kratos SSOT 재설계

config-restored/compose/compose.ory.yaml

@@ -236,21 +236,12 @@ services:
 
     # 기본 RP (Admin Front 등) 자동 등록 컨테이너
     init-rp:
-        image: alpine:latest
+        image: oryd/hydra:${HYDRA_CLI_VERSION:-v26.2.0}
         env_file:
             - .env
+        entrypoint: ["/bin/sh", "-ec"]
         command:
-            - /bin/sh
-            - -ec
             - |
-                apk add --no-cache curl tar
-                HYDRA_CLI_VERSION="$${HYDRA_VERSION:-v26.2.0}"
-                HYDRA_CLI_VERSION="$${HYDRA_CLI_VERSION%-distroless}"
-                HYDRA_CLI_ARCHIVE_VERSION="$${HYDRA_CLI_VERSION#v}"
-                curl -fsSLo /tmp/hydra.tar.gz "https://github.com/ory/hydra/releases/download/$${HYDRA_CLI_VERSION}/hydra_$${HYDRA_CLI_ARCHIVE_VERSION}-linux_64bit.tar.gz"
-                tar -xzf /tmp/hydra.tar.gz -C /usr/local/bin hydra
-                rm /tmp/hydra.tar.gz
-
                 hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" adminfront >/dev/null 2>&1 || true
                 hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" devfront >/dev/null 2>&1 || true
                 hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" orgfront >/dev/null 2>&1 || true
@@ -270,21 +261,21 @@ services:
                   --endpoint "$${HYDRA_ADMIN_URL}" \
                   --id devfront \
                   --name "DevFront" \
-                --grant-type authorization_code,refresh_token \
-                --response-type code \
-                --scope openid,offline_access,profile,email \
-                --token-endpoint-auth-method none \
-                --redirect-uri ${DEVFRONT_CALLBACK_URLS}
+                  --grant-type authorization_code,refresh_token \
+                  --response-type code \
+                  --scope openid,offline_access,profile,email \
+                  --token-endpoint-auth-method none \
+                  --redirect-uri ${DEVFRONT_CALLBACK_URLS}
 
                 hydra create oauth2-client \
                   --endpoint "$${HYDRA_ADMIN_URL}" \
                   --id orgfront \
                   --name "OrgFront" \
-                --grant-type authorization_code,refresh_token \
-                --response-type code \
-                --scope openid,offline_access,profile,email \
-                --token-endpoint-auth-method none \
-                --redirect-uri ${ORGFRONT_CALLBACK_URLS}
+                  --grant-type authorization_code,refresh_token \
+                  --response-type code \
+                  --scope openid,offline_access,profile,email \
+                  --token-endpoint-auth-method none \
+                  --redirect-uri ${ORGFRONT_CALLBACK_URLS}
 
                 hydra create oauth2-client \
                   --endpoint "$${HYDRA_ADMIN_URL}" \

config-restored/compose/docker-compose.yaml

@@ -55,6 +55,10 @@ services:
         build:
             context: .
             dockerfile: ./adminfront/Dockerfile
+            args:
+                VITE_ADMIN_PUBLIC_URL: ${ADMINFRONT_URL}
+                VITE_OIDC_AUTHORITY: ${VITE_OIDC_AUTHORITY}
+                VITE_OIDC_CLIENT_ID: adminfront
         container_name: baron_adminfront
         env_file:
             - .env
@@ -80,6 +84,10 @@ services:
         build:
             context: .
             dockerfile: ./devfront/Dockerfile
+            args:
+                VITE_DEVFRONT_PUBLIC_URL: ${DEVFRONT_URL}
+                VITE_OIDC_AUTHORITY: ${VITE_OIDC_AUTHORITY}
+                VITE_OIDC_CLIENT_ID: devfront
         container_name: baron_devfront
         env_file:
             - .env
@@ -105,6 +113,10 @@ services:
         build:
             context: .
             dockerfile: ./orgfront/Dockerfile
+            args:
+                VITE_ORGFRONT_PUBLIC_URL: ${ORGFRONT_URL}
+                VITE_OIDC_AUTHORITY: ${VITE_OIDC_AUTHORITY}
+                VITE_OIDC_CLIENT_ID: orgfront
         container_name: baron_orgfront
         env_file:
             - .env
@@ -172,6 +184,33 @@ services:
         networks:
             - baron_net
 
