[krakend] Nginx with oauth2-proxy redirect (#417)

Co-authored-by: Jozef Volak <[email protected]>
FRINXio · Sep 2, 2024 · 76f4e26 · 76f4e26
1 parent 354bcae
commit 76f4e26
Show file tree

Hide file tree

Showing 23 changed files with 856 additions and 248 deletions.
diff --git a/charts/krakend/Chart.yaml b/charts/krakend/Chart.yaml
@@ -3,8 +3,13 @@ name: krakend
 description: FRINX KrakenD API Gateway for FRINX-machine
 icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
 type: application
-version: 4.1.0
+version: 5.0.0
 appVersion: "6.1.1"
+dependencies:
+  - condition: nginx.enabled
+    name: nginx
+    repository: https://charts.bitnami.com/bitnami
+    version: 18.x.x
 maintainers:
   - name: FRINX
     email: [email protected]
@@ -16,8 +21,13 @@ annotations:
     - name: nginx
       image: nginx:1.27-alpine
   artifacthub.io/changes: |
+    - kind: changed
+      description: Nginx as a separate pod
+      links:
+        - name: GitHub PR
+          url: https://github.com/FRINXio/helm-charts/pull/417
     - kind: added
-      description: Added servicemonitors and monitoring configuration
+      description: Add rate limits for services
       links:
         - name: GitHub PR
-          url: https://github.com/FRINXio/helm-charts/pull/397
+          url: https://github.com/FRINXio/helm-charts/pull/417
diff --git a/charts/krakend/README.md b/charts/krakend/README.md
@@ -2,7 +2,7 @@
 
 FRINX KrakenD API Gateway for FRINX-machine
 
-![Version: 4.1.0](https://img.shields.io/badge/Version-4.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.1.1](https://img.shields.io/badge/AppVersion-6.1.1-informational?style=flat-square)
+![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.1.1](https://img.shields.io/badge/AppVersion-6.1.1-informational?style=flat-square)
 
 ## Get Repo Info
 
@@ -29,15 +29,24 @@ helm upgrade [RELEASE_NAME] frinx/krakend
 helm uninstall [RELEASE_NAME]
 ```
 
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.bitnami.com/bitnami | nginx | 18.x.x |
+
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | [Affinity for pod assignment](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
 | autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | [Autoscaling parameters](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) |
 | containerSecurityContext | object | `{"capabilities":{"drop":["ALL"]}}` | Security context for KrakenD container |
-| debug | object | `{"enabled":false,"x_forwarded_groups":"network-admin","x_forwarded_roles":"owner","x_forwarded_user":"frinx-admin-user"}` | Simulate USER credentials |
-| env | object | `{"ALLOWED_HOSTS":null,"ALLOWED_ORIGINS":null,"DEFAULT_TIMEOUT":"2m","DEVICE_TOPOLOGY_ENABLED":true,"HTTPS_PROXY":null,"HTTP_PROXY":null,"INVENTORY_ENABLED":true,"KRAKEND_TLS_PROTOCOL":"http","L3VPN_ENABLED":false,"LOG_LEVEL":"INFO","NO_PROXY":null,"OAUTH2_KRAKEND_PLUGIN_FROM_MAP":"X-Forwarded-User","OAUTH2_KRAKEND_PLUGIN_TENANT_ID":"frinx","OAUTH2_KRAKEND_PLUGIN_USER_GROUPS_MAP":"X-Forwarded-Groups","OAUTH2_KRAKEND_PLUGIN_USER_ROLES_MAP":"X-Forwarded-Roles","PERFORMANCE_MONITOR_ENABLED":true,"PROXY_ENABLED":false,"RESOURCE_MANAGER_ENABLED":true,"TLS_DISABLED":true,"UNICONFIG_ENABLED":true,"UNICONFIG_PROTOCOL":"http","UNICONFIG_TIMEOUT":"2m","UNICONFIG_ZONES_LIST":"uniconfig","WORKFLOW_MANAGER_ENABLED":true}` | Application environment variables |
+| debug.enabled | bool | `false` | Simulate USER RBAC headers Used when deployment is without identity provider |
+| debug.x_forwarded_groups | string | `"network-admin"` | User groups |
+| debug.x_forwarded_roles | string | `"owner"` | User roles |
+| debug.x_forwarded_user | string | `"frinx-admin-user"` | User name |
