Project 5: Design IAM Architecture in OCI.
OCI has its own tool kit called OKIT to design this Architecture.
Git: https://github.com/oracle/oci-designer-toolkit/blob/master/documentation/Installation.md
Blog For Governance: https://docs.oracle.com/en/solutions/iam-governance-solution/index.html#GUID-9EA304AE-A9F3-4955-9965-144BE4714319
Blog for IAM, IDCS and OKTA integration: https://blogs.oracle.com/futurestate/post/oci-implementation-series-integrate-okta-iam-with-oci-identity-domain-in-hybrid-cloud-environment-setup
OKIT Installation guide:
Reference: https://www.linkedin.com/pulse/how-set-up-headless-okit-oci-badr-tharwat
Oracle recently announced the launch of the OCI Designer Toolkit (OKIT). This tool can generate OCI-compatible Terraform files using a drag-and-drop interface, and it can also represent an OCI compartment graphically (more on OKIT here). Currently the tool can be run locally through Docker or Vagrant; however, this doesn't work for people using lower-spec machines or popular platforms that don't allow a local Docker instance to run (iPad Pro and the like). In this how-to I'll explain how to build an OKIT instance on a headless OCI compute node that can be accessed securely through an SSH tunnel.
https://www.ateam-oracle.com/introduction-to-okit-the-oci-designer-toolkit
To set up OKIT and make it securely available to your local host you need to do four things:
1. Set up a headless Linux machine on OCI and enable SSH access
2. Install Docker
3. Pull the OKIT docker container and run it
4. Access it using an SSH tunnel
I. Set up the Linux machine
I.A Provision
Through the OCI console, provision a compute node using the lowest available specs; make sure to check the "Assign public IP" checkbox and use an SSH key that you have access to.
Once the machine is provisioned, note down the public IP assigned to it. Make sure port 22 is allowed on the public subnet the machine was created in: from the instance page click on the public subnet > Default security group and confirm there is a rule allowing port 22.
Connect to the machine over SSH using the key you used when creating the instance:
#ssh opc@158.101.230.4 -i .ssh/id_rsa_okit
I.B Configure
- Disable the firewall
#sudo systemctl disable firewalld
- Install Docker
https://blogs.oracle.com/virtualization/install-docker-on-oracle-linux-7-v2
cd /etc/yum.repos.d/
#sudo wget http://yum.oracle.com/public-yum-ol7.repo
#sudo nano public-yum-ol7.repo
Edit the file to enable the repos ol7_UEKR4 and ol7_addons.
Install docker:
sudo yum install docker-engine
Start the services
sudo systemctl start docker
sudo systemctl enable docker
Validate that the service is up
sudo systemctl status docker
The output should look similar to this:
Validate the installation by running the hello-world container:
sudo docker run hello-world
Now docker is up and running; the next step is installing OKIT.
III. Install and start OKIT container
The A-Team have prepared an installation how-to, portions of which I'm using here; the full version can be found here.
III.A Install git
cd $HOME
sudo yum install git
III. B Clone the OKIT repo
git clone -b v0.6.0 --depth 1 https://github.com/oracle/oci-designer-toolkit.git
III.C Build the container
cd oci-designer-toolkit/
#sudo docker build --tag okit --file ./containers/docker/Dockerfile --force-rm ./containers/docker/
Export paths
export OKIT_ROOT_DIR=$(pwd)
export OCI_CONFIG_DIR=$OKIT_ROOT_DIR/containers/oci
III.D Start OKIT image
#sudo docker run -d --rm -p 80:80 --name okit --hostname okit -v $OCI_CONFIG_DIR:/root/.oci -v $OKIT_ROOT_DIR/okitweb:/okit/okitweb -v $OKIT_ROOT_DIR/visualiser:/okit/visualiser -v $OKIT_ROOT_DIR/log:/okit/log okit
The output should look like this:
IV. Set up the SSH tunnel (On your Local Machine)
SSH tunneling is used to secure OKIT. Even though it is technically possible to expose OKIT directly to the internet, I strongly recommend not doing so, as it would be significantly less secure than the approach used here.
From your local machine set up the tunnel as follows:
#ssh -v -N -L 8888:127.0.0.1:80 opc@<OCI_SERVER_IP> -i <PRIVATE_KEY>
Alternatively you can create the tunnel using PuTTY as described here. From your browser navigate to:
http://localhost:8888/okit/designer
You can then integrate OKIT with your own tenancy by placing your configuration file in the following location on the OKIT server: $OKIT_ROOT_DIR/containers/oci, as per the instructions available in the OKIT installation guide here.
IMPORTANT NOTE: NEVER UPLOAD YOUR KEYS INTO A SHARED TENANCY. The OKIT configuration calls for it; however, under a shared model this would put your keys and the tenancies they can access at risk.
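The following is an added example and not part of the original article: a small POSIX shell helper that reproduces the article's docker run command but publishes port 80 on the loopback address only (so the OKIT UI answers solely through the SSH tunnel), checks `ss -ltnH` output for any port-80 listener that is not bound to 127.0.0.1, and verifies that the OCI API key file placed in the config directory is readable by its owner alone. The function names and the sample `ss` lines are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# sample `ss` output below are constructed for illustration.

# Same flags as the article's docker run, but the host side of the port
# mapping is 127.0.0.1, so the UI only listens on loopback and the SSH
# tunnel (-L 8888:127.0.0.1:80) remains the only path to it.
okit_run_cmd() {
  root="${1:?usage: okit_run_cmd OKIT_ROOT_DIR [OCI_CONFIG_DIR]}"
  cfg="${2:-$root/containers/oci}"
  echo "docker run -d --rm -p 127.0.0.1:80:80 --name okit --hostname okit" \
       "-v $cfg:/root/.oci -v $root/okitweb:/okit/okitweb" \
       "-v $root/visualiser:/okit/visualiser -v $root/log:/okit/log okit"
}

# Succeeds only when every TCP listener on port 80 is bound to 127.0.0.1.
# $1 holds lines in `ss -ltnH` layout: State Recv-Q Send-Q Local:Port Peer:Port.
check_listener() {
  bad=$(printf '%s\n' "$1" |
        awk '$4 ~ /:80$/ && $4 != "127.0.0.1:80" { print $4 }')
  [ -z "$bad" ]
}

# Succeeds only when the OCI API private key is readable by its owner alone
# (mode 0600 or 0400). Uses GNU stat, as found on Oracle Linux.
check_key_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Constructed `ss -ltnH` samples: the first is what the loopback-only mapping
# produces; the second is what a plain -p 80:80 mapping produces (0.0.0.0:80).
SAMPLE_SS_OK='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'
SAMPLE_SS_EXPOSED='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Usage on the OKIT host (after the article's export of OKIT_ROOT_DIR and
# OCI_CONFIG_DIR; <api_key>.pem is a placeholder for your key file name):
#   eval "sudo $(okit_run_cmd "$OKIT_ROOT_DIR")"
#   check_listener "$(ss -ltnH)" && echo "port 80 is loopback-only"
#   check_key_perms "$OCI_CONFIG_DIR/<api_key>.pem" || echo "tighten key mode"
```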