Last active
April 27, 2025 19:57
-
-
Save SolomonHD/b55be40146b7a53b8f26fe244f5be52e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Prerequisites: | |
| # 1) Create a Docker IPv4 bridge network | |
| # 2) Pick an IPv4 Address for Traefik, use the end of the network range | |
| # 3) Pick a domain, recommend real DNS but faking is possible by editing the /etc/hosts file to point to Traefik's IPv4 address. | |
| # 4) Replace the ${DOMAIN} place holder in the config-ldap.yaml, and env-config.js and files with the domain. | |
| # 5) Get a valid certificate via Let's Encrypt or another method, recommend a wildcard cert | |
| # 6) Copy cert/private key as /etc/letsencrypt/live/${DOMAIN}/{privkey.pem, fullchain.pem}, Uncomment lines 233-234 in the docker.compose.yml file | |
| # Also uncomment the lines in traefik_dynamic.yaml after cert and key are in place | |
| # 7) Copy this file as '.env', fill out with the appropriate values | |
| ### Domain Names | |
| ## https://tk.${DOMAIN} # Main website, terrakube-ui | |
| ## https://tk-api.${DOMAIN} # API, terrakube-api | |
| ## https://tk-registry.${DOMAIN} # Registry, terrakube-registry | |
| ## https://tk-executor.${DOMAIN} # Executor, terrakube-executor | |
| ## https://tk-dex.${DOMAIN} # Dex, terrakube-dex | |
| # Required Variables | |
| DOMAIN= # Set domain | |
| EXTERNAL_NETWORK_NAME= # External network is required | |
| HOST_GATEWAY=host-gateway # Should be okay leaving as is, may have to change to Traefik's IPv4 address | |
| TK_OUTPUT_ACCESS_KEY=minioadmin | |
| TK_OUTPUT_ENDPOINT=http://terrakube-minio:9000 | |
| TK_OUTPUT_SECRET_KEY=minioadmin | |
| TK_OUTPUT_STORAGE_REGION=us-east-1 | |
| TK_OUTPUT_BUCKET_NAME=sample | |
| TK_VERSION=2.19.2 | |
| TRAEFIK_IPV4_ADDRESS= # Give Traefik a reserved IPv4 Address in your external network, pick something towards the end of the network to avoid conflicts | |
| TRAEFIK_HTTP_PORT=80 | |
| TRAEFIK_HTTPS_PORT=443 | |
| # Optional Variables | |
| DNS_IP_PUBLIC= |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .env | |
| .test |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dn: dc=example,dc=org | |
| dc: example | |
| objectClass: dcObject | |
| objectClass: organization | |
| o: Example, Inc | |
| dn: ou=users,dc=example,dc=org | |
| ou: users | |
| objectClass: organizationalunit | |
| dn: cn=lester,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Parkinson | |
| cn: Lester | |
| mail: [email protected] | |
| userpassword: admin | |
| dn: cn=grady,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Chambers | |
| cn: Grady | |
| mail: [email protected] | |
| userpassword: azure | |
| dn: cn=saarah,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Lott | |
| cn: Saarah | |
| mail: [email protected] | |
| userpassword: aws | |
| dn: cn=eugene,ou=users,dc=example,dc=org | |
| objectClass: inetOrgPerson | |
| sn: Monaghan | |
| cn: Eugene | |
| mail: [email protected] | |
| userpassword: gcp | |
| # Group definitions. | |
| dn: ou=Groups,dc=example,dc=org | |
| objectClass: organizationalUnit | |
| ou: Groups | |
| dn: cn=TERRAKUBE_ADMIN,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: TERRAKUBE_ADMIN | |
| member: cn=lester,ou=users,dc=example,dc=org | |
| dn: cn=TERRAKUBE_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: TERRAKUBE_DEVELOPERS | |
| member: cn=lester,ou=users,dc=example,dc=org | |
| dn: cn=AZURE_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: AZURE_DEVELOPERS | |
| member: cn=saarah,ou=users,dc=example,dc=org | |
| dn: cn=AWS_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: AWS_DEVELOPERS | |
| member: cn=grady,ou=users,dc=example,dc=org | |
| dn: cn=GCP_DEVELOPERS,ou=Groups,dc=example,dc=org | |
| objectClass: groupOfNames | |
| cn: GCP_DEVELOPERS | |
| member: cn=eugene,ou=users,dc=example,dc=org |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # REPLACE ${DOMAIN} with the base domain! | |
