From 1707085ad093c1cdcba2b2d2331a136e947e3e91 Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Fri, 17 May 2024 21:18:12 +0200 Subject: [PATCH] Archive more services moved to Kubernetes --- docker-compose.yml | 247 -------------------------------- k8s-archive/docker-compose.yml | 249 ++++++++++++++++++++++++++++++++- 2 files changed, 248 insertions(+), 248 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 08a7d59..386e00a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -36,210 +36,6 @@ services: restart: "no" env_file: ./config/faf-db-migrations/faf-db-migrations.env - # - # FAF game server for clients to connect to. - # - faf-python-server: - container_name: faf-python-server - image: faforever/faf-python-server:v1.14.0 - user: ${FAF_PYTHON_SERVER_USER} - networks: - faf: - aliases: - - "faf-python-server" - restart: unless-stopped - env_file: ./config/faf-python-server/faf-python-server.env - volumes: - - ./config/faf-python-server/dynamic:/code/config - ulimits: - nproc: 65535 - nofile: - soft: 100000 - hard: 200000 - expose: - - "8003" # Websocket Server UTF8 Json - ports: - - "8001:8001" # Server QDataStream - - "8002:8002" # Server UTF8 Json - - "127.0.0.1:4000:4000" # Control server - labels: - - "loki_retention=long" - - # - # FAF game server for clients to connect to. - # - faf-ws-bridge: - container_name: faf-ws-bridge - image: faforever/ws_bridge_rs:0.1.4 - user: rust - networks: - faf: - aliases: - - "faf-ws-bridge" - restart: unless-stopped - expose: - - "8003" - command: ws_to_tcp -vvv --proxy faf-ws-bridge:8003 --proxy-header-name "CF-Connecting-IP" faf-python-server:8003 - labels: - - "traefik.enable=true" - - "traefik.http.routers.faf-ws-bridge.rule=Host(`ws.${DOMAINNAME}`)" - - "traefik.http.routers.faf-ws-bridge.entryPoints=websecure" - - "traefik.http.services.faf-ws-bridge.loadbalancer.server.port=8003" - - # - # FAF JSON-API to provide data over HTTP. - # - faf-java-api: - container_name: faf-java-api - image: faforever/faf-java-api:v3.4.4 - user: ${FAF_JAVA_API_USER} - networks: - faf: - aliases: - - "faf-java-api" - restart: unless-stopped - env_file: ./config/faf-java-api/faf-java-api.env - volumes: - - ./config/faf-java-api/pki:/pki - - ./config/faf-java-api/mail:/config/mail - - ./data/maps:/maps - - ./data/mods:/mods - - ./data/legacy-featured-mod-files:/legacy-featured-mod-files - - ./data/content:/content - - ./data/faf-java-api/logs:/logs - - ./data/faf-java-api/repositories:/repositories - expose: - - "8010" # HTTP API - - "8011" # HTTP Management API - ports: - - "127.0.0.1:8010:8010" # For internal testing only - labels: - - "loki_retention=long" - - "traefik.enable=true" - - "traefik.http.routers.faf-java-api.rule=Host(`api.${DOMAINNAME}`)" - - "traefik.http.routers.faf-java-api.entryPoints=websecure" - - "traefik.http.services.faf-java-api.loadbalancer.server.port=8010" - # TODO move to Dockerfile - healthcheck: - test: "wget -q -O /dev/null http://localhost:8011/actuator/health" - interval: 30s - timeout: 5s - retries: 3 - logging: - driver: "json-file" - options: - max-size: "100m" - - # - # IRC for FAF chat. - # - ergochat: - init: true - image: ghcr.io/ergochat/ergo:v2.13.0-rc1 - volumes: - - ./config/ergochat:/ircd - - ./data/ergochat:/data - networks: - - faf - restart: unless-stopped - expose: - - "8097" - ports: - - "6667:6667/tcp" - - "6697:6697/tcp" - labels: - - "traefik.enable=true" - - "traefik.http.routers.ergochat.rule=Host(`chat.