Skip to content

Instantly share code, notes, and snippets.

@SolomonHD

SolomonHD/.env.example

Last active April 27, 2025 19:57
Show Gist options
  • Save SolomonHD/b55be40146b7a53b8f26fe244f5be52e to your computer and use it in GitHub Desktop.
Save SolomonHD/b55be40146b7a53b8f26fe244f5be52e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
.env.example
## Prerequisites:
# 1) Create a Docker IPv4 bridge network
# 2) Pick an IPv4 Address for Traefik, use the end of the network range
# 3) Pick a domain, recommend real DNS but faking is possible by editing the /etc/hosts file to point to Traefik's IPv4 address.
# 4) Replace the ${DOMAIN} place holder in the config-ldap.yaml, and env-config.js and files with the domain.
# 5) Get a valid certificate via Let's Encrypt or another method, recommend a wildcard cert
# 6) Copy cert/private key as /etc/letsencrypt/live/${DOMAIN}/{privkey.pem, fullchain.pem}, Uncomment lines 233-234 in the docker.compose.yml file
# Also uncomment the lines in traefik_dynamic.yaml after cert and key are in place
# 7) Copy this file as '.env', fill out with the appropriate values
### Domain Names
## https://tk.${DOMAIN} # Main website, terrakube-ui
## https://tk-api.${DOMAIN} # API, terrakube-api
## https://tk-registry.${DOMAIN} # Registry, terrakube-registry
## https://tk-executor.${DOMAIN} # Executor, terrakube-executor
## https://tk-dex.${DOMAIN} # Dex, terrakube-dex
# Required Variables
DOMAIN= # Set domain
EXTERNAL_NETWORK_NAME= # External network is required
HOST_GATEWAY=host-gateway # Should be okay leaving as is, may have to change to Traefik's IPv4 address
TK_OUTPUT_ACCESS_KEY=minioadmin
TK_OUTPUT_ENDPOINT=http://terrakube-minio:9000
TK_OUTPUT_SECRET_KEY=minioadmin
TK_OUTPUT_STORAGE_REGION=us-east-1
TK_OUTPUT_BUCKET_NAME=sample
TK_VERSION=2.19.2
TRAEFIK_IPV4_ADDRESS= # Give Traefik a reserved IPv4 Address in your external network, pick something towards the end of the network to avoid conflicts
TRAEFIK_HTTP_PORT=80
TRAEFIK_HTTPS_PORT=443
# Optional Variables
DNS_IP_PUBLIC=
Raw
config-ldap.ldif
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organization
o: Example, Inc
dn: ou=users,dc=example,dc=org
ou: users
objectClass: organizationalunit
dn: cn=lester,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Parkinson
cn: Lester
mail: [email protected]
userpassword: admin
dn: cn=grady,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Chambers
cn: Grady
mail: [email protected]
userpassword: azure
dn: cn=saarah,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Lott
cn: Saarah
mail: [email protected]
userpassword: aws
dn: cn=eugene,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Monaghan
cn: Eugene
mail: [email protected]
userpassword: gcp
# Group definitions.
dn: ou=Groups,dc=example,dc=org
objectClass: organizationalUnit
ou: Groups
dn: cn=TERRAKUBE_ADMIN,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: TERRAKUBE_ADMIN
member: cn=lester,ou=users,dc=example,dc=org
dn: cn=TERRAKUBE_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: TERRAKUBE_DEVELOPERS
member: cn=lester,ou=users,dc=example,dc=org
dn: cn=AZURE_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: AZURE_DEVELOPERS
