Merge branch 'main' into fix_eol_filtering

canonical · Nov 8, 2024 · c28721b · c28721b
2 parents b20304a + 000b072
commit c28721b
Show file tree

Hide file tree

Showing 23 changed files with 520 additions and 29 deletions.
diff --git a/.github/workflows/Vulnerability-Scan.yaml b/.github/workflows/Vulnerability-Scan.yaml
@@ -32,6 +32,8 @@ env:
   TEST_IMAGE_NAME: 'test-img'
   TEST_IMAGE_TAG: 'test'
   SKOPEO_IMAGE: 'quay.io/skopeo/stable:v1.15.1'
+  TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
+  TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
 
 jobs:
   test-vulnerabilities:
@@ -96,7 +98,7 @@ jobs:
           echo "file=$file" >> "$GITHUB_OUTPUT"
 
       - name: Scan for vulnerabilities
-        uses: aquasecurity/trivy-action@0.9.2
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           # NOTE: we're allowing images with vulnerabilities to be published
           ignore-unfixed: true
@@ -198,7 +200,7 @@ jobs:
       - test-vulnerabilities
     env:
       GITHUB_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }}
-    if: ${{ !cancelled() }}
+    if: ${{ !cancelled() && github.event_name != 'pull_request' }}
     steps:
       - uses: actions/checkout@v4
 

diff --git a/oci/hydra/_releases.json b/oci/hydra/_releases.json
@@ -0,0 +1,47 @@
+{
+    "2.2.0-22.04": {
+        "end-of-life": "2025-05-01T00:00:00Z",
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "1"
+        },
+        "beta": {
+            "target": "2.2.0-22.04_candidate"
+        },
+        "edge": {
+            "target": "1"
+        }
+    },
+    "2-22.04": {
+        "end-of-life": "2025-02-07T00:00:00Z",
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "2-22.04_stable"
+        },
+        "beta": {
+            "target": "2-22.04_candidate"
+        },
+        "edge": {
+            "target": "2-22.04_beta"
+        }
+    },
+    "2canonical-22.04": {
+        "end-of-life": "2025-02-07T00:00:00Z",
+        "stable": {
+            "target": "4"
+        },
+        "candidate": {
+            "target": "2canonical-22.04_stable"
+        },
+        "beta": {
+            "target": "2canonical-22.04_candidate"
+        },
+        "edge": {
+            "target": "2canonical-22.04_beta"
+        }
+    }
+}
diff --git a/oci/hydra/contacts.yaml b/oci/hydra/contacts.yaml
@@ -2,4 +2,6 @@ notify:
   emails:
     - [email protected]
   mattermost-channels:
-    - ofi4for9obfq8m978h318x56ar
+    - ofi4for9obfq8m978h318x56ar
+maintainers:
+  - canonical-iam
diff --git a/oci/hydra/documentation.yaml b/oci/hydra/documentation.yaml
@@ -1,6 +1,6 @@
 version: 1
 application: hydra
-is_chiselled: False
+is_chiselled: True
 description: |
   Ory Hydra is a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider
   optimized for low-latency, high throughput, and low resource consumption.
@@ -43,4 +43,6 @@ parameters:
   - type: CMD
     value: "hydra serve all --config /hydra.yaml"
     description: >
-      Launch Hydra web server(s) using a mix of environment variables and the config mounted via volume.
+      Launch Hydra web server(s) using a mix of environment variables and the config mounted via volume.
