Deployment Changes

This page highlights important changes in deployment configuration and services. Review the updates below to ensure compatibility with the latest release.

Target Audience

This page is only relevant for users who don't use docker-compose.

Services

Please inspect the docker-compose.yml diff for breaking changes in service deployment. Note that the caddy container is no longer run from an upstream image; instead, it is now built from a Dockerfile found in the deployment repository. This migration step is required for TRUST to work correctly.

diff --git a/docker-compose.yml b/docker-compose.yml
index 5512f45..f13d010 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services:
     travel-autod:
         <<: *21-defaults
         container_name: travel-autod
-        image: registry.21analytics.ch/21analytics/21travel:8.0.0
+        image: registry.21analytics.ch/21analytics/21travel:8.1.0
         depends_on:
             - 'travel-trpd'
             - 'travel-aopd'
@@ -32,10 +32,31 @@ services:
                 'http://caddy:2019',
             ]

+    travel-trustd:
+        <<: *21-defaults
+        container_name: travel-trustd
+        image: registry.21analytics.ch/21analytics/21travel:8.1.0
+        depends_on:
+            - 'postgres'
+        environment:
+            RUST_LOG: ${TRAVEL_LOG}
+        command:
+            [
+                './trustd',
+                '--log-format',
+                'json',
+                '--external',
+                '0.0.0.0:3030',
+                '--status',
+                '0.0.0.0:3040',
+                '--database',
+                'postgresql://trustd:$TRUSTD_DB_PW@postgres/21travel',
+            ]
+
     travel-trpd:
         <<: *21-defaults
         container_name: travel-trpd
-        image: registry.21analytics.ch/21analytics/21travel:8.0.0
+        image: registry.21analytics.ch/21analytics/21travel:8.1.0
         depends_on:
             - 'postgres'
         environment:
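Review bot: The `--database` argument of the new travel-trustd service interpolates `$TRUSTD_DB_PW` without the `:?` guard that the same variable gets in the later `environment:` hunk, so an unset variable expands to an empty password with at most a compose warning. Writing it as `'postgresql://trustd:${TRUSTD_DB_PW:?set TRUSTD_DB_PW please}@postgres/21travel'` would make compose refuse to start instead. The password also ends up in the container's command line, where it is readable through `docker inspect` and host process listings, and a password containing URL-reserved characters would need percent-encoding. If trustd can read the connection string from an environment variable or a file (not visible here), that would be the better place for it. The other daemons' command lines are outside the shown hunks and may follow the same pattern.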
@@ -56,7 +77,7 @@ services:
     travel-aopd:
         <<: *21-defaults
         container_name: travel-aopd
-        image: registry.21analytics.ch/21analytics/21travel:8.0.0
+        image: registry.21analytics.ch/21analytics/21travel:8.1.0
         depends_on:
             - 'postgres'
         environment:
@@ -79,6 +100,7 @@ services:
         environment:
             AOPD_DB_PW: ${AOPD_DB_PW:?set AOPD_DB_PW please}
             TRPD_DB_PW: ${TRPD_DB_PW:?set TRPD_DB_PW please}
+            TRUSTD_DB_PW: ${TRUSTD_DB_PW:?set TRUSTD_DB_PW please}
             AUTOD_DB_PW: ${AUTOD_DB_PW:?set AUTOD_DB_PW please}
             KEYCLOAK_DB_PW: ${KEYCLOAK_DB_PW:?set KEYCLOAK_DB_PW please}
             POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD please}
@@ -95,7 +117,7 @@ services:
     seaweedfs:
         <<: *21-defaults
         container_name: seaweedfs
-        image: docker.io/chrislusf/seaweedfs:3.92
+        image: docker.io/chrislusf/seaweedfs:4.17
         command:
             [
                 # if `server` is the first argument then the container's `entrypoint.sh`
@@ -115,12 +137,12 @@ services:
               source: ${PWD}/swfs_data/
               target: /data

-    travel-web-ui:
+    compliance-dashboard:
         <<: *21-defaults
-        container_name: travel-web-ui
+        container_name: compliance-dashboard
         depends_on:
             - 'travel-autod'
-        image: registry.21analytics.ch/21analytics/21-travel-web-ui:8.0.0
+        image: registry.21analytics.ch/21analytics/compliance-dashboard:8.1.0

     aopp-portal:
         <<: *21-defaults
@@ -128,7 +150,7 @@ services:
         depends_on:
             - 'travel-autod'
             - 'travel-aopd'
-        image: registry.21analytics.ch/21analytics/aopp-portal:8.0.4
+        image: registry.21analytics.ch/21analytics/aopp-portal:8.1.0

     beosin:
         <<: *21-defaults
@@ -198,7 +220,8 @@ services:
     caddy:
         <<: *21-defaults
         container_name: caddy
-        image: docker.io/library/caddy:2.10.0-alpine
+        build:
+            context: caddy
         volumes:
             - type: bind
               source: ${PWD}/graphiql/
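Review bot: With `build:` / `context: caddy` replacing the pinned `docker.io/library/caddy:2.10.0-alpine`, this file no longer records which Caddy version and modules the proxy runs. That now depends entirely on the Dockerfile in `caddy/`, which is not part of this diff, so it should pin its base image (ideally by digest) and any added modules to exact versions to keep the build reproducible and reviewable. Compose also reuses an already-built image on `up`, so a later update to that Dockerfile is not picked up without an explicit rebuild. A comment above `build:` such as `# built locally from caddy/Dockerfile; run 'docker compose build caddy' after every update` would make this visible to operators. The caddy service definition continues outside the hunk.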
@@ -221,7 +244,7 @@ services:
         container_name: keycloak
         depends_on:
             - 'postgres'
-        image: quay.io/keycloak/keycloak:26.2.5
+        image: quay.io/keycloak/keycloak:26.5.6
         volumes:
             - type: bind
               source: ${PWD}/21theme/

Reverse Proxy

Please inspect the Caddyfile diff for breaking changes in the reverse proxy.

diff --git a/Caddyfile b/Caddyfile
index 76fc0f4..aecfbb9 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -17,10 +17,36 @@

 {
 	admin :2019
+	https_port 8443
+
+	layer4 {
+		:443 {
+			# Replace trust.yourdomain.com with the public domain name you plan to use (see below).
+			@trust tls sni trust.yourdomain.com
+			route @trust {
+				proxy travel-trustd:3030
+			}
+
+			route {
+				proxy 127.0.0.1:8443
+			}
+		}
+	}
 }

+# Replace trust.yourdomain.com with the public domain name you plan to use.
+trust.yourdomain.com {
+	reverse_proxy travel-trustd:3030
+	reverse_proxy /version travel-trustd:3040
+
+	log
+	encode gzip
+
+	header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'"
+}
+
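Review bot: Every connection that falls through to `proxy 127.0.0.1:8443` reaches Caddy's HTTP app from loopback, so the `log` output and any address-based rules of the existing sites will presumably see 127.0.0.1 rather than the client address once this layer4 listener sits in front. If access logs feed audit or detection, I would add a comment next to the fallback route such as `# sites behind this fallback log 127.0.0.1 as remote address unless PROXY protocol is enabled on both sides`, or forward the address with the layer4 proxy's `proxy_protocol` option and a matching listener wrapper restricted to loopback. Separately, connections with SNI `trust.yourdomain.com` are handed to `travel-trustd:3030` as raw TLS, so the `header`, `log` and `encode` lines of the new `trust.yourdomain.com` site block do not apply to them, while the same port is also used there as a plain `reverse_proxy` upstream. A comment stating which of the two paths is meant to carry TRUST traffic, and that both occurrences of the placeholder domain must be replaced together, would help operators. The hunk as shown is shorter than its header counts indicate, so some context lines appear to be missing from the page.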
@@ -39,18 +65,18 @@ trp.yourDomain.com {
 # this domain the user interface for the compliance dashboard will
 # be served using HTTPS.
 compliance-dashboard.yourDomain.com {
-	reverse_proxy travel-web-ui:8080
+	reverse_proxy compliance-dashboard:8080
 	reverse_proxy /graphql-ws travel-autod:8765
 	reverse_proxy /media/* travel-autod:8765