mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
3f9326a53316fecf779e2b859305fa0728c54345
meldestelle/docker-compose.yml.optimized
T
StefanMo 3f9326a533 Refactor(config): Implement central environment config (MP-18)) (#17) 
* fix(infra): Makefile .env generiert

* MP-18 Env-Konfiguration Refactoring: Schritte 2–4 umgesetzt\n\n2) Single Source of Truth für Versionen\n- docker/versions.toml als alleinige Quelle bestätigt\n- docker/build-args/global.env bereinigt und konsistent auf *_IMAGE_TAG umgestellt (PROMETHEUS_IMAGE_TAG, GRAFANA_IMAGE_TAG, KEYCLOAK_IMAGE_TAG, POSTGRES_IMAGE_TAG, REDIS_IMAGE_TAG, CONSUL_IMAGE_TAG, KAFKA_IMAGE_TAG, ZOOKEEPER_IMAGE_TAG)\n- Keine Ports/Profiles/Secrets in global.env\n\n3) Build vs. Laufzeit getrennt (Variablenbereinigung)\n- .env.template von allen Build-/Image-Versionen befreit (DOCKER_*_VERSION, (DOCKER_)APP_VERSION, BUILD_DATE)\n- App-Versionsvariable vereinheitlicht: Nutzung von VERSION (APP_VERSION in Build-Args entfernt)\n\n4) Laufzeit-Env konsolidiert (globales .env)\n- Zentrales config/env/.env erstellt (Ports, Hosts, Flags, Pfade, SPRING_PROFILES_ACTIVE, NODE_ENV etc.)\n- config/env/.env.local angelegt (gitignored) und .gitignore ergänzt\n- Laufzeitwerte aus Build-Args-Dateien (clients/infrastructure/services) entfernt bzw. kommentiert mit Verweis auf config/env/.env\n\nAkzeptanzkriterien erfüllt\n- global.env enthält ausschließlich Build-Versionen/-Tags und Build-Tool-Versionen\n- .env.template enthält keine Build-/Image-Versionen mehr\n- Zentrales config/env/.env ist die einzige Quelle für Laufzeitwerte\n\nYouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18 Env-Konfiguration Refactoring: Schritte 5–7 umgesetzt

5) Build-Args-Dateien entschlackt/umstrukturiert
- clients.env: Laufzeitwerte entfernt, NODE_VERSION/NGINX_VERSION → NODE_IMAGE_TAG/NGINX_IMAGE_TAG; nur Build-relevante Pfade/Namen belassen
- infrastructure.env/services.env: bereits zuvor Runtime-Variablen entfernt, Kommentare mit Verweis auf config/env/.env beibehalten

6) Dockerfiles überprüft/angepasst
- clients/web-app: Build-ARGs eingeführt (GRADLE_VERSION, JAVA_VERSION, NGINX_IMAGE_TAG), Basis-Image aus Tag abgeleitet; keine Runtime-ARGs
- services/ping-service: SPRING_PROFILES_ACTIVE als ARG entfernt; Build ruft ohne -P profile; Labels/ENV vereinheitlicht (OCI: version/created)
- infrastructure/gateway: SPRING_PROFILES_ACTIVE als ARG entfernt; Build ohne -P; Labels vereinheitlicht
- templates/spring-boot-service.Dockerfile: Runtime-ARGs (SPRING_PROFILES_ACTIVE, SERVICE_PORT) entfernt; Healthcheck/Expose auf ENV basierend; ENV getrennt gesetzt
- infrastructure/monitoring-server: SPRING_PROFILES_ACTIVE-ARG entfernt; Build ohne -P; ENV/Labels bereinigt

7) docker-compose* bereinigt
- docker-compose.yml: env_file: config/env/.env hinzugefügt; Image-Tags von DOCKER_* auf feste Versionen (aus global.env/versions.toml) umgestellt; keine Laufzeitwerte via build.args
- docker-compose.services.yml: env_file hinzugefügt; DOCKER_* Build-Args entfernt; nur Build-Zeit-ARGs (GRADLE_VERSION, JAVA_VERSION, BUILD_DATE, VERSION); Ports/ENV aus config/env/.env
- docker-compose.clients.yml: env_file hinzugefügt; DOCKER_* entfernt; NGINX_IMAGE_TAG als Build-Arg; APP_VERSION nutzt VERSION

