spiffe · mrsabath · May 11, 2023 · Apr 26, 2023 · May 2, 2023 · May 2, 2023
@@ -3,6 +3,7 @@ on:
   push:
     branches:
     - main
+    - v1.2.0
 jobs:
   tornjak-build:
     runs-on: ubuntu-latest
@@ -16,9 +17,9 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: '1.17'
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3
         with:
-          node-version: '15'
+          node-version: '18'
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
@@ -34,26 +35,26 @@ jobs:
 
       # Deprecating the backend+spire image for now
       # - name: Set backend-spire image name
-      #   run: echo "CONTAINER_BACKEND_WITH_SPIRE_TAG=ghcr.io/${{ github.repository_owner }}/tornjak-be-spire-server:$GITHUB_SHA" >> $GITHUB_ENV
+      #   run: echo "CONTAINER_BACKEND_WITH_SPIRE_TAG=ghcr.io/${{ github.repository_owner }}/tornjak-backend-spire-server:$GITHUB_SHA" >> $GITHUB_ENV
       - name: Set backend image name
-        run: echo "CONTAINER_BACKEND_TAG=ghcr.io/${{ github.repository_owner }}/tornjak-be:$GITHUB_SHA" >> $GITHUB_ENV
+        run: echo "CONTAINER_BACKEND_TAG=ghcr.io/${{ github.repository_owner }}/tornjak-backend:$GITHUB_SHA" >> $GITHUB_ENV
       - name: Set frontend image name
-        run: echo "CONTAINER_FRONTEND_TAG=ghcr.io/${{ github.repository_owner }}/tornjak-fe:$GITHUB_SHA" >> $GITHUB_ENV
+        run: echo "CONTAINER_FRONTEND_TAG=ghcr.io/${{ github.repository_owner }}/tornjak-frontend:$GITHUB_SHA" >> $GITHUB_ENV
       - name: Set Tornjak image name
         run: echo "CONTAINER_TAG=ghcr.io/${{ github.repository_owner }}/tornjak:$GITHUB_SHA" >> $GITHUB_ENV
       - name: Set manager image name
         run: echo "CONTAINER_MANAGER_TAG=ghcr.io/${{ github.repository_owner }}/tornjak-manager:$GITHUB_SHA" >> $GITHUB_ENV
 
       # create images
       # - name: Build and push tornjak backend image
-      #   run: make container-tornjak-be-spire-push
+      #   run: make container-tornjak-backend-spire-push
       # Create tagged versioned images
-      # - name: Push artifacts for tornjak-be-spire-multiversions
-      #   run: make release-tornjak-be-spire-multiversions-ghcr
+      # - name: Push artifacts for tornjak-backend-spire-multiversions
+      #   run: make release-tornjak-backend-spire-multiversions-ghcr
       - name: Build and push tornjak backend image
-        run: make release-tornjak-be-ghcr
+        run: make release-tornjak-backend-ghcr
       - name: Build and push tornjak frontend image
-        run: make release-tornjak-fe-ghcr
+        run: make release-tornjak-frontend-ghcr
       - name: Build and push tornjak image
         run: make release-tornjak-ghcr
       - name: Build and push tornjak manager image

@@ -36,8 +36,8 @@ tornjak-manager
 bin/
 ui/
 ui-agent/
-agent
 node_modules/
 ui-manager/
 .idea/
-Makefile
+Makefile
+
@@ -30,7 +30,7 @@ Building Tornjak manually can be done with the Makefile. Notable make targets fo
 - `make bin/tornjak-backend`: makes the Go executable of the Tornjak backend
 - `make bin/tornjak-manager`: makes the Go executable of the Tornjak manager
 - `make ui-agent`: makes the optimized ReactJS app locally for the Tornjak frontend
-- `make container-tornjak-be`: containerizes Go executable of the Tornjak backend
+- `make container-tornjak-backend`: containerizes Go executable of the Tornjak backend
 - `make container-manager`:containerizes Go executable of the Tornjak manager
 - `make container-frontend`: containerizes React JS app for the Tornjak frontend
 - `make container-tornjak`: containerizes Tornjak backend with Tornjak frontend

@@ -1,4 +1,3 @@
-
 FROM node:16-alpine
 
 WORKDIR /usr/src/app
@@ -12,8 +11,7 @@ RUN npm prune --production
 # set env variables
 ENV REACT_APP_API_SERVER_URI $REACT_APP_API_SERVER_URI
 ENV REACT_APP_AUTH_SERVER_URI $REACT_APP_AUTH_SERVER_URI
-ENV NODE_OPTIONS $NODE_OPTIONS
-ARG NODE_OPTIONS=--openssl-legacy-provider
+ENV REACT_APP_SPIRE_HEALTH_CHECK_ENABLE $REACT_APP_SPIRE_HEALTH_CHECK_ENABLE
 
