You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
> ⚠️ **Do not use `localhost` in `DATABASE_URL` when services run inside Docker containers.** Inside a container, `localhost` resolves to the container itself — not the host. Use your machine's LAN IP (e.g. `192.168.x.x`) or a Docker service name instead. This applies to `KEYCLOAK_DOMAIN` and `KEYCLOAK_ADMIN_URL` as well (see Step 5).
72
+
73
+
---
74
+
75
+
### Step 3 — Run Prisma Migrations (Schema Generation)
76
+
77
+
> ⚠️ **Migrations must run before seeding.** If you seed first, it will fail because the tables don't exist yet.
NATS is used for inter-service communication. The only prerequisite here is to install Docker.
97
+
Keycloak is required for authentication. It is **not started automatically** — you must run it separately and configure it fully before seeding.
98
+
99
+
#### 4a — Run the Keycloak container
100
+
101
+
> ⚠️ **Keycloak must be on the same Docker network as the platform services** (`platform_default`), otherwise the containers cannot reach it. Include `--network platform_default` when creating the container.
54
102
55
103
```bash
56
-
docker pull nats:latest
104
+
docker run --name credebl-keycloak \
105
+
-p 8080:8080 \
106
+
-e KEYCLOAK_ADMIN=admin \
107
+
-e KEYCLOAK_ADMIN_PASSWORD=admin \
108
+
--network platform_default \
109
+
-d quay.io/keycloak/keycloak:latest start-dev
110
+
```
111
+
112
+
#### 4b — Create a Realm
113
+
114
+
1. Open the Keycloak Admin Console: `http://localhost:8080`
115
+
2. Log in with `admin` / `admin`
116
+
3. Create a new **Realm** named exactly: `credebl-platform`
117
+
118
+
#### 4c — Create Client 1: `adminClient`
119
+
120
+
This client is used by the platform seed script and user-service to authenticate platform admin users.
121
+
122
+
1. In the `credebl-platform` realm → **Clients** → **Create client**
123
+
2.**Client ID:**`adminClient`
124
+
3.**Client authentication:** ON (confidential)
125
+
4.**Service accounts enabled:** ON
126
+
5. Go to **Service account roles** tab → **Assign role** → filter by `realm-management` → add:
127
+
-`manage-users`
128
+
-`view-users`
129
+
-`query-users`
130
+
6. Go to **Credentials** tab → copy the **Client Secret**
> ⚠️ **If platform services run in Docker containers, do NOT use `localhost` for Keycloak URLs.**
164
+
> Use your machine's LAN IP address instead (e.g. `192.168.1.x`). You can find it with `ip addr show` or `hostname -I`.
165
+
166
+
```env
167
+
# For Docker-based deployments — replace with your actual LAN IP:
168
+
KEYCLOAK_DOMAIN=http://192.168.x.x:8080/
169
+
KEYCLOAK_ADMIN_URL=http://192.168.x.x:8080
170
+
171
+
# For host-only (no Docker for platform services):
172
+
# KEYCLOAK_DOMAIN=http://localhost:8080/
173
+
# KEYCLOAK_ADMIN_URL=http://localhost:8080
174
+
```
175
+
176
+
---
177
+
178
+
### Step 5 — Configure Remaining `.env` Values
179
+
180
+
Set the following before seeding:
181
+
182
+
```env
183
+
PLATFORM_ADMIN_EMAIL=platform.admin@yopmail.com
184
+
CRYPTO_PRIVATE_KEY=YourSecretPrivateKeyHere
57
185
```
58
186
59
-
### • Run NATS using Docker Compose
60
-
The `docker-compose.yml` file is available in the root folder.
187
+
> `CRYPTO_PRIVATE_KEY` is used to encrypt/decrypt Keycloak client credentials stored in the DB. Keep it consistent across all runs — changing it after seeding will break decryption.