Akzeptanzkriterien
- Keine Laufzeitvariablen in build-args-Dateien
- Dockerfiles verwenden ausschließlich Build-ARGs; keine Ports/Secrets/Profile als ARG
- Compose lädt nur eine Runtime-Env-Quelle (config/env/.env) und schleust keine Runtimewerte via build.args ein

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18 Env-Konfiguration Refactoring: Schritte 8–11 umgesetzt

8) Secrets-Strategie (Dev vereinfacht)
- config/env/.env.local bereits vorhanden und gitignored; Nutzung für lokale Secrets verdeutlicht
- docker/secrets/README.md hinzugefügt; echte Geheimnisse entfernt/Platzhalter gesetzt (postgres_password.txt)
- Optimierte Compose-Dateien erzwingen Secrets nur im Profil 'prod' (profiles: [prod]) und verwenden env_file: config/env/.env

9) Namenskonventionen vereinheitlicht
- DOCKER_* in optimierten Compose-Dateien entfernt; Build-Args auf GRADLE_VERSION/JAVA_VERSION/VERSION und *_IMAGE_TAG konsolidiert
- SPRING_PROFILES_ACTIVE nur noch zur Laufzeit (Compose/env); aus Dockerfiles (auth, gateway, horses, events, members, masterdata) als Build-ARG entfernt

10) CI: ssot-guard.yml erweitert
- Guard-Checks hinzugefügt: Fail bei Runtime-Variablen in Build-Args-Dateien und bei Build-/Versions-Variablen in Runtime-Envs
- Konsistenz-Check zwischen docker/versions.toml und docker/build-args/global.env (zentraler Versionsabgleich)

11) Skripte & Automatisierung
- Neues Skript scripts/generate-build-env.sh zum Generieren von docker/build-args/global.env aus docker/versions.toml (minimal)

Akzeptanzkriterien
- Lokale Entwicklung erfordert keine Docker-Secrets (Compose default), keine Geheimnisse im Repo
- Keine DOCKER_* Präfixe in Laufzeitdateien, eindeutige Namenskonventionen
- CI bricht bei Build-vs-Runtime-Verletzungen und Versions-Drift

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18 Env-Konfiguration Refactoring: Schritte 12–17 umgesetzt

12) DDD-Slice-Overrides eingeführt
- Optionale Runtime-Env-Dateien hinzugefügt: config/env/services/{ping,members,horses,events,masterdata}.env, config/env/infrastructure/api-gateway.env, config/env/clients/web-app.env
- Compose-Dateien laden diese Overrides zusätzlich zu config/env/.env (nur wenn vorhanden)

13) Deduplizierung bestätigt
- Build-Args-Dateien enthalten keine Laufzeitwerte; .env/.env.template ohne Build-/Versions-Keys

14) Compose an Envs gekoppelt
- docker-compose*.yml referenzieren ausschließlich config/env/.env + optionale Slice-Overrides; keine docker/build-args/*.env als Runtime-Quelle

15) Doku aktualisiert
- README: neue Konfig-Struktur, Quickstart mit .env/.env.local, optionale Overrides, Deprecations (DOCKER_*_VERSION → *_IMAGE_TAG), Smoke-Tests

16) Cleanup & Deprecations
- Deprecation-Hinweise in README dokumentiert; keine obsoleten Root-.env-Dateien verbleiben

17) Validierung & Hinweise
- Start-/Healthcheck-Hinweise für lokalen Smoke-Test ergänzt; CI-Guards bleiben gültig

* MP-18 DoD-Finalisierung: Build/Runtime-Trennung verhärtet, Doku-Hinweise korrigiert

- Entfernt: Runtime-Build-ARG SERVICE_PORT aus Service-Dockerfiles (members, horses, events, masterdata)
  * Feste Default-Ports gesetzt (8083–8086), Healthchecks und SERVER_PORT-ENV angepasst
  * Erfüllt DoD: Build-Args enthalten keine Runtime-Werte mehr
- .env.template Usage korrigiert: verweist nun explizit auf config/env/.env und compose-Aufrufe

