diff --git a/.github/workflows/stac-browser.yml b/.github/workflows/stac-browser.yml index 4cf8c961..59b3d13f 100644 --- a/.github/workflows/stac-browser.yml +++ b/.github/workflows/stac-browser.yml @@ -5,18 +5,14 @@ on: types: [released] workflow_dispatch: inputs: - TAG_NAME: - description: "Tag name for this image" - required: true - default: "eoapi-k8s-stac-browser" STAC_BROWSER_VERSION: - description: "STAC Browser version to build (e.g. v3.3.4)" + description: "STAC Browser version to build (e.g. v4.0.0)" required: true - default: "v3.3.4" + default: "v4.0.0" env: REGISTRY: ghcr.io - TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} + STAC_BROWSER_VERSION: ${{ github.event.inputs.STAC_BROWSER_VERSION || github.event.release.tag_name }} jobs: build-and-push: @@ -28,12 +24,12 @@ jobs: uses: actions/checkout@v6 with: repository: radiantearth/stac-browser - ref: ${{ github.event.inputs.STAC_BROWSER_VERSION }} + ref: ${{ env.STAC_BROWSER_VERSION }} - name: Set environment variables run: | { - echo "VERSION=${TAG_NAME#v}" + echo "VERSION=${STAC_BROWSER_VERSION#v}" echo "IMAGE_NAME=$REGISTRY/${GITHUB_REPOSITORY,,}/stac-browser" echo "COMMITED_AT=$(git show -s --format=%cI "$(git rev-parse HEAD)")" echo "REVISION=$(git rev-parse --short HEAD)" @@ -49,7 +45,8 @@ jobs: org.opencontainers.image.version=v${{ env.VERSION }} org.opencontainers.image.maintainer=${{ github.repository_owner }} tags: | - type=semver,pattern={{version}},value=v${{ env.VERSION }} + type=raw,value=${{ env.VERSION }} + type=raw,value=latest - name: Log in to the GitHub container registry uses: docker/login-action@v3 @@ -69,5 +66,5 @@ jobs: pathPrefix=/browser/ tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:edge + cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:latest cache-to: type=inline diff --git a/CHANGELOG.md b/CHANGELOG.md index d0dbc188..bb98e4e1 100644 --- a/CHANGELOG.md 
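Review bot: `ref: ${{ env.STAC_BROWSER_VERSION }}` checks out a third-party repository (`radiantearth/stac-browser`) at a mutable tag or branch name and the result is pushed to ghcr, so a moved tag or a typo in the dispatch input silently changes what gets built; pin the checkout to a commit SHA (for example a second `STAC_BROWSER_SHA` input compared against `git rev-parse HEAD` after checkout) and keep the version string only for the image tag and label. The `|| github.event.release.tag_name` fallback passes this repository's own release tag as the stac-browser ref, which only resolves if the two projects happen to share tag names — the old `ref:` ignored the release event entirely, so this is a behaviour change worth a comment in the `env:` block, e.g. `# on release events this is eoapi-k8s' tag, not stac-browser's; dispatch with an explicit version instead`.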
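Review bot: `type=raw,value=latest` is applied unconditionally, so a `workflow_dispatch` rebuild of an older STAC Browser version retags `latest` backwards, and the new `cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:latest` then seeds the next build from whatever was pushed last. Gate the floating tag on the release event, `type=raw,value=latest,enable=${{ github.event_name == 'release' }}`, or drop it and let consumers pin the version tag the chart already uses.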
+++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381) +- Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376) ### Fixed @@ -20,6 +21,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Consolidated service data into one data directory [#387](https://github.com/developmentseed/eoapi-k8s/pull/387) +### Dependencies + +- Updated STAC Browser image to version 4.0.0 [#376](https://github.com/developmentseed/eoapi-k8s/pull/376) + ## [0.8.1] ### Added diff --git a/charts/eoapi/profiles/experimental.yaml b/charts/eoapi/profiles/experimental.yaml index 5295eabd..0bce5d68 100644 --- a/charts/eoapi/profiles/experimental.yaml +++ b/charts/eoapi/profiles/experimental.yaml @@ -206,6 +206,8 @@ browser: enabled: true settings: resources: {} + # STAC Browser needs external OIDC URL (accessible from user's browser) + oidcDiscoveryUrl: "http://localhost/mock-oidc/.well-known/openid-configuration" docServer: enabled: true @@ -385,6 +387,9 @@ mockOidcServer: port: 8888 clientId: "test-client" clientSecret: "test-secret" + extraEnv: + - name: ISSUER + value: "http://localhost/mock-oidc" service: type: ClusterIP port: 8080 @@ -402,7 +407,6 @@ mockOidcServer: tolerations: [] affinity: {} imagePullSecrets: [] - extraEnv: [] ###################### # SERVICE diff --git a/charts/eoapi/templates/core/rbac.yaml b/charts/eoapi/templates/core/rbac.yaml index 0c5f452e..9f0ab1db 100644 --- a/charts/eoapi/templates/core/rbac.yaml +++ b/charts/eoapi/templates/core/rbac.yaml 
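Review bot: The new `oidcDiscoveryUrl` and the `ISSUER` env added to `mockOidcServer` further down this file must stay in lockstep — an OIDC client compares the `issuer` in the discovery document with the URL it fetched it from (minus `/.well-known/openid-configuration`) and rejects a mismatch — but the comment above the key does not say so, and a reader changing one will not know to change the other. Suggest extending it to `# Must equal mockOidcServer.extraEnv ISSUER + /.well-known/openid-configuration; plain http is acceptable only for this local mock profile`.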
@@ -2,9 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: eoapi-role-{{ $.Release.Name }} + name: eoapi-role-{{ .Release.Name }} labels: - app: eoapi-{{ $.Release.Name }} + app: eoapi-{{ .Release.Name }} rules: - apiGroups: ["batch"] resources: ["jobs"] @@ -14,9 +14,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: eoapi-cluster-role-{{ $.Release.Name }} + name: eoapi-cluster-role-{{ .Release.Name }} labels: - app: eoapi-{{ $.Release.Name }} + app: eoapi-{{ .Release.Name }} rules: # CRD management for Knative operator installation - apiGroups: ["apiextensions.k8s.io"] @@ -50,16 +50,16 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: eoapi-cluster-rolebinding-{{ $.Release.Name }} + name: eoapi-cluster-rolebinding-{{ .Release.Name }} labels: - app: eoapi-{{ $.Release.Name }} + app: eoapi-{{ .Release.Name }} subjects: - kind: ServiceAccount name: {{ include "eoapi.serviceAccountName" . }} - namespace: {{ $.Release.Namespace }} + namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: eoapi-cluster-role-{{ $.Release.Name }} + name: eoapi-cluster-role-{{ .Release.Name }} apiGroup: rbac.authorization.k8s.io --- {{- end }} @@ -67,15 +67,15 @@ roleRef: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: eoapi-rolebinding-{{ $.Release.Name }} + name: eoapi-rolebinding-{{ .Release.Name }} labels: - app: eoapi-{{ $.Release.Name }} + app: eoapi-{{ .Release.Name }} subjects: - kind: ServiceAccount name: {{ include "eoapi.serviceAccountName" . }} - namespace: {{ $.Release.Namespace }} + namespace: {{ .Release.Namespace }} roleRef: kind: Role - name: eoapi-role-{{ $.Release.Name }} + name: eoapi-role-{{ .Release.Name }} apiGroup: rbac.authorization.k8s.io {{- end }} 
diff --git a/charts/eoapi/templates/database/pgstacbootstrap/configmap.yaml b/charts/eoapi/templates/database/pgstacbootstrap/configmap.yaml index c1f3b00a..f306f186 100644 --- a/charts/eoapi/templates/database/pgstacbootstrap/configmap.yaml +++ b/charts/eoapi/templates/database/pgstacbootstrap/configmap.yaml @@ -6,23 +6,23 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Release.Name }}-pgstac-settings-config + name: {{ .Release.Name }}-pgstac-settings-config annotations: helm.sh/hook: "post-install,post-upgrade" helm.sh/hook-weight: "-7" helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded" data: pgstac-settings.sql: | - {{- tpl ($.Files.Get "data/initdb/settings/pgstac-settings.sql.tpl") $ | nindent 4 }} + {{- tpl (.Files.Get "data/initdb/settings/pgstac-settings.sql.tpl") . | nindent 4 }} {{- if (index .Values "eoapi-notifier").enabled }} - {{ $.Files.Get "data/initdb/settings/pgstac-notification-triggers.sql" | nindent 4 }} + {{ .Files.Get "data/initdb/settings/pgstac-notification-triggers.sql" | nindent 4 }} {{- end }} --- {{- if .Values.pgstacBootstrap.settings.loadSamples }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Release.Name }}-initdb-sql-config + name: {{ .Release.Name }}-initdb-sql-config annotations: helm.sh/hook: "post-install,post-upgrade" helm.sh/hook-weight: "-7" @@ -36,7 +36,7 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Release.Name }}-initdb-json-config + name: {{ .Release.Name }}-initdb-json-config annotations: helm.sh/hook: "post-install,post-upgrade" helm.sh/hook-weight: "-7" @@ -58,7 +58,7 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: {{ $.Release.Name }}-pgstac-queryables-config + name: {{ .Release.Name }}-pgstac-queryables-config annotations: helm.sh/hook: "post-install,post-upgrade" helm.sh/hook-weight: "-7" 
diff --git a/charts/eoapi/templates/database/pgstacbootstrap/eoap-superuser-initdb.yaml b/charts/eoapi/templates/database/pgstacbootstrap/eoap-superuser-initdb.yaml index 8f5653d4..50420c28 100644 --- a/charts/eoapi/templates/database/pgstacbootstrap/eoap-superuser-initdb.yaml +++ b/charts/eoapi/templates/database/pgstacbootstrap/eoap-superuser-initdb.yaml @@ -47,27 +47,27 @@ spec: - name: PGUSER valueFrom: secretKeyRef: - name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres + name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres key: user - name: PGPORT valueFrom: secretKeyRef: - name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres + name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres key: port - name: PGHOST valueFrom: secretKeyRef: - name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres + name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres key: host - name: PGPASSWORD valueFrom: secretKeyRef: - name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres + name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres key: password - name: PGDATABASE valueFrom: secretKeyRef: - name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres + name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres key: dbname volumes: - name: {{ .Release.Name }}-initdb-config diff --git a/charts/eoapi/templates/networking/ingress-browser.yaml b/charts/eoapi/templates/networking/ingress-no-prefix.yaml similarity index 50% rename from charts/eoapi/templates/networking/ingress-browser.yaml rename to charts/eoapi/templates/networking/ingress-no-prefix.yaml index 35eccc23..fd3574c0 100644 --- a/charts/eoapi/templates/networking/ingress-browser.yaml +++ b/charts/eoapi/templates/networking/ingress-no-prefix.yaml 
@@ -1,5 +1,4 @@ -# We need a separate ingress because browser has the prefix /browser hardcoded in the code -{{- if and .Values.browser.enabled .Values.ingress.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }} +{{- if and .Values.ingress.enabled (or (and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled)) (and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled))) }} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} apiVersion: networking.k8s.io/v1 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }} @@ -9,21 +8,20 @@ apiVersion: extensions/v1beta1 {{- end }} kind: Ingress metadata: - name: {{ .Release.Name }}-ingress-browser + name: {{ .Release.Name }}-ingress-no-prefix labels: - app: {{ .Release.Name }}-ingress-browser + app: {{ .Release.Name }}-ingress-no-prefix annotations: {{- if .Values.ingress.annotations }} {{ toYaml .Values.ingress.annotations | indent 4 }} {{- end }} - {{- if eq .Values.ingress.className "nginx" }} - nginx.ingress.kubernetes.io/rewrite-target: /browser/$2 - nginx.ingress.kubernetes.io/use-regex: "true" - {{- end }} - # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490 + # Services handle their own path manipulation - no stripPrefix middleware {{- if eq .Values.ingress.className "traefik" }} traefik.ingress.kubernetes.io/router.entrypoints: web - traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd + {{- end }} + {{- if eq .Values.ingress.className "nginx" }} + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/use-regex: "true" {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} 
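Review bot: The guard on the first line is now a single very long `and`/`or` expression, and the comment that explained why this ingress exists separately (`# We need a separate ingress because …`) was dropped rather than updated, so a reader has to diff this file against `ingress.yaml` to discover the split. Restore a header comment above the condition, e.g. `# Ingress for routes that must reach the backend with the path prefix intact (STAC API / stac-auth-proxy and STAC Browser); prefix-stripped routes live in ingress.yaml.`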
@@ -35,12 +33,26 @@ spec: - host: {{ . }} http: paths: + {{- if and $.Values.stac.enabled (or (not (hasKey $.Values.stac "ingress")) $.Values.stac.ingress.enabled) }} + - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} + path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }} + backend: + service: + {{- if index $.Values "stac-auth-proxy" "enabled" }} + name: {{ $.Release.Name }}-stac-auth-proxy + {{- else }} + name: {{ $.Release.Name }}-stac + {{- end }} + port: + number: {{ $.Values.service.port }} + {{- end }} + {{- if and $.Values.browser.enabled (or (not (hasKey $.Values.browser "ingress")) $.Values.browser.ingress.enabled) }} - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: "/browser{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}" + path: "{{ $.Values.browser.ingress.path | default "/browser" }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}" backend: service: - name: {{ .Release.Name }}-browser + name: {{ $.Release.Name }}-browser port: number: 8080 {{- end }} 
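Review bot: The nginx branch still sets `nginx.ingress.kubernetes.io/rewrite-target: /$2`, which strips the captured `/stac` or `/browser` prefix before the request reaches the backend, while the traefik branch now forwards the path untouched — so the two controllers deliver different upstream paths, contrary to the `# Services handle their own path manipulation` comment right above. For the browser this is also a change from the old `/browser/$2` rewrite, and the image is built with `pathPrefix=/browser/` (see the workflow in this diff), so on nginx it may now receive `/…` instead of `/browser/…`. If the intent is that backends see the full prefix on every controller, drop the nginx annotation block from this template and emit `pathType: Prefix` with the plain path for nginx too (the `(/|$)(.*)` suffix only exists to feed the rewrite). The `metadata:` block this hunk edits continues into the next hunk.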
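Review bot: `path: {{ $.Values.stac.ingress.path }}…` is emitted unquoted while the browser entry a few lines below is quoted, so an empty `stac.ingress.path` renders as a bare `path:` (null) on traefik instead of failing visibly; quote it the same way, `path: "{{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"`, or wrap the value in `required`. The same applies to the single-host copy of this path list in the next hunk.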
@@ -51,9 +63,23 @@ spec: {{- end }} http: paths: + {{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }} + - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} + path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }} + backend: + service: + {{- if index .Values "stac-auth-proxy" "enabled" }} + name: {{ .Release.Name }}-stac-auth-proxy + {{- else }} + name: {{ .Release.Name }}-stac + {{- end }} + port: + number: {{ .Values.service.port }} + {{- end }} + {{- if and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }} - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: "/browser{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}" + path: "{{ .Values.browser.ingress.path | default "/browser" }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}" backend: service: name: {{ .Release.Name }}-browser diff --git a/charts/eoapi/templates/networking/ingress.yaml b/charts/eoapi/templates/networking/ingress.yaml index dc49bb70..b3f3faf0 100644 --- a/charts/eoapi/templates/networking/ingress.yaml +++ b/charts/eoapi/templates/networking/ingress.yaml 
@@ -19,10 +19,10 @@ metadata: {{- if .Values.ingress.annotations }} {{ toYaml .Values.ingress.annotations | indent 4 }} {{- end }} - # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490 + # Traefik stripPrefix middleware for services that need path stripping (excludes STAC) {{- if eq .Values.ingress.className "traefik" }} traefik.ingress.kubernetes.io/router.entrypoints: web - traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-{{ .Release.Name }}-strip-prefix-middleware@kubernetescrd {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} @@ -44,19 +44,7 @@ spec: number: {{ $.Values.service.port }} {{- end }} - {{- if and $.Values.stac.enabled (or (not (hasKey $.Values.stac "ingress")) $.Values.stac.ingress.enabled) }} - - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }} - backend: - service: - {{- if index $.Values "stac-auth-proxy" "enabled" }} - name: {{ $.Release.Name }}-stac-auth-proxy - {{- else }} - name: {{ $.Release.Name }}-stac - {{- end }} - port: - number: {{ $.Values.service.port }} - {{- end }} + {{- if and $.Values.vector.enabled (or (not (hasKey $.Values.vector "ingress")) $.Values.vector.ingress.enabled) }} - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} 
@@ -114,19 +102,7 @@ spec: number: {{ .Values.service.port }} {{- end }} - {{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }} - - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }} - backend: - service: - {{- if index .Values "stac-auth-proxy" "enabled" }} - name: {{ .Release.Name }}-stac-auth-proxy - {{- else }} - name: {{ .Release.Name }}-stac - {{- end }} - port: - number: {{ .Values.service.port }} - {{- end }} + {{- if and .Values.vector.enabled (or (not (hasKey .Values.vector "ingress")) .Values.vector.ingress.enabled) }} - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} @@ -160,7 +136,7 @@ spec: {{- if .Values.docServer.enabled }} - pathType: Prefix - path: "/{{ $.Values.ingress.rootPath | default "" }}" + path: "/{{ .Values.ingress.rootPath | default "" }}" backend: service: name: {{ .Release.Name }}-doc-server diff --git a/charts/eoapi/templates/services/browser/deployment.yaml b/charts/eoapi/templates/services/browser/deployment.yaml index 08e143a3..12336e8b 100644 --- a/charts/eoapi/templates/services/browser/deployment.yaml +++ b/charts/eoapi/templates/services/browser/deployment.yaml @@ -7,7 +7,7 @@ metadata: app: {{ .Release.Name }}-browser gitsha: {{ .Values.gitSha }} spec: - replicas: {{.Values.browser.replicaCount}} + replicas: {{ .Values.browser.replicaCount }} selector: matchLabels: app: {{ .Release.Name }}-browser 
@@ -23,5 +23,21 @@ spec: - containerPort: 8080 env: - name: SB_catalogUrl - value: "{{ .Values.stac.ingress.path }}" + value: "{{ if .Values.ingress.tls.enabled }}https{{ else }}http{{ end }}://{{ .Values.ingress.host }}{{ .Values.stac.ingress.path }}" + {{- if index .Values "stac-auth-proxy" "enabled" }} + - name: SB_authConfig + {{- if .Values.browser.authConfig }} + value: {{ .Values.browser.authConfig }} + {{- else }} + value: | + { + "type": "openIdConnect", + "openIdConnectUrl": "{{ .Values.browser.oidcDiscoveryUrl }}", + "oidcOptions": { + "client_id": "{{ .Values.browser.oidcClientId | default "test-client" }}", + "redirect_uri": "{{ if .Values.ingress.tls.enabled }}https{{ else }}http{{ end }}://{{ .Values.ingress.host }}{{ .Values.browser.ingress.path | default "/browser" | trimSuffix "/" }}/auth" + } + } + {{- end }} + {{- end }} {{- end }} diff --git a/charts/eoapi/tests/ingress_tests.yaml b/charts/eoapi/tests/ingress_tests.yaml index 11363982..4d0b3477 100644 --- a/charts/eoapi/tests/ingress_tests.yaml +++ b/charts/eoapi/tests/ingress_tests.yaml @@ -1,6 +1,6 @@ suite: unified ingress tests templates: - - templates/services/ingress.yaml + - templates/networking/ingress.yaml tests: - it: "vector ingress with nginx controller" set: @@ -33,13 +33,13 @@ tests: path: spec.ingressClassName value: "nginx" - - it: "stac ingress with traefik controller" + - it: "raster ingress with traefik controller" set: ingress.className: "traefik" ingress.pathType: "Prefix" ingress.host: "eoapi.local" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -48,7 +48,7 @@ tests: of: Ingress - equal: path: spec.rules[0].http.paths[0].path - value: "/stac" + value: "/raster" - equal: path: spec.rules[0].http.paths[0].pathType value: "Prefix" 
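Review bot: `SB_authConfig` is rendered with `"openIdConnectUrl": "{{ .Values.browser.oidcDiscoveryUrl }}"`, and since values.yaml in this change defaults that key to `""`, enabling stac-auth-proxy without setting it hands the browser an empty discovery URL; fail at render time instead with `"openIdConnectUrl": {{ required "browser.oidcDiscoveryUrl is required when stac-auth-proxy is enabled" .Values.browser.oidcDiscoveryUrl | toJson }},`. The `value: {{ .Values.browser.authConfig }}` branch is unquoted, so a JSON document (which starts with `{`) is read by YAML as a flow mapping or breaks the manifest on its first newline; use `value: {{ .Values.browser.authConfig | quote }}` (or `toJson | quote` if it is meant to be a map). The `| default "test-client"` fallback for `client_id` is a test identifier and disagrees with the `stac-browser` default in values.yaml; drop it or apply `required` there as well. Both URLs are built from `.Values.ingress.host`, so deployments that use `ingress.hosts` (which the ingress tests in this diff show taking precedence over `ingress.host`) would advertise a catalog URL and OAuth `redirect_uri` for a host the ingress does not serve — worth at least a comment on the `ingress.host` value.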
@@ -95,8 +95,7 @@ tests: ingress.className: "nginx" raster.enabled: true raster.ingress.path: "/titiler" - stac.enabled: true - stac.ingress.path: "/api" + stac.enabled: false vector.enabled: true vector.ingress.path: "/features" multidim.enabled: false @@ -109,9 +108,6 @@ tests: value: "/titiler(/|$)(.*)" - equal: path: spec.rules[0].http.paths[1].path - value: "/api(/|$)(.*)" - - equal: - path: spec.rules[0].http.paths[2].path value: "/features(/|$)(.*)" - equal: path: spec.rules[0].http.paths[0].pathType @@ -119,9 +115,6 @@ tests: - equal: path: spec.rules[0].http.paths[1].pathType value: "ImplementationSpecific" - - equal: - path: spec.rules[0].http.paths[2].pathType - value: "ImplementationSpecific" - equal: path: metadata.annotations value: @@ -131,9 +124,9 @@ tests: - it: "custom paths with traefik controller" set: ingress.className: "traefik" - raster.enabled: false - stac.enabled: true - stac.ingress.path: "/api" + raster.enabled: true + raster.ingress.path: "/titiler" + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -142,7 +135,7 @@ tests: of: Ingress - equal: path: spec.rules[0].http.paths[0].path - value: "/api" + value: "/titiler" - equal: path: spec.rules[0].http.paths[0].pathType value: "Prefix" @@ -159,8 +152,8 @@ tests: - "2.eoapi.dev" - "1.eoapi.dev" raster.enabled: true - stac.enabled: true - vector.enabled: false + stac.enabled: false + vector.enabled: true multidim.enabled: false browser.enabled: false asserts: @@ -177,13 +170,13 @@ tests: value: "/raster(/|$)(.*)" - equal: path: spec.rules[0].http.paths[1].path - value: "/stac(/|$)(.*)" + value: "/vector(/|$)(.*)" - equal: path: spec.rules[1].http.paths[0].path value: "/raster(/|$)(.*)" - equal: path: spec.rules[1].http.paths[1].path - value: "/stac(/|$)(.*)" + value: "/vector(/|$)(.*)" - it: "multiple hosts with traefik controller" set: 
@@ -191,8 +184,8 @@ tests: ingress.hosts: - "2.eoapi.dev" - "1.eoapi.dev" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -207,13 +200,13 @@ tests: value: "1.eoapi.dev" - equal: path: spec.rules[0].http.paths[0].path - value: "/stac" + value: "/raster" - equal: path: spec.rules[0].http.paths[0].pathType value: "Prefix" - equal: path: spec.rules[1].http.paths[0].path - value: "/stac" + value: "/raster" - equal: path: spec.rules[1].http.paths[0].pathType value: "Prefix" @@ -226,8 +219,8 @@ tests: - "1.eoapi.dev" ingress.tls.enabled: true ingress.tls.secretName: "eoapi-tls" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -250,8 +243,8 @@ tests: ingress.host: "1.eoapi.dev" ingress.tls.enabled: true ingress.tls.secretName: "eoapi-tls" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -274,8 +267,8 @@ tests: ingress.host: "should-be-ignored.com" ingress.hosts: - "1.eoapi.dev" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false diff --git a/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml b/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml index c4007016..0851ce94 100644 --- a/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml +++ b/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml @@ -1,6 +1,6 @@ -suite: test stac-auth-proxy ingress routing +suite: test ingress routing without stripPrefix middleware templates: - - networking/ingress.yaml + - networking/ingress-no-prefix.yaml tests: - it: should route ingress to stac-auth-proxy when enabled 
@@ -23,7 +23,7 @@ tests: name: RELEASE-NAME-stac-auth-proxy port: number: 8080 - template: networking/ingress.yaml + template: networking/ingress-no-prefix.yaml - it: should route ingress directly to stac when auth-proxy is disabled set: @@ -45,20 +45,18 @@ tests: name: RELEASE-NAME-stac port: number: 8080 - template: networking/ingress.yaml + template: networking/ingress-no-prefix.yaml - - it: should not create stac routes when stac is disabled + - it: should not create ingress when both stac and browser are disabled set: ingress.enabled: true stac.enabled: false + browser.enabled: false stac-auth-proxy.enabled: true asserts: - - notContains: - path: spec.rules[0].http.paths - any: true - content: - path: /stac(/|$)(.*) - template: networking/ingress.yaml + - hasDocuments: + count: 0 + template: networking/ingress-no-prefix.yaml - it: should route correctly with experimental profile values: 
@@ -76,4 +74,57 @@ tests: name: RELEASE-NAME-stac-auth-proxy port: number: 8080 - template: networking/ingress.yaml + template: networking/ingress-no-prefix.yaml + + - it: should route ingress to browser + set: + ingress.enabled: true + ingress.className: nginx + browser.enabled: true + stac.enabled: false + asserts: + - contains: + path: spec.rules[0].http.paths + content: + pathType: ImplementationSpecific + path: /browser(/|$)(.*) + backend: + service: + name: RELEASE-NAME-browser + port: + number: 8080 + template: networking/ingress-no-prefix.yaml + + - it: should include both stac and browser when both enabled + set: + ingress.enabled: true + ingress.className: nginx + stac.enabled: true + stac.ingress.enabled: true + stac.ingress.path: "/stac" + stac-auth-proxy.enabled: true + browser.enabled: true + service.port: 8080 + asserts: + - contains: + path: spec.rules[0].http.paths + content: + pathType: ImplementationSpecific + path: /stac(/|$)(.*) + backend: + service: + name: RELEASE-NAME-stac-auth-proxy + port: + number: 8080 + template: networking/ingress-no-prefix.yaml + - contains: + path: spec.rules[0].http.paths + content: + pathType: ImplementationSpecific + path: /browser(/|$)(.*) + backend: + service: + name: RELEASE-NAME-browser + port: + number: 8080 + template: networking/ingress-no-prefix.yaml diff --git a/charts/eoapi/tests/stac_browser_tests.yaml b/charts/eoapi/tests/stac_browser_tests.yaml index d195a601..0a74bd89 100644 --- a/charts/eoapi/tests/stac_browser_tests.yaml +++ b/charts/eoapi/tests/stac_browser_tests.yaml 
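Review bot: The new cases assert backends and paths under nginx only; the suite is now titled "ingress routing without stripPrefix middleware" but no case renders the template with `ingress.className: traefik` and checks that the `traefik.ingress.kubernetes.io/router.middlewares` annotation is absent, which is the property the template split was made for. Add a traefik case that asserts the annotation is null and that the STAC path is a plain `Prefix` match.
```yaml
  - it: should not attach the strip-prefix middleware on traefik
    set:
      ingress.enabled: true
      ingress.className: traefik
      stac.enabled: true
      browser.enabled: false
    asserts:
      - isNull:
          path: metadata.annotations["traefik.ingress.kubernetes.io/router.middlewares"]
        template: networking/ingress-no-prefix.yaml
      - equal:
          path: spec.rules[0].http.paths[0].pathType
          value: Prefix
        template: networking/ingress-no-prefix.yaml
```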
@@ -51,3 +51,91 @@ tests: - equal: path: metadata.annotations.annotation2 value: world + - it: "stac browser deployment with auth enabled" + set: + raster.enabled: false + stac.enabled: true + vector.enabled: false + multidim.enabled: false + browser.enabled: true + stac-auth-proxy.enabled: true + stac-auth-proxy.env.OIDC_DISCOVERY_URL: "http://localhost/mock-oidc/.well-known/openid-configuration" + ingress.host: "localhost" + stac.ingress.path: "/stac" + mockOidcServer.ingress.path: "/mock-oidc" + browser.oidcClientId: "test-client" + gitSha: "ABC123" + template: templates/services/browser/deployment.yaml + asserts: + - isKind: + of: Deployment + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_catalogUrl + value: "http://localhost/stac" + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_authConfig + value: | + { + "type": "openIdConnect", + "openIdConnectUrl": "http://localhost/mock-oidc/.well-known/openid-configuration", + "oidcOptions": { + "client_id": "test-client" + } + } + - it: "stac browser deployment with custom OIDC_DISCOVERY_URL" + set: + raster.enabled: false + stac.enabled: true + vector.enabled: false + multidim.enabled: false + browser.enabled: true + stac-auth-proxy.enabled: true + stac-auth-proxy.env.OIDC_DISCOVERY_URL: "https://auth.example.com/.well-known/openid-configuration" + ingress.host: "localhost" + stac.ingress.path: "/stac" + browser.oidcClientId: "test-client" + gitSha: "ABC123" + template: templates/services/browser/deployment.yaml + asserts: + - isKind: + of: Deployment + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_authConfig + value: | + { + "type": "openIdConnect", + "openIdConnectUrl": "https://auth.example.com/.well-known/openid-configuration", + "oidcOptions": { + "client_id": "test-client" + } + } + - it: "stac browser deployment without auth" + set: + raster.enabled: false + stac.enabled: true + vector.enabled: false + 
multidim.enabled: false + browser.enabled: true + stac-auth-proxy.enabled: false + ingress.host: "localhost" + stac.ingress.path: "/stac" + gitSha: "ABC123" + template: templates/services/browser/deployment.yaml + asserts: + - isKind: + of: Deployment + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_catalogUrl + value: "http://localhost/stac" + - notContains: + path: spec.template.spec.containers[0].env + content: + name: SB_authConfig diff --git a/charts/eoapi/values.yaml b/charts/eoapi/values.yaml index 62608f00..2b85de0e 100644 --- a/charts/eoapi/values.yaml +++ b/charts/eoapi/values.yaml @@ -415,7 +415,11 @@ stac: # STAC Auth Proxy - authentication layer for STAC API stac-auth-proxy: enabled: false + image: + tag: "v0.11.0" env: + ROOT_PATH: "/stac" + OVERRIDE_HOST: "false" DEFAULT_PUBLIC: "true" # UPSTREAM_URL will be set dynamically in template to point to stac service # OIDC_DISCOVERY_URL must be configured when enabling auth @@ -488,10 +492,16 @@ browser: enabled: true image: # we use a custom image with pathPrefix built into it - name: ghcr.io/developmentseed/eoapi-k8s-stac-browser - tag: 3.3.4 + name: ghcr.io/developmentseed/eoapi-k8s/stac-browser + tag: 4.0.0 ingress: enabled: true # Control ingress specifically for browser service + path: "/browser" + # OAuth2 client ID for browser (frontend app) + oidcClientId: "stac-browser" + # OIDC discovery URL for browser (must be externally accessible URL) + # Required when stac-auth-proxy is enabled + oidcDiscoveryUrl: "" docServer: enabled: true diff --git a/renovate.json b/renovate.json index 44b8b74a..f72b37b1 100644 --- a/renovate.json +++ b/renovate.json @@ -57,7 +57,7 @@ "matchPackageNames": [ "/ghcr.io/developmentseed/tipg/", "/ghcr.io/developmentseed/titiler-md-demo/", - "/ghcr.io/developmentseed/eoapi-k8s-stac-browser/" + "/ghcr.io/developmentseed/eoapi-k8s/stac-browser/" ], "automerge": false, "platformAutomerge": false,
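Review bot: The expected `SB_authConfig` value in the first two new cases lists only `client_id` under `oidcOptions`, but the browser deployment template in this same change also emits a `redirect_uri` entry, and the cases set `stac-auth-proxy.env.OIDC_DISCOVERY_URL` while the template reads `browser.oidcDiscoveryUrl` (defaulted to `""` in values.yaml); unless a helper outside this diff maps one onto the other, a `contains` with exact `content` cannot match. Set `browser.oidcDiscoveryUrl: "http://localhost/mock-oidc/.well-known/openid-configuration"` in `set:` and add `"redirect_uri": "http://localhost/browser/auth"` to the expected JSON, or assert on the discovery URL with `matchRegex` instead of the whole document. This hunk starts on the previous line.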
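Review bot: `ROOT_PATH: "/stac"` is a fixed string while `stac.ingress.path`, the prefix the new no-prefix ingress routes to the proxy, is operator-configurable, so changing one without the other leaves the proxy building links for a path the ingress does not serve; either derive `ROOT_PATH` from `stac.ingress.path` in the subchart's values template or add `# must match stac.ingress.path` beside it, and a one-line comment on what `OVERRIDE_HOST: "false"` controls would help the next reader. `oidcDiscoveryUrl: ""` is commented as "Required when stac-auth-proxy is enabled" but nothing enforces that at render time — a `required` in the browser deployment template is the natural place. `tag: 4.0.0` is a mutable tag that the workflow in this change can re-push from any manual dispatch; if the browser deployment template supports an image digest, pin it here as well.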