Feature: Dashboard for organizational identity view

[lumjjb]

Feature: Dashboard for organizational identity view
Box Note:
https://ibm.box.com/s/uu9hvimaokhbiz6qd253ow4vad7tdw59
Flows:
Stories to work on Epic 
1 - Cluster Management Page

• Cluster Create Page, Cluster Edit Page, Cluster List Page

• BackEnd - https://github.com/lumjjb/tornjak/issues/64
• FrontEnd [UI] - https://github.com/lumjjb/tornjak/issues/65
  • Part 1: Dashboard
  • Part 2: View details entry page
    2 - Design of DashBoard UI and data model [Overview page]
    3-  Details of Cluster/ Agents/ Entries Page 

Overview

This feature consists of the goal of allowing better oversight of workload identity. This consists of:

• Ability to view workload identities based on organizational constructs (clusters, nodes, workloads, etc.) instead of having to map internally to agents/entries, etc.
• Ability to automatically identify these constructs, or provide ability for user to annotate and define these constructs around SPIRE concepts
• Ability to navigate through the constructs (e.g. clicking on a node shows all identities registered to the node/agent) and obtain information and perform actions (i.e. logs of SVID provisioning and attestations)

Consideration of moving propagation of logging information to a separate feature since the scope is rather large.... Or start with a rather naive propagation of metrics exposed by a simple tornjak API.

Motivation

• Create a lower barrier of entry of utilizing SPIFFE/SPIRE for operators, CISOs, etc. who are interested in workload identity, but not familiar with underlying SPIRE mechanics.
• Propagate identity use information (e.g. minting of identities, attestation actions, etc.) to the control plane for monitoring and auditing.
• Provide a way to organize workload identity and agents in a way that matches the organization structure

Tasks

• Ability to derive some structure based on the definition of identity (i.e. trust domains, agents, and entries parent IDs)
• Ability for user to define metadata and tags around SPIRE servers, agents and entries to be used to provide structure
• Dashboard
  • Define structure to be able to organize identity
  • Define the exploration dashboard overview
    • Within each trust domain: Clusters, nodes, workloads
    • On the organization level (MANAGER-ONLY): Groups
  • For each view, provide information related, including selectors, and general statistics
  • Organizational View data table
    • As an extension to dashboard, provide showing workload identity in table similar to entries/agents
    • Provide ability to filter and search based on tags and metadata
  • Add metadata search for entry/agent list
• Information propagating:
  • As part of the dashboard view, additional data should be used to provide useful views and statistics, this can include:
    • Information from SPIRE server Debug API (https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/debug/v1/debug.proto)
    • Identity provisioning from SPIRE server logs (NOTE: Perhaps can be another feature on its own since its scope is rather big), alternatively fairly simple analysis can be done locally on each tornjak agent and only basic statistics propagated via tornjak API.
      • Define scalable way to keep logs up to date as well as provide filters to populate data structures. This should be done on the agent level, and propagated up to the managers.
        • maybe something like prometheus would work here for just metrics
        • or for log aggrergation and analysis, we could use Elasticsearch or Grafana/loki

Unless specified explicitly, functionality should be capable on agent views as well as managers.

Dashboard ideas

Something similar to k8s, where there is graphical information on top, and then a list of higher level constructs i.e. deployments <--> nodes/agents and pods <--> workloads

[lumjjb]

@maia-iyer @mamy-CS please link your PRs to this issue.