feat: working infra with sso

2025-12-04 12:49:43 +02:00
parent 67de982754
commit 7e54ee9099
13 changed files with 329 additions and 222 deletions
--- a/infra/scripts/deploy.sh
+++ b/infra/scripts/deploy.sh
@@ -210,6 +210,18 @@ deploy_all() {
    if [ "$ENVIRONMENT" = "local" ]; then
        log_info "Deploying unified stack for local environment..."
        compose_cmd "all" up -d "$@"
+    elif [ "$ENVIRONMENT" = "production" ]; then
+        log_info "Deploying unified stack for production environment..."
+        local cmd="docker compose"
+        cmd="$cmd -f $BASE_DIR/infrastructure.yaml"
+        cmd="$cmd -f $BASE_DIR/services.yaml"
+        cmd="$cmd -f $BASE_DIR/monitoring.yaml"
+
+        if [ -f "$INFRA_DIR/environments/$ENVIRONMENT/compose.override.yaml" ]; then
+            cmd="$cmd -f $INFRA_DIR/environments/$ENVIRONMENT/compose.override.yaml"
+        fi
+
+        $cmd --env-file "$ENV_FILE" --project-name "ai-tax-agent-$ENVIRONMENT" up -d "$@"
    elif [ -f "$unified_compose" ]; then
        log_info "Deploying unified stack for $ENVIRONMENT environment..."
        docker compose -f "$unified_compose" --env-file "$ENV_FILE" --project-name "ai-tax-agent-$ENVIRONMENT" up -d "$@"
@@ -225,6 +237,27 @@ deploy_all() {

    log_success "All stacks deployed successfully!"
    echo ""
+
+    # Post-deployment setup for Production
+    if [ "$ENVIRONMENT" = "production" ]; then
+        log_info "Running post-deployment setup..."
+
+        # Vault Setup
+        if [ -f "$INFRA_DIR/scripts/init-vault.sh" ]; then
+            log_info "Initializing/Unsealing Vault..."
+            chmod +x "$INFRA_DIR/scripts/init-vault.sh"
+            # Wait for Vault to be ready
+            sleep 10
+            "$INFRA_DIR/scripts/init-vault.sh"
+        fi
+
+        if [ -f "$INFRA_DIR/scripts/setup-vault.sh" ]; then
+            log_info "Configuring Vault OIDC..."
+            chmod +x "$INFRA_DIR/scripts/setup-vault.sh"
+            "$INFRA_DIR/scripts/setup-vault.sh"
+        fi
+    fi
+
    log_info "Access your services:"
    echo "  - Grafana: https://grafana.$DOMAIN"
    echo "  - Prometheus: https://prometheus.$DOMAIN"
--- a/infra/scripts/init-vault.sh
+++ b/infra/scripts/init-vault.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -e
+
+# Load environment variables
+source infra/environments/production/.env
+
+VAULT_ADDR="http://127.0.0.1:8200"
+CONTAINER_NAME="apa-vault"
+KEYS_FILE="infra/environments/production/.vault-keys"
+
+echo "Checking Vault status..."
+
+# Helper function to run vault commands inside docker
+vault_cmd() {
+    docker exec -i -e VAULT_ADDR=$VAULT_ADDR $CONTAINER_NAME vault "$@"
+}
+
+# Check if Vault is initialized
+if vault_cmd status -format=json | grep -q '"initialized": true'; then
+    echo "Vault is already initialized."
+else
+    echo "Vault is NOT initialized. Initializing..."
+    INIT_OUTPUT=$(vault_cmd operator init -key-shares=1 -key-threshold=1 -format=json)
+
+    echo "$INIT_OUTPUT" > "$KEYS_FILE"
+    chmod 600 "$KEYS_FILE"
+
+    echo "Vault initialized! Keys saved to $KEYS_FILE"
+    echo "WARNING: BACK UP THIS FILE SECURELY!"
+fi
+
+# Read keys
+# Extract first key from the array (assuming 1 key share)
+UNSEAL_KEY=$(grep -A 1 '"unseal_keys_b64":' "$KEYS_FILE" | tail -n 1 | cut -d'"' -f2)
+ROOT_TOKEN=$(grep '"root_token":' "$KEYS_FILE" | cut -d'"' -f4)
+
+# Unseal
+echo "Unsealing Vault..."
+vault_cmd operator unseal "$UNSEAL_KEY"
+
+echo "Vault is Unsealed!"
+echo "Root Token: $ROOT_TOKEN"
+
+# Export Root Token for setup script
+export VAULT_TOKEN=$ROOT_TOKEN
--- a/infra/scripts/setup-vault.sh
+++ b/infra/scripts/setup-vault.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+set -e
+
+# Load environment variables
+source infra/environments/production/.env
+
+# Vault Configuration
+VAULT_ADDR="http://127.0.0.1:8200"
+KEYS_FILE="infra/environments/production/.vault-keys"
+
+if [ ! -f "$KEYS_FILE" ]; then
+    echo "Error: Keys file not found at $KEYS_FILE. Run init-vault.sh first."
+    exit 1
+fi
+
+VAULT_TOKEN=$(grep '"root_token":' "$KEYS_FILE" | cut -d'"' -f4)
+CONTAINER_NAME="apa-vault"
+
+echo "Configuring Vault..."
+
+# Helper function to run vault commands inside docker
+vault_cmd() {
+    docker exec -i -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$VAULT_TOKEN $CONTAINER_NAME vault "$@"
+}
+
+# Enable OIDC auth method
+echo "Enabling OIDC auth method..."
+if ! vault_cmd auth list | grep -q "oidc/"; then
+    vault_cmd auth enable oidc
+else
+    echo "OIDC auth method already enabled."
+fi
+
+# Configure OIDC
+echo "Configuring OIDC..."
+vault_cmd write auth/oidc/config \
+    oidc_discovery_url="https://auth.${DOMAIN}/application/o/vault-prod/" \
+    oidc_client_id="vault-prod" \
+    oidc_client_secret="${AUTHENTIK_VAULT_CLIENT_SECRET}" \
+    default_role="reader"
+
+# Create Policies
+echo "Creating policies..."
+
+# Admin Policy
+vault_cmd policy write admin - <<EOF
+path "*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+EOF
+
+# Reader Policy
+vault_cmd policy write reader - <<EOF
+path "secret/*" {
+  capabilities = ["read", "list"]
+}
+EOF
+
+# Create Roles
+echo "Creating roles..."
+
+# Admin Role
+vault_cmd write auth/oidc/role/admin \
+    bound_audiences="vault-prod" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
+    user_claim="email" \
+    policies="admin" \
+    role_type="oidc" \
+    groups_claim="groups" \
+    oidc_scopes="openid,email,profile,groups"
+
+# Reader Role
+vault_cmd write auth/oidc/role/reader \
+    bound_audiences="vault-prod" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
+    user_claim="email" \
+    policies="reader" \
+    role_type="oidc" \
+    groups_claim="groups" \
+    oidc_scopes="openid,email,profile,groups"
+
+echo "Vault configuration complete!"