+| env | object | `{"ALLOWED_HOSTS":null,"ALLOWED_ORIGINS":null,"DEFAULT_TIMEOUT":"2m","DEVICE_TOPOLOGY_ENABLED":true,"HTTPS_PROXY":null,"HTTP_PROXY":null,"INVENTORY_ENABLED":true,"KRAKEND_TLS_PROTOCOL":"http","L3VPN_ENABLED":false,"LOG_LEVEL":"INFO","NO_PROXY":null,"OAUTH2_KRAKEND_PLUGIN_FROM_MAP":"X-Forwarded-User","OAUTH2_KRAKEND_PLUGIN_TENANT_ID":"frinx","OAUTH2_KRAKEND_PLUGIN_USER_GROUPS_MAP":"X-Forwarded-Groups","OAUTH2_KRAKEND_PLUGIN_USER_ROLES_MAP":"X-Forwarded-Roles","PERFORMANCE_MONITOR_ENABLED":true,"PROXY_ENABLED":false,"RESOURCE_MANAGER_ENABLED":true,"TLS_DISABLED":true,"UNICONFIG_ENABLED":true,"UNICONFIG_PROTOCOL":"http","UNICONFIG_TIMEOUT":"12h","UNICONFIG_ZONES_LIST":"uniconfig","WORKFLOW_MANAGER_ENABLED":true}` | Application environment variables |
 | extraEnv | list | `[]` | Additional KrakenD environment variables |
 | fullnameOverride | string | `""` | String to partially override app name |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
@@ -50,26 +59,41 @@ helm uninstall [RELEASE_NAME]
 | ingress.hosts | list | `[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]` | [Ingress Host](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) |
 | ingress.labels | object | `{}` | Additional labels for the Ingress resource |
 | ingress.tls | list | `[]` |  |
-| monitoring | object | `{"enabled":false,"port":9091,"targertPort":9091}` | Monitoring configuration |
+| monitoring | object | `{"enabled":false,"port":9091,"targetPort":9091}` | Monitoring configuration |
 | nameOverride | string | `""` | String to partially override app name |
-| nginx.server | string | `"client_body_buffer_size \"8k\";\nclient_header_buffer_size \"1k\";\nproxy_headers_hash_max_size 2048;\nproxy_headers_hash_bucket_size 128;\nproxy_connect_timeout \"3600\";\nproxy_read_timeout \"3600\";\nproxy_send_timeout \"3600\";\n"` | Nginx server configuration |
-| nginxContainerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsNonRoot":true,"runAsUser":101}` | Security context for NginX container |
+| nginx.enabled | bool | `false` |  |
+| nginx.existingServerBlockConfigmap | existingServerBlockConfigmap ConfigMap with custom server block to be added to NGINX configuration | `"krakend-nginx-config"` | [https://artifacthub.io/packages/helm/bitnami/nginx?modal=values&path=existingServerBlockConfigmap] |
+| nginx.ingress | object | `{"annotations":{"nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/proxy-connect-timeout":"12h","nginx.ingress.kubernetes.io/proxy-read-timeout":"12h","nginx.ingress.kubernetes.io/proxy-send-timeout":"12h"},"enabled":false}` | Configure the [Nginx Ingress resource](https://artifacthub.io/packages/helm/bitnami/nginx?modal=values&path=ingress) |
+| nginx.rateLimits.dryRun | bool | `false` | [limit_req_dry_run](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_dry_run) |
+| nginx.rateLimits.statusCode | int | `429` | [limit_req_status](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status) |
+| nginx.rateLimits.zoneRate | object | `{"api":"100r/s","auth":"20r/s","ws":"10r/s"}` | [limit_req_zone](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone) |
+| nginx.server | string | `"client_body_buffer_size \"8k\";\nclient_header_buffer_size \"1k\";\nproxy_headers_hash_max_size 2048;\nproxy_headers_hash_bucket_size 128;\nproxy_connect_timeout \"12h\";\nproxy_read_timeout \"12h\";\nproxy_send_timeout \"12h\";\n"` |  |
 | nodeSelector | object | `{}` | [Node labels for pod assignment](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | podAnnotations | object | `{}` | Pod annotations |
 | podSecurityContext | object | `{}` | Configure [Pods Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
