From ac4cfb3199ebd7b2d14cdaa98f7df3d089225b71 Mon Sep 17 00:00:00 2001
From: Mike Johanson
Date: Tue, 5 May 2026 10:48:07 -0700
Subject: [PATCH] refactor: tweek compose for console

---
 .env.template | 2 +
 .gitattributes | 1 -
 data/init.sql | 127 ---------------------------------
 docker-compose.yml | 73 +++++++++----------
 kong.yaml | 174 +++++++++++----------------------------------
 5 files changed, 77 insertions(+), 300 deletions(-)
 delete mode 100644 .gitattributes
 delete mode 100644 data/init.sql

diff --git a/.env.template b/.env.template
index feef0297..a0914ffa 100644
--- a/.env.template
+++ b/.env.template
@@ -3,6 +3,7 @@ MPS_COMMON_NAME=localhost
 MPSPORT=4433
 
 # Console
+# openssl rand -hex 16
 APP_ENCRYPTION_KEY=
 LOG_LEVEL=info
 HTTP_PORT=8181
@@ -13,6 +14,7 @@ AUTH_ADMIN_USERNAME=standalone
 AUTH_ADMIN_PASSWORD=
 AUTH_JWT_KEY=
 AUTH_JWT_EXPIRATION=24h
+AUTH_ISSUER=console
 
 # RPS
 RPSWEBPORT=8081
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index 841d26ec..00000000
--- a/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-mosquitto.conf text eol=lf
\ No newline at end of file
diff --git a/data/init.sql b/data/init.sql
deleted file mode 100644
index 24be6285..00000000
--- a/data/init.sql
+++ /dev/null
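Review bot: `AUTH_JWT_KEY=` is still shipped blank with no generation hint, even though this patch also substitutes the same value into Kong's `jwt_secrets` as the token-verification secret, so a weak or forgotten value now weakens or breaks authentication at the edge rather than only inside the console; mirror the hint added for `APP_ENCRYPTION_KEY` with `# openssl rand -hex 32` on the line above `AUTH_JWT_KEY=`. The new `AUTH_ISSUER=console` has to stay identical to the `key: console` consumer entry in kong.yaml, because Kong's jwt plugin (with its default `iss` lookup) selects the secret by that claim; a one-line comment, `# must match the jwt_secrets key in kong.yaml`, makes that coupling visible to whoever edits either file next.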
@@ -1,127 +0,0 @@
-/*********************************************************************
-* Copyright (c) Intel Corporation 2020
-* SPDX-License-Identifier: Apache-2.0
-**********************************************************************/
-SELECT 'CREATE DATABASE rpsdb' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'rpsdb')\gexec
-
-\connect rpsdb
-
-CREATE EXTENSION IF NOT EXISTS citext;
-
-CREATE TABLE IF NOT EXISTS ciraconfigs(
- cira_config_name citext NOT NULL,
- mps_server_address varchar(256),
- mps_port integer,
- user_name varchar(40),
- password varchar(63),
- common_name varchar(256),
- server_address_format integer,
- auth_method integer,
- mps_root_certificate text,
- proxydetails text,
- tenant_id varchar(36) NOT NULL,
- PRIMARY KEY (cira_config_name, tenant_id)
-);
-CREATE TABLE IF NOT EXISTS ieee8021xconfigs(
- profile_name citext,
- auth_protocol integer,
- servername VARCHAR(255),
- domain VARCHAR(255),
- username VARCHAR(255),
- password VARCHAR(255),
- roaming_identity VARCHAR(255),
- active_in_s0 BOOLEAN,
- pxe_timeout integer,
- wired_interface BOOLEAN NOT NULL,
- tenant_id varchar(36) NOT NULL,
- PRIMARY KEY (profile_name, tenant_id)
-);
-CREATE TABLE IF NOT EXISTS wirelessconfigs(
- wireless_profile_name citext NOT NULL,
- authentication_method integer,
- encryption_method integer,
- ssid varchar(32),
- psk_value integer,
- psk_passphrase varchar(63),
- link_policy int[],
- creation_date timestamp,
- created_by varchar(40),
- tenant_id varchar(36) NOT NULL,
- ieee8021x_profile_name citext,
- FOREIGN KEY (ieee8021x_profile_name,tenant_id) REFERENCES ieee8021xconfigs(profile_name,tenant_id),
- PRIMARY KEY (wireless_profile_name, tenant_id)
-);
-CREATE TABLE IF NOT EXISTS profiles(
- profile_name citext NOT NULL,
- activation varchar(20) NOT NULL,
- amt_password varchar(40),
- generate_random_password BOOLEAN NOT NULL,
- cira_config_name citext,
- FOREIGN KEY (cira_config_name,tenant_id) REFERENCES ciraconfigs(cira_config_name,tenant_id),
- creation_date timestamp,
- created_by varchar(40),
- mebx_password varchar(40),
- generate_random_mebx_password BOOLEAN NOT NULL,
- tags text[],
- dhcp_enabled BOOLEAN,
- ip_sync_enabled BOOLEAN NULL,
- local_wifi_sync_enabled BOOLEAN NULL,
- tenant_id varchar(36) NOT NULL,
- tls_mode integer NULL,
- user_consent varchar(7) NULL,
- ider_enabled BOOLEAN NULL,
- kvm_enabled BOOLEAN NULL,
- sol_enabled BOOLEAN NULL,
- tls_signing_authority varchar(40) NULL,
- ieee8021x_profile_name citext,
- uefi_wifi_sync_enabled BOOLEAN NULL,
- FOREIGN KEY (ieee8021x_profile_name,tenant_id) REFERENCES ieee8021xconfigs(profile_name,tenant_id),
- PRIMARY KEY (profile_name, tenant_id)
-);
-CREATE TABLE IF NOT EXISTS profiles_wirelessconfigs(
- wireless_profile_name citext,
- profile_name citext,
- FOREIGN KEY (wireless_profile_name,tenant_id) REFERENCES wirelessconfigs(wireless_profile_name,tenant_id),
- FOREIGN KEY (profile_name,tenant_id) REFERENCES profiles(profile_name,tenant_id),
- priority integer,
- creation_date timestamp,
- created_by varchar(40),
- tenant_id varchar(36) NOT NULL,
- PRIMARY KEY (wireless_profile_name, profile_name, priority, tenant_id)
-);
-CREATE TABLE IF NOT EXISTS domains(
- name citext NOT NULL,
- domain_suffix citext NOT NULL,
- provisioning_cert text,
- provisioning_cert_storage_format varchar(40),
- provisioning_cert_key text,
- creation_date timestamp,
- expiration_date timestamp,
- created_by varchar(40),
- tenant_id varchar(36) NOT NULL,
- CONSTRAINT domainname UNIQUE (name, tenant_id),
- CONSTRAINT domainsuffix UNIQUE (domain_suffix, tenant_id),
- PRIMARY KEY (name, domain_suffix, tenant_id)
-);
-CREATE TABLE IF NOT EXISTS proxyconfigs(
- proxy_config_name citext,
- address citext NOT NULL,
- info_format integer NOT NULL,
- port integer NOT NULL,
- network_dns_suffix varchar(192),
- creation_date timestamp,
- tenant_id varchar(36),
- CONSTRAINT address_port_tenant_id UNIQUE (address, port, tenant_id),
- PRIMARY KEY (proxy_config_name, tenant_id)
-);
-CREATE TABLE IF NOT EXISTS profiles_proxyconfigs(
- proxy_config_name citext,
- profile_name citext,
- FOREIGN KEY (proxy_config_name,tenant_id) REFERENCES proxyconfigs(proxy_config_name,tenant_id),
- FOREIGN KEY (profile_name,tenant_id) REFERENCES profiles(profile_name,tenant_id),
- priority integer,
- creation_date timestamp,
- created_by varchar(40),
- tenant_id varchar(36),
- PRIMARY KEY (proxy_config_name, profile_name, priority, tenant_id)
-);
diff --git a/docker-compose.yml b/docker-compose.yml
index ca46a7d7..019dfca9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,43 +12,51 @@ services: context: ./services/console dockerfile: ./Dockerfile networks: - - openamtnetwork + - dmtnetwork env_file: - .env environment: + GIN_MODE: release + HEADLESS: "true" APP_COMMON_NAME: ${MPS_COMMON_NAME} + DB_PROVIDER: postgres DB_URL: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/rpsdb - SECRET_ADDR: http://vault:8200 - SECRET_TOKEN: ${VAULT_TOKEN} + SECRETS_ADDR: http://vault:8200 + SECRETS_TOKEN: ${VAULT_TOKEN} + SECRETS_PATH: ${SECRETS_PATH} + HTTP_HOST: "0.0.0.0" HTTP_PORT: "8181" - LOG_LEVEL: info + HTTP_TLS_ENABLED: "false" + LOG_LEVEL: ${LOG_LEVEL} + APP_DISABLE_CIRA: "false" healthcheck: - test: ["CMD", "wget", "-qO-", "http://localhost:8181/api/v1/health"] + test: ["CMD", "/app", "--health"] interval: 12s timeout: 12s retries: 3 - ports: - - "8181:8181" - - "${MPSPORT}:4433" + expose: + - "8181" + - "4433" webui: restart: always image: intel/oact-webui:latest networks: - - openamtnetwork + - dmtnetwork build: context: ./services/sample-web-ui dockerfile: ./Dockerfile + args: + BUILD_CONFIGURATION: enterprise environment: - RPS_SERVER: https://${MPS_COMMON_NAME}/rps - MPS_SERVER: https://${MPS_COMMON_NAME}/mps + CONSOLE_SERVER_API: https://${MPS_COMMON_NAME} VAULT_SERVER: https://${MPS_COMMON_NAME}/vault rps: restart: always image: intel/oact-rps:latest networks: - - openamtnetwork + - dmtnetwork build: context: ./services/rps dockerfile: ./Dockerfile @@ -69,23 +77,6 @@ services: RPS_CONSUL_HOST: ${CONSUL_HOST} RPS_CONSUL_PORT: ${CONSUL_PORT} - mpsrouter: - restart: always - image: intel/oact-mpsrouter:latest - build: - context: ./services/mps-router - dockerfile: ./Dockerfile - networks: - - openamtnetwork - environment: - MPS_CONNECTION_STRING: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/rpsdb?sslmode=disable - PORT: ${PORT} - MPS_PORT: ${MPSWEBPORT} - healthcheck: - interval: 12s - timeout: 12s - retries: 3 - test: ["CMD", "/app", "--health"] db: restart: always 
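Review bot: `HTTP_TLS_ENABLED: "false"` together with `HTTP_HOST: "0.0.0.0"` makes the console accept plaintext on every interface of its container, and that is only acceptable because the same hunk replaces `ports` with `expose`, leaving 8181 and 4433 reachable solely from `dmtnetwork` behind Kong; record that dependency next to the setting so a later switch back to `ports:` does not silently publish a non-TLS admin API, e.g. `HTTP_TLS_ENABLED: "false"  # plaintext only because 8181 is expose-d, not published; Kong terminates TLS on 443`. `DB_URL` carries no `sslmode` parameter while the mpsrouter string this patch removes spelled out `sslmode=disable`; which mode the console's Postgres driver defaults to cannot be seen here, so state it explicitly in the URL either way to keep the intent reviewable. `SECRETS_TOKEN: ${VAULT_TOKEN}` is unchanged in substance from the old `SECRET_TOKEN`, but it is still a Vault token handed over as a process environment variable visible via `docker inspect`; worth a comment that a dev-mode token is assumed here.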
@@ -94,7 +85,7 @@ services: context: ./pg dockerfile: ./Dockerfile networks: - - openamtnetwork + - dmtnetwork healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d rpsdb"] interval: 2s @@ -106,14 +97,13 @@ services: POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} ports: - 5432:5432 - volumes: - - ./data:/docker-entrypoint-initdb.d + vault: restart: always image: hashicorp/vault:1.21 networks: - - openamtnetwork + - dmtnetwork ports: - 8200:8200 environment: @@ -131,34 +121,37 @@ services: timeout: 10s retries: 10 command: - - "kong" - - "start" - - "--vv" + - sh + - -c + - 'awk -v k="$$AUTH_JWT_KEY" ''{gsub(/\$\{AUTH_JWT_KEY\}/, k); print}'' /home/kong/kong.yml.tpl > /tmp/kong.yml && exec kong start --vv' environment: - KONG_DATABASE=off - KONG_CASSANDRA_CONTACT_POINTS=kong-database - KONG_ADMIN_LISTEN=0.0.0.0:8001 - KONG_ADMIN_LISTEN_SSL=0.0.0.0:8444 - KONG_NGINX_DAEMON=off - - KONG_DECLARATIVE_CONFIG=/home/kong/kong.yml + - KONG_DECLARATIVE_CONFIG=/tmp/kong.yml - KONG_PROXY_ERROR_LOG=/dev/stderr - KONG_PROXY_ACCESS_LOG=/dev/stdout - KONG_ADMIN_ACCESS_LOG=/dev/stdout - KONG_ADMIN_ERROR_LOG=/dev/stderr - KONG_DNS_ORDER=LAST,A,CNAME - KONG_UPSTREAM_KEEPALIVE_POOL_SIZE=0 + - KONG_STREAM_LISTEN=0.0.0.0:4433 + - AUTH_JWT_KEY=${AUTH_JWT_KEY} networks: - - openamtnetwork + - dmtnetwork volumes: - - ./kong.yaml:/home/kong/kong.yml + - ./kong.yaml:/home/kong/kong.yml.tpl ports: - 443:8443 - 8001:8001 + - "${MPSPORT}:4433" volumes: app-volume: private-volume: networks: - openamtnetwork: + dmtnetwork: driver: "bridge" diff --git a/kong.yaml b/kong.yaml index 64f58eed..6eda7f85 100644 --- a/kong.yaml +++ b/kong.yaml 
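Review bot: The `sh -c` templating step in the `kong` service substitutes `AUTH_JWT_KEY` into `/tmp/kong.yml` without checking that it is set, and `.env.template` ships it blank, so a missed value produces a `jwt_secrets` entry with an empty `secret:` and Kong either rejects the declarative config or, worse, starts verifying tokens against an empty key — fail fast with `[ -n "$$AUTH_JWT_KEY" ] || exit 1` before rendering. The awk regex `\$\{AUTH_JWT_KEY\}` also looks wrong for compose: its interpolation engine treats a `$` not followed by `$`, a name or `{…}` as an "invalid interpolation format" error, so `$\{` will most likely abort `docker compose up` unless escaped as `$$`, and even once it runs, `gsub` expands `&` and `\` in the replacement and `-v` applies escape processing, so a key containing either is silently altered. A rendering that fails closed and does a literal (non-regex) replacement via `ENVIRON`:
```yaml
    command:
      - sh
      - -c
      - |
        set -eu
        [ -n "$$AUTH_JWT_KEY" ] || { echo "AUTH_JWT_KEY must be set (e.g. openssl rand -hex 32)" >&2; exit 1; }
        # literal search/replace via ENVIRON: no regex, no gsub '&'/'\' expansion, no -v escape processing
        awk 'BEGIN { k = ENVIRON["AUTH_JWT_KEY"]; p = "$${AUTH_JWT_KEY}" }
             { s = $$0; out = ""
               while ((i = index(s, p)) > 0) { out = out substr(s, 1, i - 1) k; s = substr(s, i + length(p)) }
               print out s }' /home/kong/kong.yml.tpl > /tmp/kong.yml
        exec kong start --vv
    # … unchanged: environment, networks, volumes, ports …
```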
@@ -1,85 +1,56 @@ #********************************************************************* -# Copyright (c) Intel Corporation 2018-2019 +# Copyright (c) Intel Corporation 2018-2026 # SPDX-License-Identifier: Apache-2.0 #********************************************************************* -# Metadata fields start with an underscore (_) -# Fields that do not start with an underscore represent Kong entities and attributes - -# _format_version is mandatory, -# it specifies the minimum version of Kong that supports the format - _format_version: "3.0" - -# _transform is optional, defaulting to true. -# It specifies whether schema transformations should be applied when importing this file -# as a rule of thumb, leave this setting to true if you are importing credentials -# with plain passwords, which need to be encrypted/hashed before storing on the database. -# On the other hand, if you are reimporting a database with passwords already encrypted/hashed, -# set it to false. - _transform: true -# Each Kong entity (core entity or custom entity introduced by a plugin) -# can be listed in the top-level as an array of objects: - services: -- name: mps-rest - host: mpsrouter - port: 8003 +# Console: subsumes legacy MPS API + KVM/SOL/IDER relay +- name: console + host: console + port: 8181 + protocol: http tags: - - mps + - console routes: - - name: mps-route - strip_path: true + - name: console-login-route + strip_path: false paths: - - /mps - - name: device-power-state-route - strip_path: true + - /api/v1/authorize + - name: console-api-route + strip_path: false paths: - - ~/device/power/state/(?[a-fA-F0-9\-]+) - - name: device-power-action-route - strip_path: true + - /api + - name: console-health-route + strip_path: false paths: - - ~/device/power/action/(?[a-fA-F0-9\-]+) - - -- name: mps-redirection - host: mps - port: 3000 - path: /relay - tags: - - mps - routes: - - name: mps-redirection-route - strip_path: true + - /healthz + - name: console-version-route + strip_path: 
false paths: - - /mps/ws/relay - + - /version + - name: console-relay-route + strip_path: false + paths: + - /relay/webrelay.ashx -- name: mps-rest-v2 - host: mps - port: 3000 - path: /api/v1/authorize +# Console CIRA: L4 TCP passthrough from edge to console:4433 +- name: console-cira + host: console + port: 4433 + protocol: tcp tags: - - mps + - console routes: - - name: mps-login-route - strip_path: true - paths: - - /mps/login/api/v1/authorize - -- name: rps-rest - host: rps - port: 8081 - tags: - - rps - routes: - - name: rps-route - strip_path: true - paths: - - /rps + - name: console-cira-route + protocols: + - tcp + destinations: + - port: 4433 +# RPS WebSocket (provisioning) - name: rps-ws host: rps port: 8080 @@ -113,7 +84,7 @@ services: - name: vault-api host: vault - port: 8200 + port: 8200 tags: - vault routes: @@ -122,17 +93,6 @@ services: paths: - /vault -- name: mosquitto-ws - host: mosquitto - port: 9001 - tags: - - mosquitto - routes: - - name: mosquitto-route - strip_path: true - paths: - - /mosquitto - - name: web host: webui port: 80 
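Review bot: `console-login-route` puts the password endpoint `/api/v1/authorize` at the public edge with no throttle, and nothing in this config slows a credential-guessing loop against the single `AUTH_ADMIN_USERNAME` account defined in `.env`; Kong's bundled `rate-limiting` plugin can be attached to that route in the `plugins:` section of this same file, e.g. `- name: rate-limiting` / `route: console-login-route` / `config: { minute: 10, policy: local }`. `/healthz` and `/version` are likewise unauthenticated; that is fine for the probe, but `/version` hands the exact console build to any anonymous caller on 443, so decide deliberately whether it should be edge-visible and comment the decision. For `console-cira`, L4 passthrough means the console now sees Kong's container address rather than the AMT device's as the peer of every CIRA connection; if the console logs or restricts by source IP that information is lost (cannot be confirmed from here), and a comment on the service stating that the original peer is not preserved would save the next person the investigation.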
@@ -144,72 +104,22 @@ services: - / plugins: -- name: cors +- name: cors + - name: jwt - route: rps-route + route: console-api-route config: claims_to_verify: - exp - name: jwt - service: mps-rest + route: console-relay-route config: claims_to_verify: - exp -- name: request-transformer - route: device-power-state-route - config: - replace: - uri: "/api/v1/amt/power/state/$(uri_captures['id'])" -- name: request-transformer - route: device-power-action-route - config: - replace: - uri: "/api/v1/amt/power/action/$(uri_captures['id'])" - consumers: - username: admin jwt_secrets: - consumer: admin - key: 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc #sample key - secret: - - - -# routes: -# - name: another-route -# # Relationships can also be specified between top-level entities, -# # either by name or by id -# service: example-service -# hosts: ["hello.com"] - -# consumers: -# - username: example-user -# # Custom entities from plugin can also be specified -# # If they specify a foreign-key relationshp, they can also be nested -# keyauth_credentials: -# - key: my-key -# plugins: -# - name: rate-limiting -# _comment: "these are default rate-limits for user example-user" -# config: -# policy: local -# second: 5 -# hour: 10000 - -# When an entity has multiple foreign-key relationships -# (e.g. a plugin matching on both consumer and service) -# it must be specified as a top-level entity, and not through -# nesting. - -# plugins: -# - name: rate-limiting -# consumer: example-user -# service: another-service -# _comment: "example-user is extra limited when using another-service" -# config: -# hour: 2 -# # tags are for your organization only and have no meaning for Kong: -# tags: -# - extra_limits -# - my_tag + key: console + secret: ${AUTH_JWT_KEY}
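Review bot: `secret: ${AUTH_JWT_KEY}` is only rendered by the compose `command` in this patch; loaded any other way (the old compose mounted this file directly as the declarative config) Kong would install the literal string `${AUTH_JWT_KEY}` as the HS256 secret, and anyone who reads this public file could mint admin tokens — add a comment on the line, `# placeholder: rendered by docker-compose.yml, never load this file unrendered`, and consider renaming the file `kong.yaml.tpl` so the mistake is visible. The entry also relies on plugin defaults for the algorithm and the `iss`-based lookup; write `algorithm: HS256` under the secret and note that `key: console` must equal `AUTH_ISSUER` in `.env`, so a change on either side is caught in review. Both jwt plugins verify only `exp`; with `.env` fixing `AUTH_JWT_EXPIRATION=24h`, `maximum_expiration: 86400` rejects tokens minted with a longer lifetime, and `nbf` in `claims_to_verify` costs nothing. Finally, the jwt plugin accepts the token from the `jwt` query parameter by default and `KONG_PROXY_ACCESS_LOG` goes to stdout, so a browser relay client that passes the token in the `/relay/webrelay.ashx` URL will have it written to the logs — set `uri_param_names` to an empty list on `console-relay-route` if the client can send a header or cookie, otherwise document that tokens land in the access log.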