Merge pull request #25 from swaroopar/feature/buildDevZitadelImage

Feature/build dev zitadel image

Author: iskey

.github/workflows/build-zitadel-dev-images.yml

@@ -0,0 +1,89 @@
+name: Build Zitadel Dev Images
+
+on:
+  workflow_dispatch:
+
+env:
+  BOT_USER_NAME: eclipse-xpanse-bot
+  BOT_EMAIL_ID: xpanse-bot@eclipse.org
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Github Packages
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ env.BOT_USER_NAME }}
+          password: ${{ secrets.BOT_GITHUB_DOCKER_TOKEN }}
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.1
+
+      - name: build custom postgres image with changed PGDATA
+        run: |
+          docker build -t custom-pg-db:latest .
+        working-directory: zitadel/local/build
+
+      - name: start containers using docker build
+        run: |
+          mkdir ${{ runner.temp }}/machinekey
+          VOLUME_POINT=${{ runner.temp }}/machinekey docker compose up -d
+        working-directory: zitadel/local/build
+
+      - name: Wait for API Response
+        uses: mydea/action-wait-for-api@v1
+        continue-on-error: true
+        with:
+          url: "http://localhost:8088/debug/healthz"
+          expected-status: "200"   # You can specify other 2xx codes as needed
+          timeout: "60"           # Maximum wait time in seconds
+          interval: "10"
+
+      - name: copy admin service account key
+        run: |
+          cp ${{ runner.temp }}/machinekey/* .
+        working-directory: zitadel/terraform
+
+      - name: configure Zitadel
+        run: |
+          terraform init 
+          terraform apply -var-file=environments/local.tfvars -auto-approve
+          terraform output -json > output.json
+        working-directory: zitadel/terraform
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: access details  # Name of the artifact
+          path: zitadel/terraform/*.json
+
+      - name: commit images
+        run: |
+          JOB_LINK="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          docker stop compose-zitadel-1
+          docker stop compose-db-1
+          docker commit  --change="LABEL job_link=\"$JOB_LINK\""  compose-zitadel-1 xpanse-zitadel-dev-server
+          docker commit  --change="LABEL job_link=\"$JOB_LINK\""  compose-db-1 xpanse-zitadel-dev-db
+
+      - name: Build and push Docker image
+        run: |
+          JOB_LINK="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          docker tag xpanse-zitadel-dev-server:latest ${{ env.REGISTRY }}/${{ github.repository_owner }}/xpanse-zitadel-dev-server:latest
+          docker tag xpanse-zitadel-dev-db:latest ${{ env.REGISTRY }}/${{ github.repository_owner }}/xpanse-zitadel-dev-db:latest
+          docker push ${{ env.REGISTRY }}/${{ github.repository_owner }}/xpanse-zitadel-dev-server:latest
+          docker push ${{ env.REGISTRY }}/${{ github.repository_owner }}/xpanse-zitadel-dev-db:latest

.gitignore

@@ -5,4 +5,5 @@
 *.hcl
 *.tfstate
 *token.json
-*.tfstate.backup
+*.tfstate.backup
+zitadel-admin-sa.json

zitadel/README.md

@@ -12,7 +12,7 @@ config the xpanse project with the service instance of Zitadel.
 
 Here are two types of service instance deployment solutions. You can deploy a local service instance
 of Zitadel according
-to the document [local-installation-steps.md](local/local-installation-steps.md) or deploy a
+to the document [local-installation-steps.md](local/run/run-dev-zitadel-containers) or deploy a
 production service instance of
 Zitadel according to the
 document [testbed-installation-steps.md](testlab/testbed-installation-steps.md).

zitadel/local/build/Dockerfile

@@ -0,0 +1,5 @@
+FROM postgres:16-alpine
+
+# This is necessary. Otherwise the data written to the container will not be part of the created image.
+RUN mkdir -p /var/lib/postgresql-static/data
+ENV PGDATA=/var/lib/postgresql-static/data

