33 lines
1.4 KiB
Markdown
33 lines
1.4 KiB
Markdown
# portainer
|
|
|
|
Docker container management UI — the "operator console" for cloud and edge.
|
|
|
|
## Access
|
|
|
|
Portainer ingresses through nginx-proxy: `https://ops.wbd-rd.nl/`. No host port is published by default.
|
|
|
|
For emergency ops (nginx down, etc.), uncomment the `ports:` block in `compose.yml` and `docker compose up -d portainer` to expose `:9443` and `:8000` directly.
|
|
|
|
## First-run admin
|
|
|
|
On first visit, Portainer prompts for an admin username and password. Use a long random password; this account is break-glass — your daily login should come via Keycloak OIDC once that gate is wired (see TODO).
|
|
|
|
## Edge-agent topology
|
|
|
|
Port `8000` accepts reverse tunnels from edge sites running the `portainer/agent` image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under `sites/<plant>/` once edge stacks are wired up.
|
|
|
|
## Networks
|
|
|
|
- **mgmt** — Docker management plane
|
|
- **Docker socket**: read-only mount; *effectively root-equivalent* on the host. Front with Keycloak SSO as soon as auth is wired.
|
|
|
|
## Volumes
|
|
|
|
- `portainer-data` — Portainer DB (users, environments, stacks, settings)
|
|
|
|
## TODO
|
|
|
|
- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)
|
|
- Edge-agent provisioning workflow per site (agent secret, registration call)
|
|
- Disable self-signed `:9443` access after nginx-proxy goes live (operational hygiene)
|