-
Notifications
You must be signed in to change notification settings - Fork 546
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add BoxyHQ #997
Merged
Merged
Add BoxyHQ #997
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,252 @@ | ||
captainVersion: 4 | ||
services: | ||
$$cap_appname: | ||
image: boxyhq/jackson:$$cap_boxyhq_jackson_version | ||
restart: always | ||
caproverExtra: | ||
containerHttpPort: '5225' | ||
environment: | ||
EXTERNAL_URL: $$cap_external_url | ||
SAML_AUDIENCE: $$cap_saml_audience | ||
JACKSON_API_KEYS: $$cap_jackson_api_keys | ||
ADMIN_PORTAL_SSO_TENANT: $$cap_admin_portal_sso_tenant | ||
ADMIN_PORTAL_SSO_PRODUCT: $$cap_admin_portal_sso_product | ||
IDP_ENABLED: $$cap_idp_enabled | ||
PRE_LOADED_CONNECTION: $$cap_pre_loaded_connection | ||
CLIENT_SECRET_VERIFIER: $$cap_client_secret_verifier | ||
|
||
DB_ENGINE: $$cap_db_engine | ||
DB_URL: $$cap_db_url | ||
DB_TYPE: $$cap_db_type | ||
DB_TTL: $$cap_db_ttl | ||
DB_CLEANUP_LIMIT: $$cap_db_cleanup_limit | ||
DB_PAGE_LIMIT: $$cap_db_page_limit | ||
DB_ENCRYPTION_KEY: $$cap_db_encryption_key | ||
|
||
SMTP_HOST: $$cap_smtp_host | ||
SMTP_PORT: $$cap_smtp_port | ||
SMTP_USER: $$cap_smtp_user | ||
SMTP_PASSWORD: $$cap_smtp_password | ||
SMTP_FROM: $$cap_smtp_from | ||
|
||
NEXTAUTH_ACL: $$cap_nextauth_acl | ||
NEXTAUTH_URL: $$cap_nextauth_url | ||
NEXTAUTH_SECRET: $$cap_nextauth_secret | ||
NEXTAUTH_ADMIN_CREDENTIALS: $$cap_nextauth_admin_credentials | ||
|
||
RETRACED_HOST_URL: $$cap_retraced_host_url | ||
RETRACED_EXTERNAL_URL: $$cap_retraced_external_url | ||
RETRACED_ADMIN_ROOT_TOKEN: $$cap_retraced_admin_root_token | ||
|
||
TERMINUS_PROXY_HOST_URL: $$cap_terminus_proxy_host_url | ||
TERMINUS_ADMIN_ROOT_TOKEN: $$cap_terminus_admin_root_token | ||
|
||
OTEL_EXPORTER_OTLP_METRICS_ENDPOINT: $$cap_otel_exporter_otlp_metrics_endpoint | ||
OTEL_EXPORTER_OTLP_METRICS_HEADERS: $$cap_otel_exporter_otlp_metrics_headers | ||
|
||
OPENID_JWS_ALG: $$cap_openid_jws_alg | ||
OPENID_RSA_PRIVATE_KEY: $$cap_openid_rsa_private_key | ||
OPENID_RSA_PUBLIC_KEY: $$cap_openid_rsa_public_key | ||
PUBLIC_KEY: $$cap_public_key | ||
PRIVATE_KEY: $$cap_private_key | ||
|
||
BOXYHQ_LICENSE_KEY: $$cap_boxyhq_license_key | ||
|
||
WEBHOOK_URL: $$cap_webhook_url | ||
WEBHOOK_SECRET: $$cap_webhook_secret | ||
|
||
node_options: $$cap_node_options | ||
NEXT_TELEMETRY_DISABLED: $$cap_next_telemetry_disabled | ||
caproverOneClickApp: | ||
variables: | ||
- id: $$cap_external_url | ||
label: External URL | ||
description: The public URL to reach this service. This is used internally to construct the callback url at which the SAML/OIDC IdP sends back the authorization response. (https://boxyhq.com/docs/jackson/deploy/env-variables#external_url) | ||
validRegex: '/.{1,}/' | ||
defaultValue: $$cap_appname.$$cap_root_domain | ||
- id: $$cap_saml_audience | ||
label: SAML Audience | ||
validRegex: '/.{1,}/' | ||
description: The value of this setting (same as SP EntityID of Jackson) allows the Jackson instance to verify that it is the intended recipient of a SAML response. The same value is also set in the SAML App created on the IdP end by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML App again. It is case-sensitive. This does not have to be a real URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#saml_audience) | ||
defaultValue: $$cap_appname.$$cap_root_domain | ||
- id: $$cap_jackson_api_keys | ||
label: API Keys | ||
validRegex: '/.{1,}/' | ||
description: A comma separated list of API keys that will be validated when serving the API requests for SSO connection (/api/v1/connections) and Directory Sync (/api/v1/directory-sync). (https://boxyhq.com/docs/jackson/deploy/env-variables#jackson_api_keys) | ||
defaultValue: $$cap_gen_random_hex(64) | ||
- id: $$cap_admin_portal_sso_tenant | ||
label: Admin Portal SSO Tenant | ||
description: This will be used as the tenant for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_tenant) | ||
validRegex: '/.{1,}/' | ||
defaultValue: _jackson_boxyhq | ||
- id: $$cap_admin_portal_sso_product | ||