zitadel/local/build/build-dev-zitadel-images.md

@@ -0,0 +1,21 @@
+# Build Zitadel Dev Docker Images
+
+To enhance developer experience, we prepare the Zitadel development docker images with all necessary configurations. 
+The developer will have to simply start these application and database docker containers and 
+then the environment is ready to use without any additional configuration. 
+
+## Image Build Job
+
+The GitHub action [build-dev-images](../../../.github/workflows/build-zitadel-dev-images.yml) builds the necessary images 
+and uploads it to the GitHub packages and also uploads all configuration details to action artifacts.
+
+> Images will be always simply built with 'latest' tag. 
+
+## Configure Client Systems
+
+Whenever this job is executed, the images generated will contain new information for all clients. 
+Hence, it is necessary for the developer to also update the following files whenever a new image is created 
+and also inform team that the latest images must be pulled. 
+
+- [xpanse UI auth config](https://github.com/eclipse-xpanse/xpanse-ui/blob/main/.env.zitadel-local)
+- [xpanse app auth config](https://github.com/eclipse-xpanse/xpanse/blob/main/runtime/src/main/resources/application-zitadel.properties)

zitadel/local/build/docker-compose.yaml

@@ -0,0 +1,50 @@
+services:
+  zitadel:
+    user: "${UID:-1001}"
+    restart: 'always'
+    networks:
+      - 'zitadel'
+    image: 'ghcr.io/zitadel/zitadel:latest'
+    command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
+    environment:
+      ZITADEL_DATABASE_POSTGRES_HOST: db
+      ZITADEL_DATABASE_POSTGRES_PORT: 5432
+      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
+      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
+      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
+      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
+      ZITADEL_EXTERNALSECURE: false
+      ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH: /machinekey/zitadel-admin-sa.json
+      ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME: zitadel-admin-sa
+      ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME: Admin
+      ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE: 1
+      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED: false
+      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD: Zitadel@123 # Default admin password.
+    depends_on:
+      db:
+        condition: 'service_healthy'
+    ports:
+      - '8088:8080'
+    volumes:
+      - ${VOLUME_POINT:-./machinekey}:/machinekey:rw
+
+  db:
+    restart: 'always'
+    image: custom-pg-db # Custom postgres image.
+    environment:
+      PGUSER: postgres
+      POSTGRES_PASSWORD: postgres
+    networks:
+      - 'zitadel'
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres" ]
+      interval: '10s'
+      timeout: '2400s'
+      retries: 500
+      start_period: '20s'
+
+networks:
+  zitadel:

zitadel/local/build/machinekey/.gitkeep

@@ -0,0 +1,29 @@
+services:
+  zitadel:
+    # The user should have the permission to write to ./machinekey
+    user: "${UID:-1001}"
+    restart: 'always'
+    networks:
+      - 'zitadel-dev'
+    image: ghcr.io/eclipse-xpanse/xpanse-zitadel-dev-server:latest # image built locally by commiting an already initialized zitadel server
+    command: 'start --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
+    depends_on:
+      db:
+        condition: 'service_healthy'
+    ports:
+      - '8088:8080'
+
+  db:
+    restart: 'always'
+    image: ghcr.io/eclipse-xpanse/xpanse-zitadel-dev-db:latest # image built locally by commiting an already initialized zitadel Postgres DB
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres" ]
+      interval: '10s'
+      timeout: '2400s'
+      retries: 500
+      start_period: '20s'
+    networks:
+      - 'zitadel-dev'
+
+networks:
+  zitadel-dev:

zitadel/local/compose/docker-compose-local.yaml

@@ -0,0 +1,40 @@
+# Local Development Applications of Xpanse with Local Service of Zitadel
+
+This document will describe how to use docker to build a local service of Zitadel.
+
+Clone project [xpanse-iam](https://github.com/eclipse-xpanse/xpanse-iam.git) from remote to workspace in local machine.
+Then enter the root path.
+
+```shell
+git clone https://github.com/eclipse-xpanse/xpanse-iam.git
+cd xpanse-iam/zitadel/local
+ ```
+
+## Deploy Local Service of Zitadel
+
+Before deploying the local service of Zitadel, please install and start the Docker and Docker Compose service in the
+local machine. Then start the local service of Zitadel using the below command:
+
+```shell
+docker compose up -d --pull always
+ ```
+
+The below display appears to indicate that the service has started normally. 
+This step can take around 2 minutes since the database container must sync the changes from 
+
+```shell
+ ✔ Network run_zitadel-dev  Created                                                                                                                                                                                                                                                                            0.4s 
+ ✔ Container run-db-1       Healthy                                                                                                                                                                                                                                                                           10.1s 
+ ✔ Container run-zitadel-1  Started  
+```
+
+Now you can open favorite internet browser and navigate to http://localhost:8088/ui/console. This is the default IAM
+admin users login:
+
+* username: zitadel-admin@zitadel.localhost
+* password: Zitadel@123
+
+Other application users can be found [here](../../terraform/environments/local.tfvars).
+
+
+

