Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add BoxyHQ #997

Merged
merged 6 commits into from
Oct 12, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
252 changes: 252 additions & 0 deletions public/v4/apps/boxy-hq-only.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,252 @@
captainVersion: 4
services:
$$cap_appname:
image: boxyhq/jackson:$$cap_boxyhq_jackson_version
restart: always
caproverExtra:
containerHttpPort: '5225'
environment:
EXTERNAL_URL: $$cap_external_url
SAML_AUDIENCE: $$cap_saml_audience
JACKSON_API_KEYS: $$cap_jackson_api_keys
ADMIN_PORTAL_SSO_TENANT: $$cap_admin_portal_sso_tenant
ADMIN_PORTAL_SSO_PRODUCT: $$cap_admin_portal_sso_product
IDP_ENABLED: $$cap_idp_enabled
PRE_LOADED_CONNECTION: $$cap_pre_loaded_connection
CLIENT_SECRET_VERIFIER: $$cap_client_secret_verifier

DB_ENGINE: $$cap_db_engine
DB_URL: $$cap_db_url
DB_TYPE: $$cap_db_type
DB_TTL: $$cap_db_ttl
DB_CLEANUP_LIMIT: $$cap_db_cleanup_limit
DB_PAGE_LIMIT: $$cap_db_page_limit
DB_ENCRYPTION_KEY: $$cap_db_encryption_key

SMTP_HOST: $$cap_smtp_host
SMTP_PORT: $$cap_smtp_port
SMTP_USER: $$cap_smtp_user
SMTP_PASSWORD: $$cap_smtp_password
SMTP_FROM: $$cap_smtp_from

NEXTAUTH_ACL: $$cap_nextauth_acl
NEXTAUTH_URL: $$cap_nextauth_url
NEXTAUTH_SECRET: $$cap_nextauth_secret
NEXTAUTH_ADMIN_CREDENTIALS: $$cap_nextauth_admin_credentials

RETRACED_HOST_URL: $$cap_retraced_host_url
RETRACED_EXTERNAL_URL: $$cap_retraced_external_url
RETRACED_ADMIN_ROOT_TOKEN: $$cap_retraced_admin_root_token

TERMINUS_PROXY_HOST_URL: $$cap_terminus_proxy_host_url
TERMINUS_ADMIN_ROOT_TOKEN: $$cap_terminus_admin_root_token

OTEL_EXPORTER_OTLP_METRICS_ENDPOINT: $$cap_otel_exporter_otlp_metrics_endpoint
OTEL_EXPORTER_OTLP_METRICS_HEADERS: $$cap_otel_exporter_otlp_metrics_headers

OPENID_JWS_ALG: $$cap_openid_jws_alg
OPENID_RSA_PRIVATE_KEY: $$cap_openid_rsa_private_key
OPENID_RSA_PUBLIC_KEY: $$cap_openid_rsa_public_key
PUBLIC_KEY: $$cap_public_key
PRIVATE_KEY: $$cap_private_key

BOXYHQ_LICENSE_KEY: $$cap_boxyhq_license_key

WEBHOOK_URL: $$cap_webhook_url
WEBHOOK_SECRET: $$cap_webhook_secret

node_options: $$cap_node_options
NEXT_TELEMETRY_DISABLED: $$cap_next_telemetry_disabled
caproverOneClickApp:
variables:
- id: $$cap_external_url
label: External URL
description: The public URL to reach this service. This is used internally to construct the callback url at which the SAML/OIDC IdP sends back the authorization response. (https://boxyhq.com/docs/jackson/deploy/env-variables#external_url)
validRegex: '/.{1,}/'
defaultValue: $$cap_appname.$$cap_root_domain
- id: $$cap_saml_audience
label: SAML Audience
validRegex: '/.{1,}/'
description: The value of this setting (same as SP EntityID of Jackson) allows the Jackson instance to verify that it is the intended recipient of a SAML response. The same value is also set in the SAML App created on the IdP end by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML App again. It is case-sensitive. This does not have to be a real URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#saml_audience)
defaultValue: $$cap_appname.$$cap_root_domain
- id: $$cap_jackson_api_keys
label: API Keys
validRegex: '/.{1,}/'
description: A comma separated list of API keys that will be validated when serving the API requests for SSO connection (/api/v1/connections) and Directory Sync (/api/v1/directory-sync). (https://boxyhq.com/docs/jackson/deploy/env-variables#jackson_api_keys)
defaultValue: $$cap_gen_random_hex(64)
- id: $$cap_admin_portal_sso_tenant
label: Admin Portal SSO Tenant
description: This will be used as the tenant for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_tenant)
validRegex: '/.{1,}/'
defaultValue: _jackson_boxyhq
- id: $$cap_admin_portal_sso_product
label: Admin Portal SSO Product
description: This will be used as the product for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_product)
validRegex: '/.{1,}/'
defaultValue: _jackson_admin_portal
- id: $$cap_idp_enabled
label: IDP Enabled
description: Set to true to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times. (https://boxyhq.com/docs/jackson/deploy/env-variables#idp_enabled)
defaultValue: true
- id: $$cap_pre_loaded_connection
label: Pre loaded connection
description: If you only need a single tenant or a handful of pre-configured tenants then this config will help you read and load IdP (both OpenID and SAML)connections. It works well with the mem DB engine so you don't have to configure any external databases for this to work (though it works with those as well). This is a path (absolute or relative) to a directory that contains files organized in the format described in the next section. (https://boxyhq.com/docs/jackson/deploy/env-variables#pre_loaded_connection)
- id: $$cap_client_secret_verifier
label: Client secret verifier
description: When tenant and product are used for the SAML flow (and PKCE is not being used) then we use dummy as placeholders for client_id and client_secret. This is not a security issue because SAML is tenanted and hence your Identity Provider will block access to anyone trying to log into your SAML tenant. However for additional security you should set CLIENT_SECRET_VERIFIER to a random secret and use that value as the client_secret during the OAuth 2.0 flow. (https://boxyhq.com/docs/jackson/deploy/env-variables#client_secret_verifier)
validRegex: '/.{1,}/'
defaultValue: $$cap_gen_random_hex(64)

