: member | |
| # The group name should be the "cn" value. | |
| nameAttr: cn | |
| staticClients: | |
| - id: example-app | |
| redirectURIs: | |
| - "https://tk.${DOMAIN}" | |
| - "https://tk-api.${DOMAIN}" | |
| - "https://tk-dex.${DOMAIN}" | |
| - "/device/callback" | |
| - "http://localhost:3000/login" | |
| - "http://localhost:10001/login" | |
| name: "Example App" | |
| #secret: ZXhhbXBsZS1hcHAtc2VjcmV0 | |
| public: true |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: "3.8" | |
| ### DNS #### | |
| x-terrakube_dns: &terrakube_dns | |
| - ${DNS_IP_PUBLIC:-1.1.1.1} | |
| #### Extra Hosts ##### | |
| x-terrakube_hosts: &terrakube_hosts | |
| - "tk-api.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk-dex.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk-executor.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk-registry.${DOMAIN}:${HOST_GATEWAY}" | |
| #### Container Environment Variables ##### | |
| x-api: &api_env | |
| ApiDataSourceType: POSTGRESQL | |
| DatasourceHostname: postgresql-service | |
| DatasourceDatabase: terrakubedb | |
| DatasourceUser: terrakube | |
| DatasourcePassword: terrakubepassword | |
| GroupValidationType: DEX | |
| UserValidationType: DEX | |
| AuthenticationValidationType: DEX | |
| TerrakubeHostname: https://tk-api.${DOMAIN} | |
| AzBuilderExecutorUrl: https://tk-executor.${DOMAIN}/api/v1/terraform-rs | |
| PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g= | |
| InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM= | |
| DexIssuerUri: https://tk-dex.${DOMAIN}/dex | |
| StorageType: AWS | |
| AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION | |
| AwsEndpoint: $TK_OUTPUT_ENDPOINT | |
| TerrakubeUiURL: https://tk.${DOMAIN} | |
| spring_profiles_active: demo | |
| DexClientId: example-app | |
| CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json" | |
| TerrakubeRedisHostname: terrakube-redis | |
| TerrakubeRedisPort: 6379 | |
| TerrakubeRedisPassword: password123456 | |
| JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-executor: &executor_env | |
| TerrakubeEnableSecurity: true | |
| InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM= | |
| TerraformStateType: AwsTerraformStateImpl | |
| AwsTerraformStateAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsTerraformStateSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsTerraformStateBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsTerraformStateRegion: us-east-1 | |
| AwsEndpoint: $TK_OUTPUT_ENDPOINT | |
| TerraformOutputType: AwsTerraformOutputImpl | |
| AwsTerraformOutputAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsTerraformOutputSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsTerraformOutputBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsTerraformOutputRegion: us-east-1 | |
| AzBuilderApiUrl: https://tk-api.${DOMAIN} | |
| ExecutorFlagBatch: false | |
| ExecutorFlagDisableAcknowledge: false | |
| TerrakubeToolsRepository: https://github.com/AzBuilder/terrakube-extensions.git | |
| TerrakubeToolsBranch: main | |
| TerrakubeRegistryDomain: tk-registry.${DOMAIN} | |
| TerrakubeApiUrl: https://tk-api.${DOMAIN} | |
| CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json" | |
| TerrakubeRedisHostname: terrakube-redis | |
| TerrakubeRedisPort: 6379 | |
| TerrakubeRedisPassword: password123456 | |
| JAVA_TOOL_OPTIONS: > | |
| -Xmx512m -Xms256m -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-registry: ®istry_env | |
| AzBuilderRegistry: https://tk-registry.${DOMAIN} | |
| AzBuilderApiUrl: https://tk-api.${DOMAIN} | |
| AuthenticationValidationTypeRegistry: DEX | |
| TerrakubeEnableSecurity: true | |
| DexIssuerUri: https://tk-dex.${DOMAIN}/dex | |
| TerrakubeUiURL: https://tk.${DOMAIN} | |
| PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g= | |
| InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM= | |
| RegistryStorageType: AwsStorageImpl | |
| AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION | |
| AwsEndpoint: $TK_OUTPUT_ENDPOINT | |
| AppClientId: example-app | |
| AppIssuerUri: https://tk-dex.${DOMAIN}/dex | |
| JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-ldap: &ldap_env | |
| LDAP_TLS_VERIFY_CLIENT: try | |
| LDAP_ADMIN_USERNAME: "admin" | |
| LDAP_ADMIN_PASSWORD: "admin" | |
| LDAP_ROOT: "dc=example,dc=org" | |
| LDAP_CUSTOM_LDIF_DIR: "/ldifs" | |
| x-minio: &minio_env | |
| MINIO_ROOT_USER: minioadmin | |
| MINIO_ROOT_PASSWORD: minioadmin | |
| MINIO_DEFAULT_BUCKETS: 'sample' | |
| x-ui: &ui_env | |
| REACT_APP_TERRAKUBE_API_URL: https://tk-api.${DOMAIN}/api/v1/ | |
| REACT_APP_CLIENT_ID: example-app | |
| REACT_APP_AUTHORITY: https://tk-dex.${DOMAIN}/dex | |
| REACT_APP_REDIRECT_URI: https://tk.${DOMAIN} | |
| REACT_APP_REGISTRY_URI: https://tk-registry.${DOMAIN} | |
| REACT_APP_SCOPE: email openid profile offline_access groups | |
| JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-traefik_env: &traefik_env | |
| TRAEFIK_API_DASHBOARD: false | |
| TRAEFIK_ENTRYPOINTS_WEB: true | |
| TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":${TRAEFIK_HTTP_PORT}" | |
| TRAEFIK_ENTRYPOINTS_WEB_HTTP_ENCODEQUERYSEMICOLONS: true | |
| TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEQUERYSEMICOLONS: true | |
| TRAEFIK_ENTRYPOINTS_WEBSECURE: true | |
| TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":${TRAEFIK_HTTPS_PORT}" | |
| TRAEFIK_PROVIDERS_DOCKER: true | |
| TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false | |
| TRAEFIK_PROVIDERS_FILE_FILENAME: /etc/traefik_dynamic.yml | |
| ## Terrakube API | |
| x-traefik_api_labels: &traefik_api_labels | |
| traefik.enable: true | |
| ## Terrakube API HTTPS | |
| traefik.http.routers.terrakube-api-https.rule: Host(`tk-api.${DOMAIN}`) | |
| traefik.http.routers.terrakube-api-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-api-https.tls: true | |
| traefik.http.routers.terrakube-api-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.services.terrakube-api-https.loadbalancer.server.port: 8080 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-api-http.rule: Host(`tk-api.${DOMAIN}`) | |
| traefik.http.routers.terrakube-api-http.entrypoints: web | |
| traefik.http.routers.terrakube-api-http.middlewares: terrakube-api-redirect-https | |
| traefik.http.middlewares.terrakube-api-redirect-https.redirectscheme.scheme: https | |
| ## Traefik labels | |
| ## Terrakube Executor | |
| x-traefik_executor_labels: &traefik_executor_labels | |
| traefik.enable: true | |
| ## Terrakube executor HTTPS | |
| traefik.http.routers.terrakube-executor-https.rule: Host(`tk-executor.${DOMAIN}`) | |
| traefik.http.routers.terrakube-executor-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-executor-https.tls: true | |
| traefik.http.routers.terrakube-executor-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.services.terrakube-executor-https.loadbalancer.server.port: 8090 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-executor-http.rule: Host(`tk-executor.${DOMAIN}`) | |
| traefik.http.routers.terrakube-executor-http.entrypoints: web | |
| traefik.http.routers.terrakube-executor-http.middlewares: terrakube-executor-redirect-https | |
| traefik.http.middlewares.terrakube-executor-redirect-https.redirectscheme.scheme: https | |
| ## Terrakube UI | |
| x-traefik_ui_labels: &traefik_ui_labels | |
| traefik.enable: true | |
| ## Terrakube UI HTTPS | |
| traefik.http.routers.terrakube-ui-https.rule: Host(`tk.${DOMAIN}`) | |
| traefik.http.routers.terrakube-ui-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-ui-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.routers.terrakube-ui-https.tls: true | |