${DOMAINNAME}`)" - - "traefik.http.routers.ergochat.entryPoints=websecure" - - "traefik.http.services.ergochat.loadbalancer.server.port=8097" - - # - # The content management system which is still being used as a backend for the website. The website accesses - # Wordpress over a JSON API plugin. - # - faf-wordpress: - container_name: faf-wordpress - image: wordpress - user: ${FAF_WORDPRESS_USER} - restart: unless-stopped - volumes: - - ./data/faf-wordpress/wp-content:/var/www/html/wp-content/:rw - networks: - faf: - aliases: - - "faf-wordpress" - env_file: ./config/faf-wordpress/faf-wordpress.env - labels: - - "traefik.enable=true" - - "traefik.http.routers.faf-wordpress.rule=Host(`direct.${DOMAINNAME}`)" - - "traefik.http.routers.faf-wordpress.entryPoints=websecure" - - "traefik.http.routers.faf-wordpress-http.rule=Host(`direct.${DOMAINNAME}`)" - - "traefik.http.routers.faf-wordpress-http.entryPoints=web" - - # - # Serves static files such as maps, mods, game files etc. - # - faf-content: - container_name: faf-content - image: nginx:1.25 - restart: unless-stopped - volumes: - - ./data/maps:/usr/share/nginx/html/maps - - ./data/mods:/usr/share/nginx/html/mods - - ./data/replays:/usr/share/nginx/html/replays - - ./data/legacy-featured-mod-files:/usr/share/nginx/html/legacy-featured-mod-files - - ./data/content:/usr/share/nginx/html - - ./config/faf-content/default.conf:/etc/nginx/conf.d/default.conf:ro - networks: - - faf - env_file: ./config/faf-content/faf-content.env - labels: - - "traefik.enable=true" - - "traefik.http.routers.faf-content.rule=Host(`content.${DOMAINNAME}`) || Host(`replay.${DOMAINNAME}`)" - - "traefik.http.routers.faf-content.entryPoints=websecure" - - "traefik.http.routers.faf-content.middlewares=redirect-replay-subdomain, cors" - - "traefik.http.middlewares.redirect-replay-subdomain.redirectregex.regex=^(http|https)://replay.${DOMAINNAME}/(\\d+)" - - "traefik.http.middlewares.redirect-replay-subdomain.redirectregex.replacement=$${1}://api.${DOMAINNAME}/game/$${2}/replay" - - "traefik.http.middlewares.cors.headers.accesscontrolallowmethods=GET" - - "traefik.http.middlewares.cors.headers.accesscontrolalloworiginlist=*" - - "traefik.http.middlewares.cors.headers.accesscontrolmaxage=60" - - "traefik.http.middlewares.cors.headers.addvaryheader=false" - - - # The third version of the "live replay" server, in Rust. - faf-rust-replayserver: - container_name: faf-rust-replayserver - image: faforever/faf-rust-replayserver:0.3.2 - user: ${FAF_AIO_REPLAYSERVER_USER} - restart: unless-stopped - volumes: - - ./data/replays:/content/replays - - ./config/faf-rust-replayserver:/config - networks: - - faf - env_file: ./config/faf-rust-replayserver/faf-rust-replayserver.env - ports: - - "15000:15000" - labels: - - "loki_retention=long" - - faf-policy-server: - container_name: faf-policy-server - image: faforever/faf-policy-server:v1.22 - env_file: ./config/faf-policy-server/faf-policy-server.env - user: ${FAF_POLICY_SERVER_USER} - restart: unless-stopped - networks: - faf: - aliases: - - "faf-policy-server" - expose: - - "8097" - volumes: - - ./data/faf-policy-server/faf-uid-verifier/verifier:/app/verifier - labels: - - "loki_retention=long" - # # RabbitMQ is open source message broker software (sometimes called message-oriented middleware) that implements the # Advanced Message Queuing Protocol (AMQP). @@ -267,49 +63,6 @@ services: - "traefik.http.routers.faf-rabbitmq.entryPoints=websecure" - "traefik.http.services.faf-rabbitmq.loadbalancer.server.port=15672" - # - # OAuth2 service - # - faf-ory-hydra: - container_name: faf-ory-hydra - image: oryd/hydra:v1.11.10 - # We consider the Docker network safe since we are on a single host. - # If someone gains access to network, he has root access and can turn off the security anyway. - # This can be improved once the login stack was moved outside the main host. - command: serve all -c /hydra.yaml --dangerous-force-http - networks: - faf: - aliases: - - "faf-ory-hydra" - volumes: - - ./config/faf-ory-hydra/hydra.yaml:/hydra.yaml - restart: unless-stopped - ports: - - "127.0.0.1:4445:4445" # only for testing - - "127.0.0.1:4444:4444" # only for testing - labels: - # Traefik endpoint disabled (moved to K8s), only internal admin endpoint is required - - "traefik.enable=false" - - "traefik.http.routers.faf-ory-hydra.rule=Host(`hydra.${DOMAINNAME}`)" - - "traefik.http.routers.faf-ory-hydra.entryPoints=websecure" - - "traefik.http.routers.faf-ory-hydra.tls.certresolver=default" - - "traefik.http.services.faf-ory-hydra.loadbalancer.server.port=4444" - - # - # FAF Telemetry Server collecting ICE adapter telemetry - # - faf-telemetry-server: - container_name: faf-telemetry-server - image: faforever/faf-telemetry-server:main - restart: unless-stopped - labels: - - "loki_retention=long" - - "traefik.enable=true" - - "traefik.http.routers.faf-telemetry-server.rule=Host(`ice-telemetry.${DOMAINNAME}`)" - - "traefik.http.routers.faf-telemetry-server.entryPoints=websecure" - - "traefik.http.routers.faf-telemetry-server.tls.certresolver=default" - - "traefik.http.services.faf-telemetry-server.loadbalancer.server.port=8080" - networks: faf: driver: bridge diff --git a/k8s-archive/docker-compose.yml b/k8s-archive/docker-compose.yml index baaca55..d67cf22 100644 --- a/k8s-archive/docker-compose.yml +++ b/k8s-archive/docker-compose.yml @@ -8,7 +8,7 @@ services: # Runs in dashboard mode, secured by basic http auth # faf-traefik: - # traefik >= 2.7.2 breaks requests to the api. traefik will replace all `;` with `&` which turns the api filter list into their own + # traefik >= 2.7.2 breaks requests to the api. traefik will replace all `;` with `&` which turns the api filter list into their own # query parameters. This breaks the api causing it to return 400. Until resolved we are limited to 2.7.1 # See https://github.com/traefik/traefik/issues/9164 for more details image: traefik:v2.7.1 @@ -31,6 +31,210 @@ services: - "traefik.http.routers.faf-traefik.service=api@internal" - "traefik.http.services.faf-traefik.loadbalancer.server.port=8080" # Dummy port so Docker doesn't complain + # + # FAF game server for clients to connect to. + # + faf-python-server: + container_name: faf-python-server + image: faforever/faf-python-server:v1.14.0 + user: ${FAF_PYTHON_SERVER_USER} + networks: + faf: + aliases: + - "faf-python-server" + restart: unless-stopped + env_file: ./config/faf-python-server/faf-python-server.env + volumes: + - ./config/faf-python-server/dynamic:/code/config + ulimits: + nproc: 65535 + nofile: + soft: 100000 + hard: 200000 + expose: + - "8003" # Websocket Server UTF8 Json + ports: + - "8001:8001" # Server QDataStream + - "8002:8002" # Server UTF8 Json + - "127.0.0.1:4000:4000" # Control server + labels: + - "loki_retention=long" + + # + # FAF game server for clients to connect to. + # + faf-ws-bridge: + container_name: faf-ws-bridge + image: faforever/ws_bridge_rs:0.1.4 + user: rust + networks: + faf: + aliases: + - "faf-ws-bridge" + restart: unless-stopped + expose: + - "8003" + command: ws_to_tcp -vvv --proxy faf-ws-bridge:8003 --proxy-header-name "CF-Connecting-IP" faf-python-server:8003 + labels: + - "traefik.enable=true" + - "traefik.http.routers.faf-ws-bridge.rule=Host(`ws.