- id: $$cap_db_engine
label: DB Engine
description: Supported values are redis, sql, mongo, mem, planetscale, dynamodb (https://boxyhq.com/docs/jackson/deploy/env-variables#db_engine)
validRegex: '/.{1,}/'
defaultValue: sql
- id: $$cap_db_url
label: DB URL
description: The database URL to connect to. If you are using self-signed certificates then pass sslmode=no-verify instead of sslmode=require in the DB_URL. This is because self-signed certs will be rejected as unauthorized in strict mode. Also, set DB_SSL=true and DB_SSL_REJECT_UNAUTHORIZED=false (see env vars below for more details). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_url)
validRegex: '/.{1,}/'
defaultValue: postgres://postgres_user:postgres_password@localhost:5432/postgres_db
- id: $$cap_db_type
label: DB Type
description: Only needed when DB_ENGINE is sql. Supported values are postgres, mysql, mariadb, mssql (https://boxyhq.com/docs/jackson/deploy/env-variables#db_type)
validRegex: '/.{1,}/'
defaultValue: postgres
- id: $$cap_db_ttl
label: DB TTL
description: TTL for the code, session and token stores (in seconds). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_ttl)
defaultValue: 300
- id: $$cap_db_cleanup_limit
label: DB Cleanup limit
description: Limit cleanup of TTL entries to this number. (https://boxyhq.com/docs/jackson/deploy/env-variables#db_cleanup_limit)
defaultValue: 1000
- id: $$cap_db_page_limit
label: DB Page limit
description: Page limit
defaultValue: 50
- id: $$cap_db_encryption_key
label: DB Encryption key
description: To encrypt data at rest specify a 32 character key. You can use openssl to generate a random 32 character key 'openssl rand -base64 24' (https://boxyhq.com/docs/jackson/deploy/env-variables#db_encryption_key)

- id: $$cap_smtp_host
label: SMTP Host
description: The SMTP host. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_host)
defaultValue: smtp.example.com
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use examples as default values, move smtp.example.com to description.

- id: $$cap_smtp_port
label: SMTP Port
description: The SMTP server port. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_port)
defaultValue: 587
- id: $$cap_smtp_user
label: SMTP User
description: Username for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_user)
defaultValue: [email protected]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same ^

- id: $$cap_smtp_password
label: SMTP Password
description: Password for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_password)
- id: $$cap_smtp_from
label: SMTP From
description: From address used to send mail. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_from)
defaultValue: [email protected]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same ^


- id: $$cap_nextauth_acl
label: NextAuth ACL
description: Set this to a comma separated string of email addresses or glob patterns like [email protected],*@marvel.com. Access will be denied to email addresses which don't match. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_acl)
defaultValue: [email protected],*@marvel.com
- id: $$cap_nextauth_url
label: NextAuth URL
description: When running locally this will point to the local server https://boxyhq.my-domain.com. When deploying to production, set this to the canonical URL of the site. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_url)
validRegex: '/.{1,}/'
defaultValue: $$cap_appname.$$cap_root_domain
- id: $$cap_nextauth_secret
label: NextAuth Secret
description: Set this to a random string. You can use openssl rand -base64 32 to get one. This secret is used to encrypt JWT and hash the email verification token. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_secret)
validRegex: '/.{1,}/'
defaultValue: $$cap_gen_random_hex(64)
- id: $$cap_nextauth_admin_credentials
label: NextAuth Admin credentials
description: Set this to a comma separated string of the pattern email:password to enable login to the Admin Portal, for example [email protected]:Password123. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_admin_credentials)

