Detailed Setup Instructions

Tom Anderson edited this page Sep 18, 2025 · 1 revision

Note

If creating a multipass instance, allocate at least 32Gb disk, 8Gb RAM, and 4 cores.

Clone repository

git clone git@github.com:canonical/identity-platform-admin-ui.git

Install dependencies

sudo snap install --classic go
sudo snap install --classic helm
sudo snap install --classic kubectl
sudo snap install --classic microk8s
sudo snap install --classic rockcraft
sudo snap install docker
sudo snap install yq
sudo apt install make

# Setup aliases
sudo snap alias rockcraft.skopeo skopeo

Note

Depending on how Docker is installed, additional steps may be required to get it working.

Note

Depending on how Go is installed, $PATH may need to be updated to include installed go binaries:

export PATH="$PATH:$HOME/go/bin"

fga CLI

Option 1: Snap (unofficial, easy)

sudo snap install --edge nsakkos-openfga-cli
sudo snap alias nsakkos-openfga-cli.fga fga

Option 2: From official release

# Look at openfga/cli repo to determine latest version and supported architectures.
VERSION='0.7.4'
ARCH='amd64'
curl -LO "https://github.com/openfga/cli/releases/download/v${VERSION}/fga_${VERSION}_linux_${ARCH}.deb"

sudo apt install "./fga_${VERSION}_linux_${ARCH}.deb"

skaffold

ARCH='amd64' # or 'arm64'
curl -Lo skaffold "https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-${ARCH}"
sudo install skaffold /usr/local/bin/

container-structure-test

ARCH='amd64' # or 'arm64'
curl -LO "https://github.com/GoogleContainerTools/container-structure-test/releases/latest/download/container-structure-test-linux-${ARCH}"
chmod +x "container-structure-test-linux-${ARCH}"
sudo mv "container-structure-test-linux-${ARCH}" /usr/local/bin/container-structure-test
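
The fga, skaffold and container-structure-test steps above install downloaded binaries as root without checking them against a published digest. The helpers below are an added example, not part of the original wiki or the project's tooling; `digest_for` and `install_verified` are hypothetical names, and the example assumes each release publishes a sha256sum-format checksum list, which is an assumption to confirm on the release page.

```shell
# Added example, not from the project. Function names are hypothetical.

# Print the digest recorded for NAME in a sha256sum-format list
# ("<hex>  <name>" or "<hex> *<name>"; names without spaces).
digest_for() {
  local list="$1" name="$2" digest
  digest=$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$list")
  [ -n "$digest" ] || { echo "no checksum entry for $name" >&2; return 1; }
  printf '%s\n' "$digest"
}

# Install FILE to DEST (mode 0755) only if its SHA-256 equals EXPECTED.
# Returns 2 on bad input, 1 on mismatch, 0 after a successful install.
install_verified() {
  local file="$1" expected dest="$3" actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # Reject anything that is not exactly 64 hex characters, such as an
  # HTML error page saved in place of the checksum.
  case "$expected" in
    *[!0-9a-f]* | '') echo "malformed digest" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file (got $actual)" >&2
    return 1
  fi
  install -m 0755 "$file" "$dest"
}

# Usage for the skaffold step (CHECKSUMS is a placeholder path to the
# checksum list saved from the release page):
#   sum=$(digest_for "$CHECKSUMS" "skaffold-linux-${ARCH}") &&
#     install_verified skaffold "$sum" ./skaffold.ok &&
#     sudo install ./skaffold.ok /usr/local/bin/skaffold
```

Pinning a specific release version instead of `latest` keeps the expected digest stable between runs.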

microk8s

Setup user groups

Note

This may not be required if microk8s has already been set up.

sudo usermod -a -G microk8s "$USER"
mkdir -p ~/.kube                   # In case directory doesn't exist
sudo chown -R "$USER" ~/.kube

# Login with new group, or reload shell
newgrp microk8s

Setup

# Allow microk8s to load
microk8s status --wait-ready

# Enable registry add-on
microk8s enable registry

# Export config so it can be used with regular `kubectl`
microk8s.kubectl config view --raw > ~/.kube/config

lxd

sudo lxd init --auto

Start platform

This will start all required pods, set up port forwarding, and run any required start-up jobs. It will take some time to start, so wait until it begins outputting HTTP logs from identity-platform-admin-ui.

make dev

Database setup

In a new terminal:

# Install `goose`, used for maintaining database migrations.
make install-goose

# Run database migrations.
make db

OIDC provider setup

Fetch an OAuth client ID and client secret (such as Canonical staging from Bitwarden), then open the configuration map for identity-platform-admin-ui.

kubectl edit cm identity-platform-admin-ui

Replace OAUTH2_CLIENT_ID with the client ID, and OAUTH2_CLIENT_SECRET with the client secret.

Access UI

The admin UI is exposed on port 80 of the identity-platform-admin-ui service. It can be forwarded to localhost:8000 with the following command (this may not be required if make dev is still running):

kubectl port-forward services/identity-platform-admin-ui 8000:80

The UI must be accessible at http://localhost:8000/ui, as it must match the pre-configured OAuth redirect URI. Visiting http://localhost:8000/ui should prompt for login with an external OAuth provider.

Note

If running within multipass, additional work will be required in order to access port 8000 of the instance on localhost of the host.

sudo ssh -i /var/snap/multipass/common/data/multipassd/ssh-keys/id_rsa -L 8000:localhost:8000 "ubuntu@${MULTIPASS_IP}"

Final setup

After initial login, additional configuration is required to ensure the user has correct permissions. This only needs to be done once.

Visit http://localhost:8000/api/v0/auth/me in the browser after logging into the UI, and note the email field in the response. This will be needed to grant your user full access to the platform.

Visit https://github.com/canonical/identity-platform-admin-ui/wiki/OpenFGA-setup#seeding and save the sample tuples into openfga-tuples.yaml.

# Email from `/api/v0/auth/me` response.
USER_EMAIL="[email protected]" 

# Forward openfga service to `localhost:8080`.
kubectl port-forward service/openfga 8080:8080 &

# Fetch store ID and model ID, preferring the most recent of each.
STORE_ID=$(fga store list | jq '.stores[-1].id' -r)
MODEL_ID=$(fga model list --store-id "$STORE_ID" | jq '.authorization_models[-1].id' -r)

# Write tuple to grant user superuser access.
fga tuple write --model-id "$MODEL_ID" --store-id "$STORE_ID" "user:${USER_EMAIL}" admin privileged:superuser

# Seed user tuples.
fga tuple write --model-id "$MODEL_ID" --store-id "$STORE_ID" --file openfga-tuples.yaml

# Terminate port forward process.
kill %-