Create Tornjak image v1.3.0 (#258)

.github/workflows/master-build.yaml

@@ -4,6 +4,7 @@ on:
     branches:
     - main
     - v1.2
+    - v1.3
 jobs:
   tornjak-build:
     runs-on: ubuntu-latest

.gitignore

@@ -5,7 +5,7 @@
 !tornjak-backend/
 
 # golang vendor
-vendor/
+vendor
 
 # dependencies
 tornjak-frontend/node_modules
@@ -36,11 +36,14 @@ agentlocaldb
 tornjak-manager
 
 # build artifacts
-bin/
-ui/
-node_modules/
-frontend-local-build/
-.idea/
-Makefile
+bin
+ui
+frontend-local-build
+.idea
+
+# accidental local builds
+node_modules
+package.json
+package-lock.json
 
 /agent

Dockerfile.add-backend

@@ -0,0 +1,17 @@
+FROM ghcr.io/spiffe/spire-server:1.1.3
+ENTRYPOINT ["/opt/spire/run_server.sh"]
+RUN apk add curl
+COPY sample-keys sample-keys
+COPY bin/tornjak-backend tornjak-backend
+# Add init
+COPY run_server.sh run_server.sh
+
+# add a version link to the image description
+ARG version
+ARG github_sha
+LABEL org.opencontainers.image.description="Tornjak backend + SPIRE server 1.1.3: https://github.com/spiffe/tornjak/releases/tag/$version" \
+      org.opencontainers.image.source="https://github.com/spiffe/tornjak" \
+      org.opencontainers.image.documentation="https://github.com/spiffe/tornjak/tree/main/docs" 
+# create env. variables with the build details
+ENV VERSION=$version
+ENV GITHUB_SHA=$github_sha

Dockerfile.add-keycloak

@@ -0,0 +1,7 @@
+FROM quay.io/keycloak/keycloak:19.0.1
+# copy realm json file to container
+COPY examples/keycloak/realm /opt/keycloak/data/import/
+# import realm from dir
+RUN /opt/keycloak/bin/kc.sh import --dir /opt/keycloak/data/import/ --override true; exit 0
+# start the image
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "-v", "start-dev"]

Dockerfile.backend-container

@@ -4,7 +4,6 @@ RUN mkdir -p /opt/spire
 WORKDIR /opt/spire
 ENTRYPOINT ["/opt/spire/run_backend.sh"]
 
-COPY sample-keys sample-keys
 # Add init
 COPY run_backend.sh run_backend.sh
 COPY bin/tornjak-backend tornjak-backend

Dockerfile.frontend-container

@@ -2,7 +2,7 @@
 FROM node:16-alpine3.14 AS build
 WORKDIR /usr/src/app
 COPY tornjak-frontend .
-RUN npm install --omit=dev && \
+RUN npm install && \
     npm run build
 
 ## Runtime stage

Dockerfile.tornjak-container

@@ -31,6 +31,5 @@ ENV GITHUB_SHA=$github_sha
 RUN mkdir -p /opt/spire
 
 COPY bin/tornjak-backend /opt/spire/tornjak-backend
-COPY sample-keys /opt/spire/sample-keys
 COPY run_tornjak.sh /opt/spire/run_tornjak.sh
 COPY --from=build /usr/src/app ./

USAGE.md

@@ -10,18 +10,26 @@ NOTE: Previously, we had images placing the Tornjak backend and SPIRE server in
 
 Pre-built images can be found at the above links. To decide which tag to use, typically choose a release from [this page](https://github.com/spiffe/tornjak/releases) and choose the corresponding tag. For example, if you are interested in release `tornjak-1.0.2`, then choose image tag `v1.0.2`.
 
+### Compatibility Table
+
+Please see below for compatibility charts of SPIRE server versions with Tornjak:
+
+| Tornjak version        | SPIRE Server version |
+| :--------------------- | :------------------- |
+| v1.1.x, v1.2.x, v1.3.x | v1.1.x, v1.2.x, v1.3.x, v1.4.x |
+
 ## Tornjak Backend
 
 This is meant to be deployed where it can access a SPIRE server. To run, the container has three arguments:
 
 | Flag                   | Description                                                 | Default | Arguments | Required |
 |:-----------------------|:------------------------------------------------------------|:--------|:----------|:---------|
-| `--spire-config`       | Config file path for SPIRE server                           |         | `<path>`  | true     |
+| `--spire-config`       | Config file path for SPIRE server                           |         | `<path>`  | false    |
 | `--tornjak-config`     | Config file path for Tornjak (see our [configuration reference](./docs/config-tornjak-agent.md)) | | `<path>` | true |
 | `--expandEnv`          | If included, expand environment variables in Tornjak config | False   |           | false    |
 
 ```
-docker run -p 10000:10000 ghcr.io/spiffe/tornjak-backend:latest -c <SPIRE CONFIG PATH> -t <TORNJAK CONFIG PATH> -expandEnv
+docker run -p 10000:10000 ghcr.io/spiffe/tornjak-backend:latest --spire-config <SPIRE CONFIG PATH> --tornjak-config <TORNJAK CONFIG PATH> -expandEnv
 ```
 
 The above command creates a container listening at http://localhost:10000 for Tornjak API calls. Note that the config files must be accessible from INSIDE the container. Also note, this expands the container's environment variables in the Tornjak config map. 
@@ -65,7 +73,7 @@ This container may be used as an alternative to having a frontend and backend co
 An example command:
 
 ```
-docker run -p 10000:10000 -p 3000:8080 -e REACT_APP_API_SERVER_URI='http://localhost:10000' -e PORT_FE-8080 -e PORT_BE-10000 ghcr.io/spiffe/tornjak:latest -c <SPIRE CONFIG PATH> -t <TORNJAK CONFIG PATH>
+docker run -p 10000:10000 -p 3000:8080 -e REACT_APP_API_SERVER_URI='http://localhost:10000' -e PORT_FE-8080 -e PORT_BE-10000 ghcr.io/spiffe/tornjak:latest --spire-config <SPIRE CONFIG PATH> --tornjak-config <TORNJAK CONFIG PATH>
 ```
 
 The above command creates a UI available at `http://localhost:3000` forwarded from container port `8080`. It is listening to the Tornjak backend at `http://localhost:10000`, as given by the `REACT_APP_API_SERVER_URI` value. At the same time, the container is exposing port `10000` for the backend, which reads the SPIRE config and Tornjak config at `<SPIRE CONFIG PATH>` and `<TORNJAK CONFIG PATH>` respectively. 

docker-compose-keycloak.yml

@@ -0,0 +1,15 @@
+version: "3.8"
+services:
+  keycloak:
+    build:
+      context: ./
+      dockerfile: Dockerfile.add-keycloak
+    container_name: tornjak-keycloak
+    restart: always
+    ports:
+      - "8080:8080"
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    volumes:
+      - ./examples/keycloak/realm:/opt/keycloak/data/import

docs/config-tornjak-server.md

@@ -16,7 +16,7 @@ The following flags are available for all tornjak-agent commands:
 
 | Command                | Action                             | Default | Required |
 |:-----------------------|:-----------------------------------|:--------| :--------|
-| `--spire-config`       | Config file path for SPIRE server  |         | true     |
+| `--spire-config`       | Config file path for SPIRE server  |         | false    |
 | `--tornjak-config`     | Config file path for Tornjak agent |         | true     |
 | `--expandEnv`          | If flag included, expand environment variables in Tornjak config | false   | false    |
 
@@ -67,6 +67,8 @@ We have three connection types that can be opened by the server simultaneously:
 
 If a specific section is omitted or not enabled, that connection will not be created. If all are omitted or disabled, the program will exit immediately with an appropriate error log. 
 
+For examples on enabling TLS and mTLS connections, please see [our TLS and mTLS documentation](../sample-keys/README.md). 
+
 ## About Tornjak plugins
 
 ### Plugin types

docs/quickstart/server-statefulset-examples/backend-sidecar-server-statefulset.yaml

@@ -51,7 +51,7 @@ spec:
             periodSeconds: 5
         ### 👈 BEGIN ADDITIONAL CONTAINER ###
         - name: tornjak-backend
-          image: ghcr.io/spiffe/tornjak-backend:latest
+          image: ghcr.io/spiffe/tornjak-backend:v1.2.2
           args:
             - --spire-config
             - /run/spire/config/server.conf

docs/quickstart/server-statefulset-examples/tornjak-sidecar-server-statefulset.yaml

@@ -51,7 +51,7 @@ spec:
             periodSeconds: 5
         ### 👈 BEGIN ADDITIONAL CONTAINER ###
         - name: tornjak
-          image: ghcr.io/spiffe/tornjak:latest
+          image: ghcr.io/spiffe/tornjak:v1.2.2
           imagePullPolicy: Always
           args:
             - --spire-config

docs/quickstart/server-statefulset.yaml

@@ -20,7 +20,7 @@ spec:
       serviceAccountName: spire-server
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.5.1
+          image: ghcr.io/spiffe/spire-server:1.4.4
           args:
             - -config
             - /run/spire/config/server.conf

docs/user-management.md

@@ -1,8 +1,8 @@
 # User Management
 
-This document compiles all the information on the user management integration we have experimented with. 
+This document compiles all the information on the integration of user management with Tornjak. 
 
