219 lines
7.6 KiB
YAML
219 lines
7.6 KiB
YAML
services:
|
|
boulder:
|
|
# The `letsencrypt/boulder-tools:latest` tag is automatically built in local
|
|
# dev environments. In CI a specific BOULDER_TOOLS_TAG is passed, and it is
|
|
# pulled with `docker compose pull`.
|
|
image: &boulder_tools_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest}
|
|
build:
|
|
context: test/boulder-tools/
|
|
# Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
|
|
args:
|
|
GO_VERSION: 1.24.1
|
|
environment:
|
|
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
|
|
# to the IP address where your ACME client's solver is listening. This is
|
|
# pointing at the boulder service's "public" IP, where challtestsrv is.
|
|
FAKE_DNS: 64.112.117.122
|
|
BOULDER_CONFIG_DIR: test/config
|
|
GOCACHE: /boulder/.gocache/go-build
|
|
GOFLAGS: -mod=vendor
|
|
volumes:
|
|
- .:/boulder:cached
|
|
- ./.gocache:/root/.cache/go-build:cached
|
|
- ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
|
|
networks:
|
|
bouldernet:
|
|
ipv4_address: 10.77.77.77
|
|
publicnet:
|
|
ipv4_address: 64.112.117.122
|
|
publicnet2:
|
|
ipv4_address: 64.112.117.134
|
|
# Use consul as a backup to Docker's embedded DNS server. If there's a name
|
|
# Docker's DNS server doesn't know about, it will forward the query to this
|
|
# IP (running consul).
|
|
# (https://docs.docker.com/config/containers/container-networking/#dns-services).
|
|
# This is used to look up service names via A records (like ra.service.consul) that
|
|
# are configured via the ServerAddress field of cmd.GRPCClientConfig.
|
|
# TODO: Remove this when ServerAddress is deprecated in favor of SRV records
|
|
# and DNSAuthority.
|
|
dns: 10.77.77.10
|
|
extra_hosts:
|
|
# Allow the boulder container to be reached as "ca.example.org", so we
|
|
# can put that name inside our integration test certs (e.g. as a crl
|
|
# url) and have it look like a publicly-accessible name.
|
|
# TODO(#8215): Move s3-test-srv to a separate service.
|
|
- "ca.example.org:64.112.117.122"
|
|
# Allow the boulder container to be reached as "integration.trust", for
|
|
# similar reasons, but intended for use as a SAN rather than a CRLDP.
|
|
# TODO(#8215): Move observer's probe target to a separate service.
|
|
- "integration.trust:64.112.117.122"
|
|
ports:
|
|
- 4001:4001 # ACMEv2
|
|
- 4002:4002 # OCSP
|
|
- 4003:4003 # SFE
|
|
depends_on:
|
|
- bmysql
|
|
- bproxysql
|
|
- bredis_1
|
|
- bredis_2
|
|
- bredis_3
|
|
- bredis_4
|
|
- bconsul
|
|
- bjaeger
|
|
- bpkimetal
|
|
entrypoint: test/entrypoint.sh
|
|
working_dir: &boulder_working_dir /boulder
|
|
|
|
bsetup:
|
|
image: *boulder_tools_image
|
|
volumes:
|
|
- .:/boulder:cached
|
|
- ./.gocache:/root/.cache/go-build:cached
|
|
- ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
|
|
entrypoint: test/certs/generate.sh
|
|
working_dir: *boulder_working_dir
|
|
profiles:
|
|
# Adding a profile to this container means that it won't be started by a
|
|
# normal "docker compose up/run boulder", only when specifically invoked
|
|
# with a "docker compose up bsetup".
|
|
- setup
|
|
|
|
bmysql:
|
|
image: mariadb:10.6.22
|
|
networks:
|
|
bouldernet:
|
|
aliases:
|
|
- boulder-mysql
|
|
environment:
|
|
MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
|
|
# Send slow queries to a table so we can check for them in the
|
|
# integration tests. For now we ignore queries not using indexes,
|
|
# because that seems to trigger based on the optimizer's choice to not
|
|
# use an index for certain queries, particularly when tables are still
|
|
# small.
|
|
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
|
|
logging:
|
|
driver: none
|
|
|
|
bproxysql:
