Merge pull request #35 from carverauto/updates/use_gofr_oauth

Updates/use gofr oauth

cmd/jwks-server/Makefile → cmd/auth-server/Makefile

@@ -1,13 +1,13 @@
 # Define variables
-KO_DOCKER_REPO := ghcr.io/carverauto/jwks-server
+KO_DOCKER_REPO := ghcr.io/carverauto/auth-server
 VERSION := v0.0.01
 
 # Default target
 all: build
 
 # Build the binary locally
 build:
-	go build -o jwks-server .
+	go build -o auth-server .
 
 # Build and push the container image using ko
 ko-build:

cmd/auth-server/main.go

@@ -0,0 +1,35 @@
+package main
+
+import (
+	"encoding/json"
+	"os"
+
+	"gofr.dev/pkg/gofr"
+	"gofr.dev/pkg/gofr/http/response"
+)
+
+const (
+	rulesPath = "/app/config/rules.json"
+)
+
+func main() {
+	app := gofr.New()
+
+	app.GET("/rules.json", RulesHandler)
+
+	app.Run()
+}
+
+func RulesHandler(c *gofr.Context) (interface{}, error) {
+	data, err := os.ReadFile(rulesPath)
+	if err != nil {
+		return nil, err
+	}
+
+	var jsonObj interface{}
+	if err := json.Unmarshal(data, &jsonObj); err != nil {
+		return nil, err
+	}
+
+	return response.Raw{Data: jsonObj}, nil
+}

k8s/auth-server/base/auth-server-configmaps.yaml

@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: oathkeeper-rules-data
+  namespace: eventrunner
+data:
+  rules.json: |
+    [
+      {
+        "id": "api-health-check",
+        "upstream": {
+          "preserve_host": true,
+          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
+        },
+        "match": {
+          "url": "/api/v1/health",
+          "methods": ["GET"]
+        },
+        "authenticators": [
+          {
+            "handler": "anonymous",
+            "config": {
+              "subject": "guest"
+            }
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [
+          {
+            "handler": "noop"
+          }
+        ]
+      },
+      {
+        "id": "auth-check",
+        "upstream": {
+          "preserve_host": true,
+          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
+        },
+        "match": {
+          "url": "/judge",
+          "methods": ["GET"]
+        },
+        "authenticators": [
+          {
+            "handler": "anonymous",
+            "config": {
+              "subject": "anonymous"
+            }
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [
+          {
+            "handler": "header",
+            "config": {
+              "headers": {
+                "X-User": "anonymous",
+                "X-Tenant-ID": "default",
+                "X-Request-Id": "{{ print .RequestID }}"
+              }
+            }
+          }
+        ]
+      },
+      {
+        "id": "protected-endpoints",
+        "upstream": {
+          "preserve_host": true,
+          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
+        },
+        "match": {
+          "url": "/api/v1/<.*>",
+          "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        },
+        "authenticators": [
+          {
+            "handler": "jwt",
+            "config": {
+              "jwks_urls": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com/.well-known/jwks.json"],
+              "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"]
+            }
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [
+          {
+            "handler": "header",
+            "config": {
+              "headers": {
+                "X-User": "{{ print .Subject }}",
+                "X-Tenant-ID": "{{ print .Extra.tenant_id }}",
+                "X-Request-Id": "{{ print .RequestID }}"
+              }
+            }
+          }
+        ]
+      }
+    ]

k8s/auth-server/base/auth-server.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-server
+  namespace: eventrunner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: auth-server
+  template:
+    metadata:
+      labels:
+        app: auth-server
+    spec:
+      containers:
+        - name: auth-server
+          image: ghcr.io/carverauto/auth-server:v0.0.06
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+          volumeMounts:
+            - name: rules-volume
+              mountPath: /app/config/rules.json
+              subPath: rules.json
+      volumes:
+        - name: rules-volume
+          configMap:
+            name: oathkeeper-rules-data
+            items:
+              - key: rules.json
+                path: rules.json
+      imagePullSecrets:
+        - name: ghcr-io-cred

k8s/auth-server/base/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+  - auth-server-configmaps.yaml
+  - auth-server.yaml
+  - service.yaml

k8s/auth-server/base/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-server
+  namespace: eventrunner
+spec:
+  selector:
+    app: auth-server
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8000
+  type: ClusterIP

k8s/er-api/base/configmap.yaml → k8s/eventrunner-api/base/configmap.yaml

@@ -15,7 +15,7 @@ data:
     DB_NAME=eventrunner
     DB_PORT=2001
     DB_DIALECT=mongo
-    DB_URL=mongodb://mongodb.svc.cluster.local:27017
+    DB_URL=mongodb://er-mongodb.svc.cluster.local:27017
   .staging.env: |
     LOG_LEVEL=DEBUG
     APP_NAME=eventrunner
@@ -27,4 +27,4 @@ data:
     DB_NAME=eventrunner
     DB_PORT=2001
     DB_DIALECT=mongo
-    DB_URL=mongodb://mongodb.svc.cluster.local:27017
+    DB_URL=mongodb://er-mongodb.svc.cluster.local:27017

k8s/eventrunner-api/base/ingress.yaml

@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: eventrunner-api
+  namespace: eventrunner
+  annotations:
+    cert-manager.io/cluster-issuer: threadr-issuer
+    nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/judge"
+    nginx.ingress.kubernetes.io/auth-response-headers: "X-User,X-Tenant-ID,X-Request-Id"
+    nginx.ingress.kubernetes.io/auth-preserve-uri: "true"
+    nginx.ingress.kubernetes.io/auth-always-set-cookie: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - api.tunnel.threadr.ai
+      secretName: eventrunner-api-tls
+  rules:
+    - host: api.tunnel.threadr.ai
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: eventrunner-api
+                port:
+                  number: 8200

k8s/eventrunner-api/base/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+namespace: eventrunner
+resources:
+  - eventrunner.yaml
+  - configmap.yaml
+  - service.yaml
+  - ingress.yaml

k8s/eventrunner-api/base/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: eventrunner-api
+  namespace: eventrunner
+spec:
+  selector:
+    app: eventrunner-api
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP