Fusionauth minio setup (#53)

* Refactor Fusionauth Forms-DB-GQL Admin Key Configuration (#38) * modified hasura-gql-key * Added new enviroment variable for formsdb hasura * Changes (#49) * Minio Fusionauth initial setup * modified kickstart and other changes * removed unused redis service (#45) * Minor fixes * Added manual instructions to readme
samagra-comms · May 8, 2023 · e4c93a0 · e4c93a0
1 parent 17cbc8b
commit e4c93a0
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 11 deletions.
diff --git a/.env b/.env
@@ -18,6 +18,8 @@ FUSIONAUTH_MEMORY=2048M
 FUSIONAUTH_APP_MEMORY=2048M
 FUSIONAUTH_ADMIN_PASSWORD=mySecurePassword
 FUSIONAUTH_ADMIN_EMAIL=chakshu@samagragovernance.in
+FUSIONAUTH_APPLICATION_ID=f7d82f07-d34d-4201-98bb-aa8c3ff174b4
+FUSIONAUTH_CLIENT_SECRET=+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=
 ### ------------------------------------------------------- ###
 
 ### For ODK

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -227,14 +227,6 @@ services:
       interval: 15s
       timeout: 10s
       retries: 10
-
-  redis:
-    restart: always
-    image: "redis:alpine"
-    ports:
-      - "127.0.0.1:6389:6379"
-    volumes:
-      - ./data/redis-data:/data   
 
   formsdb:
     restart: always
@@ -318,6 +310,7 @@ services:
     restart: always
     depends_on:
       - fa-search
+      - fa-db
     environment:
       DATABASE_URL: jdbc:postgresql://fa-db:${FUSIONAUTH_POSTGRES_PORT}/fusionauth
       DATABASE_ROOT_USERNAME: ${FUSIONAUTH_POSTGRES_USER}
@@ -331,6 +324,8 @@ services:
       FUSIONAUTH_APP_KICKSTART_FILE: ${FUSIONAUTH_APP_KICKSTART_FILE}
       FUSIONAUTH_ADMIN_EMAIL: ${FUSIONAUTH_ADMIN_EMAIL}
       FUSIONAUTH_ADMIN_PASSWORD: ${FUSIONAUTH_ADMIN_PASSWORD}
+      FUSIONAUTH_APPLICATION_ID: ${FUSIONAUTH_APPLICATION_ID}
+      FUSIONAUTH_CLIENT_SECRET: ${FUSIONAUTH_CLIENT_SECRET}
     ports:
       - 9011:9011
     volumes:
@@ -358,4 +353,17 @@ services:
       - VAULT_ADDRESS=http://0.0.0.0:8200
     cap_add:
       - IPC_LOCK
-    command: vault server -config=/vault/config/vault.json
+    command: vault server -config=/vault/config/vault.json
+
+  uci-minio:
+    image: quay.io/minio/minio
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    env_file: env.dev/minio.env
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_IDENTITY_OPENID_CLIENT_ID: ${FUSIONAUTH_APPLICATION_ID}
+      MINIO_IDENTITY_OPENID_CLIENT_SECRET: ${FUSIONAUTH_CLIENT_SECRET}
+    depends_on:
+      - fusionauth
diff --git a/env.dev/minio.env b/env.dev/minio.env
@@ -0,0 +1,6 @@
+MINIO_ROOT_USER: minio99
+MINIO_ROOT_PASSWORD: minio123
+MINIO_IDENTITY_OPENID_CONFIG_URL: http://fusionauth:9011/.well-known/openid-configuration/265117b4-5065-42ca-895a-53625b89d380
+MINIO_IDENTITY_OPENID_CLAIM_NAME: roles
+MINIO_IDENTITY_OPENID_SCOPES: openid
+MINIO_IDENTITY_OPENID_REDIRECT_URI: http://minio:9001/oauth_callback
diff --git a/kickstart/kickstart.json b/kickstart/kickstart.json
@@ -2,7 +2,9 @@
   "variables": {
     "apiKey": "#{ENV.FUSIONAUTH_API_KEY}",
     "adminPassword": "#{ENV.FUSIONAUTH_ADMIN_PASSWORD}",
-    "adminEmail": "#{ENV.FUSIONAUTH_ADMIN_EMAIL}"
+    "adminEmail": "#{ENV.FUSIONAUTH_ADMIN_EMAIL}",
+    "applicatoinID": "#{ENV.FUSIONAUTH_APPLICATION_ID}",
+    "clientsecret" : "#{ENV.FUSIONAUTH_CLIENT_SECRET}"
   },
   "apiKeys": [
     {
@@ -25,6 +27,66 @@
           ]
         }
       }
+    },
+    {
+      "method": "POST",
+      "url": "/api/application/#{applicatoinID}",
+      "body": {
+        "application": {
+          "name": "MinIO",
+          "oauthConfiguration": {
+            "authorizedRedirectURLs": [
+              "http://minio:9001/oauth_callback"
+            ],
+            "authorizedURLValidationPolicy": "ExactMatch",
+            "clientAuthenticationPolicy": "Required",
+            "clientSecret": "#{clientsecret}",
+            "enabledGrants": [
+              "authorization_code",
+              "refresh_token"
+            ],
+            "generateRefreshToken": true,
+            "proofKeyForCodeExchangePolicy": "NotRequired"
+          },
+          "roles": [
+            {
+              "description": "Administrators that have access to everything",
+              "id": "#{UUID()}",
+              "name": "consoleAdmin",
+              "isDefault": false,
+              "isSuperRole": true
+            },
+            {
+              "description": "Administrators that have access to everything",
+              "id": "#{UUID()}",
+              "name": "daignostics",
+              "isDefault": false,
+              "isSuperRole": false
+            },
+            {
+              "description": "Administrators that have access to everything",
+              "id": "#{UUID()}",
+              "name": "readonly",
+              "isDefault": true,
+              "isSuperRole": false
+            },
+            {
+              "description": "Administrators that have access to everything",
+              "id": "#{UUID()}",
+              "name": "readwrite",
+              "isDefault": false,
+              "isSuperRole": false
+            },
+            {
+              "description": "Administrators that have access to everything",
+              "id": "#{UUID()}",
+              "name": "writeonly",
+              "isDefault": false,
+              "isSuperRole": false
+            }
+          ]
+        }
+      }
     }
   ]
 }
diff --git a/readme.md b/readme.md
@@ -28,7 +28,7 @@ Any user/ organization that wants to use setup UCI on their own server.
 
 # Manual Setup - one-click deployment is WIP
 
-- Setup a minio + FusionAuth setup following this guide -> https://github.com/Samagra-Development/minio-oauth2-docs. This part will be automated in future versions, but it is manual for now. 
+- Once all the containers are up, you will notice that there will be an minio-fusionauth setup out of the box. Go to minio console at port 9001, navigate to Identity -> Open ID, click on edit and turn `Claim User Info` on.
 
 - Populate the .env file with minio and fusionauth secrets after setup.