|
|
image: proxysql/proxysql:2.5.4
|
|
# The --initial flag force resets the ProxySQL database on startup. By
|
|
# default, ProxySQL ignores new configuration if the database already
|
|
# exists. Without this flag, new configuration wouldn't be applied until you
|
|
# ran `docker compose down`.
|
|
entrypoint: proxysql -f --idle-threads -c /test/proxysql/proxysql.cnf --initial
|
|
volumes:
|
|
- ./test/:/test/:cached
|
|
depends_on:
|
|
- bmysql
|
|
networks:
|
|
bouldernet:
|
|
aliases:
|
|
- boulder-proxysql
|
|
|
|
bredis_1:
|
|
image: redis:6.2.7
|
|
volumes:
|
|
- ./test/:/test/:cached
|
|
command: redis-server /test/redis-ocsp.config
|
|
networks:
|
|
bouldernet:
|
|
# TODO(#8215): Remove this static IP allocation (and similar below) when
|
|
# we tear down ocsp-responder. We only have it because ocsp-responder
|
|
# requires IPs in its "ShardAddrs" config, while ratelimit redis
|
|
# supports looking up shards via hostname and SRV record.
|
|
ipv4_address: 10.77.77.2
|
|
|
|
bredis_2:
|
|
image: redis:6.2.7
|
|
volumes:
|
|
- ./test/:/test/:cached
|
|
command: redis-server /test/redis-ocsp.config
|
|
networks:
|
|
bouldernet:
|
|
ipv4_address: 10.77.77.3
|
|
|
|
bredis_3:
|
|
image: redis:6.2.7
|
|
volumes:
|
|
- ./test/:/test/:cached
|
|
command: redis-server /test/redis-ratelimits.config
|
|
networks:
|
|
bouldernet:
|
|
ipv4_address: 10.77.77.4
|
|
|
|
bredis_4:
|
|
image: redis:6.2.7
|
|
volumes:
|
|
- ./test/:/test/:cached
|
|
command: redis-server /test/redis-ratelimits.config
|
|
networks:
|
|
bouldernet:
|
|
ipv4_address: 10.77.77.5
|
|
|
|
bconsul:
|
|
image: hashicorp/consul:1.15.4
|
|
volumes:
|
|
- ./test/:/test/:cached
|
|
networks:
|
|
bouldernet:
|
|
ipv4_address: 10.77.77.10
|
|
command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
|
|
|
|
bjaeger:
|
|
image: jaegertracing/all-in-one:1.50
|
|
networks:
|
|
- bouldernet
|
|
|
|
bpkimetal:
|
|
image: ghcr.io/pkimetal/pkimetal:v1.20.0
|
|
networks:
|
|
- bouldernet
|
|
|
|
networks:
|
|
# This network represents the data-center internal network. It is used for
|
|
# boulder services and their infrastructure, such as consul, mariadb, and
|
|
# redis.
|
|
bouldernet:
|
|
driver: bridge
|
|
ipam:
|
|
driver: default
|
|
config:
|
|
- subnet: 10.77.77.0/24
|
|
# Only issue DHCP addresses in the top half of the range, to avoid
|
|
# conflict with static addresses.
|
|
ip_range: 10.77.77.128/25
|
|
|
|
# This network represents the public internet. It uses a real public IP space
|
|
# (that Let's Encrypt controls) so that our integration tests are happy to
|
|
# validate and issue for it. It is used by challtestsrv, which binds to
|
|
# 64.112.117.122:80 and :443 for its HTTP-01 challenge responder.
|
|
#
|
|
# TODO(#8215): Put akamai-test-srv and s3-test-srv on this network.
|
|
publicnet:
|
|
driver: bridge
|
|
ipam:
|
|
driver: default
|
|
config:
|
|
- subnet: 64.112.117.0/25
|
|
|
|
# This network is used for two things in the integration tests:
|
|
# - challtestsrv binds to 64.112.117.134:443 for its tls-alpn-01 challenge
|
|
# responder, to avoid interfering with the HTTPS port used for testing
|
|
# HTTP->HTTPS redirects during http-01 challenges. Note: this could
|
|
# probably be updated in the future so that challtestsrv can handle
|
|
# both tls-alpn-01 and HTTPS on the same port.
|
|
# - test/v2_integration.py has some test cases that start their own HTTP
|
|
# server instead of relying on challtestsrv, because they want very
|
|
# specific behavior. For these cases, v2_integration.py creates a Python
|
|
# HTTP server and binds it to 64.112.117.134:80.
|
|
#
|
|
# TODO(#8215): Deprecate this network, replacing it with individual IPs within
|
|
# the existing publicnet.
|
|
publicnet2:
|
|
driver: bridge
|
|
ipam:
|
|
driver: default
|
|
config:
|
|
- subnet: 64.112.117.128/25
|