Add Traefik support

forwardauth/.env

@@ -0,0 +1,6 @@
+ENCRYPTION_KEY=f57d73478dedc596cf41679568c62986
+CLIENT_SECRET=7awzFYIlK3io3ipSuJd07aXxShp9p9Vp
+CLIENT_ID=bingus
+PROVIDER_URI=https://dev.theworldavatar.io/realms/twa-test
+SIGNING_SECRET=security_is_hard
+STACK_NAME=bingus

forwardauth/bingo.log

@@ -0,0 +1,3 @@
+
+time="2026-02-05T18:06:17Z" level=debug msg="Authenticate request" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7] Accept-Encoding:[gzip, deflate, br, zstd] Accept-Language:[en-IE,en-GB;q=0.9,en;q=0.8] Cache-Control:[max-age=0] Cookie:[_forward_auth_csrf=98b60036f1373bce89d3af6249b537b5] Dnt:[1] Sec-Ch-Ua:[\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Microsoft Edge\";v=\"144\"] Sec-Ch-Ua-Mobile:[?0] Sec-Ch-Ua-Platform:[\"Windows\"] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[cross-site] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 Edg/144.0.0.0] X-Forwarded-For:[10.0.0.2] X-Forwarded-Host:[localhost:1916] X-Forwarded-Port:[1916] X-Forwarded-Proto:[http] X-Forwarded-Server:[bingus-traefik] X-Real-Ip:[10.0.0.2]]" rule=default source_ip=10.0.0.2
+time="2026-02-05T18:06:17Z" level=debug msg="sending CSRF cookie and a redirect to OIDC login" source_ip=10.0.0.2

forwardauth/compose.yml

@@ -0,0 +1,28 @@
+services:
+  forwardauth:
+    image: mesosphere/traefik-forward-auth
+    networks:
+      - stack
+    environment:
+      - SECRET=${SIGNING_SECRET}
+      - PROVIDER_URI=${PROVIDER_URI}
+      - CLIENT_ID=${CLIENT_ID}
+      - CLIENT_SECRET=${CLIENT_SECRET}
+      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.forwardauth.loadbalancer.server.port=4181"
+      - "traefik.http.routers.forwardauth.entrypoints=web"
+        # Router for OAuth callback endpoint - middleware will detect and process callback
+
+      - "traefik.http.routers.forwardauth.rule=Path(`/_oauth`)"
+      # Middleware definition used by other services
+      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://forwardauth:4181"
+      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
+      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
+
+networks:
+  stack:
+    name: ${STACK_NAME}
+    driver: overlay
+    external: true

stack-clients/.vscode/settings.json

@@ -0,0 +1,9 @@
+{
+    "editor.formatOnSave": true,
+    "editor.codeActionsOnSave": {
+        "source.organizeImports": "explicit"
+    },
+    "[java]": {
+        "editor.formatOnSave": true
+    }
+}

stack-clients/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   stack-client:
-    image: ghcr.io/theworldavatar/stack-client${IMAGE_SUFFIX}:1.56.2
+    image: ghcr.io/theworldavatar/stack-client${IMAGE_SUFFIX}:1.57.0-traefik-support-SNAPSHOT
     secrets:
       - blazegraph_password
       - postgis_password

stack-clients/pom.xml

@@ -7,15 +7,15 @@
 
     <groupId>com.cmclinnovations</groupId>
     <artifactId>stack-clients</artifactId>
-    <version>1.56.2</version>
+    <version>1.57.0-traefik-support-SNAPSHOT</version>
 
     <name>Stack Clients</name>
     <url>https://theworldavatar.io</url>
 
     <parent>
         <groupId>uk.ac.cam.cares.jps</groupId>
         <artifactId>jps-parent-pom</artifactId>
-        <version>2.3.2</version>
+        <version>2.4.0</version>
     </parent>
 
     <properties>

stack-clients/src/main/java/com/cmclinnovations/stack/clients/core/StackClient.java

@@ -36,6 +36,7 @@ public final class StackClient {
     private static StackHost stackHost = new StackHost();
 
     private static boolean isolated = false;
+    private static String reverseProxyName;
 
     static {
         String envVarStackName = System.getenv(StackClient.STACK_NAME_KEY);
@@ -107,6 +108,14 @@ public static Path getAbsDataPath() {
         return getStackBaseDir().resolve("inputs").resolve("data");
     }
 
