feat: OpenBao integration, Alibaba CSP fix, MCMP API URL normalization, UG improvements #81
Merged
feat(mcmp-api): add POST /api/mcmp-apis for single FrameworkService creation
…inx configs
- Add Step 5-1 register_framework_services() to 1_setup_auto.sh (conf and asset). sync-mcmp-apis only registers serviceActions, not the mcmp_api_services registry; framework service URLs must be registered before sync-projects (ADMIN-BUG-003)
- Fix stale upstream container names in nginx.template.conf (conf and asset): mciam-manager -> mc-iam-manager, mciam-keycloak -> mc-iam-manager-kc
fix: sync mc-admin-cli changes to setup scripts and nginx configs
- Add asset/organization/organizations.yaml with MZC org hierarchy preset (leftover from FR-005 organization feature, not included in PR#63)
- Exclude build binaries (mc-iam-manager-*) from git tracking
…mes in mcmp_api.yaml
chore(asset): add organization preset seed data
fix(ug): bypass gocloak omitempty bug for enabled=false user filter
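An illustration of the omitempty pitfall this commit works around, as added example code (not gocloak's or the project's code): a plain bool tagged omitempty is dropped when it is false, so an enabled=false filter never reaches the query string, while an explicit tri-state parameter path keeps it. The struct and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// UserFilter shows the usual shape of a typed query-parameter struct: a plain
// bool tagged omitempty. Constructed to illustrate the pitfall, not gocloak's code.
type UserFilter struct {
	Search  string `json:"search,omitempty"`
	Enabled bool   `json:"enabled,omitempty"`
}

// QueryViaJSON is the buggy path: the struct is marshalled and every field becomes
// a query parameter. omitempty treats false as "empty", so enabled=false vanishes.
func QueryViaJSON(f UserFilter) (url.Values, error) {
	raw, err := json.Marshal(f)
	if err != nil {
		return nil, err
	}
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	q := url.Values{}
	for k, v := range m {
		q.Set(k, fmt.Sprint(v)) // a false bool never reaches this loop
	}
	return q, nil
}

// OptionalUserFilter is the workaround: tri-state Enabled (nil = no filter).
type OptionalUserFilter struct {
	Search  string
	Enabled *bool
}

// QueryExplicit writes parameters by hand, bypassing struct-tag marshalling.
func QueryExplicit(f OptionalUserFilter) url.Values {
	q := url.Values{}
	if f.Search != "" {
		q.Set("search", f.Search)
	}
	if f.Enabled != nil {
		q.Set("enabled", fmt.Sprint(*f.Enabled))
	}
	return q
}
```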
Alibaba Cloud STS AssumeRoleWithOIDC requires:
1. id_token (not access_token): the id_token has a single-string aud matching ClientId
2. Timestamp parameter in the STS API request
3. openid scope in the Keycloak LoginClient to get an id_token
The access_token from client_credentials has aud as an array, which Alibaba rejects. The id_token has aud as a single string matching the registered ClientId.
- alibaba_credential_service: add missing Timestamp parameter to AssumeRoleWithSAML (Alibaba STS requires Timestamp in form data, unlike AWS STS)
- keycloak_service: refactor buildSAMLResponse to accept a destination parameter and extract Recipient from the assertion for the SAMLResponse Destination attribute
- keycloak_service: add extractRecipientFromAssertion helper
- keycloak_service: remove xmlns:saml from the outer Response to avoid a namespace collision affecting ExcC14N signature canonicalization
Verified: the Alibaba SAML audience must be 'urn:alibaba:cloudcomputing' (SP Entity ID), not the SAML Provider ARN. Configure the Keycloak SAML client ID accordingly.
fix(alibaba): fix SAML/OIDC credential issuance for Alibaba Cloud STS
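Added example, not project code: a Go pre-flight check for the aud requirement described in the commit above. It rejects the array-valued aud of a client_credentials access_token and accepts a single-string aud that equals the registered ClientId; the signature is not verified here because the STS endpoint does that. The UnsignedToken helper and the sample clientID are constructed for the demonstration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// CheckOIDCAudience decodes a JWT payload (shape check only, no signature
// verification) and returns nil when aud is a single string equal to clientID,
// the shape AssumeRoleWithOIDC requires. An array-valued aud is an error.
func CheckOIDCAudience(token, clientID string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWT: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("parse claims: %w", err)
	}
	var single string
	if json.Unmarshal(claims.Aud, &single) == nil {
		if single != clientID {
			return fmt.Errorf("aud %q does not match ClientId %q", single, clientID)
		}
		return nil
	}
	var many []string
	if json.Unmarshal(claims.Aud, &many) == nil {
		return fmt.Errorf("aud is an array %v: use the id_token, whose aud is a single string", many)
	}
	return fmt.Errorf("aud claim missing or malformed")
}

// UnsignedToken builds a constructed, unsigned JWT (alg none) for offline tests.
func UnsignedToken(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(body) + "."
}
```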
Delete document files that were migrated to mcmp-workflow/notion during work on PR#89/90/92 (044_워크스페이스설정보완개선)
- TEST_SCENARIOS.md (283 lines)
- docs/PROJECT-NAMESPACE-SYNC-API.md (35 lines)
Both files have been migrated to mcmp-workflow/notion/mc-iam-ep-워크스페이스설정보완개선/002_프로젝트네임스페이스동기화관리/.
chore: cleanup misadded artifacts (mcmp_api.yaml IPs, migrated docs)
- Add mc-infra-manager (cb-tumblebug) and mc-infra-connector (cb-spider) swagger sources
- Update mc-iam-manager version to 0.5.2
- Regenerate service-actions.yaml (887 total actions across 6 frameworks)
Add openbao-config.hcl (file storage + TCP listener) and openbao-entrypoint.sh (wrapper for bao server with automatic init/unseal and fixed service token creation on first run).
…pose docker-compose.yaml mc-iam-manager-post-initial already referenced this script but the file was absent from the repo.
…dmin-cli
Key changes:
- 0_preset_dev/prod.sh: use MC_IAM_MANAGER_PUBLIC_DOMAIN instead of KC_DOMAIN; output nginx.conf to container-volume/mc-iam-manager/nginx/
- 1_setup_auto.sh: source .env conditionally (env_file fallback), add Keycloak client redirect URI step, MCWEBCONSOLE_ -> MC_WEB_CONSOLE_, dynamic api.yaml-driven service registration with upsert on 409
- 1_setup_manual.sh: MCWEBCONSOLE_ -> MC_WEB_CONSOLE_
- nginx.template.conf: PUBLIC_DOMAIN substitution, add web-console-front SSL proxy block (3001), Grafana proxy, cost-optimizer-fe proxy
…port)
Sync mc-iam-manager docker environment from mc-admin-cli post FW-003:
- docker-compose.yaml: add mc-infra-manager-openbao service, update images (cb-spider 0.12.18, cb-tumblebug 0.12.9, etcd v3.5.21, web-console csescsta:edge), enable TB_AUTH_ENABLED + VAULT_*, variabilize all hard-coded ports, fix KC_HOSTNAME -> KC_HOSTNAME_URL + KC_PROXY_HEADERS + KC_FEATURES, fix nginx certs path (container-volume/mc-iam-manager/certs), post-initial condition service_healthy -> service_started
- .env / .env.setup: HEALTH_CHECK_RETIES -> RETRIES, MCWEBCONSOLE_* -> MC_WEB_CONSOLE_*, CONSOLE_POSTGRES_* -> MC_WEB_CONSOLE_POSTGRES_*, add MC_INFRA_MANAGER_API_USERNAME=spider (Spider-Tumblebug auth parity), add MC_INFRA_MANAGER_OPENBAO_* vars, add MC_IAM_MANAGER_PUBLIC_DOMAIN, add MC_INFRA_MANAGER_POSTGRES_* vars, add port host vars
- .gitignore: add conf/mc-iam-manager/*.bak.* exclusion
… test
- Fix nginx.template.conf lookup: use SCRIPT_DIR instead of cwd in 0_preset_dev.sh and 0_preset_prod.sh so the scripts work when invoked from the repo root
- Add MC_OBSERVABILITY_GRAFANA_PROXY_PORT and MC_COST_OPTIMIZER_FE_PROXY_PORT to .env.setup; template substitution left blank ports in nginx listen directives
- Add conf/mc-web-console/init.sql (uuid-ossp extension) and mount it in mc-web-console-db; mc-web-console-api crashed on uuid_generate_v4() missing
- Fix nginx healthcheck to use 127.0.0.1 (IPv4); wget resolved localhost to IPv6 on this host, causing Connection refused
- Replace mcc binary healthchecks with wget for Alpine-based services (mc-infra-manager, mc-iam-manager, mc-web-console-front); the glibc mcc binary fails with symbol not found on musl libc
feat(fw-003): backport OpenBao + env normalization from mc-admin-cli
1. OpenBao integration and Docker startup stabilization (FW-003)
- conf/mc-infra-manager/openbao-entrypoint.sh (new): init on first start, automatic unseal on restart, creation of a fixed service token (dev-only-token)
- conf/mc-infra-manager/openbao-config.hcl (modified): apply storage "file", remove disable_mlock (not supported in OpenBao 2.5.1)
- MC_INFRA_MANAGER_VAULT_TOKEN → MC_INFRA_MANAGER_OPENBAO_VAULT_TOKEN, MCWEBCONSOLE_* → MC_WEB_CONSOLE_*
- 0_preset_dev.sh / 0_preset_prod.sh: TEMPLATE_FILE changed from a cwd-relative path to one based on ${SCRIPT_DIR}
- mc-web-console-db: mount an init.sql that adds the uuid-ossp extension (resolves the uuid_generate_v4() error)
- localhost → 127.0.0.1 (prevents IPv6 resolution)
- mcc binary → replaced with wget (Alpine musl compatibility)
- .env.setup: add MC_OBSERVABILITY_GRAFANA_PROXY_PORT and MC_COST_OPTIMIZER_FE_PROXY_PORT (prevents missing substitutions in the nginx template)
- conf/mc-iam-manager/docker-post-init.sh added (entrypoint for the post-initial container)

2. MCMP API internal URL normalization
- asset/mcmpapi/mcmp_api.yaml: hard-coded IPs/localhost changed to Docker Compose service names
- asset/mcmpapi/frameworks.yaml, asset/mcmpapi/service-actions.yaml updated
- asset/organization/organizations.yaml newly added (organization preset seed data)

3. CSP temporary credential bug fixes (Alibaba)
- alibaba_credential_service.go: use id_token when calling AssumeRoleWithOIDC and add the Timestamp parameter
- alibaba_credential_service.go: fix the AssumeRoleWithSAML credential issuance error

4. User list query improvements (M2-UG)
- user_handler.go: add request parameter logging to the ListUsers handler
- keycloak_service.go: work around the gocloak omitempty bug when applying the enabled=false filter