DOC: added documentation and update config files

d8629232 · Henrik tom Wörden · 4debadf2 · d8629232 · d8629232 · d8629232
Commit d8629232 authored 2 years ago by Henrik tom Wörden
--- a/README_SETUP.md
+++ b/README_SETUP.md
@@ -19,17 +19,29 @@ sudo usermod -aG docker $USER
 ```

 ## Start CaosDB ##
-Want to try it out?  Try these steps in the root directory of this repository:
+Once you have docker installed, you only need two configuration files: One
+for the reverse proxy envoy `envoy.yml` and one that defines the docker containers that
+you want to use and how they can interact `docker-compose.yml`. You can copy the 
+`compose` folder of this repository to your computer and then run
 ```sh
 docker-compose -f compose/docker-compose.yml up
 ```
-Once readey, you can access CaosDB with your web browser under `localhost:10443`.
-You need to accept the security exception or add an SSL certificate (see below).
+Once the logs read
+```
+caosdb-server_1  | Starting the Jetty [HTTPS/1.1] server on port 10443
+caosdb-server_1  | Starting the Jetty [HTTP/1.1] server on port 10080
+caosdb-server_1  | Starting org.caosdb.server.CaosDBServer application
+```
+the server is ready and you can access CaosDB with your web browser under `localhost:8081`.

 ## Stopping CaosDB ##
 You can stop the containers with CTRL-C. See the documentation of docker-compose
 for other options (e.g. `-d` for detach).

+Note, that the suggested configuration provided here uses persistent volumes.
+This means that data and files will be stored such that they are persistent
+across restarts.
+

 ## Building the image
 You can build the docker image using the `docker` command in the `docker` folder:
@@ -42,9 +54,10 @@ The buildkit setting allows the usage of some special features in the `Dockerfil
 The image will be named `caosdb`.

 ## SSL Certificates
-If you want to use a valid SSL certificate (see https://gitlab.indiscale.com/caosdb/src/caosdb-server/-/blob/main/README_SETUP.md#first-setup)
-you can place those in a folder named `other/cert` uncomment the sections in 
-the docker-compose file and adjust the path to the `other` folder.
+If you want to use SSL certificates (and in production use, you definitely should)
+you need to uncomment the respective sections in `envoy.yml` and `docker-compose.yml`.
+The given configuration assumes, that the certificate files are placed in a folder
+`compose/certs` and named `caosdb.key.pem` and `caosdb.cert.pem`.


 ## Configuration
@@ -57,3 +70,5 @@ the bind ip. Adjust the compose file accordingly.

 ## Troubleshooting

+### Envoy cannot read SSL certificate files
+Make sure that the user that is used by envoy has read permissions.
--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@@ -17,9 +17,6 @@ services:
      - sqldb
    networks:
      - caosnet
-    ports:
-      # first part is the bind ip; adjust apropriately, 0.0.0.0 as wild card
-      - 127.0.0.1:10443:10443
    # Pass information to the running docker ontainer.
    # These variables should be set when calling docker-compose.
    environment:
@@ -48,6 +45,23 @@ services:
 #        source: "/path/to/other"
 #        target: /opt/caosdb/mnt/other

+  envoy:
+    image: envoyproxy/envoy:v1.21-latest
+    volumes:
+      - type: bind
+        read_only: true
+        source: $PWD/compose/envoy.yml
+        target: /etc/envoy/envoy.yaml
+#      - type: bind
+#        read_only: true
+#        source: $PWD/compose/certs
+#        target: /etc/envoy/certs
+    networks:
+      - caosnet
+    ports:
+      # first part is the bind ip; adjust apropriately, 0.0.0.0 as wild card
+      - 127.0.0.1:8081:8081
+
 # A well-defined network for caosdb
 volumes:
    caosdb-sqldata:

--- a/compose/envoy.yml
+++ b/compose/envoy.yml
+admin:
+  address:
+    socket_address:
+      address: 127.0.0.1
+      port_value: 9901
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address: { address: 0.0.0.0, port_value: 8081 }
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          codec_type: auto
+          stat_prefix: ingress_http
+          upgrade_configs:
+          - upgrade_type: websocket
+          route_config:
+            name: local_route
+            response_headers_to_add:
+              - header:
+                  key: X-Frame-Options
+                  value: deny
+                append: false
+              - header:
+                  key: Content-Security-Policy
+                  value: "frame-ancestors 'none'"
+                append: true
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  safe_regex:
+                    google_re2: {}
+                    regex: ".*/robots.txt"
+                route:
+                  cluster: caosdb_webui
+              - match: { prefix: "/api/" }
+                route:
+                  prefix_rewrite: "/"
+                  cluster: caosdb_grpc_api
+                  max_stream_duration:
+                    grpc_timeout_header_max: 0s
+              - match: { prefix: "/webinterface/acm/static/" }
+                route:
+                  cluster: caosdb_webui
+              - match: { prefix: "/webinterface/acm/" }
+                route:
+                  regex_rewrite:
+                    pattern:
+                      google_re2: {}
+                      regex: ".*"
+                    substitution: "/webinterface/acm/index.html"
+                  cluster: caosdb_webui
+              - match: { prefix: "/webinterface/acm" }
+                redirect:
+                  #https_redirect: true
+                  path_redirect: "/webinterface/acm/"
+              - match: { prefix: "/" }
+                route:
+                  cluster: caosdb_webui
+              cors:
+                allow_origin_string_match:
+                - prefix: "*"
+                allow_methods: GET, PUT, DELETE, POST, OPTIONS
+                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
+                max_age: "1728000"
+                expose_headers: grpc-status,grpc-message
+          http_filters:
+          - name: envoy.filters.http.grpc_web
+          - name: envoy.filters.http.cors
+          - name: envoy.filters.http.router
+#      transport_socket:
+#        name: envoy.transport_sockets.tls
+#        typed_config:
+#          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+#          common_tls_context:
+#            tls_certificates:
+#            - certificate_chain: {filename: "/etc/envoy/certs/caosdb.cert.pem"}
+#              private_key: {filename: "/etc/envoy/certs/caosdb.key.pem"}
+  clusters:
+    # this is the caosdb server
+  - name: caosdb_grpc_api
+    connect_timeout: 0.25s
+    type: logical_dns
+    http2_protocol_options: {}
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: caosdb_grpc_api_cluster_0
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: caosdb-server
+                    port_value: 8080
+
+    # this is the react development server (npm start)
+  - name: caosdb_webui
+    connect_timeout: 0.25s
+    type: logical_dns
+    lb_policy: round_robin
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+
+    load_assignment:
+      cluster_name: caosdb_webui_cluster_0
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: caosdb-server
+                    port_value: 10443