diff --git a/.github/workflows/wiki.yml b/.github/workflows/wiki.yml index 80d1896..0700023 100644 --- a/.github/workflows/wiki.yml +++ b/.github/workflows/wiki.yml @@ -1,10 +1,14 @@ # Simple workflow for deploying static content to GitHub Pages -name: Deploy static content to Pages +name: Deploy Wiki to Pages on: # Runs on pushes targeting the default branch push: - branches: ["main"] + branches: + - main + paths: + - 'wiki/**' + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: @@ -22,7 +26,32 @@ concurrency: cancel-in-progress: false jobs: - # Single deploy job since we're just deploying + generate_diagrams: + runs-on: ubuntu-latest + defaults: + run: + working-directory: "artifacts/diagrams/" + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + + - name: setup python + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5 + with: + python-version: '3.10' + cache: 'pip' + + - name: install diagram as code library + run: | + pip install -U pip + pip install diagrams + + - name: generate diagrams + run: | + python vault.py + python boundary.py + mv *.png ${{github.workspace}}/artifacts/wiki/ + deploy-wiki: environment: name: github-pages diff --git a/artifacts/diagrams/boundary.py b/artifacts/diagrams/boundary.py new file mode 100644 index 0000000..eea560e --- /dev/null +++ b/artifacts/diagrams/boundary.py 
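Review bot: The new `paths` filter `'wiki/**'` only matches a top-level `wiki/` directory, but the pages this workflow deploys live under `artifacts/wiki/` and the diagram sources under `artifacts/diagrams/` (both touched in this same commit), so pushes to those files will not trigger the deploy. Use `- 'artifacts/wiki/**'` and `- 'artifacts/diagrams/**'`, and consider adding `- '.github/workflows/wiki.yml'` so edits to the workflow itself redeploy. Until then only `workflow_dispatch` runs reach the new diagram job.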
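Review bot: The PNGs that `generate_diagrams` moves into `${{github.workspace}}/artifacts/wiki/` stay on that job's runner; `deploy-wiki` starts on a fresh runner, and the hunk shows neither `needs: generate_diagrams` on it nor an upload/download-artifact pair, so unless its body (which continues outside the hunk) regenerates the images, the deployed site will reference PNGs that were never produced. Either add `needs: generate_diagrams` together with `actions/upload-artifact` after the `mv` and `actions/download-artifact` in `deploy-wiki`, or run the two `python` commands inside `deploy-wiki` before the Pages upload. Separately, `pip install diagrams` is unpinned while both actions are pinned to commit SHAs; pinning the library (`pip install 'diagrams==<pinned-version>'`, ideally with `--require-hashes`) keeps the build reproducible and limits exposure to a compromised release. No `permissions:` block is visible in the hunk; if one is not set at workflow level elsewhere in the file, the new job should declare `permissions: contents: read`.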
@@ -0,0 +1,55 @@ +from diagrams import Diagram, Cluster, Edge, Node +from diagrams.onprem.compute import Server +from diagrams.onprem.auth import Boundary +from diagrams.onprem.security import Vault +from diagrams.onprem.database import PostgreSQL +from diagrams.oci.governance import Audit, Logging + + +graph_attr = { + "fontname": "Roboto", + "fontsize": "24" + } + +with Diagram("Boundary server Workflow", show=False, direction="LR", graph_attr=graph_attr, filename="boundary"): + boundary_controller = Boundary("Boundary Controller") + boundary_worker = Boundary("Boundary Worker") + vault = Vault("Vault Transit Engine") + + with Cluster("Listeners"): + api_listener = Server("API Listener") + cluster_listener = Server("Cluster Listener") + proxy_listener = Server("Proxy Listener") + Node(label="", width="2", height="0", style="invisible") + + + with Cluster("Audit Event Sinks"): + audit_file_sink = Audit("Controller") + auth_sink = Audit("Auth Observation") + session_sink = Audit("Session Authorization") + Node(label="", width="2", height="0", style="invisible") + stderr_sink = Logging("Stderr Sink") + + with Cluster("KMS Keys"): + recovery_key = Boundary("recovery") + worker_auth = Boundary("worker-ath") + root_key = Boundary("root") + + postgres= PostgreSQL("Postgresql") + + # Controller connections + boundary_controller >> Edge(label="TCP connection") >> cluster_listener + boundary_controller >> Edge(label="Audit File Events") >> auth_sink + boundary_controller >> Edge(label="All-events") >> stderr_sink + + # Worker connections + boundary_worker >> Edge(label="Connected to Controller") >> boundary_controller + + # KMS connections + worker_auth >> Edge() >> vault + recovery_key >> Edge() >> vault + root_key >> Edge() >> vault + root_key << Edge(attrs="penwidth: 2.0") << boundary_controller + + # DB connections + postgres << Edge(label="DB Connection") << boundary_controller \ No newline at end of file 
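Review bot: `Edge(attrs="penwidth: 2.0")` on the `root_key << ... << boundary_controller` line does not set the pen width: `Edge` collects Graphviz attributes as keyword arguments, so this passes an attribute literally named `attrs` and the thick edge is silently not drawn; write `Edge(penwidth="2.0")`. The KMS label `Boundary("worker-ath")` looks like a typo for `worker-auth`, the name of the corresponding Boundary KMS purpose. `audit_file_sink` and `session_sink` are created but never connected; if that is intended, drop the bindings (`Audit("Controller")` alone still renders the node), otherwise add the missing edges. The module has no docstring — `"""Render the Boundary server topology to boundary.png (run from artifacts/diagrams/)."""` would do — and the file lacks a trailing newline.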
diff --git a/artifacts/diagrams/vault.py b/artifacts/diagrams/vault.py new file mode 100644 index 0000000..152bfe8 --- /dev/null +++ b/artifacts/diagrams/vault.py @@ -0,0 +1,32 @@ +from diagrams import Diagram, Cluster, Edge, Node +from diagrams.onprem.security import Vault +from diagrams.generic.storage import Storage +from diagrams.onprem.client import Users + +with Diagram("\nVault Server Workflow", show=False, direction="RL", graph_attr={"fontname" : "arial", "fontsize": "28" }, filename="vault"): + cluster_attr= { + "margin" : "20", + "fontsize": "16", + "fontname" : "arial"} + + with Cluster("Vault Setup", graph_attr=cluster_attr): + vault_listener = Vault("TCP Listener") + storage_raft = Storage("\nRaft Storage") + vault_ui = Vault("UI") + + with Cluster("User Management", graph_attr=cluster_attr): + userpass_lockout = Users("\nUserpass Lockout") + users = Users("\nUsers") + + # Vault connections + vault_listener - Edge(label="0.0.0.0:8200\nTLS Disabled") >> [storage_raft, vault_ui] + vault_listener >> Edge(label="Max Entry Size\n1MB") >> storage_raft + + # User Management connections + users >> Edge(label="Lockout Threshold: 3\nLockout Duration: 10m") >> userpass_lockout + + # External connections + api_addr = Vault("API Address\nhttp://localhost:8200") + cluster_addr = Vault("Cluster Address\nhttp://127.0.0.1:8201") + + vault_listener >> Edge(label="API and Cluster Addresses") >> [api_addr, cluster_addr] diff --git a/artifacts/wiki/index.html b/artifacts/wiki/index.html index ec038c5..a718f5d 100644 --- a/artifacts/wiki/index.html +++ b/artifacts/wiki/index.html @@ -87,30 +87,15 @@
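Review bot: `Node` is imported but never used in this file, and the two connection lines use different operators for the same thing — `vault_listener - Edge(label=...) >> [storage_raft, vault_ui]` followed by `vault_listener >> Edge(...) >> storage_raft`; both appear to draw a directed edge, so use `>>` in both places and drop `Node` from the import. `cluster_attr= {` should be `cluster_attr = {`, matching the spacing used for `graph_attr=` in the `Diagram(...)` call. A module docstring is missing; `"""Render the Vault server topology to vault.png (run from artifacts/diagrams/)."""` would help whoever next edits the workflow that invokes it.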

About Hashico

Workflows

Vault

Vault workflow involves setting up authentication methods, secret engines, and policies. The key - components include:

- - + components of Vault server setup include:

+ vault diagram +

Boundary

-

Boundary workflow involves managing sessions, targets, and credentials. The key components include: +

Boundary workflow involves managing sessions, targets, and credentials. The key + components of Boundary server setup include:

- + vault diagram + diff --git a/artifacts/wiki/style.css b/artifacts/wiki/style.css index 3679059..dea362e 100644 --- a/artifacts/wiki/style.css +++ b/artifacts/wiki/style.css @@ -204,6 +204,24 @@ a:hover { margin-bottom: var(--margin-small); } +/* workflows */ +.workflows { + display: flex; + flex-direction: column; + max-width: 100%; + margin: 0 auto; + padding: 20px; +} +.workflows img { + width: 100%; + max-width: 700px; + height: auto; + margin-bottom: 20px; + object-fit: contain; + border-radius: 8px; + box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1); + align-self: center; +}