+    public static void setReverseProxyName(String reverseProxyName) {
+        StackClient.reverseProxyName = reverseProxyName;
+    }
+
+    public static String getReverseProxyName() {
+        return reverseProxyName;
+    }
+
     /**
      * Get a RemoteRDBStoreClient for the named Postgres RDB running in this stack.
      *

stack-clients/src/main/java/com/cmclinnovations/stack/clients/core/datasets/RML.java

@@ -1,7 +1,6 @@
 package com.cmclinnovations.stack.clients.core.datasets;
 
 import java.nio.file.Path;
-import java.util.Map;
 
 import com.cmclinnovations.stack.clients.rml.RmlMapperClient;
 

stack-clients/src/main/java/com/cmclinnovations/stack/clients/docker/DockerClient.java

@@ -53,7 +53,9 @@
 import com.github.dockerjava.core.DefaultDockerClientConfig.Builder;
 import com.github.dockerjava.core.DockerClientBuilder;
 import com.github.dockerjava.core.DockerClientConfig;
-import com.github.dockerjava.core.command.ExecStartResultCallback;
+import com.github.dockerjava.api.async.ResultCallback;
+import com.github.dockerjava.api.model.Frame;
+import com.github.dockerjava.api.model.StreamType;
 import com.github.dockerjava.httpclient5.ApacheDockerHttpClient;
 import com.github.dockerjava.transport.DockerHttpClient;
 
@@ -115,7 +117,6 @@ public String executeSimpleCommand(String containerId, String... cmd) {
                 .withOutputStream(outputStream)
                 .withErrorStream(outputStream)
                 .exec();
-        String output = outputStream.toString();
         return execId;
     }
 
@@ -231,11 +232,21 @@ public String exec() {
                     execStartCmd.withStdIn(inputStream);
                 }
 
-                // ExecStartResultCallback is marked deprecated but seems to do exactly what we
-                // want and without knowing why it is deprecated any issues with it can't be
-                // overcome anyway.
-                try (ExecStartResultCallback result = execStartCmd
-                        .exec(new ExecStartResultCallback(outputStream, errorStream))) {
+                try (ResultCallback.Adapter<Frame> result = execStartCmd
+                        .exec(new ResultCallback.Adapter<Frame>() {
+                            @Override
+                            public void onNext(Frame frame) {
+                                try {
+                                    if (frame.getStreamType() == StreamType.STDOUT && outputStream != null) {
+                                        outputStream.write(frame.getPayload());
+                                    } else if (frame.getStreamType() == StreamType.STDERR && errorStream != null) {
+                                        errorStream.write(frame.getPayload());
+                                    }
+                                } catch (IOException ex) {
+                                    throw new RuntimeException("Failed to write frame payload", ex);
+                                }
+                            }
+                        })) {
                     if (wait) {
                         if (!result.awaitCompletion(evaluationTimeout, TimeUnit.SECONDS)) {
                             LOGGER.warn("Docker exec command '{}' still running after the {} second execution timeout.",
@@ -553,7 +564,7 @@ public boolean isContainerUp(String containerName) {
 
     public String getContainerId(String containerName) {
         return getContainer(containerName).map(Container::getId)
-                .orElseThrow(() -> new NoSuchElementException("Cannot get container "+containerName+"."));
+                .orElseThrow(() -> new NoSuchElementException("Cannot get container " + containerName + "."));
     }
 
     private Map<String, List<String>> convertToConfigFilterMap(String configName, Map<String, String> labelMap) {

stack-clients/src/main/java/com/cmclinnovations/stack/clients/docker/PodmanClient.java