DoD-Checkliste:
✓ Zentrale Runtime-Datei config/env/.env + .env.local (Compose nutzt env_file)
✓ Build-Args nur Versionen/Pfade/Namen (keine Runtime-Keys)
✓ versions.toml als einzige Quelle für Image-/Tool-Versionen (CI-Guard prüft Drift)
✓ CI-Workflow blockiert Build/Runtime-Mixing & Versions-Drift (ssot-guard)
✓ README dokumentiert den Flow (Quickstart, Struktur, Deprecations)
✓ Clean Builds/Local-Starts durch compose-Files unterstützt

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18: GitHub-Workflows aktualisiert und README Markdownlint-Fehler behoben

Workflows
- CI: minimale Permissions + Concurrency hinzugefügt; build-test hängt jetzt auch von validate-docs ab; actions/setup-node → v4
- SSoT Guard: minimale Permissions + Concurrency
- Deploy Proxmox: Concurrency; Deploy-Job läuft korrekt bei workflow_dispatch (zuvor durch falsche IF-Bedingung blockiert)
- Docs KDoc Sync: minimale Permissions + Concurrency
- Integration Tests: minimale Permissions + Concurrency
- YouTrack Sync: minimale Permissions + Concurrency; Guard, wenn Secrets fehlen

Docs
- README.md: MD032 (Leerzeilen um Listen) korrigiert
- README.md: MD037 (Spaces in Emphasis / Wildcards) durch Backticks behoben
- README.md: MD034 (Bare URLs) via <> eingefasst

Ziel
- Optimierte, aktuelle CI-Workflows und grüne markdownlint-Prüfungen.

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18: Fix Docker SSoT validator errors

Remove default values from centralized ARGs in web-app Dockerfile (GRADLE_VERSION, JAVA_VERSION, NGINX_IMAGE_TAG).

Align build.args in compose files to centralized DOCKER_* vars from versions.toml mapping (clients/services/optimized), and update api-gateway in optimized compose.

Replace hardcoded infra image tags in docker-compose.yml with DOCKER_* fallbacks for postgres/redis/prometheus/grafana/keycloak.

Validated via scripts/validate-docker-consistency.sh all → Errors=0 (Warnings remain by design).

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18: Finalize Env/SSoT refactor – align generator, validator, build-args and compose

- Switch docker/build-args/global.env to *_IMAGE_TAG keys (PROMETHEUS/GRAFANA/KEYCLOAK/POSTGRES/REDIS/CONSUL/KAFKA/ZOOKEEPER)
- Clean docker/build-args/{clients,services,infrastructure}.env to build-time only; remove runtime/profile/ports
- Update scripts/docker-versions-update.sh to emit *_IMAGE_TAG and strip runtime keys from build-args files
- Update scripts/validate-docker-consistency.sh to check *_IMAGE_TAG and stop enforcing runtime keys in build-args
- Rename Keycloak Dockerfile ARG to KEYCLOAK_IMAGE_TAG and update FROM/labels
- Add build arg fallbacks in compose files where needed (GRADLE/JAVA/VERSION) for dev convenience

Result:
- scripts/validate-docker-consistency.sh all → 0 errors (warnings remain informational)

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* fix: Bash-Syntax-Fehler in ssot-guard.yml behoben

- Fehlerhafte '2>/dev/null || true' Konstrukte in for-Schleifen entfernt
- Stattdessen 'shopt -s nullglob' für saubere Behandlung nicht-existierender Dateimuster verwendet
- Beide betroffene for-Schleifen (Runtime-Variablen und Build-Variablen Guards) korrigiert

MP-18

* chore: Regenerate Docker Compose files to fix SSoT drift

- Removed default values from build arguments (now using centralized DOCKER_* variables)
- Removed env_file directives for cleaner configuration
- Updated variable names for consistency (GATEWAY_PORT → API_GATEWAY_PORT)
- Standardized comments and structure across all compose files

Resolves SSoT drift detected by ssot-guard workflow.