| traefik.http.services.terrakube-ui-https.loadbalancer.server.port: 8080 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-ui-http.rule: Host(`tk.${DOMAIN}`) | |
| traefik.http.routers.terrakube-ui-http.entrypoints: web | |
| traefik.http.routers.terrakube-ui-http.middlewares: terrakube-ui-redirect-https | |
| traefik.http.middlewares.terrakube-ui-redirect-https.redirectscheme.scheme: https | |
| x-traefik_dex_labels: &traefik_dex_labels | |
| traefik.enable: true | |
| ## Terrakube DEX HTTPS | |
| traefik.http.routers.terrakube-dex-https.rule: Host(`tk-dex.${DOMAIN}`) | |
| traefik.http.routers.terrakube-dex-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-dex-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.routers.terrakube-dex-https.tls: true | |
| traefik.http.services.terrakube-dex-https.loadbalancer.server.port: 5556 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-dex-http.rule: Host(`tk-dex.${DOMAIN}`) | |
| traefik.http.routers.terrakube-dex-http.entrypoints: web | |
| traefik.http.routers.terrakube-dex-http.middlewares: terrakube-dex-redirect-https | |
| traefik.http.middlewares.terrakube-dex-redirect-https.redirectscheme.scheme: https | |
| ## Allow CORs from Terrakube UI | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowmethods: GET, PATCH, PUT, POST, DELETE, HEAD, OPTIONS | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowheaders: > | |
| Content-Type, Accept, Authorization, X-Requested-With, Origin, * | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolalloworiginlist: https://tk.${DOMAIN} | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowcredentials: true | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accessControlExposeHeaders: > | |
| Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, | |
| Pragma, x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2, ETag | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolmaxage: 86400 | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.addvaryheader: true | |
| ## Terrakube registry | |
| x-traefik_registry_labels: &traefik_registry_labels | |
| traefik.enable: true | |
| ## Terrakube registry HTTPS | |
| traefik.http.routers.terrakube-registry-https.rule: Host(`tk-registry.${DOMAIN}`) | |
| traefik.http.routers.terrakube-registry-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-registry-https.tls: true | |
| traefik.http.routers.terrakube-registry-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.services.terrakube-registry-https.loadbalancer.server.port: 8075 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-registry-http.rule: Host(`tk-registry.${DOMAIN}`) | |
| traefik.http.routers.terrakube-registry-http.entrypoints: web | |
| traefik.http.routers.terrakube-registry-http.middlewares: terrakube-registry-redirect-https | |
| traefik.http.middlewares.terrakube-registry-redirect-https.redirectscheme.scheme: https | |
| ### Containers | |
| services: | |
| traefik: | |
| image: traefik:latest | |
| container_name: terrakube-traefik | |
| # Give Traefik a reserved IP address in your external network, pick something towards the end of the network to avoid conflicts | |
| networks: | |
| default: | |
| ipv4_address: $TRAEFIK_IPV4_ADDRESS | |
| environment: *traefik_env | |
| dns: *terrakube_dns | |
| ports: | |
| - $TRAEFIK_HTTP_PORT:80 | |
| - $TRAEFIK_HTTPS_PORT:443 | |
| volumes: | |
| - /var/run/docker.sock:/var/run/docker.sock:ro | |
| - ./traefik_dynamic.yml:/etc/traefik_dynamic.yml | |
| ## Uncomment for let's encrypt cert based off Domain | |
| # - /etc/letsencrypt/live/${DOMAIN}/privkey.pem:/letsencrypt/privkey.pem:ro | |
| # - /etc/letsencrypt/live/${DOMAIN}/fullchain.pem:/letsencrypt/fullchain.pem:ro | |
| restart: unless-stopped | |
| terrakube-api: | |
