feat(dev-deploy): one /_gm gate for console + Grafana + Mailpit
Tests · Go / test (push) Successful in 1m59s
Tests · Go / test (push) Successful in 1m59s
Consolidate the operator console and the observability / captured-mail UIs behind a single Basic Auth gate, so one password (the admin-console account, dev: gm/gm-dev-password) unlocks all three, with links in the console nav: - Caddyfile.dev: a single basic_auth on /_gm/* fronts nested routes — /_gm/grafana/ -> Grafana, /_gm/mailpit/ -> Mailpit, catch-all -> the gateway/backend console. Caddy forwards the same Authorization header, which the backend console also accepts, so there is one prompt. The former top-level /grafana/ and /mailpit/ routes are removed. - Grafana: served under /_gm/grafana/ (sub-path) as anonymous Admin with the login form and basic auth disabled, so it relies solely on the /_gm gate and ignores the forwarded credentials. - Mailpit: MP_WEBROOT=/_gm/mailpit (and the healthcheck path) so its UI lives under the gate. - Operator console: add Grafana and Mailpit links to the nav.
This commit is contained in:
Ilia Denisov
@@ -74,9 +74,10 @@ services:
|
||||
command:
|
||||
- "--smtp-relay-config=/etc/mailpit/relay.conf"
|
||||
- "--smtp-relay-matching=${GALAXY_DEV_MAIL_RELAY_MATCH:-nobody@invalid.example}"
|
||||
# Serve the capture UI under /mailpit so the host Caddy can expose it
|
||||
# at https://galaxy.lan/mailpit/ (behind basic-auth); SMTP is unaffected.
|
||||
- "--webroot=/mailpit"
|
||||
# Serve the capture UI under /_gm/mailpit so the host Caddy can expose
|
||||
# it at https://galaxy.lan/_gm/mailpit/ behind the shared /_gm gate;
|
||||
# SMTP is unaffected.
|
||||
- "--webroot=/_gm/mailpit"
|
||||
labels:
|
||||
galaxy.stack: dev-deploy
|
||||
networks:
|
||||
@@ -84,7 +85,7 @@ services:
|
||||
volumes:
|
||||
- galaxy-dev-mailpit-config:/etc/mailpit:ro
|
||||
healthcheck:
|
||||
test: ["CMD", "wget", "-q", "-O-", "http://localhost:8025/mailpit/livez"]
|
||||
test: ["CMD", "wget", "-q", "-O-", "http://localhost:8025/_gm/mailpit/livez"]
|
||||
interval: 3s
|
||||
timeout: 3s
|
||||
retries: 30
|
||||
@@ -412,8 +413,15 @@ services:
|
||||
- galaxy-tempo
|
||||
environment:
|
||||
GF_SECURITY_ADMIN_PASSWORD: ${GALAXY_DEV_GRAFANA_ADMIN_PASSWORD:-admin}
|
||||
GF_SERVER_ROOT_URL: https://galaxy.lan/grafana/
|
||||
GF_SERVER_ROOT_URL: https://galaxy.lan/_gm/grafana/
|
||||
GF_SERVER_SERVE_FROM_SUB_PATH: "true"
|
||||
# No own login: the /_gm Basic Auth gate is the only barrier, so
|
||||
# serve everyone as anonymous Admin and ignore the forwarded
|
||||
# Authorization header (basic auth off, login form off).
|
||||
GF_AUTH_ANONYMOUS_ENABLED: "true"
|
||||
GF_AUTH_ANONYMOUS_ORG_ROLE: Admin
|
||||
GF_AUTH_DISABLE_LOGIN_FORM: "true"
|
||||
GF_AUTH_BASIC_ENABLED: "false"
|
||||
GF_USERS_ALLOW_SIGN_UP: "false"
|
||||
GF_ANALYTICS_REPORTING_ENABLED: "false"
|
||||
GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
|
||||
|
||||
Reference in New Issue
Block a user