| issuer: https://tk-dex.${DOMAIN}/dex | |
| storage: | |
| type: memory | |
| web: | |
| http: 0.0.0.0:5556 | |
| allowedOrigins: ["*"] | |
| oauth2: | |
| responseTypes: ["code", "token", "id_token"] | |
| connectors: | |
| - type: ldap | |
| name: OpenLDAP | |
| id: ldap | |
| config: | |
| # The following configurations seem to work with OpenLDAP: | |
| # | |
| # 1) Plain LDAP, without TLS: | |
| host: terrakube-ldap-service:1389 | |
| insecureNoSSL: true | |
| insecureSkipVerify: true | |
| # | |
| # 2) LDAPS without certificate validation: | |
| #host: localhost:636 | |
| #insecureNoSSL: false | |
| #insecureSkipVerify: true | |
| # | |
| # 3) LDAPS with certificate validation: | |
| #host: YOUR-HOSTNAME:636 | |
| #insecureNoSSL: false | |
| #insecureSkipVerify: false | |
| #rootCAData: 'CERT' | |
| # ...where CERT="$( base64 -w 0 your-cert.crt )" | |
| # This would normally be a read-only user. | |
| bindDN: cn=admin,dc=example,dc=org | |
| bindPW: admin | |
| usernamePrompt: Email Address | |
| userSearch: | |
| baseDN: ou=users,dc=example,dc=org | |
| filter: "(objectClass=person)" | |
| username: mail | |
| # "DN" (case sensitive) is a special attribute name. It indicates that | |
| # this value should be taken from the entity's DN not an attribute on | |
| # the entity. | |
| idAttr: DN | |
| emailAttr: mail | |
| nameAttr: cn | |
| groupSearch: | |
| baseDN: ou=Groups,dc=example,dc=org | |
| filter: "(objectClass=groupOfNames)" | |
| userMatchers: | |
| # A user is a member of a group when their DN matches | |
| # the value of a "member" attribute on the group entity. | |
| - userAttr: DN | |
| groupAttr: member | |
| # The group name should be the "cn" value. | |
| nameAttr: cn | |
| staticClients: | |
| - id: example-app | |
| redirectURIs: | |
| - "https://tk.${DOMAIN}" | |
| - "https://tk-api.${DOMAIN}" | |
| - "https://tk-dex.${DOMAIN}" | |
| - "/device/callback" | |
| - "http://localhost:3000/login" | |
| - "http://localhost:10001/login" | |
| name: "Example App" | |
| #secret: ZXhhbXBsZS1hcHAtc2VjcmV0 | |
| public: true |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: "3.8" | |
| ### DNS #### | |
| x-terrakube_dns: &terrakube_dns | |
| - ${DNS_IP_PUBLIC:-1.1.1.1} | |
| #### Extra Hosts ##### | |
| x-terrakube_hosts: &terrakube_hosts | |
| - "tk-api.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk-dex.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk-executor.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk.${DOMAIN}:${HOST_GATEWAY}" | |
| - "tk-registry.${DOMAIN}:${HOST_GATEWAY}" | |
| #### Container Environment Variables ##### | |
| x-api: &api_env | |
| ApiDataSourceType: POSTGRESQL | |
| DatasourceHostname: postgresql-service | |
| DatasourceDatabase: terrakubedb | |
| DatasourceUser: terrakube | |
| DatasourcePassword: terrakubepassword | |
| GroupValidationType: DEX | |
| UserValidationType: DEX | |
| AuthenticationValidationType: DEX | |
| TerrakubeHostname: https://tk-api.${DOMAIN} | |
| AzBuilderExecutorUrl: https://tk-executor.${DOMAIN}/api/v1/terraform-rs | |
| PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g= | |
| InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM= | |
| DexIssuerUri: https://tk-dex.${DOMAIN}/dex | |
| StorageType: AWS | |
| AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION | |
| AwsEndpoint: $TK_OUTPUT_ENDPOINT | |
| TerrakubeUiURL: https://tk.${DOMAIN} | |
| spring_profiles_active: demo | |
| DexClientId: example-app | |
| CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json" | |
| TerrakubeRedisHostname: terrakube-redis | |
| TerrakubeRedisPort: 6379 | |
| TerrakubeRedisPassword: password123456 | |
| JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-executor: &executor_env | |
| TerrakubeEnableSecurity: true | |
| InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM= | |
| TerraformStateType: AwsTerraformStateImpl | |
| AwsTerraformStateAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsTerraformStateSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsTerraformStateBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsTerraformStateRegion: us-east-1 | |
| AwsEndpoint: $TK_OUTPUT_ENDPOINT | |
| TerraformOutputType: AwsTerraformOutputImpl | |
| AwsTerraformOutputAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsTerraformOutputSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsTerraformOutputBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsTerraformOutputRegion: us-east-1 | |
| AzBuilderApiUrl: https://tk-api.${DOMAIN} | |
| ExecutorFlagBatch: false | |
| ExecutorFlagDisableAcknowledge: false | |
| TerrakubeToolsRepository: https://github.com/AzBuilder/terrakube-extensions.git | |
| TerrakubeToolsBranch: main | |
| TerrakubeRegistryDomain: tk-registry.${DOMAIN} | |
| TerrakubeApiUrl: https://tk-api.${DOMAIN} | |
| CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json" | |
| TerrakubeRedisHostname: terrakube-redis | |
| TerrakubeRedisPort: 6379 | |
| TerrakubeRedisPassword: password123456 | |
| JAVA_TOOL_OPTIONS: > | |
| -Xmx512m -Xms256m -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-registry: ®istry_env | |
| AzBuilderRegistry: https://tk-registry.${DOMAIN} | |
| AzBuilderApiUrl: https://tk-api.${DOMAIN} | |
| AuthenticationValidationTypeRegistry: DEX | |
| TerrakubeEnableSecurity: true | |
| DexIssuerUri: https://tk-dex.${DOMAIN}/dex | |
| TerrakubeUiURL: https://tk.${DOMAIN} | |
| PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g= | |
| InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM= | |
| RegistryStorageType: AwsStorageImpl | |
| AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY | |
| AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY | |
| AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME | |
| AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION | |
| AwsEndpoint: $TK_OUTPUT_ENDPOINT | |
| AppClientId: example-app | |
| AppIssuerUri: https://tk-dex.${DOMAIN}/dex | |
| JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-ldap: &ldap_env | |
| LDAP_TLS_VERIFY_CLIENT: try | |
| LDAP_ADMIN_USERNAME: "admin" | |
| LDAP_ADMIN_PASSWORD: "admin" | |
| LDAP_ROOT: "dc=example,dc=org" | |
| LDAP_CUSTOM_LDIF_DIR: "/ldifs" | |
| x-minio: &minio_env | |
| MINIO_ROOT_USER: minioadmin | |
| MINIO_ROOT_PASSWORD: minioadmin | |
| MINIO_DEFAULT_BUCKETS: 'sample' | |
| x-ui: &ui_env | |
| REACT_APP_TERRAKUBE_API_URL: https://tk-api.${DOMAIN}/api/v1/ | |
| REACT_APP_CLIENT_ID: example-app | |
| REACT_APP_AUTHORITY: https://tk-dex.${DOMAIN}/dex | |
| REACT_APP_REDIRECT_URI: https://tk.${DOMAIN} | |
| REACT_APP_REGISTRY_URI: https://tk-registry.${DOMAIN} | |
| REACT_APP_SCOPE: email openid profile offline_access groups | |
| JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true | |
| x-traefik_env: &traefik_env | |
| TRAEFIK_API_DASHBOARD: false | |
| TRAEFIK_ENTRYPOINTS_WEB: true | |
| TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":${TRAEFIK_HTTP_PORT}" | |
| TRAEFIK_ENTRYPOINTS_WEB_HTTP_ENCODEQUERYSEMICOLONS: true | |
| TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEQUERYSEMICOLONS: true | |
| TRAEFIK_ENTRYPOINTS_WEBSECURE: true | |
| TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":${TRAEFIK_HTTPS_PORT}" | |
| TRAEFIK_PROVIDERS_DOCKER: true | |
| TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false | |
| TRAEFIK_PROVIDERS_FILE_FILENAME: /etc/traefik_dynamic.yml | |
| ## Terrakube API | |
| x-traefik_api_labels: &traefik_api_labels | |
| traefik.enable: true | |
| ## Terrakube API HTTPS | |
| traefik.http.routers.terrakube-api-https.rule: Host(`tk-api.${DOMAIN}`) | |
| traefik.http.routers.terrakube-api-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-api-https.tls: true | |