member: cn=saarah,ou=users,dc=example,dc=org
dn: cn=AWS_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: AWS_DEVELOPERS
member: cn=grady,ou=users,dc=example,dc=org
dn: cn=GCP_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: GCP_DEVELOPERS
member: cn=eugene,ou=users,dc=example,dc=org
Raw
config-ldap.yaml
# REPLACE ${DOMAIN} with the base domain!
issuer: https://tk-dex.${DOMAIN}/dex
storage:
type: memory
web:
http: 0.0.0.0:5556
allowedOrigins: ["*"]
oauth2:
responseTypes: ["code", "token", "id_token"]
connectors:
- type: ldap
name: OpenLDAP
id: ldap
config:
# The following configurations seem to work with OpenLDAP:
#
# 1) Plain LDAP, without TLS:
host: terrakube-ldap-service:1389
insecureNoSSL: true
insecureSkipVerify: true
#
# 2) LDAPS without certificate validation:
#host: localhost:636
#insecureNoSSL: false
#insecureSkipVerify: true
#
# 3) LDAPS with certificate validation:
#host: YOUR-HOSTNAME:636
#insecureNoSSL: false
#insecureSkipVerify: false
#rootCAData: 'CERT'
# ...where CERT="$( base64 -w 0 your-cert.crt )"
# This would normally be a read-only user.
bindDN: cn=admin,dc=example,dc=org
bindPW: admin
usernamePrompt: Email Address
userSearch:
baseDN: ou=users,dc=example,dc=org
filter: "(objectClass=person)"
username: mail
# "DN" (case sensitive) is a special attribute name. It indicates that
# this value should be taken from the entity's DN not an attribute on
# the entity.
idAttr: DN
emailAttr: mail
nameAttr: cn
groupSearch:
baseDN: ou=Groups,dc=example,dc=org
filter: "(objectClass=groupOfNames)"
userMatchers:
# A user is a member of a group when their DN matches
# the value of a "member" attribute on the group entity.
- userAttr: DN
groupAttr: member
# The group name should be the "cn" value.
nameAttr: cn
staticClients:
- id: example-app
redirectURIs:
- "https://tk.${DOMAIN}"
- "https://tk-api.${DOMAIN}"
- "https://tk-dex.${DOMAIN}"
- "/device/callback"
- "http://localhost:3000/login"
- "http://localhost:10001/login"
name: "Example App"
#secret: ZXhhbXBsZS1hcHAtc2VjcmV0
public: true
Raw
docker-compose.yml
version: "3.8"
### DNS ####
x-terrakube_dns: &terrakube_dns
- ${DNS_IP_PUBLIC:-1.1.1.1}
#### Extra Hosts #####
x-terrakube_hosts: &terrakube_hosts
- "tk-api.${DOMAIN}:${HOST_GATEWAY}"
- "tk-dex.${DOMAIN}:${HOST_GATEWAY}"
- "tk-executor.${DOMAIN}:${HOST_GATEWAY}"
- "tk.${DOMAIN}:${HOST_GATEWAY}"
- "tk-registry.${DOMAIN}:${HOST_GATEWAY}"
#### Container Environment Variables #####
x-api: &api_env
ApiDataSourceType: POSTGRESQL
DatasourceHostname: postgresql-service
DatasourceDatabase: terrakubedb
DatasourceUser: terrakube
DatasourcePassword: terrakubepassword
GroupValidationType: DEX
UserValidationType: DEX
AuthenticationValidationType: DEX
TerrakubeHostname: https://tk-api.${DOMAIN}
AzBuilderExecutorUrl: https://tk-executor.${DOMAIN}/api/v1/terraform-rs
PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g=
InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=
DexIssuerUri: https://tk-dex.${DOMAIN}/dex
StorageType: AWS
AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY
AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY
AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME
AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION
AwsEndpoint: $TK_OUTPUT_ENDPOINT
TerrakubeUiURL: https://tk.${DOMAIN}
spring_profiles_active: demo
DexClientId: example-app
CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json"
TerrakubeRedisHostname: terrakube-redis
TerrakubeRedisPort: 6379
TerrakubeRedisPassword: password123456
JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true
x-executor: &executor_env
TerrakubeEnableSecurity: true
InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=
TerraformStateType: AwsTerraformStateImpl
AwsTerraformStateAccessKey: $TK_OUTPUT_ACCESS_KEY
AwsTerraformStateSecretKey: $TK_OUTPUT_SECRET_KEY
AwsTerraformStateBucketName: $TK_OUTPUT_BUCKET_NAME