@@ -7,15 +7,16 @@
 
 import com.cmclinnovations.stack.clients.core.StackClient;
 import com.cmclinnovations.stack.clients.utils.JsonHelper;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.github.dockerjava.api.model.Config;
+import com.github.dockerjava.jaxrs.ApiClientExtension;
+
 import io.theworldavatar.swagger.podman.ApiClient;
 import io.theworldavatar.swagger.podman.ApiException;
 import io.theworldavatar.swagger.podman.api.NetworksApi;
 import io.theworldavatar.swagger.podman.api.SecretsApi;
 import io.theworldavatar.swagger.podman.model.Network;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.github.dockerjava.api.model.Config;
-import com.github.dockerjava.jaxrs.ApiClientExtension;
 
 public class PodmanClient extends DockerClient {
 

stack-clients/src/main/java/com/cmclinnovations/stack/clients/rdf4j/Rdf4jClient.java

@@ -4,7 +4,6 @@
 
 import org.eclipse.rdf4j.federated.repository.FedXRepositoryConfigBuilder;
 import org.eclipse.rdf4j.repository.config.RepositoryConfig;
-import org.eclipse.rdf4j.repository.config.RepositoryImplConfig;
 import org.eclipse.rdf4j.repository.manager.RemoteRepositoryManager;
 import org.eclipse.rdf4j.repository.sail.config.SailRepositoryConfig;
 import org.eclipse.rdf4j.repository.sparql.config.SPARQLRepositoryConfig;

stack-clients/src/main/java/com/cmclinnovations/stack/services/DockerService.java

@@ -9,6 +9,7 @@
 import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -338,8 +339,14 @@ void removeService(String serviceName) {
     protected ServiceSpec configureServiceSpec(ContainerService service) {
 
         ServiceSpec serviceSpec = service.getServiceSpec()
-                .withName(service.getContainerName())
-                .withLabels(StackClient.getStackNameLabelMap());
+                .withName(service.getContainerName());
+        // Merge existing labels with stack name labels
+        Map<String, String> serviceLabels = new HashMap<>();
+        if (serviceSpec.getLabels() != null) {
+            serviceLabels.putAll(serviceSpec.getLabels());
+        }
+        serviceLabels.putAll(StackClient.getStackNameLabelMap());
+        serviceSpec.withLabels(serviceLabels);
         TaskSpec taskTemplate = service.getTaskTemplate();
         if (null == taskTemplate.getRestartPolicy()) {
             taskTemplate.withRestartPolicy(new ServiceRestartPolicy()
@@ -350,8 +357,14 @@ protected ServiceSpec configureServiceSpec(ContainerService service) {
                 .withTarget(network.getId())
                 .withAliases(List.of(service.getName()))));
         ContainerSpec containerSpec = service.getContainerSpec()
-                .withLabels(StackClient.getStackNameLabelMap())
                 .withHostname(service.getName());
+        // Merge existing container labels with stack name labels
+        Map<String, String> containerLabels = new HashMap<>();
+        if (containerSpec.getLabels() != null) {
+            containerLabels.putAll(containerSpec.getLabels());
+        }
+        containerLabels.putAll(StackClient.getStackNameLabelMap());
+        containerSpec.withLabels(containerLabels);
 
         interpolateEnvironmentVariables(containerSpec);
 

stack-clients/src/main/java/com/cmclinnovations/stack/services/NginxService.java

@@ -14,8 +14,6 @@
 import com.cmclinnovations.stack.exceptions.InvalidTemplateException;
 import com.cmclinnovations.stack.services.config.Connection;
 import com.cmclinnovations.stack.services.config.ServiceConfig;
-import com.github.dockerjava.api.model.EndpointSpec;
-import com.github.dockerjava.api.model.PortConfig;
 import com.github.odiszapc.nginxparser.NgxBlock;
 import com.github.odiszapc.nginxparser.NgxComment;
 import com.github.odiszapc.nginxparser.NgxConfig;
@@ -27,8 +25,6 @@
 
 public final class NginxService extends ContainerService implements ReverseProxyService {
 
-    private static final String EXTERNAL_PORT = "EXTERNAL_PORT";
-
     public static final String TYPE = "nginx";
 
     private static final String TEMPLATE_TYPE = "Nginx config";
@@ -63,22 +59,7 @@ protected void doPreStartUpConfiguration() {
         }
     }
 
