Atlantis

Oceanbox's Single Page Application used for Visualizations and Analysis.

Bootstrapping Guide

To bootstrap Atlantis for development, build and run it using Tilt. Some setup is required:

k8s access

To run our application on the Kubernetes cluster, Tilt needs access to it. You authenticate with OIDC, using your Microsoft account. Add the following authentication configuration to your ~/.kube/config:

---
- name: oidc
  user:
      exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
              - oidc-login
              - get-token
              - --oidc-issuer-url=https://login.microsoftonline.com/<...>/v2.0
              - --oidc-client-id=<...>
              - --oidc-client-secret=<...>
          command: kubectl
          env: null
          interactiveMode: IfAvailable
          provideClusterInfo: false

Replace each <...> with the value for the correct Entra tenant.

Next, configure the required contexts to use oidc (also in your ~/.kube/config):

---
- context:
      cluster: ekman
      namespace: sorcerer
      user: oidc
  name: ekman
- context:
      cluster: oceanbox
      user: oidc
  name: oceanbox
---

Finally, you must be granted the necessary privileges in Entra to access the clusters. Verify that you have access with kubectl:

kubectl --context oceanbox -n default get pods

Manifests

Required Helm manifests are hosted in a separate repository: https://gitlab.com/oceanbox/manifests. Clone it so that it sits in the same parent directory as this repository.

The Bitnami repository must also be added to Helm:

helm repo add bitnami https://charts.bitnami.com/bitnami

DNS

Some DNS masking is required. Add the following to your NixOS configuration:

  services.dnsmasq = {
    enable = true;
    settings.address = [
      "/.local/127.0.0.1"
      "/.local.oceanbox.io/127.0.0.1"
    ];
  };

NuGet

To retrieve packages from the private Oceanbox NuGet registry, configure it with credentials in your ~/.nuget/NuGet/NuGet.Config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
        <add key="oceanbox" value="https://gitlab.com/api/v4/groups/14873744/-/packages/nuget/index.json" />
    </packageSources>
    <packageSourceCredentials>
        <oceanbox>
            <add key="Username" value="oceanbox-nuget" />
            <add key="ClearTextPassword" value="<...>" />
        </oceanbox>
    </packageSourceCredentials>
</configuration>

Replace <...> with the corresponding secret.

Now, we should be able to restore:

dotnet tool restore
dotnet restore Poseidon.slnx
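
The ~/.kube/config and ~/.nuget/NuGet/NuGet.Config edits above put an OIDC client secret and a clear-text registry password on disk. As an added example (not part of the Oceanbox repository), these shell functions flag either file when it is accessible to group or others and tighten it to owner-only; the function names are hypothetical and GNU coreutils `stat` is assumed.

```shell
# Added example, not Oceanbox code. Assumes GNU coreutils `stat` (as on NixOS).
# Function names are hypothetical.

# Strings that mark the secrets this guide puts into each file.
SECRET_MARKERS='oidc-client-secret=|ClearTextPassword'

# audit_secret_file PATH
#   0: PATH is owner-only, or holds none of the markers
#   1: PATH holds a marker and has group/other permission bits set
#   2: PATH does not exist
audit_secret_file() {
    local path="$1" mode
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    if ! grep -Eq -e "$SECRET_MARKERS" "$path"; then
        echo "NOSECRET $path"
        return 0
    fi
    # -L follows symlinks, so a linked config reports the target's mode.
    mode=$(stat -L -c '%a' "$path")
    case "$mode" in
        0|*00) echo "OK       $path (mode $mode)"; return 0 ;;
        *)     echo "EXPOSED  $path (mode $mode)"; return 1 ;;
    esac
}

# harden_secret_file PATH: restrict PATH to owner read/write, then re-audit.
harden_secret_file() {
    chmod 600 "$1" && audit_secret_file "$1"
}

# audit_bootstrap_secrets [HOME_DIR]
#   Audits both files from this guide; returns 1 if either is exposed.
audit_bootstrap_secrets() {
    local home="${1:-$HOME}" rc=0 status f
    for f in "$home/.kube/config" "$home/.nuget/NuGet/NuGet.Config"; do
        status=0
        audit_secret_file "$f" || status=$?
        if [ "$status" -eq 1 ]; then rc=1; fi
    done
    return "$rc"
}
```

Source the functions and run `audit_bootstrap_secrets`; for any file reported as EXPOSED, `harden_secret_file` sets it to mode 600.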

Mkcert

To generate certificates correctly, Vite needs the mkcert binary at a predefined path in our home directory. mkcert is included in our dev shell, so we can create a symlink to its location in the Nix store:

which mkcert | xargs -I{} ln -s {} ~/.vite-plugin-mkcert

If this directory does not exist, create it first with mkdir.

Docker Login

For Tilt to push the images it builds to the Oceanbox registry, we must authenticate with the registry using docker login. First, create a personal access token (PAT) in your GitLab account. It should have the read_registry and write_registry scopes set. Then, supply it to docker login:

docker login registry.gitlab.com/oceanbox

When prompted, authenticate with your GitLab username and the PAT you just created.

Create k8s Namespace

Create a namespace on the cluster for your Tilt application to live in:

kubectl create ns "$APP_NAMESPACE" --context oceanbox

Running Tilt

In the project root, run Tilt with the following command:

tilt up --context oceanbox

You should now be able to access the Atlantis client (with HMR) on atlantis.local.oceanbox.io:8080.

Trust Root Certificate

For your browser to allow access to the web application, you must add the root certificate generated by mkcert to the list of trusted authorities in your browser:

  1. In Firefox, navigate to settings and search for "Certificates".
  2. Click on "View Certificates", then "Import..." in the "Authorities" tab.
  3. Select the root certificate: ~/.vite-plugin-mkcert/certs/rootCA.pem.
    • Make sure to check "This certificate can identify websites".

Add user to OpenFGA

Ask sales to add your azure-ad-user to OpenFGA.

CORS for Sorcerer

Add the URL of your instance to the CORS list of Sorcerer here.