AwsTerraformStateRegion: us-east-1
AwsEndpoint: $TK_OUTPUT_ENDPOINT
TerraformOutputType: AwsTerraformOutputImpl
AwsTerraformOutputAccessKey: $TK_OUTPUT_ACCESS_KEY
AwsTerraformOutputSecretKey: $TK_OUTPUT_SECRET_KEY
AwsTerraformOutputBucketName: $TK_OUTPUT_BUCKET_NAME
AwsTerraformOutputRegion: us-east-1
AzBuilderApiUrl: https://tk-api.${DOMAIN}
ExecutorFlagBatch: false
ExecutorFlagDisableAcknowledge: false
TerrakubeToolsRepository: https://github.com/AzBuilder/terrakube-extensions.git
TerrakubeToolsBranch: main
TerrakubeRegistryDomain: tk-registry.${DOMAIN}
TerrakubeApiUrl: https://tk-api.${DOMAIN}
CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json"
TerrakubeRedisHostname: terrakube-redis
TerrakubeRedisPort: 6379
TerrakubeRedisPassword: password123456
JAVA_TOOL_OPTIONS: >
-Xmx512m -Xms256m -Dcom.sun.security.enableAIAcaIssuers=true
x-registry: &registry_env
AzBuilderRegistry: https://tk-registry.${DOMAIN}
AzBuilderApiUrl: https://tk-api.${DOMAIN}
AuthenticationValidationTypeRegistry: DEX
TerrakubeEnableSecurity: true
DexIssuerUri: https://tk-dex.${DOMAIN}/dex
TerrakubeUiURL: https://tk.${DOMAIN}
PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g=
InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=
RegistryStorageType: AwsStorageImpl
AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY
AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY
AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME
AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION
AwsEndpoint: $TK_OUTPUT_ENDPOINT
AppClientId: example-app
AppIssuerUri: https://tk-dex.${DOMAIN}/dex
JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true
x-ldap: &ldap_env
LDAP_TLS_VERIFY_CLIENT: try
LDAP_ADMIN_USERNAME: "admin"
LDAP_ADMIN_PASSWORD: "admin"
LDAP_ROOT: "dc=example,dc=org"
LDAP_CUSTOM_LDIF_DIR: "/ldifs"
x-minio: &minio_env
MINIO_ROOT_USER: minioadmin
MINIO_ROOT_PASSWORD: minioadmin
MINIO_DEFAULT_BUCKETS: 'sample'
x-ui: &ui_env
REACT_APP_TERRAKUBE_API_URL: https://tk-api.${DOMAIN}/api/v1/
REACT_APP_CLIENT_ID: example-app
REACT_APP_AUTHORITY: https://tk-dex.${DOMAIN}/dex
REACT_APP_REDIRECT_URI: https://tk.${DOMAIN}
REACT_APP_REGISTRY_URI: https://tk-registry.${DOMAIN}
REACT_APP_SCOPE: email openid profile offline_access groups
JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true
x-traefik_env: &traefik_env
TRAEFIK_API_DASHBOARD: false
TRAEFIK_ENTRYPOINTS_WEB: true
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":${TRAEFIK_HTTP_PORT}"
TRAEFIK_ENTRYPOINTS_WEB_HTTP_ENCODEQUERYSEMICOLONS: true
TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEQUERYSEMICOLONS: true
TRAEFIK_ENTRYPOINTS_WEBSECURE: true
TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":${TRAEFIK_HTTPS_PORT}"
TRAEFIK_PROVIDERS_DOCKER: true
TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
TRAEFIK_PROVIDERS_FILE_FILENAME: /etc/traefik_dynamic.yml
## Terrakube API
x-traefik_api_labels: &traefik_api_labels
traefik.enable: true
## Terrakube API HTTPS
traefik.http.routers.terrakube-api-https.rule: Host(`tk-api.${DOMAIN}`)
traefik.http.routers.terrakube-api-https.entrypoints: websecure
traefik.http.routers.terrakube-api-https.tls: true
traefik.http.routers.terrakube-api-https.middlewares: terrakube-dex-allow-origin
traefik.http.services.terrakube-api-https.loadbalancer.server.port: 8080
## Redirect to HTTPS
traefik.http.routers.terrakube-api-http.rule: Host(`tk-api.${DOMAIN}`)
traefik.http.routers.terrakube-api-http.entrypoints: web
traefik.http.routers.terrakube-api-http.middlewares: terrakube-api-redirect-https
traefik.http.middlewares.terrakube-api-redirect-https.redirectscheme.scheme: https
## Traefik labels
## Terrakube Executor
x-traefik_executor_labels: &traefik_executor_labels
traefik.enable: true
## Terrakube executor HTTPS
traefik.http.routers.terrakube-executor-https.rule: Host(`tk-executor.${DOMAIN}`)