| image: azbuilder/api-server:${TK_VERSION} | |
| container_name: terrakube-api | |
| environment: | |
| <<: [*api_env] | |
| labels: *traefik_api_labels | |
| extra_hosts: *terrakube_hosts | |
| depends_on: | |
| - postgresql-service | |
| terrakube-ui: | |
| image: azbuilder/terrakube-ui:${TK_VERSION} | |
| container_name: terrakube-ui | |
| extra_hosts: *terrakube_hosts | |
| labels: *traefik_ui_labels | |
| volumes: | |
| - ./env-config.js:/app/env-config.js | |
| environment: | |
| <<: [*ui_env] | |
| terrakube-executor: | |
| dns: *terrakube_dns | |
| image: azbuilder/executor:${TK_VERSION} | |
| labels: *traefik_executor_labels | |
| extra_hosts: *terrakube_hosts | |
| container_name: terrakube-executor | |
| environment: | |
| <<: [*executor_env] | |
| terrakube-registry: | |
| dns: *terrakube_dns | |
| image: azbuilder/open-registry:${TK_VERSION} | |
| labels: *traefik_registry_labels | |
| extra_hosts: *terrakube_hosts | |
| container_name: terrakube-registry | |
| environment: | |
| <<: [*registry_env] | |
| terrakube-dex: | |
| image: ghcr.io/dexidp/dex:v2.37.0 | |
| extra_hosts: *terrakube_hosts | |
| labels: *traefik_dex_labels | |
| container_name: terrakube-dex | |
| volumes: | |
| - ./config-ldap.yaml:/etc/dex/config.docker.yaml | |
| ldap-service: | |
| image: bitnami/openldap:2.6.4-debian-11-r4 | |
| container_name: terrakube-ldap-service | |
| environment: *ldap_env | |
| volumes: | |
| - ./config-ldap.ldif:/ldifs/config-ldap.ldif | |
| minio: | |
| container_name: terrakube-minio | |
| image: docker.io/bitnami/minio:2022 | |
| environment: *minio_env | |
| volumes: | |
| - 'minio_data:/data' | |
| redis-service: | |
| image: bitnami/redis:7.0.10 | |
| container_name: terrakube-redis | |
| environment: | |
| - REDIS_REPLICATION_MODE=master | |
| - REDIS_PASSWORD=password123456 | |
| - REDIS_MASTER_PASSWORD=password123456 | |
| - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL | |
| volumes: | |
| - 'redis_data:/bitnami/redis/data' | |
| postgresql-service: | |
| image: docker.io/bitnami/postgresql:15 | |
| container_name: postgresql-service | |
| environment: | |
| - POSTGRESQL_USERNAME=terrakube | |
| - POSTGRESQL_PASSWORD=terrakubepassword | |
| - POSTGRESQL_DATABASE=terrakubedb | |
| volumes: | |
| - postgresql_data:/bitnami/postgresql | |
| volumes: | |
| minio_data: | |
| redis_data: | |
| postgresql_data: | |
| driver: local | |
| # External network is required, import its name below | |
| networks: | |
| default: | |
| name: $EXTERNAL_NETWORK_NAME | |
| external: true |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| window._env_ = { | |
| REACT_APP_TERRAKUBE_API_URL: "https://tk-api.${DOMAIN}/api/v1/", | |
| REACT_APP_CLIENT_ID: "example-app", | |
| REACT_APP_AUTHORITY: "https://tk-dex.${DOMAIN}/dex", | |
| REACT_APP_REDIRECT_URI: "https://tk.${DOMAIN}", | |
| REACT_APP_REGISTRY_URI: "https://tk-registry.${DOMAIN}", | |
| REACT_APP_SCOPE: "email openid profile offline_access groups", | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # tls: | |
| # stores: | |
| # default: | |
| # defaultCertificate: | |
| # certFile: /letsencrypt/fullchain.pem | |
| # keyFile: /letsencrypt/privkey.pem |
Hello @SolomonHD
I got it working.
I fixed just adding "x-terraform-get"
traefik.http.middlewares.terrakube-dex-allow-origin.headers.accessControlExposeHeaders: >
Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified,
Pragma, x-amz-server-side-encryption, x-terraform-get, x-amz-request-id, x-amz-id-2, ETag
YES! 🥳🥳 I have it working too. Great effort on this, so happy we got this working 😂😂
ETA: What's annoying is I tried * for headers in the beginning, but that's not allowed when using the Bearer token, you have to specify them,
I'm going clean up the config, remove anything unnecessary. Have a good weekend!
Hey @alfespa17, I re-deployed terrakube inside my company's network and I am still seeing a few issues.
- I can't pull modules from the registry. The
source = "tk.example.com/module/name/provider"is not working.
To confirm, I do not need API keys when running from within TK, correct? Only running Terraform CLI with TK as backend needs API keys.
I checked Minio and the module.zip uploads correctly. A 500 error occurs in the terminal and this error message in the registry container:
2024-04-16 02:16:04.891 INFO 1 --- [nio-8075-exec-9] o.t.r.p.s.aws.AwsStorageServiceImpl : Checking Aws S3 Object exist registry/aws/api-gate/aws/3.0.0/module.zip
2024-04-16 02:16:04.996 INFO 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl : Cloning https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git using 3.0.0
2024-04-16 02:16:05.115 ERROR 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl : Remote branch 'refs/tags/3.0.0' not found in upstream origin
2024-04-16 02:16:05.118 ERROR 1 --- [nio-8075-exec-9] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.zeroturnaround.zip.ZipException: Given directory '/home/cnb/.terraform-spring-boot/git/2d87dbc5-07f6-41a0-8929-c3477f8b0f52' doesn't contain any files!] with root cause
- After creating a workspace and applying a Terraform template, TK creates the resources and uploads the state file to Minio correctly, but the UI displays nothing in the Resources/Outputs tabs in the Overview. Also, the State tab is empty; the run is marked with a red failed box even when it completes successfully.
It appears to not be able to fully parse Minio. Can you try running a few templates in your setup to see if you can replicate? Do you think I'm missing additional headers?
Hello @SolomonHD to download modules from the registry you have two options:
-
Run
terraform login "TERRAKUBE-REGISTRY-HOSTNAME"andterraform login "TERRAKUBE-API-HOSTNAME"that will generate the credentials.tfrc.json file like the following:
-
The second option is to generate a Personal Access Token and you configure credentials in .terraformrc or terraform.rc
credentials "tk-registry.terrakubepoc.com" {
# valid user API token:
token = "xxxxxx.yyyyyy.zzzzzzzzzzzzz"
}
credentials "tk-api.terrakubepoc.com" {
# valid user API token:
token = "xxxxxx.yyyyyy.zzzzzzzzzzzzz"
}
By the way you will need to one credential for the registry and one for the api
For your second question I run a simple example and I can see the state and resources.
Regarding the registry error:
2024-04-16 02:16:04.996 INFO 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl : Cloning https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git using 3.0.0
2024-04-16 02:16:05.115 ERROR 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl : Remote branch 'refs/tags/3.0.0' not found in upstream origin
Make sure that inside your git repository there is a tag or release with name "3.0.0"
https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git
I hope this can help you
Hey @SolomonHD curious question were you able to fix the issue?
I've been busy on other projects last couple of weeks, getting back on this now. IIRC last I tried to replicate the issue on my local and I believe it worked normally like your example. I will test it again on my university infrastructure.
On a side note: Is it possible to get rid of env-config.js? The UI environment variables have the same values. It would clean up the configuration considerably.
I've been busy on other projects last couple of weeks, getting back on this now. IIRC last I tried to replicate the issue on my local and I believe it worked normally like your example. I will test it again on my university infrastructure.
On a side note: Is it possible to get rid of
env-config.js? The UI environment variables have the same values. It would clean up the configuration considerably.
Hello @SolomonHD you can't remove the env-config.js because it is used as an static file for the react UI, I think you could remove the environment variables for the UI those are no longer need it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The UI is doing a request to the registry, to this particular URL https://tk-registry.terrakubepoc.com/terraform/modules/v1/aws/iam/aws/v5.37.2/download.
That endpoint should include one custom response header called "x-terraform-get" that include the URL to download the module that is require for the UI.
I added some custom logs to the UI using version 2.19.2 but the responder header does not include the header "x-terraform-get", that is the reason for your issue.