MP-18

* MP-18 fix: Bash-Syntax-Fehler in ssot-guard.yml behoben

- Fehlerhafte '2>/dev/null || true' Konstrukte in for-Schleifen entfernt
- Stattdessen 'shopt -s nullglob' für saubere Behandlung nicht-existierender Dateimuster verwendet
- Beide betroffene for-Schleifen (Runtime-Variablen und Build-Variablen Guards) korrigiert

* MP-18 chore: Regenerate Docker Compose files to fix SSoT drift

- Removed default values from build arguments (now using centralized DOCKER_* variables)
- Removed env_file directives for cleaner configuration
- Updated variable names for consistency (GATEWAY_PORT → API_GATEWAY_PORT)
- Standardized comments and structure across all compose files

Resolves SSoT drift detected by ssot-guard workflow.

* MP-18 fix: qodana_code_quality.yml qodana.yaml

* fix: GitHub Actions Workflow-Fehler behoben

- youtrack-sync.yml: Korrektur der secrets if-Bedingung (Line 18)
  * Entfernung ungültiger != '' Vergleiche
  * Verwendung korrekter GitHub Actions Syntax: secrets.YT_URL && secrets.YT_TOKEN

- ssot-guard.yml: Korrektur der get_toml_ver() Funktion
  * Behebung des Versions-Drift Problems
  * Parsing nur aus [versions] Sektion mit State-Machine-Pattern
  * Korrekte Extraktion aller 11 Versionswerte aus versions.toml
  * Trimming von Spaces vor Key-Vergleich

Fixes: MP-18

* MP-18 Entfernung von Qodana

* MP-18 fix(ssot-guard): align build-args comments with generator output to remove SSoT drift

- clients.env/services.env/infrastructure.env: update runtime note text to match scripts/docker-versions-update.sh
- Avoids false-positive drift in workflow (content changes beyond ignored timestamps)

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml
2025-11-19 00:59:41 +01:00