label: Admin Portal SSO Product | ||
description: This will be used as the product for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_product) | ||
validRegex: '/.{1,}/' | ||
defaultValue: _jackson_admin_portal | ||
- id: $$cap_idp_enabled | ||
label: IDP Enabled | ||
description: Set to true to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times. (https://boxyhq.com/docs/jackson/deploy/env-variables#idp_enabled) | ||
defaultValue: true | ||
- id: $$cap_pre_loaded_connection | ||
label: Pre loaded connection | ||
description: If you only need a single tenant or a handful of pre-configured tenants then this config will help you read and load IdP (both OpenID and SAML)connections. It works well with the mem DB engine so you don't have to configure any external databases for this to work (though it works with those as well). This is a path (absolute or relative) to a directory that contains files organized in the format described in the next section. (https://boxyhq.com/docs/jackson/deploy/env-variables#pre_loaded_connection) | ||
- id: $$cap_client_secret_verifier | ||
label: Client secret verifier | ||
description: When tenant and product are used for the SAML flow (and PKCE is not being used) then we use dummy as placeholders for client_id and client_secret. This is not a security issue because SAML is tenanted and hence your Identity Provider will block access to anyone trying to log into your SAML tenant. However for additional security you should set CLIENT_SECRET_VERIFIER to a random secret and use that value as the client_secret during the OAuth 2.0 flow. (https://boxyhq.com/docs/jackson/deploy/env-variables#client_secret_verifier) | ||
validRegex: '/.{1,}/' | ||
defaultValue: $$cap_gen_random_hex(64) | ||
|
||
- id: $$cap_db_engine | ||
label: DB Engine | ||
description: Supported values are redis, sql, mongo, mem, planetscale, dynamodb (https://boxyhq.com/docs/jackson/deploy/env-variables#db_engine) | ||
validRegex: '/.{1,}/' | ||
defaultValue: sql | ||
- id: $$cap_db_url | ||
label: DB URL | ||
description: The database URL to connect to. If you are using self-signed certificates then pass sslmode=no-verify instead of sslmode=require in the DB_URL. This is because self-signed certs will be rejected as unauthorized in strict mode. Also, set DB_SSL=true and DB_SSL_REJECT_UNAUTHORIZED=false (see env vars below for more details). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_url) | ||
validRegex: '/.{1,}/' | ||
defaultValue: postgres://postgres_user:postgres_password@localhost:5432/postgres_db | ||
- id: $$cap_db_type | ||
label: DB Type | ||
description: Only needed when DB_ENGINE is sql. Supported values are postgres, mysql, mariadb, mssql (https://boxyhq.com/docs/jackson/deploy/env-variables#db_type) | ||
validRegex: '/.{1,}/' | ||
defaultValue: postgres | ||
- id: $$cap_db_ttl | ||
label: DB TTL | ||
description: TTL for the code, session and token stores (in seconds). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_ttl) | ||
defaultValue: 300 | ||
- id: $$cap_db_cleanup_limit | ||
label: DB Cleanup limit | ||
description: Limit cleanup of TTL entries to this number. (https://boxyhq.com/docs/jackson/deploy/env-variables#db_cleanup_limit) | ||
defaultValue: 1000 | ||
- id: $$cap_db_page_limit | ||
label: DB Page limit | ||
description: Page limit | ||
defaultValue: 50 | ||
- id: $$cap_db_encryption_key | ||
label: DB Encryption key | ||
description: To encrypt data at rest specify a 32 character key. You can use openssl to generate a random 32 character key 'openssl rand -base64 24' (https://boxyhq.com/docs/jackson/deploy/env-variables#db_encryption_key) | ||
|
||
- id: $$cap_smtp_host | ||
label: SMTP Host | ||
description: The SMTP host. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_host) | ||
defaultValue: smtp.example.com | ||
- id: $$cap_smtp_port | ||
label: SMTP Port | ||
description: The SMTP server port. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_port) | ||
defaultValue: 587 | ||
- id: $$cap_smtp_user | ||
label: SMTP User | ||
