netbird/management/README.md
Maycon Santos fd7282d3cf
Link account id with the external user store (#184)
* get account id from access token claim

* use GetOrCreateAccountByUser and add test

* correct account id claim

* remove unused account

* Idp manager interface

* auth0 idp manager

* use if instead of switch case

* remove unnecessary lock

* NewAuth0Manager

* move idpmanager to its own package

* update metadata when accountId is not supplied

* update tests with idpmanager field

* format

* new idp manager and config support

* validate if we fetch the interface before converting to string

* split getJWTToken

* improve tests

* proper json fields and handle defer body close

* fix ci lint notes

* documentation and proper defer position

* UpdateUserAppMetadata tests

* update documentation

* ManagerCredentials interface

* Marshal and Unmarshal functions

* fix tests

* ManagerHelper and ManagerHTTPClient

* further tests with mocking

* rename package and custom http client

* sync local packages

* remove idp suffix
2022-01-24 11:21:30 +01:00

114 lines
4.6 KiB
Markdown

# Wiretrustee Management Server
Wiretrustee management server will control and synchronize peers configuration within your wiretrustee account and network.
## Command Options
The CLI accepts the command **management** with the following options:
```shell
start Wiretrustee Management Server
Usage:
wiretrustee-mgmt management [flags]
Flags:
--datadir string server data directory location (default "/var/lib/wiretrustee/")
-h, --help help for management
--letsencrypt-domain string a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS
--port int server port to listen on (default 33073)
--cert-file string Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect
--cert-key string Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect
Global Flags:
--config string Wiretrustee config file location to write new config to (default "/etc/wiretrustee/config.json")
--log-level string (default "info")
--log-file string sets Wiretrustee log path. If console is specified the the log will be output to stdout (default "/var/log/wiretrustee/management.log")
```
## Run Management service (Docker)
You can run service in 2 modes - with TLS or without (not recommended).
### Run with TLS (Let's Encrypt).
By specifying the **--letsencrypt-domain** the daemon will handle SSL certificate request and configuration.
In the following example ```33073``` is the management service **default** port, and ```443``` will be used as port for Let's Encrypt challenge and HTTP API.
> The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge).
Replace <YOUR-DOMAIN> with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com).
```bash
# create a volume
docker volume create wiretrustee-mgmt
# run the docker container
docker run -d --name wiretrustee-management \
-p 33073:33073 \
-p 443:443 \
-v wiretrustee-mgmt:/var/lib/wiretrustee \
-v ./config.json:/etc/wiretrustee/config.json \
wiretrustee/management:latest \
--letsencrypt-domain <YOUR-DOMAIN>
```
> An example of config.json can be found here [management.json](../infrastructure_files/management.json.tmpl)
Trigger Let's encrypt certificate generation:
```bash
curl https://<YOUR-DOMAIN>
```
The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```) inside the container.
Make sure that the ```datadir``` is mapped to some folder on a host machine. In case you used the volume command, you can run the following to retrieve the Mountpoint:
```shell
docker volume inspect wiretrustee-mgmt
[
{
"CreatedAt": "2021-07-25T20:45:28Z",
"Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/mgmt/_data",
"Name": "wiretrustee-mgmt",
"Options": {},
"Scope": "local"
}
]
```
Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the ```curl``` command on every restart.
### Run without TLS.
```bash
# create a volume
docker volume create wiretrustee-mgmt
# run the docker container
docker run -d --name wiretrustee-management \
-p 33073:33073 \
-v wiretrustee-mgmt:/var/lib/wiretrustee \
-v ./config.json:/etc/wiretrustee/config.json \
wiretrustee/management:latest
```
### Debug tag
We also publish a docker image with the debug tag which has the log-level set to default, plus it uses the ```gcr.io/distroless/base:debug``` image that can be used with docker exec in order to run some commands in the Management container.
```shell
shell $ docker run -d --name wiretrustee-management-debug \
-p 33073:33073 \
-v wiretrustee-mgmt:/var/lib/wiretrustee \
-v ./config.json:/etc/wiretrustee/config.json \
wiretrustee/management:debug-latest
shell $ docker exec -ti wiretrustee-management-debug /bin/sh
container-shell $
```
## For development purposes:
Install golang gRpc tools:
```bash
#!/bin/bash
go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
```
Generate gRpc code:
```bash
#!/bin/bash
protoc -I proto/ proto/management.proto --go_out=. --go-grpc_out=.
```