-| proxyImage.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
-| proxyImage.repository | string | `"nginx"` | nginx image repository |
-| proxyImage.tag | string | `"1.27-alpine"` | Overrides the image tag. |
+| rateLimits.frinxFrontend | object | `{"proxy":{"capacity":10,"enabled":true,"every":"1s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"1s","maxRate":10}}` | Rate limits for frinx-frontend |
+| rateLimits.frinxFrontendProxy | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for frinx-frontend-proxy |
+| rateLimits.inventory | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for inventory |
+| rateLimits.performanceMonitor | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for performance-monitor |
+| rateLimits.resourceManager | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for resource-manager |
+| rateLimits.schellar | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for schellar |
+| rateLimits.swagger | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for swagger |
+| rateLimits.topologDiscovery | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for topology-discovery |
+| rateLimits.uniconfig | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for uniconfig |
+| rateLimits.unistore | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for unistore |
+| rateLimits.workflowManager | object | `{"proxy":{"capacity":10,"enabled":true,"every":"10s","maxRate":30},"router":{"clientCapacity":30,"enabled":true,"every":"10s","maxRate":10}}` | Rate limits for workflow-manager |
 | rbac | object | `{"ADMIN_ACCESS_ROLE":"network-admin","INVENTORY_ADMIN_GROUP":"network-admin","UNICONFIG_CONTROLLER_ADMIN_GROUP":"network-admin","UNISTORE_BEARER_NODE":"bearer","UNISTORE_BEARER_ROLE":"","UNISTORE_CONTROLLER_ADMIN_GROUP":"network-admin","UNISTORE_NETWORK_NODE":"network","UNISTORE_NETWORK_ROLE":"","UNISTORE_OTHER_PERMITTED_ROLES":"","UNISTORE_SERVICE_NODE":"service","UNISTORE_SERVICE_ROLE":"","X_AUTH_USER_GROUP":"network-admin"}` | RBAC configuration |
 | replicaCount | int | `1` | Number of replicas of the deployment. |
-| resources | object | `{}` | [Container resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) |
-| service.nodePort | int | `30000` | Node port |
-| service.port | int | `8080` | SideCar proxy (nginx reverse proxy for http/ws protocols) |
-| service.targetPort | int | `8080` | Target port |
-| service.type | string | `"ClusterIP"` | Service type |
+| resources | object | `{}` | [KrakenD Container resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) |
+| service.nodePort | int | `30000` | Node port for HTTP |
+| service.port | int | `8080` | KrakenD HTTP |
+| service.targetPort | int | `8080` | Target port for HTTP |
+| service.type | string | `"ClusterIP"` | Service type for HTTP and Websocket |
+| service.wsNodePort | int | `30001` | Node port for Websocket |
+| service.wsPort | int | `8001` | KrakenD Websocket |
+| service.wsTargetPort | int | `8001` | Target port for Websocket |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | tolerations | list | `[]` | [Tolerations for pod assignment](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) |
-| volumes.azureFile | object | `{"enabled":false,"storage":{"accessKey":null,"accountName":null}}` | AzureFile volume |
 
diff --git a/charts/krakend/config/krakend.json b/charts/krakend/config/krakend.json
@@ -1,7 +1,7 @@
 {
   "version": 3,
   "name": "krakend for FM",
-  "port": 8000,
+  "port": {{ env "KRAKEND_PORT" }},
   "cache_ttl": "3600s",
   "tls": {
     "public_key": "/usr/local/share/ca-certificates/frinx_krakend_tls_cert.pem",