description: Username for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_user) | ||
defaultValue: [email protected] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. same ^ |
||
- id: $$cap_smtp_password | ||
label: SMTP Password | ||
description: Password for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_password) | ||
- id: $$cap_smtp_from | ||
label: SMTP From | ||
description: From address used to send mail. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_from) | ||
defaultValue: [email protected] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. same ^ |
||
|
||
- id: $$cap_nextauth_acl | ||
label: NextAuth ACL | ||
description: Set this to a comma separated string of email addresses or glob patterns like [email protected],*@marvel.com. Access will be denied to email addresses which don't match. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_acl) | ||
defaultValue: [email protected],*@marvel.com | ||
- id: $$cap_nextauth_url | ||
label: NextAuth URL | ||
description: When running locally this will point to the local server https://boxyhq.my-domain.com. When deploying to production, set this to the canonical URL of the site. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_url) | ||
validRegex: '/.{1,}/' | ||
defaultValue: $$cap_appname.$$cap_root_domain | ||
- id: $$cap_nextauth_secret | ||
label: NextAuth Secret | ||
description: Set this to a random string. You can use openssl rand -base64 32 to get one. This secret is used to encrypt JWT and hash the email verification token. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_secret) | ||
validRegex: '/.{1,}/' | ||
defaultValue: $$cap_gen_random_hex(64) | ||
- id: $$cap_nextauth_admin_credentials | ||
label: NextAuth Admin credentials | ||
description: Set this to a comma separated string of the pattern email:password to enable login to the Admin Portal, for example [email protected]:Password123. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_admin_credentials) | ||
|
||
- id: $$cap_retraced_host_url | ||
label: Retraced Host URL | ||
description: If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the URL of the service. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_host_url) | ||
- id: $$cap_retraced_external_url | ||
label: Retraced External URL | ||
description: If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the Public URL of the service. If this is the same as RETRACED_HOST_URL above then you can skip this and it will default to the value of RETRACED_HOST_URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_external_url) | ||
- id: $$cap_retraced_admin_root_token | ||
label: Retraced Admin root token | ||
description: you need to set the admin root token for Retraced so that we can connect to Retraced and fetch projects and audit logs. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_admin_root_token) | ||
|
||
- id: $$cap_terminus_proxy_host_url | ||
label: Terminus Proxy Host URL | ||
- id: $$cap_terminus_admin_root_token | ||
label: Terminus Admin root token | ||
|
||
- id: $$cap_otel_exporter_otlp_metrics_endpoint | ||
label: OTEL Exporter OTLP Metrics endpoint | ||
description: Target URL to which the exporter is going to send metrics.. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_endpoint-or-otel_exporter_otlp_metrics_endpoint) | ||
- id: $$cap_otel_exporter_otlp_metrics_headers | ||
label: OTEL Exporter OTLP Metrics headers | ||
description: Headers relevant for the endpoint, useful for specifying authentication details for providers. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_headers-or-otel_exporter_otlp_metrics_headers) | ||
|
||
- id: $$cap_openid_jws_alg | ||
label: OpenID JWS algorithms | ||
description: The algorithm used to sign the id_token. Jackson uses jose to create the ID token. Supported algorithms can be found at https://github.com/panva/jose/issues/114#digital-signatures. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_jws_alg) | ||
defaultValue: RS256 | ||
- id: $$cap_openid_rsa_private_key | ||
label: OpenID RSA Private key | ||
