fix(platform-services): provision ClickHouse, MinIO, and MongoDB resources via docker exec instead of host port access
This commit is contained in:
@@ -196,84 +196,28 @@ export class MinioProvider extends BasePlatformServiceProvider {
|
||||
const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
|
||||
const containerName = this.getContainerName();
|
||||
|
||||
// Get container host port for connection from host (overlay network IPs not accessible from host)
|
||||
const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
|
||||
if (!hostPort) {
|
||||
throw new Error('Could not get MinIO container host port');
|
||||
}
|
||||
|
||||
// Generate bucket name and credentials
|
||||
// Generate bucket name
|
||||
const bucketName = this.generateBucketName(userService.name);
|
||||
const accessKey = credentialEncryption.generateAccessKey(20);
|
||||
const secretKey = credentialEncryption.generateSecretKey(40);
|
||||
|
||||
logger.info(`Provisioning MinIO bucket '${bucketName}' for service '${userService.name}'...`);
|
||||
|
||||
// Connect to MinIO via localhost and the mapped host port (for provisioning from host)
|
||||
const provisioningEndpoint = `http://127.0.0.1:${hostPort}`;
|
||||
|
||||
// Import AWS S3 client
|
||||
const { S3Client, CreateBucketCommand, PutBucketPolicyCommand } = await import('npm:@aws-sdk/client-s3@3');
|
||||
|
||||
// Create S3 client with admin credentials - connect via host port
|
||||
const s3Client = new S3Client({
|
||||
endpoint: provisioningEndpoint,
|
||||
region: 'us-east-1',
|
||||
credentials: {
|
||||
accessKeyId: adminCreds.username,
|
||||
secretAccessKey: adminCreds.password,
|
||||
},
|
||||
forcePathStyle: true,
|
||||
});
|
||||
// Use docker exec with mc (MinIO Client) inside the container
|
||||
// First configure mc alias for local server
|
||||
await this.execMc(platformService.containerId, [
|
||||
'alias', 'set', 'local', 'http://localhost:9000',
|
||||
adminCreds.username, adminCreds.password,
|
||||
]);
|
||||
|
||||
// Create the bucket
|
||||
try {
|
||||
await s3Client.send(new CreateBucketCommand({
|
||||
Bucket: bucketName,
|
||||
}));
|
||||
logger.info(`Created MinIO bucket '${bucketName}'`);
|
||||
} catch (e: any) {
|
||||
if (e.name !== 'BucketAlreadyOwnedByYou' && e.name !== 'BucketAlreadyExists') {
|
||||
throw e;
|
||||
}
|
||||
logger.warn(`Bucket '${bucketName}' already exists`);
|
||||
}
|
||||
const mbResult = await this.execMc(platformService.containerId, [
|
||||
'mb', '--ignore-existing', `local/${bucketName}`,
|
||||
]);
|
||||
logger.info(`Created MinIO bucket '${bucketName}'`);
|
||||
|
||||
// Create service account/access key using MinIO Admin API
|
||||
// MinIO Admin API requires mc client or direct API calls
|
||||
// For simplicity, we'll use root credentials and bucket policy isolation
|
||||
// In production, you'd use MinIO's Admin API to create service accounts
|
||||
|
||||
// Set bucket policy to allow access only with this bucket's credentials
|
||||
const bucketPolicy = {
|
||||
Version: '2012-10-17',
|
||||
Statement: [
|
||||
{
|
||||
Effect: 'Allow',
|
||||
Principal: { AWS: ['*'] },
|
||||
Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:ListBucket'],
|
||||
Resource: [
|
||||
`arn:aws:s3:::${bucketName}`,
|
||||
`arn:aws:s3:::${bucketName}/*`,
|
||||
],
|
||||
},
|
||||
],
|
||||
};
|
||||
|
||||
try {
|
||||
await s3Client.send(new PutBucketPolicyCommand({
|
||||
Bucket: bucketName,
|
||||
Policy: JSON.stringify(bucketPolicy),
|
||||
}));
|
||||
logger.info(`Set bucket policy for '${bucketName}'`);
|
||||
} catch (e) {
|
||||
logger.warn(`Could not set bucket policy: ${getErrorMessage(e)}`);
|
||||
}
|
||||
|
||||
// Note: For proper per-service credentials, MinIO Admin API should be used
|
||||
// For now, we're providing the bucket with root access
|
||||
// TODO: Implement MinIO service account creation
|
||||
