Assumptions: Roost is being set up on AWS EC2 with Google Auth.
Set up any one OAuth provider for the Roost control-plane.
Steps - Set up Google Auth Client
Create Credentials, select OAuth client ID and Application Type as Web Application
Add the Authorised JavaScript Origin as
https://<DNS_NAME>
Add Authorised redirect URIs
https://<DNS_NAME>/login
https://<DNS_NAME>/api/auth/redirect/google
Download the JSON
Make a note of the Google Client ID and the Client Secret (they are needed later in the config below)
Steps - Set up OKTA Auth Client
Sign in to your OKTA account with admin privileges (if you do not have an existing Okta account, sign up at http://developer.okta.com )
From the left navigation menu, go to Applications -> Applications
Select Create App Integration → OIDC - OpenID Connect → Web Application, then click Next
Fill in the suitable App integration name, upload the logo
Add Sign-in redirect URIs
https://<DNS_NAME>/login
https://<DNS_NAME>/api/auth/login/okta
Allow access to users through Assignments → Controlled Access
Select the groups of users, or allow access to everyone
Save and make a note of the Okta Client ID and the Client Secret (they are needed later in the config below)
From the left navigation menu, go to Security -> API
Make a note of the Issuer URI for the default Authorization Server
something like https://{your_domain}.okta.com/oauth2/default
Optional Step - Set up AWS RDS database
Select RDS
Choose Create Database
You can select “Easy Create” for “Amazon Aurora with MYSQL compatibility”
Make a note of the writer instance database endpoint, user and password (they are needed later in the config below)
As good practice, create a new user with read-write privileges instead of using the admin login.
Steps - EC2 Instance
Launch EC2 instance
Choose Ubuntu 20 (ubuntu-focal-20.04) AMI
Instance Type as t3.medium
Security group to allow inbound traffic from any source IP on
SSH (port 22)
HTTP (port 80)
HTTPS (port 443) and
Custom TCP ports 2502, 60002, 5000, 5002, 60001 (for STUN, Docker, Roost)
Root volume storage should be 20 GB or more
Preferred separate EBS volume of 100GB
Enable termination protection (Avoid Accidental Termination) and disable Delete on termination for the EBS volume
Add tags and key-pair and launch
Download the key-pair; change its permissions to 0400
Review the configuration and Launch Instance
Connect to the EC2 instance using SSH once it is running
Steps - Installing dependencies on EC2 Instance
Mount the EBS volume
Check the name of the 100GB disk: lsblk
Use the EBS disk name that is not mounted (nvme1n1 in the commands below):
sudo mkfs -t ext4 /dev/nvme1n1
sudo mkdir /var/tmp/Roost
sudo mount /dev/nvme1n1 /var/tmp/Roost
sudo chown `id -u`:`id -g` /var/tmp/Roost/
Steps - Install SSL Certs
Get the SSL_certs.key and SSL_certs.crt files for your organisation's domain and put them in a folder accessible to the current user, preferably /var/tmp/Roost/certs
It is possible to use a self-generated certificate (not recommended though)
You can generate a self-signed certificate using the commands given below
The root.cer will have to be installed as a trusted certificate authority on all Roost user systems. An article with the steps for every OS is linked here: Install the Certificate Authority
Instructions for generating the self-signed certs are given below.
if [ ! -d /var/tmp/Roost ]; then
  sudo mkdir /var/tmp/Roost
  sudo chown `id -u`:`id -g` /var/tmp/Roost/
fi
# create the certs folder inside /var/tmp/Roost and switch to it
mkdir -p /var/tmp/Roost/certs; cd /var/tmp/Roost/certs
curl -L https://remote-roostprod.s3.us-west-1.amazonaws.com/get-cert.sh -o get-cert.sh
chmod +x get-cert.sh
# Follow the instructions displayed after executing this script
./get-cert.sh
Update root.cnf and server.cnf to reflect your organisation name and the DNS entries
Run the openssl commands displayed in the output of get-cert.sh
Steps - Configure Roost Environment and Start Docker containers
cd /var/tmp/Roost
curl -L https://remote-roostprod.s3.us-west-1.amazonaws.com/roost-enterprise.sh -o roost-enterprise.sh
chmod +x roost-enterprise.sh
Download config.json
curl -L https://remote-roostprod.s3.us-west-1.amazonaws.com/main-config.json -o config.json
A sample config looks like the one below
Replace the values to reflect your organisation
Remove the client_id/secret pairs for the 3rd-party providers that are not needed
Remove the ENV_DATABASE details if the database is not external
Add a JWT_SECRET
{
  "enterprise_name": "MyCompany",
  "enterprise_logo": "https://mycompany.ai/logos/LOGO-mycompany.png",
  "enterprise_email_domain": "mycompany.io",
  "enterprise_dns": "mycompany.io",
  "admin_email": "admin@mycompany.io",
  "email_sender": "noreply@mycompany.io",
  "email_sender_pass": "",
  "enterprise_ssl_certificate_path": "/var/tmp/Roost/certs/server.cer",
  "enterprise_ssl_certificate_key_path": "/var/tmp/Roost/certs/server.key",
  "ENV_SERVER": {
    "DEFAULT_PORT": 3000,
    "JWT_SECRET": "32-character-secure-long-secret",
    "GOOGLE_CLIENT_ID": "",
    "GOOGLE_CLIENT_SECRET": "",
    "AZURE_CLIENT_ID": "",
    "AZURE_CLIENT_SECRET": "",
    "GITHUB_CLIENT_ID": "",
    "GITHUB_CLIENT_SECRET": "",
    "LINKEDIN_CLIENT_ID": "",
    "LINKEDIN_CLIENT_SECRET": ""
  },
  "is_own_sql": "true",
  "ENV_DATABASE": {
    "MYSQL_HOST": "database-1-instance-1.region.rds.amazonaws.com",
    "MYSQL_PORT": 3306,
    "MYSQL_USERNAME": "MyUser",
    "MYSQL_PASSWORD": "MyPassword",
    "MYSQL_ROOT_PASSWORD": "AdminPassword"
  }
}
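A preflight check for the edited config.json, added here as an example and not part of the Roost tooling: it enforces the instructions above (a JWT_SECRET of at least 32 characters that is not the sample value, provider client ID/secret pairs that are either both filled in or both removed, and ENV_DATABASE values that are not left at the sample placeholders); generate_jwt_secret is an assumed helper for producing a suitable secret.

```python
import json
import secrets

# Provider prefixes used by the ENV_SERVER block of config.json
PROVIDERS = ("GOOGLE", "AZURE", "GITHUB", "LINKEDIN")
DB_KEYS = ("MYSQL_HOST", "MYSQL_PORT", "MYSQL_USERNAME", "MYSQL_PASSWORD", "MYSQL_ROOT_PASSWORD")
# Values copied from the sample config; shipping any of them is a finding
SAMPLE_VALUES = {"32-character-secure-long-secret", "MyUser", "MyPassword", "AdminPassword"}


def generate_jwt_secret():
    """Random 32-character URL-safe string for JWT_SECRET (24 bytes -> 32 chars, no padding)."""
    return secrets.token_urlsafe(24)


def check_config(config):
    """Return a list of problems in a parsed config.json; an empty list means it passes."""
    problems = []
    server = config.get("ENV_SERVER", {})

    secret = server.get("JWT_SECRET", "")
    if len(secret) < 32 or secret in SAMPLE_VALUES:
        problems.append("JWT_SECRET: must be a random value of at least 32 characters")

    configured = 0
    for name in PROVIDERS:
        cid = server.get(f"{name}_CLIENT_ID")
        csec = server.get(f"{name}_CLIENT_SECRET")
        if cid is None and csec is None:
            continue  # provider removed entirely, as the guide recommends
        if cid and csec:
            configured += 1
        elif not cid and not csec:
            problems.append(f"{name}: unused provider keys left empty; remove them")
        else:
            problems.append(f"{name}: CLIENT_ID and CLIENT_SECRET must both be set")
    if configured == 0:
        problems.append("ENV_SERVER: no OAuth provider is configured, so nobody can log in")

    db = config.get("ENV_DATABASE")
    if db is not None:  # only present when an external (RDS) database is used
        for key in DB_KEYS:
            value = db.get(key)
            if value in (None, "") or value in SAMPLE_VALUES:
                problems.append(f"ENV_DATABASE.{key}: missing or still the sample value")
    return problems


def check_config_file(path):
    """Load config.json from disk and run the checks."""
    with open(path) as fh:
        return check_config(json.load(fh))
```

Run check_config_file("/var/tmp/Roost/config.json") before starting the containers; the unedited sample above fails every check by design.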
Starting the Roost.ai containers for the first time
cd /var/tmp/Roost
./roost-enterprise.sh -i all -c config.json
Setting up Roost Proxy Server
Setting up Roost Proxy for Web Console
Verifying the Roost.ai components
Connect to <public_ip>/login using a browser
Use the 3rd-party auth to sign in to the control-plane
Update the Roost.ai control-plane when there is a new Roost release
cd /var/tmp/Roost; chmod +x roost-enterprise.sh;
# assumption that the update is to a specific version
export WEB_VERSION=$react_app_tag DB_VERSION=$image_tag NESTJS_VERSION=$image_tag;
# skip the above, if idea is to update to latest image version
./roost-enterprise.sh -i upd-roostai -c config.json