| traefik.http.routers.terrakube-api-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.services.terrakube-api-https.loadbalancer.server.port: 8080 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-api-http.rule: Host(`tk-api.${DOMAIN}`) | |
| traefik.http.routers.terrakube-api-http.entrypoints: web | |
| traefik.http.routers.terrakube-api-http.middlewares: terrakube-api-redirect-https | |
| traefik.http.middlewares.terrakube-api-redirect-https.redirectscheme.scheme: https | |
| ## Traefik labels | |
| ## Terrakube Executor | |
| x-traefik_executor_labels: &traefik_executor_labels | |
| traefik.enable: true | |
| ## Terrakube executor HTTPS | |
| traefik.http.routers.terrakube-executor-https.rule: Host(`tk-executor.${DOMAIN}`) | |
| traefik.http.routers.terrakube-executor-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-executor-https.tls: true | |
| traefik.http.routers.terrakube-executor-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.services.terrakube-executor-https.loadbalancer.server.port: 8090 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-executor-http.rule: Host(`tk-executor.${DOMAIN}`) | |
| traefik.http.routers.terrakube-executor-http.entrypoints: web | |
| traefik.http.routers.terrakube-executor-http.middlewares: terrakube-executor-redirect-https | |
| traefik.http.middlewares.terrakube-executor-redirect-https.redirectscheme.scheme: https | |
| ## Terrakube UI | |
| x-traefik_ui_labels: &traefik_ui_labels | |
| traefik.enable: true | |
| ## Terrakube UI HTTPS | |
| traefik.http.routers.terrakube-ui-https.rule: Host(`tk.${DOMAIN}`) | |
| traefik.http.routers.terrakube-ui-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-ui-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.routers.terrakube-ui-https.tls: true | |
| traefik.http.services.terrakube-ui-https.loadbalancer.server.port: 8080 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-ui-http.rule: Host(`tk.${DOMAIN}`) | |
| traefik.http.routers.terrakube-ui-http.entrypoints: web | |
| traefik.http.routers.terrakube-ui-http.middlewares: terrakube-ui-redirect-https | |
| traefik.http.middlewares.terrakube-ui-redirect-https.redirectscheme.scheme: https | |
| x-traefik_dex_labels: &traefik_dex_labels | |
| traefik.enable: true | |
| ## Terrakube DEX HTTPS | |
| traefik.http.routers.terrakube-dex-https.rule: Host(`tk-dex.${DOMAIN}`) | |
| traefik.http.routers.terrakube-dex-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-dex-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.routers.terrakube-dex-https.tls: true | |
| traefik.http.services.terrakube-dex-https.loadbalancer.server.port: 5556 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-dex-http.rule: Host(`tk-dex.${DOMAIN}`) | |
| traefik.http.routers.terrakube-dex-http.entrypoints: web | |
| traefik.http.routers.terrakube-dex-http.middlewares: terrakube-dex-redirect-https | |
| traefik.http.middlewares.terrakube-dex-redirect-https.redirectscheme.scheme: https | |
| ## Allow CORs from Terrakube UI | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowmethods: GET, PATCH, PUT, POST, DELETE, HEAD, OPTIONS | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowheaders: > | |
| Content-Type, Accept, Authorization, X-Requested-With, Origin, * | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolalloworiginlist: https://tk.${DOMAIN} | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowcredentials: true | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accessControlExposeHeaders: > | |
| Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, | |
| Pragma, x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2, ETag | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolmaxage: 86400 | |
| traefik.http.middlewares.terrakube-dex-allow-origin.headers.addvaryheader: true | |
| ## Terrakube registry | |
| x-traefik_registry_labels: &traefik_registry_labels | |
| traefik.enable: true | |
| ## Terrakube registry HTTPS | |
