forked from baron/baron-sso
ory스택 버전업 및 하드코딩URL 제거
This commit is contained in:
@@ -18,11 +18,15 @@ echo "🚀 Creating instance: ${INSTANCE_NAME} (Port Prefix: ${PORT_PREFIX}xxx)"
|
||||
|
||||
# 1. 폴더 구조 생성
|
||||
mkdir -p "${TARGET_DIR}/gateway"
|
||||
mkdir -p "${TARGET_DIR}/ory/init-db"
|
||||
mkdir -p "${TARGET_DIR}/ory/kratos"
|
||||
mkdir -p "${TARGET_DIR}/ory/hydra"
|
||||
mkdir -p "${TARGET_DIR}/ory/keto"
|
||||
mkdir -p "${TARGET_DIR}/ory/oathkeeper"
|
||||
mkdir -p "${TARGET_DIR}/userfront"
|
||||
mkdir -p "${TARGET_DIR}/adminfront"
|
||||
mkdir -p "${TARGET_DIR}/devfront"
|
||||
mkdir -p "${TARGET_DIR}/orgfront"
|
||||
|
||||
# 2. .env 생성 및 변수 로드
|
||||
sed "s/{{INSTANCE_NAME}}/${INSTANCE_NAME}/g; s/{{PORT_PREFIX}}/${PORT_PREFIX}/g" \
|
||||
@@ -34,6 +38,7 @@ USERFRONT_PORT="${PORT_PREFIX}500"
|
||||
DOMAIN_SUFFIX=$(grep "DOMAIN_SUFFIX=" "${TARGET_DIR}/.env" | cut -d'=' -f2 | tr -d '\r')
|
||||
ADMINFRONT_DOMAIN="${INSTANCE_NAME}-admin.${DOMAIN_SUFFIX}"
|
||||
DEVFRONT_DOMAIN="${INSTANCE_NAME}-dev.${DOMAIN_SUFFIX}"
|
||||
ORGFRONT_DOMAIN="${INSTANCE_NAME}-org.${DOMAIN_SUFFIX}"
|
||||
|
||||
# 3. Docker Compose & Config 복사 및 치환
|
||||
cp "${BASE_DIR}/templates/docker-compose.yaml" "${TARGET_DIR}/"
|
||||
@@ -55,15 +60,22 @@ sed "s/{{ADMINFRONT_DOMAIN}}/${ADMINFRONT_DOMAIN}/g; s/{{BACKEND_PORT}}/${BACKEN
|
||||
"${BASE_DIR}/templates/adminfront/vite.config.ts" > "${TARGET_DIR}/adminfront/vite.config.ts"
|
||||
sed "s/{{DEVFRONT_DOMAIN}}/${DEVFRONT_DOMAIN}/g; s/{{BACKEND_PORT}}/${BACKEND_PORT}/g" \
|
||||
"${BASE_DIR}/templates/devfront/vite.config.ts" > "${TARGET_DIR}/devfront/vite.config.ts"
|
||||
sed "s/{{ORGFRONT_DOMAIN}}/${ORGFRONT_DOMAIN}/g; s/{{BACKEND_PORT}}/${BACKEND_PORT}/g" \
|
||||
"${BASE_DIR}/templates/orgfront/vite.config.ts" > "${TARGET_DIR}/orgfront/vite.config.ts"
|
||||
|
||||
# 4. 프론트엔드 auth.ts 주입 (하드코딩된 포트 해결)
|
||||
sed "s/{{USERFRONT_PORT}}/${USERFRONT_PORT}/g; s/{{CLIENT_ID}}/adminfront/g" \
|
||||
"${BASE_DIR}/templates/auth.template.ts" > "${TARGET_DIR}/adminfront/auth.ts"
|
||||
sed "s/{{USERFRONT_PORT}}/${USERFRONT_PORT}/g; s/{{CLIENT_ID}}/devfront/g" \
|
||||
"${BASE_DIR}/templates/auth.template.ts" > "${TARGET_DIR}/devfront/auth.ts"
|
||||
sed "s/{{USERFRONT_PORT}}/${USERFRONT_PORT}/g" \
|
||||
"${BASE_DIR}/templates/orgfront/auth.ts" > "${TARGET_DIR}/orgfront/auth.ts"
|
||||
|
||||
# 5. Ory 정적 설정 복사
|
||||
if [ -d "${BASE_DIR}/../docker/ory/init-db" ]; then cp -n "${BASE_DIR}/../docker/ory/init-db/"* "${TARGET_DIR}/ory/init-db/" 2>/dev/null || true; fi
|
||||
if [ -d "${BASE_DIR}/../docker/ory/kratos" ]; then cp -n "${BASE_DIR}/../docker/ory/kratos/"* "${TARGET_DIR}/ory/kratos/" 2>/dev/null || true; fi
|
||||
if [ -d "${BASE_DIR}/../docker/ory/hydra" ]; then cp -n "${BASE_DIR}/../docker/ory/hydra/"* "${TARGET_DIR}/ory/hydra/" 2>/dev/null || true; fi
|
||||
if [ -d "${BASE_DIR}/../docker/ory/keto" ]; then cp -n "${BASE_DIR}/../docker/ory/keto/"* "${TARGET_DIR}/ory/keto/" 2>/dev/null || true; fi
|
||||
if [ -d "${BASE_DIR}/../docker/ory/oathkeeper" ]; then cp -n "${BASE_DIR}/../docker/ory/oathkeeper/"* "${TARGET_DIR}/ory/oathkeeper/" 2>/dev/null || true; fi