${DOMAINNAME}`)" + - "traefik.http.routers.faf-ws-bridge.entryPoints=websecure" + - "traefik.http.services.faf-ws-bridge.loadbalancer.server.port=8003" + + # + # FAF JSON-API to provide data over HTTP. + # + faf-java-api: + container_name: faf-java-api + image: faforever/faf-java-api:v3.4.4 + user: ${FAF_JAVA_API_USER} + networks: + faf: + aliases: + - "faf-java-api" + restart: unless-stopped + env_file: ./config/faf-java-api/faf-java-api.env + volumes: + - ./config/faf-java-api/pki:/pki + - ./config/faf-java-api/mail:/config/mail + - ./data/maps:/maps + - ./data/mods:/mods + - ./data/legacy-featured-mod-files:/legacy-featured-mod-files + - ./data/content:/content + - ./data/faf-java-api/logs:/logs + - ./data/faf-java-api/repositories:/repositories + expose: + - "8010" # HTTP API + - "8011" # HTTP Management API + ports: + - "127.0.0.1:8010:8010" # For internal testing only + labels: + - "loki_retention=long" + - "traefik.enable=true" + - "traefik.http.routers.faf-java-api.rule=Host(`api.${DOMAINNAME}`)" + - "traefik.http.routers.faf-java-api.entryPoints=websecure" + - "traefik.http.services.faf-java-api.loadbalancer.server.port=8010" + # TODO move to Dockerfile + healthcheck: + test: "wget -q -O /dev/null http://localhost:8011/actuator/health" + interval: 30s + timeout: 5s + retries: 3 + logging: + driver: "json-file" + options: + max-size: "100m" + + # + # IRC for FAF chat. + # + ergochat: + init: true + image: ghcr.io/ergochat/ergo:v2.13.0-rc1 + volumes: + - ./config/ergochat:/ircd + - ./data/ergochat:/data + networks: + - faf + restart: unless-stopped + expose: + - "8097" + ports: + - "6667:6667/tcp" + - "6697:6697/tcp" + labels: + - "traefik.enable=true" + - "traefik.http.routers.ergochat.rule=Host(`chat.${DOMAINNAME}`)" + - "traefik.http.routers.ergochat.entryPoints=websecure" + - "traefik.http.services.ergochat.loadbalancer.server.port=8097" + + # + # The content management system which is still being used as a backend for the website. The website accesses + # Wordpress over a JSON API plugin. + # + faf-wordpress: + container_name: faf-wordpress + image: wordpress + user: ${FAF_WORDPRESS_USER} + restart: unless-stopped + volumes: + - ./data/faf-wordpress/wp-content:/var/www/html/wp-content/:rw + networks: + faf: + aliases: + - "faf-wordpress" + env_file: ./config/faf-wordpress/faf-wordpress.env + labels: + - "traefik.enable=true" + - "traefik.http.routers.faf-wordpress.rule=Host(`direct.${DOMAINNAME}`)" + - "traefik.http.routers.faf-wordpress.entryPoints=websecure" + - "traefik.http.routers.faf-wordpress-http.rule=Host(`direct.${DOMAINNAME}`)" + - "traefik.http.routers.faf-wordpress-http.entryPoints=web" + + # + # Serves static files such as maps, mods, game files etc. + # + faf-content: + container_name: faf-content + image: nginx:1.25 + restart: unless-stopped + volumes: + - ./data/maps:/usr/share/nginx/html/maps + - ./data/mods:/usr/share/nginx/html/mods + - ./data/replays:/usr/share/nginx/html/replays + - ./data/legacy-featured-mod-files:/usr/share/nginx/html/legacy-featured-mod-files + - ./data/content:/usr/share/nginx/html + - ./config/faf-content/default.conf:/etc/nginx/conf.d/default.conf:ro + networks: + - faf + env_file: ./config/faf-content/faf-content.env + labels: + - "traefik.enable=true" + - "traefik.http.routers.faf-content.rule=Host(`content.${DOMAINNAME}`) || Host(`replay.