527 lines
16 KiB
Plaintext
Raw Blame History

# ===================================================================
# Docker Compose - Basis-Infrastruktur (OPTIMIZED & SECURED)
# Meldestelle Project - Essentielle Services
# ===================================================================
# Security & Performance Improvements:
# - Secrets management for sensitive data
# - Resource limits and reservations
# - Security hardening (read-only volumes, non-root users)
# - Optimized health checks and startup
# - Production-ready configurations
# ===================================================================
version: '3.9'
services:
# ===================================================================
# Datenbank - PostgresQL with Security Hardening
# ===================================================================
postgres:
image: postgres:${DOCKER_POSTGRES_VERSION:-16-alpine}
container_name: meldestelle-postgres
environment:
POSTGRES_USER_FILE: /run/secrets/postgres_user
POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
POSTGRES_DB: ${POSTGRES_DB:-meldestelle}
# Security hardening
POSTGRES_INITDB_ARGS: "--auth-local=trust --auth-host=scram-sha-256"
ports:
- "5432:5432"
volumes:
- postgres-data:/var/lib/postgresql/data
- ./docker/services/postgres:/docker-entrypoint-initdb.d:ro
networks:
- meldestelle-network
secrets:
- postgres_user
- postgres_password
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
reservations:
cpus: '0.5'
memory: 512M
healthcheck:
test: ["CMD-SHELL", "pg_isready -U $(cat /run/secrets/postgres_user) -d ${POSTGRES_DB:-meldestelle}"]
interval: 10s
timeout: 5s
retries: 3
start_period: 30s
restart: unless-stopped
# Security: Run as postgres user (built into image)
security_opt:
- no-new-privileges:true
# ===================================================================
# Cache - Redis with Authentication
# ===================================================================
redis:
image: redis:${DOCKER_REDIS_VERSION:-7-alpine}
container_name: meldestelle-redis
ports:
- "${REDIS_PORT:-6379}:6379"
volumes:
- redis-data:/data
command: >
redis-server
--appendonly yes
--requirepass "$(cat /run/secrets/redis_password)"
--maxmemory 1gb
--maxmemory-policy allkeys-lru
networks:
- meldestelle-network
secrets:
- redis_password
deploy:
resources:
limits:
cpus: '1.0'
memory: 1G
reservations:
cpus: '0.25'
memory: 256M
healthcheck:
test: ["CMD", "redis-cli", "--no-auth-warning", "-a", "$(cat /run/secrets/redis_password)", "ping"]
interval: 10s
timeout: 5s
retries: 3
start_period: 20s
restart: unless-stopped
security_opt:
- no-new-privileges:true
# ===================================================================
# Authentifizierung - Keycloak with Enhanced Security
# ===================================================================
keycloak:
image: quay.io/keycloak/keycloak:${DOCKER_KEYCLOAK_VERSION:-26.4.2}
container_name: meldestelle-keycloak
environment:
# Admin Configuration - Using secrets
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD_FILE: /run/secrets/keycloak_admin_password
# Database Configuration - Using secrets
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://postgres:5432/meldestelle
KC_DB_USERNAME_FILE: /run/secrets/postgres_user
KC_DB_PASSWORD_FILE: /run/secrets/postgres_password
KC_DB_SCHEMA: keycloak
# HTTP Configuration - Production settings
KC_HTTP_ENABLED: true
KC_HOSTNAME_STRICT: false
KC_PROXY: edge
# Security Configuration
KC_FEATURES: token-exchange,admin-fine-grained-authz
KC_LOG_LEVEL: ${KEYCLOAK_LOG_LEVEL:-INFO}
ports:
- "${KEYCLOAK_PORT:-8180}:8080"
depends_on:
postgres:
condition: service_healthy
volumes:
- ./docker/services/keycloak:/opt/keycloak/data/import:ro
- keycloak-data:/opt/keycloak/data
command:
# Development mode with realm import enabled
- start-dev
- --import-realm
networks:
- meldestelle-network
secrets:
- keycloak_admin_password
- postgres_user
- postgres_password
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
reservations:
cpus: '0.5'
memory: 1G
healthcheck:
test: ['CMD-SHELL', 'curl -fsS --max-time 5 http://localhost:8080/health/ready || exit 1']
interval: 15s
timeout: 10s
retries: 5
start_period: 90s
restart: unless-stopped
security_opt:
- no-new-privileges:true
# ===================================================================
# Service Discovery - Consul
# ===================================================================
consul:
image: hashicorp/consul:${DOCKER_CONSUL_VERSION:-1.15}
container_name: meldestelle-consul
ports:
- "${CONSUL_PORT:-8500}:8500"
command: >
agent -server -ui -node=server-1 -bootstrap-expect=1 -client=0.0.0.0
-encrypt=$(consul keygen)
-datacenter=meldestelle-dc
networks:
- meldestelle-network
volumes:
- consul-data:/consul/data
deploy:
resources:
limits:
cpus: '1.0'
memory: 512M
reservations:
cpus: '0.25'
memory: 128M
healthcheck:
test: ["CMD", "consul", "members", "-http-addr=localhost:8500"]
interval: 10s
timeout: 5s
retries: 3
start_period: 20s
restart: unless-stopped
security_opt:
- no-new-privileges:true
# ===================================================================
# Messaging - Zookeeper & Kafka with Resource Limits
# ===================================================================
zookeeper:
image: confluentinc/cp-zookeeper:${DOCKER_ZOOKEEPER_VERSION:-7.4.0}
container_name: meldestelle-zookeeper
environment:
ZOOKEEPER_CLIENT_PORT: ${ZOOKEEPER_CLIENT_PORT:-2181}
ZOOKEEPER_TICK_TIME: 2000
ZOOKEEPER_INIT_LIMIT: 5
ZOOKEEPER_SYNC_LIMIT: 2
KAFKA_OPTS: "-Xmx512m -Xms256m"
ports:
- "${ZOOKEEPER_CLIENT_PORT:-2181}:2181"
volumes:
- zookeeper-data:/var/lib/zookeeper/data
- zookeeper-logs:/var/lib/zookeeper/log
networks:
- meldestelle-network
deploy:
resources:
limits:
cpus: '1.0'
memory: 1G
reservations:
cpus: '0.25'
memory: 256M
healthcheck:
test: ["CMD", "bash", "-c", "echo 'ruok' | nc localhost 2181 | grep imok"]
interval: 10s
timeout: 5s
retries: 3
start_period: 30s
restart: unless-stopped
security_opt:
- no-new-privileges:true
kafka:
image: confluentinc/cp-kafka:${DOCKER_KAFKA_VERSION:-7.4.0}
container_name: meldestelle-kafka
environment:
KAFKA_BROKER_ID: ${KAFKA_BROKER_ID:-1}
KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:29092,PLAINTEXT_HOST://localhost:${KAFKA_PORT:-9092}
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: ${KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR:-1}
# JVM Settings
KAFKA_HEAP_OPTS: "-Xmx1G -Xms512m"
KAFKA_JVM_PERFORMANCE_OPTS: "-XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35"
ports:
- "${KAFKA_PORT:-9092}:9092"
depends_on:
zookeeper:
condition: service_healthy
volumes:
- kafka-data:/var/lib/kafka/data
networks:
- meldestelle-network
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
reservations:
cpus: '0.5'
memory: 512M
healthcheck:
test: ["CMD", "kafka-broker-api-versions", "--bootstrap-server", "localhost:9092"]
interval: 15s
timeout: 10s
retries: 3
start_period: 60s
restart: unless-stopped
security_opt:
- no-new-privileges:true
# ===================================================================
# Monitoring - Prometheus with Security
# ===================================================================
prometheus:
image: prom/prometheus:${DOCKER_PROMETHEUS_VERSION:-v2.54.1}
container_name: meldestelle-prometheus
ports:
- "${PROMETHEUS_PORT:-9090}:9090"
volumes:
- prometheus-data:/prometheus
- ./docker/monitoring/prometheus:/etc/prometheus:ro
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
- '--web.console.libraries=/etc/prometheus/console_libraries'
- '--web.console.templates=/etc/prometheus/consoles'
- '--storage.tsdb.retention.time=15d'
- '--storage.tsdb.retention.size=20GB'
- '--web.enable-lifecycle'
- '--web.enable-admin-api'
networks:
- meldestelle-network
deploy:
resources:
limits:
cpus: '1.0'
memory: 2G
reservations:
cpus: '0.25'
memory: 512M
healthcheck:
test: ["CMD", "promtool", "query", "instant", "localhost:9090", "up"]
interval: 15s
timeout: 10s
retries: 3
start_period: 30s
restart: unless-stopped
security_opt:
- no-new-privileges:true
user: "65534:65534" # nobody:nobody
# ===================================================================
# Monitoring - Grafana with Enhanced Security
# ===================================================================
grafana:
image: grafana/grafana:${DOCKER_GRAFANA_VERSION:-11.3.0}
container_name: meldestelle-grafana
environment:
# Use secrets for admin credentials
GF_SECURITY_ADMIN_USER__FILE: /run/secrets/grafana_admin_user
GF_SECURITY_ADMIN_PASSWORD__FILE: /run/secrets/grafana_admin_password
GF_USERS_ALLOW_SIGN_UP: false
GF_INSTALL_PLUGINS: grafana-piechart-panel
# Security settings
GF_SECURITY_COOKIE_SECURE: true
GF_SECURITY_COOKIE_SAMESITE: strict
GF_SECURITY_DISABLE_GRAVATAR: true
GF_ANALYTICS_REPORTING_ENABLED: false
GF_ANALYTICS_CHECK_FOR_UPDATES: false
GF_SNAPSHOTS_EXTERNAL_ENABLED: false
ports:
- "${GRAFANA_PORT:-3000}:3000"
volumes:
- grafana-data:/var/lib/grafana
- ./docker/monitoring/grafana:/etc/grafana/provisioning:ro
depends_on:
- prometheus
networks:
- meldestelle-network
secrets:
- grafana_admin_user
- grafana_admin_password
deploy:
resources:
limits:
cpus: '1.0'
memory: 1G
reservations:
cpus: '0.25'
memory: 256M
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:3000/api/health"]