|
||||
|
||||
# 6. 마무리
|
||||
|
||||
@@ -17,6 +17,7 @@ BACKEND_PORT=${P}000
|
||||
USERFRONT_PORT=${P}500
|
||||
ADMINFRONT_PORT=${P}173
|
||||
DEVFRONT_PORT=${P}174
|
||||
ORGFRONT_PORT=${P}175
|
||||
OATHKEEPER_PROXY_PORT=${P}467
|
||||
|
||||
# === [3] 도메인 설정 (별도 도메인 구조) ===
|
||||
@@ -25,23 +26,44 @@ DOMAIN_SUFFIX=hmac.kr
|
||||
USERFRONT_URL=https://{{INSTANCE_NAME}}-sso.${DOMAIN_SUFFIX}
|
||||
ADMINFRONT_URL=https://{{INSTANCE_NAME}}-admin.${DOMAIN_SUFFIX}
|
||||
DEVFRONT_URL=https://{{INSTANCE_NAME}}-dev.${DOMAIN_SUFFIX}
|
||||
ORGFRONT_URL=https://{{INSTANCE_NAME}}-org.${DOMAIN_SUFFIX}
|
||||
|
||||
# OIDC/Auth URL
|
||||
VITE_OIDC_AUTHORITY=${USERFRONT_URL}/oidc
|
||||
ADMINFRONT_CALLBACK_URLS=${ADMINFRONT_URL}/auth/callback
|
||||
DEVFRONT_CALLBACK_URLS=${DEVFRONT_URL}/auth/callback
|
||||
ORGFRONT_CALLBACK_URLS=${ORGFRONT_URL}/auth/callback
|
||||
|
||||
# Ory URL
|
||||
KRATOS_UI_URL=${USERFRONT_URL}/auth
|
||||
KRATOS_BROWSER_URL=${USERFRONT_URL}/auth
|
||||
KRATOS_ADMIN_URL=http://kratos:4434
|
||||
HYDRA_PUBLIC_URL=${USERFRONT_URL}/oidc
|
||||
HYDRA_ADMIN_URL=http://hydra:4445
|
||||
OATHKEEPER_PUBLIC_URL=${USERFRONT_URL}
|
||||
KETO_READ_URL=http://keto:4466
|
||||
KETO_WRITE_URL=http://keto:4467
|
||||
|
||||
# Ory versions
|
||||
KRATOS_VERSION=v26.2.0
|
||||
HYDRA_VERSION=v26.2.0
|
||||
KETO_VERSION=v26.2.0
|
||||
OATHKEEPER_VERSION=v26.2.0
|
||||
ORY_POSTGRES_TAG=17-alpine
|
||||
|
||||
# === [4] IDP 및 DB Config ===
|
||||
IDP_PROVIDER=ory
|
||||
DB_PASSWORD=password
|
||||
ORY_POSTGRES_USER=ory
|
||||
ORY_POSTGRES_PASSWORD=generated_secret_here
|
||||
ORY_POSTGRES_DB=ory
|
||||
KRATOS_DB=ory_kratos
|
||||
HYDRA_DB=ory_hydra
|
||||
KETO_DB=ory_keto
|
||||
OATHKEEPER_UID=1001
|
||||
OATHKEEPER_GID=1001
|
||||
OATHKEEPER_INTROSPECT_CLIENT_ID=oathkeeper-introspect
|
||||
OATHKEEPER_INTROSPECT_CLIENT_SECRET=oathkeeper-secret
|
||||
CLICKHOUSE_PASSWORD=password
|
||||
REDIS_ADDR=redis:6379
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ services:
|
||||
ports:
|
||||
- "${DB_PORT}:5432"
|
||||
volumes:
|
||||
- db_data_${INSTANCE_NAME}:/var/lib/postgresql/data
|
||||
- db_data:/var/lib/postgresql/data
|
||||
networks: [app_net]
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U postgres"]
|
||||
@@ -33,42 +33,228 @@ services:
|
||||
- "${CLICKHOUSE_PORT_HTTP}:8123"
|
||||
- "${CLICKHOUSE_PORT_NATIVE}:9000"
|
||||
volumes:
|
||||
- clickhouse_data_${INSTANCE_NAME}:/var/lib/clickhouse
|
||||
- clickhouse_data:/var/lib/clickhouse
|
||||
networks: [app_net]
|
||||
|
||||
# --- Ory Stack ---
|
||||
postgres_ory:
|
||||
image: postgres:17-alpine
|
||||
image: postgres:${ORY_POSTGRES_TAG:-17-alpine}
|
||||
container_name: ${COMPOSE_PROJECT_NAME}_ory_db
|
||||
environment:
|
||||
- POSTGRES_USER=${ORY_POSTGRES_USER}
|
||||
- POSTGRES_USER=${ORY_POSTGRES_USER:-ory}
|
||||
- POSTGRES_PASSWORD=${ORY_POSTGRES_PASSWORD}
|
||||
- POSTGRES_DB=${ORY_POSTGRES_DB:-ory}
|
||||
volumes:
|
||||
- ory_db_data_${INSTANCE_NAME}:/var/lib/postgresql/data
|
||||
- ory_db_data:/var/lib/postgresql/data