+    promtail:
+        image: grafana/promtail:2.9.0
+        container_name: baron_promtail
+        restart: unless-stopped
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock:ro
+            - /var/lib/docker/containers:/var/lib/docker/containers:ro
+            - ./docker/promtail-config.template.yaml:/etc/promtail/promtail-config.yaml:ro
+        command: -config.file=/etc/promtail/promtail-config.yaml -config.expand-env=true
+        environment:
+            - LOKI_URL=${LOKI_URL:-http://loki:3100/loki/api/v1/push}
+            - APP_ENV=${APP_ENV:-development}
+        networks:
+            - baron_net
+
+    blackbox-exporter:
+        image: prom/blackbox-exporter:v0.25.0
+        container_name: baron_blackbox_exporter
+        restart: unless-stopped
+        ports:
+            - "9115:9115"
+        volumes:
+            - ./docker/monitor/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
+        networks:
+            - baron_net
+            - ory-net
+
 networks:
     baron_net:
         external: true

config-restored/env.redacted

@@ -1,6 +1,8 @@
-APP_ENV=dev
+APP_ENV=stage
 BACKEND_LOG_LEVEL=debug
 CLIENT_LOG_DEBUG=true
+WORKS_ADMIN_API_BASE_URL=https://www.worksapis.com
+WORKS_ADMIN_OAUTH_TOKEN_URL=REDACTED
 TZ=Asia/Seoul
 IDP_PROVIDER=ory
 
@@ -16,6 +18,7 @@ CLICKHOUSE_PASSWORD=REDACTED
 BACKEND_PORT=3000
 ADMINFRONT_PORT=5173
 DEVFRONT_PORT=5174
+ORGFRONT_PORT=
 USERFRONT_PORT=5000
 
 OATHKEEPER_API_URL=http://oathkeeper:4456
@@ -26,10 +29,11 @@ DB_NAME=baron_sso
 COOKIE_SECRET=REDACTED
 JWT_SECRET=REDACTED
 REDIS_ADDR=redis:6389
-CORS_ALLOWED_ORIGINS='*'
+CORS_ALLOWED_ORIGINS=https://sso.hmac.kr
 AUDIT_WORKER_COUNT=5
 AUDIT_QUEUE_SIZE=2000
-PROFILE_CACHE_TTL=
+PROFILE_CACHE_TTL=30m
+ORGFRONT_ORGCHART_CACHE_TTL_SECONDS=3600
 NAVER_CLOUD_ACCESS_KEY=REDACTED
 NAVER_CLOUD_SECRET_KEY=REDACTED
 NAVER_CLOUD_SERVICE_ID=ncp:sms:kr:364022321777:baroncs
@@ -38,19 +42,15 @@ AWS_REGION=ap-northeast-2
 AWS_ACCESS_KEY_ID=REDACTED
 AWS_SECRET_ACCESS_KEY=REDACTED
 AWS_SES_SENDER=support@baroncs.co.kr
-# ADMIN_EMAIL=admin@hmac.kr
-ADMIN_EMAIL=su-@samaneng.com
+ADMIN_EMAIL=admin@hmac.kr
 ADMIN_PASSWORD=REDACTED
-USERFRONT_URL=http://localhost:5000
-# USERFRONT_URL=http://172.16.9.189:5000
-ADMINFRONT_URL=http://localhost:5173
-DEVFRONT_URL=http://localhost:5174
-VITE_ORGCHART_URL=http://localhost:5175
-ORGFRONT_URL=http://localhost:5175
+USERFRONT_URL=https://sso.hmac.kr
+ADMINFRONT_URL=https://sadmin.hmac.kr
+DEVFRONT_URL=https://sdev.hmac.kr
+ORGFRONT_URL=https://sorg.hmac.kr
 BACKEND_PUBLIC_URL=${USERFRONT_URL}
 BACKEND_URL=${USERFRONT_URL}
-# OATHKEEPER_PUBLIC_URL=http://172.16.9.189:5000
-OATHKEEPER_PUBLIC_URL=http://localhost:5000
+OATHKEEPER_PUBLIC_URL=https://sso.hmac.kr
 
