
kratos SSOT 재설계

This commit is contained in:
2026-06-12 18:36:18 +09:00
parent b96c8100e0
commit 8e9d015443
39 changed files with 3960 additions and 501 deletions


@@ -236,21 +236,12 @@ services:
# 기본 RP (Admin Front 등) 자동 등록 컨테이너
init-rp:
image: alpine:latest
image: oryd/hydra:${HYDRA_CLI_VERSION:-v26.2.0}
env_file:
- .env
entrypoint: ["/bin/sh", "-ec"]
command:
- /bin/sh
- -ec
- |
apk add --no-cache curl tar
HYDRA_CLI_VERSION="$${HYDRA_VERSION:-v26.2.0}"
HYDRA_CLI_VERSION="$${HYDRA_CLI_VERSION%-distroless}"
HYDRA_CLI_ARCHIVE_VERSION="$${HYDRA_CLI_VERSION#v}"
curl -fsSLo /tmp/hydra.tar.gz "https://github.com/ory/hydra/releases/download/$${HYDRA_CLI_VERSION}/hydra_$${HYDRA_CLI_ARCHIVE_VERSION}-linux_64bit.tar.gz"
tar -xzf /tmp/hydra.tar.gz -C /usr/local/bin hydra
rm /tmp/hydra.tar.gz
hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" adminfront >/dev/null 2>&1 || true
hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" devfront >/dev/null 2>&1 || true
hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" orgfront >/dev/null 2>&1 || true
@@ -270,21 +261,21 @@ services:
--endpoint "$${HYDRA_ADMIN_URL}" \
--id devfront \
--name "DevFront" \
--grant-type authorization_code,refresh_token \
--response-type code \
--scope openid,offline_access,profile,email \
--token-endpoint-auth-method none \
--redirect-uri ${DEVFRONT_CALLBACK_URLS}
--grant-type authorization_code,refresh_token \
--response-type code \
--scope openid,offline_access,profile,email \
--token-endpoint-auth-method none \
--redirect-uri ${DEVFRONT_CALLBACK_URLS}
hydra create oauth2-client \
--endpoint "$${HYDRA_ADMIN_URL}" \
--id orgfront \
--name "OrgFront" \
--grant-type authorization_code,refresh_token \
--response-type code \
--scope openid,offline_access,profile,email \
--token-endpoint-auth-method none \
--redirect-uri ${ORGFRONT_CALLBACK_URLS}
--grant-type authorization_code,refresh_token \
--response-type code \
--scope openid,offline_access,profile,email \
--token-endpoint-auth-method none \
--redirect-uri ${ORGFRONT_CALLBACK_URLS}
hydra create oauth2-client \
--endpoint "$${HYDRA_ADMIN_URL}" \
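Review bot: `--redirect-uri ${DEVFRONT_CALLBACK_URLS}` and `--redirect-uri ${ORGFRONT_CALLBACK_URLS}` are compose-interpolated into the shell script unquoted, so an empty or space-containing value silently changes the argument list instead of failing; quote them, `--redirect-uri "${DEVFRONT_CALLBACK_URLS}"`, or read them at shell level like the other values, `--redirect-uri "$${DEVFRONT_CALLBACK_URLS}"`. The container also inherits the whole `.env` through `env_file`, although the script only needs `HYDRA_ADMIN_URL` and the `*_CALLBACK_URLS` values; an explicit `environment:` list would keep the database, AWS and Works credentials out of this one-shot container. The image tag `${HYDRA_CLI_VERSION:-v26.2.0}` is a separate variable from `HYDRA_VERSION` (`v26.2.0-distroless` in `.env`), and if someone sets it to the distroless tag the `/bin/sh` entrypoint will presumably not exist, so a comment above `image:` stating that this must be the non-distroless build would help. The `command` block scalar continues beyond the hunk.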


@@ -55,6 +55,10 @@ services:
build:
context: .
dockerfile: ./adminfront/Dockerfile
args:
VITE_ADMIN_PUBLIC_URL: ${ADMINFRONT_URL}
VITE_OIDC_AUTHORITY: ${VITE_OIDC_AUTHORITY}
VITE_OIDC_CLIENT_ID: adminfront
container_name: baron_adminfront
env_file:
- .env
@@ -80,6 +84,10 @@ services:
build:
context: .
dockerfile: ./devfront/Dockerfile
args:
VITE_DEVFRONT_PUBLIC_URL: ${DEVFRONT_URL}
VITE_OIDC_AUTHORITY: ${VITE_OIDC_AUTHORITY}
VITE_OIDC_CLIENT_ID: devfront
container_name: baron_devfront
env_file:
- .env
@@ -105,6 +113,10 @@ services:
build:
context: .
dockerfile: ./orgfront/Dockerfile
args:
VITE_ORGFRONT_PUBLIC_URL: ${ORGFRONT_URL}
VITE_OIDC_AUTHORITY: ${VITE_OIDC_AUTHORITY}
VITE_OIDC_CLIENT_ID: orgfront
container_name: baron_orgfront
env_file:
- .env
@@ -172,6 +184,33 @@ services:
networks:
- baron_net
promtail:
image: grafana/promtail:2.9.0
container_name: baron_promtail
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /var/lib/docker/containers:/var/lib/docker/containers:ro
- ./docker/promtail-config.template.yaml:/etc/promtail/promtail-config.yaml:ro
command: -config.file=/etc/promtail/promtail-config.yaml -config.expand-env=true
environment:
- LOKI_URL=${LOKI_URL:-http://loki:3100/loki/api/v1/push}
- APP_ENV=${APP_ENV:-development}
networks:
- baron_net
blackbox-exporter:
image: prom/blackbox-exporter:v0.25.0
container_name: baron_blackbox_exporter
restart: unless-stopped
ports:
- "9115:9115"
volumes:
- ./docker/monitor/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
networks:
- baron_net
- ory-net
networks:
baron_net:
external: true
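Review bot: The `promtail` service bind-mounts `/var/run/docker.sock`, and the `:ro` flag only makes the socket node read-only; it does not restrict the Docker API calls the container can issue through it, so this container effectively holds host-level control. If promtail only needs container discovery, front the socket with a proxy that exposes just the read-only endpoints, or rely on the `/var/lib/docker/containers` mount alone, and record the reason in a comment above the volume line. Separately, `blackbox-exporter` publishes `"9115:9115"` on every host interface while Prometheus presumably reaches it over `baron_net`; drop `ports:` or bind it to loopback, `- "127.0.0.1:9115:9115"`. The build `args` for the three fronts bake `VITE_OIDC_AUTHORITY` into the image, making the images environment-specific; a comment saying so would stop a staging image from being reused elsewhere by accident.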


@@ -1,6 +1,8 @@
APP_ENV=dev
APP_ENV=stage
BACKEND_LOG_LEVEL=debug
CLIENT_LOG_DEBUG=true
WORKS_ADMIN_API_BASE_URL=https://www.worksapis.com
WORKS_ADMIN_OAUTH_TOKEN_URL=REDACTED
TZ=Asia/Seoul
IDP_PROVIDER=ory
@@ -16,6 +18,7 @@ CLICKHOUSE_PASSWORD=REDACTED
BACKEND_PORT=3000
ADMINFRONT_PORT=5173
DEVFRONT_PORT=5174
ORGFRONT_PORT=
USERFRONT_PORT=5000
OATHKEEPER_API_URL=http://oathkeeper:4456
@@ -26,10 +29,11 @@ DB_NAME=baron_sso
COOKIE_SECRET=REDACTED
JWT_SECRET=REDACTED
REDIS_ADDR=redis:6389
CORS_ALLOWED_ORIGINS='*'
CORS_ALLOWED_ORIGINS=https://sso.hmac.kr
AUDIT_WORKER_COUNT=5
AUDIT_QUEUE_SIZE=2000
PROFILE_CACHE_TTL=
PROFILE_CACHE_TTL=30m
ORGFRONT_ORGCHART_CACHE_TTL_SECONDS=3600
NAVER_CLOUD_ACCESS_KEY=REDACTED
NAVER_CLOUD_SECRET_KEY=REDACTED
NAVER_CLOUD_SERVICE_ID=ncp:sms:kr:364022321777:baroncs
@@ -38,19 +42,15 @@ AWS_REGION=ap-northeast-2
AWS_ACCESS_KEY_ID=REDACTED
AWS_SECRET_ACCESS_KEY=REDACTED
AWS_SES_SENDER=support@baroncs.co.kr
# ADMIN_EMAIL=admin@hmac.kr
ADMIN_EMAIL=su-@samaneng.com
ADMIN_EMAIL=admin@hmac.kr
ADMIN_PASSWORD=REDACTED
USERFRONT_URL=http://localhost:5000
# USERFRONT_URL=http://172.16.9.189:5000
ADMINFRONT_URL=http://localhost:5173
DEVFRONT_URL=http://localhost:5174
VITE_ORGCHART_URL=http://localhost:5175
ORGFRONT_URL=http://localhost:5175
USERFRONT_URL=https://sso.hmac.kr
ADMINFRONT_URL=https://sadmin.hmac.kr
DEVFRONT_URL=https://sdev.hmac.kr
ORGFRONT_URL=https://sorg.hmac.kr
BACKEND_PUBLIC_URL=${USERFRONT_URL}
BACKEND_URL=${USERFRONT_URL}
# OATHKEEPER_PUBLIC_URL=http://172.16.9.189:5000
OATHKEEPER_PUBLIC_URL=http://localhost:5000
OATHKEEPER_PUBLIC_URL=https://sso.hmac.kr
ORY_POSTGRES_TAG=17-trixie
ORY_POSTGRES_USER=ory
@@ -60,15 +60,16 @@ KRATOS_DB=ory_kratos
HYDRA_DB=ory_hydra
KETO_DB=ory_keto
KRATOS_VERSION=v26.2.0-distroless
KRATOS_UI_NODE_VERSION=v26.2.0
HYDRA_VERSION=v26.2.0-distroless
KETO_VERSION=v26.2.0-distroless
ORY_SDK_URL=http://kratos:4433
KRATOS_PUBLIC_URL=http://kratos:4433
KRATOS_ADMIN_URL=http://kratos:4434
KRATOS_BROWSER_URL=http://localhost:5000/auth
KRATOS_UI_URL=http://localhost:5000
KRATOS_BROWSER_URL=https://sso.hmac.kr/auth
KRATOS_UI_URL=https://sso.hmac.kr
HYDRA_ADMIN_URL=http://hydra:4445
HYDRA_PUBLIC_URL=http://localhost:5000/oidc
HYDRA_PUBLIC_URL=https://sso.hmac.kr/oidc
JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
OATHKEEPER_VERSION=v26.2.0
OATHKEEPER_UID=1001
@@ -80,40 +81,17 @@ OATHKEEPER_HEALTH_ENABLED=true
CSRF_COOKIE_NAME=REDACTED
CSRF_COOKIE_SECRET=REDACTED
# Frontend OIDC configs for Staging
VITE_OIDC_AUTHORITY=http://localhost:5000/oidc
ADMINFRONT_CALLBACK_URLS=http://localhost:5173/auth/callback
DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback
ORGFRONT_CALLBACK_URLS=http://localhost:5175/auth/callback
# Frontend/Ory URL configs for Staging
VITE_OIDC_AUTHORITY=https://sso.hmac.kr/oidc
ADMINFRONT_CALLBACK_URLS=https://sadmin.hmac.kr/auth/callback
DEVFRONT_CALLBACK_URLS=https://sdev.hmac.kr/auth/callback
ORGFRONT_CALLBACK_URLS=https://sorg.hmac.kr/auth/callback
KRATOS_ALLOWED_RETURN_URLS_JSON=
KRATOS_ALLOWED_RETURN_URLS_EXTRA=
# OATHKEEPER_INTROSPECT_CLIENT_ID=
# OATHKEEPER_INTROSPECT_CLIENT_SECRET=
#Worksmobile
SAMAN_DOMAIN_ID=300285955
HANMAC_DOMAIN_ID=300286336
GPDTDC_DOMAIN_ID=300286337
BARONGROUP_DOMAIN_ID=300286645
HALLA_DOMAIN_ID=300293726
SAMAN_TENANT_ID=300285955
SAMAN_SCIM_LONGLIVE_TOKEN=REDACTED
WORKS_ADMIN_OAUTH_CLIENT_ID=JrD1iPz73ugTFV5XL_zO
WORKS_ADMIN_OAUTH_CLIENT_SECRET=REDACTED
WORKS_ADMIN_OAUTH_CLIENT_SERVICE_ACCOUNT=e3n9j.serviceaccount@samaneng.com
WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE=REDACTED
WORKS_DEFAULT_DOMAIN_SAMAN=samaneng.com
WORKS_DEFAULT_DOMAIN_HANMAC=hanmaceng.co.kr
WORKS_DEFAULT_DOMAIN_GPDTDC=baroncs.co.kr
WORKS_DEFAULT_DOMAIN_BARONGROUP=brsw.kr
WORKS_DEFAULT_DOMAIN_HALLA=hallasanup.com
WORKS_ADMIN_API_BASE_URL=https://www.worksapis.com
WORKS_ADMIN_OAUTH_TOKEN_URL=REDACTED
WORKS_DRIVE_OAUTH_CLIENT_ID=9JapAnmjI9M_1SqDp4Uj
WORKS_DRIVE_OAUTH_CLIENT_SECRET=REDACTED
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT=h4bq6.serviceaccount@samaneng.com
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY_FILE=REDACTED
WORKS_DRIVE_APP_PASSWORD=REDACTED
WORKS_DRIVE_OAUTH_REDIRECT_URI=https://drive.hmac.kr/works/callback
WORKS_DRIVE_OAUTH_REFRESH_TOKEN=REDACTED
WORKS_DRIVE_SHARED_DRIVE_ID=@2001000000540386
WORKS_DRIVE_PARENT_FILE_ID=QDIwMDEwMDAwMDA1NDAzODZ8MzQ3MjYxMzYwMzE0NjY2NDk2OXxEfDA
# Monitoring & Alerts
SMS_WEBHOOK_PORT=8080
MONITOR_RECIPIENT_PHONES=01012345678,01098765432
LOKI_URL=http://llm_gateway_loki:3100/loki/api/v1/push
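Review bot: `CORS_ALLOWED_ORIGINS=https://sso.hmac.kr` lists only the user front, while `ADMINFRONT_URL`, `DEVFRONT_URL` and `ORGFRONT_URL` now sit on three other origins; if any of those fronts calls the backend cross-origin, the tightened value blocks them, so confirm the intended consumers or list them explicitly, `CORS_ALLOWED_ORIGINS=https://sso.hmac.kr,https://sadmin.hmac.kr,https://sdev.hmac.kr,https://sorg.hmac.kr` (using whatever separator the backend parses). `ORGFRONT_PORT=` and `KRATOS_ALLOWED_RETURN_URLS_JSON=` are left empty among otherwise complete staging values; if empty is deliberate, a comment saying so prevents the next edit from "fixing" it. `BACKEND_LOG_LEVEL=debug` and `CLIENT_LOG_DEBUG=true` are carried into a stage environment served on public hostnames, which deserves a second look because debug logs tend to capture tokens and session data. If this file is the committed `.env` rather than an example, the Works OAuth client IDs and service-account addresses are now in history; an `.env.example` with placeholders is the usual mitigation.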

Binary file not shown.