|
||||
- ./ory/init-db:/docker-entrypoint-initdb.d:ro
|
||||
networks: [app_net]
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U ${ORY_POSTGRES_USER}"]
|
||||
test: ["CMD-SHELL", "pg_isready -U ${ORY_POSTGRES_USER:-ory} -d ${KRATOS_DB:-ory_kratos}"]
|
||||
interval: 5s
|
||||
|
||||
kratos:
|
||||
image: oryd/kratos:v25.4.0
|
||||
container_name: ${COMPOSE_PROJECT_NAME}_kratos
|
||||
kratos-migrate:
|
||||
image: oryd/kratos:${KRATOS_VERSION:-v26.2.0}
|
||||
env_file: .env
|
||||
environment:
|
||||
- DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
|
||||
- KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL}
|
||||
- KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
|
||||
- KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL}
|
||||
- KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=${KRATOS_ALLOWED_RETURN_URLS_JSON:-["${KRATOS_UI_URL}","${KRATOS_UI_URL}/","${USERFRONT_URL}","${USERFRONT_URL}/","${USERFRONT_URL}/ko","${USERFRONT_URL}/ko/","${USERFRONT_URL}/en","${USERFRONT_URL}/en/","${USERFRONT_URL}/auth/callback","${USERFRONT_URL}/ko/auth/callback","${USERFRONT_URL}/en/auth/callback","${ADMINFRONT_URL}/auth/callback","${DEVFRONT_URL}/auth/callback","${ORGFRONT_URL}/auth/callback"]}
|
||||
- KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL}/error
|
||||
- KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL}/error?error=settings_disabled
|
||||
- KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL}/recovery
|
||||
- KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL}/verification
|
||||
- KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL}/login
|
||||
- KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL}/registration
|
||||
- KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL}/login
|
||||
volumes:
|
||||
- ./ory/kratos:/etc/config/kratos:ro
|
||||
command: serve -c /etc/config/kratos/kratos.yml --dev
|
||||
command: migrate sql up -e -c /etc/config/kratos/kratos.yml --yes
|
||||
networks: [app_net]
|
||||
depends_on:
|
||||
postgres_ory: { condition: service_healthy }
|
||||
|
||||
kratos:
|
||||
image: oryd/kratos:${KRATOS_VERSION:-v26.2.0}
|
||||
container_name: ${COMPOSE_PROJECT_NAME}_kratos
|
||||
env_file: .env
|
||||
environment:
|
||||
- DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
|
||||
- COOKIE_SECRET=${COOKIE_SECRET}
|
||||
- KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL}
|
||||
- KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
|
||||
- KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL}
|
||||
- KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=${KRATOS_ALLOWED_RETURN_URLS_JSON:-["${KRATOS_UI_URL}","${KRATOS_UI_URL}/","${USERFRONT_URL}","${USERFRONT_URL}/","${USERFRONT_URL}/ko","${USERFRONT_URL}/ko/","${USERFRONT_URL}/en","${USERFRONT_URL}/en/","${USERFRONT_URL}/auth/callback","${USERFRONT_URL}/ko/auth/callback","${USERFRONT_URL}/en/auth/callback","${ADMINFRONT_URL}/auth/callback","${DEVFRONT_URL}/auth/callback","${ORGFRONT_URL}/auth/callback"]}
|
||||
- KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL}/error
|
||||
- KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL}/error?error=settings_disabled
|
||||
- KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL}/recovery
|
||||
- KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL}/verification
|
||||
- KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL}/login
|
||||
- KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL}/registration
|
||||
- KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL}/login
|
||||
volumes:
|
||||
- ./ory/kratos:/etc/config/kratos:ro
|
||||
command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
|
||||
networks: [app_net]
|
||||
depends_on:
|
||||
kratos-migrate: { condition: service_completed_successfully }
|
||||
|
||||
hydra-migrate:
|
||||
image: oryd/hydra:${HYDRA_VERSION:-v26.2.0}
|
||||
env_file: .env
|
||||
environment:
|
||||
- DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
|
||||
command: migrate sql up -e --yes
|
||||
networks: [app_net]
|
||||
depends_on:
|
||||
postgres_ory: { condition: service_healthy }
|
||||
|
||||
hydra:
|
||||
image: oryd/hydra:${HYDRA_VERSION:-v26.2.0}
|
||||
container_name: ${COMPOSE_PROJECT_NAME}_hydra
|
||||
env_file: .env
|
||||
environment:
|
||||
- DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
|
||||
- URLS_SELF_ISSUER=${HYDRA_PUBLIC_URL}
|
||||
- URLS_LOGIN=${HYDRA_LOGIN_URL:-${USERFRONT_URL}/login}
|
||||
- URLS_CONSENT=${HYDRA_CONSENT_URL:-${USERFRONT_URL}/consent}
|
||||
- URLS_ERROR=${HYDRA_ERROR_URL:-${USERFRONT_URL}/error}
|
||||
- SECRETS_SYSTEM=${ORY_POSTGRES_PASSWORD}
|
||||
volumes:
|
||||
- ./ory/hydra:/etc/config/hydra:ro
|
||||
command: serve -c /etc/config/hydra/hydra.yml all --dev
|
||||
networks: [app_net]
|
||||
depends_on:
|
||||
hydra-migrate: { condition: service_completed_successfully }
|
||||
|
||||
keto-migrate:
|
||||
image: oryd/keto:${KETO_VERSION:-v26.2.0}
|
||||
env_file: .env
|
||||
environment:
|
||||
- DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
|
||||
volumes:
|
||||
- ./ory/keto:/etc/config/keto:ro
|
||||
command: ["migrate", "up", "-c", "/etc/config/keto/keto.yml", "--yes"]
|
||||
networks: [app_net]
|
||||
depends_on:
|
||||
postgres_ory: { condition: service_healthy }
|
||||
|
||||
keto:
|
||||
image: oryd/keto:${KETO_VERSION:-v26.2.0}
|
||||
container_name: ${COMPOSE_PROJECT_NAME}_keto
|
||||
env_file: .env
|
||||
environment:
|
||||
- DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
|
||||
volumes:
|
||||
- ./ory/keto:/etc/config/keto:ro
|
||||
command: serve -c /etc/config/keto/keto.yml
|
||||
networks: [app_net]
|
||||
depends_on:
|
||||
keto-migrate: { condition: service_completed_successfully }
|
||||
|
||||
oathkeeper_logs_init:
|
||||
image: alpine:latest
|
||||
command: ["sh", "-c", "mkdir -p /var/log/oathkeeper && chown -R ${OATHKEEPER_UID:-1001}:${OATHKEEPER_GID:-1001} /var/log/oathkeeper"]
|
||||
volumes:
|
||||
- oathkeeper_logs:/var/log/oathkeeper
|
||||
networks: [app_net]
|
||||
|
||||
oathkeeper:
|
||||
image: oryd/oathkeeper:v25.4.0
|
||||
image: oryd/oathkeeper:${OATHKEEPER_VERSION:-v26.2.0}
|
||||
container_name: ${COMPOSE_PROJECT_NAME}_oathkeeper