 ENV PORT_FE=3000
 EXPOSE $PORT_FE

@@ -3,7 +3,7 @@ FROM alpine:latest
 RUN apk add curl
 WORKDIR /
 COPY bin/tornjak-manager tornjak-manager
-COPY ui-manager ui-manager
+#COPY ui-manager ui-manager
 
 # Add init
 ENTRYPOINT ["/tornjak-manager"]
@@ -1,23 +1,23 @@
-.PHONY: ui vendor build ui-agent ui-manager container-tornjak-be-spire container-tornjak-be-spire-push container-manager container-manager-push release-tornjak-be-spire-multiversions push container-frontend container-frontend-push container-tornjak-be container-tornjak-be-push
+.PHONY: ui vendor build container-tornjak-backend-spire container-tornjak-backend-spire-push container-manager container-manager-push release-tornjak-backend-spire-multiversions push container-frontend container-frontend-push container-tornjak-backend container-tornjak-backend-push
 
 VERSION=$(shell cat version.txt)
 
 CONTAINER_TAG ?= tsidentity/tornjak:$(VERSION)
-CONTAINER_BACKEND_TAG ?= tsidentity/tornjak-be:$(VERSION)
-CONTAINER_BACKEND_WITH_SPIRE_TAG ?= tsidentity/tornjak-be-spire-server:latest
-CONTAINER_FRONTEND_TAG ?= tsidentity/tornjak-fe:$(VERSION)
-CONTAINER_BACKEND_SPIRE_VERSION_IMAGEPATH ?= tsidentity/tornjak-be-spire-server
+CONTAINER_BACKEND_TAG ?= tsidentity/tornjak-backend:$(VERSION)
+CONTAINER_BACKEND_WITH_SPIRE_TAG ?= tsidentity/tornjak-backend-spire-server:latest
+CONTAINER_FRONTEND_TAG ?= tsidentity/tornjak-frontend:$(VERSION)
+CONTAINER_BACKEND_SPIRE_VERSION_IMAGEPATH ?= tsidentity/tornjak-backend-spire-server
 
 CONTAINER_TORNJAK_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak
-CONTAINER_BACKEND_SPIRE_VERSION_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak-be-spire-server
-CONTAINER_BACKEND_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak-be
-CONTAINER_FRONTEND_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak-fe
+CONTAINER_BACKEND_SPIRE_VERSION_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak-backend-spire-server
+CONTAINER_BACKEND_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak-backend
+CONTAINER_FRONTEND_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak-frontend
 CONTAINER_MANAGER_GHCR_IMAGEPATH ?= ghcr.io/spiffe/tornjak-manager
 
 CONTAINER_MANAGER_TAG ?= tsidentity/tornjak-manager:$(VERSION)
 GO_FILES := $(shell find . -type f -name '*.go' -not -name '*_test.go' -not -path './vendor/*')
 
-all: bin/tornjak-backend bin/tornjak-manager ui-manager container-manager container-frontend container-tornjak-be
+all: bin/tornjak-backend bin/tornjak-manager ui-manager container-manager container-frontend container-tornjak-backend
 
 bin/tornjak-backend: $(GO_FILES) vendor
 	# Build hack because of flake of imported go module
@@ -51,19 +51,19 @@ vendor:
 
 
 # Containerized components
-container-tornjak-be: bin/tornjak-backend
+container-tornjak-backend: bin/tornjak-backend
 	docker build --no-cache -f Dockerfile.backend-container -t ${CONTAINER_BACKEND_TAG} .
 
-container-tornjak-be-push: container-tornjak-be
+container-tornjak-backend-push: container-tornjak-backend
 	docker push ${CONTAINER_BACKEND_TAG}
 
-container-tornjak-be-spire: bin/tornjak-backend
+container-tornjak-backend-spire: bin/tornjak-backend
 	docker build --no-cache -f Dockerfile.add-backend -t ${CONTAINER_BACKEND_WITH_SPIRE_TAG} .
 
