Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Internal instructions for setting up Control Plane on the side of the customer.

Update Docker

Check if any updates for Docker are available. For the best experience your Docker installation should always be up to date.

https://docs.docker.com/get-docker/ 

docker -v

Useful links

Overview

Docker Compose

Commands:

docker compose pull
docker compose up -d

Do not forget to adjust the frontend/backend url (aws url instead of localhost if necessary).

NOTE**
BACKEND_URL now has the “https://” removed from earlier versions. Also WSS is no longer needed.

Add the DEV_PORTAL_TOKEN to the controlplane-devportal.

Do not forget your certificates!

controlplane-backend:

  • 'frontend.url=https://localhost:3000'

controlplane-frontend:

  • 'BACKEND_URL=localhost:8080'

controlplane-devportal:

  • 'BACKEND_URL=localhost:8080'

  • 'DEV_PORTAL_TOKEN=XYZ'

version: "3.3"
services:
  # database
  controlplane-backend-db:
    image: mysql:8
    container_name: controlplane-backend-db
    restart: always
    ports:
      - "3309:3306"
    environment:
      MYSQL_ROOT_PASSWORD: "123"
      MYSQL_DATABASE: obsidian-backend
      MYSQL_USER: obsidian
      MYSQL_PASSWORD: "123"
    volumes:
      - controlplane-backend-db-vol:/var/lib/mysql

  # backend
  controlplane-backend:
    image: ghcr.io/apiida/controlplane-backend:latest
    container_name: controlplane-backend
    depends_on:
      - controlplane-backend-db
    ports:
      - "8080:8080"
    environment:
      # The initial admin. You should change the password later.
      initial-admin.username: admin
      initial-admin.password: admin
      # The connection to the Developer Portal is created directly at startup. The token can be freely selected but must match the one set in the Developer Portal.
      dev-portal.default.url: https://localhost:3009
      dev-portal.default.token: vpfw2d823h8uQRN
      # It is important that you provide a secure password here! This is used to encrypt secrets like git passwords in the database!
      jasypt.encryptor.password: Dont4get$1
      spring.datasource.url: "jdbc:mysql://controlplane-backend-db:3306/obsidian-backend"
      spring.datasource.username: obsidian
      spring.datasource.password: "123"
      # required for CORS
      frontend.url: https://localhost:3000
      # you can also configure smtp while ACP is running, so this is optional
      mail.smtp.host: smtp.mailtrap.io
      mail.smtp.port: 25
      mail.smtp.encryption: TLS
      mail.smtp.username: 49c711575e9ab4
      mail.smtp.password: 626cca80501586
      # currently, we open a database connection for each incomming request, so the pool size determines how many requests we can process in parallel
      # you can reduce this, but don't go too small. I would recommend at the very least 20!
      spring.datasource.hikari.maximum-pool-size: 50
      # ssl configuration - if you disable ssl, the other ssl settings are irrelevant.
      server.ssl.enabled: true
      server.ssl.key-store-type: PKCS12
      # if you want to change the p12, then mount it into the container and set this to the correct absolute path
      server.ssl.key-store: "classpath:certificates/server.p12"
      server.ssl.key-store-password: Dont4get$1
      server.ssl.protocol: TLS
      server.ssl.enabled-protocols: TLSv1.3
    volumes:
      - controlplane-backend-files-vol:/application/files
      # you probably want to add another volume, for your SSL certificate (.p12 format!)

  # frontend
  controlplane-frontend:
    image: ghcr.io/apiida/controlplane-frontend:latest
    container_name: controlplane-frontend
    depends_on:
      - controlplane-backend
    ports:
      - "3000:443"
    environment:
      BACKEND_URL: localhost:8080
      # To disable the insertion of the tenant ID the string must not contain 'addTenantIdToBack'.
      INSERT_TENANT_ID: doNotInsertIt
      # ssl configuration - here you can mount your certificate in the container and if you want, also change the whole nginx configuration.
      # volumes:
      #   - ./frontend.crt:/etc/ssl/certs/frontend.crt
      #   - ./frontend.key:/etc/ssl/private/frontend.key
      # http://nginx.org/en/docs/
      #   - ./nginx.conf:/etc/nginx/conf.d/default.conf

  # devportal
  controlplane-devportal:
    image: ghcr.io/apiida/controlplane-devportal:latest
    container_name: controlplane-devportal
    depends_on:
      - controlplane-backend
    ports:
      - "3009:443"
    environment:
      BACKEND_URL: localhost:8080
      # To disable the insertion of the tenant ID the string must not contain 'addTenantIdToBack'.
      INSERT_TENANT_ID: doNotInsertIt
      DEV_PORTAL_TOKEN: vpfw2d823h8uQRN
      # ssl configuration - here you can mount your certificate in the container and if you want, also change the whole nginx configuration.
      # volumes:
      #   - ./frontend.crt:/etc/ssl/certs/frontend.crt
      #   - ./frontend.key:/etc/ssl/private/frontend.key
      # http://nginx.org/en/docs/
      #   - ./nginx.conf:/etc/nginx/conf.d/default.conf

networks:
  default:
    name: controlplane

volumes:
  controlplane-backend-db-vol:
  controlplane-backend-files-vol:

Frontend Certificates

To use production SSL certificates you must move your cert components to the following locations:

Mount the certificate in /etc/ssl/certs/frontend.crt
Mount the private key in /etc/ssl/private/frontend.key

These locations are static and not configurable via Environment Variables.

Backend Setup

First Admin User

Ensure the following environment variables are set:

      - 'initial-admin.username=admin'
      - 'initial-admin.password=admin'

Then the initial credentials are username admin and password admin. The user and password should be changed later.

Configure TLS Certificate

If you want to enable ssl and provide a certificate + private key, it must be in form of a .p12 file, which must contain your private key and the certificate chain. See these commands on how to create a certificate chain file and then create a .p12 from it and your private key:

cat backend.crt > backend-chain.pem
cat root.crt >> backend-chain.pem

openssl pkcs12 -export -inkey backend.key -in backend-chain.pem -name backend -out backend.p12 -passout pass:Dont4get$1

Mount the certificate to some location in the backend container and then set server.ssl.key-store to that location.

About Backend scalability

The backend does currently not support multiple parallel instances. Do not run more than 1 backend process The main issue is that agents would connect their websocket to only 1 backend instance and then to some instances the agent would appear connected and to others it would not.

What else can happen

  1. Cross origin: Either the backend is not up yet or the certificate from it is not trusted either.

    1. Once call the backend directly and accept the certificate as in 1.

  • No labels