| traefik.http.routers.terrakube-registry-https.rule: Host(`tk-registry.${DOMAIN}`) | |
| traefik.http.routers.terrakube-registry-https.entrypoints: websecure | |
| traefik.http.routers.terrakube-registry-https.tls: true | |
| traefik.http.routers.terrakube-registry-https.middlewares: terrakube-dex-allow-origin | |
| traefik.http.services.terrakube-registry-https.loadbalancer.server.port: 8075 | |
| ## Redirect to HTTPS | |
| traefik.http.routers.terrakube-registry-http.rule: Host(`tk-registry.${DOMAIN}`) | |
| traefik.http.routers.terrakube-registry-http.entrypoints: web | |
| traefik.http.routers.terrakube-registry-http.middlewares: terrakube-registry-redirect-https | |
| traefik.http.middlewares.terrakube-registry-redirect-https.redirectscheme.scheme: https | |
| ### Containers | |
| services: | |
| traefik: | |
| image: traefik:latest | |
| container_name: terrakube-traefik | |
| # Give Traefik a reserved IP address in your external network, pick something towards the end of the network to avoid conflicts | |
| networks: | |
| default: | |
| ipv4_address: $TRAEFIK_IPV4_ADDRESS | |
| environment: *traefik_env | |
| dns: *terrakube_dns | |
| ports: | |
| - $TRAEFIK_HTTP_PORT:80 | |
| - $TRAEFIK_HTTPS_PORT:443 | |
| volumes: | |
| - /var/run/docker.sock:/var/run/docker.sock:ro | |
| - ./traefik_dynamic.yml:/etc/traefik_dynamic.yml | |
| ## Uncomment for let's encrypt cert based off Domain | |
| # - /etc/letsencrypt/live/${DOMAIN}/privkey.pem:/letsencrypt/privkey.pem:ro | |
| # - /etc/letsencrypt/live/${DOMAIN}/fullchain.pem:/letsencrypt/fullchain.pem:ro | |
| restart: unless-stopped | |
| terrakube-api: | |
| image: azbuilder/api-server:${TK_VERSION} | |
| container_name: terrakube-api | |
| environment: | |
| <<: [*api_env] | |
| labels: *traefik_api_labels | |
| extra_hosts: *terrakube_hosts | |
| depends_on: | |
| - postgresql-service | |
| terrakube-ui: | |
| image: azbuilder/terrakube-ui:${TK_VERSION} | |
| container_name: terrakube-ui | |
| extra_hosts: *terrakube_hosts | |
| labels: *traefik_ui_labels | |
| volumes: | |
| - ./env-config.js:/app/env-config.js | |
| environment: | |
| <<: [*ui_env] | |
| terrakube-executor: | |
| dns: *terrakube_dns | |
| image: azbuilder/executor:${TK_VERSION} | |
| labels: *traefik_executor_labels | |
| extra_hosts: *terrakube_hosts | |
| container_name: terrakube-executor | |
| environment: | |
| <<: [*executor_env] | |
| terrakube-registry: | |
| dns: *terrakube_dns | |
| image: azbuilder/open-registry:${TK_VERSION} | |
| labels: *traefik_registry_labels | |
| extra_hosts: *terrakube_hosts | |
| container_name: terrakube-registry | |
| environment: | |
| <<: [*registry_env] | |
| terrakube-dex: | |
| image: ghcr.io/dexidp/dex:v2.37.0 | |
| extra_hosts: *terrakube_hosts | |
| labels: *traefik_dex_labels | |
| container_name: terrakube-dex | |
| volumes: | |
| - ./config-ldap.yaml:/etc/dex/config.docker.yaml | |
| ldap-service: | |
| image: bitnami/openldap:2.6.4-debian-11-r4 | |
| container_name: terrakube-ldap-service | |
| environment: *ldap_env | |
| volumes: | |
| - ./config-ldap.ldif:/ldifs/config-ldap.ldif | |
| minio: | |
| container_name: terrakube-minio | |
| image: docker.io/bitnami/minio:2022 | |
| environment: *minio_env | |
| volumes: | |
| - 'minio_data:/data' | |
| redis-service: | |
| image: bitnami/redis:7.0.10 | |
| container_name: terrakube-redis | |
| environment: | |
| - REDIS_REPLICATION_MODE=master | |
| - REDIS_PASSWORD=password123456 | |
| - REDIS_MASTER_PASSWORD=password123456 | |
| - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL | |
| volumes: | |
| - 'redis_data:/bitnami/redis/data' | |
| postgresql-service: | |
| image: docker.io/bitnami/postgresql:15 | |
| container_name: postgresql-service | |
| environment: | |
| - POSTGRESQL_USERNAME=terrakube | |
| - POSTGRESQL_PASSWORD=terrakubepassword | |
| - POSTGRESQL_DATABASE=terrakubedb | |
| volumes: | |