zitadel/local/local-installation-steps.md

@@ -4,43 +4,5 @@ resource "zitadel_machine_user" "api_client_user" {
   name        = "api-client"
   description = "user for xpanse to make authenticated API calls"
   access_token_type = "ACCESS_TOKEN_TYPE_JWT"
-}
-
-// get the default organization ID. The deployer user is on the default organization.
-data "zitadel_orgs" "default" {
-  name = "ZITADEL"
-  name_method = "TEXT_QUERY_METHOD_EQUALS"
-}
-
-// get the user ID of the deployer user.
-data "zitadel_machine_users" "deployer" {
-  user_name        = "deployer"
-  user_name_method = "TEXT_QUERY_METHOD_EQUALS"
-}
-
-resource "zitadel_instance_member" "default" {
-  user_id = data.zitadel_machine_users.deployer.user_ids[0]
-  roles   = ["IAM_OWNER"]
-}
-
-resource "zitadel_personal_access_token" "apiclient_user_id_token" {
-  org_id          = data.zitadel_orgs.default.ids[0]
-  user_id         = data.zitadel_machine_users.deployer.user_ids[0]
-}
-
-// direct API call since no terraform module available for creating client credentials
-resource "terracurl_request" "machine_secret" {
-    name = "machine_secret"
-    url = "https://${var.domain}:${var.port}/management/v1/users/${resource.zitadel_machine_user.api_client_user.id}/secret"
-    method = "PUT"
-    response_codes = [
-        200
-      ]
-    headers = {
-        x-zitadel-orgid = zitadel_org.xpanse.id
-        Content-Type = "application/json"
-        Accept = "application/json"
-        Authorization = "Bearer ${resource.zitadel_personal_access_token.apiclient_user_id_token.token}"
-        }
-    request_body = ""
+  with_secret = true
 }

zitadel/local/run/docker-compose.yml

@@ -0,0 +1,12 @@
+// get the user ID of the deployer user.
+data "zitadel_machine_users" "deployer" {
+  count = var.is_local_dev_env ? 0 : 1
+  user_name        = "deployer"
+  user_name_method = "TEXT_QUERY_METHOD_EQUALS"
+}
+
+resource "zitadel_instance_member" "default" {
+  count = var.is_local_dev_env ? 0 : 1
+  user_id = data.zitadel_machine_users.deployer[count.index].user_ids[0]
+  roles   = ["IAM_OWNER"]
+}

zitadel/local/run/run-dev-zitadel-containers.md

@@ -0,0 +1,9 @@
+module "create-dev-users" {
+  source = "./dev-users"
+  count = var.is_local_dev_env ? 1 : 0
+  test_users = var.test_users
+  xpanse_org_id = zitadel_org.xpanse.id
+  xpanse_project_id = zitadel_project.eclipse-xpanse.id
+  domain = var.domain
+  port = var.port
+}

