From 675c2b07f7038fd6f474597347a89dce1952c165 Mon Sep 17 00:00:00 2001
From: Michele Zanotti
Date: Wed, 11 Sep 2024 16:59:44 +0200
Subject: [PATCH] doc: update examples
---
 CHANGELOG.md | 7 ++-
 examples/okta-sso/README.md | 77 +++++++++++++++++++++++++
 examples/okta-sso/main.tf | 112 ++++++++++++++++++++++++++++++++++++
 3 files changed, 195 insertions(+), 1 deletion(-)
 create mode 100644 examples/okta-sso/README.md
 create mode 100644 examples/okta-sso/main.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e812ab..129f758 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,12 +1,17 @@
 # Changelog
+## v0.5.0
+
+### Features
+
+- Okta SSO integration
+
 ## v0.4.4 ### Fixes - Run Actions Processsing job on multiple GPUs. - ## v0.4.3 ### Fixes
diff --git a/examples/okta-sso/README.md b/examples/okta-sso/README.md
new file mode 100644
index 0000000..84bddde
--- /dev/null
+++ b/examples/okta-sso/README.md
@@ -0,0 +1,77 @@
+# Okta OICD Example
+
+Nebuly supports several authentication methods. This example shows how to use [Okta OIDC](https://www.okta.com/openid-connect/) to authenticate users.
+
+## Prerequisites
+
+Before you begin, ensure you have an Okta account and access to the Okta Admin Console.
+
+### Step 1: Create an Okta Application
+
+1. **Log in to the Okta Admin Console**.
+2. Navigate to the **Applications** menu and select **Create App Integration**.
+
+3. In the **Sign-in method** section, choose **OIDC - OpenID Connect**.
+
+4. For **Application type**, select **Web Application** and click **Next**.
+
+5. Configure the application with the following settings:
+
+ - **App Integration Name**: Enter a name for your app.
+ - **Grant Type**: Choose **Authorization Code** and **Refresh Token**.
+ - **Sign-In Redirect URIs**: Specify the following redirect URI, where `` is the same value you provided
+ for the Terraform variable `platform_domain`:
+ ```
+ https:///backend/auth/oauth/okta/callback
+ ```
+ - **Sign-Out Redirect URIs**: Specify the following redirect URI, where `` is the same value you provided
+ for the Terraform variable `platform_domain`:
+ ```
+ http:///logout
+ ```
+ - **Controlled Access**: Decide whether to assign the app integration to everyone in your organization or to specific groups. This can be adjusted after the app is created.
+
+6. Take note of the **Client ID** and **Client Secret** values. You will need to provide these values as Terraform variables.
+
+### Step 2: Configure Nebuly roles on Okta Application
+
+1. In the **Okta Admin Console**, navigate to **Directory > Profile Editor**.
+
+2. Locate and select the **Okta Application Profile** you created earlier (by default, this is named ` User`).
+
+3. Click **Add Attribute** and fill out the following fields:
+
+ - **Data Type**: `string`
+ - **Display Name**: `Nebuly Role`
+ - **Variable Name**: `nebuly_role`
+ - **Description** (optional): Include a description for the role. Example: `The role of the user in Nebuly Platform.`
+ - **Enum**: Select **Define enumerated list of values** and add the following:
+ - **Display Name**: `Admin` | **Value**: `admin`
+ - **Display Name**: `Member` | **Value**: `member`
+ - **Display Name**: `Viewer` | **Value**: `viewer`
+ - The remaining fields are optional and can be configured as needed.
+
+4. Click **Save**.
+
+### Step 3: Assign the roles to users
+
+1. In the **Okta Admin Console**, navigate to **Directory > People**.
+
+2. Locate and select the user you want to assign a role to.
+
+3. Click on **Assign Applications** and select the application you created in Step 1.
+
+4. In the **Application Assignment** dialog, select the role you want to assign to the user. The role
+ can be set using the field **Nebuly Role**, which is the last one in the list.
+
+## Terraform configuration
+
+To enable Okta OIDC authentication in Nebuly, you need to provide the following Terraform variables:
+
+```hcl
+okta_sso = {
+ client_id = ""
+ client_secret = ""
+ issuer = "https://.okta.com"
+}
+```
diff --git a/examples/okta-sso/main.tf b/examples/okta-sso/main.tf
new file mode 100644
index 0000000..97715da
--- /dev/null
+++ b/examples/okta-sso/main.tf
@@ -0,0 +1,112 @@
+# ------ Variables ------ #
+variable "aws_access_key" {
+ type = string
+}
+variable "aws_secret_key" {
+ type = string
+}
+variable "region" {
+ type = string
+ default = "us-east-1"
+}
+variable "availability_zones" {
+ type = list(string)
+ default = ["us-east-1a", "us-east-1b"]
+}
+
+
+# ----------- Terraform setup ----------- #
+terraform {
+ required_version = ">1.8"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~>5.45"
+ }
+ }
+}
+provider "aws" {
+ access_key = ""
+ secret_key = ""
+ region = "us-east-1"
+}
+
+
+# ------ Data Sources ------ #
+data "aws_vpc" "default" {
+ default = true
+}
+data "aws_subnets" "default" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.default.id]
+ }
+}
+data "aws_security_group" "default" {
+ name = "default"
+ vpc_id = data.aws_vpc.default.id
+}
+
+
+# ------ Main ------ #
+module "main" {
+ source = "nebuly-ai/nebuly-platform/aws"
+ version = "0.5.0"
+
+ security_group = data.aws_security_group.default
+
+ eks_cloudwatch_observability_enabled = true
+ eks_cluster_endpoint_public_access = true
+ eks_kubernetes_version = "1.28"
+ allowed_inbound_cidr_blocks = {}
+
+ rds_multi_availability_zone_enabled = false
+ rds_availability_zone = var.availability_zones[0]
+
+ openai_endpoint = ""
+ openai_gpt4_deployment_name = ""
+ platform_domain = "your.domain.com"
+ nebuly_credentials = {
+ client_id = ""
+ client_secret = ""
+ }
+ okta_sso = {
+ client_id = ""
+ client_secret = ""
+ issuer = ""
+ }
+
+ vpc_id = data.aws_vpc.default.id
+ region = var.region
+ subnet_ids = data.aws_subnets.default.ids
+ resource_prefix = "nebuly"
+ openai_api_key = "my-key"
+}
+
+
+# ------ Outputs ------ #
+output "helm_values_bootstrap" {
+ value = module.main.helm_values_bootstrap
+ sensitive = true
+ description = <