Initial proposal for integration with Zitadel #148

Draft
wants to merge 2 commits into
base: main
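--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,51 @@
+# ======================= GENERAL CONTAINERS PARAMS ======================================
+# Domain name Everest is exposed.
+# Default=127.0.0.1.nip.io - points to 127.0.0.1
+# Mandatory.
+EVEREST_DOMAIN=127.0.0.1.nip.io
+
+# The prefix name for all Everest containers.
+# Default=everest
+# Optional.
+EVEREST_CONTAINER_PREFIX=everest
+
+# ======================== TRAEFIK PARAMS ======================================================
+# Exposed secured port.
+# Default 443
+# Optional.
+TRAEFIK_SECURE_HOST_PORT=443
+
+# Exposed incured port.
+# Traefik is configured to redirect all requests to SECURE ENDPOINT.
+# Default 80
+# Optional.
+TRAEFIK_INSECURE_HOST_PORT=80
+
+# ======================== ZITADEL PARAMS ==========================================================
+# Master encryption key for Zitadel.
+# Must be >=32 chars.
+# Mandatory.
+ZITADEL_MASTERKEY=
+
+# Used for sending e-mail to users.
+# Mandatory.
+SMTP_HOST=
+
+# Used for sending e-mail to users.
+# Mandatory.
+SMTP_USER=
+
+# Used for sending e-mail to users.
+# Mandatory.
+SMTP_PASSWORD=
+
+# ======================== EVERST BACKEND PARAMS ====================================
+# Everest backend docker container tag.
+# Default='dev-latest'.
+# Optional.
+#EVEREST_TAG=v0.1.0
+
+# OAuth Everest client JWT key path.
+# Mandatory.
+OAUTH_CLIENT_KEY_PATH=
+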
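Review bot: The real `.env` built from this template will hold `ZITADEL_MASTERKEY` and `SMTP_PASSWORD`, and the Makefile in this PR reads it with `include .env`, yet the diff does not show `.env` being added to `.gitignore`; confirm it is ignored before this merges. Two comment typos: `# Exposed incured port.` should read `# Exposed insecure port.`, and the header `EVERST BACKEND PARAMS` should be `EVEREST BACKEND PARAMS`. The `OAUTH_CLIENT_KEY_PATH` comment would also help readers if it said the file is bind-mounted into the backend container as `/oauth_client_key.json` (see the `everest` service in docker-compose.yml), so it must be an absolute host path.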
7 changes: 4 additions & 3 deletions Makefile
@@ -1,4 +1,5 @@
FILES = $(shell find . -type f -name '*.go')
include .env

default: help

Expand Down Expand Up @@ -45,14 +46,14 @@ run-debug: build-debug ## Run binary
bin/percona-everest-backend-debug

local-env-up: ## Start development environment
docker-compose up --detach --remove-orphans
CAROOT_PATH="$(shell mkcert -CAROOT)" docker-compose up --detach --remove-orphans

local-env-down: ## Stop development environment
docker-compose down --volumes --remove-orphans
CAROOT_PATH="$(shell mkcert -CAROOT)" docker-compose down --volumes --remove-orphans

cert: ## Install dev TLS certificates
mkcert -install
mkcert -cert-file=dev-cert.pem -key-file=dev-key.pem percona-everest-backend percona-everest-backend.localhost 127.0.0.1
mkcert -cert-file=dev-cert.pem -key-file=dev-key.pem percona-everest-backend percona-everest-backend.localhost *.${EVEREST_DOMAIN} ${EVEREST_DOMAIN} 127.0.0.1

k8s: ## Create a local minikube cluster
minikube start --nodes=3 --cpus=4 --memory=4g --apiserver-names host.docker.internal
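Review bot: `include .env` on line 2 is a hard include, so on a fresh clone every target — `make help`, `make cert`, `make local-env-up` — aborts with "No such file or directory" until someone creates `.env`; use `-include .env` so the file is optional, or add a rule that copies `.env.example` to `.env`. Once the include is optional, `${EVEREST_DOMAIN}` in the `cert` target expands to empty when `.env` is absent and mkcert is asked for the names `*.` and ``, so the target should guard it, e.g. `cert: ; @test -n "$(EVEREST_DOMAIN)" || (echo "EVEREST_DOMAIN is not set (copy .env.example to .env)"; exit 1)` as a first step. A one-line comment above `local-env-up` saying that `CAROOT_PATH` is consumed by the `everest` service volume in docker-compose.yml would explain why it is set from `mkcert -CAROOT` on both targets.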
8 changes: 8 additions & 0 deletions api/everest.go
Expand Up @@ -36,6 +36,7 @@ import (
"github.com/percona/percona-everest-backend/model"
"github.com/percona/percona-everest-backend/pkg/kubernetes"
"github.com/percona/percona-everest-backend/public"
zitadel_introspect "github.com/zitadel/zitadel-go/v2/pkg/api/middleware/http"
)

const (
Expand Down Expand Up @@ -136,6 +137,13 @@ func (e *EverestServer) initHTTPServer() error {

// Use our validation middleware to check all requests against the OpenAPI schema.
apiGroup := e.echo.Group(basePath)

introspection, err := zitadel_introspect.NewIntrospectionInterceptor(e.config.OAuthIssuerUrl, e.config.OAuthClientKeyPath)
if err != nil {
return errors.Wrap(err, "could not init auth middleware")
}

apiGroup.Use(echo.WrapMiddleware(introspection.Handler))
apiGroup.Use(middleware.OapiRequestValidatorWithOptions(swagger, &middleware.Options{
SilenceServersWarning: true,
}))
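Review bot: The import alias `zitadel_introspect` uses an underscore, which Go naming avoids; `zitadelhttp "github.com/zitadel/zitadel-go/v2/pkg/api/middleware/http"` reads better and matches the package's own name. `introspection.Handler` is registered on the whole `apiGroup`, so every route under `basePath` now requires a token and, as the interceptor's name suggests, each request is introspected against the issuer; a comment on the `apiGroup.Use(echo.WrapMiddleware(introspection.Handler))` line should state that all API routes (including any health or version endpoints, which this hunk does not show) are meant to be covered, and that the check costs a round trip to Zitadel per request. `e.config.OAuthIssuerUrl` and `e.config.OAuthClientKeyPath` both default to `""` in cmd/config/config.go, so whether an unconfigured deployment fails here or starts with a broken interceptor depends on the library; checking both are non-empty before this call, with a message naming the env vars, would make the failure explicit. `initHTTPServer` starts and ends outside the hunk.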
8 changes: 5 additions & 3 deletions cmd/config/config.go
Expand Up @@ -20,9 +20,11 @@ import "github.com/kelseyhightower/envconfig"

// EverestConfig stores the configuration for the application.
type EverestConfig struct {
DSN string `default:"postgres://admin:pwd@127.0.0.1:5432/postgres?sslmode=disable" envconfig:"DSN"`
HTTPPort int `default:"8080" envconfig:"HTTP_PORT"`
Verbose bool `default:"false" envconfig:"VERBOSE"`
DSN string `default:"postgres://admin:pwd@127.0.0.1:5432/postgres?sslmode=disable" envconfig:"DSN"`
HTTPPort int `default:"8080" envconfig:"HTTP_PORT"`
Verbose bool `default:"false" envconfig:"VERBOSE"`
OAuthIssuerUrl string `default:"" envconfig:"OAUTH_ISSUER_URL"`
OAuthClientKeyPath string `default:"" envconfig:"OAUTH_CLIENT_KEY_PATH"`
}
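Review bot: `OAuthIssuerUrl` and `OAuthClientKeyPath` carry `default:""`, so `ParseConfig` succeeds when neither variable is set even though api/everest.go passes both straight into the auth middleware; envconfig supports a `required:"true"` tag, so replacing the no-op `default:""` with `required:"true"` on both fields makes a missing `OAUTH_ISSUER_URL` or `OAUTH_CLIENT_KEY_PATH` fail at startup with a clear message. `OAuthIssuerUrl` should be `OAuthIssuerURL` per Go's initialism convention, with the matching rename at the use site in api/everest.go. Each new field also deserves a trailing comment, e.g. `// Zitadel issuer URL the API validates tokens against.` and `// Path to the OAuth client JWT key file used by the auth middleware.`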

// ParseConfig parses env vars and fills EverestConfig.
147 changes: 143 additions & 4 deletions docker-compose.yml
@@ -1,9 +1,148 @@
version: "3"
version: '3.8'

services:
traefik:
image: traefik:v2.10.1
container_name: "${EVEREST_CONTAINER_PREFIX:-everest}-traefik"
hostname: account.${EVEREST_DOMAIN}
networks:
- everest
restart: unless-stopped
environment:
# static configuration: https://docs.traefik.io/reference/static-configuration/env/

TRAEFIK_ACCESSLOG: "info"
TRAEFIK_LOG_LEVEL: "info"

TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
# in case browser doesn't support TLS1.3 change the value below to "tls12"
TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_OPTIONS: "tls13"

# setup traffic redirection to secured port.
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: "websecure"
TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: "https"
TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT: "true"

TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/traefik-dynamic.yml"

EVEREST_DOMAIN: "${EVEREST_DOMAIN}"

ports:
- "${TRAEFIK_INSECURE_HOST_PORT:-80}:80"
- "${TRAEFIK_SECURE_HOST_PORT:-443}:443"
volumes:
- ./traefik-dynamic.yml:/etc/traefik/traefik-dynamic.yml
- ./dev-cert.pem:/etc/traefik-ssl-cert/tls.crt
- ./dev-key.pem:/etc/traefik-ssl-cert/tls.key

zitadel:
image: ghcr.io/zitadel/zitadel:v2.35.0
container_name: "${EVEREST_CONTAINER_PREFIX:-everest}-zitadel"
restart: unless-stopped
networks:
- everest
command:
- start-from-init
- --config=/zitadel-config.yml
- --steps=/zitadel-init-steps.yml
- --masterkeyFromEnv
- --tlsMode=external
environment:
- ZITADEL_MASTERKEY=${ZITADEL_MASTERKEY}
- ZITADEL_EXTERNALDOMAIN=account.${EVEREST_DOMAIN}
- ZITADEL_EXTERNALPORT=${TRAEFIK_SECURE_HOST_PORT:-443}
- ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_HOST=${SMTP_HOST}
- ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_USER=${SMTP_USER}
- ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_PASSWORD=${SMTP_PASSWORD}
depends_on:
crdb:
Can it use Postgres?

condition: service_healthy
certs:
condition: service_completed_successfully
healthcheck:
test: [ "CMD", "/app/zitadel", "ready" ]
interval: 10s
timeout: 10s
retries: 5
start_period: 20s
volumes:
- ./zitadel-config.yml:/zitadel-config.yml:ro
- ./zitadel-init-steps.yml:/zitadel-init-steps.yml:ro
- zitadel-certs:/crdb-certs:ro

certs:
image: cockroachdb/cockroach:v22.2.2
container_name: "${EVEREST_CONTAINER_PREFIX:-everest}-certs"
entrypoint: [ '/bin/bash', '-c' ]
command: [ 'cp /certs/* /zitadel-certs/ &&
cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown 1000:1000 /zitadel-certs/*'
]
volumes:
- certs:/certs:ro
- zitadel-certs:/zitadel-certs:rw
depends_on:
crdb:
condition: service_healthy

crdb:
image: cockroachdb/cockroach:v22.2.2
container_name: "${EVEREST_CONTAINER_PREFIX:-everest}-crdb"
restart: unless-stopped
networks:
- everest
command:
- start-single-node
- --advertise-addr=crdb
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
interval: 10s
timeout: 30s
retries: 5
start_period: 10s
volumes:
- certs:/cockroach/certs:rw
- cockroach-data:/cockroach/cockroach-data:rw

pg:
image: postgres
image: postgres:15.4
container_name: "${EVEREST_CONTAINER_PREFIX:-everest}-pg"
restart: unless-stopped
networks:
- everest
environment:
- POSTGRES_USER=admin
- POSTGRES_PASSWORD=pwd
ports:
- 5432:5432
healthcheck:
test: [ "CMD-SHELL", "pg_isready -U admin" ]
interval: 5s
timeout: 5s
retries: 5

everest:
image: perconalab/everest:${EVEREST_TAG:-dev-latest}
container_name: "${EVEREST_CONTAINER_PREFIX:-everest}-backend"
pull_policy: always
restart: unless-stopped
networks:
- everest
depends_on:
pg:
condition: service_healthy
zitadel:
condition: service_healthy
environment:
- DSN=postgres://admin:pwd@pg:5432/postgres?sslmode=disable
- OAUTH_ISSUER_URL=https://account.${EVEREST_DOMAIN}
- OAUTH_CLIENT_KEY_PATH=/oauth_client_key.json
volumes:
- ${OAUTH_CLIENT_KEY_PATH}:/oauth_client_key.json:ro
- ${CAROOT_PATH:-.}:/etc/ssl/certs:ro

networks:
everest:

volumes:
certs:
zitadel-certs:
cockroach-data:
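Review bot: The `everest` service's last volume mounts `${CAROOT_PATH:-.}` over `/etc/ssl/certs`; mkcert's CAROOT holds `rootCA-key.pem` next to `rootCA.pem`, so this hands the development CA's private key to the backend container, and the `.` fallback mounts the whole repository — `dev-key.pem` and `.env` included — whenever `CAROOT_PATH` is unset. Mount only the certificate, `- ${CAROOT_PATH}/rootCA.pem:/etc/ssl/certs/mkcert-rootCA.pem:ro`, and drop the `.` default so a missing `CAROOT_PATH` fails the compose call instead of silently exposing the repo. Mounting a directory over `/etc/ssl/certs` also shadows whatever CA bundle the image ships there, so any other TLS endpoint the backend talks to (the Kubernetes API, for instance) would likely stop verifying; the single-file mount avoids that as well. A comment above the volume saying it exists only so the backend trusts the mkcert-issued Traefik certificate would keep the next reader from treating it as a production setting.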
7 changes: 6 additions & 1 deletion go.mod
Expand Up @@ -9,14 +9,15 @@ require (
github.com/getkin/kin-openapi v0.118.0
github.com/go-logr/zapr v1.2.4
github.com/golang-migrate/migrate/v4 v4.16.2
github.com/google/uuid v1.3.0
github.com/google/uuid v1.3.1
github.com/jinzhu/gorm v1.9.16
github.com/kelseyhightower/envconfig v1.4.0
github.com/labstack/echo/v4 v4.11.1
github.com/lib/pq v1.10.9
github.com/percona/everest-operator v0.0.9
github.com/pkg/errors v0.9.1
github.com/stretchr/testify v1.8.4
github.com/zitadel/zitadel-go/v2 v2.0.17
go.uber.org/zap v1.25.0
k8s.io/api v0.28.0
k8s.io/apimachinery v0.28.0
Expand Down Expand Up @@ -53,6 +54,8 @@ require (
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/gorilla/schema v1.2.0 // indirect
github.com/gorilla/securecookie v1.1.1 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-version v1.6.0 // indirect
Expand Down Expand Up @@ -86,6 +89,7 @@ require (
github.com/valyala/bytebufferpool v1.0.0 // indirect
github.com/valyala/fasttemplate v1.2.2 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
github.com/zitadel/oidc v1.13.4 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
Expand All @@ -102,6 +106,7 @@ require (
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
14 changes: 12 additions & 2 deletions go.sum
Expand Up @@ -140,10 +140,14 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJY
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
github.com/gorilla/schema v1.2.0 h1:YufUaxZYCKGFuAq3c96BOhjgd5nmXiOY9NGzF247Tsc=
github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
Expand Down Expand Up @@ -286,6 +290,10 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/zitadel/oidc v1.13.4 h1:+k2GKqP9Ld9S2MSFlj+KaNsoZ3J9oy+Ezw51EzSFuC8=
github.com/zitadel/oidc v1.13.4/go.mod h1:3h2DhUcP02YV6q/CA/BG4yla0o6rXjK+DkJGK/dwJfw=
github.com/zitadel/zitadel-go/v2 v2.0.17 h1:MKsiKxJqE0o3IxKd0zg6NLAnWxvdze5nRrXk0kLEvKc=
github.com/zitadel/zitadel-go/v2 v2.0.17/go.mod h1:pCT8y65qnRqTDBFf7UT5+6NAsAdfjgQCfn4BQ6pMWZ0=
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
Expand Down Expand Up @@ -433,6 +441,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=