|
||||
env_file: .env
|
||||
user: "${OATHKEEPER_UID:-1001}:${OATHKEEPER_GID:-1001}"
|
||||
ports:
|
||||
- "${OATHKEEPER_PROXY_PORT}:4455"
|
||||
environment:
|
||||
- APP_ENV=${APP_ENV:-production}
|
||||
- LOG_LEVEL=debug
|
||||
- OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
|
||||
- OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
|
||||
volumes:
|
||||
- ./ory/oathkeeper:/etc/config/oathkeeper:ro
|
||||
- oathkeeper_logs:/var/log/oathkeeper
|
||||
entrypoint: ["/etc/config/oathkeeper/entrypoint.sh"]
|
||||
networks: [app_net]
|
||||
depends_on:
|
||||
oathkeeper_logs_init: { condition: service_completed_successfully }
|
||||
kratos: { condition: service_started }
|
||||
hydra: { condition: service_started }
|
||||
|
||||
ory_stack_check:
|
||||
image: alpine:latest
|
||||
container_name: ${COMPOSE_PROJECT_NAME}_ory_stack_check
|
||||
command: >
|
||||
/bin/sh -c "
|
||||
apk add --no-cache curl;
|
||||
echo 'Wait for Ory services...';
|
||||
until curl -s http://kratos:4433/health/ready; do sleep 1; done;
|
||||
until curl -s http://hydra:4444/health/ready; do sleep 1; done;
|
||||
until curl -s http://keto:4466/health/ready; do sleep 1; done;
|
||||
echo 'Ory stack is ready.';"
|
||||
depends_on:
|
||||
- kratos
|
||||
- hydra
|
||||
- keto
|
||||
networks: [app_net]
|
||||
|
||||
init-rp:
|
||||
image: alpine:latest
|
||||
env_file: .env
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
apk add --no-cache curl tar
|
||||
HYDRA_CLI_VERSION="$${HYDRA_VERSION:-v26.2.0}"
|
||||
HYDRA_CLI_VERSION="$${HYDRA_CLI_VERSION%-distroless}"
|
||||
HYDRA_CLI_ARCHIVE_VERSION="$${HYDRA_CLI_VERSION#v}"
|
||||
curl -fsSLo /tmp/hydra.tar.gz "https://github.com/ory/hydra/releases/download/$${HYDRA_CLI_VERSION}/hydra_$${HYDRA_CLI_ARCHIVE_VERSION}-linux_64bit.tar.gz"
|
||||
tar -xzf /tmp/hydra.tar.gz -C /usr/local/bin hydra
|
||||
rm /tmp/hydra.tar.gz
|
||||
|
||||
upsert_client() {
|
||||
ID=$$1
|
||||
shift
|
||||
if hydra get oauth2-client --endpoint "$${HYDRA_ADMIN_URL:-http://hydra:4445}" "$$ID" >/dev/null 2>&1; then
|
||||
hydra update oauth2-client --endpoint "$${HYDRA_ADMIN_URL:-http://hydra:4445}" "$$ID" "$$@"
|
||||
else
|
||||
hydra create oauth2-client --endpoint "$${HYDRA_ADMIN_URL:-http://hydra:4445}" --id "$$ID" "$$@"
|
||||
fi
|
||||
}
|
||||
|
||||
upsert_client "adminfront" \
|
||||
--name "AdminFront" \
|
||||
--grant-type authorization_code,refresh_token \
|
||||
--response-type code \
|
||||
--scope openid,offline_access,profile,email \
|
||||
--token-endpoint-auth-method none \
|
||||
--redirect-uri "$${ADMINFRONT_CALLBACK_URLS:-$${ADMINFRONT_URL}/auth/callback}"
|
||||
|
||||
upsert_client "devfront" \
|
||||
--name "DevFront" \
|
||||
--grant-type authorization_code,refresh_token \
|
||||
--response-type code \
|
||||
--scope openid,offline_access,profile,email \
|
||||
--token-endpoint-auth-method none \
|
||||
--redirect-uri "$${DEVFRONT_CALLBACK_URLS:-$${DEVFRONT_URL}/auth/callback}"
|
||||
|
||||
upsert_client "orgfront" \
|
||||
--name "OrgFront" \
|
||||
--grant-type authorization_code,refresh_token \