-container-tornjak-be-spire-push: container-tornjak-be-spire
+container-tornjak-backend-spire-push: container-tornjak-backend-spire
 	docker push ${CONTAINER_BACKEND_WITH_SPIRE_TAG}
 
-container-manager: bin/tornjak-manager ui-manager
+container-manager: bin/tornjak-manager #ui-manager
 	docker build --no-cache -f Dockerfile.tornjak-manager -t ${CONTAINER_MANAGER_TAG} .
 
 container-manager-push: container-manager
@@ -72,6 +72,10 @@ container-manager-push: container-manager
 container-frontend: #ui-agent 
 	docker build --no-cache -f Dockerfile.frontend-container -t ${CONTAINER_FRONTEND_TAG} .
 
+compose-frontend: 
+	docker-compose -f docker-compose-frontend.yml up --build --force-recreate -d
+	docker tag tornjak-public_tornjak-frontend:latest ${CONTAINER_FRONTEND_TAG}
+
 container-frontend-push: container-frontend
 	docker push ${CONTAINER_FRONTEND_TAG}
 
@@ -84,24 +88,24 @@ container-tornjak-push: container-tornjak
 
 
 # releases for Github Container Registry
-release-tornjak-be-ghcr: container-tornjak-be
+release-tornjak-backend-ghcr: container-tornjak-backend
 	docker tag ${CONTAINER_BACKEND_TAG} ${CONTAINER_BACKEND_GHCR_IMAGEPATH}:latest
 	docker tag ${CONTAINER_BACKEND_TAG} ${CONTAINER_BACKEND_GHCR_IMAGEPATH}:$(VERSION)
 	docker push ${CONTAINER_BACKEND_TAG}
 	docker push ${CONTAINER_BACKEND_GHCR_IMAGEPATH}:latest
 	docker push ${CONTAINER_BACKEND_GHCR_IMAGEPATH}:${VERSION}
 
-release-tornjak-be-spire-multiversions: bin/tornjak-backend
+release-tornjak-backend-spire-multiversions: bin/tornjak-backend
 	for i in $(shell cat SPIRE_BUILD_VERSIONS); do \
 		./build-and-push-versioned-container.sh $$i ${CONTAINER_BACKEND_SPIRE_VERSION_IMAGEPATH}; \
 	done
 
-release-tornjak-be-spire-multiversions-ghcr: bin/tornjak-backend
+release-tornjak-backend-spire-multiversions-ghcr: bin/tornjak-backend
 	for i in $(shell cat SPIRE_BUILD_VERSIONS); do \
 		./build-and-push-versioned-container.sh $$i ${CONTAINER_BACKEND_SPIRE_VERSION_GHCR_IMAGEPATH}; \
 	done
 
-release-tornjak-fe-ghcr: container-frontend
+release-tornjak-frontend-ghcr: container-frontend
 	docker tag ${CONTAINER_FRONTEND_TAG} ${CONTAINER_FRONTEND_GHCR_IMAGEPATH}:latest
 	docker tag ${CONTAINER_FRONTEND_TAG} ${CONTAINER_FRONTEND_GHCR_IMAGEPATH}:$(VERSION)
 	docker push ${CONTAINER_FRONTEND_TAG}

@@ -18,7 +18,7 @@ This can be thought about as a central management plane for identities across SP
 The following are guides on how to try out Tornjak:
 - [Tornjak simple deployment with SPIRE k8s quickstart](docs/quickstart/README.md)
 
-A list of releases can be found at [https://github.com/spiffe/tornjak/releases](https://github.com/spiffe/tornjak/releases). These releases include source code for each stable version of Tornjak image tags. The tag `tornjak-X.Y.Z` corresponds to official pre-built released image. For example, for `tornjak-be`, the pre-built image corresponding to the code at release `tornjak-X.Y.Z` is `tornjak-be:vX.Y.Z`. 
+A list of releases can be found at [https://github.com/spiffe/tornjak/releases](https://github.com/spiffe/tornjak/releases). These releases include source code for each stable version of Tornjak image tags. The tag `tornjak-X.Y.Z` corresponds to official pre-built released image. For example, for `tornjak-backend`, the pre-built image corresponding to the code at release `tornjak-X.Y.Z` is `tornjak-backend:vX.Y.Z`. 
 
