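def webhooked_vault_agent_architecture():
    """Render the "Mutating Webhook" Vault Agent injection diagram.

    Draws the control plane (API server), a mutating webhook and a Vault
    instance, plus a "Secure Pod" whose injected init agent and sidecar
    agent are wired to the app through an in-memory volume. Side effect
    only: the image is written when the ``Diagram`` context exits
    (``show=False``).

    Relies on ``Diagram``, ``Cluster``, ``Edge``, ``APIServer``, ``SQS``,
    ``Vault``, ``Custom``, ``Vol`` and ``crio_icon`` from module scope.
    """
    # NOTE(review): cluster nesting was reconstructed from a collapsed
    # listing; confirm against the rendered image.
    with Diagram(name="Mutating Webhook", show=False):
        with Cluster("Control Plane"):
            apiserver = APIServer()
        # Unnamed clusters only draw a box around a single node. The SQS
        # class is used purely as a stand-in glyph for the webhook.
        with Cluster(""):
            webhook = SQS("Mutating Webhook")
        with Cluster(""):
            vault = Vault("Vault")

        with Cluster("Secure Pod"):
            with Cluster("Injected"):
                vault_init_agent = Custom("Init Vault Agent", crio_icon)
                vault_agent = Custom("Vault Agent", crio_icon)
            app_container = Custom("App", crio_icon)
            in_memory_vol = Vol("In Memory")
            # Only the init agent is drawn writing the in-memory volume the
            # app reads. The original built an unused [init, agent] list
            # here; basic_vault_agent_architecture links BOTH agents to the
            # volume, so confirm whether the sidecar should be linked too.
            # NOTE(review): what the volume holds (token vs. rendered
            # secrets) is not stated in this diagram.
            vault_init_agent >> in_memory_vol
            app_container << in_memory_vol

        # Bidirectional edges: Vault <-> sidecar agent <-> app, and the API
        # server <-> webhook / Vault.
        vault >> Edge() << vault_agent >> Edge() << app_container
        apiserver >> Edge() << webhook
        apiserver >> Edge() << vault
        # Directed edge from the webhook to the agent it injects.
        webhook >> vault_agent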
def basic_vault_agent_architecture():
    """Render the "Vault Agent Architecture" diagram, laid out left-to-right.

    Shows the control plane (API server), a "Vault" cluster (Service on
    :8200, a Secret and ConfigMap feeding Vault, and a PV labelled
    "Encrypted Store"), and a "Secure Pod" in which an init agent and a
    sidecar agent both write an in-memory volume that the app reads.
    Side effect only: the image is written when the ``Diagram`` context
    exits (``show=False``).

    Relies on ``Diagram``, ``Cluster``, ``Edge``, ``APIServer``,
    ``Service``, ``Secret``, ``ConfigMap``, ``Vault``, ``PV``, ``Custom``,
    ``Vol`` and ``crio_icon`` from module scope.
    """
    # NOTE(review): cluster nesting was reconstructed from a collapsed
    # listing; confirm against the rendered image.
    with Diagram(name="Vault Agent Architecture", show=False, direction="LR"):
        with Cluster("Control Plane"):
            apiserver = APIServer()

        with Cluster("Vault"):
            vault_svc = Service(":8200")
            # NOTE(review): presumably TLS material for the :8200 listener
            # and Vault's server config; the diagram does not say.
            tls_certs = Secret("Certs Secret")
            vault_config = ConfigMap("Vault Config")
            vault = Vault("Vault")
            storage = PV("Encrypted Store")
            vault >> storage
            vault >> Edge() << vault_svc
            vault << tls_certs
            vault << vault_config

        with Cluster("Secure Pod"):
            vault_agent = Custom("Vault Agent", crio_icon)
            vault_init_agent = Custom("Init Vault Agent", crio_icon)
            agents = [vault_init_agent, vault_agent]
            app_container = Custom("App", crio_icon)
            memory_volume = Vol("In Memory")
            # Both agents write the in-memory volume; the app reads it.
            # NOTE(review): what the volume holds (token vs. rendered
            # secrets) is not stated in this diagram.
            agents >> memory_volume
            app_container << memory_volume
            # Links both agents with the Vault service and with the app.
            # Kept verbatim: operator chaining in ``diagrams`` is
            # order-sensitive.
            agents << vault_svc << agents >> Edge() << app_container

        apiserver >> Edge() << vault
from diagrams import Cluster, Diagram, Edge
from diagrams.aws.general import GenericSamlToken
from diagrams.k8s.compute import Pod
from diagrams.k8s.controlplane import CM
from diagrams.onprem.container import Containerd
from diagrams.onprem.network import Envoy

# NOTE(review): ``Server`` and ``Vault`` are used below but not imported in
# this listing; presumably imported earlier in the file.

# Graphviz graph attributes shared by the sidecar diagrams.
graph_attr = {"fontsize": "15", "pad": "0.5", "bgcolor": "transparent"}

# Sidecar token-refresh flow: the sidecar obtains a token from the IdP
# out-of-band (1), hands it to the primary container (2), and the primary
# calls the target with it through Envoy (3). Written to
# ../../img/sidecar_full on context exit; show=False.
with Diagram(
    show=False,
    filename="../../img/sidecar_full",
    graph_attr=graph_attr,
):
    integration = Server("Target")
    idp = Vault("IdP")

    with Cluster("Kubernetes-based Internal Platform"):
        controller = CM("Custom\nController")
        with Cluster("Pod boundary"):
            Pod("Istio-enabled")  # standalone marker node, not wired
            envoy = Envoy("Envoy")
            sidecar = Containerd("Sidecar")
            primary = Containerd("Primary")
            token = GenericSamlToken("")

    # 1. sidecar -> envoy -> IdP
    sidecar >> Edge(label="1. refresh token (out-of-band)") >> envoy >> idp
    # 2. undirected, dashed: sidecar -- token -- primary.
    # NOTE(review): the hand-off mechanism (shared volume, localhost, ...)
    # is not shown; confirm before relying on the pod boundary as the
    # trust boundary for the token.
    sidecar - Edge(label="2. provide token", style="dashed") - token
    token - Edge(style="dashed") - primary
    # 3. primary -> envoy -> target, carrying the token
    primary >> Edge(label="3. RPC with token") >> envoy >> integration
def main():
    """Render the "Automation Framework Swarm" diagram.

    Node labels carry each service's TCP port, so the picture doubles as an
    inventory of listeners. Undirected edges (``-``) connect the Python API
    container to the Kafka brokers, Vault, Nautobot and Logstash, and
    Nautobot to Logstash. Side effect only: the image is written when the
    ``Diagram`` context exits (``show`` left at its default).

    Relies on the ``diagrams`` node classes (``Docker``, ``Python``,
    ``Custom``, ``Zookeeper``, ``Kafka``, ``Storage``, ``Vault``,
    ``Elasticsearch``, ``Kibana``, ``Logstash``) imported at module scope.
    """
    layout = {
        "fontsize": "45",
        "overlap_scaling": "100",
        "size": "24!",
        "ratio": "expand",
    }
    # NOTE(review): cluster nesting was reconstructed from a collapsed
    # listing; confirm against the rendered image.
    with Diagram(name="Automation Framework Swarm", direction="LR",
                 graph_attr=layout):
        with Cluster("Docker Cluster"):
            docker = Docker("Docker")
            with Cluster("container1"):
                python_container = Python("APIs\nOther Microservices")

        with Cluster("Kafka Cluster"):
            with Cluster("Zookeeper"):
                Zookeeper("Zookeeper\ntcp:2181")
            with Cluster("REST Proxy"):
                rest_proxy = Custom("REST Proxy\ntcp:8082",
                                    "custom_icons/REST-API.png")
            with Cluster("Control Center"):
                control_center = Kafka("Control Center\ntcp:9021")
            with Cluster("Schema Registry"):
                schema_registry = Storage("Schema Registry\ntcp:8081")
            with Cluster("Brokers"):
                # Three brokers on consecutive ports, created in order.
                kafka_brokers = [
                    Kafka("Broker 1\ntcp:9092"),
                    Kafka("Broker 2\ntcp:9093"),
                    Kafka("Broker 3\ntcp:9094"),
                ]

        with Cluster("Secrets Managers"):
            vault = Vault("HashiCorp Vault\ntcp:8200")
            secrets_managers = [vault]

        with Cluster("Logging and Search"):
            with Cluster("Search and Logging"):
                elastic_search = Elasticsearch("Elastic Search\ntcp:9200")
                kibana = Kibana("Kibana\ntcp:5601")
                logstash = Logstash("Logstash\ntcp:5044")
                search_log = [elastic_search, kibana, logstash]

        with Cluster("Inventory and Connectivity"):
            with Cluster("Inventory"):
                nautobot = Custom("Nautobot\ntcp:8000",
                                  "custom_icons/Nautobot.jpeg")

        # Undirected edges: adjacency only, no direction implied.
        # NOTE(review): the diagram lists listeners but says nothing about
        # which are reachable outside the Docker network or how they
        # authenticate; confirm separately.
        kafka_brokers - python_container
        python_container - vault
        python_container - nautobot
        nautobot - logstash
        python_container - logstash
from diagrams.aws.general import GenericSamlToken from diagrams import Diagram, Edge, Cluster from diagrams.onprem.security import Vault from diagrams.onprem.vcs import Github from diagrams.onprem.client import User graph_attr = {"fontsize": "15", "pad": "0.5", "bgcolor": "transparent"} with Diagram( show=False, filename="../../img/vault_github_plugin", graph_attr=graph_attr, ): user = User("Authenticated User") with Cluster("https://vault.acme.corp"): vault_plugin = [Vault("GitHub Plugin")] key = GenericSamlToken("GitHub App\nPrivate Key") with Cluster("https://api.github.com"): app = Github("GitHub App") user << Edge( color="black", style="bold", label=""" 1. GET /github/token X-Vault-Token: <Vault token>""", ) << vault_plugin << Edge( color="black", style="bold", label="""
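def main():
    """Render the "Automation Framework Compose" diagram.

    Node labels carry each service's TCP port, so the picture doubles as an
    inventory of listeners. Undirected edges (``-``) connect the Python API
    container to the Kafka brokers, Vault, Nautobot, Logstash, InfluxDB and
    MongoDB, and Nautobot to Logstash and InfluxDB. Side effect only: the
    image is written when the ``Diagram`` context exits (``show`` left at
    its default).

    Relies on the ``diagrams`` node classes (``Docker``, ``Python``,
    ``Custom``, ``Zookeeper``, ``Kafka``, ``Storage``, ``Vault``,
    ``Elasticsearch``, ``Kibana``, ``Logstash``, ``Influxdb``, ``Grafana``,
    ``Mongodb``, ``TC``) imported at module scope.

    Changes from the original: the misspelled local ``infulxdb`` is now
    ``influxdb``, and node bindings that were never referenced (including
    the dead ``secrets_managers``, ``search_log`` and ``mongo_group`` lists)
    are dropped; every node is still created in the same order.
    """
    graph_attr = {
        'fontsize': '45',
        'overlap_scaling': '100',
        'size': '24!',
        'ratio': 'expand',
    }
    # NOTE(review): cluster nesting was reconstructed from a collapsed
    # listing; confirm against the rendered image.
    with Diagram(name='Automation Framework Compose', direction='LR',
                 graph_attr=graph_attr):
        with Cluster('Docker Cluster'):
            Docker('Docker')
            with Cluster('container1'):
                python_container = Python('APIs\nOther Microservices')
            with Cluster('Docker Registry'):
                Docker('Docker Registry\ntcp:5000')
            with Cluster('Docker Registry Browser'):
                Python('Docker Registry Browser\ntcp:8088')
            with Cluster('BatFish'):
                Custom('BatFish\ntcp:8888\ntcp:9997\ntcp:9996',
                       'custom_icons/BatFish.png')

        with Cluster('Kafka Cluster'):
            with Cluster('Zookeeper'):
                Zookeeper('Zookeeper\ntcp:2181')
            with Cluster('REST Proxy'):
                Custom('REST Proxy\ntcp:8082', 'custom_icons/REST-API.png')
            with Cluster('Control Center'):
                Kafka('Control Center\ntcp:9021')
            with Cluster('Schema Registry'):
                Storage('Schema Registry\ntcp:8081')
            with Cluster('Brokers'):
                # Three brokers on consecutive ports, created in order.
                kafka_brokers = [
                    Kafka('Broker 1\ntcp:9092'),
                    Kafka('Broker 2\ntcp:9093'),
                    Kafka('Broker 3\ntcp:9094'),
                ]

        with Cluster('Secrets Managers'):
            vault = Vault('HashiCorp Vault\ntcp:8200')

        with Cluster('Logging and Search'):
            with Cluster('ELK Stack'):
                Elasticsearch('Elastic Search\ntcp:9200')
                Kibana('Kibana\ntcp:5601')
                logstash = Logstash('Logstash\ntcp:5044')
            with Cluster('Influxdb'):
                influxdb = Influxdb('Influxdb\ntcp:8086')
            with Cluster('Grafana'):
                Grafana('Grafana\ntcp:3000')

        with Cluster('Inventory and Connectivity'):
            with Cluster('Inventory'):
                nautobot = Custom('Nautobot\ntcp:8000',
                                  'custom_icons/Nautobot.jpeg')

        with Cluster('Database'):
            with Cluster('Mongo dB'):
                mongodb = Mongodb('MongoDb\ntcp:27017')
                Mongodb('MongoDb Express\ntcp:8181')

        with Cluster('CI/CD'):
            TC('TeamCity')

        # Undirected edges: adjacency only, no direction implied.
        # NOTE(review): the diagram lists listeners (registry :5000, Mongo
        # Express :8181, Vault :8200, ...) but says nothing about which are
        # reachable outside the Docker network or how they authenticate;
        # confirm separately.
        kafka_brokers - python_container
        python_container - vault
        python_container - nautobot
        nautobot - logstash
        python_container - logstash
        nautobot - influxdb
        python_container - influxdb
        python_container - mongodb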
Custom("Bitbucket CI", "./resources/bitbucket.png") ] << openldap devops_team >> continous_integration with Cluster("Provisioning"): provisioning = Terraform("Terraform") provisioning - [ Custom("Packer", "./resources/packer.png"), Custom("Helm", "./resources/helm.png") ] devops_team >> provisioning with Cluster("Secret Management"): secret_management = Vault("Vault") secret_management << Edge( label="collect key/value") << [Consul("Consul")] << openldap devops_team >> secret_management with Cluster("Edge Stack", direction="LR"): edge_stack = Ambassador("Ambassador Ingress Gateway") edge_stack >> [Kong("KONG API Gateway")] devops_team >> edge_stack with Cluster("Service Discovery and Mesh"): service_discovery_mesh = Consul("Consul") service_discovery_mesh << [Envoy("Consul Connect+Envoy")]