|
||||
--response-type code \
|
||||
--scope openid,offline_access,profile,email \
|
||||
--token-endpoint-auth-method none \
|
||||
--redirect-uri "$${ORGFRONT_CALLBACK_URLS:-$${ORGFRONT_URL}/auth/callback}"
|
||||
|
||||
upsert_client "$${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}" \
|
||||
--secret "$${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}" \
|
||||
--grant-type client_credentials \
|
||||
--response-type token \
|
||||
--scope openid,offline_access,profile,email
|
||||
depends_on:
|
||||
ory_stack_check: { condition: service_completed_successfully }
|
||||
networks: [app_net]
|
||||
|
||||
# --- Application Services ---
|
||||
@@ -78,6 +264,14 @@ services:
|
||||
env_file: .env
|
||||
environment:
|
||||
- PORT=${BACKEND_PORT}
|
||||
- APP_ENV=${APP_ENV:-production}
|
||||
- IDP_PROVIDER=${IDP_PROVIDER:-ory}
|
||||
- USERFRONT_URL=${USERFRONT_URL}
|
||||
- KRATOS_ADMIN_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
|
||||
- HYDRA_ADMIN_URL=${HYDRA_ADMIN_URL:-http://hydra:4445}
|
||||
- HYDRA_PUBLIC_URL=${HYDRA_PUBLIC_URL}
|
||||
- KETO_READ_URL=${KETO_READ_URL:-http://keto:4466}
|
||||
- KETO_WRITE_URL=${KETO_WRITE_URL:-http://keto:4467}
|
||||
- DB_HOST=postgres
|
||||
- REDIS_ADDR=redis:6379
|
||||
- CLICKHOUSE_HOST=clickhouse
|
||||
@@ -90,6 +284,7 @@ services:
|
||||
depends_on:
|
||||
postgres: { condition: service_healthy }
|
||||
redis: { condition: service_started }
|
||||
oathkeeper: { condition: service_started }
|
||||
|
||||
gateway:
|
||||
image: nginx:alpine
|
||||
@@ -147,6 +342,11 @@ networks:
|
||||
name: ${COMPOSE_PROJECT_NAME}_net
|
||||
|
||||
volumes:
|
||||
db_data_${INSTANCE_NAME}:
|
||||
ory_db_data_${INSTANCE_NAME}:
|
||||
clickhouse_data_${INSTANCE_NAME}:
|
||||
db_data:
|
||||
name: db_data_${INSTANCE_NAME}
|
||||
ory_db_data:
|
||||
name: ory_db_data_${INSTANCE_NAME}
|
||||
clickhouse_data:
|
||||
name: clickhouse_data_${INSTANCE_NAME}
|
||||
oathkeeper_logs:
|
||||
name: oathkeeper_logs_${INSTANCE_NAME}
|
||||
|
||||
@@ -29,7 +29,6 @@ http {
|
||||
}
|
||||
|
||||
location /oidc {
|
||||
rewrite ^/oidc/(.*)$ /$1 break;
|
||||
proxy_pass http://oathkeeper_srv;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
@@ -1,16 +1,20 @@
|
||||
version: v25.4.0
|
||||
version: v26.2.0
|
||||
|
||||
dsn: ${DSN}
|
||||
|
||||
serve:
|
||||
public:
|
||||
base_url: http://localhost:4433/
|
||||
base_url: ${KRATOS_BROWSER_URL}
|
||||
cors:
|
||||
enabled: true
|
||||
allowed_origins:
|
||||
- http://backend:{{BACKEND_PORT}}
|
||||
- ${USERFRONT_URL}
|
||||
- ${ADMINFRONT_URL}
|
||||
- ${DEVFRONT_URL}
|
||||
- ${ORGFRONT_URL}
|
||||
admin:
|
||||
base_url: http://localhost:4434/
|
||||
base_url: ${KRATOS_ADMIN_URL}
|
||||
|
||||
session:
|
||||
cookie:
|
||||
@@ -19,30 +23,22 @@ session:
|
||||
path: /
|
||||
|
||||
selfservice:
|
||||
default_browser_return_url: http://localhost:{{USERFRONT_PORT}}/
|
||||
default_browser_return_url: ${KRATOS_UI_URL}
|
||||
allowed_return_urls:
|
||||
- http://backend:{{BACKEND_PORT}}
|
||||
- http://backend:{{BACKEND_PORT}}/
|
||||