 Here are a few additional resources:
 - [Tornjak basic functions demo](https://www.youtube.com/watch?v=dOdRu4psKJ8)

@@ -1,9 +1,9 @@
 # Usage
 
 We publish four container images currently:
-- [Tornjak Backend](https://github.com/spiffe/tornjak/pkgs/container/tornjak-be): This image can be deployed as a sidecar with any SPIRE server. 
+- [Tornjak Backend](https://github.com/spiffe/tornjak/pkgs/container/tornjak-backend): This image can be deployed as a sidecar with any SPIRE server. 
 - [Tornjak Manager](https://github.com/spiffe/tornjak/pkgs/container/tornjak-manager): A container that runs this image exposes a port to register multiple Tornjak backends and forward typical commands to multiple Tornjak backends from one API. 
-- [Tornjak Frontend](https://github.com/spiffe/tornjak/pkgs/container/tornjak-fe): This image is typically deployed after the Tornjak Backend or Manager are deployed, as it requires a URL to connect directly to the Tornjak backend API.  
+- [Tornjak Frontend](https://github.com/spiffe/tornjak/pkgs/container/tornjak-frontend): This image is typically deployed after the Tornjak Backend or Manager are deployed, as it requires a URL to connect directly to the Tornjak backend API.  
 - [Tornjak](https://github.com/spiffe/tornjak/pkgs/container/tornjak): This image containing both Tornjak Backend and Frontend components can deployed as a sidecar alongside a SPIRE Server container
 
 NOTE: Previously, we had images placing the Tornjak backend and SPIRE server in the same container, but these are currently deprecated. The above is a comprehensive list of images
@@ -16,12 +16,12 @@ This is meant to be deployed where it can access a SPIRE server. To run, the con
 
 | Flag                   | Description                                                 | Default | Arguments | Required |
 |:-----------------------|:------------------------------------------------------------|:--------|:----------|:---------|
-| `--config, -c`         | Config file path for SPIRE server                           |         | `<path>`  | true     |
-| `--tornjak-config, -t` | Config file path for Tornjak (see our [configuration reference](./docs/config-tornjak-agent.md)) | | `<path>` | false |
+| `--spire-config`       | Config file path for SPIRE server                           |         | `<path>`  | true     |
+| `--tornjak-config`     | Config file path for Tornjak (see our [configuration reference](./docs/config-tornjak-agent.md)) | | `<path>` | true |
 | `--expandEnv`          | If included, expand environment variables in Tornjak config | False   |           | false    |
 
 ```
-docker run -p 10000:10000 ghcr.io/spiffe/tornjak-be:latest -c <SPIRE CONFIG PATH> -t <TORNJAK CONFIG PATH> -expandEnv
+docker run -p 10000:10000 ghcr.io/spiffe/tornjak-backend:latest -c <SPIRE CONFIG PATH> -t <TORNJAK CONFIG PATH> -expandEnv
 ```
 
 The above command creates a container listening at http://localhost:10000 for Tornjak API calls. Note that the config files must be accessible from INSIDE the container. Also note, this expands the container's environment variables in the Tornjak config map. 
@@ -50,14 +50,13 @@ The frontend is meant to connect to either the Tornjak backend or the Tornjak ma
 | `REACT_APP_AUTH_SERVER_URI` | URI for the Keycloak instance to obtain access tokens |  | `http://localhost:8080` | false |
 | `PORT_FE` | Port for the frontend to run | `3000` | `3000` | true |
 | `PORT_BE` | Port for the backend to run | `10000` | `10000` | true |
-| `REACT_APP_SPIRE_HEALTH_CHECK` | Enable SPIRE health check component | `true` | `true` | false |
-| `REACT_APP_SPIRE_HEALTH_CHECK_TIME` | Set how often SPIRE health should be checked, if component enabled | `120` | `240` | false |
+| `REACT_APP_SPIRE_HEALTH_CHECK_ENABLE` | Enable SPIRE health check component | `false` | `true` | false |
 
 ```
-docker run -p 3000:8080 -e REACT_APP_API_SERVER_URI='http://localhost:50000' -e REACT_APP_TORNJAK_MANAGER=true -e PORT_FE-8080 -e REACT_APP_SPIRE_HEALTH_CHECK=true -e REACT_APP_SPIRE_HEALTH_CHECK_TIME=120 ghcr.io/spiffe/tornjak-fe:latest
+docker run -p 3000:8080 -e REACT_APP_API_SERVER_URI='http://localhost:50000' -e REACT_APP_TORNJAK_MANAGER=true -e PORT_FE-8080 -e REACT_APP_SPIRE_HEALTH_CHECK=true ghcr.io/spiffe/tornjak-frontend:latest
 ```
 
-The above command is an example of how to run the frontend. This creates a UI available at http://localhost:3000 forwarded from container port `8080`. It is listening to a Tornjak manager component available at http://localhost:50000, and knows to run in manager mode with the `REACT_APP_TORNJAK_MANAGER` flag. The last two environment variables namely, [`REACT_APP_SPIRE_HEALTH_CHECK` & `REACT_APP_SPIRE_HEALTH_CHECK_TIME`] are used to enable the SPIRE health check component and set how often it should be checked respectively. 
+The above command is an example of how to run the frontend. This creates a UI available at http://localhost:3000 forwarded from container port `8080`. It is listening to a Tornjak manager component available at http://localhost:50000, and knows to run in manager mode with the `REACT_APP_TORNJAK_MANAGER` flag. The last environment variables namely, `REACT_APP_SPIRE_HEALTH_CHECK_ENABLE` is used to enable the SPIRE health check component. 
 