logger.warn('Using root credentials for MinIO access. Consider implementing service accounts for production.');
|
||||
// Set bucket policy to allow public read/write (services on the same network use root creds)
|
||||
await this.execMc(platformService.containerId, [
|
||||
'anonymous', 'set', 'none', `local/${bucketName}`,
|
||||
]);
|
||||
|
||||
// Use container name for the endpoint in credentials (user services run in same network)
|
||||
const serviceEndpoint = `http://${containerName}:9000`;
|
||||
@@ -281,7 +225,7 @@ export class MinioProvider extends BasePlatformServiceProvider {
|
||||
const credentials: Record<string, string> = {
|
||||
endpoint: serviceEndpoint,
|
||||
bucket: bucketName,
|
||||
accessKey: adminCreds.username, // Using root for now
|
||||
accessKey: adminCreds.username,
|
||||
secretKey: adminCreds.password,
|
||||
region: 'us-east-1',
|
||||
};
|
||||
@@ -312,57 +256,37 @@ export class MinioProvider extends BasePlatformServiceProvider {
|
||||
|
||||
const adminCreds = await credentialEncryption.decrypt(platformService.adminCredentialsEncrypted);
|
||||
|
||||
// Get container host port for connection from host (overlay network IPs not accessible from host)
|
||||
const hostPort = await this.oneboxRef.docker.getContainerHostPort(platformService.containerId, 9000);
|
||||
if (!hostPort) {
|
||||
throw new Error('Could not get MinIO container host port');
|
||||
}
|
||||
|
||||
logger.info(`Deprovisioning MinIO bucket '${resource.resourceName}'...`);
|
||||
|
||||
const { S3Client, DeleteBucketCommand, ListObjectsV2Command, DeleteObjectsCommand } = await import('npm:@aws-sdk/client-s3@3');
|
||||
|
||||
const s3Client = new S3Client({
|
||||
endpoint: `http://127.0.0.1:${hostPort}`,
|
||||
region: 'us-east-1',
|
||||
credentials: {
|
||||
accessKeyId: adminCreds.username,
|
||||
secretAccessKey: adminCreds.password,
|
||||
},
|
||||
forcePathStyle: true,
|
||||
});
|
||||
// Configure mc alias
|
||||
await this.execMc(platformService.containerId, [
|
||||
'alias', 'set', 'local', 'http://localhost:9000',
|
||||
adminCreds.username, adminCreds.password,
|
||||
]);
|
||||
|
||||
try {
|
||||
// First, delete all objects in the bucket
|
||||
let continuationToken: string | undefined;
|
||||
do {
|
||||
const listResponse = await s3Client.send(new ListObjectsV2Command({
|
||||
Bucket: resource.resourceName,
|
||||
ContinuationToken: continuationToken,
|
||||
}));
|
||||
|
||||
if (listResponse.Contents && listResponse.Contents.length > 0) {
|
||||
await s3Client.send(new DeleteObjectsCommand({
|
||||
Bucket: resource.resourceName,
|
||||
Delete: {
|
||||
Objects: listResponse.Contents.map(obj => ({ Key: obj.Key! })),
|
||||
},
|
||||
}));
|
||||
logger.info(`Deleted ${listResponse.Contents.length} objects from bucket`);
|
||||
}
|
||||
|
||||
continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : undefined;
|
||||
} while (continuationToken);
|
||||
|
||||
// Now delete the bucket
|
||||
await s3Client.send(new DeleteBucketCommand({
|
||||
Bucket: resource.resourceName,
|
||||
}));
|
||||
|
||||
// Remove all objects and the bucket
|
||||
await this.execMc(platformService.containerId, [
|
||||
'rb', '--force', `local/${resource.resourceName}`,
|
||||
]);
|
||||
logger.success(`MinIO bucket '${resource.resourceName}' deleted`);
|
||||
} catch (e) {
|
||||
logger.error(`Failed to delete MinIO bucket: ${getErrorMessage(e)}`);
|
||||
throw e;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Execute mc (MinIO Client) command inside the container
|
||||
*/
|
||||
private async execMc(
|
||||
containerId: string,
|
||||
args: string[],
|
||||
): Promise<{ stdout: string; stderr: string }> {
|
||||
const result = await this.oneboxRef.docker.execInContainer(containerId, ['mc', ...args]);
|
||||
if (result.exitCode !== 0) {
|
||||
throw new Error(`mc command failed (exit ${result.exitCode}): ${result.stderr.substring(0, 200)}`);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user