- http://localhost:{{USERFRONT_PORT}}
|
||||
- https://app.brsw.kr
|
||||
- https://app.brsw.kr/
|
||||
- https://sss.hmac.kr
|
||||
- https://sss.hmac.kr/
|
||||
- https://sso.hmac.kr
|
||||
- https://sso.hmac.kr/
|
||||
- https://ssologin.hmac.kr
|
||||
- https://ssologin.hmac.kr/
|
||||
- https://sso-test.hmac.kr
|
||||
- https://sso-test.hmac.kr/
|
||||
- https://ssob.hmac.kr
|
||||
- https://ssob.hmac.kr/
|
||||
- https://ssob.hmac.kr/ko
|
||||
- https://ssob.hmac.kr/ko/
|
||||
- https://ssob.hmac.kr/en
|
||||
- https://ssob.hmac.kr/en/
|
||||
- https://ssob.hmac.kr/auth/callback
|
||||
- https://ssob.hmac.kr/ko/auth/callback
|
||||
- https://ssob.hmac.kr/en/auth/callback
|
||||
- ${KRATOS_UI_URL}
|
||||
- ${KRATOS_UI_URL}/
|
||||
- ${USERFRONT_URL}
|
||||
- ${USERFRONT_URL}/
|
||||
- ${USERFRONT_URL}/ko
|
||||
- ${USERFRONT_URL}/ko/
|
||||
- ${USERFRONT_URL}/en
|
||||
- ${USERFRONT_URL}/en/
|
||||
- ${USERFRONT_URL}/auth/callback
|
||||
- ${USERFRONT_URL}/ko/auth/callback
|
||||
- ${USERFRONT_URL}/en/auth/callback
|
||||
- ${ADMINFRONT_URL}/auth/callback
|
||||
- ${DEVFRONT_URL}/auth/callback
|
||||
- ${ORGFRONT_URL}/auth/callback
|
||||
|
||||
methods:
|
||||
password:
|
||||
@@ -55,24 +51,24 @@ selfservice:
|
||||
|
||||
flows:
|
||||
error:
|
||||
ui_url: http://localhost:{{USERFRONT_PORT}}/error
|
||||
ui_url: ${KRATOS_UI_URL}/error
|
||||
settings:
|
||||
ui_url: http://localhost:{{USERFRONT_PORT}}/error?error=settings_disabled
|
||||
ui_url: ${KRATOS_UI_URL}/error?error=settings_disabled
|
||||
privileged_session_max_age: 15m
|
||||
recovery:
|
||||
ui_url: http://localhost:{{USERFRONT_PORT}}/recovery
|
||||
ui_url: ${KRATOS_UI_URL}/recovery
|
||||
use: code
|
||||
verification:
|
||||
ui_url: http://localhost:{{USERFRONT_PORT}}/verification
|
||||
ui_url: ${KRATOS_UI_URL}/verification
|
||||
use: code
|
||||
logout:
|
||||
after:
|
||||
default_browser_return_url: http://localhost:{{USERFRONT_PORT}}/login
|
||||
default_browser_return_url: ${KRATOS_UI_URL}/login
|
||||
login:
|
||||
ui_url: http://localhost:{{USERFRONT_PORT}}/login
|
||||
ui_url: ${KRATOS_UI_URL}/login
|
||||
lifespan: 10m
|
||||
registration:
|
||||
ui_url: http://localhost:{{USERFRONT_PORT}}/registration
|
||||
ui_url: ${KRATOS_UI_URL}/registration
|
||||
lifespan: 10m
|
||||
|
||||
log:
|
||||
|
||||
@@ -1,9 +1,52 @@
|
||||
[
|
||||
{
|
||||
"id": "backend-api-rule",
|
||||
"id": "public-health",
|
||||
"description": "공개 헬스체크",
|
||||
"match": {
|
||||
"url": "<.*>://<.*>/api/v1/<.*>",
|
||||
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH"]
|
||||
"url": "<.*>://<[^/]+>/health",
|
||||
"methods": ["GET"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://backend:{{BACKEND_PORT}}"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "public-preflight",
|
||||
"description": "CORS preflight",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/api/v1/<.*>",
|
||||
"methods": ["OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://backend:{{BACKEND_PORT}}"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "public-auth",
|
||||
