portainer
Docker container management UI — the "operator console" for cloud and edge.
Access
Portainer ingresses through nginx-proxy: https://ops.wbd-rd.nl/. No host port is published by default.
For emergency ops (nginx down, etc.), uncomment the ports: block in compose.yml and run docker compose up -d portainer to expose :9443 and :8000 directly.
First-run admin
On first visit, Portainer prompts for an admin username and password. Use a long random password; this account is break-glass — your daily login should come via Keycloak OIDC once that gate is wired (see TODO).
Edge-agent topology
Port 8000 accepts reverse tunnels from edge sites running the portainer/agent image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under sites/<plant>/ once edge stacks are wired up.
Networks
- mgmt — Docker management plane
- Docker socket: read-only mount; still effectively root-equivalent on the host, since the read-only flag does not limit what the Docker API accepts over the socket. Front with Keycloak SSO as soon as auth is wired.
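A check for the posture described under Access and for the socket mount above, as an added example (not part of this repository): it reads the output of docker compose config --format json and reports any host port still published on the portainer service, such as an emergency ports: block left uncommented, and a socket mount that is not read-only. The embedded config is a constructed sample, not the project's compose.yml.

```python
import json

# Constructed sample of `docker compose config --format json` output with the
# emergency ports: block left uncommented. Not the project's real compose.yml.
SAMPLE = json.loads("""
{"services": {"portainer": {
  "ports": [
    {"mode": "ingress", "target": 9443, "published": "9443", "protocol": "tcp"},
    {"mode": "ingress", "target": 8000, "published": "8000", "protocol": "tcp"}],
  "volumes": [
    {"type": "bind", "source": "/var/run/docker.sock",
     "target": "/var/run/docker.sock", "read_only": true},
    {"type": "volume", "source": "portainer-data", "target": "/data"}]}}}
""")

DIRECT_PORTS = {9443, 8000}  # the two ports the README says stay unpublished
SOCKET = "/var/run/docker.sock"  # assumed socket path on the host


def audit(config, service="portainer"):
    """Return a list of findings for one service of a rendered compose config."""
    svc = config.get("services", {}).get(service)
    if svc is None:
        return [f"service {service!r} not found"]
    findings = []
    for port in svc.get("ports") or []:
        published = port.get("published")
        if published in (None, ""):
            continue  # container-only port, nothing bound on the host
        host_ip = port.get("host_ip") or "0.0.0.0"  # no host_ip means all interfaces
        target = port.get("target")
        label = "direct-access port" if target in DIRECT_PORTS else "port"
        findings.append(f"{label} {published}->{target} published on {host_ip}")
    for vol in svc.get("volumes") or []:
        # Only a deviation from the documented read-only mount is reported here;
        # the mount itself remains root-equivalent either way.
        if vol.get("type") == "bind" and vol.get("source") == SOCKET:
            if not vol.get("read_only"):
                findings.append("docker socket mounted read-write")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```

An empty result means the service is reachable only through nginx-proxy and the socket mount matches the documented read-only setting.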
Volumes
- portainer-data — Portainer DB (users, environments, stacks, settings)
TODO
- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)
- Edge-agent provisioning workflow per site (agent secret, registration call)
- Disable self-signed :9443 access after nginx-proxy goes live (operational hygiene)