 ORY_POSTGRES_TAG=17-trixie
 ORY_POSTGRES_USER=ory
@@ -60,15 +60,16 @@ KRATOS_DB=ory_kratos
 HYDRA_DB=ory_hydra
 KETO_DB=ory_keto
 KRATOS_VERSION=v26.2.0-distroless
+KRATOS_UI_NODE_VERSION=v26.2.0
 HYDRA_VERSION=v26.2.0-distroless
 KETO_VERSION=v26.2.0-distroless
 ORY_SDK_URL=http://kratos:4433
 KRATOS_PUBLIC_URL=http://kratos:4433
 KRATOS_ADMIN_URL=http://kratos:4434
-KRATOS_BROWSER_URL=http://localhost:5000/auth
-KRATOS_UI_URL=http://localhost:5000
+KRATOS_BROWSER_URL=https://sso.hmac.kr/auth
+KRATOS_UI_URL=https://sso.hmac.kr
 HYDRA_ADMIN_URL=http://hydra:4445
-HYDRA_PUBLIC_URL=http://localhost:5000/oidc
+HYDRA_PUBLIC_URL=https://sso.hmac.kr/oidc
 JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
 OATHKEEPER_VERSION=v26.2.0
 OATHKEEPER_UID=1001
@@ -80,40 +81,17 @@ OATHKEEPER_HEALTH_ENABLED=true
 CSRF_COOKIE_NAME=REDACTED
 CSRF_COOKIE_SECRET=REDACTED
 
-# Frontend OIDC configs for Staging
-VITE_OIDC_AUTHORITY=http://localhost:5000/oidc
-ADMINFRONT_CALLBACK_URLS=http://localhost:5173/auth/callback
-DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback
-ORGFRONT_CALLBACK_URLS=http://localhost:5175/auth/callback
+# Frontend/Ory URL configs for Staging
+VITE_OIDC_AUTHORITY=https://sso.hmac.kr/oidc
+ADMINFRONT_CALLBACK_URLS=https://sadmin.hmac.kr/auth/callback
+DEVFRONT_CALLBACK_URLS=https://sdev.hmac.kr/auth/callback
+ORGFRONT_CALLBACK_URLS=https://sorg.hmac.kr/auth/callback
+KRATOS_ALLOWED_RETURN_URLS_JSON=
+KRATOS_ALLOWED_RETURN_URLS_EXTRA=
 # OATHKEEPER_INTROSPECT_CLIENT_ID=
 # OATHKEEPER_INTROSPECT_CLIENT_SECRET=
 
-#Worksmobile
-SAMAN_DOMAIN_ID=300285955
-HANMAC_DOMAIN_ID=300286336
-GPDTDC_DOMAIN_ID=300286337
-BARONGROUP_DOMAIN_ID=300286645
-HALLA_DOMAIN_ID=300293726
-SAMAN_TENANT_ID=300285955
-SAMAN_SCIM_LONGLIVE_TOKEN=REDACTED
-WORKS_ADMIN_OAUTH_CLIENT_ID=JrD1iPz73ugTFV5XL_zO
-WORKS_ADMIN_OAUTH_CLIENT_SECRET=REDACTED
-WORKS_ADMIN_OAUTH_CLIENT_SERVICE_ACCOUNT=e3n9j.serviceaccount@samaneng.com
-WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE=REDACTED
-WORKS_DEFAULT_DOMAIN_SAMAN=samaneng.com
-WORKS_DEFAULT_DOMAIN_HANMAC=hanmaceng.co.kr
-WORKS_DEFAULT_DOMAIN_GPDTDC=baroncs.co.kr
-WORKS_DEFAULT_DOMAIN_BARONGROUP=brsw.kr
-WORKS_DEFAULT_DOMAIN_HALLA=hallasanup.com
-WORKS_ADMIN_API_BASE_URL=https://www.worksapis.com
-WORKS_ADMIN_OAUTH_TOKEN_URL=REDACTED
-
-WORKS_DRIVE_OAUTH_CLIENT_ID=9JapAnmjI9M_1SqDp4Uj
-WORKS_DRIVE_OAUTH_CLIENT_SECRET=REDACTED
-WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT=h4bq6.serviceaccount@samaneng.com
-WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY_FILE=REDACTED
-WORKS_DRIVE_APP_PASSWORD=REDACTED
-WORKS_DRIVE_OAUTH_REDIRECT_URI=https://drive.hmac.kr/works/callback
-WORKS_DRIVE_OAUTH_REFRESH_TOKEN=REDACTED
-WORKS_DRIVE_SHARED_DRIVE_ID=@2001000000540386
-WORKS_DRIVE_PARENT_FILE_ID=QDIwMDEwMDAwMDA1NDAzODZ8MzQ3MjYxMzYwMzE0NjY2NDk2OXxEfDA
+# Monitoring & Alerts
+SMS_WEBHOOK_PORT=8080
+MONITOR_RECIPIENT_PHONES=01012345678,01098765432
+LOKI_URL=http://llm_gateway_loki:3100/loki/api/v1/push