├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── clonePeers.sh
├── create-branch.sh
├── fork-repos.sh
└── static
    ├── imgs
    │   ├── OmniChannelEndToEnd_security.png
    │   ├── apic_catalog_create.png
    │   ├── app_architecture.png
    │   ├── bluemix_1.png
    │   ├── bluemix_2.png
    │   ├── bluemix_3.png
    │   ├── bluemix_4.png
    │   ├── bluemix_9.png
    │   ├── github_flow.png
    │   ├── github_flow.xml
    │   └── jwk_key_generator.png
    └── security.md

/CONTRIBUTING.md:
--------------------------------------------------------------------------------
## Contributing to IBM Cloud Architecture reference applications
Anyone can contribute to IBM Cloud Architecture reference applications and their associated projects, whether you are an IBMer or not.
We welcome your collaboration & contributions happily, as our reference applications are meant to reflect your real world scenarios.
There are multiple ways to contribute: report bugs and improvement suggestions, improve documentation, and contribute code.


## Bug reports, documentation changes, and feature requests

If you would like to contribute your experience with an IBM Cloud Architecture project back to the project in the form of encountered bug reports, necessary documentation changes, or new feature requests, this can be done through the use of the repository's [**Issues**](#) list.

Before opening a new issue, please reference the existing list to make sure a similar or duplicate item does not already exist.
Otherwise, please be as explicit as possible when creating the new item and be sure to include the following:

- **Bug reports**
  - Specific Project Version
  - Deployment environment
  - A minimal, but complete, set of steps to recreate the problem
- **Documentation changes**
  - URL to existing incorrect or incomplete documentation (either in the project's GitHub repo or external product documentation)
  - Updates required to correct the current inconsistency
  - If possible, a link to a project fork, sample, or workflow that exposes the gap in documentation.
- **Feature requests**
  - Complete description of the project feature request, including but not limited to, components of the existing project that are impacted, as well as additional components that may need to be created.
  - A minimal, but complete, set of steps to recreate the environment necessary to identify the new feature's current gap.

The more explicit and thorough you are in opening GitHub Issues, the more efficient your interaction with the maintainers will be. When creating the GitHub Issue for your bug report, documentation change, or feature request, be sure to add as many relevant labels as necessary (that are defined for that specific project). These will vary by project, but will be helpful to the maintainers in quickly triaging your new GitHub issues.

## Code contributions

We really value contributions, and to maximize the impact of code contributions, we request that any contributions follow the guidelines below. If you are new to open source contribution and would like some more pointers or guidance, you may want to check out [**Your First PR**](http://yourfirstpr.github.io/) and [**First Timers Only**](https://www.firsttimersonly.com/). These are a few projects that help on-board new contributors to the overall process.

### Coding and Pull Requests best practices
- Please ensure you follow the coding standard and code formatting used throughout the existing code base.
  - This may vary project by project, but any specific diversion from normal language standards will be explicitly noted.
- One feature / bug fix / documentation update per pull request
- Always pull the latest changes from upstream and rebase before creating any pull request.
- New pull requests should be created against the `integration` branch of the repository, if available.
  - This ensures new code is included in full-stack integration tests before being merged into the `master` branch
- All new features must be accompanied by associated tests.
  - Make sure all tests pass locally before submitting a pull request.
  - Include tests with every feature enhancement, improve tests with every bug fix

### Github and git flow

The internet is littered with guides and information on how to use and understand git.
However, here's a compact guide that follows the suggested workflow.

![Github flow](https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/master/static/imgs/github_flow.png)

1. Fork the desired repo in github.

2. Clone your repo to your local computer.

3. Add the upstream repository

Note: guide for steps 1-3 here: [forking a repo](https://help.github.com/articles/fork-a-repo/)

4. Create a new development branch off the targeted upstream branch. This will often be `master`. Replace `<new-branch-name>` with the name of your feature branch:

```
git checkout -b <new-branch-name> master
```

5. Do your work:
  - Write your code
  - Write your tests
  - Pass your tests locally
  - Commit your intermediate changes as you go and as appropriate
  - Repeat until satisfied

6. Fetch the latest upstream changes (in case other changes had been delivered upstream while you were developing your new feature).

```
git fetch upstream
```
7. Rebase to the latest upstream changes, resolving any conflicts. This will 'replay' your local commits, one by one, after the changes delivered upstream while you were locally developing, letting you manually resolve any conflict.

```
git branch --set-upstream-to=upstream/master
git rebase
```
Instructions on how to manually resolve a conflict and commit the new change or skip your local replayed commit will be presented on screen by the git CLI.

8. Push the changes to your repository

```
git push origin
```

9. Create a pull request against the same targeted upstream branch.

[Creating a pull request](https://help.github.com/articles/creating-a-pull-request/)

Once the pull request has been reviewed, accepted and merged into the main github repository, you should synchronise your remote and local forked github repository `master` branch with the upstream master branch. To do so:

10. Pull to your local forked repository the latest changes upstream (that is, the pull request). Switch back to your local `master` branch first so the upstream commits land there:

```
git checkout master
git pull upstream master
```

11. Push those latest upstream changes pulled locally to your remote forked repository.

```
git push origin master
```

### What happens next?
- All pull requests will be automatically built and unit tested by travis-ci, when implemented by that specific project.
  - You can determine if a given project is enabled for travis-ci unit tests by the existence of a `.travis.yml` file in the root of the repository or branch.
  - When in use, all travis-ci unit tests must pass completely before any further review or discussion takes place.
- The repository maintainer will then inspect the commit and, if accepted, will pull the code into the upstream branch.
- Should a maintainer or reviewer ask for changes to be made to the pull request, these can be made locally and pushed to your forked repository and branch.
- Commits passing this stage will make it into the next release cycle for the given project.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and
distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the
copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other
entities that control, are controlled by, or are under common control with
that entity. For the purposes of this definition, "control" means (i) the
power, direct or indirect, to cause the direction or management of such
entity, whether by contract or otherwise, or (ii) ownership of
fifty percent (50%) or more of the outstanding shares, or (iii) beneficial
ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising
permissions granted by this License.

"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation source,
and configuration files.

"Object" form shall mean any form resulting from mechanical transformation
or translation of a Source form, including but not limited to compiled
object code, generated documentation, and conversions to
other media types.

"Work" shall mean the work of authorship, whether in Source or Object
form, made available under the License, as indicated by a copyright notice
that is included in or attached to the work (an example is provided in the
Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form,
that is based on (or derived from) the Work and for which the editorial
revisions, annotations, elaborations, or other modifications represent,
as a whole, an original work of authorship. For the purposes of this
License, Derivative Works shall not include works that remain separable
from, or merely link (or bind by name) to the interfaces of, the Work and
Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original
version of the Work and any modifications or additions to that Work or
Derivative Works thereof, that is intentionally submitted to Licensor for
inclusion in the Work by the copyright owner or by an individual or
Legal Entity authorized to submit on behalf of the copyright owner.
For the purposes of this definition, "submitted" means any form of
electronic, verbal, or written communication sent to the Licensor or its
representatives, including but not limited to communication on electronic
mailing lists, source code control systems, and issue tracking systems
that are managed by, or on behalf of, the Licensor for the purpose of
discussing and improving the Work, but excluding communication that is
conspicuously marked or otherwise designated in writing by the copyright
owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on
behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.

2. Grant of Copyright License.

Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge,
royalty-free, irrevocable copyright license to reproduce, prepare
Derivative Works of, publicly display, publicly perform, sublicense,
and distribute the Work and such Derivative Works in
Source or Object form.

3. Grant of Patent License.

Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge,
royalty-free, irrevocable (except as stated in this section) patent
license to make, have made, use, offer to sell, sell, import, and
otherwise transfer the Work, where such license applies only to those
patent claims licensable by such Contributor that are necessarily
infringed by their Contribution(s) alone or by combination of their
Contribution(s) with the Work to which such Contribution(s) was submitted.
If You institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work or a
Contribution incorporated within the Work constitutes direct or
contributory patent infringement, then any patent licenses granted to
You under this License for that Work shall terminate as of the date such
litigation is filed.

4. Redistribution.

You may reproduce and distribute copies of the Work or Derivative Works
thereof in any medium, with or without modifications, and in Source or
Object form, provided that You meet the following conditions:

1. You must give any other recipients of the Work or Derivative Works a
copy of this License; and

2. You must cause any modified files to carry prominent notices stating
that You changed the files; and

3. You must retain, in the Source form of any Derivative Works that You
distribute, all copyright, patent, trademark, and attribution notices from
the Source form of the Work, excluding those notices that do not pertain
to any part of the Derivative Works; and

4. If the Work includes a "NOTICE" text file as part of its distribution,
then any Derivative Works that You distribute must include a readable copy
of the attribution notices contained within such NOTICE file, excluding
those notices that do not pertain to any part of the Derivative Works,
in at least one of the following places: within a NOTICE text file
distributed as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or, within a
display generated by the Derivative Works, if and wherever such
third-party notices normally appear. The contents of the NOTICE file are
for informational purposes only and do not modify the License.
You may add Your own attribution notices within Derivative Works that You
distribute, alongside or as an addendum to the NOTICE text from the Work,
provided that such additional attribution notices cannot be construed
as modifying the License.

You may add Your own copyright statement to Your modifications and may
provide additional or different license terms and conditions for use,
reproduction, or distribution of Your modifications, or for any such
Derivative Works as a whole, provided Your use, reproduction, and
distribution of the Work otherwise complies with the conditions
stated in this License.

5. Submission of Contributions.

Unless You explicitly state otherwise, any Contribution intentionally
submitted for inclusion in the Work by You to the Licensor shall be under
the terms and conditions of this License, without any additional
terms or conditions. Notwithstanding the above, nothing herein shall
supersede or modify the terms of any separate license agreement you may
have executed with Licensor regarding such Contributions.

6. Trademarks.

This License does not grant permission to use the trade names, trademarks,
service marks, or product names of the Licensor, except as required for
reasonable and customary use in describing the origin of the Work and
reproducing the content of the NOTICE file.

7. Disclaimer of Warranty.

Unless required by applicable law or agreed to in writing, Licensor
provides the Work (and each Contributor provides its Contributions)
on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied, including, without limitation, any warranties
or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS
FOR A PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any risks
associated with Your exercise of permissions under this License.

8. Limitation of Liability.

In no event and under no legal theory, whether in tort
(including negligence), contract, or otherwise, unless required by
applicable law (such as deliberate and grossly negligent acts) or agreed
to in writing, shall any Contributor be liable to You for damages,
including any direct, indirect, special, incidental, or consequential
damages of any character arising as a result of this License or out of
the use or inability to use the Work (including but not limited to damages
for loss of goodwill, work stoppage, computer failure or malfunction,
or any and all other commercial damages or losses), even if such
Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability.

While redistributing the Work or Derivative Works thereof, You may choose
to offer, and charge a fee for, acceptance of support, warranty,
indemnity, or other liability obligations and/or rights consistent with
this License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf of any
other Contributor, and only if You agree to indemnify, defend, and hold
each Contributor harmless for any liability incurred by, or claims
asserted against, such Contributor by reason of your accepting any such
warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work

To apply the Apache License to your work, attach the following boilerplate
notice, with the fields enclosed by brackets "[]" replaced with your own
identifying information. (Don't include the brackets!) The text should be
enclosed in the appropriate comment syntax for the file format. We also
recommend that a file or class name and description of purpose be included
on the same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright {{ year }} {{ organization }}

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
or implied. See the License for the specific language governing
permissions and limitations under the License.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Digital Applications using a Microservice Architecture

## Architecture

This project provides a Reference Implementation for building a cloud-native OmniChannel Application using a Microservices architecture. The Logical Architecture for this reference implementation is shown in the picture below.

![Application Architecture](static/imgs/app_architecture.png?raw=true)

## Application Overview

The application is a simple store front shopping application that displays a catalog of antique computing devices, where users can buy and add review comments. It has Web and Mobile interfaces; both the Mobile App and Web App rely on separate BFF (Backend for Frontend) services to interact with the backend data.

There are several components of this architecture.

- This OmniChannel application contains both a [Native iOS Application](https://developer.apple.com/library/content/referencelibrary/GettingStarted/DevelopiOSAppsSwift/) and an [AngularJS](https://angularjs.org/) based web application. The diagram depicts them as a Device and Browser.
- The iOS application uses the [IBM Mobile Analytics Service](https://new-console.ng.bluemix.net/catalog/services/mobile-analytics/) to collect device analytics for operations and business.
- Both Client Applications (directly or via their BFF) make API calls through an API Gateway. The API Gateway is [API Connect](https://new-console.ng.bluemix.net/catalog/services/api-connect/). API Connect provides an OAuth Provider as well, allowing you to implement API Security.
- The Web and Mobile apps invoke their own backend Microservices to fetch data; we call these components BFFs, following the [Backend for Frontends](http://samnewman.io/patterns/architectural/bff/) pattern. In this layer, front end developers usually write backend logic for their front end. The Web BFF is implemented using the Node.js Express Framework. The Mobile iOS BFF is implemented using server side [Swift](https://www.ibm.com/cloud-computing/bluemix/swift). These Microservices run in Bluemix as Cloud Foundry Applications.
- These BFFs invoke another layer of reusable Java Microservices. In a real world project, this is sometimes written by a different team. These reusable microservices are written in Java using [SpringBoot](http://projects.spring.io/spring-boot/). They run inside [IBM Containers](https://new-console.ng.bluemix.net/catalog/images) using [Docker](https://www.docker.com/).
- The SocialReview microservice is implemented with Serverless technologies on [Bluemix OpenWhisk](https://console.ng.bluemix.net/openwhisk/). It is exposed as a consumable REST API via the API gateway mentioned above.
- BFFs, OpenWhisk and Java Microservices communicate with each other using the [Netflix OSS Framework](https://netflix.github.io/). In this case, we run several Netflix components in Bluemix.
  - [Zuul](https://github.com/Netflix/zuul) provides a proxy layer for the microservices.
  - [Eureka](https://github.com/Netflix/eureka) provides a Service Registry. The reusable Java Microservices register themselves with Eureka, which allows clients to find them.
  - [Hystrix](https://github.com/Netflix/hystrix) provides an implementation of the [Circuit Breaker Pattern](http://martinfowler.com/bliki/CircuitBreaker.html). This component runs as a library inside the Java Applications and forwards Service Availability information to the Hystrix Dashboard.
- The Java Microservices retrieve their data from databases. The Catalog service retrieves items from a searchable JSON datasource using [ElasticSearch](https://www.elastic.co/). The Inventory Service uses [MySQL](https://www.mysql.com/). In this example, we run MySQL in a Docker Container for Development (in a production environment, it runs on our Infrastructure as a Service layer, [Bluemix Infrastructure](https://console.ng.bluemix.net/catalog/?category=infrastructure)); the resiliency and DevOps section will explain that. The SocialReview Microservice relies on [Cloudant](https://new-console.ng.bluemix.net/catalog/services/cloudant-nosql-db/) as its Database. The application also relies on [Bluemix Object Storage](https://console.ng.bluemix.net/catalog/object-storage/) to store unstructured data such as images.

## Project repositories:

This project is organized like a microservice project: each component in the architecture has its own Git repository and tutorial, listed below.

- [refarch-cloudnative](https://github.com/ibm-cloud-architecture/refarch-cloudnative) - The root repository (Current repository)
- [refarch-cloudnative-bluecompute-mobile](https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-mobile) - The BlueCompute client iOS and Android applications
- [refarch-cloudnative-bluecompute-web](https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-web) - The BlueCompute Web application with BFF services
- [refarch-cloudnative-bluecompute-bff-ios](https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-bff-ios) - The Swift based BFF application for the iOS application
- [refarch-cloudnative-api](https://github.com/ibm-cloud-architecture/refarch-cloudnative-api) - The API gateway artifacts
- [refarch-cloudnative-auth](https://github.com/ibm-cloud-architecture/refarch-cloudnative-auth) - The security authentication artifact
- [refarch-cloudnative-micro-inventory](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-inventory) - The microservices (SpringBoot) app for Catalog (ElasticSearch) and Inventory data service (MySQL)
- [refarch-cloudnative-micro-orders](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-orders) - The microservices (IBM Liberty based) app for Order data service (MySQL)
- [refarch-cloudnative-micro-customer](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-customer) - The microservices (SpringBoot) app to fetch customer profile from identity store
- [refarch-cloudnative-micro-socialreview](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-socialreview) - The microservices (Serverless OpenWhisk) app for SocialReview data service (Cloudant)
- [refarch-cloudnative-netflix-eureka](https://github.com/ibm-cloud-architecture/refarch-cloudnative-netflix-eureka) - Contains the Eureka containers for Microservices foundation
- [refarch-cloudnative-netflix-zuul](https://github.com/ibm-cloud-architecture/refarch-cloudnative-netflix-zuul) - Contains the Zuul proxy containers for Microservices foundation


This project also contains a tutorial for setting up a CI/CD pipeline for the scenarios, listed below.
- [refarch-cloudnative-devops](https://github.com/ibm-cloud-architecture/refarch-cloudnative-devops) - The DevOps assets are managed here

This project contains tutorials for setting up Resiliency such as High Availability, Failover, and Disaster Recovery for the above application.
- [refarch-cloudnative-resiliency](https://github.com/ibm-cloud-architecture/refarch-cloudnative-resiliency) - The Resiliency Assets will be managed here
- [refarch-cloudnative-csmo](https://github.com/ibm-cloud-architecture/refarch-cloudnative-csmo) - The BlueCompute application end-to-end cloud service management

## Run the reference applications locally and in IBM Cloud

To run the sample applications you will need to configure your Bluemix environment for the API and Microservices
runtimes. Additionally you will need to configure your system to run the iOS and Web Application tier as well.

### Step 1: Environment Setup

#### Prerequisites

- Install Java JDK 1.8 and ensure it is available in your PATH
- [Install Node.js](https://nodejs.org/) version 0.12.0 or version 4.x
- [Install Docker](https://docs.docker.com/engine/installation/) on Windows or Mac
- Login to your Bluemix account or register for a new account [here](https://bluemix.net/registration)


#### Install the Bluemix CLI

In order to complete the rest of this tutorial, many commands will require the Bluemix CLI toolkit to be installed on your local environment. To install it, follow [these instructions](https://console.ng.bluemix.net/docs/cli/index.html#cli)

This walkthrough uses the `cf` tool.

#### Create a New Space in Bluemix

1. Click on the Bluemix account in the top right corner of the web interface.
2. Click Create a new space.
3. Enter "cloudnative-dev" for the space name and complete the wizard.



#### Get application source code

- Clone the base repository:
  **`git clone https://github.com/ibm-cloud-architecture/refarch-cloudnative`**

- Clone the peer repositories:
  **`./clonePeers.sh`**


## Building Microservices with Docker Containers

### Step 2: Deploy Netflix Eureka/Zuul components to Bluemix Container

We used the Netflix OSS stack to provide some of the Microservices foundation services such as service registry and proxy/load balancer.

Please follow the instructions in the [refarch-cloudnative-netflix-eureka](https://github.com/ibm-cloud-architecture/refarch-cloudnative-netflix-eureka) repository to deploy Eureka to Bluemix.

Please follow the instructions in the [refarch-cloudnative-netflix-zuul](https://github.com/ibm-cloud-architecture/refarch-cloudnative-netflix-zuul) repository to deploy Zuul to Bluemix.

### Step 3: Deploy Catalog and Inventory microservices to Bluemix Container

After completing this step, you should have the Catalog and Inventory microservices deployed in Bluemix and interacting with ElasticSearch and a MySQL database. You can unit test the microservices as documented in the instructions.

Please follow the instructions in the [refarch-cloudnative-micro-inventory](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-inventory) repository to build and deploy the Catalog and Inventory microservices.

### Step 4: Deploy Customer and Authentication microservices to Bluemix Container

After completing this step, you should have the Customer microservice deployed in Bluemix and interacting with a hosted Cloudant database as the user identity store. You should also have the Authentication service deployed, to be used by the API Connect OAuth flow.

- Please follow the instructions in the [refarch-cloudnative-micro-customer](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-customer) repository to set up the Cloudant database and build/deploy the Customer microservice to Bluemix.
- Please follow the instructions in the [refarch-cloudnative-auth](https://github.com/ibm-cloud-architecture/refarch-cloudnative-auth) repository to build/deploy the Auth microservice to Bluemix.


### Step 5: Provision Watson Analytic services and Deploy SocialReview microservice to Bluemix OpenWhisk runtime

After completing this step, you should have the SocialReview microservice deployed in Bluemix OpenWhisk and interacting with a hosted Cloudant database. You should also have the Watson Tone Analyzer provisioned.

Please follow the instructions in the [refarch-cloudnative-micro-socialreview](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-socialreview) repository to build/deploy the microservice to Bluemix.

### Step 6: Deploy Order microservice to Bluemix Container

After completing this step, you should have the Order microservice deployed in Bluemix and interacting with MessageHub and a MySQL database. You can unit test the microservice as documented in the instructions.

Please follow the instructions in the [refarch-cloudnative-micro-orders](https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-orders) repository to build and deploy the Order microservice.


## Publish APIs and setup API Gateway with Bluemix API Connect

### Step 7: Setup your API Connect Gateway

#### Provision the API Connect Service

1. Log in to [the Bluemix console](https://console.ng.bluemix.net)
2. From the Bluemix menu, select Services -> APIs, then click the **API Connect** tile in the page.
3. In the API Connect creation page, specify any Service name you like or keep the default. Then select the free **Essentials** plan for this walkthrough. Click the "Create" button to provision the service.
4. After the API Connect service is created, you will be automatically redirected to the API Management console.
5. In the API Manager page, navigate to the API Connect Dashboard and select "Add Catalog" at the top left. You may notice that a sandbox has automatically been generated for you.
![API Info](static/imgs/apic_catalog_create.png?raw=true)
6. Name the catalog "**BlueCompute**" and press "Add".
7. Select the catalog and then navigate to the Settings tab and click the Portal sub-tab.
8. To set up a Developer Portal that your consumers can use to explore your API, select the IBM Developer Portal radio button. Then click the "Save" button in the top right menu section. This will provision a portal for you. You should receive a message like the one below. ![API Info](static/imgs/bluemix_9.png?raw=true)
9. Once the new Developer Portal has been created, you will receive an email.


#### Installing the IBM API Connect Developer Toolkit

The IBM API Connect Developer Toolkit provides both the API Designer UI and a CLI that developers can use to develop APIs and LoopBack applications, as well as the tools to publish them to the IBM API Connect runtime.

Before getting started, you will need to install Node.js version 0.12 or version 4.x; follow the link below for more details.
[https://www.ibm.com/support/knowledgecenter/en/SSFS6T/com.ibm.apic.toolkit.doc/tapim_cli_install.html](https://www.ibm.com/support/knowledgecenter/en/SSFS6T/com.ibm.apic.toolkit.doc/tapim_cli_install.html)

To install the API Connect CLI:

```
$ npm install -g apiconnect
$ apic --version
```

That should install the tool and print the version number after the last command.


### Step 8: Publish application APIs to Bluemix API Connect

Once you have all the backend applications (Catalog/Inventory/Customer/Order/SocialReview) deployed, it is time to publish the APIs to IBM Bluemix API Connect and set up the Developer Portal to consume the APIs.

Please follow the instructions in the [refarch-cloudnative-api](https://github.com/ibm-cloud-architecture/refarch-cloudnative-api) repository to publish APIs to the Bluemix API Connect runtime.

## Building Web and Mobile Applications

### Step 9: Deploy the BlueCompute Web app

This step will deploy the Node.js application containing both the Web BFF and the front end AngularJS application.

Please follow the instructions in the [refarch-cloudnative-bluecompute-web](https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-web) repository to set up and validate your Web application.

### Step 10: Integrate the BlueCompute iOS app with IBM Cloud and Mobile Analytics

Time to test the application end-to-end. You can start by running the iOS application to integrate with the APIs, as well as monitoring the application using the Bluemix Mobile Analytics service.

Please follow the instructions in the [refarch-cloudnative-bluecompute-mobile](https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-mobile) repository to set up your iOS application.


## DevOps automation, Resiliency and Cloud Management and Monitoring

### DevOps
You can set up and enable automated CI/CD for most of the BlueCompute components via the Bluemix DevOps open toolchain. For details, please check the [DevOps project](https://github.com/ibm-cloud-architecture/refarch-cloudnative-devops).

### Cloud Management and monitoring
For guidance on how to manage and monitor the BlueCompute solution, please check the [Management and Monitoring project](https://github.com/ibm-cloud-architecture/refarch-cloudnative-csmo).

### Making Microservices Resilient
Please check [this repository](https://github.com/ibm-cloud-architecture/refarch-cloudnative-resiliency) for instructions and tools to improve the availability and performance of the BlueCompute application.

### Secure The Application
Please review [this page](https://github.com/ibm-cloud-architecture/refarch-cloudnative/blob/master/static/security.md) on how we secure the solution end-to-end.
--------------------------------------------------------------------------------
/clonePeers.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

##############################################################################
##
## Wrapper script to pull all peer git repositories
##
##############################################################################

# Check for git before the first git command below, so a missing git gives
# the friendly message instead of a "command not found" error.
GIT_AVAIL=$(which git)
if [ ${?} -ne 0 ]; then
  echo "git is not available on your local system. Please install git for your operating system and try again."
  exit 1
fi

# Branch to clone: first argument, or the current branch of this repository
if [ -z "$1" ]; then
  MYBRANCH=$(git rev-parse --abbrev-ref HEAD)
else
  MYBRANCH=$1
fi

BASEREPO="https://github.com/ibm-cloud-architecture/refarch-cloudnative"
REPO_MOBILE="https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-mobile"
REPO_WEB="https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-web"
REPO_BFF_IOS="https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-bff-ios"
REPO_MICRO_ORDER="https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-orders"
REPO_API="https://github.com/ibm-cloud-architecture/refarch-cloudnative-api"
REPO_AUTH="https://github.com/ibm-cloud-architecture/refarch-cloudnative-auth"
REPO_MICRO_INVENTORY="https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-inventory"
REPO_MICRO_REVIEW="https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-socialreview"
REPO_MICRO_CUSTOMER="https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-customer"
REPO_MYSQL="https://github.com/ibm-cloud-architecture/refarch-cloudnative-mysql"
REPO_DEVOPS="https://github.com/ibm-cloud-architecture/refarch-cloudnative-devops"
REPO_NETFLIX_EUREKA="https://github.com/ibm-cloud-architecture/refarch-cloudnative-netflix-eureka"
REPO_NETFLIX_ZUUL="https://github.com/ibm-cloud-architecture/refarch-cloudnative-netflix-zuul"
echo 'Cloning peer projects...'

DEFAULT_BRANCH=${MYBRANCH:-master}

# Each repository is cloned as a sibling directory of this one (../<repo-name>);
# the project name is the fifth "/"-separated field of the URL.
echo -e '\nClone BlueCompute Mobile project'
REPO=${REPO_MOBILE}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone BlueCompute Web project'
REPO=${REPO_WEB}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone Mobile iOS BFF project'
REPO=${REPO_BFF_IOS}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone Order Microservice project'
REPO=${REPO_MICRO_ORDER}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone API project'
REPO=${REPO_API}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone Auth project'
REPO=${REPO_AUTH}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone Inventory Microservice project'
REPO=${REPO_MICRO_INVENTORY}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone SocialReview Microservice project'
REPO=${REPO_MICRO_REVIEW}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone Customer Microservice project'
REPO=${REPO_MICRO_CUSTOMER}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone MySQL project'
REPO=${REPO_MYSQL}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone DevOps project'
REPO=${REPO_DEVOPS}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone Netflix Eureka project'
REPO=${REPO_NETFLIX_EUREKA}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nClone Netflix Zuul project'
REPO=${REPO_NETFLIX_ZUUL}
PROJECT=$(echo ${REPO} | cut -d/ -f5)
git clone -b ${DEFAULT_BRANCH} ${REPO} ../${PROJECT}

echo -e '\nCloned all peer projects successfully!\n'
ls ../ | grep refarch-cloudnative
--------------------------------------------------------------------------------
/create-branch.sh:
--------------------------------------------------------------------------------
#!/bin/bash

which git >/dev/null || { echo "Could not find git on this machine. Install git and try again."; exit 1; }

gitid=$1
branch=$2
if [[ -z $gitid || -z $branch ]]; then
  # printf rather than echo: a plain echo does not interpret "\n" under bash
  printf 'Missing args.\nUsage: sh create-branch.sh \n'
  exit 1
fi
# Clone over HTTPS so the transfer is authenticated and encrypted end to end
base_url="https://github.com/$gitid/"

# mktemp gives an unpredictable, freshly created working directory instead of
# a guessable /tmp/HHMMSS path that another local user could pre-create
wdir=$(mktemp -d)
cat > $wdir/repo.list </dev/null
git clone $base_url$repo
cd $repo
git checkout -b $branch
git push origin $branch
popd >/dev/null
done < $wdir/repo.list
rm -rf $wdir
exit 0
--------------------------------------------------------------------------------
/fork-repos.sh:
--------------------------------------------------------------------------------
#!/bin/bash

usage() {
  # printf rather than echo: a plain echo does not interpret "\n" under bash
  printf '\nUsage: sh fork-repos.sh -o git-org-name -u git-userid -p git-password\n'
  echo "This script will fork refarch-cloudnative project repos from github.com/ibm-cloud-architecture to your git organization"
}

which curl >/dev/null || { echo "Could not find curl on this machine. Install curl and try again."; exit 1; }

while getopts u:p:o:h OPTION
do
  case $OPTION in
    u)
      guser=$OPTARG
      ;;
    p)
      # A password passed on the command line is recorded in shell history and
      # visible in process listings; omit -p to be prompted for it instead.
      gpass=$OPTARG
      ;;
    o)
      gorg=$OPTARG
      ;;
    h)
      usage
      exit 0
      ;;
    ?)
      usage
      exit 1
      ;;
  esac
done
[ "$gorg" == "" ] && read -p "git organization to fork repos to: " gorg
[ "$guser" == "" ] && read -p "git user id: " guser
[ "$gpass" == "" ] && read -s -p "git password: " gpass
[[ -z $gorg || -z $guser || -z $gpass ]] && { usage; exit 1; }

cat > repo.list </dev/null
done < repo.list
rm repo.list
exit 0
--------------------------------------------------------------------------------
/static/imgs/OmniChannelEndToEnd_security.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/OmniChannelEndToEnd_security.png
--------------------------------------------------------------------------------
/static/imgs/apic_catalog_create.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/apic_catalog_create.png
--------------------------------------------------------------------------------
/static/imgs/app_architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/app_architecture.png
--------------------------------------------------------------------------------
/static/imgs/bluemix_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/bluemix_1.png
--------------------------------------------------------------------------------
/static/imgs/bluemix_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/bluemix_2.png
--------------------------------------------------------------------------------
/static/imgs/bluemix_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/bluemix_3.png
--------------------------------------------------------------------------------
/static/imgs/bluemix_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/bluemix_4.png
--------------------------------------------------------------------------------
/static/imgs/bluemix_9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/bluemix_9.png
--------------------------------------------------------------------------------
/static/imgs/github_flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/github_flow.png
--------------------------------------------------------------------------------
/static/imgs/github_flow.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/static/imgs/jwk_key_generator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative/fa5f1730f06c46a3f2e4f1862030675b3968d39e/static/imgs/jwk_key_generator.png
--------------------------------------------------------------------------------
/static/security.md:
--------------------------------------------------------------------------------
# BlueCompute Security Architecture

Security is critical for developing and hosting the BlueCompute application on IBM Cloud. In the R3 release, we have implemented several key security features:

- Authentication (against the Customer microservice)
- Authorization (OAuth 2.0)
- Transport security with HTTPS
- Network isolation
- Intra-component authentication via JWT

The overall security diagram is shown below (the security flow is labeled with red text):
![Security Overview](imgs/OmniChannelEndToEnd_security.png?raw=true)


## Security flow

The BlueCompute workload typically has the following security flow:
Client (mobile/web) -> *HTTPS/OAuth* -> API Connect -> *HTTPS/JWT* -> Bluemix GoRouter -> *HTTPS/JWT* -> Zuul -> *HTTP/Private Network* -> Microservice containers

- The mobile client and the Web application access APIs hosted by IBM API Connect over HTTPS
- The mobile and Web clients authenticate against the authentication service (redirected by APIC)
- The authentication service communicates with the Customer microservice over the private container network
- The mobile and Web clients are granted access to resources via OAuth 2.0, where APIC is the OAuth provider
- API Connect generates a JWT (JSON Web Token) to access the downstream Zuul proxy
- API Connect invokes the Zuul proxy over HTTPS
- The Zuul proxy validates the JWT so that only APIC-initiated workload is allowed through
- Zuul invokes the data access microservices over the Bluemix private network (Container Service)

All BlueCompute components communicating with Bluemix services (i.e. Cloudant, ElasticSearch, or MessageHub) outside of the container network do so through the NAT gateway. All outbound connections are encrypted TLS connections.

## Generate the JWT shared key

The BlueCompute JWT implementation uses the HS256 algorithm to sign and verify the JWT. You need to have the JWK key available to both the API Connect gateway and the Zuul proxy. You can get a key using the online JWK generator at [https://mkjwk.org/](https://mkjwk.org/).

At the site, select the **Shared Secret** tab in the key generation form. Keep the default key size (2048), select **Signing** for Key use and **HS256** for Algorithm. Leave the Key ID field empty, then click the "Generate new key" button; you should get your key as follows:

![JWT Key generator](imgs/jwk_key_generator.png?raw=true)

Under the **"Key"** section, locate the field for **k:**; that is your shared key. You need to provide it to your APIs and to the Zuul proxy application configuration file.
--------------------------------------------------------------------------------
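The two points above, the Zuul proxy validating the JWT that API Connect issues and the shared `k` value taken from the JWK, are illustrated by the following standard-library Python sketch of HS256 signing and verification. It is an added example and is not code from the BlueCompute repositories, from API Connect or from Zuul; the JWK, the claims and the timestamps are constructed. It assumes the `k` member is handled as RFC 7518 (section 6.4.1) specifies, as base64url of the raw key bytes, so in a real deployment the gateway and the proxy must agree on whether they decode `k` or use the string as-is, or every token will fail verification. The verifier pins the algorithm to HS256 rather than trusting the token's own `alg` header, compares signatures in constant time, and enforces `exp`.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that JWK and JWS omit."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWK in the shape mkjwk.org produces for a "Shared Secret" key.
# The secret is a demo value, not a key from the BlueCompute project.
SAMPLE_JWK = {
    "kty": "oct",
    "use": "sig",
    "alg": "HS256",
    "k": b64url_encode(b"constructed-demo-secret-not-for-production-use!!"),
}


def key_from_jwk(jwk: dict) -> bytes:
    """Return the raw HMAC key. For an 'oct' JWK the 'k' member is base64url of
    the key bytes (RFC 7518, section 6.4.1), so it is decoded, not used as text."""
    if jwk.get("kty") != "oct":
        raise ValueError("expected a symmetric (kty=oct) JWK")
    return b64url_decode(jwk["k"])


def _b64url_json(obj: dict) -> str:
    """Compact JSON, then base64url: the encoding of each JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(key: bytes, claims: dict) -> str:
    """The gateway side: sign 'header.payload' with HMAC-SHA256 over the shared key."""
    signing_input = _b64url_json({"alg": "HS256", "typ": "JWT"}) + "." + _b64url_json(claims)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(key: bytes, token: str, now=None) -> dict:
    """The proxy side: return the claims only if the token was signed with the
    shared key and has not expired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to check, never the token's
    # own 'alg' field, so 'none' or a different algorithm is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo_checks() -> dict:
    """Exercise the verifier with one good token and three tokens that must fail."""
    key = key_from_jwk(SAMPLE_JWK)
    issued_at = 1_700_000_000  # constructed timestamp
    claims = {"iss": "apic-gateway", "sub": "bluecompute", "iat": issued_at, "exp": issued_at + 300}
    token = mint_jwt(key, claims)
    results = {"valid_accepted": verify_jwt(key, token, now=issued_at + 10) == claims}

    def rejected(tok: str, now: int) -> bool:
        try:
            verify_jwt(key, tok, now=now)
            return False
        except ValueError:
            return True

    header_b64, _payload_b64, sig_b64 = token.split(".")
    # 1. Payload altered after signing: the original signature no longer matches.
    forged = dict(claims, sub="someone-else")
    results["tampered_rejected"] = rejected(header_b64 + "." + _b64url_json(forged) + "." + sig_b64, issued_at + 10)
    # 2. Header says alg=none with an empty signature: the algorithm pin rejects it.
    unsigned = _b64url_json({"alg": "none", "typ": "JWT"}) + "." + _b64url_json(claims) + "."
    results["alg_none_rejected"] = rejected(unsigned, issued_at + 10)
    # 3. A genuine token presented after its exp time.
    results["expired_rejected"] = rejected(token, issued_at + 301)
    return results


if __name__ == "__main__":
    print(demo_checks())
```

Because HS256 is symmetric, anyone holding `k` can mint tokens that Zuul accepts, so the value belongs in a secret store or protected configuration on both sides, not in source control; rotating it means updating the gateway and the proxy together.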