@@ -14,7 +14,7 @@
   "timeout": "{{ env "DEFAULT_TIMEOUT" }}",
   "extra_config": {
     "contribute/websocketproxy": {
-      "port": "8001",
+      "port": {{ env "WS_PORT" | quote }},
       "websockets": [
         {
           "endpoint": "/api/proxy",
@@ -29,7 +29,7 @@
             "prometheus": [
                 {
                     "name": "local_prometheus",
-                    "port": 9091,
+                    "port": {{ env "PROMETHEUS_PORT" }},
                     "process_metrics": true,
                     "go_metrics": true
                 }

diff --git a/charts/krakend/config/templates/frinx_frontend.tmpl b/charts/krakend/config/templates/frinx_frontend.tmpl
@@ -7,12 +7,36 @@
     "output_encoding": "no-op",
     "input_headers": ["*"],
 
+    "extra_config": {
+    {{ $rate_enabled := env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_ENABLED" }}
+    {{- if eq $rate_enabled "true" }}
+        "qos/ratelimit/router": {
+            "client_capacity": {{ env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_CLIENTCAPACITY" }},
+            "client_max_rate": {{ env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_MAXRATE" }},
+            "every": {{ env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_EVERY" | quote }},
+            "strategy": "ip"
+        }
+    {{- end }}
+    },
+
     "backend": [
     {
         "url_pattern": "{{range $index_for_uri, $not_used_element2 := $.range -}} {{- if lt $index_for_uri $index_in_range -}} /{{"{"}}n_{{$index_for_uri}}{{"}" -}} {{end}}{{end}}",
         "encoding": "no-op",
         "sd": "static",
         "disable_host_sanitize": false,
+
+        "extra_config": {
+            {{ $rate_enabled := env "RATE_LIMIT_FRINX_FRONTEND_PROXY_ENABLED" }}
+            {{- if eq $rate_enabled "true" }}
+            "qos/ratelimit/proxy": {
+                "max_rate": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_MAXRATE" }},
+                "every": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_EVERY" | quote }},
+                "capacity": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_CAPACITY" }}
+            }
+            {{- end }}
+        },
+
         "host": [
             "frinx-frontend:8888"
         ]
@@ -26,12 +50,36 @@
     "output_encoding": "no-op",
     "input_headers": ["*"],
 
+    "extra_config": {
+    {{ $rate_enabled := env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_ENABLED" }}
+    {{- if eq $rate_enabled "true" }}
+        "qos/ratelimit/router": {
+            "client_capacity": {{ env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_CLIENTCAPACITY" }},
+            "client_max_rate": {{ env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_MAXRATE" }},
+            "every": {{ env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_EVERY" | quote }},
+            "strategy": "ip"
+        }
+    {{- end }}
+    },
+
     "backend": [
     {
         "url_pattern": "{{range $index_for_uri, $not_used_element2 := $.range -}} {{- if lt $index_for_uri $index_in_range -}} /{{"{"}}n_{{$index_for_uri}}{{"}" -}} {{end}}{{end}}",
         "encoding": "no-op",
         "sd": "static",
         "disable_host_sanitize": false,
+
+        "extra_config": {
+            {{ $rate_enabled := env "RATE_LIMIT_FRINX_FRONTEND_PROXY_ENABLED" }}
+            {{- if eq $rate_enabled "true" }}
+            "qos/ratelimit/proxy": {
+                "max_rate": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_MAXRATE" }},
+                "every": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_EVERY" | quote }},
+                "capacity": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_CAPACITY" }}