zitadel/static/docker_run_zitadel_services.png

@@ -0,0 +1,110 @@
+// get the default organization ID. The deployer user is on the default organization.
+data "zitadel_orgs" "default" {
+  name        = "ZITADEL"
+  name_method = "TEXT_QUERY_METHOD_EQUALS"
+}
+
+// get the user ID of the default service account admin user.
+data "zitadel_machine_users" "zitadel-admin-sa" {
+  user_name        = "zitadel-admin-sa"
+  user_name_method = "TEXT_QUERY_METHOD_EQUALS"
+}
+
+# get access token to make API calls.
+resource "zitadel_personal_access_token" "apiclient_user_id_token" {
+  org_id  = data.zitadel_orgs.default.ids[0]
+  user_id = data.zitadel_machine_users.zitadel-admin-sa.user_ids[0]
+}
+
+
+resource "zitadel_human_user" "test-users" {
+  for_each = {for i, item in var.test_users : i => item}
+
+  org_id             = var.xpanse_org_id
+  user_name          = each.value.email
+  first_name         = each.value.name
+  last_name          = each.value.name
+  nick_name          = each.value.name
+  display_name       = each.value.name
+  preferred_language = "en"
+  gender             = "GENDER_MALE"
+  phone              = "+41799999999"
+  is_phone_verified  = true
+  email              = each.value.email
+  is_email_verified  = true
+  initial_password   = "Password1!"
+}
+
+locals {
+  roles_map = {
+    for created_users in zitadel_human_user.test-users : created_users.user_name => [
+      for test_user in var.test_users : { id : created_users.id, roles : test_user.roles }
+      if test_user.email == created_users.user_name
+    ]
+  }
+
+  passwords_map = {
+    for created_users in zitadel_human_user.test-users : created_users.user_name => [
+      for test_user in var.test_users : { id : created_users.id, password : test_user.password }
+      if test_user.email == created_users.user_name
+    ]
+  }
+
+  meta_data_map = flatten([
+    for created_users in zitadel_human_user.test-users : [
+      for test_user in var.test_users : [
+        for meta_data_entry in test_user.meta-data :{
+          id : created_users.id, user_name : created_users.user_name, data_key : meta_data_entry.key,
+          data_value : meta_data_entry.value
+        } if created_users.user_name == test_user.email
+      ]
+    ]
+  ])
+}
+
+resource "zitadel_user_grant" "test-roles" {
+  for_each = local.roles_map
+
+  project_id = var.xpanse_project_id
+  org_id     = var.xpanse_org_id
+  role_keys  = each.value[0].roles
+  user_id    = each.value[0].id
+}
+
+resource "zitadel_user_metadata" "meta-data" {
+  for_each = {for obj in local.meta_data_map : "${obj.user_name}-${obj.data_key}" => obj}
+
+  org_id  = var.xpanse_org_id
+  user_id = each.value.id
+  key     = each.value.data_key
+  value   = each.value.data_value
+}
+
+//direct API call since no terraform module available for creating client credentials
+resource "terracurl_request" "update_password" {
+  lifecycle {
+    ignore_changes = all
+  }
+  for_each = local.passwords_map
+  name     = "update_password"
+  url      = "http://${var.domain}:${var.port}/v2/users/${each.value[0].id}/password"
+  method   = "POST"
+  response_codes = [
+    200
+  ]
+  headers = {
+    x-zitadel-orgid = var.xpanse_org_id
+    Content-Type    = "application/json"
+    Accept          = "application/json"
+    Authorization   = "Bearer ${resource.zitadel_personal_access_token.apiclient_user_id_token.token}"
+  }
+  request_body = <<EOF
+  {
+   "newPassword":{
+      "password": "${each.value[0].password}",
+      "changeRequired":false
+   },
+   "currentPassword":"Password1!"
+}
+  EOF
+}

zitadel/terraform/client-credentials.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    zitadel = {
+      source  = "zitadel/zitadel"
+      version = "1.2.0"
+    }
+    terracurl = {
+      source  = "devops-rob/terracurl"
+      version = "1.1.0"
+    }
+  }
+}

zitadel/terraform/configure-deployer-user.tf

@@ -0,0 +1,33 @@
+variable "test_users" {
+  type = list(object({
+    name     = string
+    email    = string
+    password = string
+    roles = list(string)
+    meta-data = list(object({
+      key   = string
+      value = string
+    }))
+  }))
+
+}
+
+variable "xpanse_org_id" {
+  description = "ID of xpanse organization"
+  type        = string
+}
+
+variable "xpanse_project_id" {
+  description = "ID of eclipse-xpanse project"
+  type        = string
+}
+
+variable "domain" {
+  description = "Domain name of the zitadel instance"
+  type        = string
+}
+
+variable "port" {
+  description = "Port of the zitadel application instance"
+  type        = number
+}

zitadel/terraform/configure-dev-users.tf

@@ -1,8 +1,89 @@
 domain                             = "localhost"
 insecure                           = "true"
-port                               = "8081"
+port                               = "8088"
 xpanse-ui_base_uri                 = "http://localhost:3000"
 xpanse_swagger-ui_base_uri         = "http://localhost:8080"
 terraform-boot_swagger-ui_base_uri = "http://localhost:9090"
 tofu-maker_swagger-ui_base_uri     = "http://localhost:9092"
-auth_token_type                    = "JWT"
+auth_token_type                    = "JWT"
+jwt_profile_file                   = "zitadel-admin-sa.json"
+is_local_dev_env                   = true
+test_users = [
+  {
+    "name" : "test-user",
+    "email" : "test-user@localhost.com",
+    "password" : "Zitadel@123",
+    "roles" : [
+      "isv",
+      "admin",
+      "csp",
+      "user"
+    ],
+    "meta-data" : [
+      {
+        "key" : "csp",
+        "value" : "HuaweiCloud"
+      },
+      {
+        "key" : "isv",
+        "value" : "ISV-A"
+      }
+    ]
+  },
+  {
+    "name" : "openstack-lab-csp",
+    "email" : "openstacklab@localhost.com",
+    "password" : "Zitadel@123",
+    "roles" : [
+      "csp"
+    ],
+    "meta-data" : [
+      {
+        "key" : "csp",
+        "value" : "OpenstackTestlab"
+      }
+    ]
+  },
+  {
+    "name" : "flexible-engine-csp",
+    "email" : "flexible-engine@localhost.com",
+    "password" : "Zitadel@123",
+    "roles" : [
+      "csp"
+    ],
+    "meta-data" : [
+      {
+        "key" : "csp",
+        "value" : "FlexibleEngine"
+      }
+    ]
+  },
+  {
+    "name" : "plus-server-csp",
+    "email" : "plus-server@localhost.com",
+    "password" : "Zitadel@123",
+    "roles" : [
+      "csp"
+    ],
+    "meta-data" : [
+      {
+        "key" : "csp",
+        "value" : "PlusServer"
+      }
+    ]
+  },
+  {
+    "name" : "regio-cloud-csp",
+    "email" : "regio-cloud@localhost.com",
+    "password" : "Zitadel@123",
+    "roles" : [
+      "csp"
+    ],
+    "meta-data" : [
+      {
+        "key" : "csp",
+        "value" : "RegioCloud"
+      }
+    ]
+  }
+]

