[docker] add ssl certificates / volumes

Hi,

We would like to use docker-compose to start Foreman (we have a very old version running directly on a VM but are containerizing everything).

I’m using these resources:

I have a lot of questions since I'm new to Foreman and the person who installed our current version is no longer available:

  1. The postgres database is somewhere in /var/lib/docker, so I managed to hack the dockerfile to reside in /home/docker/foreman. The redis data is there as well, but I'm missing the volume where the Foreman app data should go - the compose file does not have a config or appdata volume exposed.

  2. This is a big one: normally I would expect to edit a config file and add /etc/pki/tls/private/mycert.key and /etc/pki/tls/certs/mycert.cer, but I can't find any. I did find a lot of SSL-related settings under Administer > Settings but am a bit overwhelmed - do I need to put those files here?

    • SSL certificate
    • SSL CA file
    • SSL private key
    • SSL client DN env
    • SSL client verify env
    • SSL client cert env
    • Server CA file
    • Websockets SSL key
    • Websockets SSL certificate

This is my altered compose file and with this I can start the foreman frontend:

version: '3.4'
services:
  db:
    environment:
      - PGUSER=foreman
      - POSTGRES_USER=foreman
      - POSTGRES_PASSWORD=foreman
      - POSTGRES_DATABASE=foreman
      - PGDATA=/var/lib/postgresql/data/pgdata
    hostname: theforeman.local
    image: postgres:12
    ports:
      - '5432'
    restart: always
    healthcheck:
      #WRONG -> test: ["CMD-SHELL", "npc -z 127.0.0.1 5432 || exit 1"]
      test: ["CMD-SHELL", "pg_isready"]
      interval: 30s
      timeout: 30s
      retries: 3
    volumes:
      - ./db:/var/lib/postgresql/data

  app: &app_base
    image: quay.io/foreman/foreman:develop
    command: bundle exec bin/rails server -b 0.0.0.0
    build:
      context: .
    environment:
      - DATABASE_URL=postgres://foreman:foreman@db/foreman?pool=5
      - RAILS_MAX_THREADS=5
      - RAILS_ENV=production
      - FOREMAN_FQDN=theforeman.local
      - FOREMAN_DOMAIN=local
      - FOREMAN_RAILS_CACHE_STORE_TYPE=redis
      - FOREMAN_RAILS_CACHE_STORE_URLS=redis://redis-cache:6379/0
      - DYNFLOW_REDIS_URL=redis://redis-tasks:6379/0
      - REDIS_PROVIDER=DYNFLOW_REDIS_URL
    hostname: theforeman.local
    links:
      - db
      - redis-cache
      - redis-tasks
    ports:
      # - "${MY_DOCKER_IP:-127.0.0.1}:3000:3000"
      - "3000:3000"
      - "${MY_DOCKER_IP:-127.0.0.1}:5910-5930:5910-5930"
    restart: always
    healthcheck:
      test: ["CMD-SHELL", "nc -z 127.0.0.1 3000 || exit 1"]
      interval: 5m
      start_period: 1m
    # does not work
    # volumes:
    #  - ./config:/home/foreman/cfg

  orchestrator:
    <<: *app_base
    command: bundle exec sidekiq -r ./extras/dynflow-sidekiq.rb -c 1 -q dynflow_orchestrator
    hostname: theforeman.local
    ports: []

  worker:
    <<: *app_base
    command: bundle exec sidekiq -r ./extras/dynflow-sidekiq.rb -c 15 -q default,1 -q remote_execution,1
    ports: []

  redis-cache:
    image: redis

  redis-tasks:
    image: redis
    command: redis-server --appendonly yes
    volumes:
      - ./redis-persistent:/data

volumes:
  db:
  redis-persistent:
  # does not work:
  # config:
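The following is an added example, not part of the original post or of the Foreman project's own compose file. It shows one way to get the certificate and key into the deployment without touching the Administer > Settings entries: keep the Rails server on port 3000 as plain HTTP inside the compose network and terminate TLS in an nginx reverse proxy in front of it, with the key and certificate bind-mounted read-only. It is written as a docker-compose.override.yml that is merged with the base file above. Assumptions: Docker Compose v2.23.1 or newer (for the inline `configs` content), the certificate and key copied to ./certs/mycert.cer and ./certs/mycert.key on the host, and the hostname theforeman.local from the base file.

```yaml
# docker-compose.override.yml (added example, not the project's own file)
# Assumes: Docker Compose >= 2.23.1, ./certs/mycert.cer and ./certs/mycert.key
# present on the host, base file above providing the `app` service on port 3000.
services:
  proxy:
    image: nginx:1.25-alpine
    depends_on:
      - app
    ports:
      - "443:443"
    volumes:
      # Key and certificate are bind-mounted read-only: the container cannot
      # modify them and they never end up inside an image layer.
      - ./certs/mycert.cer:/etc/nginx/tls/mycert.cer:ro
      - ./certs/mycert.key:/etc/nginx/tls/mycert.key:ro
    configs:
      - source: nginx_tls
        target: /etc/nginx/conf.d/default.conf
    restart: always

configs:
  nginx_tls:
    # nginx server block inlined here so the example is a single file.
    content: |
      server {
        listen 443 ssl;
        server_name theforeman.local;

        ssl_certificate     /etc/nginx/tls/mycert.cer;
        ssl_certificate_key /etc/nginx/tls/mycert.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
          # `app` resolves to the Rails container on the compose network.
          proxy_pass http://app:3000;
          proxy_set_header Host              $host;
          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto https;
        }
      }
```

Start with `docker compose up -d` and the proxy answers on https://theforeman.local/ while the Rails server stays reachable only inside the compose network. Once the proxy is in front, the base file's `"3000:3000"` mapping should be removed or bound to the loopback address (as the commented-out `"${MY_DOCKER_IP:-127.0.0.1}:3000:3000"` line does), otherwise the plain-HTTP port stays published on every host interface alongside the TLS one.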