From 998707c4caecb696e74767a488986b428638b533 Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Sat, 9 Nov 2024 21:09:53 +0800 Subject: [PATCH] README.md: update --- README.md | 99 +++++++++++++++++++++++++++++++++++++- docs/auth0-oidc-setup.md | 27 +++++++++++ docs/aws-oidc-setup.md | 42 ++++++++++++++++ docs/azure-oidc-setup.md | 26 ++++++++++ docs/gcp-oidc-setup.md | 38 +++++++++++++++ docs/github-oidc-setup.md | 32 ++++++++++++ docs/grafana-oidc-setup.md | 22 +++++++++ 7 files changed, 284 insertions(+), 2 deletions(-) create mode 100644 docs/auth0-oidc-setup.md create mode 100644 docs/aws-oidc-setup.md create mode 100644 docs/azure-oidc-setup.md create mode 100644 docs/gcp-oidc-setup.md create mode 100644 docs/github-oidc-setup.md create mode 100644 docs/grafana-oidc-setup.md diff --git a/README.md b/README.md index d998df48..f9281008 100644 --- a/README.md +++ b/README.md 
@@ -2,6 +2,103 @@ Welcome to the repository for the Modern Container Application Reference Architecture. This repository contains a comprehensive guide and reference architecture for building scalable, portable, resilient, and agile containerized applications. +## Overview + +The project aims to create a multi-cloud environment that leverages containers for deploying modern applications. The key objective is to set up a unified authentication system using **OIDC** via **Auth0 by Okta** for **AWS**, **GCP**, **Azure**, **GitHub**, and **Grafana Cloud**. + +## Phase 1: Implementing OIDC Login + +In this first phase, we focus on implementing OpenID Connect (OIDC) login functionality for the following platforms: +- [AWS](docs/aws-oidc-setup.md) +- [GCP](docs/gcp-oidc-setup.md) +- [Azure](docs/azure-oidc-setup.md) +- [GitHub](docs/github-oidc-setup.md) +- [Grafana Cloud](docs/grafana-oidc-setup.md) + + +## Key Components Overview + +| **Component** | **Description** | **Tools/Technologies** | +|---------------------------------------------|------------------------------------------------------------------------------------------------------------------|----------------------------------------------| +| **1. LDP (Login Delegation Protocol)** | Centralized authentication and Single Sign-On (SSO) using **Auth0 by Okta** for various platforms. | Auth0 by Okta, OIDC | +| **2. IaC (Infrastructure as Code)** | Infrastructure management and provisioning using automated tools. | Terraform, Pulumi | +| **3. Monitoring** | Comprehensive observability and monitoring for the application, including system metrics, network, and performance.| Grafana Cloud, Prometheus, DeepFlow, ClickHouse | +| **4. Git Repository** | Version control and source code management for the project. | GitHub | +| **5. CI/CD (Continuous Integration/Delivery)**| Automated build, test, and deployment pipelines. 
| GitHub Actions | +## key Components Service + +| **Name** | **Domain** | **Version** | **Deploy** | **Docker Compose** | **Chart** | **CI/CD** | +|-------------------|--------------------------------|-------------|-----------------------|---------------------|------------------------|-----------------------| +| **1. Keycloak** | keycloak.onwalk.net | 26.0 | Docker | Yes | Yes | GitHub Actions | +| **2. Harbor** | images.onwalk.net | 2.12 | Docker | Yes | Yes | GitHub Actions | +| **3. ChartMuseum** | charts.onwalk.net | 0.14.0 | Docker | Yes | Yes | GitHub Actions | +| **4. Vault** | vault.onwalk.net | 1.15 | Docker | Yes | Yes | GitHub Actions | +| **5. Nginx/OSS** | mirrors.onwalk.net | 1.21 | Kubernetes | Yes | Yes | GitHub Actions | + +| **Name** | **Domain** | **Version | Deploy | Docker Compose** | **Chart** | **CI/CD** | +|-------------------|--------------------------------|-------------|---------------------------|---------------------|------------------------|-----------------------| +| **5. OpenIPA** | freeipa.onwalk.net | 4.10 | Kubernetes, Docker, BareMetal| Yes | Yes | GitHub Actions | +| **1. PostgreSQL** | db.onwalk.net | 16.0 | Kubernetes, Docker | Yes | Yes | GitHub Actions | +| **8. Prometheus** | monitoring.onwalk.net | 2.35 | Kubernetes, Docker | Yes | Yes | GitHub Actions | +| **9. Grafana** | monitoring.onwalk.net | 8.4 | Kubernetes, Docker | Yes | Yes | GitHub Actions | +| **10. Consul** | consul.onwalk.net | 1.12 | Kubernetes, Docker | Yes | Yes | GitHub Actions | +| **12. Jenkins** | jenkins.onwalk.net | 2.319 | Kubernetes, Docker | Yes | Yes | GitHub Actions | +| **13. GitLab** | gitlab.onwalk.net | 15.5 | Kubernetes, Docker | Yes | Yes | GitHub Actions | +| **14. MinIO** | minio.onwalk.net | 2023.2.0 | Kubernetes, Docker | Yes | Yes | GitHub Actions | + + +--- + +### 1. 
**LDP (Login Delegation Protocol)** - **Auth0 by Okta** + - Set up **Auth0 by Okta** as the identity provider to enable **OpenID Connect (OIDC)** login for multiple platforms: + - **AWS**, **GCP**, **Azure**, **GitHub**, **Grafana Cloud** + - OIDC allows secure Single Sign-On (SSO) across all these platforms. + - For more details, refer to [Platform-Specific OIDC Setup Docs](./docs). + +### 2. **IaC (Infrastructure as Code)** - **Terraform / Pulumi** + - Infrastructure for AWS, GCP, and Azure is provisioned using **Terraform** and **Pulumi** scripts. + - These scripts allow easy and reproducible deployment and management of cloud resources. + - See the `iac/` folder for the setup files. + +### 3. **Monitoring** - **Grafana Cloud / Prometheus / DeepFlow / ClickHouse** + - Monitoring stack includes: + - **Prometheus** for metrics collection. + - **DeepFlow** for network and system observability. + - **ClickHouse** for storing and querying large amounts of observability data. + - **Grafana Cloud** for visualizing all collected metrics and logs. + - Configuration files for monitoring tools can be found in the `monitoring/` folder. + +### 4. **Git Repository** - **GitHub** + - All project code, infrastructure configurations, and documentation are managed within this **GitHub** repository. + - GitHub also integrates with **GitHub Actions** for CI/CD. + +### 5. **CI/CD** - **GitHub Actions** + - Automated CI/CD pipeline is set up using **GitHub Actions** to ensure continuous integration and deployment. + - Pipelines handle code testing, building, and multi-cloud deployments for platforms like AWS, GCP, and Azure. + - YAML workflow files for GitHub Actions can be found in the `.github/workflows/` directory. 
+ +--- + +For detailed instructions on configuring each platform, see: + +- [Set up Auth0 by Okta for OIDC](./docs/auth0-oidc-setup.md) +- [Configure OIDC login for AWS](./docs/aws-oidc-setup.md) +- [Configure OIDC login for GCP](./docs/gcp-oidc-setup.md) +- [Configure OIDC login for Azure](./docs/azure-oidc-setup.md) +- [Configure OIDC login for GitHub](./docs/github-oidc-setup.md) +- [Configure OIDC login for Grafana Cloud](./docs/grafana-oidc-setup.md) +- [Test and validate OIDC logins](./docs/testing-oidc-logins.md) + +## TODO + +- [ ] Set up **Auth0 by Okta** as the identity provider for OIDC authentication. +- [ ] Configure OIDC login for **AWS**. +- [ ] Configure OIDC login for **GCP**. +- [ ] Configure OIDC login for **Azure**. +- [ ] Configure OIDC login for **GitHub**. +- [ ] Configure OIDC login for **Grafana Cloud**. +- [ ] Test and validate login workflows across all platforms. + ## Documentation For more detailed information, please refer to the documentation available in two languages: @@ -21,8 +118,6 @@ Follow the links above to the documentation in your preferred language to get st We welcome contributions to this project. If you have suggestions, improvements, or find any issues, feel free to submit a pull request. - - ## License This project is released under the GPL V3 license. For more details, see the LICENSE file. diff --git a/docs/auth0-oidc-setup.md b/docs/auth0-oidc-setup.md new file mode 100644 index 00000000..32b86ff4 --- /dev/null +++ b/docs/auth0-oidc-setup.md 
@@ -0,0 +1,27 @@ +# Set up Auth0 by Okta as the identity provider for OIDC authentication + +This document provides the steps to configure **Auth0 by Okta** as the identity provider (IdP) for OpenID Connect (OIDC) authentication. + +## Steps: + +1. **Create an Auth0 Account**: + - Go to [Auth0](https://auth0.com/) and create an account if you don’t already have one. + +2. **Create a New Application**: + - Navigate to the **Applications** tab. + - Click **Create Application**. + - Select **Regular Web Application** or **Machine to Machine Applications** based on your need. + +3. **Configure OIDC Settings**: + - Record the **Client ID** and **Client Secret** for future reference. + - Configure allowed callback URLs for the platforms you want to authenticate (AWS, GCP, etc.). + +4. **Set Up Tenant Domain**: + - The domain for your Auth0 instance will look like: `your-tenant-name.us.auth0.com`. + +5. **OIDC Configuration**: + - Use the `.well-known/openid-configuration` URL for your Auth0 tenant. + - Example: `https://your-tenant-name.us.auth0.com/.well-known/openid-configuration`. + +6. **Test OIDC Configuration**: + - Before integrating with cloud services, ensure that the OIDC configuration works by testing with tools like **Postman**. diff --git a/docs/aws-oidc-setup.md b/docs/aws-oidc-setup.md new file mode 100644 index 00000000..21c434b1 --- /dev/null +++ b/docs/aws-oidc-setup.md 
@@ -0,0 +1,42 @@ +# Configure OIDC login for AWS + +This document outlines the steps to configure OpenID Connect (OIDC) login for AWS using **Auth0 by Okta**. + +## Prerequisites: +- Auth0 by Okta set up as an OIDC provider. +- AWS IAM access. + +## Steps: + +1. **Set Up Identity Provider in AWS**: + - Open the **IAM** console in AWS. + - Go to **Identity Providers** > **Add Provider**. + - Choose **OpenID Connect** as the provider type. + - Enter the Auth0 **Issuer URL**: `https://your-tenant-name.us.auth0.com/`. + - Upload the OIDC metadata or configure manually. + +2. **Create an IAM Role for OIDC**: + - Navigate to **Roles** > **Create role**. + - Select **Web identity** as the trusted entity. + - Choose your newly created **Auth0 OIDC provider**. + - Configure access policies to AWS services (e.g., S3, EC2). + +3. **Trust Relationship Configuration**: + - Update the trust relationship to allow Auth0 users to assume the role: + ```json + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::123456789012:oidc-provider/your-tenant-name.us.auth0.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "your-tenant-name.us.auth0.com:sub": "user_id" + } + } + } + ``` + +4. **Test Authentication**: + - Use OIDC tokens generated by Auth0 to authenticate and assume the IAM role. diff --git a/docs/azure-oidc-setup.md b/docs/azure-oidc-setup.md new file mode 100644 index 00000000..6942048e --- /dev/null +++ b/docs/azure-oidc-setup.md 
@@ -0,0 +1,26 @@ +# Configure OIDC login for Azure + +This document outlines the steps to configure OpenID Connect (OIDC) login for Microsoft Azure using **Auth0 by Okta**. + +## Prerequisites: +- Auth0 by Okta set up as an OIDC provider. +- Azure Active Directory (AAD) access. + +## Steps: + +1. **Set Up a New Enterprise Application**: + - Open **Azure Portal**. + - Go to **Azure Active Directory** > **Enterprise Applications** > **New Application**. + - Select **Non-gallery application** and configure the app. + +2. **Configure OIDC Single Sign-On**: + - Go to the **Single Sign-On** tab. + - Select **OpenID Connect**. + - Enter the Auth0 **Client ID**, **Client Secret**, and **Issuer URL** (`https://your-tenant-name.us.auth0.com/`). + +3. **Configure Permissions and Roles**: + - In **Azure AD**, assign users or groups to the newly created enterprise application. + - Configure role assignments based on access needs (e.g., Reader, Contributor roles). + +4. **Test Authentication**: + - Use Auth0 credentials to authenticate through Azure. diff --git a/docs/gcp-oidc-setup.md b/docs/gcp-oidc-setup.md new file mode 100644 index 00000000..51dba965 --- /dev/null +++ b/docs/gcp-oidc-setup.md 
@@ -0,0 +1,38 @@ +# Configure OIDC login for GCP + +This document outlines the steps to configure OpenID Connect (OIDC) login for Google Cloud Platform (GCP) using **Auth0 by Okta**. + +## Prerequisites: +- Auth0 by Okta set up as an OIDC provider. +- GCP IAM access. + +## Steps: + +1. **Create a Workload Identity Pool**: + - Open the **Google Cloud Console**. + - Navigate to **IAM & Admin** > **Workload Identity Federation**. + - Create a new **Workload Identity Pool**. + +2. **Configure OIDC Identity Provider**: + - Choose **OIDC** as the identity provider type. + - Enter the Auth0 **Issuer URL**: `https://your-tenant-name.us.auth0.com/`. + +3. **Configure Service Account Binding**: + - Choose a service account that will be authenticated through OIDC. + - Bind the service account to the Workload Identity Pool. + - Grant necessary IAM roles (e.g., `roles/storage.admin` for GCS access). + +4. **Trust Policy Configuration**: + - Configure the trust policy to allow Auth0 users to authenticate: + ```json + { + "issuer": "https://your-tenant-name.us.auth0.com/", + "subject": "user_id", + "audiences": [ + "your-client-id" + ] + } + ``` + +5. **Test Authentication**: + - Use OIDC tokens generated by Auth0 to authenticate and access GCP services. diff --git a/docs/github-oidc-setup.md b/docs/github-oidc-setup.md new file mode 100644 index 00000000..beed15ee --- /dev/null +++ b/docs/github-oidc-setup.md 
@@ -0,0 +1,32 @@ +# Configure OIDC login for GitHub + +This document outlines the steps to configure OpenID Connect (OIDC) login for GitHub using **Auth0 by Okta**. + +## Prerequisites: +- Auth0 by Okta set up as an OIDC provider. +- GitHub repository access. + +## Steps: + +1. **Configure OIDC in GitHub Actions**: + - Create or update the `.github/workflows/` directory in your GitHub repo. + - Configure OIDC login by adding the following steps in your workflow file: + ```yaml + jobs: + deploy: + runs-on: ubuntu-latest + steps: + - name: Configure OIDC Login + uses: actions/oidc-login-action@v1 + with: + client-id: ${{ secrets.CLIENT_ID }} + client-secret: ${{ secrets.CLIENT_SECRET }} + issuer-url: https://your-tenant-name.us.auth0.com/ + ``` + +2. **Add GitHub Secrets**: + - Go to your GitHub repo settings. + - Add **CLIENT_ID** and **CLIENT_SECRET** from your Auth0 application. + +3. **Test GitHub Action**: + - Trigger the GitHub action to validate the OIDC login. diff --git a/docs/grafana-oidc-setup.md b/docs/grafana-oidc-setup.md new file mode 100644 index 00000000..e9ac3513 --- /dev/null +++ b/docs/grafana-oidc-setup.md @@ -0,0 +1,22 @@ +# Configure OIDC login for Grafana Cloud + +This document outlines the steps to configure OpenID Connect (OIDC) login for Grafana Cloud using **Auth0 by Okta**. + +## Prerequisites: +- Auth0 by Okta set up as an OIDC provider. +- Grafana Cloud admin access. + +## Steps: + +1. **Set Up Grafana OIDC Integration**: + - Open the **Grafana Cloud** dashboard. + - Navigate to **Authentication** settings. + - Select **OIDC** as the authentication type. + +2. **Configure OIDC Settings**: + - Enter the Auth0 **Issuer URL**: `https://your-tenant-name.us.auth0.com/`. + - Provide the **Client ID** and **Client Secret** from Auth0. + - Configure allowed callback URLs. + +3. **Test OIDC Authentication**: + - Log in using Auth0 credentials and validate the Grafana dashboard access.
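Review bot: (README.md hunk `@@ -2,6 +2,103 @@`) The new "For detailed instructions" list links `./docs/testing-oidc-logins.md`, but that file is not among the seven files this commit creates, so the link is dangling; either add the file or drop the entry until it exists. In the "key Components Service" tables the heading is lower-cased ("key"), the second table's header row has broken bold markers (`**Version | Deploy | Docker Compose**`), the row numbers run 5, 1, 8, 9, 10, 12, 13, 14, and "OpenIPA" at `freeipa.onwalk.net` reads like a typo for FreeIPA. Since the Overview states that authentication is unified on Auth0 by Okta, the table should say how Keycloak and FreeIPA (both identity providers) relate to that, or omit them. "LDP (Login Delegation Protocol)" is not an established term; naming the row "OIDC / SSO" would match the rest of the README.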
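Review bot: (docs/auth0-oidc-setup.md hunk) Step 3 tells the reader to "Record the Client ID and Client Secret for future reference"; the secret should go into the secrets store the README already lists (Vault at `vault.onwalk.net`) or the consuming platform's secret storage, not into notes, and the doc should say so. Step 3 also says "Configure allowed callback URLs" without naming them, and none of the per-platform docs in this patch supplies the concrete redirect URI, so the reader has no value to enter. In step 5, point out that the `issuer` value in the discovery document (with its trailing slash, as written in step 4 of the other docs) must be copied exactly, because the cloud providers compare it byte for byte against the `iss` claim.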
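Review bot: (docs/aws-oidc-setup.md hunk) The trust policy in step 3 conditions only on `sub`; add an audience check such as `"your-tenant-name.us.auth0.com:aud": "<auth0-client-id>"` in the same `StringEquals` block, otherwise a token minted by the same tenant for a different Auth0 application satisfies the policy. The snippet is a single statement object, so it needs the `"Version": "2012-10-17"` / `"Statement": [...]` wrapper before it can be pasted as a trust policy, and the `user_id` placeholder should be shown in the shape Auth0 actually issues (`auth0|<id>`), since a per-user `StringEquals` is what this policy pins. In step 1, the IAM "Add provider" form for OpenID Connect takes a provider URL and an Audience (the Auth0 client ID); there is no "Upload the OIDC metadata" option, so that line should be replaced with the audience field.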
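Review bot: (docs/azure-oidc-setup.md hunk) Steps 1 and 2 describe the wrong direction: creating an enterprise application and configuring its Single sign-on makes Azure AD the identity provider for that application, it does not make Auth0 the identity provider for signing in to Azure, and the SSO tab of a non-gallery application offers SAML, password-based or linked sign-on rather than an OpenID Connect form that accepts a client secret. If the goal from the README is for Auth0-held identities to sign in to Azure, the doc needs to describe external identity federation instead, or be re-scoped to what these steps actually configure. Step 3 also mixes concepts: Reader and Contributor are Azure RBAC roles on subscriptions and resources, not app role assignments on an enterprise application.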
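Review bot: (docs/gcp-oidc-setup.md hunk) Workload Identity Federation (step 1) lets an external workload exchange its token for service-account credentials; it is not a console login for people, which is what the README's "OIDC login" implies, and user sign-in through an external OIDC provider is Workforce Identity Federation. The JSON in step 4 (`issuer`/`subject`/`audiences`) is not a GCP artifact: a pool provider is configured with the issuer URI, allowed audiences, an attribute mapping such as `google.subject=assertion.sub`, and optionally a CEL attribute condition, and the service account in step 3 is bound by granting `roles/iam.workloadIdentityUser` on it to the pool principal. Separately, `roles/storage.admin` as the example grant is far broader than a login guide should suggest.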
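Review bot: (docs/github-oidc-setup.md hunk) `actions/oidc-login-action@v1` in the step 1 workflow does not appear to be a published action under the `actions` organization; please verify it or point at the real action, because the job will fail before it runs a single step. The example also inverts the roles: with GitHub Actions OIDC, GitHub is the token issuer and the cloud provider is the relying party (the job needs `permissions: id-token: write`), so a workflow does not log in to GitHub through Auth0 and no `client-secret` is involved in that exchange. If the doc is about people signing in to GitHub with Auth0 identities, that is a SAML/enterprise feature, not a workflow step, and the doc should state which of the two it means.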
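Review bot: (docs/grafana-oidc-setup.md hunk) Step 2 says "Configure allowed callback URLs" but gives no value; for Grafana's generic OAuth login the redirect is `https://<your-stack>.grafana.net/login/generic_oauth`, and that is the URL Auth0 needs in its Allowed Callback URLs, so spell it out here. The steps also omit role mapping: without a `role_attribute_path` every Auth0 user who can authenticate lands in the default org role, so the doc should say which claim (or Auth0 group) maps to Admin/Editor/Viewer. Finally, note that the authorization, token and userinfo endpoints Grafana asks for can be read from the `.well-known/openid-configuration` document referenced in the Auth0 doc rather than typed by hand.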