# Nacos Installation and SSO Integration Guide

- Nacos version `2.1.1`
- JDK version `1.8.0_431`
- Node version `v16.20.2`
- [Attachment package](../材料/nacos.zip)

## Building Nacos

### Getting the Nacos Source

#### Getting the code

```shell
#- enter the working directory
cd /usr/local/nacos
#- clone the code
git clone https://github.com/alibaba/nacos.git
#- enter the cloned repository
cd nacos
#- create a new branch from the 2.1.1 tag
git checkout -b feat/add-oidc-auth 2.1.1
```

### Adding the SSO Feature

#### Extracting the attachment package

- Extract the attachment package into the /usr/local/nacos folder

```shell
cd /usr/local/nacos
unzip nacos.zip
```

#### Front-end changes

```shell
cp /usr/local/nacos/Login.jsx /usr/local/nacos/nacos/console-ui/src/pages/Login/Login.jsx
cp /usr/local/nacos/index.scss /usr/local/nacos/nacos/console-ui/src/pages/Login/index.scss
```

#### Back-end changes

```shell
mkdir /usr/local/nacos/nacos/plugin-default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/oidc
cp /usr/local/nacos/OidcAuthController.java /usr/local/nacos/nacos/plugin-default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/oidc/OidcAuthController.java
cp /usr/local/nacos/OidcService.java /usr/local/nacos/nacos/plugin-default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/oidc/OidcService.java
cp /usr/local/nacos/OidcUtil.java /usr/local/nacos/nacos/plugin-default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/oidc/OidcUtil.java
```

#### Front-end build

```shell
#- enter the directory
cd /usr/local/nacos/nacos/console-ui
#- install dependencies
npm install --registry https://registry.npmmirror.com
#- build the project
npm run build --registry https://registry.npmmirror.com
```

- After `npm run build` succeeds, it automatically copies the relevant files from the dist folder into the corresponding project directory

#### Server build

```shell
#- enter the directory
cd /usr/local/nacos/nacos
#- package
mvn -Prelease-nacos -Dmaven.test.skip=true clean install -U
```

#### Retrieving the packaged server

```shell
cp /usr/local/nacos/nacos/distribution/target/nacos-server-2.1.1.tar.gz /usr/local/nacos
```

## Building the Image

### Getting the Aliyun mirror repo file

- Use the `Centos-7.repo` from the attachment package
- Or run the following command to fetch it

```shell
wget -O /usr/local/nacos/Centos-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
```

### Creating the Dockerfile

- `vi /usr/local/nacos/Dockerfile`

```dockerfile
FROM centos:7.9.2009
MAINTAINER pader "test@test.com"
#- set environment
ENV MODE="cluster" \
    PREFER_HOST_MODE="ip" \
    BASE_DIR="/home/nacos" \
    CLASSPATH=".:/home/nacos/conf:$CLASSPATH" \
    CLUSTER_CONF="/home/nacos/conf/cluster.conf" \
    FUNCTION_MODE="all" \
    JAVA_HOME="/usr/lib/jvm/java-1.8.0-openjdk" \
    NACOS_USER="nacos" \
    JAVA="/usr/lib/jvm/java-1.8.0-openjdk/bin/java" \
    JVM_XMS="1g" \
    JVM_XMX="1g" \
    JVM_XMN="512m" \
    JVM_MS="128m" \
    JVM_MMS="320m" \
    NACOS_DEBUG="n" \
    TOMCAT_ACCESSLOG_ENABLED="false" \
    TIME_ZONE="Asia/Shanghai"
ARG NACOS_VERSION=2.1.1
ARG HOT_FIX_FLAG=""
WORKDIR $BASE_DIR
COPY ./Centos-7.repo /etc/yum.repos.d/CentOS-Base.repo
RUN set -x \
    && yum update -y \
    && yum install -y java-1.8.0-openjdk java-1.8.0-openjdk-devel wget iputils nc vim libcurl
#- RUN wget https://github.com/alibaba/nacos/releases/download/${NACOS_VERSION}${HOT_FIX_FLAG}/nacos-server-${NACOS_VERSION}.tar.gz -P /home
COPY ./nacos-server-${NACOS_VERSION}.tar.gz /home/
RUN tar -xzvf /home/nacos-server-${NACOS_VERSION}.tar.gz -C /home \
    && rm -rf /home/nacos-server-${NACOS_VERSION}.tar.gz /home/nacos/bin/* /home/nacos/conf/*.properties /home/nacos/conf/*.example /home/nacos/conf/nacos-mysql.sql
RUN yum autoremove -y wget \
    && ln -snf /usr/share/zoneinfo/$TIME_ZONE /etc/localtime && echo $TIME_ZONE > /etc/timezone \
    && yum clean all
ADD bin/docker-startup.sh bin/docker-startup.sh
ADD conf/application.properties conf/application.properties
#- set startup log dir
RUN mkdir -p logs \
    && cd logs \
    && touch start.out \
    && ln -sf /dev/stdout start.out \
    && ln -sf /dev/stderr start.out
RUN chmod +x bin/docker-startup.sh
EXPOSE 8848
ENTRYPOINT ["bin/docker-startup.sh"]
```

### Building the Image

#### Adding the startup script

```shell
#- create the folders
mkdir /usr/local/nacos/bin
mkdir /usr/local/nacos/conf
cp /usr/local/nacos/docker-startup.sh /usr/local/nacos/bin/docker-startup.sh
cp /usr/local/nacos/application.properties /usr/local/nacos/conf/application.properties
```

#### Build

```shell
#- enter the working directory
cd /usr/local/nacos
#- build the image
docker build -f Dockerfile -t nacos/nacos-server:v2.1.1 .
```

## Starting the Service

### Creating the Docker Compose file

- `vi /usr/local/nacos/docker-compose.yaml`

```yaml
version: "3.6"
services:
  nacos:
    image: nacos/nacos-server:v2.1.1
    container_name: nacos-standalone
    environment:
      - PREFER_HOST_MODE=hostname
      - MODE=standalone
      - NACOS_AUTH_IDENTITY_KEY=serverIdentity
      - NACOS_AUTH_IDENTITY_VALUE=security
      - NACOS_AUTH_TOKEN=SecretKey012345678901234567890123456789012345678901234567890123456789
    volumes:
      - ./standalone-logs/:/home/nacos/logs
      - ./init.d/application.properties:/home/nacos/conf/application.properties
    ports:
      - "8848:8848"
      - "9848:9848"
```

- The `NACOS_AUTH_IDENTITY_*` and `NACOS_AUTH_TOKEN` values above are the placeholders from the Nacos quick-start compose file; `NACOS_AUTH_TOKEN` is the key that signs console tokens, so set your own values before exposing the console

### Starting the service

```shell
docker compose -f /usr/local/nacos/docker-compose.yaml up -d
```

### Configuring OIDC

- `vi /usr/local/nacos/init.d/application.properties`
- Append the following at the end

```properties
#*************** OIDC Related Configurations ***************#
### OpenID provider keys; a comma-separated list is supported
nacos.core.auth.oidc-idp=keycloak
### display name of the provider, shown on the login page
nacos.core.auth.oidc-idp.keycloak.name=企业微信
### the provider URL used to start the authentication (authorization endpoint)
nacos.core.auth.oidc-idp.keycloak.auth-url=http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/auth
### the provider URL used to obtain the access token (token endpoint)
nacos.core.auth.oidc-idp.keycloak.exchange-token-url=http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/token
### the provider URL used to fetch the user information (userinfo endpoint)
nacos.core.auth.oidc-idp.keycloak.userinfo-url=http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/userinfo
### the client_id registered with the provider
nacos.core.auth.oidc-idp.keycloak.client-id=nacos
### the client_secret registered with the provider
nacos.core.auth.oidc-idp.keycloak.client-secret=7bBJVwRRAxb6PGzrGOj2SyIaSpxcPC9Y
### the scopes requested from the provider; some providers (e.g. GitHub) let this be omitted
nacos.core.auth.oidc-idp.keycloak.scope=openid profile email
### jsonpath expression used to extract the user's unique identifier from the user information
nacos.core.auth.oidc-idp.keycloak.username-key=preferred_username
### jsonpath expressions for the user's email and display name
nacos.core.auth.oidc-idp.keycloak.email-key=email
nacos.core.auth.oidc-idp.keycloak.full-name-key=name
### create the Nacos account automatically when the OIDC user does not exist yet
nacos.core.auth.oidc-idp.keycloak.enable-create=true
```

### Restarting the service

```shell
#- stop
docker compose -f /usr/local/nacos/docker-compose.yaml down
#- start
docker compose -f /usr/local/nacos/docker-compose.yaml up -d
```

- Or use `docker compose restart` to restart the service

## References

- [Support for logining to console through OIDC #7747](https://github.com/alibaba/nacos/pull/7747/files)
- [Nacos Installation](https://nacos.io/docs/v2/quickstart/quick-start/?spm=5238cd80.47ee59c.0.0.189fcd362F2139)
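The OIDC properties configured above drive the login flow the patched console performs. As an added illustration (not the plugin code from PR #7747), the following Python groups the `nacos.core.auth.oidc-idp.*` keys per provider, builds the authorization request with a per-login `state` nonce, and maps an IdP userinfo document to a Nacos account while honouring `enable-create`. The dotted-path lookup standing in for the configured jsonpath, the redirect URI and the userinfo document are constructed assumptions.

```python
import secrets
from urllib.parse import urlencode
PREFIX = "nacos.core.auth.oidc-idp"

# Constructed input: the OIDC keys from the application.properties block above.
PROPERTIES = """
nacos.core.auth.oidc-idp=keycloak
nacos.core.auth.oidc-idp.keycloak.auth-url=http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/auth
nacos.core.auth.oidc-idp.keycloak.client-id=nacos
nacos.core.auth.oidc-idp.keycloak.scope=openid profile email
nacos.core.auth.oidc-idp.keycloak.username-key=preferred_username
nacos.core.auth.oidc-idp.keycloak.email-key=email
nacos.core.auth.oidc-idp.keycloak.full-name-key=name
nacos.core.auth.oidc-idp.keycloak.enable-create=true
"""

def load_idps(text):
    """Group the flat properties into one settings dict per provider named in PREFIX."""
    props = dict(line.split("=", 1) for line in text.splitlines()
                 if "=" in line and not line.startswith("#"))
    idps = {}
    for idp in props[PREFIX].split(","):
        head = f"{PREFIX}.{idp.strip()}."
        idps[idp.strip()] = {k[len(head):]: v for k, v in props.items() if k.startswith(head)}
    return idps

def new_state():
    """Per-login anti-CSRF nonce; the server stores it and the callback must echo it."""
    return secrets.token_urlsafe(24)

def build_auth_url(cfg, redirect_uri, state):
    """Authorization-code request sent to the provider's auth-url."""
    query = {"response_type": "code", "client_id": cfg["client-id"],
             "redirect_uri": redirect_uri, "scope": cfg["scope"], "state": state}
    return cfg["auth-url"] + "?" + urlencode(query)

def json_get(obj, path):
    """Dotted-path lookup (hypothetical stand-in for the configured jsonpath)."""
    for part in path.lstrip("$.").split("."):
        obj = obj[part]
    return obj

def map_user(cfg, userinfo, existing_users):
    """Map a userinfo document to a Nacos account; None means the login is refused."""
    username = json_get(userinfo, cfg["username-key"])
    if username not in existing_users and cfg.get("enable-create") != "true":
        return None  # unknown identity and auto-provisioning disabled
    return {"username": username, "email": json_get(userinfo, cfg["email-key"]),
            "full_name": json_get(userinfo, cfg["full-name-key"])}
```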