+            }
+            {{- end }}
+        },
+
         "host": [
             "frinx-frontend:8888"
         ]

diff --git a/charts/krakend/config/templates/frinx_frontend_proxy.tmpl b/charts/krakend/config/templates/frinx_frontend_proxy.tmpl
@@ -4,6 +4,18 @@
     "output_encoding": "no-op",
     "input_headers": [ {{ include "allowed_headers.tmpl" }} ],
 
+    "extra_config": {
+    {{ $rate_enabled := env "RATE_LIMIT_FRINX_FRONTEND_PROXY_ROUTER_ENABLED" }}
+    {{- if eq $rate_enabled "true" }}
+        "qos/ratelimit/router": {
+            "client_capacity": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_ROUTER_CLIENTCAPACITY" }},
+            "client_max_rate": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_ROUTER_MAXRATE" }},
+            "every": {{ env "RATE_LIMIT_FRINX_FRONTEND_ROUTER_EVERY" | quote }},
+            "strategy": "ip"
+        }
+    {{- end }}
+    },
+
     "backend": [
         {
             "url_pattern": "/graphql",
@@ -12,6 +24,16 @@
             "disable_host_sanitize": false,
             "extra_config": {
                 {{ include "modifiers.tmpl" }}
+
+                {{ $rate_enabled := env "RATE_LIMIT_FRINX_FRONTEND_PROXY_ENABLED" }}
+                {{- if eq $rate_enabled "true" }}
+                , 
+                "qos/ratelimit/proxy": {
+                    "max_rate": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_PROXY_MAXRATE" }},
+                    "every": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_PROXY_EVERY" | quote }},
+                    "capacity": {{ env "RATE_LIMIT_FRINX_FRONTEND_PROXY_PROXY_CAPACITY" }}
+                }
+                {{- end }}
             },
             "host": [
                 "frinx-frontend:5555"

diff --git a/charts/krakend/config/templates/inventory.tmpl b/charts/krakend/config/templates/inventory.tmpl
@@ -6,17 +6,45 @@
     "output_encoding": "no-op",
     "input_headers": [ {{ include "allowed_headers.tmpl" }} ],
 
-    {{ if .input_query_strings }}
-    "input_query_strings": [ 
-        {{range $query_enabled, $query := .input_query_strings}} {{if gt $query_enabled 0}},{{end}} "{{$query}}" {{ end }} 
-        ],
-    {{end}}
+    {{- if .input_query_strings }}
+    "input_query_strings": [
+        {{- range $query_enabled, $query := .input_query_strings -}}
+        {{- if gt $query_enabled 0 }},{{ end }}
+        "{{ $query }}"
+        {{- end }}
+    ],
+    {{- end }}
+
+    "extra_config": {
+    {{ $rate_enabled := env "RATE_LIMIT_INVENTORY_ROUTER_ENABLED" }}
+    {{- if eq $rate_enabled "true" }}
+        "qos/ratelimit/router": {
+            "client_capacity": {{ env "RATE_LIMIT_INVENTORY_ROUTER_CLIENTCAPACITY" }},
+            "client_max_rate": {{ env "RATE_LIMIT_INVENTORY_ROUTER_MAXRATE" }},
+            "every": {{ env "RATE_LIMIT_INVENTORY_ROUTER_EVERY" | quote }},
+            "strategy": "ip"
+        }
+    {{- end }}
+    },
+
     "backend": [
     {
         "url_pattern": "{{ .url_pattern }}",
         "encoding": "no-op",
         "sd": "static",
         "disable_host_sanitize": false,
+
+        "extra_config": {
+            {{ $rate_enabled := env "RATE_LIMIT_INVENTORY_PROXY_ENABLED" }}
+            {{- if eq $rate_enabled "true" }}
+            "qos/ratelimit/proxy": {
+                "max_rate": {{ env "RATE_LIMIT_INVENTORY_PROXY_MAXRATE" }},
+                "every": {{ env "RATE_LIMIT_INVENTORY_PROXY_EVERY" | quote }},
+                "capacity": {{ env "RATE_LIMIT_INVENTORY_PROXY_CAPACITY" }}
+            }
+            {{- end }}
+        },
+
         "host": [
             "inventory:8000"
         ]