-    private void updateExternalPort(ServiceConfig config) {
-        String externalPort = System.getenv(EXTERNAL_PORT);
-        if (null != externalPort) {
-            EndpointSpec endpointSpec = config.getDockerServiceSpec().getEndpointSpec();
-            if (null != endpointSpec) {
-                List<PortConfig> ports = endpointSpec.getPorts();
-                if (null != ports) {
-                    ports.stream()
-                            .filter(port -> port.getTargetPort() == 80)
-                            .forEach(port -> port.withPublishedPort(Integer.parseInt(externalPort)));
-                }
-            }
-        }
-    }
-
-    public void addService(ContainerService service) {
+    public void addStackServiceToReverseProxy(ContainerService service) {
 
         NgxConfig locationConfigOut = new NgxConfig();
 
@@ -170,9 +151,7 @@ private String getProxyPassValue(Connection connection, String hostname) {
     }
 
     private String getServerURL(Connection connection, String hostname) {
-        URL url = connection.getUrl();
-        int port = url.getPort();
-        return hostname + ":" + ((-1 == port) ? 80 : port);
+        return hostname + ":" + getPortOrDefault(connection.getUrl());
     }
 
     private final class ConfigSender {

stack-clients/src/main/java/com/cmclinnovations/stack/services/ReverseProxyService.java

@@ -1,6 +1,49 @@
 package com.cmclinnovations.stack.services;
 
+import java.net.URL;
+import java.util.List;
+
+import com.cmclinnovations.stack.services.config.ServiceConfig;
+import com.github.dockerjava.api.model.EndpointSpec;
+import com.github.dockerjava.api.model.PortConfig;
+
 public interface ReverseProxyService extends Service {
 
-    public void addService(ContainerService service);
+    public void addStackServiceToReverseProxy(ContainerService service);
+
+    /**
+     * Updates the external port mapping for the reverse proxy service.
+     * This allows multiple stacks to run on the same host by exposing each stack's
+     * reverse proxy on a different external port.
+     * 
+     * @param config The service configuration containing the endpoint
+     *               specifications
+     */
+    default void updateExternalPort(ServiceConfig config) {
+        String externalPort = System.getenv("EXTERNAL_PORT");
+        if (null != externalPort) {
+            EndpointSpec endpointSpec = config.getDockerServiceSpec().getEndpointSpec();
+            if (null != endpointSpec) {
+                List<PortConfig> ports = endpointSpec.getPorts();
+                if (null != ports) {
+                    ports.stream()
+                            .filter(port -> port.getTargetPort() == 80)
+                            .forEach(port -> port.withPublishedPort(Integer.parseInt(externalPort)));
+                }
+            }
+        }
+    }
+
+    /**
+     * Gets the port from a URL, defaulting to 80 if not specified.
+     * This is a common pattern when working with HTTP services that don't
+     * explicitly specify a port.
+     * 
+     * @param url The URL to extract the port from
+     * @return The port number, or 80 if the URL doesn't specify a port (-1)
+     */
+    default int getPortOrDefault(URL url) {
+        int port = url.getPort();
+        return (port == -1) ? 80 : port;
+    }
 }

stack-clients/src/main/java/com/cmclinnovations/stack/services/ServiceManager.java

@@ -167,15 +167,17 @@ public <S extends Service> S initialiseService(String stackName, String serviceN
             DockerService dockerService = getOrInitialiseService(stackName, StackClient.getContainerEngineName());
             dockerService.doPreStartUpConfiguration(newContainerService);
 
+            if (!StackClient.getReverseProxyName().equals(serviceName)) {
+                ReverseProxyService reverseProxyService = getOrInitialiseService(stackName,
+                        StackClient.getReverseProxyName());
+                reverseProxyService.addStackServiceToReverseProxy(newContainerService);
+            }
+
             dockerService.writeEndpointConfigs(newContainerService);
             if (dockerService.startContainer(newContainerService)) {
                 dockerService.doFirstTimePostStartUpConfiguration(newContainerService);
             }
             dockerService.doEveryTimePostStartUpConfiguration(newContainerService);
-            if (!NginxService.TYPE.equals(serviceName)) {
-                ReverseProxyService reverseProxyService = getOrInitialiseService(stackName, NginxService.TYPE);
-                reverseProxyService.addService(newContainerService);
-            }
         }
 
         services.put(serviceName, newService);