idp: add emqx authn/authz example

Signed-off-by: hmoazzem <moazzem@edgeflare.io>

Author: hmoazzem

README.md

@@ -4,16 +4,17 @@ edge configures and manages:
 
 | Component         | Technology / Tool       | Description |
 |-------------------|-----------------------|-------------|
-| Platform          | Linux, Docker, [Kubernetes](https://kubernetes.io)            | Native and containerized deployments provideing ease and scalability |
 | Database          | [PostgreSQL](https://www.postgresql.org) + [pgvector](https://github.com/pgvector/pgvector)  | The world's most advanced open source database. Vector search using pgvector |
-| (IAM) AuthN/AuthZ | [ZITADEL](https://github.com/zitadel/zitadel) + [Postgres RLS](https://www.postgresql.org/docs/current/ddl-rowsecurity.html) | Comprehensive authN and authZ through ZITADEL, PostgreSQL Row-Level Security and envoy filters eg ext-authz |
-| Object Storage    | [MinIO](https://github.com/minio/minio) / [SeaweedFS](https://github.com/seaweedfs/seaweedfs)                 | Offers high-performance, Kubernetes-native object storage. |
+| (IAM) AuthN/AuthZ | Any OIDC compliant IdP eg Keykloak, Auth0, [ZITADEL](https://github.com/zitadel/zitadel) (default) + [Postgres RLS](https://www.postgresql.org/docs/current/ddl-rowsecurity.html) | Comprehensive authN and authZ through OIDC claims, PostgreSQL Row-Level Security and envoy filters eg ext-authz |
+| Object Storage    | Any S3 compliant storage eg AWS S3, Cloudflare R2, [MinIO](https://github.com/minio/minio), Ceph RGW, [SeaweedFS](https://github.com/seaweedfs/seaweedfs) (default)                 | Offers high-performance, Kubernetes-native object storage. |
 | REST API / Events | [edgeflare/pgo](https://github.com/edgeflare/pgo) | PostgREST-compatible REST API, Debezium-compatible CDC |
 | API Gateway       | [Istio](https://istio.io)/[Envoy](https://www.envoyproxy.io), [cert-manager](https://cert-manager.io) and optionally [Cloudflare](https://cloudflare.com)         | Manages, secures, and monitors traffic between microservices as well as from and to the Internet |
 
-for a unified backend - similar to Firebase, Supabase etc. And with scaling capabilities. **We use [PostgREST](https://docs.postgrest.org) where reliability is important; writing similar in Go to be able to 1. embed in a go binary and 2. run in serverless env.**
+to build a unified backend - similar to Firebase, Supabase etc. And with scaling capabilities. The stack runs on Linux, Docker and [Kubernetes](https://kubernetes.io) allowing it to start on a RaspberryPi-like device and scale to a multi-region Kubernetes cluster.
 
+edge allows (is purposefully designed) to mix-match existing, external (incl proprietary) components from anywhere - eg GCP Cloud SQL, Auth0 IdP, AWS S3, etc. it simply ensures all these are configred to function as a single unit.
 
+> **We use [PostgREST](https://docs.postgrest.org) where reliability is important; writing [edgeflare/pgo](https://github.com/edgeflare/pgo) in Go to be able to 1. embed in a go binary and 2. run in serverless env.**
 
 ## Deployment options
 
@@ -32,7 +33,7 @@ git clone git@github.com:edgeflare/edge.git && cd edge
 1. determine a root domain (hostname) eg `example.org`. if such a globally routable domain isn't available,
 utilize https://sslip.io resolver, which returns embedded IP address in domain name. that's what this demo setup does
 