${DOMAINNAME}`)" + - "traefik.http.routers.faf-content.entryPoints=websecure" + - "traefik.http.routers.faf-content.middlewares=redirect-replay-subdomain, cors" + - "traefik.http.middlewares.redirect-replay-subdomain.redirectregex.regex=^(http|https)://replay.${DOMAINNAME}/(\\d+)" + - "traefik.http.middlewares.redirect-replay-subdomain.redirectregex.replacement=$${1}://api.${DOMAINNAME}/game/$${2}/replay" + - "traefik.http.middlewares.cors.headers.accesscontrolallowmethods=GET" + - "traefik.http.middlewares.cors.headers.accesscontrolalloworiginlist=*" + - "traefik.http.middlewares.cors.headers.accesscontrolmaxage=60" + - "traefik.http.middlewares.cors.headers.addvaryheader=false" + + + # The third version of the "live replay" server, in Rust. + faf-rust-replayserver: + container_name: faf-rust-replayserver + image: faforever/faf-rust-replayserver:0.3.2 + user: ${FAF_AIO_REPLAYSERVER_USER} + restart: unless-stopped + volumes: + - ./data/replays:/content/replays + - ./config/faf-rust-replayserver:/config + networks: + - faf + env_file: ./config/faf-rust-replayserver/faf-rust-replayserver.env + ports: + - "15000:15000" + labels: + - "loki_retention=long" + + faf-policy-server: + container_name: faf-policy-server + image: faforever/faf-policy-server:v1.22 + env_file: ./config/faf-policy-server/faf-policy-server.env + user: ${FAF_POLICY_SERVER_USER} + restart: unless-stopped + networks: + faf: + aliases: + - "faf-policy-server" + expose: + - "8097" + volumes: + - ./data/faf-policy-server/faf-uid-verifier/verifier:/app/verifier + labels: + - "loki_retention=long" + # # Coturn server for proxying between players # It uses net: "host" for performance reasons. @@ -104,6 +308,49 @@ services: - "traefik.http.routers.faf-user-service.tls.certresolver=default" - "traefik.http.services.faf-user-service.loadbalancer.server.port=8080" + # + # OAuth2 service + # + faf-ory-hydra: + container_name: faf-ory-hydra + image: oryd/hydra:v1.11.10 + # We consider the Docker network safe since we are on a single host. + # If someone gains access to network, he has root access and can turn off the security anyway. + # This can be improved once the login stack was moved outside the main host. + command: serve all -c /hydra.yaml --dangerous-force-http + networks: + faf: + aliases: + - "faf-ory-hydra" + volumes: + - ./config/faf-ory-hydra/hydra.yaml:/hydra.yaml + restart: unless-stopped + ports: + - "127.0.0.1:4445:4445" # only for testing + - "127.0.0.1:4444:4444" # only for testing + labels: + # Traefik endpoint disabled (moved to K8s), only internal admin endpoint is required + - "traefik.enable=false" + - "traefik.http.routers.faf-ory-hydra.rule=Host(`hydra.${DOMAINNAME}`)" + - "traefik.http.routers.faf-ory-hydra.entryPoints=websecure" + - "traefik.http.routers.faf-ory-hydra.tls.certresolver=default" + - "traefik.http.services.faf-ory-hydra.loadbalancer.server.port=4444" + + # + # FAF Telemetry Server collecting ICE adapter telemetry + # + faf-telemetry-server: + container_name: faf-telemetry-server + image: faforever/faf-telemetry-server:main + restart: unless-stopped + labels: + - "loki_retention=long" + - "traefik.enable=true" + - "traefik.http.routers.faf-telemetry-server.rule=Host(`ice-telemetry.${DOMAINNAME}`)" + - "traefik.http.routers.faf-telemetry-server.entryPoints=websecure" + - "traefik.http.routers.faf-telemetry-server.tls.certresolver=default" + - "traefik.http.services.faf-telemetry-server.loadbalancer.server.port=8080" + networks: faf: driver: bridge