188
+
189
+
---
190
+
191
+
### Step 6 — Seed Initial Data
192
+
193
+
```bash
194
+
# From repo root
195
+
cd libs/prisma-service
196
+
npx prisma db seed
197
+
```
198
+
199
+
The seed script will:
200
+
1. Create org roles, agent types, ecosystem roles, ledgers, and user roles
201
+
2. Create the platform admin user and organization
202
+
3. Create the Keycloak user for the platform admin (or look up an existing one — see note below)
203
+
4. Encrypt and store Keycloak `clientId` / `clientSecret` in the DB
204
+
205
+
> **Re-seeding note:** If the Keycloak user already exists (e.g. on a re-seed), the script will look up the existing user's Keycloak ID and still update the DB record — so `keycloakUserId`, `clientId`, and `clientSecret` are always kept in sync.
206
+
207
+
---
208
+
209
+
### Step 7 — Install NATS Message Broker
210
+
211
+
NATS is used for inter-service communication.
61
212
62
213
```bash
63
-
docker-compose up
214
+
docker pull nats:latest
64
215
```
65
216
66
-
## Run CREDEBL Microservices
217
+
Then start it (along with other infrastructure) using Docker Compose:
67
218
68
-
### • Install Dependencies
69
219
```bash
70
-
npm install
220
+
docker compose up -d
71
221
```
72
222
73
-
### • Configure Environment Variables
74
-
Configure environment variables in `.env` before you start the API Gateway.
223
+
---
75
224
76
-
### • Running the API Gateway
77
-
You can optionally use the `--watch` flag during development/testing.
225
+
### Step 8 — Install Dependencies
78
226
79
227
```bash
80
-
nest start [--watch]
228
+
# From repo root — use pnpm, not npm
229
+
pnpm install
81
230
```
82
231
83
-
### • Starting Individual Microservices
232
+
---
233
+
234
+
### Step 9 — Run CREDEBL Microservices
235
+
236
+
#### Configure environment variables
237
+
238
+
Ensure all values in `.env` are set correctly before starting services (see Steps 4–5 above).
84
239
85
-
For example, to start the `organization service` microservice, run the following command in a separate terminal window:
240
+
#### Running the API Gateway
86
241
87
242
```bash
88
-
nest start organization [--watch]
243
+
nest start [--watch]
89
244
```
90
245
91
-
Start all the microservices one after another in separate terminal windows:
246
+
#### Starting Individual Microservices
247
+
248
+
Start each microservice in a separate terminal window:
To access microservice endpoints using the API Gateway, navigate to:
264
+
Once the API Gateway is running, Swagger UI is available at:
106
265
107
266
```
108
267
http://localhost:5000/api
109
268
```
110
269
270
+
---
271
+
272
+
## Troubleshooting
273
+
274
+
### Sign-in returns 401 after setup
275
+
276
+
1.**Check `keycloakUserId` in the DB** — it must not be empty for the platform admin user. If it is, re-run the seed (it will now look up and fix this automatically).
277
+
2.**Check `KEYCLOAK_DOMAIN`** — if services run in Docker, `localhost` won't resolve to your host machine. Use your LAN IP.
278
+
3.**Check Keycloak logs** to confirm the password grant is succeeding.
279
+
280
+
### Seeding fails with Prisma errors
281
+
282
+
Ensure `prisma migrate deploy` ran successfully **before** running `prisma db seed`. The tables must exist first.
283
+
284
+
### Seeding fails with connection errors
285
+
286
+
Ensure `DATABASE_URL` in `.env` is reachable from where you're running the seed command (host vs. inside Docker makes a difference).
287
+
288
+
### `npm install` fails or produces wrong results
289
+
290
+
Use `pnpm install` — the project is configured for `pnpm` and will not work correctly with `npm`.
291
+
292
+
---
293
+
111
294
## Credit
112
295
113
-
The CREDEBL platform is built by AYANWORKS team.
114
-
For the core SSI capabilities, it leverages the great work from multiple open-source projects such as Hyperledger Aries, Bifold, Asker, Indy, etc.
296
+
The CREDEBL platform is built by the AYANWORKS team.
297
+
For core SSI capabilities, it leverages the great work from multiple open-source projects such as Hyperledger Aries, Bifold, Askar, Indy, and others.
0 commit comments