 ## Tornjak
 

@@ -0,0 +1,15 @@
+version: "3.8"
+services:
+  tornjak-frontend:
+    build:
+      context: ./
+      dockerfile: Dockerfile.frontend-container
+    container_name: tornjak-frontend
+    restart: always
+    ports:
+      - "3000:8080"
+    environment:
+      - "PORT_FE=8080"
+      - "REACT_APP_API_SERVER_URI=http://localhost:10000"
+    #   - "REACT_APP_AUTH_SERVER_URI=http://localhost:8080"
+      - REACT_APP_SPIRE_HEALTH_CHECK_ENABLE=false
@@ -1,14 +1,22 @@
 server {
-  metadata = "insert metadata"
+  # location of SPIRE socket
+  # here, set to default SPIRE socket path
+  spire_socket_path = "unix:///tmp/spire-server/private/api.sock"
+
+  # configure HTTP connection to Tornjak server
+  http {
+    enabled = true
+    port = 10000 # opens at port 10000
+  }
+
 }
 
 plugins {
-  DataStore "sql" {
+  DataStore "sql" { # local database plugin
     plugin_data {
       drivername = "sqlite3"
-      filename = "/run/spire/data/tornjak.sqlite3"
+      filename = "/run/spire/data/tornjak.sqlite3" # stores locally in this file
     }
   }
 
 }
-
@@ -0,0 +1,74 @@
+server {
+  # location of SPIRE socket
+  # here, set to default SPIRE socket path
+  spire_socket_path = "unix:///tmp/spire-server/private/api.sock"
+
+  ### BEGIN SERVER CONNECTION CONFIGURATION ###
+  # Note: at least one of http, tls, and mtls must be configured
+  # The server can open multiple if multiple sections included
+  # The server only ends when all connections error
+
+  # configure HTTP connection to Tornjak server
+  http {
+    enabled = true
+    port = 10000 # container port for HTTP connection
+  }
+
+  # configure TLS connection to Tornjak server
+  tls {
+    enabled = true
+    port = 20000                 # container port for TLS connection
+    cert = "sample-keys/tls.pem" # TLS cert
+    key = "sample-keys/key.pem"  # TLS key
+  }
+
+  # configure mTLS connection to Tornjak server
+  mtls {
+    enabled = true
+    port = 30000                  # container port for mTLS connection
+    cert = "sample-keys/tls.pem"  # mTLS cert
+    key = "sample-keys/key.pem"   # mTLS key
+    ca = "sample-keys/rootCA.pem" # mTLS CA
+  }
+
+  ### END SERVER CONNECTION CONFIGURATION ###
+}
+
+plugins {
+
+  ### BEGIN DATASTORE PLUGIN CONFIGURATION ###
+
+  # Configure SQL local database for Tornjak
+  DataStore "sql" {
+    plugin_data {
+      drivername = "sqlite3"
+      filename = "/run/spire/data/tornjak.sqlite3" # location of database
+    }
+  }
+
+  ### END DATASTORE PLUGIN CONFIGURATION
+
+  ### BEGIN IAM PLUGIN CONFIGURATION ###
+  # Note: if no UserManagement configuration included, authentication treated as noop
+
+  # Configure Keycloak as external Authentication server
+  UserManagement "KeycloakAuth" {
+    plugin_data {
+      # jwksURL - URL for JWKS verification
+      # here is a sample for Keycloak running locally on Minikube
+      jwksURL = "http://host.minikube.internal:8080/realms/tornjak/protocol/openid-connect/certs"
+      # for cloud deployment it would be something like:
+      # jwksURL = "http://<ingress_access>/realms/tornjak/protocol/openid-connect/certs"
+
+      # redirectURL - URL for redirecting after successful authentication
+      # here is a sample for Keycloak running locally on minikube
+      redirectURL = "http://localhost:8080/realms/tornjak/protocol/openid-connect/auth?client_id=Tornjak-React-auth"
+      # for a cloud deployment it would look something like:
+      # redirectURL= "http://<ingress_access>/realms/tornjak/protocol/openid-connect/auth?client_id=Tornjak-React-auth"
+    }
+  }
+
+  ### END IAM PLUGIN CONFIGURATION
+
+
+}