-Currently, this feature is available only for a single instance of a Tornjak agent with a frontend. 
+Currently, user management is available only for a single instance of a Tornjak agent with a Frontend. 
 
 ## Overview
 
@@ -22,21 +22,31 @@ The architecture integrates with a separate Auth server. This Auth server is use
 
 ## General Deployment
 
-In order to deploy, there are several steps:
+User management requires the following:
 
-1. There must be an existing, preconfigured auth server for Tornjak components to integrate with. 
-2. The backend is deployed with a configuration pointing to said auth server. 
-3. The frontend must be deployed configured to obtain access tokens from said auth server before sending calls to the backend. 
+*  There must be an existing, pre-configured Auth Server to integrate with Tornjak (e.g. Keycloak)
+*  The Tornjak Backend is deployed with a configuration pointing to said Auth Server. 
+*  The Tornjak Frontend must be deployed configured to obtain access tokens from said Auth Server before sending calls to the Tornjak Backend. 
 
 ## Examples and Tutorials
 
-We have experimented extensively with the open source Keycloak Auth server. Specifically, it is very easy to set up a Tornjak secured by Keycloak today. 
+We have experimented extensively with the open source Keycloak Auth Server. 
+Specifically, it is very easy to set up a Tornjak secured by Keycloak today, by following these steps: 
 
-To configure the Auth server, please see our [Medium blog](https://medium.com/universal-workload-identity/step-by-step-guide-to-setup-keycloak-configuration-for-tornjak-dbe5c3049034) for a walkthrough on configuring the auth server. For more in-depth documentation on this setup, please see [this document on Keycloak configuration](./keycloak-configuration.md).
+1. **Configure Auth Server**
+To configure the Auth Server, please see our [Medium blog](https://medium.com/universal-workload-identity/step-by-step-guide-to-setup-keycloak-configuration-for-tornjak-dbe5c3049034) for a walkthrough on configuring the Auth Server. For more in-depth documentation on this setup, please see [this document on Keycloak configuration](./keycloak-configuration.md).
 
-Once the Auth server is set up, we can deploy the backend to require access tokens from our auth server, as detailed in [this followup Medium blog](https://medium.com/universal-workload-identity/guide-to-integrating-tornjak-with-keycloak-for-access-control-to-spire-40a3d5ee5f5a), with more details on the general configuration [here](https://github.com/spiffe/tornjak/blob/main/docs/config-tornjak-agent.md). 
+1. **Enable User Management for Tornjak Backend**
+Once the Auth Server is set up, we can deploy the Tornjak Backend to require access tokens from our Auth Server, 
+as detailed in 
+[this followup Medium blog](https://medium.com/universal-workload-identity/guide-to-integrating-tornjak-with-keycloak-for-access-control-to-spire-40a3d5ee5f5a), 
+with more details on the general configuration 
+[here](https://github.com/spiffe/tornjak/blob/main/docs/config-tornjak-agent.md). 
 
-Finally, the frontend must be deployed and configured to obtain access tokens from this auth server. This can be done locally with the environment variable `REACT_APP_AUTH_SERVER_URI`:
+1. **Configure Tornjak Frontend**
+Finally, the Frontend must be deployed and configured to obtain access tokens from this auth server. 
+This can be done locally with the environment variable 
+`REACT_APP_AUTH_SERVER_URI`:
 
 ```
 cd tornjak-frontend
@@ -47,10 +57,15 @@ REACT_APP_AUTH_SERVER_URI=http://localhost:8080/ npm start
 Alternatively, we can do the same on the containerized version:
 
 ```
-docker run -p 3000:3000 -d -e REACT_APP_API_SERVER_URI='http://localhost:10000' -e REACT_APP_AUTH_SERVER_URI='http://localhost:8080' tsidentity/tornjak-frontend:latest
+docker run -p 3000:3000 -d -e REACT_APP_API_SERVER_URI='http://localhost:10000' -e REACT_APP_AUTH_SERVER_URI='http://localhost:8080' ghcr.io/spiffe/tornjak-frontend:v1.2.2
+`
 ```
 
-This will start a server on `http://localhost:3000`
+This will start a Tornjak frontend on `http://localhost:3000`
 Please be patient, as it might take a few minutes to compile and start the server.
 
-Given the Auth server configuration above, we have an admin and a viewer user type. An Admin User will have an Admin portal with admin privilages and a viewer user will have restricted access for the Tornjak UI only for viewing.  
+For a cloud deployment change the URLs accordingly using the cloud provider ingress.
+
+Given the Auth Server configuration above, we have an `admin` and a `viewer` user type. 
+An Admin User has an admin level privileges allowing create, configure, and delete operations. 
+The Viewer User has a restricted access for the Tornjak UI, allowing only read and list operations.