traefik.http.routers.terrakube-executor-https.entrypoints: websecure
traefik.http.routers.terrakube-executor-https.tls: true
traefik.http.routers.terrakube-executor-https.middlewares: terrakube-dex-allow-origin
traefik.http.services.terrakube-executor-https.loadbalancer.server.port: 8090
## Redirect to HTTPS
traefik.http.routers.terrakube-executor-http.rule: Host(`tk-executor.${DOMAIN}`)
traefik.http.routers.terrakube-executor-http.entrypoints: web
traefik.http.routers.terrakube-executor-http.middlewares: terrakube-executor-redirect-https
traefik.http.middlewares.terrakube-executor-redirect-https.redirectscheme.scheme: https
## Terrakube UI
x-traefik_ui_labels: &traefik_ui_labels
traefik.enable: true
## Terrakube UI HTTPS
traefik.http.routers.terrakube-ui-https.rule: Host(`tk.${DOMAIN}`)
traefik.http.routers.terrakube-ui-https.entrypoints: websecure
traefik.http.routers.terrakube-ui-https.middlewares: terrakube-dex-allow-origin
traefik.http.routers.terrakube-ui-https.tls: true
traefik.http.services.terrakube-ui-https.loadbalancer.server.port: 8080
## Redirect to HTTPS
traefik.http.routers.terrakube-ui-http.rule: Host(`tk.${DOMAIN}`)
traefik.http.routers.terrakube-ui-http.entrypoints: web
traefik.http.routers.terrakube-ui-http.middlewares: terrakube-ui-redirect-https
traefik.http.middlewares.terrakube-ui-redirect-https.redirectscheme.scheme: https
x-traefik_dex_labels: &traefik_dex_labels
traefik.enable: true
## Terrakube DEX HTTPS
traefik.http.routers.terrakube-dex-https.rule: Host(`tk-dex.${DOMAIN}`)
traefik.http.routers.terrakube-dex-https.entrypoints: websecure
traefik.http.routers.terrakube-dex-https.middlewares: terrakube-dex-allow-origin
traefik.http.routers.terrakube-dex-https.tls: true
traefik.http.services.terrakube-dex-https.loadbalancer.server.port: 5556
## Redirect to HTTPS
traefik.http.routers.terrakube-dex-http.rule: Host(`tk-dex.${DOMAIN}`)
traefik.http.routers.terrakube-dex-http.entrypoints: web
traefik.http.routers.terrakube-dex-http.middlewares: terrakube-dex-redirect-https
traefik.http.middlewares.terrakube-dex-redirect-https.redirectscheme.scheme: https
## Allow CORs from Terrakube UI
traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowmethods: GET, PATCH, PUT, POST, DELETE, HEAD, OPTIONS
traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowheaders: >
Content-Type, Accept, Authorization, X-Requested-With, Origin, *
traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolalloworiginlist: https://tk.${DOMAIN}
traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowcredentials: true
traefik.http.middlewares.terrakube-dex-allow-origin.headers.accessControlExposeHeaders: >
Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified,
Pragma, x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2, ETag
traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolmaxage: 86400
traefik.http.middlewares.terrakube-dex-allow-origin.headers.addvaryheader: true
## Terrakube registry
x-traefik_registry_labels: &traefik_registry_labels
traefik.enable: true
## Terrakube registry HTTPS
traefik.http.routers.terrakube-registry-https.rule: Host(`tk-registry.${DOMAIN}`)
traefik.http.routers.terrakube-registry-https.entrypoints: websecure
traefik.http.routers.terrakube-registry-https.tls: true
traefik.http.routers.terrakube-registry-https.middlewares: terrakube-dex-allow-origin
traefik.http.services.terrakube-registry-https.loadbalancer.server.port: 8075
## Redirect to HTTPS
traefik.http.routers.terrakube-registry-http.rule: Host(`tk-registry.${DOMAIN}`)
traefik.http.routers.terrakube-registry-http.entrypoints: web
traefik.http.routers.terrakube-registry-http.middlewares: terrakube-registry-redirect-https
traefik.http.middlewares.terrakube-registry-redirect-https.redirectscheme.scheme: https
### Containers
services:
traefik:
image: traefik:latest
container_name: terrakube-traefik