-> when containers dependent on zitadel (it being the centralized IdP) fail, try restarting it once zitadel is healthy
+> when containers dependent on zitadel (it being the centralized IdP) fail, try restarting them once zitadel is healthy
 
 ```sh
 export EDGE_DOMAIN_ROOT=192-168-0-121.sslip.io              # resolves to 192.168.0.121 (gateway/envoy IP). use LAN or accesible IP/hostname
@@ -69,6 +70,7 @@ For publicly trusted certificates, enable TLS by updating env vars in ZITADEL.
 
 5. start containers
 ```sh
+# docker compose build
 docker compose up -d
 ```
 

docker-compose.yaml

@@ -55,29 +55,6 @@ services:
     volumes:
     - $PWD/__zitadel:/machinekey:rw,Z
 
-  edge:
-    user: "${UID:-1000}"
-    build:
-      context: "."
-      dockerfile: "./internal/stack/Containerfile"
-    entrypoint: sh -c "id && ls -la /workspace/zitadel/admin-sa.json && while [ ! -f /workspace/zitadel/admin-sa.json ]; do sleep 1; done; sleep 2; /edge serve"
-    ports:
-    # - 18000:18000 # xds-server
-    - 8081:8081   # http-admin
-    environment:
-      EDGE_DOMAIN_ROOT: ${EDGE_DOMAIN_ROOT}
-      EDGE_IAM_ZITADEL_MACHINEKEYPATH: "/workspace/zitadel/admin-sa.json"
-    healthcheck:
-      test: [CMD, /edge, healthz]
-      interval: 5s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-      start_interval: 5s
-    volumes:
-    - $PWD/__zitadel:/workspace/zitadel:rw,Z,U
-    restart: on-failure
-
   db-app:
     image: docker.io/bitnami/postgresql:17.3.0
     environment:
@@ -155,11 +132,14 @@ services:
       MINIO_IDENTITY_OPENID_CLAIM_USERINFO: on
       MINIO_IDENTITY_OPENID_COMMENT: "OIDC Identity Provider"
       # notify postgres
-      MINIO_NOTIFY_POSTGRES_ENABLE: on
-      MINIO_NOTIFY_POSTGRES_CONNECTION_STRING: "host=db-app port=5432 user=postgres password=postgrespw dbname=main sslmode=prefer" 
-      MINIO_NOTIFY_POSTGRES_FORMAT: namespace
-      MINIO_NOTIFY_POSTGRES_ID: minioevents
-      MINIO_NOTIFY_POSTGRES_TABLE: minioevents
+      MINIO_NOTIFY_POSTGRES_ENABLE_PRIMARY: on
+      MINIO_NOTIFY_POSTGRES_CONNECTION_STRING_PRIMARY: "host=db-app port=5432 user=postgres password=postgrespw dbname=main sslmode=prefer"
+      MINIO_NOTIFY_POSTGRES_TABLE_PRIMARY: minioevents
+      MINIO_NOTIFY_POSTGRES_FORMAT_PRIMARY: namespace
+      MINIO_NOTIFY_POSTGRES_MAX_OPEN_CONNECTIONS_PRIMARY: 2
+      MINIO_NOTIFY_POSTGRES_QUEUE_DIR_PRIMARY: /opt/minio/events
+      MINIO_NOTIFY_POSTGRES_QUEUE_LIMIT_PRIMARY: 100000
+      MINIO_NOTIFY_POSTGRES_COMMENT_PRIMARY: "PostgreSQL Notification Event Logging for MinIO"
     volumes:
     - s3-minio:/mnt/data
     ports:
@@ -238,8 +218,57 @@ services:
         GRANT ALL PRIVILEGES ON TABLE public.minioevents TO minio;
       "
     restart: on-failure
+  emqx:  # MQTT broker. prefer NATS' MQTT
+    image: docker.io/emqx:5.8
+    environment:
+      EMQX_DASHBOARD__DEFAULT_PASSWORD: public
+      EMQX_DASHBOARD__DEFAULT_USERNAME: admin
+    ports:
+    - 1883:1883   # MQTT
+    - 8883:8883   # MQTTS
+    - 8083:8083   # WS
+    - 8084:8084   # WSS
+    - 18083:18083 # http-dashboard
+    volumes:
+    - emqx:/opt/emqx/data
+    healthcheck:
+      test: ["CMD", "emqx_ctl", "status"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  edge:
+    user: "${UID:-1000}"
+    build:
+      context: "."
+      dockerfile: "./internal/stack/Containerfile"
+    entrypoint: sh -c "id && ls -la /workspace/zitadel/admin-sa.json && while [ ! -f /workspace/zitadel/admin-sa.json ]; do sleep 1; done; sleep 2; /edge serve  --configure-addons=emqx"
+    # extra comma-separated add-ons eg emqx,nats, ...
+    ports:
+    # - 18000:18000 # xds-server
+    - 8081:8081   # http-admin
+    environment:
+      EDGE_DOMAIN_ROOT: ${EDGE_DOMAIN_ROOT}
+      EDGE_IAM_ZITADEL_MACHINEKEYPATH: "/workspace/zitadel/admin-sa.json"
+    healthcheck:
+      test: [CMD, /edge, healthz]
+      interval: 5s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+      start_interval: 5s
+    volumes:
+    - $PWD/__zitadel:/workspace/zitadel:rw,Z,U
+    restart: on-failure
 
 volumes:
   db-app:
   db-auth:
   s3-minio:
+  emqx:
+
+# MINIO_NOTIFY_POSTGRES_ENABLE: on
+# MINIO_NOTIFY_POSTGRES_CONNECTION_STRING: "host=db-app port=5432 user=postgres password=postgrespw dbname=main sslmode=prefer" 
+# MINIO_NOTIFY_POSTGRES_FORMAT: namespace
+# MINIO_NOTIFY_POSTGRES_ID: minioevents
+# MINIO_NOTIFY_POSTGRES_TABLE: minioevents