+debug:
+  text: ""
diff --git a/oci/identity-platform-admin-ui/_releases.json b/oci/identity-platform-admin-ui/_releases.json
@@ -0,0 +1,44 @@
+{
+    "1.19.0-22.04": {
+        "end-of-life": "2025-03-01T00:00:00Z",
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "1"
+        },
+        "beta": {
+            "target": "1.19.0-22.04_candidate"
+        },
+        "edge": {
+            "target": "1"
+        }
+    },
+    "1-22.04": {
+        "end-of-life": "2025-04-24T00:00:00Z",
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "1-22.04_stable"
+        },
+        "beta": {
+            "target": "1-22.04_candidate"
+        },
+        "edge": {
+            "target": "1-22.04_beta"
+        }
+    },
+    "1.21.0-22.04": {
+        "end-of-life": "2024-11-07T00:00:00Z",
+        "candidate": {
+            "target": "3"
+        },
+        "beta": {
+            "target": "1.21.0-22.04_candidate"
+        },
+        "edge": {
+            "target": "3"
+        }
+    }
+}
diff --git a/oci/identity-platform-admin-ui/contacts.yaml b/oci/identity-platform-admin-ui/contacts.yaml
@@ -0,0 +1,7 @@
+notify:
+  emails:
+    - [email protected]
+  mattermost-channels:
+    - ofi4for9obfq8m978h318x56ar
+maintainers:
+  - canonical-iam
diff --git a/oci/identity-platform-admin-ui/documentation.yaml b/oci/identity-platform-admin-ui/documentation.yaml
@@ -0,0 +1,139 @@
+version: 1
+application: identity-platform-admin-ui
+is_chiselled: True
+description: |
+  Canonical IAM Admin UI is a component that allows you to interact with the components
+  that are part of the Identity Platform solution.
+  
+  It provides a set of API to view,modify and delete resources on Ory Kratos, Ory Hydra 
+  Ory Oathkeeper and OpenFGA
+
+  For further information check our repository on Github https://github.com/canonical/identity-platform-admin-ui
+docker:
+  parameters:
+    - -p 8080:8080
+  access: Access the API at `http://localhost:8080`.
+parameters:
+  - type: -e
+    value: 'TRACING_ENABLED=true'
+    description: Tracing enablement.
+  - type: -e
+    value: 'OTEL_GRPC_ENDPOINT=tempo-0.tempo-endpoints.stg-identity-jaas-dev.svc.cluster.local:4317'
+    description: Tracing server GRPC endpoint, has priority on OTEL_HTTP_ENDPOINT.
+  - type: -e
+    value: 'OTEL_HTTP_ENDPOINT=http://tempo-0.tempo-endpoints.stg-identity-jaas-dev.svc.cluster.local:4318'
+    description: Tracing server HTTP endpoint.
+  - type: -e
+    value: 'MFA_ENABLED="true"'
+    description: Enable MFA validation on logins.
+  - type: -e
+    value: 'HYDRA_ADMIN_URL=http://hydra.io:4445'
+    description: Hydra Admin API URL, used to manage clients
+  - type: -e
+    value: 'KRATOS_ADMIN_URL=http://kratos.io:4434'
+    description: Kratos Admin API URL, used to manage identities
+  - type: -e
+    value: 'KRATOS_PUBLIC_URL=http://kratos.io:4433'
+    description: Kratos Public API URL, used to manage identities
+  - type: -e
+    value: 'OATHKEEPER_PUBLIC_URL=http://oathkeeper.io:4455'
+    description: Oathkeeper Public API URL, used to manage rules
+  - type: -e
+    value: 'BASE_URL=https://iam.io/dev/path'
+    description: Public URL Login UI will be served from.
+  - type: -e
+    value: 'ACCESS_TOKEN_VERIFICATION_STRATEGY=jwks'
+    description: Strategy used to verify JWT tokens.
+  - type: -e
+    value: 'AUTHENTICATION_ENABLED="true"'
+    description: Authentication enable flag.
+  - type: -e
+    value: 'AUTHORIZATION_ENABLED="true"'
+    description: Authorization enable flag.
+  - type: -e
+    value: 'CONTEXT_PATH=/dev/path'
+    description: Path needed by the UI to work behind an ingress proxy.
+  - type: -e
+    value: 'IDP_CONFIGMAP_NAME=providers'
+    description: Name of kubernetes configmap where Kratos IDP are configured.
+  - type: -e
+    value: 'IDP_CONFIGMAP_NAMESPACE=default'
+    description: Namespace of kubernetes configmap where Kratos IDP are configured.
+  - type: -e
+    value: 'RULES_CONFIGMAP_NAME=rules'
+    description: Name of kubernetes configmap where Oathkeeper rules are configured.
+  - type: -e
+    value: 'RULES_CONFIGMAP_NAMESPACE=default'
+    description: Namespace of kubernetes configmap where Oathkeeper rules are configured.
+  - type: -e
+    value: 'RULES_CONFIGMAP_FILENAME=rules.yaml'
+    description: Name of the file where Oathkeeper rules are configured.
+  - type: -e
+    value: 'SCHEMAS_CONFIGMAP_NAME=schemas'
+    description: Name of kubernetes configmap where Kratos identity schemas are configured.
+  - type: -e
+    value: 'SCHEMAS_CONFIGMAP_NAMESPACE=default'
+    description: Namespace of kubernetes configmap where Kratos identity schemas are configured.
+  - type: -e
+    value: '[email protected]'
+    description: Email sender
+  - type: -e
+    value: 'MAIL_HOST=smtp.io'
+    description: SMPT server host
+  - type: -e
+    value: 'MAIL_PASSWORD="***********************************"'
+    description: SMTP password
+  - type: -e
+    value: 'MAIL_PORT="1025"'
+    description: SMTP server port
+  - type: -e
+    value: 'MAIL_USERNAME="***********************************"'
+    description: SMTP password
+  - type: -e
+    value: 'OAUTH2_AUTH_COOKIES_ENCRYPTION_KEY="***********************************"'
+    description: Key used to encrypt authentication cookies
+  - type: -e
+    value: 'OAUTH2_CLIENT_ID=***********************************'
+    description: OAuth2 client ID, needed for OIDC authentication
+  - type: -e
+    value: 'OAUTH2_CLIENT_SECRET=***********************************'
+    description: OAuth2 client secret, needed for OIDC authentication
+  - type: -e
+    value: 'OAUTH2_CODEGRANT_SCOPES=openid,email,profile,offline_access'
+    description: OAuth2 scopes needed by the application, needed for OIDC authentication 
+  - type: -e
+    value: 'OAUTH2_REDIRECT_URI=https://iam..io/dev/api/v0/auth/callback'
+    description: OAuth2 redirect uri where /api/v0/auth/callback is the endpoint used by the application, needed for OIDC authentication
+  - type: -e
+    value: 'OIDC_ISSUER=https://iam.dev.canonical.com/stg-identity-jaas-dev-hydra'
+    description: OAuth2 server issuer
+  - type: -e
+    value: 'OPENFGA_API_HOST=openfga:8443'
+    description: OpenFGA server address 
+  - type: -e
+    value: 'OPENFGA_API_SCHEME=http'
+    description: OpenFGA server scheme
+  - type: -e
+    value: 'OPENFGA_API_TOKEN=***********************************'
+    description: OpenFGA server API token, needed for authentication to the server
+  - type: -e
+    value: 'OPENFGA_AUTHORIZATION_MODEL_ID=***********************************'
+    description: OpenFGA model ID
+  - type: -e
+    value: 'OPENFGA_STORE_ID=***********************************'
+    description: OpenFGA store ID 
+  - type: -e
+    value: 'LOG_FILE=log.txt'
+    description: Destination file for logs.
+  - type: -e
+    value: 'LOG_LEVEL=error'
+    description: Log level.
+  - type: -p
+    value: '8080:8080'
+    description: Server API port.
+  - type: CMD
+    value: '/usr/bin/identity-platform-admin-ui serve'
+    description: >
+      Launch Admin UI web server(s) using environment variables.