# Give Traefik a reserved IP address in your external network, pick something towards the end of the network to avoid conflicts
networks:
default:
ipv4_address: $TRAEFIK_IPV4_ADDRESS
environment: *traefik_env
dns: *terrakube_dns
ports:
- $TRAEFIK_HTTP_PORT:80
- $TRAEFIK_HTTPS_PORT:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik_dynamic.yml:/etc/traefik_dynamic.yml
## Uncomment for let's encrypt cert based off Domain
# - /etc/letsencrypt/live/${DOMAIN}/privkey.pem:/letsencrypt/privkey.pem:ro
# - /etc/letsencrypt/live/${DOMAIN}/fullchain.pem:/letsencrypt/fullchain.pem:ro
restart: unless-stopped
terrakube-api:
image: azbuilder/api-server:${TK_VERSION}
container_name: terrakube-api
environment:
<<: [*api_env]
labels: *traefik_api_labels
extra_hosts: *terrakube_hosts
depends_on:
- postgresql-service
terrakube-ui:
image: azbuilder/terrakube-ui:${TK_VERSION}
container_name: terrakube-ui
extra_hosts: *terrakube_hosts
labels: *traefik_ui_labels
volumes:
- ./env-config.js:/app/env-config.js
environment:
<<: [*ui_env]
terrakube-executor:
dns: *terrakube_dns
image: azbuilder/executor:${TK_VERSION}
labels: *traefik_executor_labels
extra_hosts: *terrakube_hosts
container_name: terrakube-executor
environment:
<<: [*executor_env]
terrakube-registry:
dns: *terrakube_dns
image: azbuilder/open-registry:${TK_VERSION}
labels: *traefik_registry_labels
extra_hosts: *terrakube_hosts
container_name: terrakube-registry
environment:
<<: [*registry_env]
terrakube-dex:
image: ghcr.io/dexidp/dex:v2.37.0
extra_hosts: *terrakube_hosts
labels: *traefik_dex_labels
container_name: terrakube-dex
volumes:
- ./config-ldap.yaml:/etc/dex/config.docker.yaml
ldap-service:
image: bitnami/openldap:2.6.4-debian-11-r4
container_name: terrakube-ldap-service
environment: *ldap_env
volumes:
- ./config-ldap.ldif:/ldifs/config-ldap.ldif
minio:
container_name: terrakube-minio
image: docker.io/bitnami/minio:2022
environment: *minio_env
volumes:
- 'minio_data:/data'
redis-service:
image: bitnami/redis:7.0.10
container_name: terrakube-redis
environment:
- REDIS_REPLICATION_MODE=master
- REDIS_PASSWORD=password123456
- REDIS_MASTER_PASSWORD=password123456
- REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
volumes:
- 'redis_data:/bitnami/redis/data'
postgresql-service:
image: docker.io/bitnami/postgresql:15
container_name: postgresql-service
environment:
- POSTGRESQL_USERNAME=terrakube
- POSTGRESQL_PASSWORD=terrakubepassword
- POSTGRESQL_DATABASE=terrakubedb
volumes:
- postgresql_data:/bitnami/postgresql
volumes:
minio_data:
redis_data:
postgresql_data:
driver: local
# External network is required, import its name below
networks:
default:
name: $EXTERNAL_NETWORK_NAME
external: true
Raw
env-config.js
window._env_ = {
REACT_APP_TERRAKUBE_API_URL: "https://tk-api.${DOMAIN}/api/v1/",
REACT_APP_CLIENT_ID: "example-app",
REACT_APP_AUTHORITY: "https://tk-dex.${DOMAIN}/dex",
REACT_APP_REDIRECT_URI: "https://tk.${DOMAIN}",
REACT_APP_REGISTRY_URI: "https://tk-registry.${DOMAIN}",
REACT_APP_SCOPE: "email openid profile offline_access groups",
}
Raw
traefik_dynamic.yml
# tls:
# stores:
# default:
# defaultCertificate:
# certFile: /letsencrypt/fullchain.pem
# keyFile: /letsencrypt/privkey.pem
@alfespa17
Copy link

alfespa17 commented Apr 29, 2024
edited
Loading

I've been busy on other projects last couple of weeks, getting back on this now. IIRC last I tried to replicate the issue on my local and I believe it worked normally like your example. I will test it again on my university infrastructure.

On a side note: Is it possible to get rid of env-config.js? The UI environment variables have the same values. It would clean up the configuration considerably.

Hello @SolomonHD you can't remove the env-config.js because it is used as an static file for the react UI, I think you could remove the environment variables for the UI those are no longer need it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment