Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/docker-compose.yml
Jonathan Rudenberg 48760fec58
Add support for reading private_key from AWS Secrets Manager (#31134) 
Adds support for reading server `private_key` from AWS Secrets Manager.
Combined with #31075, this should allow removing all common sensitive
secrets from the environment/config (if I missed any let me know). This
works with localstack for local development (set
`AWS_ENDPOINT_URL=$LOCALSTACK_URL`, `AWS_ACCESS_KEY_ID=test`, and
`AWS_SECRET_ACCESS_KEY=test`).

I did not include config options for `AWS_ACCESS_KEY_ID` and
`AWS_SECRET_ACCESS_KEY` because they are a bad practice vs role
credentials and defeat the purpose of this feature which is to remove
secrets from the environment/config.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Scott Gress <scott@fleetdm.com>
2025-09-09 16:56:35 -05:00

171 lines
5.1 KiB
YAML
Raw Blame History

---
services:
# To test with MariaDB, set FLEET_MYSQL_IMAGE to mariadb:10.6 or the like (note MariaDB is not
# officially supported).
# To run in macOS M1, set FLEET_MYSQL_IMAGE=arm64v8/mysql:oracle FLEET_MYSQL_PLATFORM=linux/arm64/v8
mysql:
image: ${FLEET_MYSQL_IMAGE:-mysql:8.0.36}
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
volumes:
- mysql-persistent-volume:/tmp
command: [
"mysqld",
"--datadir=/tmp/mysqldata",
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
"--enforce-gtid-consistency=ON",
"--log-bin=bin.log",
"--server-id=master-01",
# Required for storage of Apple MDM bootstrap packages.
"--max_allowed_packet=536870912",
]
environment: &mysql-default-environment
MYSQL_ROOT_PASSWORD: toor
MYSQL_DATABASE: fleet
MYSQL_USER: fleet
MYSQL_PASSWORD: insecure
# This is required by Percona XtraDB server.
CLUSTER_NAME: fleet
ports:
- "3306:3306"
mysql_test:
image: ${FLEET_MYSQL_IMAGE:-mysql:8.0.36}
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
# innodb-file-per-table=OFF gives ~20% speedup for test runs.
command: [
"mysqld",
"--datadir=/tmpfs",
"--slow_query_log=1",
"--log_output=TABLE",
"--log-queries-not-using-indexes",
"--innodb-file-per-table=OFF",
"--table-definition-cache=8192",
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
"--enforce-gtid-consistency=ON",
"--log-bin=bin.log",
"--server-id=1",
# Required for storage of Apple MDM bootstrap packages.
"--max_allowed_packet=536870912",
]
environment: *mysql-default-environment
ports:
- "${FLEET_MYSQL_TEST_PORT:-3307}:3306"
tmpfs:
- /var/lib/mysql:rw,noexec,nosuid
- /tmpfs
mysql_replica_test:
image: ${FLEET_MYSQL_IMAGE:-mysql:8.0.36}
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
# innodb-file-per-table=OFF gives ~20% speedup for test runs.
command: [
"mysqld",
"--datadir=/tmpfs",
"--slow_query_log=1",
"--log_output=TABLE",
"--log-queries-not-using-indexes",
"--innodb-file-per-table=OFF",
"--table-definition-cache=8192",
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
"--enforce-gtid-consistency=ON",
"--log-bin=bin.log",
"--server-id=2",
# Required for storage of Apple MDM bootstrap packages.
"--max_allowed_packet=536870912",
]
environment: *mysql-default-environment
ports:
# ports 3308 and 3309 are used by the main and replica MySQL containers in tools/mysql-replica-testing/docker-compose.yml
- "3310:3306"
tmpfs:
- /var/lib/mysql:rw,noexec,nosuid
- /tmpfs
# Unauthenticated SMTP server.
mailhog:
image: mailhog/mailhog:latest
ports:
- "8025:8025"
- "1025:1025"
# SMTP server with Basic Authentication.
mailpit:
image: axllent/mailpit:latest
ports:
- "8026:8025"
- "1026:1025"
volumes:
- ./tools/mailpit/auth.txt:/auth.txt
command: ["--smtp-auth-file=/auth.txt", "--smtp-auth-allow-insecure=true"]
# SMTP server with TLS
smtp4dev_test:
image: rnwood/smtp4dev:v3
ports:
- "8028:80"
- "1027:25"
volumes:
- ./tools/smtp4dev:/certs
environment:
- ServerOptions__TlsMode=ImplicitTls
- ServerOptions__TlsCertificate=/certs/fleet.crt
- ServerOptions__TlsCertificatePrivateKey=/certs/fleet.key
redis:
image: redis:5
ports:
- "6379:6379"
saml_idp:
image: fleetdm/docker-idp:latest
volumes:
- ./tools/saml/users.php:/var/www/simplesamlphp/config/authsources.php
- ./tools/saml/config.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php
ports:
- "9080:8080"
- "9443:8443"
# CAdvisor container allows monitoring other containers. Useful for
# development.
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
ports:
- "5678:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
prometheus:
image: prom/prometheus:latest
ports:
- "9090:9090"
volumes:
- ./tools/app/prometheus.yml:/etc/prometheus/prometheus.yml
# localstack to simulate AWS integrations like firehose & kinesis
# use http://localhost:4566 as the `--endpoint-url` argument in awscli
localstack:
image: localstack/localstack
ports:
- "4566:4566"
- "4571:4571"
environment:
- SERVICES=firehose,kinesis,s3,iam,sts,secretsmanager
# s3 compatible object storage (file carving backend)
minio:
image: quay.io/minio/minio
command: server /data --console-address ":9001"
ports:
- "9000:9000"
- "9001:9001"
environment:
MINIO_ROOT_USER: minio
MINIO_ROOT_PASSWORD: minio123!
volumes:
- data-minio:/data
volumes:
mysql-persistent-volume:
data-minio:
Reference in a new issue View git blame Copy permalink