description: Base64 value of private key. To generate one 'openssl genrsa -out private-key.pem 3072' then 'openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private_key.pem' and 'cat private_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_private_key) | ||
- id: $$cap_openid_rsa_public_key | ||
label: OpenID RSA Public key | ||
description: Base64 value of public key. You can generate the public key from the private key as shown below 'openssl rsa -in private_key.pem -pubout -out public_key.pem' and than 'cat public_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_public_key) | ||
- id: $$cap_public_key | ||
label: Public key | ||
description: This is the public key of the private key used to sign the SAML requests. Jackson expects the public key to be base64 encoded. (https://boxyhq.com/docs/jackson/deploy/env-variables#public_key) | ||
|
||
- id: $$cap_private_key | ||
label: Private key | ||
description: This is the private key used to sign the SAML requests. Jackson expects the private key to be base64 encoded. To generate a private key and public key pair you can use the following command 'openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365 -nodes' then 'cat public.crt | base64' and that 'cat key.pem | base64' (https://boxyhq.com/docs/jackson/deploy/env-variables#private_key) | ||
- id: $$cap_boxyhq_license_key | ||
label: BoxyHQ License key | ||
|
||
- id: $$cap_webhook_url | ||
label: Webhook URL | ||
description: Specify a webhook URL to receive events about sso and directory connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_url) | ||
- id: $$cap_webhook_secret | ||
label: Webhook Secret | ||
description: Specify a secret to be used to sign the webhook payload. This is used to verify the authenticity of the webhook payload. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_secret) | ||
|
||
- id: $$cap_node_options | ||
label: Node Options | ||
defaultValue: --max-http-header-size=81920 --dns-result-order=ipv4first | ||
- id: $$cap_next_telemetry_disabled | ||
label: Next Telemetry disabled | ||
defaultValue: 1 | ||
|
||
- id: $$cap_boxyhq_jackson_version | ||
label: BoxyHQ Jackson Version | ||
defaultValue: 1.13.0 | ||
description: Check out their Docker page for the valid tags https://hub.docker.com/r/boxyhq/jackson/tags/ | ||
validRegex: /^([^\s^\/])+$/ | ||
instructions: | ||
start: >- | ||
Reduce Time to Market without sacrificing your security posture! | ||
|
||
BoxyHQ’s suite of APIs for security and privacy helps engineering teams build and ship compliant cloud applications faster. | ||
|
||
SAML Jackson can be used with any web application to integrate the Single Sign-On (SSO) authentication. | ||
|
||
NOTE: If you turn it to HTTPS, then dont forget change variables from 'http://$$cap_appname.$$cap_root_domain' to 'https://$$cap_appname.$$cap_root_domain' | ||
|
||
Note: This app is intended for advanced users who'd like to have a central DB in a single container for BoxyHQ Jackson. You should start by configuring your DB at you self, you can it do before or after you installed the BoxyHQ Jackson. | ||
end: >- | ||
BoxyHQ is deployed and available as http://$$cap_appname.$$cap_root_domain. | ||
|
||
NOTE: If you turn it to HTTPS, then dont forget change variables from 'http://$$cap_appname.$$cap_root_domain' to 'https://$$cap_appname.$$cap_root_domain' | ||
|
||
IMPORTANT: It will take up to 2 minutes for BoxyHQ Jackson to be ready. Before that, you might see a 502 error page. | ||
|
||
Remember that this app will not create a Database by itself. You need to provide all that information. | ||
displayName: BoxyHQ Jackson (SAML to OAuht) - No Database | ||
isOfficial: true | ||
description: This will create a BoxyHQ Jackson only. You will need to create and configure the database information manually. Intended for advanced users. | ||
documentation: Taken from https://hub.docker.com/r/boxyhq/jackson/. |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should use examples as default values, move
smtp.example.com
to description.