zitadel/terraform/dev-users/main.tf

@@ -2,11 +2,11 @@ terraform {
   required_providers {
     zitadel = {
       source  = "zitadel/zitadel"
-      version = "1.0.7"
+      version = "1.2.0"
     }
     terracurl = {
-          source  = "devops-rob/terracurl"
-          version = "1.1.0"
+      source  = "devops-rob/terracurl"
+      version = "1.1.0"
     }
   }
 }

zitadel/terraform/dev-users/provider.tf

@@ -39,11 +39,11 @@ output "REACT_APP_ZITADEL_CLIENT_ID" {
 }
 
 output "oauth-protected-api-client-id" {
-  value       = jsondecode(resource.terracurl_request.machine_secret.response).clientId
+  value       = nonsensitive(zitadel_machine_user.api_client_user.client_id)
   description = "Output the value of oauth.protected.api.client.id for configuring the consuming application 'Xpanse-Api'."
 }
 
 output "oauth-protected-api-client-secret" {
-  value       = jsondecode(resource.terracurl_request.machine_secret.response).clientSecret
+  value       = nonsensitive(zitadel_machine_user.api_client_user.client_secret)
   description = "Output the value of oauth.protected.api.client.secret for configuring the consuming application 'Xpanse-Api'."
 }

zitadel/terraform/dev-users/variables.tf

@@ -5,19 +5,19 @@ variable "auth_token_type" {
 }
 
 variable "domain" {
-  type    = string
+  type = string
 }
 
 variable "insecure" {
-  type    = bool
+  type = bool
 }
 
 variable "port" {
-  type    = number
+  type = number
 }
 
 variable "jwt_profile_file" {
-  type    = string
+  type = string
 }
 
 variable "smtp_sender_address" {
@@ -46,29 +46,49 @@ variable "smtp_login_password" {
 }
 
 variable "redirect_xpanse-ui_uris" {
-  type    = list(string)
+  type = list(string)
 }
 
-variable "post_logout_redirect_uris"{
-  type    = list(string)
+variable "post_logout_redirect_uris" {
+  type = list(string)
 }
 
 variable "redirect_swagger-ui_uris" {
-  type    = list(string)
+  type = list(string)
 }
 
 variable "xpanse-ui_base_uri" {
-  type    = string
+  type = string
 }
 
 variable "xpanse_swagger-ui_base_uri" {
-  type    = string
+  type = string
 }
 
 variable "terraform-boot_swagger-ui_base_uri" {
-  type    = string
+  type = string
 }
 
 variable "tofu-maker_swagger-ui_base_uri" {
-  type    = string
+  type = string
+}
+
+variable "is_local_dev_env" {
+  type        = bool
+  description = "Flag to control changes to be done only for dev environments"
+}
+
+variable "test_users" {
+  description = "list of test users that must be created on non-production environments"
+  type = list(object({
+    name = string
+    email = string
+    password = string
+    roles = list(string)
+    meta-data = list(object({
+      key = string
+      value = string
+    }))
+  }))
+
 }

zitadel/terraform/environments/local.tfvars

@@ -8,7 +8,7 @@ This installation is a replica of production setup but without high availability
 the following components running
 
 1. Zitadel
-2. Cockroach DB
+2. Postgres DB
 3. Nginx Load Balancer
 4. CertBot - Not actively running