Jeffrey Craig
04/04/2023, 3:05 AM
Robert Moucha
04/04/2023, 10:04 AM
Jeffrey Craig
04/04/2023, 12:43 PM
Robert Moucha
04/04/2023, 1:17 PM
Robert Moucha
04/04/2023, 1:22 PM
docker run command line). There's an environment variable GDCN_PUBLIC_URL that is responsible for setting the external URL (where users will be connecting to).
Jeffrey Craig
04/04/2023, 1:53 PM
Robert Moucha
04/04/2023, 2:02 PM
docker run command but not in docker start.
It might be possible to stop and delete the old container, and run a new one with that updated env. If you have data stored on a docker volume, this volume can be preserved and mounted to the freshly started container.
But I recommend creating a dump of the whole organization layout first as a backup.
One more thing to consider - even if you change the hostname by the steps described above, the UI authentication won't work because redirect_url will not change. This limitation applies only if you use the built-in OIDC provider (Dex). If you use an external OIDC service, simply update redirect_url to match your new hostname in your Identity Provider client configuration.
Jeffrey Craig
04/04/2023, 5:37 PM
Robert Moucha
04/05/2023, 8:40 AM
-e GDCN_DISABLE_DEMO_USER=0)
My proposal on how to migrate to a new hostname and set up OIDC follows:
1. Export the full organization layout from the existing container (GET /api/v1/layout/organization). DataSource credentials will NOT be exported, so DB passwords need to be added to the exported JSON file. User logins and passwords from the internal OIDC will not be exported either, but you don't need them, because you will use external OIDC anyway.
2. Stop the old container. I assume you have data stored in a docker volume. To play it safe, keep this volume until the final deployment works as expected.
3. Run a new container with a new empty volume and all the env vars suggested above, including -e GDCN_PUBLIC_URL=https://analytics.novelcx.com (this is the hostname that resolves to your SSL-terminating proxy or load balancer, which sends traffic to your EC2 instance with GoodData).
4. Using the bootstrap token, upload the Organization layout with data source passwords (PUT /api/v1/layout/organization). Since the organization still has internal OIDC set up, UI logins won't work at this moment.
5. Using the bootstrap token, update the Organization to use external OIDC (PUT /api/v1/entities/admin/organizations/default).
6. Create user mappings (or you may also update the existing ones) so they will have proper authenticationId attributes corresponding to your sub claim provided by your external OIDC - as described in docs.
(Steps 5 and 6 may be done at once, if you prefill the organization layout JSON file with properly configured users.)
Rollback: If everything goes south, delete the new container and start the old one with the old preserved volume.
Robert Moucha
04/05/2023, 8:42 AM
curl and a plain text editor will work as well.