+debug:
+  text: ""
diff --git a/oci/identity-platform-admin-ui/image.yaml b/oci/identity-platform-admin-ui/image.yaml
@@ -0,0 +1,12 @@
+version: 1
+upload:
+  - source: "canonical/identity-platform-admin-ui"
+    commit: c46a9568f9be665f86aa5a274d8ac9d90054ba6b
+    directory: .
+    release:
+      1.19.0-22.04:
+        risks:
+          - stable
+          - candidate
+          - edge
+        end-of-life: "2025-03-01T00:00:00Z"
diff --git a/oci/identity-platform-login-ui/contacts.yaml b/oci/identity-platform-login-ui/contacts.yaml
@@ -0,0 +1,7 @@
+notify:
+  emails:
+    - [email protected]
+  mattermost-channels:
+    - ofi4for9obfq8m978h318x56ar
+maintainers:
+  - canonical-iam
diff --git a/oci/identity-platform-login-ui/documentation.yaml b/oci/identity-platform-login-ui/documentation.yaml
@@ -0,0 +1,54 @@
+version: 1
+application: identity-platform-login-ui
+is_chiselled: True
+description: |
+  Canonical IAM Login UI is a core components of the Identity Platform solution.
+  
+  It provides a way to login using OIDC via interactions with Ory Kratos and Ory Hydra, also allows
+  you to manage self service functionalities for everything related to authentication 
+
+  For further information check our repository on Github https://github.com/canonical/identity-platform-login-ui
+docker:
+  parameters:
+    - -p 8080:8080
+  access: Access the API at `http://localhost:8080`.
+parameters:
+  - type: -e
+    value: 'TRACING_ENABLED=true'
+    description: Tracing enablement.
+  - type: -e
+    value: 'OTEL_GRPC_ENDPOINT=tempo-0.tempo-endpoints.stg-identity-jaas-dev.svc.cluster.local:4317'
+    description: Tracing server GRPC endpoint, has priority on OTEL_HTTP_ENDPOINT.
+  - type: -e
+    value: 'OTEL_HTTP_ENDPOINT=http://tempo-0.tempo-endpoints.stg-identity-jaas-dev.svc.cluster.local:4318'
+    description: Tracing server HTTP endpoint.
+  - type: -e
+    value: 'MFA_ENABLED="true"'
+    description: Enable MFA validation on logins.
+  - type: -e
+    value: 'HYDRA_ADMIN_URL=http://hydra.io:4445'
+    description: Hydra Admin API URL, used to validate logins 
+  - type: -e
+    value: 'KRATOS_ADMIN_URL=http://kratos.io:4434'
+    description: Kratos Admin API URL, used to manage identities
+  - type: -e
+    value: 'KRATOS_PUBLIC_URL=http://kratos.io:4433'
+    description: Kratos Public API URL, used to manage identities
+  - type: -e
+    value: 'BASE_URL=https://iam.io/dev/path'
+    description: Public URL Login UI will be served from.
+  - type: -e
+    value: 'LOG_FILE=log.txt'
+    description: Destination file for logs.
+  - type: -e
+    value: 'LOG_LEVEL=error'
+    description: Log level.
+  - type: -p
+    value: '8080:8080'
+    description: Server API port.
+  - type: CMD
+    value: '/usr/bin/identity-platform-login-ui serve'
+    description: >
+      Launch Login UI web server(s) using environment variables.
+debug:
+  text: ""
diff --git a/oci/identity-platform-login-ui/image.yaml b/oci/identity-platform-login-ui/image.yaml
@@ -0,0 +1,12 @@
+version: 1
+upload:
+  - source: "canonical/identity-platform-login-ui"
+    commit: 3c03717429801d1334ca7feb4dd2a2e2793ca4ff
+    directory: .
+    release:
+      0.18.3-22.04:
+        risks:
+          - stable
+          - candidate
+          - edge
+        end-of-life: "2025-03-01T00:00:00Z"