Moritz Jörg 54c40d7acc fix(multiauth): Add clientId to redirect on signout
Previously we used `id_token_hint`, but it's saved in the cookie.
This will instead require a client_id (which identifies your application),
so Keycloak knows which application you’re requesting a redirect for.
2026-01-20 14:04:46 +01:00

built with nix

Poseidon

Oceanbox's comprehensive platform for oceanic data visualization, analysis, and processing.

Documentation

  • Nix Build System - Comprehensive guide to the Nix-based build system, packages, containers, and workflows
  • Scripts - Available utility scripts for development and deployment

Bootstrapping Guide

To bootstrap Atlantis for development, build and run it using Tilt.

Some setup is required:

Kubernetes Access

To run our application on the Kubernetes cluster, Tilt needs access to it. Authenticate with OIDC using your Microsoft account by adding the following user entry to your ~/.kube/config:

---
- name: oidc
  user:
      exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
              - oidc-login
              - get-token
              - --oidc-issuer-url=https://login.microsoftonline.com/<...>/v2.0
              - --oidc-client-id=<...>
              - --oidc-client-secret=<...>
          command: kubectl
          env: null
          interactiveMode: IfAvailable
          provideClusterInfo: false

Replace each <...> with the value for the correct Entra tenant.

Next, configure the required contexts to use the oidc user (also in your ~/.kube/config):

---
- context:
    cluster: ekman
    namespace: sorcerer
    user: oidc
  name: ekman
- context:
    cluster: oceanbox
    namespace: atlantis
    user: oidc
  name: oceanbox

Finally, you must be granted the necessary privileges in Entra to access the clusters. Verify that you have access with kubectl:

kubectl --context oceanbox -n default get pods

Manifests

Required helm manifests are hosted in a separate repository: https://gitlab.com/oceanbox/manifests. Clone it into a directory in the same parent directory as this repository.

You'll have to run helm dependency update in the atlantis directory within the manifest repo to download the charts.

NuGet

To retrieve packages from the private Oceanbox NuGet registry, configure it with credentials in your ~/.nuget/NuGet/NuGet.Config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
        <add key="oceanbox" value="https://gitlab.com/api/v4/groups/14873744/-/packages/nuget/index.json" />
    </packageSources>
    <packageSourceCredentials>
        <oceanbox>
            <add key="Username" value="<Your-GitLab-Username>" />
            <add key="ClearTextPassword" value="<Your-GitLab-PAT>" />
        </oceanbox>
    </packageSourceCredentials>
    <packageSourceMapping>
        <packageSource key="nuget.org">
            <package pattern="*" />
        </packageSource>
        <packageSource key="oceanbox">
            <package pattern="Oceanbox.*" />
            <package pattern="ProjNet.FSharp" />
            <package pattern="Drifters.Api" />
            <package pattern="Fable.Lit" />
            <package pattern="Fable.Lit.*" />
            <package pattern="Fable.SignalR" />
            <package pattern="Fable.SignalR.*" />
            <package pattern="Fable.OpenLayers" />
            <package pattern="Matplotlib.*" />
        </packageSource>
    </packageSourceMapping>
</configuration>

Replace <Your-GitLab-Username> and <Your-GitLab-PAT> with your own GitLab username and PAT.
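The packageSourceMapping section above decides which feed may serve each package ID, which is what keeps internal packages from being restored from nuget.org. The following is an added example (not part of this repository) that reimplements NuGet's documented pattern precedence in Python to audit a config; the sample XML is a constructed subset of the patterns above, and falls_through with its private parameter is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the packageSourceMapping section of the config above,
# cut down to a few of its patterns.
SAMPLE_CONFIG = """<configuration>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="oceanbox">
      <package pattern="Oceanbox.*" />
      <package pattern="Drifters.Api" />
      <package pattern="Fable.Lit" />
      <package pattern="Fable.Lit.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>"""


def load_mapping(config_xml):
    """Return {source key: [patterns]} from a NuGet.Config document."""
    root = ET.fromstring(config_xml)
    return {src.get("key"): [p.get("pattern") for p in src.findall("package")]
            for src in root.findall("./packageSourceMapping/packageSource")}


def rank(pattern, package_id):
    """Precedence of pattern for package_id, or None when it does not match.
    An exact ID beats any prefix, a longer prefix beats a shorter one, and a
    bare "*" ranks last."""
    pat, pid = pattern.lower(), package_id.lower()  # IDs are case-insensitive
    if pat.endswith("*"):
        prefix = pat[:-1]
        return (0, len(prefix)) if pid.startswith(prefix) else None
    return (1, 0) if pat == pid else None


def sources_for(package_id, mapping):
    """Sources allowed to serve package_id: those holding the best match."""
    ranked = [(r, key) for key, pats in mapping.items()
              for r in (rank(p, package_id) for p in pats) if r is not None]
    best = max((r for r, _ in ranked), default=None)
    return sorted({key for r, key in ranked if r == best})


def falls_through(internal_ids, mapping, private="oceanbox"):
    """Internal package IDs that are NOT restored only from the private feed."""
    return [i for i in internal_ids if sources_for(i, mapping) != [private]]
```

Pass falls_through a list of your internal package IDs and the mapping loaded from your real NuGet.Config; any ID it returns is covered only by the `*` pattern and needs its own pattern under the oceanbox source.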

Now, we should be able to restore:

dotnet restore Poseidon.slnx

For dotnet-tools we use Nix, so entering the shell using nix-shell or direnv is enough.

Mkcert

To generate certificates correctly, Vite needs the mkcert binary in a predefined path in our home directory. mkcert is included in our dev shell, so we can create a symlink to its location in the Nix store:

which mkcert | xargs -I{} ln -s {} ~/.vite-plugin-mkcert

If the ~/.vite-plugin-mkcert directory does not exist, create it with mkdir before running the command.

Docker Login

For Tilt to push the images it builds to the Oceanbox registry, we must authenticate with it using docker login. First, create a personal access token in your GitLab account. It should have the read_registry and write_registry scopes set. Then store it in an environment variable (fish shell syntax):

set -x TOKEN glpat-xxxx

Then, supply it to docker login:

echo "$TOKEN" | docker login gitlab.com -u <user> --password-stdin

When prompted, authenticate with your GitLab username and the PAT you just created.

Create k8s Namespace

Create a namespace on the cluster for your Tilt application to live in:

kubectl create ns "$APP_NAMESPACE" --context oceanbox

Running Tilt

In the project root, run tilt with the following command:

tilt up --context oceanbox

You should now be able to access the Atlantis client (with HMR) on atlantis.local.oceanbox.io:8080.

Trust Root Certificate

Note

You'll need to run just run-client in src/Atlantis to generate the certificates in ~/.vite-plugin-mkcert/certs.

In order for your browser to allow you to access the web application, you must add the root certificate generated by mkcert to the list of trusted authorities in your browser:

  1. In Firefox, navigate to settings and search for "Certificates".
  2. Click on "View Certificates", then "Import..." in the "Authorities" tab.
  3. Select the root certificate, ~/.vite-plugin-mkcert/certs/rootCA.pem.
    • Make sure to check "This certificate can identify websites".

Add user to OpenFGA

Ask sales to add your azure-ad-user to OpenFGA.

CORS for Sorcerer

Add the url of your instance to the CORS list of Sorcerer here.

v1.40.5 Latest
2026-01-21 12:52:52 +00:00