
feat(iframe): add -fe service separation for iframe proxy URLs #145

Open
dogfootman wants to merge 14 commits into m-cmp:main from MZC-CSC:feat/iframe-fe-services

Conversation


@dogfootman dogfootman commented May 20, 2026

Summary

  • Fixes the issue where the services accessed via iframe (workflows, datamigrations, swcatalogs) have URLs that are internal Docker hostnames, so the iframe renders as a blank screen in an external browser
  • Applies the mc-cost-optimizer-fe pattern identically to the 3 services, separating the API-call service and the iframe-call service with a -fe suffix
  • Switches the Docker images from csescsta/edge to the cloudbaristaorg official releases

Changes

| File | Description |
|---|---|
| conf/api.yaml | Add mc-cost-optimizer-fe, mc-workflow-manager-fe, mc-data-manager-fe, mc-application-manager-fe service entries |
| conf/docker/conf/mc-web-console/api/conf/api.yaml | Add same -fe service entries |
| conf/docker/conf/mc-iam-manager/nginx.template.conf | Add 3 HTTPS reverse proxy server blocks (ports 18183 / 3400 / 18184) |
| conf/docker/docker-compose.yaml | Add 3 port bindings and 2 network connections to mc-iam-manager-nginx; update images to cloudbaristaorg releases |
| conf/docker/conf/mc-iam-manager/.env.setup | Add MC_WORKFLOW_MANAGER_PROXY_PORT, MC_DATA_MANAGER_PROXY_PORT, MC_APPLICATION_MANAGER_PROXY_PORT |
| conf/docker/conf/mc-iam-manager/0_preset_dev.sh, 0_preset_prod.sh | Add sed substitution for new port variables |
| conf/docker/conf/mc-iam-manager/1_setup_auto.sh | Extend update_public_service_urls() to POST-register and PUT-update -fe services with external HTTPS URLs |
| bin/installAll.sh | Restore container-volume ownership after certbot cert generation |

How it works

Each iframe service is split into two entries:

  • mc-workflow-manager — internal API calls (http://mc-workflow-manager:18083)
  • mc-workflow-manager-fe — iframe src, updated to external HTTPS proxy URL (https://<domain>:18183)

nginx proxies HTTPS on the new ports to the internal service, with Content-Security-Policy: frame-ancestors set to allow embedding.

raccoon-mh and others added 11 commits May 17, 2026 04:21
- nginx.template.conf: replace X-Frame-Options SAMEORIGIN with
  Content-Security-Policy frame-ancestors on :7781 proxy block;
  add dedicated HTTPS server blocks for mc-cost-optimizer-be (:9090)
  and mc-cost-optimizer-alarm-service (:9000)
- docker-compose.yaml: bind :9090/:9000 on mc-iam-manager-nginx;
  remove host port bindings from mc-cost-optimizer-be and alarm-service
- 1_setup_auto.sh: add update_public_service_urls() to overwrite
  mc-cost-optimizer-fe base_url in DB with the public HTTPS proxy URL
- 0_preset_prod.sh / 0_preset_dev.sh: substitute
  MC_COST_OPTIMIZER_BE_PORT and MC_COST_OPTIMIZER_ALARM_PORT into
  generated nginx.conf
- .env.setup / .env: add MC_COST_OPTIMIZER_FE_PROXY_PORT=7781;
  replace real domain with placeholder in .env
- README / README_kr: document :9090/:9000 proxy check commands,
  Known Issues section for FE JS bundle in-place patch, HSTS note
fix(nginx): add HTTPS proxy for cost-optimizer and fix iframe rendering
- conf/docker/scripts/certbot-deploy-hook.sh: new deploy hook that runs
  `docker exec mc-iam-manager-nginx nginx -s reload` after each renewal
  so the new certificate is applied without container restart
- README / README_kr: add "TLS Certificate Auto-Renewal (Mode B)" section
  documenting the one-time webroot migration command, deploy hook
  installation, and dry-run verification step

Background: the default standalone authenticator requires port 80 to be
free, but mc-iam-manager-nginx holds :80 permanently. Auto-renewal would
fail silently every run. nginx already serves /.well-known/acme-challenge/
via the certbot/www volume, so webroot renewal works without stopping nginx.
fix(certbot): switch to webroot authenticator and add nginx reload hook
When the Keycloak realm Frontend URL was not set, the token's iss claim was
issued with the internal hostname (mc-iam-manager-kc:8080), so when accessing
via the external domain the kc_id lookup failed and workspace/project queries
returned an empty array. Fixed by updating the realm frontendUrl to
MC_IAM_MANAGER_PUBLIC_HOST when configure_keycloak_client_uris runs, so that
the correct iss claim is issued.
fix(keycloak): set realm frontendUrl in configure_keycloak_client_uris
Clearly guide the three scenarios when entering the domain in dev mode:
- Local PC: press Enter to use the mciam.local default (automatically added to /etc/hosts)
- Remote VM: enter the VM's public IP (self-signed certificate includes the IP SAN)
- If you own a domain: use prod mode (Let's Encrypt)

The usage help message and Examples are updated the same way
docs(installAll): clarify domain/IP input guide for local and remote VM
Fixes the issue where services accessed via iframe in the browser (workflows,
datamigrations, swcatalogs) are displayed as a blank screen because of internal
Docker hostname URLs. Applies the mc-cost-optimizer-fe pattern identically to
the 3 services.

- conf/api.yaml: add mc-cost-optimizer-fe, mc-workflow-manager-fe,
  mc-data-manager-fe, mc-application-manager-fe service entries
- conf/docker/conf/mc-web-console/api/conf/api.yaml: add the same -fe services
- conf/docker/conf/mc-iam-manager/nginx.template.conf: add 3 HTTPS proxy
  server blocks (ports 18183, 3400, 18184)
- conf/docker/docker-compose.yaml: add 3 port bindings to mc-iam-manager-nginx
  and connect mc-workflow-manager-network and mc-data-manager-network
- conf/docker/conf/mc-iam-manager/.env.setup: add 3 PROXY_PORT variables
- conf/docker/conf/mc-iam-manager/0_preset_dev.sh, 0_preset_prod.sh:
  add sed substitution for the new port variables
- conf/docker/conf/mc-iam-manager/1_setup_auto.sh:
  add POST registration of -fe services + PUT external URL update in update_public_service_urls()
  (original services keep their internal URLs; only -fe services are set to the external HTTPS URL)
- bin/installAll.sh: restore container-volume ownership after certbot certificate generation
…aristaorg releases

Replace the csescsta/edge images with the cloudbaristaorg official releases
- csescsta/mc-iam-manager:edge → cloudbaristaorg/mc-iam-manager:0.5.2
- csescsta/mc-web-console-api:edge → cloudbaristaorg/mc-web-console-api:0.5.4
- csescsta/mc-web-console-front:edge → cloudbaristaorg/mc-web-console-front:0.5.3
…rvices

# Conflicts:
#	conf/docker/conf/mc-iam-manager/.env.setup
#	conf/docker/conf/mc-iam-manager/0_preset_dev.sh
#	conf/docker/conf/mc-iam-manager/0_preset_prod.sh
#	conf/docker/conf/mc-iam-manager/1_setup_auto.sh
#	conf/docker/conf/mc-iam-manager/nginx.template.conf
#	conf/docker/docker-compose.yaml
sed -i "s/\${MC_APPLICATION_MANAGER_PROXY_PORT}/$MC_APPLICATION_MANAGER_PROXY_PORT/g" "$OUTPUT_FILE"
echo "✓ MC_APPLICATION_MANAGER_PROXY_PORT 대치 완료: $MC_APPLICATION_MANAGER_PROXY_PORT"
else
echo "경고: MC_APPLICATION_MANAGER_PROXY_PORT 환경변수가 설정되지 않았습니다."
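Review bot: the sed line splices $MC_APPLICATION_MANAGER_PROXY_PORT into the replacement side unescaped and unvalidated, so a value containing `/` or `&` would break or alter the expression, and a non-numeric value would still be written into the generated file; validate before substituting, e.g. `case "$MC_APPLICATION_MANAGER_PROXY_PORT" in ''|*[!0-9]*) echo "invalid port"; exit 1 ;; esac`. The `else` branch only prints a warning and continues, leaving the literal `${MC_APPLICATION_MANAGER_PROXY_PORT}` placeholder in "$OUTPUT_FILE", which will surface later as an nginx start failure rather than here; exiting non-zero would be clearer. The echo messages are also in Korean while the rest of the script text is English.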

FYI
As a rule, there is a policy that only English is used inside source code.
It looks like a full update will be needed in the future.

…refix

ADMINCLI-TECH-002: add mc-workflow-manager-fe, mc-data-manager-fe,
mc-application-manager-fe, mc-cost-optimizer-fe service entries to api.yaml.
Add WORKFLOW/DATA/APPLICATION PROXY_PORT + PUBLIC_HOST variables to
.env.setup and conf/mc-iam-manager/.env*. Replace the 3 inline URLs in
1_setup_auto.sh with ${MC_*_PUBLIC_HOST} variable references.

ADMINCLI-TECH-001: unify the variable names in conf/docker/.env.setup,
conf/mc-iam-manager/.env*, conf/mc-data-manager/.env and
conf/mc-web-console/.env under the MC_<FRAMEWORK>_* prefix rule.
- USE_TICKET_VALID, PREDEFINED_*ROLE, DEFAULT_WORKSPACE_NAME,
  AWS_ACCOUNT_ID, IDENTITY_*_ARN_AWS, CSP_ROLE_PREFIX →
  given the MC_IAM_MANAGER_* prefix
- MCINFRAMANAGER → MC_INFRA_MANAGER_TUMBLEBUG_URL (2 legacy variables removed)
- MCADMINCLI_APIYAML → MC_ADMIN_CLI_APIYAML
- CONSOLE_POSTGRES_* → MC_WEB_CONSOLE_POSTGRES_*
- USER_NAME/GROUP_NAME/ENCODING_SECRET_KEY → MC_DATA_MANAGER_* prefix
- Clean up the duplicate MC_IAM_MANAGER_PORT line and the
  MC_IAM_MANAGER_KEYCLOAK_DB_DATABASE_NAME dead var
Add sync_missing_env_vars() to installAll.sh so that variables present
in .env.setup but absent from an existing .env are appended automatically.
This prevents docker compose failures (no port specified: :<empty>) when
MC_WORKFLOW_MANAGER_PROXY_PORT, MC_DATA_MANAGER_PROXY_PORT, or
MC_APPLICATION_MANAGER_PROXY_PORT are missing from a stale .env file.

- Append-only: never overwrites existing user-set values
- Idempotent: safe to run multiple times
- Applies to both conf/docker/.env and conf/mc-iam-manager/.env
MCADMINCLI_APIYAML -> MC_ADMIN_CLI_APIYAML in 1_setup_auto.sh and
1_setup_manual.sh to match the variable name defined in .env.
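The append-only, idempotent .env sync described in the sync_missing_env_vars() commit message above, as an added shell example that is not the project's own installAll.sh. The function's interface (two file paths, prints the number of lines added) and the sample file contents are assumptions constructed for the demo; the three PROXY_PORT names are the ones the commit message names.

```shell
# sync_missing_env_vars SETUP_FILE ENV_FILE
# Appends each KEY=VALUE line of SETUP_FILE whose KEY is not yet defined in
# ENV_FILE. Lines already in ENV_FILE are never rewritten (append-only), and
# a second run adds nothing (idempotent). Prints the number of lines added.
sync_missing_env_vars() {
  setup="$1"
  envfile="$2"
  added=0
  [ -f "$envfile" ] || : > "$envfile"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac            # skip blanks and comments
    key="${line%%=*}"
    case "$key" in ''|*[!A-Za-z0-9_]*) continue ;; esac  # only well-formed names
    if ! grep -q "^${key}=" "$envfile"; then
      printf '%s\n' "$line" >> "$envfile"
      added=$((added + 1))
    fi
  done < "$setup"
  echo "$added"
}

# demo_sync: constructed sample files (assumption, not the real .env.setup)
# standing in for a fresh .env.setup and a stale .env that lacks the three
# PROXY_PORT variables. Prints: <added on run 1> <added on run 2> <MC_ lines> <kept line>
demo_sync() {
  dir=$(mktemp -d)
  cat > "$dir/.env.setup" <<'EOF'
# constructed sample, not the project's real .env.setup
MC_IAM_MANAGER_PORT=5000
MC_WORKFLOW_MANAGER_PROXY_PORT=18183
MC_DATA_MANAGER_PROXY_PORT=3400
MC_APPLICATION_MANAGER_PROXY_PORT=18184
EOF
  # the user already customised one value: the sync must leave it untouched
  printf 'MC_IAM_MANAGER_PORT=5999\n' > "$dir/.env"
  first=$(sync_missing_env_vars "$dir/.env.setup" "$dir/.env")
  second=$(sync_missing_env_vars "$dir/.env.setup" "$dir/.env")
  echo "$first $second $(grep -c '^MC_' "$dir/.env") $(grep '^MC_IAM_MANAGER_PORT=' "$dir/.env")"
  rm -rf "$dir"
}
```

Running `demo_sync` shows 3 lines added on the first pass, 0 on the second, and the user's MC_IAM_MANAGER_PORT=5999 preserved.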
