From ebc095fbfa344b7cbd341bd280bb6e6bac56d68b Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 27 Mar 2025 14:03:16 +0530 Subject: [PATCH 01/14] first draft of helm chart --- helm/Chart.yaml | 1 + helm/templates/NOTES.txt | 5 +++++ helm/templates/_helpers.tpl | 1 + helm/templates/deployment.yaml | 1 + helm/templates/ingress.yaml | 1 + helm/templates/service.yaml | 1 + helm/values.yaml | 1 + 7 files changed, 11 insertions(+) create mode 100644 helm/Chart.yaml create mode 100644 helm/templates/NOTES.txt create mode 100644 helm/templates/_helpers.tpl create mode 100644 helm/templates/deployment.yaml create mode 100644 helm/templates/ingress.yaml create mode 100644 helm/templates/service.yaml create mode 100644 helm/values.yaml diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 0000000..0519ecb --- /dev/null +++ b/helm/Chart.yaml @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt new file mode 100644 index 0000000..6d186af --- /dev/null +++ b/helm/templates/NOTES.txt @@ -0,0 +1,5 @@ +ingress: + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" \ No newline at end of file diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl new file mode 100644 index 0000000..0519ecb --- /dev/null +++ b/helm/templates/_helpers.tpl @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml new file mode 100644 index 0000000..0519ecb --- /dev/null +++ b/helm/templates/deployment.yaml @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml new file mode 100644 index 0000000..0519ecb --- /dev/null +++ b/helm/templates/ingress.yaml @@ -0,0 +1 @@ + \ No newline at end of file 
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml new file mode 100644 index 0000000..0519ecb --- /dev/null +++ b/helm/templates/service.yaml @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/helm/values.yaml b/helm/values.yaml new file mode 100644 index 0000000..0519ecb --- /dev/null +++ b/helm/values.yaml @@ -0,0 +1 @@ + \ No newline at end of file From 0d1d76484423532868d3351638b925f42923ed6f Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 27 Mar 2025 14:05:45 +0530 Subject: [PATCH 02/14] add a schema for values --- helm/values.schema.yaml | 1 + 1 file changed, 1 insertion(+) create mode 100644 helm/values.schema.yaml diff --git a/helm/values.schema.yaml b/helm/values.schema.yaml new file mode 100644 index 0000000..0519ecb --- /dev/null +++ b/helm/values.schema.yaml @@ -0,0 +1 @@ + \ No newline at end of file From 7f91732859ac9b5e5a607610060adb37dbaecaa1 Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 27 Mar 2025 14:08:02 +0530 Subject: [PATCH 03/14] default to using image published at ghcr.io/developmentseed/stac-auth-proxy:latest --- helm/values.schema.yaml | 19 ++++++++++++++++++- helm/values.yaml | 5 ++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/helm/values.schema.yaml b/helm/values.schema.yaml index 0519ecb..4678572 100644 --- a/helm/values.schema.yaml +++ b/helm/values.schema.yaml @@ -1 +1,18 @@ - \ No newline at end of file +image: + type: object + properties: + repository: + type: string + description: "Docker image repository" + default: "ghcr.io/developmentseed/stac-auth-proxy" + pullPolicy: + type: string + enum: ["IfNotPresent", "Always", "Never"] + description: "Kubernetes image pull policy" + tag: + type: string + description: "Docker image tag" + default: "latest" + +required: + - service \ No newline at end of file diff --git a/helm/values.yaml b/helm/values.yaml index 0519ecb..890bb83 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
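Review bot: Helm only evaluates a chart schema named `values.schema.json`; the file created here is `helm/values.schema.yaml`, so none of its constraints — including the top-level `required: - service` — run at install or lint time, and the same applies to the later schema hunks in patches 04, 06 and 09. Either rename the file to `values.schema.json` and convert it to JSON (after which `helm lint helm/` will surface violations), or say in the chart README that the YAML copy is documentation only. Until that is done, anything the deployment reads from `.Values` is unvalidated at render time.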
@@ -1 +1,4 @@ - \ No newline at end of file +image: + repository: ghcr.io/developmentseed/stac-auth-proxy + pullPolicy: IfNotPresent + tag: "latest" \ No newline at end of file From d82755743c1d28acfe94abd8d166e83d26ec577a Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 27 Mar 2025 14:11:50 +0530 Subject: [PATCH 04/14] actually add the things properly, fix bad previous commit --- helm/Chart.yaml | 7 +- helm/templates/_helpers.tpl | 50 +++++++++- helm/templates/deployment.yaml | 43 ++++++++- helm/templates/ingress.yaml | 41 ++++++++- helm/values.schema.yaml | 162 ++++++++++++++++++++++++++++++--- helm/values.yaml | 45 ++++++++- 6 files changed, 329 insertions(+), 19 deletions(-) diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 0519ecb..d8e0a92 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1 +1,6 @@ - \ No newline at end of file +apiVersion: v2 +name: stac-auth-proxy +description: A Helm chart for stac-auth-proxy +type: application +version: 0.1.0 +appVersion: "1.0.0" \ No newline at end of file diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 0519ecb..23a9ecd 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl 
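Review bot: `tag: "latest"` in helm/values.yaml makes the default install track a mutable tag, so two installs of the same chart version can run different proxy builds and a pod reschedule can silently pull new code. The deployment template added in the next patch already falls back to `.Chart.AppVersion` when the tag is empty, so a safer default is `tag: ""` with `appVersion` in Chart.yaml kept at a real published release — the `"1.0.0"` set in this patch should be checked against what ghcr.io actually hosts. Chart.yaml also lacks a `kubeVersion` constraint even though the ingress template is hard-coded to `networking.k8s.io/v1`; `kubeVersion: ">=1.19.0-0"` would make that explicit.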
@@ -1 +1,49 @@ - \ No newline at end of file +{{/* +Expand the name of the chart. +*/}} +{{- define "stac-auth-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "stac-auth-proxy.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "stac-auth-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "stac-auth-proxy.labels" -}} +helm.sh/chart: {{ include "stac-auth-proxy.chart" . }} +{{ include "stac-auth-proxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "stac-auth-proxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "stac-auth-proxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} \ No newline at end of file diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index 0519ecb..a68beb8 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml 
@@ -1 +1,42 @@ - \ No newline at end of file +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "stac-auth-proxy.fullname" . }} + labels: + {{- include "stac-auth-proxy.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "stac-auth-proxy.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "stac-auth-proxy.selectorLabels" . | nindent 8 }} + spec: + securityContext: + {{- toYaml .Values.securityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8000 + protocol: TCP + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml index 0519ecb..6c47509 100644 --- a/helm/templates/ingress.yaml +++ b/helm/templates/ingress.yaml 
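Review bot: The container in helm/templates/deployment.yaml declares `containerPort: 8000` but no `readinessProbe` or `livenessProbe`, so the Service sends traffic to a replica as soon as the process starts and never evicts one that hangs; the `/healthz` endpoint the chart configures in a later patch is the natural target. Note also that with the values default of `tag: "latest"` the `| default .Chart.AppVersion` fallback on the `image:` line is never reached. The pod-level `securityContext` is a good start; `readOnlyRootFilesystem: true` and `seccompProfile: { type: RuntimeDefault }` under `containerSecurityContext` would complete it if the image tolerates them — confirm against the proxy's runtime needs before defaulting them.
```yaml
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
          # … unchanged: resources, nodeSelector, affinity, tolerations …
```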
@@ -1 +1,40 @@ - \ No newline at end of file +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "stac-auth-proxy.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "stac-auth-proxy.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + {{- if and .Values.ingress.tls.enabled .Values.ingress.host }} + tls: + - hosts: + - {{ .Values.ingress.host }} + secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-tls" .Values.ingress.host) }} + {{- end }} + rules: + {{- if .Values.ingress.host }} + - host: {{ .Values.ingress.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/values.schema.yaml b/helm/values.schema.yaml index 4678572..9558846 100644 --- a/helm/values.schema.yaml +++ b/helm/values.schema.yaml 
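Review bot: When `ingress.enabled` is true but `ingress.host` is empty, helm/templates/ingress.yaml emits `rules:` with no entries and no `defaultBackend`, which the API server rejects, so the release fails with an unhelpful message; make the host mandatory at render time, e.g. `{{- $host := required "ingress.host is required when ingress.enabled is true" .Values.ingress.host -}}` next to the other variable bindings. The `semverCompare ">=1.18-0"` branch that injects the `kubernetes.io/ingress.class` annotation is dead code, since the resource is hard-coded to `networking.k8s.io/v1` (1.19+ only), and it mutates `.Values.ingress.annotations` via `set` as a side effect. Minor: `ingressClassName:` is emitted unconditionally, so an empty `className` yields a null field; wrapping it in `{{- with .Values.ingress.className }}` keeps the manifest clean.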
@@ -1,18 +1,152 @@ -image: - type: object - properties: - repository: - type: string - description: "Docker image repository" - default: "ghcr.io/developmentseed/stac-auth-proxy" - pullPolicy: - type: string - enum: ["IfNotPresent", "Always", "Never"] - description: "Kubernetes image pull policy" - tag: +"$schema": "https://json-schema.org/draft-07/schema#" +type: object +properties: + replicaCount: + type: integer + minimum: 1 + description: "Number of replicas for the deployment" + + image: + type: object + properties: + repository: + type: string + description: "Docker image repository" + default: "ghcr.io/developmentseed/stac-auth-proxy" + pullPolicy: + type: string + enum: ["IfNotPresent", "Always", "Never"] + description: "Kubernetes image pull policy" + tag: + type: string + description: "Docker image tag" + default: "latest" + + service: + type: object + required: ["type", "port"] + properties: + type: + type: string + enum: ["ClusterIP", "NodePort", "LoadBalancer"] + description: "Kubernetes service type" + port: + type: integer + minimum: 1 + maximum: 65535 + description: "Service port number" + + ingress: + type: object + properties: + enabled: + type: boolean + description: "Enable ingress resource" + className: + type: string + description: "Ingress class name (e.g., nginx)" + annotations: + type: object + additionalProperties: + type: string + description: "Annotations for the ingress resource" + host: + type: string + description: "Hostname for the ingress" + tls: + type: object + properties: + enabled: + type: boolean + description: "Enable TLS configuration" + secretName: + type: string + description: "Name of the TLS secret (optional, will be auto-generated if empty)" + required: ["enabled"] + + resources: + type: object + properties: + limits: + type: object + properties: + cpu: + type: string + pattern: "^[0-9]+m?$|^[0-9]+\\.[0-9]+$" + description: "CPU limit (e.g., 500m, 1.5)" + memory: + type: string + pattern: 
"^[0-9]+(Ki|Mi|Gi|Ti|Pi|Ei|[kMGTPE]i?)?$" + description: "Memory limit (e.g., 512Mi, 1Gi)" + requests: + type: object + properties: + cpu: + type: string + pattern: "^[0-9]+m?$|^[0-9]+\\.[0-9]+$" + description: "CPU request (e.g., 200m, 0.5)" + memory: + type: string + pattern: "^[0-9]+(Ki|Mi|Gi|Ti|Pi|Ei|[kMGTPE]i?)?$" + description: "Memory request (e.g., 256Mi, 1Gi)" + + securityContext: + type: object + properties: + runAsNonRoot: + type: boolean + description: "Requires the container to run without root privileges" + runAsUser: + type: integer + description: "The UID to run the entrypoint of the container process" + runAsGroup: + type: integer + description: "The GID to run the entrypoint of the container process" + description: "Pod-level security context" + + containerSecurityContext: + type: object + properties: + allowPrivilegeEscalation: + type: boolean + description: "Controls whether a process can gain more privileges than its parent process" + capabilities: + type: object + properties: + drop: + type: array + items: + type: string + description: "List of capabilities to drop" + description: "Container-level security context" + + nodeSelector: + type: object + additionalProperties: type: string - description: "Docker image tag" - default: "latest" + description: "Node labels for pod assignment" + + tolerations: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: ["Exists", "Equal"] + value: + type: string + effect: + type: string + enum: ["NoSchedule", "PreferNoSchedule", "NoExecute"] + description: "Pod tolerations" + + affinity: + type: object + additionalProperties: true + description: "Pod affinity rules" required: - service \ No newline at end of file diff --git a/helm/values.yaml b/helm/values.yaml index 890bb83..8b9f759 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
@@ -1,4 +1,47 @@ +# Default values for stac-auth-proxy + +replicaCount: 1 + image: repository: ghcr.io/developmentseed/stac-auth-proxy pullPolicy: IfNotPresent - tag: "latest" \ No newline at end of file + tag: "latest" + +service: + type: ClusterIP + port: 8000 + +ingress: + enabled: true + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" + host: "stac-proxy.example.com" # This should be overridden in production + tls: + enabled: true + secretName: "" # If empty, will be auto-generated as "{host}-tls" + +resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 200m + memory: 256Mi + +# Pod-level security context +securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + +# Container-level security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + +nodeSelector: {} +tolerations: [] +affinity: {} \ No newline at end of file From 52783e262ace67874db3d6b56f4e8db3c92a92ce Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 27 Mar 2025 14:13:14 +0530 Subject: [PATCH 05/14] add service --- helm/templates/service.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml index 0519ecb..7d00ce9 100644 --- a/helm/templates/service.yaml +++ b/helm/templates/service.yaml @@ -1 +1,15 @@ - \ No newline at end of file +apiVersion: v1 +kind: Service +metadata: + name: {{ include "stac-auth-proxy.fullname" . }} + labels: + {{- include "stac-auth-proxy.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "stac-auth-proxy.selectorLabels" . | nindent 4 }} \ No newline at end of file From 0bab458eafe7afd44c4a96f00e63449674251e7e Mon Sep 17 00:00:00 2001 
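Review bot: `host: "stac-proxy.example.com"` together with `ingress.enabled: true`, `tls.enabled: true` and the `cert-manager.io/cluster-issuer: "letsencrypt-prod"` annotation means a plain `helm install` with no overrides publishes an Ingress for a domain the operator does not control and asks a production ACME issuer to order a certificate for it. Defaulting `host: ""` and making the ingress template fail when it is empty is safer than the inline `# This should be overridden in production` comment, which nobody using `--set` will see. The cluster-issuer annotation also assumes an issuer named `letsencrypt-prod` exists cluster-wide; it is better left to the user than defaulted, so `annotations: {}` with the cert-manager line shown commented out reads as the intended default.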
From: Sanjay Bhangar Date: Thu, 27 Mar 2025 14:19:29 +0530 Subject: [PATCH 06/14] add configurable env vars for deployment --- helm/templates/deployment.yaml | 49 ++++++++++++++++++++ helm/values.schema.yaml | 83 ++++++++++++++++++++++++++++++++++ helm/values.yaml | 42 ++++++++++++++++- 3 files changed, 173 insertions(+), 1 deletion(-) diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index a68beb8..07e8da7 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml 
@@ -28,6 +28,55 @@ spec: protocol: TCP resources: {{- toYaml .Values.resources | nindent 12 }} + env: + - name: UPSTREAM_URL + value: {{ required "A valid upstream URL is required" .Values.config.upstreamUrl | quote }} + - name: OIDC_DISCOVERY_URL + value: {{ required "An OIDC discovery URL is required" .Values.config.oidc.discoveryUrl | quote }} + + # Optional OIDC internal URL + {{- if .Values.config.oidc.discoveryInternalUrl }} + - name: OIDC_DISCOVERY_INTERNAL_URL + value: {{ .Values.config.oidc.discoveryInternalUrl | quote }} + {{- end }} + + # Core configuration + - name: WAIT_FOR_UPSTREAM + value: {{ .Values.config.waitForUpstream | quote }} + - name: HEALTHZ_PREFIX + value: {{ .Values.config.healthzPrefix | quote }} + + # Access control configuration + - name: DEFAULT_PUBLIC + value: {{ .Values.config.defaultPublic | quote }} + {{- if .Values.config.privateEndpoints }} + - name: PRIVATE_ENDPOINTS + value: {{ .Values.config.privateEndpoints | toJson | quote }} + {{- end }} + {{- if .Values.config.publicEndpoints }} + - name: PUBLIC_ENDPOINTS + value: {{ .Values.config.publicEndpoints | toJson | quote }} + {{- end }} + + # OpenAPI configuration + {{- if .Values.config.openapiSpecEndpoint }} + - name: OPENAPI_SPEC_ENDPOINT + value: {{ .Values.config.openapiSpecEndpoint | quote }} + {{- end }} + + # Filtering configuration + {{- if .Values.config.itemsFilter.class }} + - name: ITEMS_FILTER_CLS + value: {{ .Values.config.itemsFilter.class | quote }} + - name: ITEMS_FILTER_ARGS + value: {{ .Values.config.itemsFilter.args | toJson | quote }} + - name: ITEMS_FILTER_KWARGS + value: {{ .Values.config.itemsFilter.kwargs | toJson | quote }} + {{- end }} + + {{- with .Values.config.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/helm/values.schema.yaml b/helm/values.schema.yaml index 9558846..ac939b0 100644 --- a/helm/values.schema.yaml +++ b/helm/values.schema.yaml 
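Review bot: Every configuration value in this hunk is rendered inline as `value:` in the Deployment, so anything sensitive placed under `config.*` or `extraEnv` lands in clear text in the pod spec and in the Helm release secret. `extraEnv` goes through `toYaml`, so a `valueFrom: { secretKeyRef: ... }` entry would work at the template level, but the schema hunk in this same patch declares `required: ["name", "value"]` for `extraEnv` items, which rejects exactly that shape once the schema is actually applied; relax it to `required: ["name"]` and add a `valueFrom: { type: object }` property. An `envFrom` passthrough (`{{- with .Values.config.envFrom }}envFrom: {{- toYaml . | nindent 12 }}{{- end }}`) would let a whole Secret be mounted without listing keys. The enclosing container block starts before this hunk.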
@@ -148,5 +148,88 @@ properties: additionalProperties: true description: "Pod affinity rules" + config: + type: object + required: ["upstreamUrl", "oidc"] + properties: + upstreamUrl: + type: string + format: uri + description: "STAC API URL" + waitForUpstream: + type: boolean + description: "Wait for upstream API to become available" + default: true + healthzPrefix: + type: string + description: "Path prefix for health check endpoints" + default: "/healthz" + + oidc: + type: object + required: ["discoveryUrl"] + properties: + discoveryUrl: + type: string + format: uri + description: "OpenID Connect discovery document URL" + discoveryInternalUrl: + type: string + format: uri + description: "Internal network OpenID Connect discovery document URL" + + defaultPublic: + type: boolean + description: "Default access policy for endpoints" + default: false + + privateEndpoints: + type: object + additionalProperties: + type: array + items: + type: string + description: "Endpoints requiring authentication" + + publicEndpoints: + type: object + additionalProperties: + type: array + items: + type: string + description: "Public endpoints when defaultPublic is false" + + openapiSpecEndpoint: + type: ["string", "null"] + description: "Path of OpenAPI specification" + + itemsFilter: + type: object + properties: + class: + type: ["string", "null"] + description: "CQL2 expression generator class" + args: + type: array + description: "Positional arguments for filter class" + items: + type: string + kwargs: + type: object + description: "Keyword arguments for filter class" + additionalProperties: true + + extraEnv: + type: array + description: "Additional environment variables" + items: + type: object + required: ["name", "value"] + properties: + name: + type: string + value: + type: string + required: - service \ No newline at end of file diff --git a/helm/values.yaml b/helm/values.yaml index 8b9f759..dcfa2f7 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
@@ -44,4 +44,44 @@ containerSecurityContext: nodeSelector: {} tolerations: [] -affinity: {} \ No newline at end of file +affinity: {} + +# Application configuration +config: + # Core Configuration + upstreamUrl: "" # Required: STAC API URL + waitForUpstream: true # Optional: wait for upstream API + healthzPrefix: "/healthz" # Optional: health check prefix + + # Authentication Configuration + oidc: + discoveryUrl: "" # Required: OpenID Connect discovery URL + discoveryInternalUrl: "" # Optional: internal network OIDC URL + + # Access Control + defaultPublic: false # Optional: default access policy + privateEndpoints: # Optional: endpoints requiring auth + "^/collections$": ["POST"] + "^/collections/([^/]+)$": ["PUT", "PATCH", "DELETE"] + "^/collections/([^/]+)/items$": ["POST"] + "^/collections/([^/]+)/items/([^/]+)$": ["PUT", "PATCH", "DELETE"] + "^/collections/([^/]+)/bulk_items$": ["POST"] + publicEndpoints: # Optional: public endpoints + "^/api.html$": ["GET"] + "^/api$": ["GET"] + "^/docs/oauth2-redirect": ["GET"] + "^/healthz": ["GET"] + + # OpenAPI Configuration + openapiSpecEndpoint: null # Optional: OpenAPI spec path + + # Filtering Configuration + itemsFilter: + class: null # Optional: CQL2 expression generator class + args: [] # Optional: positional arguments + kwargs: {} # Optional: keyword arguments + + # Additional environment variables + extraEnv: [] + # - name: CUSTOM_VAR + # value: "custom-value" \ No newline at end of file From 3523b1d102543f7f33a945ab3adcb403c7bff0f9 Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 27 Mar 2025 14:36:21 +0530 Subject: [PATCH 07/14] fix NOTES.txt --- helm/templates/NOTES.txt | 76 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 71 insertions(+), 5 deletions(-) diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index 6d186af..5fabf22 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt 
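Review bot: The `publicEndpoints` entries `"^/docs/oauth2-redirect"` and `"^/healthz"` have no trailing `$`, unlike every `privateEndpoints` pattern, so they match any path that merely starts with that prefix and widen the unauthenticated surface beyond what the comment `# Optional: public endpoints` suggests; if only the exact path is meant, anchor them as `"^/healthz$"`, or use `"^/healthz(/.*)?$"` if sub-paths are intended. The `.` in `"^/api.html$"` is also an unescaped wildcard; `"^/api\\.html$"` says what is meant. Whether the proxy normalizes the request path before matching is not visible here and is worth confirming, since the effect of these patterns depends on it.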
@@ -1,5 +1,71 @@ -ingress: - annotations: - nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "600" \ No newline at end of file +Thank you for installing {{ .Chart.Name }}. + +Your STAC Auth Proxy has been deployed with the following configuration: + +1. Application Access: +{{- if .Values.ingress.enabled }} +{{- if .Values.ingress.host }} + Your proxy is available at: + {{- if .Values.ingress.tls.enabled }} + https://{{ .Values.ingress.host }} + {{- else }} + http://{{ .Values.ingress.host }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + Get the application URL by running these commands: + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "stac-auth-proxy.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + Get the application URL by running these commands: + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status by running: + kubectl get svc --namespace {{ .Release.Namespace }} {{ include "stac-auth-proxy.fullname" . }} -w + + Once ready, get the external IP/hostname with: + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "stac-auth-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else }} + The service is accessible within the cluster at: + {{ include "stac-auth-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }} +{{- end }} + +2. 
Configuration Details: + - Upstream STAC API: {{ .Values.config.upstreamUrl }} + - OIDC Discovery URL: {{ .Values.config.oidc.discoveryUrl }} + - Health Check Endpoint: {{ .Values.config.healthzPrefix }} + - Default Public Access: {{ .Values.config.defaultPublic }} + +3. Verify the deployment: + kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "stac-auth-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" + +4. View the logs: + kubectl logs --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "stac-auth-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" + +5. Health check: +{{- if .Values.ingress.enabled }} +{{- if .Values.ingress.host }} + {{- if .Values.ingress.tls.enabled }} + curl https://{{ .Values.ingress.host }}{{ .Values.config.healthzPrefix }} + {{- else }} + curl http://{{ .Values.ingress.host }}{{ .Values.config.healthzPrefix }} + {{- end }} +{{- end }} +{{- else }} + kubectl port-forward --namespace {{ .Release.Namespace }} service/{{ include "stac-auth-proxy.fullname" . }} 8000:{{ .Values.service.port }} + curl http://localhost:8000{{ .Values.config.healthzPrefix }} +{{- end }} + +For more information about STAC Auth Proxy, please visit: +https://github.com/developmentseed/stac-auth-proxy + +{{- if or (not .Values.config.upstreamUrl) (not .Values.config.oidc.discoveryUrl) }} +WARNING: Some required configuration values are not set. Please ensure you have configured: +{{- if not .Values.config.upstreamUrl }} + - config.upstreamUrl +{{- end }} +{{- if not .Values.config.oidc.discoveryUrl }} + - config.oidc.discoveryUrl +{{- end }} +{{- end }} \ No newline at end of file From 1718d6f61fa3c6b559cdc7d823d5b7b13c23818e Mon Sep 17 00:00:00 2001 
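Review bot: The closing `WARNING: Some required configuration values are not set` block in helm/templates/NOTES.txt is unreachable: the deployment template wraps both `config.upstreamUrl` and `config.oidc.discoveryUrl` in `required`, which aborts rendering before NOTES is produced, so either drop the block or keep it only if those `required` calls are removed. The `Configuration Details` section prints the upstream and OIDC discovery URLs on every install; that is fine for these non-secret values, but the same restraint should apply if more config is surfaced later. The hunk covers the whole file, so nothing is cut at either edge.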
From: Sanjay Bhangar Date: Thu, 27 Mar 2025 15:46:53 +0530 Subject: [PATCH 08/14] add github action to publish helm chart and README around usage of helm chart --- .github/workflows/publish-helm.yaml | 44 +++++++++++ helm/README.md | 117 ++++++++++++++++++++++++++++ 2 files changed, 161 insertions(+) create mode 100644 .github/workflows/publish-helm.yaml create mode 100644 helm/README.md diff --git a/.github/workflows/publish-helm.yaml b/.github/workflows/publish-helm.yaml new file mode 100644 index 0000000..55797bd --- /dev/null +++ b/.github/workflows/publish-helm.yaml @@ -0,0 +1,44 @@ +name: Publish Helm Chart + +on: + push: + branches: + - main + paths: + - 'helm/**' + - '.github/workflows/publish-helm.yaml' + release: + types: [created] + +jobs: + publish-helm: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.12.1 + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Package Helm Chart + run: | + helm package helm/ + + - name: Push Helm Chart + run: | + helm push *.tgz oci://ghcr.io/${{ github.repository }}/charts \ No newline at end of file diff --git a/helm/README.md b/helm/README.md new file mode 100644 index 0000000..7c0a010 --- /dev/null +++ b/helm/README.md 
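Review bot: In .github/workflows/publish-helm.yaml the third-party actions are referenced by floating tags (`actions/checkout@v4`, `azure/setup-helm@v3`, `docker/login-action@v3`), so a moved or compromised tag changes what runs in a job that holds `packages: write` to the project's GHCR namespace; pin each to a full commit SHA with the tag kept in a trailing comment. The job also pushes on every push to `main` that touches `helm/**` without requiring a bump of `version` in Chart.yaml, so the `0.1.0` artifact is overwritten in place and consumers pinning that version receive different content over time — either publish from the `release` trigger only, or fail the job when the version already exists in the registry. A `helm lint helm/` step before `helm package` would catch template errors before they are published, and `fetch-depth: 0` is not used by any later step and can be dropped.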
@@ -0,0 +1,117 @@ +# STAC Auth Proxy Helm Chart + +This Helm chart deploys the STAC Auth Proxy, which provides authentication and authorization for STAC APIs. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- An OIDC provider (e.g., Auth0, Cognito, Keycloak) +- A STAC API endpoint + +## Installation + +### Add the Helm Repository + +```bash +helm registry login ghcr.io +helm pull oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy --version 0.1.0 +``` + +### Install the Chart + +Basic installation with minimal configuration: + +```bash +helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy \ + --set config.upstreamUrl=https://your-stac-api.com/stac \ + --set config.oidc.discoveryUrl=https://your-auth-server/.well-known/openid-configuration \ + --set ingress.host=stac-proxy.your-domain.com +``` + +### Using a Values File + +Create a `values.yaml` file: + +```yaml +config: + upstreamUrl: "https://your-stac-api.com/stac" + oidc: + discoveryUrl: "https://your-auth-server/.well-known/openid-configuration" + discoveryInternalUrl: "http://auth-server-internal/.well-known/openid-configuration" + defaultPublic: false + healthzPrefix: "/healthz" + +ingress: + enabled: true + host: "stac-proxy.your-domain.com" + tls: + enabled: true + +resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 200m + memory: 256Mi +``` + +Install using the values file: + +```bash +helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy -f values.yaml +``` + +## Configuration + +### Required Values + +| Parameter | Description | +|-----------|-------------| +| `config.upstreamUrl` | URL of the STAC API to proxy | +| `config.oidc.discoveryUrl` | OpenID Connect discovery document URL | + +### Optional Values + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `config.waitForUpstream` | Wait for upstream API to become available | `true` | +| 
`config.healthzPrefix` | Path prefix for health check endpoints | `/healthz` | +| `config.defaultPublic` | Default access policy for endpoints | `false` | +| `config.oidc.discoveryInternalUrl` | Internal network OIDC discovery URL | `""` | +| `ingress.enabled` | Enable ingress | `true` | +| `ingress.className` | Ingress class name | `nginx` | +| `ingress.host` | Hostname for the ingress | `""` | +| `ingress.tls.enabled` | Enable TLS for ingress | `true` | +| `replicaCount` | Number of replicas | `1` | + +For a complete list of values, see the [values.yaml](./values.yaml) file. + +## Upgrading + +To upgrade the release: + +```bash +helm upgrade stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy -f values.yaml +``` + +## Uninstalling + +To uninstall/delete the deployment: + +```bash +helm uninstall stac-auth-proxy +``` + +## Development + +To test the chart locally: + +```bash +helm install stac-auth-proxy ./helm --dry-run --debug +``` + +## Support + +For support, please open an issue in the [STAC Auth Proxy repository](https://github.com/developmentseed/stac-auth-proxy/issues). \ No newline at end of file From 0abe07ea2c2961f44643413c7053a010f84cd1ef Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Mon, 31 Mar 2025 12:39:08 +0530 Subject: [PATCH 09/14] add and use serviceAccount --- helm/README.md | 13 +++++++++++++ helm/templates/_helpers.tpl | 11 +++++++++++ helm/templates/deployment.yaml | 1 + helm/templates/serviceaccount.yaml | 16 ++++++++++++++++ helm/values.schema.yaml | 25 +++++++++++++++++++++++++ helm/values.yaml | 14 +++++++++++++- 6 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 helm/templates/serviceaccount.yaml diff --git a/helm/README.md b/helm/README.md index 7c0a010..62b1ecf 100644 --- a/helm/README.md +++ b/helm/README.md 
@@ -63,6 +63,19 @@ Install using the values file: helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy -f values.yaml ``` +### Using Image Pull Secrets + +To use private container registries, you can configure image pull secrets: + +```yaml + +serviceAccount: + create: true + imagePullSecrets: + name: "my-registry-secret" +``` + + ## Configuration ### Required Values diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 23a9ecd..fb8160d 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -46,4 +46,15 @@ Selector labels {{- define "stac-auth-proxy.selectorLabels" -}} app.kubernetes.io/name: {{ include "stac-auth-proxy.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "stac-auth-proxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "stac-auth-proxy.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index 07e8da7..54d938d 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml @@ -14,6 +14,7 @@ spec: labels: {{- include "stac-auth-proxy.selectorLabels" . | nindent 8 }} spec: + serviceAccountName: {{ include "stac-auth-proxy.serviceAccountName" . }} securityContext: {{- toYaml .Values.securityContext | nindent 8 }} containers: diff --git a/helm/templates/serviceaccount.yaml b/helm/templates/serviceaccount.yaml new file mode 100644 index 0000000..c76b454 --- /dev/null +++ b/helm/templates/serviceaccount.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "stac-auth-proxy.serviceAccountName" . }} + labels: + {{- include "stac-auth-proxy.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/values.schema.yaml b/helm/values.schema.yaml index ac939b0..6f15449 100644 --- a/helm/values.schema.yaml +++ b/helm/values.schema.yaml @@ -231,5 +231,30 @@ properties: value: type: string + serviceAccount: + type: object + properties: + create: + type: boolean + description: "Specifies whether a service account should be created" + annotations: + type: object + additionalProperties: + type: string + description: "Annotations to add to the service account" + name: + type: string + description: "The name of the service account to use. If not set and create is true, a name is generated" + imagePullSecrets: + type: array + description: "Image pull secrets to add to the service account" + items: + type: object + required: ["name"] + properties: + name: + type: string + description: "Name of the image pull secret" + required: - service \ No newline at end of file diff --git a/helm/values.yaml b/helm/values.yaml index dcfa2f7..6f17ffb 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
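Review bot: `{{- toYaml . | nindent 2 }}` under `imagePullSecrets:` only renders a valid ServiceAccount when the value is a list of `{name: ...}` entries, which is what `values.schema.yaml` and `values.yaml` in this commit declare; the README snippet added in the same commit shows a mapping (`imagePullSecrets:` followed by an indented `name: "my-registry-secret"`), which would render a field the API server rejects. Change the README example to `- name: "my-registry-secret"`. From the deployment hunk visible here nothing attaches pull secrets to the pod spec directly, so it is also worth stating in the schema description that `imagePullSecrets` only takes effect when `create` is true.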
@@ -84,4 +84,16 @@ config: # Additional environment variables extraEnv: [] # - name: CUSTOM_VAR - # value: "custom-value" \ No newline at end of file + # value: "custom-value" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # Image pull secrets to add to the service account + imagePullSecrets: [] + # - name: my-registry-secret \ No newline at end of file From e87d20e77c7d2bb25c27b01d27cb6454dba08160 Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Mon, 14 Apr 2025 12:28:25 +0530 Subject: [PATCH 10/14] switch from nested config in values, to an env key that passes env directly --- helm/README.md | 26 ++++----- helm/templates/deployment.yaml | 51 ++---------------- helm/values.schema.yaml | 99 ++++++++++++---------------------- helm/values.yaml | 68 +++++++++++------------ 4 files changed, 78 insertions(+), 166 deletions(-) diff --git a/helm/README.md b/helm/README.md index 62b1ecf..80c0eab 100644 --- a/helm/README.md +++ b/helm/README.md @@ -24,8 +24,8 @@ Basic installation with minimal configuration: ```bash helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy \ - --set config.upstreamUrl=https://your-stac-api.com/stac \ - --set config.oidc.discoveryUrl=https://your-auth-server/.well-known/openid-configuration \ + --set env.UPSTREAM_URL=https://your-stac-api.com/stac \ + --set env.OIDC_DISCOVERY_URL=https://your-auth-server/.well-known/openid-configuration \ --set ingress.host=stac-proxy.your-domain.com ``` 
@@ -34,13 +34,12 @@ helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/chart Create a `values.yaml` file: ```yaml -config: - upstreamUrl: "https://your-stac-api.com/stac" - oidc: - discoveryUrl: "https://your-auth-server/.well-known/openid-configuration" - discoveryInternalUrl: "http://auth-server-internal/.well-known/openid-configuration" - defaultPublic: false - healthzPrefix: "/healthz" +env: + UPSTREAM_URL: "https://your-stac-api.com/stac" + OIDC_DISCOVERY_URL: "https://your-auth-server/.well-known/openid-configuration" + OIDC_DISCOVERY_INTERNAL_URL: "http://auth-server-internal/.well-known/openid-configuration" + DEFAULT_PUBLIC: "false" + HEALTHZ_PREFIX: "/healthz" ingress: enabled: true @@ -82,17 +81,14 @@ serviceAccount: | Parameter | Description | |-----------|-------------| -| `config.upstreamUrl` | URL of the STAC API to proxy | -| `config.oidc.discoveryUrl` | OpenID Connect discovery document URL | +| `env.UPSTREAM_URL` | URL of the STAC API to proxy | +| `env.OIDC_DISCOVERY_URL` | OpenID Connect discovery document URL | ### Optional Values | Parameter | Description | Default | |-----------|-------------|---------| -| `config.waitForUpstream` | Wait for upstream API to become available | `true` | -| `config.healthzPrefix` | Path prefix for health check endpoints | `/healthz` | -| `config.defaultPublic` | Default access policy for endpoints | `false` | -| `config.oidc.discoveryInternalUrl` | Internal network OIDC discovery URL | `""` | +| `env` | Environment variables passed to the container. See [STAC Auth Proxy documentation](https://github.com/developmentseed/stac-auth-proxy#configuration) for details | `{}` | | `ingress.enabled` | Enable ingress | `true` | | `ingress.className` | Ingress class name | `nginx` | | `ingress.host` | Hostname for the ingress | `""` | diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index 54d938d..365b412 100644 --- a/helm/templates/deployment.yaml 
+++ b/helm/templates/deployment.yaml @@ -30,54 +30,11 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} env: - - name: UPSTREAM_URL - value: {{ required "A valid upstream URL is required" .Values.config.upstreamUrl | quote }} - - name: OIDC_DISCOVERY_URL - value: {{ required "An OIDC discovery URL is required" .Values.config.oidc.discoveryUrl | quote }} - - # Optional OIDC internal URL - {{- if .Values.config.oidc.discoveryInternalUrl }} - - name: OIDC_DISCOVERY_INTERNAL_URL - value: {{ .Values.config.oidc.discoveryInternalUrl | quote }} - {{- end }} - - # Core configuration - - name: WAIT_FOR_UPSTREAM - value: {{ .Values.config.waitForUpstream | quote }} - - name: HEALTHZ_PREFIX - value: {{ .Values.config.healthzPrefix | quote }} - - # Access control configuration - - name: DEFAULT_PUBLIC - value: {{ .Values.config.defaultPublic | quote }} - {{- if .Values.config.privateEndpoints }} - - name: PRIVATE_ENDPOINTS - value: {{ .Values.config.privateEndpoints | toJson | quote }} - {{- end }} - {{- if .Values.config.publicEndpoints }} - - name: PUBLIC_ENDPOINTS - value: {{ .Values.config.publicEndpoints | toJson | quote }} - {{- end }} - - # OpenAPI configuration - {{- if .Values.config.openapiSpecEndpoint }} - - name: OPENAPI_SPEC_ENDPOINT - value: {{ .Values.config.openapiSpecEndpoint | quote }} - {{- end }} - - # Filtering configuration - {{- if .Values.config.itemsFilter.class }} - - name: ITEMS_FILTER_CLS - value: {{ .Values.config.itemsFilter.class | quote }} - - name: ITEMS_FILTER_ARGS - value: {{ .Values.config.itemsFilter.args | toJson | quote }} - - name: ITEMS_FILTER_KWARGS - value: {{ .Values.config.itemsFilter.kwargs | toJson | quote }} - {{- end }} - - {{- with .Values.config.extraEnv }} - {{- toYaml . | nindent 12 }} + {{- range $key, $value := .Values.env }} + - name: {{ $key }} + value: {{ $value | toJson | quote }} {{- end }} + {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
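Review bot: The rewritten `env:` loop drops the `required` guards that previously aborted rendering when the upstream or discovery URL was unset; with the `""` defaults in values.yaml the chart now installs a proxy pointed at an empty upstream and an empty OIDC discovery URL, and the schema's `required` list only checks that the keys exist. Restore a fail-fast check before the loop, e.g. `{{- $_ := required "env.UPSTREAM_URL is required" .Values.env.UPSTREAM_URL }}` and the same for `OIDC_DISCOVERY_URL`. Separately, `{{ $value | toJson | quote }}` double-encodes plain strings (a URL becomes `"\"https://...\""`, so the process receives literal quote characters) and renders a `null` value as the string `"null"`; patch 13 in this series replaces the expression with a type-aware helper, but that helper still does not cover the `null` case. The enclosing container spec starts outside the hunk.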
diff --git a/helm/values.schema.yaml b/helm/values.schema.yaml index 6f15449..973e0a9 100644 --- a/helm/values.schema.yaml +++ b/helm/values.schema.yaml 
@@ -148,88 +148,55 @@ properties: additionalProperties: true description: "Pod affinity rules" - config: + env: type: object - required: ["upstreamUrl", "oidc"] + required: ["UPSTREAM_URL", "OIDC_DISCOVERY_URL"] properties: - upstreamUrl: + UPSTREAM_URL: type: string format: uri description: "STAC API URL" - waitForUpstream: + OIDC_DISCOVERY_URL: + type: string + format: uri + description: "OpenID Connect discovery document URL" + OIDC_DISCOVERY_INTERNAL_URL: + type: string + format: uri + description: "Internal network OpenID Connect discovery document URL" + WAIT_FOR_UPSTREAM: type: boolean description: "Wait for upstream API to become available" default: true - healthzPrefix: + HEALTHZ_PREFIX: type: string description: "Path prefix for health check endpoints" default: "/healthz" - - oidc: - type: object - required: ["discoveryUrl"] - properties: - discoveryUrl: - type: string - format: uri - description: "OpenID Connect discovery document URL" - discoveryInternalUrl: - type: string - format: uri - description: "Internal network OpenID Connect discovery document URL" - - defaultPublic: + DEFAULT_PUBLIC: type: boolean description: "Default access policy for endpoints" default: false - - privateEndpoints: - type: object - additionalProperties: - type: array - items: - type: string - description: "Endpoints requiring authentication" - - publicEndpoints: - type: object - additionalProperties: - type: array - items: - type: string - description: "Public endpoints when defaultPublic is false" - - openapiSpecEndpoint: + PRIVATE_ENDPOINTS: + type: string + description: "JSON string of endpoints requiring authentication" + PUBLIC_ENDPOINTS: + type: string + description: "JSON string of public endpoints when DEFAULT_PUBLIC is false" + OPENAPI_SPEC_ENDPOINT: type: ["string", "null"] description: "Path of OpenAPI specification" - - itemsFilter: - type: object - properties: - class: - type: ["string", "null"] - description: "CQL2 expression generator class" - args: - type: 
array - description: "Positional arguments for filter class" - items: - type: string - kwargs: - type: object - description: "Keyword arguments for filter class" - additionalProperties: true - - extraEnv: - type: array - description: "Additional environment variables" - items: - type: object - required: ["name", "value"] - properties: - name: - type: string - value: - type: string + ITEMS_FILTER_CLS: + type: ["string", "null"] + description: "CQL2 expression generator class" + ITEMS_FILTER_ARGS: + type: string + description: "JSON string of positional arguments for filter class" + default: "[]" + ITEMS_FILTER_KWARGS: + type: string + description: "JSON string of keyword arguments for filter class" + default: "{}" + serviceAccount: type: object diff --git a/helm/values.yaml b/helm/values.yaml index 6f17ffb..49274df 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
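Review bot: As far as I know Helm only loads a chart schema from `values.schema.json`, so the `required: ["UPSTREAM_URL", "OIDC_DISCOVERY_URL"]` list and the type constraints added here are not enforced at `helm install`/`helm upgrade` time unless a build step converts `values.schema.yaml` to JSON, and no such step is visible in this series. Either rename/convert the file or treat it as documentation and keep validation in the templates. Even once applied, `required` only checks key presence, so the `""` defaults in values.yaml would pass; add `minLength: 1` (or a URL `pattern`) to `UPSTREAM_URL` and `OIDC_DISCOVERY_URL` to reject an unset value. The `env:` object is complete within the hunk, but the enclosing `properties:` mapping begins outside it.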
@@ -46,45 +46,37 @@ nodeSelector: {} tolerations: [] affinity: {} -# Application configuration -config: - # Core Configuration - upstreamUrl: "" # Required: STAC API URL - waitForUpstream: true # Optional: wait for upstream API - healthzPrefix: "/healthz" # Optional: health check prefix - - # Authentication Configuration - oidc: - discoveryUrl: "" # Required: OpenID Connect discovery URL - discoveryInternalUrl: "" # Optional: internal network OIDC URL - - # Access Control - defaultPublic: false # Optional: default access policy - privateEndpoints: # Optional: endpoints requiring auth - "^/collections$": ["POST"] - "^/collections/([^/]+)$": ["PUT", "PATCH", "DELETE"] - "^/collections/([^/]+)/items$": ["POST"] - "^/collections/([^/]+)/items/([^/]+)$": ["PUT", "PATCH", "DELETE"] - "^/collections/([^/]+)/bulk_items$": ["POST"] - publicEndpoints: # Optional: public endpoints - "^/api.html$": ["GET"] - "^/api$": ["GET"] - "^/docs/oauth2-redirect": ["GET"] - "^/healthz": ["GET"] - - # OpenAPI Configuration - openapiSpecEndpoint: null # Optional: OpenAPI spec path - - # Filtering Configuration - itemsFilter: - class: null # Optional: CQL2 expression generator class - args: [] # Optional: positional arguments - kwargs: {} # Optional: keyword arguments +# Environment variables for the application +env: + # Required configuration + UPSTREAM_URL: "" # STAC API URL + OIDC_DISCOVERY_URL: "" # OpenID Connect discovery URL + + # Optional configuration + WAIT_FOR_UPSTREAM: true + HEALTHZ_PREFIX: "/healthz" + OIDC_DISCOVERY_INTERNAL_URL: "" + DEFAULT_PUBLIC: false + PRIVATE_ENDPOINTS: | + { + "^/collections$": ["POST"], + "^/collections/([^/]+)$": ["PUT", "PATCH", "DELETE"], + "^/collections/([^/]+)/items$": ["POST"], + "^/collections/([^/]+)/items/([^/]+)$": ["PUT", "PATCH", "DELETE"], + "^/collections/([^/]+)/bulk_items$": ["POST"] + } + PUBLIC_ENDPOINTS: | + { + "^/api.html$": ["GET"], + "^/api$": ["GET"], + "^/docs/oauth2-redirect": ["GET"], + "^/healthz": ["GET"] + } + 
OPENAPI_SPEC_ENDPOINT: null + ITEMS_FILTER_CLS: null + ITEMS_FILTER_ARGS: "[]" + ITEMS_FILTER_KWARGS: "{}" - # Additional environment variables - extraEnv: [] - # - name: CUSTOM_VAR - # value: "custom-value" serviceAccount: # Specifies whether a service account should be created From ee1b9afa362be271b64d18c81a5aa04f363d9b56 Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Mon, 14 Apr 2025 12:32:15 +0530 Subject: [PATCH 11/14] update NOTES.txt with new values schema (config -> env) --- helm/templates/NOTES.txt | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index 5fabf22..029c0c9 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt @@ -32,10 +32,10 @@ Your STAC Auth Proxy has been deployed with the following configuration: {{- end }} 2. Configuration Details: - - Upstream STAC API: {{ .Values.config.upstreamUrl }} - - OIDC Discovery URL: {{ .Values.config.oidc.discoveryUrl }} - - Health Check Endpoint: {{ .Values.config.healthzPrefix }} - - Default Public Access: {{ .Values.config.defaultPublic }} + - Upstream STAC API: {{ .Values.env.UPSTREAM_URL }} + - OIDC Discovery URL: {{ .Values.env.OIDC_DISCOVERY_URL }} + - Health Check Endpoint: {{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }} + - Default Public Access: {{ .Values.env.DEFAULT_PUBLIC | default "false" }} 3. Verify the deployment: kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "stac-auth-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" 
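Review bot: `OPENAPI_SPEC_ENDPOINT: null` and `ITEMS_FILTER_CLS: null` are rendered by the deployment's `{{ $value | toJson | quote }}` loop as the literal string `"null"`, so the container receives `OPENAPI_SPEC_ENDPOINT=null` instead of an unset variable; patch 14 in this series deletes these entries for exactly that reason. Likewise `OIDC_DISCOVERY_INTERNAL_URL: ""` is now always exported as an empty string where the old template only emitted it when non-empty, which is a behaviour change if the application treats an empty value as configured. A safer default is to leave optional keys out of values.yaml and document them as comments, e.g. `# OIDC_DISCOVERY_INTERNAL_URL: ""`, so only keys the operator sets reach the pod.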
@@ -47,25 +47,25 @@ Your STAC Auth Proxy has been deployed with the following configuration: {{- if .Values.ingress.enabled }} {{- if .Values.ingress.host }} {{- if .Values.ingress.tls.enabled }} - curl https://{{ .Values.ingress.host }}{{ .Values.config.healthzPrefix }} + curl https://{{ .Values.ingress.host }}{{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }} {{- else }} - curl http://{{ .Values.ingress.host }}{{ .Values.config.healthzPrefix }} + curl http://{{ .Values.ingress.host }}{{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }} {{- end }} {{- end }} {{- else }} kubectl port-forward --namespace {{ .Release.Namespace }} service/{{ include "stac-auth-proxy.fullname" . }} 8000:{{ .Values.service.port }} - curl http://localhost:8000{{ .Values.config.healthzPrefix }} + curl http://localhost:8000{{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }} {{- end }} For more information about STAC Auth Proxy, please visit: https://github.com/developmentseed/stac-auth-proxy -{{- if or (not .Values.config.upstreamUrl) (not .Values.config.oidc.discoveryUrl) }} +{{- if or (not .Values.env.UPSTREAM_URL) (not .Values.env.OIDC_DISCOVERY_URL) }} WARNING: Some required configuration values are not set. Please ensure you have configured: -{{- if not .Values.config.upstreamUrl }} - - config.upstreamUrl +{{- if not .Values.env.UPSTREAM_URL }} + - env.UPSTREAM_URL {{- end }} -{{- if not .Values.config.oidc.discoveryUrl }} - - config.oidc.discoveryUrl +{{- if not .Values.env.OIDC_DISCOVERY_URL }} + - env.OIDC_DISCOVERY_URL {{- end }} {{- end }} \ No newline at end of file From c10ea5a754b73e08a58814c5751fae5feb8e20c0 Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 17 Apr 2025 12:36:28 +0530 Subject: [PATCH 12/14] improve schema validation --- helm/values.schema.yaml | 131 +++++++++++++++++++++++++--------------- 1 file changed, 81 insertions(+), 50 deletions(-) diff --git a/helm/values.schema.yaml b/helm/values.schema.yaml index 973e0a9..308bbdc 100644 
--- a/helm/values.schema.yaml +++ b/helm/values.schema.yaml 
@@ -22,6 +22,87 @@ properties: description: "Docker image tag" default: "latest" + env: + type: object + properties: + # Core + UPSTREAM_URL: + type: string + pattern: "^https?://.+" + description: "URL of the STAC API to proxy" + WAIT_FOR_UPSTREAM: + type: ["boolean", "string"] + description: "Wait for upstream API to become available before starting proxy" + default: "true" + CHECK_CONFORMANCE: + type: ["boolean", "string"] + description: "Ensure upstream API conforms to required conformance classes before starting proxy" + default: "true" + ENABLE_COMPRESSION: + type: ["boolean", "string"] + description: "Enable response compression" + default: "true" + HEALTHZ_PREFIX: + type: string + description: "Path prefix for health check endpoints" + default: "/healthz" + OVERRIDE_HOST: + type: ["boolean", "string"] + description: "Override the host header for the upstream API" + default: "true" + ROOT_PATH: + type: string + description: "Path prefix for the proxy API" + default: "" + # Authentication + OIDC_DISCOVERY_URL: + type: string + pattern: "^https?://.+" + description: "OpenID Connect discovery document URL" + OIDC_DISCOVERY_INTERNAL_URL: + type: string + pattern: "^https?://.+" + description: "Internal network OpenID Connect discovery document URL" + DEFAULT_PUBLIC: + type: ["boolean", "string"] + description: "Default access policy for endpoints" + default: "false" + PRIVATE_ENDPOINTS: + type: ["object", "string"] + description: "Endpoints explicitly marked as requiring authentication and possibly scopes" + PUBLIC_ENDPOINTS: + type: ["object", "string"] + description: "Endpoints explicitly marked as not requiring authentication" + ENABLE_AUTHENTICATION_EXTENSION: + type: ["boolean", "string"] + description: "Enable authentication extension in STAC API responses" + default: "true" + # OpenAPI + OPENAPI_SPEC_ENDPOINT: + type: ["string", "null"] + description: "Path of OpenAPI specification" + default: "/api" + OPENAPI_AUTH_SCHEME_NAME: + type: string + 
description: "Name of the auth scheme to use in the OpenAPI spec" + default: "oidcAuth" + OPENAPI_AUTH_SCHEME_OVERRIDE: + type: ["object", "string", "null"] + description: "Override for the auth scheme in the OpenAPI spec" + # Filtering + ITEMS_FILTER_CLS: + type: ["string", "null"] + description: "CQL2 expression generator for item-level filtering" + ITEMS_FILTER_ARGS: + type: ["array", "string"] + description: "Positional arguments for CQL2 expression generator" + ITEMS_FILTER_KWARGS: + type: ["object", "string"] + description: "Keyword arguments for CQL2 expression generator" + required: + - UPSTREAM_URL + - OIDC_DISCOVERY_URL + service: type: object required: ["type", "port"] 
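Review bot: `OIDC_DISCOVERY_URL` is validated with `pattern: "^https?://.+"`, which accepts a cleartext `http://` discovery endpoint; the discovery document and the JWKS it points to are the trust root for every token the proxy accepts, so fetching them without TLS leaves the signing keys open to tampering in transit. Consider `pattern: "^https://.+"` for `OIDC_DISCOVERY_URL` (and for `UPSTREAM_URL` when it leaves the cluster), while keeping `OIDC_DISCOVERY_INTERNAL_URL` permissive for in-cluster traffic. The `["boolean", "string"]` unions also accept any string, so a typo such as `"ture"` passes validation; an `enum` listing the spellings the application actually accepts would catch it. The `env:` object closes at its `required:` list inside this hunk, but the surrounding `properties:` mapping starts outside it.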
@@ -148,56 +229,6 @@ properties: additionalProperties: true description: "Pod affinity rules" - env: - type: object - required: ["UPSTREAM_URL", "OIDC_DISCOVERY_URL"] - properties: - UPSTREAM_URL: - type: string - format: uri - description: "STAC API URL" - OIDC_DISCOVERY_URL: - type: string - format: uri - description: "OpenID Connect discovery document URL" - OIDC_DISCOVERY_INTERNAL_URL: - type: string - format: uri - description: "Internal network OpenID Connect discovery document URL" - WAIT_FOR_UPSTREAM: - type: boolean - description: "Wait for upstream API to become available" - default: true - HEALTHZ_PREFIX: - type: string - description: "Path prefix for health check endpoints" - default: "/healthz" - DEFAULT_PUBLIC: - type: boolean - description: "Default access policy for endpoints" - default: false - PRIVATE_ENDPOINTS: - type: string - description: "JSON string of endpoints requiring authentication" - PUBLIC_ENDPOINTS: - type: string - description: "JSON string of public endpoints when DEFAULT_PUBLIC is false" - OPENAPI_SPEC_ENDPOINT: - type: ["string", "null"] - description: "Path of OpenAPI specification" - ITEMS_FILTER_CLS: - type: ["string", "null"] - description: "CQL2 expression generator class" - ITEMS_FILTER_ARGS: - type: string - description: "JSON string of positional arguments for filter class" - default: "[]" - ITEMS_FILTER_KWARGS: - type: string - description: "JSON string of keyword arguments for filter class" - default: "{}" - - serviceAccount: type: object properties: From d8f1c75addabcfe139b57eebb043a2f82c52124c Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Thu, 17 Apr 2025 12:44:06 +0530 Subject: [PATCH 13/14] use either toJson or quote on env vars based on type --- helm/templates/_helpers.tpl | 13 ++++++++++++- helm/templates/deployment.yaml | 4 ++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index fb8160d..8bab877 100644 
--- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -57,4 +57,15 @@ Create the name of the service account to use {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + +{{/* +Render env var value based on type +*/}} +{{- define "stac-auth-proxy.envValue" -}} +{{- if kindIs "string" . -}} + {{- . | quote -}} +{{- else -}} + {{- . | toJson | quote -}} +{{- end -}} +{{- end -}} diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index 365b412..ce3c3f5 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml @@ -32,7 +32,7 @@ spec: env: {{- range $key, $value := .Values.env }} - name: {{ $key }} - value: {{ $value | toJson | quote }} + value: {{ include "stac-auth-proxy.envValue" $value }} {{- end }} {{- with .Values.nodeSelector }} @@ -46,4 +46,4 @@ spec: {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} - {{- end }} \ No newline at end of file + {{- end }} From af974a95ae7745881dc1223dec28c80a79512053 Mon Sep 17 00:00:00 2001 From: Sanjay Bhangar Date: Fri, 18 Apr 2025 13:18:48 +0530 Subject: [PATCH 14/14] remove null entries from values so installation now works with only 2 required values over-ridden --- helm/values.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/helm/values.yaml b/helm/values.yaml index 49274df..76e00d4 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -72,10 +72,7 @@ env: "^/docs/oauth2-redirect": ["GET"], "^/healthz": ["GET"] } - OPENAPI_SPEC_ENDPOINT: null - ITEMS_FILTER_CLS: null - ITEMS_FILTER_ARGS: "[]" - ITEMS_FILTER_KWARGS: "{}" + serviceAccount:
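Review bot: `stac-auth-proxy.envValue` still turns a nil value into the string `"null"`, because `kindIs "string"` is false for nil and the else branch runs `toJson`; any `env` key set to `null` (as values.yaml did until patch 14) is therefore exported as the literal text `null` rather than left unset. Sprig reports a nil value's kind as `invalid`, so the `range` in deployment.yaml (second hunk on this line) can skip such keys by wrapping the two emitted lines: `{{- if not (kindIs "invalid" $value) }}` before `- name: {{ $key }}` and `{{- end }}` after the `value:` line. That keeps the fix in one place and makes the helper's contract (string → quoted as-is, anything else → JSON) hold for every value that is actually emitted.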