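---
# Runnable Topaz example for the flex-auth alignment spike.
#
# Boot order:
#   1. topaz — runs topazd with the spike config; serves authorizer
#      on :8282 (gRPC) and :8383 (REST), directory on :9292
#      (gRPC) and :9393 (REST), health on :9494.
#   2. seed  — one-shot container that pushes the manifest and seeds
#      directory objects/relations via REST. Exits on success.
#   3. probe — one-shot container that runs three authorizer checks
#      (steward allow, reader allow, outsider deny) and exits
#      non-zero if any decision is unexpected.
#
# Usage:
#   docker compose up --abort-on-container-exit --exit-code-from probe
#
# See docs/topaz-mapping-spike.md and README.md.
#
# Security posture of this example:
#   - Every published port is bound to 127.0.0.1, so the authorizer and
#     directory APIs are reachable from the host only. Whether those
#     listeners require authentication or TLS is decided by
#     ./cfg/config.yaml, which is not part of this file; check it before
#     widening any binding.
#   - seed and probe talk to topaz over plain http:// on the
#     compose-internal network. That is a spike convenience, not a
#     deployment pattern.

services:
  topaz:
    # NOTE(review): `latest` is a mutable tag, so the policy engine under
    # test can change between runs and the probe result is not
    # reproducible. Pin to a release tag and digest once one is chosen,
    # e.g. ghcr.io/aserto-dev/topaz:<version>@sha256:<digest>.
    image: "ghcr.io/aserto-dev/topaz:latest"
    command: ["run", "--config-file", "/cfg/config.yaml", "--bundle", "/bundle"]
    ports:
      # Loopback-only on the host side; quoted so the host:port pairs are
      # always read as strings.
      - "127.0.0.1:8282:8282"  # authorizer gRPC
      - "127.0.0.1:8383:8383"  # authorizer REST
      - "127.0.0.1:9292:9292"  # directory gRPC
      - "127.0.0.1:9393:9393"  # directory REST
      - "127.0.0.1:9494:9494"  # health
    volumes:
      # Config and policy bundle are mounted read-only, so the container
      # cannot modify the policy it is enforcing.
      - "./cfg:/cfg:ro"
      - "./bundle:/bundle:ro"
      # Writable named volumes. They outlive `docker compose down`; use
      # `docker compose down -v` to discard them so a later run does not
      # start from a previous run's directory data.
      - "topaz-db:/db"
      - "topaz-certs:/certs"
    healthcheck:
      # Topaz's image has no curl/wget; nc is in busybox. Probe TCP on
      # the authorizer REST port — the gateway only listens once the
      # backing gRPC service is ready.
      test: ["CMD-SHELL", "nc -z 127.0.0.1 8383 || exit 1"]
      interval: 2s
      timeout: 2s
      retries: 30

  seed:
    image: "alpine:3.20"
    depends_on:
      topaz:
        # Wait for the healthcheck above, not just for container start.
        condition: service_healthy
    volumes:
      # Seed data, scripts and manifest are all read-only inputs.
      - "./data:/data:ro"
      - "./scripts:/scripts:ro"
      - "./manifest.yaml:/manifest.yaml:ro"
    entrypoint: ["/bin/sh", "/scripts/seed.sh"]
    environment:
      # Directory REST endpoint, addressed by compose service name.
      # NOTE(review): no credential is passed here, so the directory
      # write API is presumably open in the spike config — confirm
      # against ./cfg/config.yaml.
      DIRECTORY_REST: "http://topaz:9393"

  probe:
    image: "alpine:3.20"
    depends_on:
      seed:
        # Run only after seeding exited with status 0.
        condition: service_completed_successfully
    volumes:
      - "./scripts:/scripts:ro"
    entrypoint: ["/bin/sh", "/scripts/probe.sh"]
    environment:
      # Authorizer REST endpoint, addressed by compose service name.
      AUTHORIZER_REST: "http://topaz:8383"

volumes:
  # Named volumes with default driver settings.
  topaz-db: {}
  topaz-certs: {}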