"description": "인증/회원가입 등 공개 엔드포인트",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/api/v1/auth/<.*>",
|
||||
"methods": ["GET", "POST", "OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://backend:{{BACKEND_PORT}}"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "backend-command",
|
||||
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/api/v1/<.*>",
|
||||
"methods": ["POST", "PUT", "PATCH", "DELETE"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://backend:{{BACKEND_PORT}}"
|
||||
@@ -11,5 +54,106 @@
|
||||
"authenticators": [{ "handler": "cookie_session" }],
|
||||
"authorizer": { "handler": "remote_json" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "backend-query",
|
||||
"description": "Backend Query (admin/dev 포함)",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/api/v1/<.*>",
|
||||
"methods": ["GET"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://backend:{{BACKEND_PORT}}"
|
||||
},
|
||||
"authenticators": [{ "handler": "cookie_session" }],
|
||||
"authorizer": { "handler": "remote_json" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "hydra-well-known",
|
||||
"description": "Hydra OIDC Discovery & JWKS",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/.well-known/<.*>",
|
||||
"methods": ["GET", "OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://hydra:4444"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "hydra-well-known-oidc",
|
||||
"description": "Hydra OIDC Discovery & JWKS (with /oidc prefix)",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/oidc/.well-known/<.*>",
|
||||
"methods": ["GET", "OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://hydra:4444",
|
||||
"strip_path": "/oidc"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "hydra-oauth2",
|
||||
"description": "Hydra OAuth2 Endpoints",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/oauth2/<.*>",
|
||||
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://hydra:4444"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "hydra-oauth2-oidc",
|
||||
"description": "Hydra OAuth2 Endpoints (with /oidc prefix)",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/oidc/oauth2/<.*>",
|
||||
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://hydra:4444",
|
||||
"strip_path": "/oidc"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "hydra-userinfo",
|
||||
"description": "Hydra Userinfo",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/userinfo",
|
||||
"methods": ["GET", "POST", "OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://hydra:4444"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
},
|
||||
{
|
||||
"id": "hydra-userinfo-oidc",
|
||||
"description": "Hydra Userinfo (with /oidc prefix)",
|
||||
"match": {
|
||||
"url": "<.*>://<[^/]+>/oidc/userinfo",
|
||||
"methods": ["GET", "POST", "OPTIONS"]
|
||||
},
|
||||
"upstream": {
|
||||
"url": "http://hydra:4444",
|
||||
"strip_path": "/oidc"
|
||||
},
|
||||
"authenticators": [{ "handler": "noop" }],
|
||||
"authorizer": { "handler": "allow" },
|
||||
"mutators": [{ "handler": "noop" }]
|
||||
}
|
||||
]
|
||||
|
||||
Reference in New Issue
Block a user