47 feature add proper account management for backend components #159
Conversation
|
Be aware that a new secret is needed: |
| @@ -33,6 +33,7 @@ MINIO_LANDINGZONE_BUCKET="landingzone" | |||
| MINIO_STAGING_BUCKET="staging" | |||
| MINIO_ENDPOINT="scopem-openemdata.ethz.ch:9090" | |||
| MINIO_EXTERNAL_ENDPOINT="scopem-openemdata.ethz.ch:9090" | |||
| MINIO_MIDDLEWARES=minio-stripprefix,minio-headers,minio-cors,authentik | |||
There was a problem hiding this comment.
Minio is not deployed in prod so this does not make sense here
|
|
||
| # Omit authentik as a middleware that protects access to dashboards | ||
| MINIO_MIDDLEWARES=minio-stripprefix,minio-headers,minio-cors |
There was a problem hiding this comment.
Not a fan of having the the usage of the middlewares here but the definition of them in the docker compose. What about
#.env.prod:
FORWARD_AUTH_MIDDLEWARE=authentik
#.env.development:
FORWARD_AUTH_MIDDLEWARE=""
# .docker-compose.yml
- "traefik.http.routers.prefect-server.middlewares=${FORWARD_AUTH_MIDDLEWARE}"
| @@ -51,7 +52,14 @@ PREFECT_JOB_TEMPLATE=prefect-jobtemplate-prod.json | |||
| PREFECT_ARCHIVAL_WORKPOOL_NAME=archival-docker-workpool | |||
| # Workpool name for retrieval jobs | |||
| PREFECT_RETRIEVAL_WORKPOOL_NAME=retrieval-docker-workpool | |||
| # Protect UI | |||
| PREFECT_UI_MIDDLEWARES=authentik | |||
There was a problem hiding this comment.
The API route should probably be removed from traefik - should only be access from the archiver api service from within
| @@ -78,6 +78,7 @@ services: | |||
| - "traefik.http.routers.prefect-server.entrypoints=websecure" | |||
| - "traefik.http.routers.prefect-server.tls" | |||
| - "traefik.http.services.prefect-server.loadbalancer.server.port=4200" | |||
| - "traefik.http.routers.prefect-server.middlewares=${PREFECT_UI_MIDDLEWARES}" | |||
|
|
|||
| - "traefik.http.routers.prefect-api-server.rule=Host(`${HOST}`) && PathPrefix(`/archiver/prefect/api`)" | |||
There was a problem hiding this comment.
I think this route can be removed; the api service should communicate directly with this service and not through traefik
| environment: | ||
| AUTHENTIK_HOST: ${AUTHENTIK_HOST} | ||
| AUTHENTIK_INSECURE: ${AUTHENTIK_INSECURE} | ||
| AUTHENTIK_TOKEN: |
There was a problem hiding this comment.
technically not really. It is more of a comment that these three env variables are needed.
|
|
||
| AUTHENTIK_HOST=https://authentik.ethz.ch | ||
| # Check whether the Authentik infrastructure uses a self-signed certificate (true) or not | ||
| AUTHENTIK_INSECURE=true |
There was a problem hiding this comment.
Is this correct in prod? Sounds wrong. Doesn't just the correct root cert need to be added to the container?
There was a problem hiding this comment.
yes, it should be correctly signed. But at the moment it seems not to be the case:
No description provided.