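---
# Local development stack for the version-guard detector: a Temporal dev
# server, MinIO as the S3-compatible snapshot store, a static endoflife
# mock, and the detector itself. The emitter is an opt-in compose profile.
#
# Everything here is sized for a single developer host:
#   - MinIO credentials default to the well-known `minioadmin` pair and can
#     be overridden from the host environment / .env via MINIO_ROOT_USER and
#     MINIO_ROOT_PASSWORD (the same two variables feed every service below).
#   - The Temporal dev server runs without authentication.
#   - Published ports bind to every host interface; prefix a mapping with
#     `127.0.0.1:` if the host is reachable from other machines.
#   - Images are pulled by `latest` tag, so runs are not reproducible; pin a
#     version or digest before reusing this file anywhere but local dev.
services:
  temporal:
    image: temporalio/admin-tools:latest
    ports:
      - "7233:7233"  # gRPC frontend
      - "8233:8233"  # Web UI
    entrypoint: ["temporal"]
    # `--ip 0.0.0.0` is needed so the other containers can reach the frontend
    # over the compose network; host exposure is governed by `ports` above.
    command: ["server", "start-dev", "--ip", "0.0.0.0", "--namespace", "version-guard-dev"]
    healthcheck:
      test: ["CMD", "temporal", "operator", "cluster", "health", "--address", "localhost:7233"]
      interval: 5s
      timeout: 5s
      retries: 20
      start_period: 10s

  minio:
    image: minio/minio:latest
    command: server /data --console-address ":9001"
    ports:
      - "9000:9000"  # S3 API
      - "9001:9001"  # web console
    environment:
      # Root credentials. Defaults are the public dev pair; override both
      # variables together on the host, since minio-init, version-guard and
      # emitter interpolate the same two names for their client credentials.
      MINIO_ROOT_USER: ${MINIO_ROOT_USER:-minioadmin}
      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-minioadmin}
      # Enables virtual-hosted-style bucket addressing (`<bucket>.minio`).
      # Required because AWS SDK Go v2 (used by the emitter) defaults to
      # virtual-hosted style and the emitter does not yet expose a
      # `S3_ENDPOINT` flag that would let us force path-style at the SDK
      # layer like the detector does.
      MINIO_DOMAIN: minio
    networks:
      default:
        aliases:
          # Resolve `version-guard-snapshots.minio` → the MinIO container
          # so virtual-hosted-style requests from the emitter land on the
          # right host.
          - version-guard-snapshots.minio

  minio-init:
    image: minio/mc:latest
    depends_on:
      - minio
    # minio has no healthcheck, so instead of a fixed `sleep 3` poll
    # `mc alias set` (which round-trips to the server) until MinIO answers,
    # giving up after ~30s with a non-zero exit. The bucket is created
    # idempotently; version-guard and emitter wait for this container to
    # exit 0 before starting (see their `depends_on`).
    # `$$` is the compose escape for a literal `$` seen by the shell.
    entrypoint: >
      sh -c "
      n=0;
      until mc alias set local http://minio:9000 ${MINIO_ROOT_USER:-minioadmin} ${MINIO_ROOT_PASSWORD:-minioadmin}; do
      n=$$((n+1)); [ $$n -ge 30 ] && exit 1; sleep 1;
      done &&
      mc mb --ignore-existing local/version-guard-snapshots &&
      echo 'Bucket created'
      "

  endoflife:
    image: nginx:alpine
    # Static stand-in for the endoflife API; version-guard points at it via
    # EOL_BASE_URL below. Both mounts are read-only.
    volumes:
      - ./deploy/endoflife-override/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ./deploy/endoflife-override/api:/data/api:ro
    ports:
      - "8082:8080"

  version-guard:
    build:
      context: .
      dockerfile: deploy/Dockerfile
    depends_on:
      temporal:
        condition: service_healthy
      minio:
        condition: service_started
      # Do not start until the snapshot bucket exists; otherwise the first
      # snapshot write races minio-init.
      minio-init:
        condition: service_completed_successfully
    environment:
      TEMPORAL_ENDPOINT: temporal:7233
      TEMPORAL_NAMESPACE: version-guard-dev
      TEMPORAL_METRICS_ENABLED: "${TEMPORAL_METRICS_ENABLED:-true}"
      TEMPORAL_METRICS_LISTEN_ADDRESS: 0.0.0.0:9090
      S3_BUCKET: version-guard-snapshots
      AWS_REGION: us-east-1
      # Must match the MinIO root credentials above.
      AWS_ACCESS_KEY_ID: ${MINIO_ROOT_USER:-minioadmin}
      AWS_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD:-minioadmin}
      S3_ENDPOINT: http://minio:9000
      # Wiz credentials come from the host environment only and default to
      # empty; never hard-code them in this file.
      WIZ_CLIENT_ID_SECRET: ${WIZ_CLIENT_ID_SECRET:-}
      WIZ_CLIENT_SECRET_SECRET: ${WIZ_CLIENT_SECRET_SECRET:-}
      WIZ_REPORT_IDS: ${WIZ_REPORT_IDS:-}
      EOL_BASE_URL: http://endoflife:8080/api
      SCHEDULE_ENABLED: "${SCHEDULE_ENABLED:-false}"
      SCHEDULE_CRON: "${SCHEDULE_CRON:-0 6 * * *}"
      SCHEDULE_ID: ${SCHEDULE_ID:-version-guard-scan}
      SCHEDULE_JITTER: ${SCHEDULE_JITTER:-5m}
      # emitter webhook: only meaningful when the `with-emitter` compose
      # profile is active (the `emitter` service below). When the
      # profile is off, the emitter service isn't built/started and the
      # detector will fail to POST /trigger-act — Webhook failures are
      # non-fatal so the snapshot still lands in MinIO.
      EMITTER_WEBHOOK_URL: ${EMITTER_WEBHOOK_URL:-http://emitter:8080}
      # Synthesize 1 fake resource per config when no Wiz creds are set,
      # so the detector → snapshot path produces output without external
      # CloudSec access. NEVER set this in production.
      INVENTORY_FALLBACK: ${INVENTORY_FALLBACK:-mock}
    ports:
      - "8081:8081"  # detector HTTP
      - "9090:9090"  # Temporal metrics (TEMPORAL_METRICS_LISTEN_ADDRESS)

  # Optional emitter service — opt in with `--profile with-emitter`.
  # The build context defaults to the sibling `../version-guard-emitter`
  # checkout; override with EMITTER_PATH for any other location, e.g.:
  # EMITTER_PATH=/path/to/your/emitter docker compose --profile with-emitter up --build
  # Devs without the emitter source can leave the profile off and still
  # exercise the detector + Temporal + MinIO + endoflife stack.
  emitter:
    profiles: ["with-emitter"]
    build:
      context: ${EMITTER_PATH:-../version-guard-emitter}
      dockerfile: Dockerfile
    depends_on:
      temporal:
        condition: service_healthy
      minio:
        condition: service_started
      # Same bucket race as version-guard: wait for minio-init to finish.
      minio-init:
        condition: service_completed_successfully
    environment:
      TEMPORAL_ENDPOINT: temporal:7233
      TEMPORAL_NAMESPACE: version-guard-dev
      TEMPORAL_TASK_QUEUE: version-guard-act
      ADMIN_PORT: "8080"
      S3_BUCKET: version-guard-snapshots
      S3_PREFIX: snapshots
      AWS_REGION: us-east-1
      # Must match the MinIO root credentials above.
      AWS_ACCESS_KEY_ID: ${MINIO_ROOT_USER:-minioadmin}
      AWS_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD:-minioadmin}
      # AWS SDK Go v2 honours AWS_ENDPOINT_URL_S3 for MinIO routing
      # without code changes — the emitter doesn't expose its own
      # S3_ENDPOINT flag yet.
      AWS_ENDPOINT_URL_S3: http://minio:9000
      AWS_S3_FORCE_PATH_STYLE: "true"
      # The bundled emitters/asr config in the emitter image requires
      # ASR_ENDPOINT to be set or it refuses to start. We point it at a
      # noop URL — the wire test only needs the emitter to receive the
      # /trigger-act webhook and start ActWorkflow; downstream ASR
      # submission will fail, which is expected and out of scope here.
      ASR_ENDPOINT: ${ASR_ENDPOINT:-http://localhost:9999/noop}
    ports:
      # Host :8083 → container :8080 (host :8082 is already taken by the
      # endoflife mock service).
      - "8083:8080"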