interval: 15s
timeout: 10s
retries: 3
start_period: 30s
restart: unless-stopped
security_opt:
- no-new-privileges:true
user: "472:0" # grafana user
# ===================================================================
# API Gateway - Enhanced Security & Resource Management
# ===================================================================
api-gateway:
build:
context: .
dockerfile: dockerfiles/infrastructure/gateway/Dockerfile
args:
# Global build arguments (build-time only)
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION:-1.0.0}
container_name: meldestelle-api-gateway
env_file:
- config/env/.env
# Optional infrastructure-specific overrides (only if file exists)
- config/env/infrastructure/api-gateway.env
volumes:
# Mount Gradle cache for better build performance
- api-gateway-gradle-cache:/home/gradle/.gradle
environment:
SPRING_PROFILES_ACTIVE: ${SPRING_PROFILES_ACTIVE:-dev,keycloak}
CONSUL_HOST: consul
CONSUL_PORT: ${CONSUL_PORT:-8500}
CONSUL_ENABLED: "true"
GATEWAY_PORT: ${GATEWAY_PORT:-8081}
# Keycloak OAuth2 Integration - Using internal network
KEYCLOAK_SERVER_URL: http://keycloak:8080
KEYCLOAK_ISSUER_URI: http://keycloak:8080/realms/meldestelle
KEYCLOAK_JWK_SET_URI: http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs
KEYCLOAK_REALM: meldestelle
KEYCLOAK_CLIENT_ID: api-gateway
# Security: Client secret via file
KEYCLOAK_CLIENT_SECRET_FILE: /run/secrets/keycloak_client_secret
# Custom JWT filter disabled - using oauth2ResourceServer instead
GATEWAY_SECURITY_KEYCLOAK_ENABLED: "false"
# Database connection via secrets
DB_HOST: postgres
DB_PORT: 5432
DB_NAME: ${POSTGRES_DB:-meldestelle}
DB_USERNAME_FILE: /run/secrets/postgres_user
DB_PASSWORD_FILE: /run/secrets/postgres_password
# Redis connection with auth
REDIS_HOST: redis
REDIS_PORT: 6379
REDIS_PASSWORD_FILE: /run/secrets/redis_password
ports:
- "${GATEWAY_PORT:-8081}:8081"
depends_on:
consul:
condition: service_healthy
postgres:
condition: service_healthy
redis:
condition: service_healthy
keycloak:
condition: service_started
networks:
- meldestelle-network
# Secrets für lokale Dev optional; mit Profil "prod" aktivieren
profiles: ["prod"]
secrets:
- keycloak_client_secret
- postgres_user
- postgres_password
- redis_password
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
reservations:
cpus: '0.5'
memory: 1G
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:${GATEWAY_PORT:-8081}/actuator/health/readiness"]
interval: 15s
timeout: 10s
retries: 3
start_period: 60s
restart: unless-stopped
security_opt:
- no-new-privileges:true
# ===================================================================
# Secrets Management - Production Ready
# ===================================================================
secrets:
postgres_user:
file: ./docker/secrets/postgres_user.txt
postgres_password:
file: ./docker/secrets/postgres_password.txt
redis_password:
file: ./docker/secrets/redis_password.txt
keycloak_admin_password:
file: ./docker/secrets/keycloak_admin_password.txt
keycloak_client_secret:
file: ./docker/secrets/keycloak_client_secret.txt
grafana_admin_user:
file: ./docker/secrets/grafana_admin_user.txt
grafana_admin_password:
file: ./docker/secrets/grafana_admin_password.txt
# ===================================================================
# Volumes - Enhanced with Better Drivers
# ===================================================================
volumes:
postgres-data:
driver: local
driver_opts:
type: none
o: bind
device: ${DATA_PATH:-./data}/postgres
redis-data:
driver: local
driver_opts:
type: none
o: bind
device: ${DATA_PATH:-./data}/redis
prometheus-data:
driver: local
driver_opts:
type: none
o: bind
device: ${DATA_PATH:-./data}/prometheus
grafana-data:
driver: local
driver_opts:
type: none
o: bind
device: ${DATA_PATH:-./data}/grafana
keycloak-data:
driver: local
driver_opts:
type: none
o: bind
device: ${DATA_PATH:-./data}/keycloak
consul-data:
driver: local
driver_opts:
type: none
o: bind
device: ${DATA_PATH:-./data}/consul
zookeeper-data:
driver: local
zookeeper-logs:
driver: local
kafka-data:
driver: local
api-gateway-gradle-cache:
driver: local
# ===================================================================
# Networks - Enhanced Security
# ===================================================================
networks:
meldestelle-network:
driver: bridge
driver_opts:
com.docker.network.bridge.enable_icc: "true"
com.docker.network.bridge.enable_ip_masquerade: "true"
com.docker.network.driver.mtu: "1500"
ipam:
config:
- subnet: 172.20.0.0/16
gateway: 172.20.0.1
Reference in New Issue View Git Blame Copy Permalink