Adds ZTA support for offline deployment (#2136)

2025-09-08 05:54:20 +08:00 · 2023-08-04 00:25:05 +07:00 · 2023-08-04 00:25:05 +07:00 · 8e26fe6287
commit 8e26fe6287
parent 2521e42108
1 changed files with 100 additions and 12 deletions
--- a/lib/livebook_web/live/hub/edit/team_component.ex
+++ b/lib/livebook_web/live/hub/edit/team_component.ex
@ -13,6 +13,7 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
    show_key? = assigns.params["show-key"] == "true"
    secrets = Livebook.Hubs.get_secrets(assigns.hub)
    secret_name = assigns.params["secret_name"]
+    zta = %{"provider" => "", "key" => ""}

    secret_value =
      if assigns.live_action == :edit_secret do
@ -27,7 +28,8 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
       show_key: show_key?,
       secret_name: secret_name,
       secret_value: secret_value,
-       hub_metadata: Provider.to_metadata(assigns.hub)
+       hub_metadata: Provider.to_metadata(assigns.hub),
+       zta: zta
     )
     |> assign_dockerfile()
     |> assign_form(changeset)}
@ -136,6 +138,62 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
              />
            </div>

+            <div class="flex flex-col space-y-4">
+              <h2 class="text-xl text-gray-800 font-medium pb-2 border-b border-gray-200">
+                Zero Trust Authentication
+              </h2>
+
+              <p class="text-gray-700">
+                Enables Zero Trust Authentication to be used as the identity provider.
+              </p>
+
+              <.form :let={f} for={@zta} phx-change="change_zta" phx-target={@myself}>
+                <div class="grid grid-cols-1 md:grid-cols-2 gap-3">
+                  <.select_field
+                    name="provider"
+                    label="Provider"
+                    value={@zta["provider"]}
+                    options={[
+                      {"None", ""},
+                      {"Cloudflare", "cloudflare"},
+                      {"GoogleIAP", "google_iap"}
+                    ]}
+                  />
+                  <span class={[@zta["provider"] == "" && "hidden"]}>
+                    <.text_field
+                      field={f[:key]}
+                      label={"#{if @zta["provider"] == "cloudflare", do: "Team name (domain)", else: "Audience (aud)"}"}
+                      phx-debounce
+                    />
+                  </span>
+                </div>
+                <%= if @zta["provider"] == "cloudflare" do %>
+                  <span>
+                    See the
+                    <a
+                      class="text-blue-800 hover:text-blue-600"
+                      href="https://developers.cloudflare.com/cloudflare-one/"
+                    >
+                      CloudFlare docs
+                    </a>
+                    for more information about Cloudflare Zero Trust.
+                  </span>
+                <% end %>
+                <%= if @zta["provider"] == "google_iap" do %>
+                  <span>
+                    See the
+                    <a
+                      class="text-blue-800 hover:text-blue-600"
+                      href="https://cloud.google.com/iap/docs/concepts-overview"
+                    >
+                      Google docs
+                    </a>
+                    for more information about Google Identity-Aware Proxy (IAP).
+                  </span>
+                <% end %>
+              </.form>
+            </div>
+
            <div class="flex flex-col space-y-4">
              <h2 class="text-xl text-gray-800 font-medium pb-2 border-b border-gray-200">
                Airgapped Deployment
@ -387,6 +445,16 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
     )}
  end

+  def handle_event("change_zta", %{"provider" => ""}, socket) do
+    zta = %{"provider" => "", "key" => ""}
+    {:noreply, assign(socket, zta: zta) |> assign_dockerfile()}
+  end
+
+  def handle_event("change_zta", %{"provider" => provider, "key" => key}, socket) do
+    zta = %{"provider" => provider, "key" => key}
+    {:noreply, assign(socket, zta: zta) |> assign_dockerfile()}
+  end
+
  defp assign_form(socket, %Ecto.Changeset{} = changeset) do
    assign(socket, form: to_form(changeset))
  end
@ -395,19 +463,29 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
    version = to_string(Application.spec(:livebook, :vsn))
    version = if version =~ "dev", do: "edge", else: version

-    assign(socket, :dockerfile, """
-    FROM ghcr.io/livebook-dev/livebook:#{version}
+    base =
+      """
+      FROM ghcr.io/livebook-dev/livebook:#{version}

-    ENV LIVEBOOK_APPS_PATH_HUB_ID "#{socket.assigns.hub.id}"
-    ENV LIVEBOOK_TEAMS_NAME "#{socket.assigns.hub.hub_name}"
-    ENV LIVEBOOK_TEAMS_OFFLINE_KEY "#{socket.assigns.hub.org_public_key}"
-    ENV LIVEBOOK_TEAMS_SECRETS "#{encrypt_secrets_to_dockerfile(socket)}"
+      ENV LIVEBOOK_APPS_PATH_HUB_ID "#{socket.assigns.hub.id}"
+      ENV LIVEBOOK_TEAMS_NAME "#{socket.assigns.hub.hub_name}"
+      ENV LIVEBOOK_TEAMS_OFFLINE_KEY "#{socket.assigns.hub.org_public_key}"
+      ENV LIVEBOOK_TEAMS_SECRETS "#{encrypt_secrets_to_dockerfile(socket)}"

-    COPY /path/to/my/notebooks /apps
-    ENV LIVEBOOK_APPS_PATH "/apps"
-    ENV LIVEBOOK_APPS_PATH_WARMUP "manual"
-    RUN /app/bin/warmup_apps.sh\
-    """)
+      """
+
+    apps =
+      """
+      COPY /path/to/my/notebooks /apps
+      ENV LIVEBOOK_APPS_PATH "/apps"
+      ENV LIVEBOOK_APPS_PATH_WARMUP "manual"
+      RUN /app/bin/warmup_apps.sh\
+      """
+
+    zta = zta_env(socket.assigns.zta)
+    dockerfile = if zta, do: base <> zta <> apps, else: base <> apps
+
+    assign(socket, :dockerfile, dockerfile)
  end

  defp encrypt_secrets_to_dockerfile(socket) do
@ -422,4 +500,14 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do

    Livebook.Teams.encrypt(stringified_secrets, secret_key, sign_secret)
  end
+
+  defp zta_env(%{"provider" => ""}), do: nil
+  defp zta_env(%{"key" => ""}), do: nil
+
+  defp zta_env(%{"provider" => provider, "key" => key}) do
+    """
+    ENV LIVEBOOK_IDENTITY_PROVIDER "#{provider}:#{key}"
+
+    """
+  end
 end