| - postgresql_data:/bitnami/postgresql | |
| volumes: | |
| minio_data: | |
| redis_data: | |
| postgresql_data: | |
| driver: local | |
| # External network is required, import its name below | |
| networks: | |
| default: | |
| name: $EXTERNAL_NETWORK_NAME | |
| external: true |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| window._env_ = { | |
| REACT_APP_TERRAKUBE_API_URL: "https://tk-api.${DOMAIN}/api/v1/", | |
| REACT_APP_CLIENT_ID: "example-app", | |
| REACT_APP_AUTHORITY: "https://tk-dex.${DOMAIN}/dex", | |
| REACT_APP_REDIRECT_URI: "https://tk.${DOMAIN}", | |
| REACT_APP_REGISTRY_URI: "https://tk-registry.${DOMAIN}", | |
| REACT_APP_SCOPE: "email openid profile offline_access groups", | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # tls: | |
| # stores: | |
| # default: | |
| # defaultCertificate: | |
| # certFile: /letsencrypt/fullchain.pem | |
| # keyFile: /letsencrypt/privkey.pem |
Hello @SolomonHD to download modules from the registry you have two options:
-
Run
terraform login "TERRAKUBE-REGISTRY-HOSTNAME"andterraform login "TERRAKUBE-API-HOSTNAME"that will generate the credentials.tfrc.json file like the following:
-
The second option is to generate a Personal Access Token and you configure credentials in .terraformrc or terraform.rc
credentials "tk-registry.terrakubepoc.com" {
# valid user API token:
token = "xxxxxx.yyyyyy.zzzzzzzzzzzzz"
}
credentials "tk-api.terrakubepoc.com" {
# valid user API token:
token = "xxxxxx.yyyyyy.zzzzzzzzzzzzz"
}
By the way you will need to one credential for the registry and one for the api
For your second question I run a simple example and I can see the state and resources.
Regarding the registry error:
2024-04-16 02:16:04.996 INFO 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl : Cloning https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git using 3.0.0
2024-04-16 02:16:05.115 ERROR 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl : Remote branch 'refs/tags/3.0.0' not found in upstream origin
Make sure that inside your git repository there is a tag or release with name "3.0.0"
https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git
I hope this can help you
Hey @SolomonHD curious question were you able to fix the issue?
I've been busy on other projects last couple of weeks, getting back on this now. IIRC last I tried to replicate the issue on my local and I believe it worked normally like your example. I will test it again on my university infrastructure.
On a side note: Is it possible to get rid of env-config.js? The UI environment variables have the same values. It would clean up the configuration considerably.
I've been busy on other projects last couple of weeks, getting back on this now. IIRC last I tried to replicate the issue on my local and I believe it worked normally like your example. I will test it again on my university infrastructure.
On a side note: Is it possible to get rid of
env-config.js? The UI environment variables have the same values. It would clean up the configuration considerably.
Hello @SolomonHD you can't remove the env-config.js because it is used as an static file for the react UI, I think you could remove the environment variables for the UI those are no longer need it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey @alfespa17, I re-deployed terrakube inside my company's network and I am still seeing a few issues.
source = "tk.example.com/module/name/provider"is not working.To confirm, I do not need API keys when running from within TK, correct? Only running Terraform CLI with TK as backend needs API keys.
I checked Minio and the module.zip uploads correctly. A 500 error occurs in the terminal and this error message in the registry container:
It appears to not be able to fully parse Minio. Can you try running a few templates in your setup to see if you can replicate? Do you think I'm missing additional headers?