- id: $$cap_retraced_host_url
label: Retraced Host URL
description: If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the URL of the service. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_host_url)
- id: $$cap_retraced_external_url
label: Retraced External URL
description: If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the Public URL of the service. If this is the same as RETRACED_HOST_URL above then you can skip this and it will default to the value of RETRACED_HOST_URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_external_url)
- id: $$cap_retraced_admin_root_token
label: Retraced Admin root token
description: you need to set the admin root token for Retraced so that we can connect to Retraced and fetch projects and audit logs. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_admin_root_token)

- id: $$cap_terminus_proxy_host_url
label: Terminus Proxy Host URL
- id: $$cap_terminus_admin_root_token
label: Terminus Admin root token

- id: $$cap_otel_exporter_otlp_metrics_endpoint
label: OTEL Exporter OTLP Metrics endpoint
description: Target URL to which the exporter is going to send metrics.. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_endpoint-or-otel_exporter_otlp_metrics_endpoint)
- id: $$cap_otel_exporter_otlp_metrics_headers
label: OTEL Exporter OTLP Metrics headers
description: Headers relevant for the endpoint, useful for specifying authentication details for providers. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_headers-or-otel_exporter_otlp_metrics_headers)

- id: $$cap_openid_jws_alg
label: OpenID JWS algorithms
description: The algorithm used to sign the id_token. Jackson uses jose to create the ID token. Supported algorithms can be found at https://github.com/panva/jose/issues/114#digital-signatures. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_jws_alg)
defaultValue: RS256
- id: $$cap_openid_rsa_private_key
label: OpenID RSA Private key
description: Base64 value of private key. To generate one 'openssl genrsa -out private-key.pem 3072' then 'openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private_key.pem' and 'cat private_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_private_key)
- id: $$cap_openid_rsa_public_key
label: OpenID RSA Public key
description: Base64 value of public key. You can generate the public key from the private key as shown below 'openssl rsa -in private_key.pem -pubout -out public_key.pem' and than 'cat public_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_public_key)
- id: $$cap_public_key
label: Public key
description: This is the public key of the private key used to sign the SAML requests. Jackson expects the public key to be base64 encoded. (https://boxyhq.com/docs/jackson/deploy/env-variables#public_key)

- id: $$cap_private_key
label: Private key
description: This is the private key used to sign the SAML requests. Jackson expects the private key to be base64 encoded. To generate a private key and public key pair you can use the following command 'openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365 -nodes' then 'cat public.crt | base64' and that 'cat key.pem | base64' (https://boxyhq.com/docs/jackson/deploy/env-variables#private_key)
- id: $$cap_boxyhq_license_key
label: BoxyHQ License key

- id: $$cap_webhook_url
label: Webhook URL
description: Specify a webhook URL to receive events about sso and directory connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_url)
- id: $$cap_webhook_secret
label: Webhook Secret
description: Specify a secret to be used to sign the webhook payload. This is used to verify the authenticity of the webhook payload. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_secret)

- id: $$cap_node_options
label: Node Options
defaultValue: --max-http-header-size=81920 --dns-result-order=ipv4first
- id: $$cap_next_telemetry_disabled
label: Next Telemetry disabled
defaultValue: 1

- id: $$cap_boxyhq_jackson_version
label: BoxyHQ Jackson Version
defaultValue: 1.13.0
description: Check out their Docker page for the valid tags https://hub.docker.com/r/boxyhq/jackson/tags/
validRegex: /^([^\s^\/])+$/
instructions:
start: >-
Reduce Time to Market without sacrificing your security posture!

BoxyHQ’s suite of APIs for security and privacy helps engineering teams build and ship compliant cloud applications faster.

SAML Jackson can be used with any web application to integrate the Single Sign-On (SSO) authentication.

NOTE: If you turn it to HTTPS, then dont forget change variables from 'http://$$cap_appname.$$cap_root_domain' to 'https://$$cap_appname.$$cap_root_domain'

Note: This app is intended for advanced users who'd like to have a central DB in a single container for BoxyHQ Jackson. You should start by configuring your DB at you self, you can it do before or after you installed the BoxyHQ Jackson.
end: >-
BoxyHQ is deployed and available as http://$$cap_appname.$$cap_root_domain.

NOTE: If you turn it to HTTPS, then dont forget change variables from 'http://$$cap_appname.$$cap_root_domain' to 'https://$$cap_appname.$$cap_root_domain'

IMPORTANT: It will take up to 2 minutes for BoxyHQ Jackson to be ready. Before that, you might see a 502 error page.

Remember that this app will not create a Database by itself. You need to provide all that information.
displayName: BoxyHQ Jackson (SAML to OAuht) - No Database
isOfficial: true
description: This will create a BoxyHQ Jackson only. You will need to create and configure the database information manually. Intended for advanced users.
documentation: Taken from https://hub.docker.com/r/boxyhq/jackson/.
Binary file added public/v4/logos/boxy-hq-only.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading