Update README.md
raccoon-mh authored Oct 31, 2024
1 parent 9363d2d commit dc480c4
Showing 1 changed file with 79 additions and 139 deletions.
218 changes: 79 additions & 139 deletions README.md
Expand Up @@ -26,12 +26,11 @@ Use this guide to start MC-IAM-MANAGER using the docker. The Quick Start guide s
- Ubuntu (22.04 is tested) with external access (https-443, http-80, ssh-ANY)
- docker and docker-compose
- Domain (for Keycloak and Public buffalo) and Email for register SSL with certbot
- Stop or Disable Services using 80 or 443 ports such as nginx

### Step one : Clone this repo

```bash
git clone https://github.com/m-cmp/mc-iam-manager <YourFolderName>
git clone <https://github.com/m-cmp/mc-iam-manager> <YourFolderName>
```

### Step two : Go to Scripts Folder
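Review bot: the rewritten clone command wraps the repository URL in angle brackets (`git clone <https://github.com/m-cmp/mc-iam-manager> <YourFolderName>`); inside a ```bash fence this is not rendered as a link, and a reader who copies it verbatim gets a shell redirection error instead of a clone. Keep the bare URL from the previous line and reserve angle brackets for the `<YourFolderName>` placeholder.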
Expand All @@ -40,168 +39,109 @@ git clone https://github.com/m-cmp/mc-iam-manager <YourFolderName>
cd <YourFolderName>/scripts
```

### Step three : Excute generate_nginx_conf.sh
### Step three : Excute keycloakimportsetting.sh

```bash
./generate_nginx_conf.sh
./keycloakimportsetting.sh

# >.env (DOMAIN): yourdomain.com
# >.env (EMAIL): [email protected]
## MC-IAM-MANAGER Init Setup ##
- Please enter the changes. If not, use the environment variable.
- You can set Values in ./.mciammanager_init_env

================================================
* DOMAIN = yourdomain.com
* EMAIL = [email protected]
================================================

** Nginx configuration file has been created at ./nginx/nginx.conf **
```

This process creates two versions of nginx.conf:

the first (nginx-cert.conf) to receive SSL certificates and the second (nginx.conf) to set up an internal proxy for mc-iam-manager and keycloak, and certbot, as well as an SSL reverse proxy

### Step four : Excute init docker-compose for SSL setup

```bash
docker-compose -f docker-compose.init.yml up
# check the log "Successfully received certificate." and "ertbot exited with code 0"
# ctrl + C to exit docker-compose and shutdown with below command
docker-compose -f docker-compose.init.yml down
```

This process creates a SSL certificate in the `~/.m-cmp/data/certbot` path through the nginx-cert.conf setting. ****If you have checked the console log (Successfully received certificate. ~~ certbot exited with code 0) as below, you have successfully issued an SSL certificate and created it at the designated location.

```bash
$ docker-compose -f docker-compose.init.yml up
....
certbot | Successfully received certificate.
certbot | Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
certbot | Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem
certbot | This certificate expires on 2024-09-11.
certbot | These files will be updated when the certificate renews.
certbot | NEXT STEPS:
certbot | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
certbot |
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | If you like Certbot, please consider supporting our work by:
certbot | * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
certbot | * Donating to EFF: https://eff.org/donate-le
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot exited with code 0
COMPANY_NAME :
...
```

And you don't have to consider the renewal. The next docker-compose checks the certificate every 12 hours and automatically updates it to the symbol link if it needs to be renewed. In other words, this is only the first time you need it, and it doesn't need to be applied from the next update.
This step defines the environment variables that you want to use by default or creates `./scripts/container-volume/mc-iam-manager/keycloak/data/import/realm-import.json` based on the variables defined in `./scripts/.env`. Therefore, "Keycloak" completes the initial setup based on the file, creating the first login user in the process.

### Step five : Excute docker-compose
### Step four: Excute docker-compose

```bash
docker-compose up --build -d
cd scripts
sudo docker-compose up --build -d
```

If you check the log as below, it seems that you have successfully built and deployed the mc-iam-manager without any problems.
This step is time consuming. Don't worry if the console fails. "Keycloak" is a natural error that occurs during initial installation when MC-IAM-MANAGER requests Keyclaok readiness and certification to initialize the database and import the required data.

```bash
$ docker-compose up --build -d
Creating network "scripts_mciammanagernet" with the default driver
Building mciammanager
Step 1/19 : FROM gobuffalo/buffalo:v0.18.14 as builder
---> dbcc9d3a40f5
Step 2/19 : ENV GOPROXY http://proxy.golang.org
---> Using cache
---> 05e55ac7f5eb
....
Step 10/19 : RUN buffalo build --static -o /bin/app
---> Running in 3c1d37d71384
....
Successfully built 7d0ed2aa6a89
Successfully tagged scripts_mciammanager:latest
Creating scripts_postgresdb_1 ... done
Creating certbot ... done
Creating scripts_keycloak_1 ... done
Creating scripts_mciammanager_1 ... done
Creating nginx ... done
```
Once the server completes successfully, you can access the readyz endpoint with the message that it has been loaded successfully.

### Step six : Check Alive enpoint
### Step final: Check Readyzenpoint

```bash
$ curl https://<yourdomain.com>:5000/alive
$ curl https://<yourdomain.com>:5000/readyz
# {"ststus":"ok"}
```

If `{"stststus":"ok"}` is received from the endpoint, it means that the service is being deployed normally.

### WELCOME : Now you can use MC-IAM-MANAGER

You can get tokens issued and see the default Role created through some of the built-in accounts below. For more API information, check the following swagger link.
```bash
$ curl --location 'https://yourdomain.com:5000/api/auth/login' \
--header 'Content-Type: application/json' \
--data '{
"id":"mcpsuper",
"password":"mcpuserpassword"
}'
$ curl --location 'https://yourdomain.com:5000/api/auth/login' \
--header 'Content-Type: application/json' \
--data '{
"id":"mcpadmin",
"password":"mcpuserpassword"
}'
$ curl --location 'https://yourdomain.com:5000/api/auth/login' \
--header 'Content-Type: application/json' \
--data '{
"id":"mcpoperator",
"password":"mcpuserpassword"
}'
$ curl --location 'https://yourdomain.com:5000/api/auth/login' \
--header 'Content-Type: application/json' \
--data '{
"id":"mcpviewer",
"password":"mcpuserpassword"
}'
200 OK application/json
{
"access_token": "xxxxx", # Rolelist in token (claims : realmRole[])
"id_token": "xxxxx",
"expires_in": 36000,
"refresh_expires_in": 1800,
"refresh_token": "xxxxx",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "xxxxx",
"scope": "openid microprofile-jwt profile email"
}
```
To use MC-IAM-MANAGER, you need to register the resources of the framework to be used as the first registered user.

For example, MC-WEB-CONSOLE must register a menu so that the user can load the web screen normally.

This section describes how to use scripts that made the process simple.

- init.sh

```bash
# ./scripts/init/init.sh
./init.sh

--------------------
0. exit

1. login

2. Init Resource Data from api.yaml
(MCADMINCLI_APIYAML: https://raw.githubusercontent.com/m-cmp/mc-admin-cli/refs/heads/main/conf/api.yaml)

3. Init Menu Data from menu.yaml
(MCWEBCONSOLE_MENUYAML: https://raw.githubusercontent.com/m-cmp/mc-web-console/refs/heads/main/conf/webconsole_menu_resources.yaml)

4. Init Role Data PREDEFINED_ROLE
(PREDEFINED_ROLE: admin,operator,viewer,billadmin,billviewer)

5. Get permission CSV

6. Update permission CSV
(./permission.csv)

99. auto init

--------------------
select Number :
```
Running this script allows you to view the menu above, using the information defined in .env to perform tasks according to the numbers you enter.
However, the first priority is to log in by entering the user's information that you entered. If you run number 1 and run numbers 2 to 6, you will be able to use MC-WEB-CONSOLE.
- initauto.sh
```
# ./scripts/init/initauto.sh
./initauto.sh
```
This script automatically performs all procedures based on the user defined in the environment variables, but it cannot define detailed role-specific menus, and it is automatically imported to the version listed in GitHub.
If you want more detailed settings, we recommend init.sh .
- add_demo_user.sh
```
# ./scripts/init/add_demo_user.sh
./add_demo_user.sh
```
This script registers the demo user defined in ./scripts/init/add_demo_user.json. The process of registering is very simple and you can automatically activate the registered user. Use MC-WEB-CONSOLE for role setup and workspace interworking.
swagger docs
### swagger docs
https://m-cmp.github.io/mc-iam-manager/
```
# https://m-cmp.github.io/mc-iam-manager/
```
### Get CB-Tumblebug namespace Data
You can run the following script to assign the configured existing data to the Default Workplace.
```bash
$ cd <yourfolder>/scripts/init
$ nano ./init.env
# TB_HOST=<tumblegub host>
# TB_username=<TB_username>
# TB_password=<TB_password>
#
# MCIAM_HOST=<https://yourdomain.com:5000>
$ ./init-default-workspace-project.sh
```
---
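Review bot: the readiness check in "Step final" tells readers to look for `{"ststus":"ok"}` in the code block and `{"stststus":"ok"}` in the sentence below it; the two strings disagree with each other and look like typos of the real response body, so a reader cannot verify the deployment against them. Use the exact body the `/readyz` endpoint returns in both places, and fix the heading ("Check Readyzenpoint") and the repeated "Excute" in the Step three and Step four headings while there. The sentence "Don't worry if the console fails. 'Keycloak' is a natural error ..." (also misspelling "Keyclaok" and using "certification" where "authentication" is meant) asks readers to ignore startup failures without saying which one is expected; name the transient readiness error and state that the only success criterion is the `/readyz` response, so genuine failures such as a database import error are not dismissed. Finally, the login examples publish the seeded accounts `mcpsuper`, `mcpadmin`, `mcpoperator` and `mcpviewer` with the shared default password `mcpuserpassword`, and the prerequisites require the host to be reachable on 443 from outside; Step three should state that these values come from `./scripts/.env` via `realm-import.json` and must be changed before the stack is exposed, and the `init.env` section that stores `TB_username`/`TB_password` in plain text should note restricting that file's permissions to the operator.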
