From c8c809432a6b246e3cb64cb470ba45a15412d8f6 Mon Sep 17 00:00:00 2001 From: mfreeman451 Date: Fri, 25 Oct 2024 20:01:55 -0500 Subject: [PATCH 1/5] =?UTF-8?q?=F0=9F=94=A7=20jwks=20server=20for=20rules?= =?UTF-8?q?=20and=20jwks.json=20working?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cmd/jwks-server/main.go | 45 ++++----- .../base/jwks-server-configmaps.yaml | 95 +++++++++++++++++++ k8s/jwks-server/base/jwks-server.yaml | 34 ++++--- k8s/jwks-server/base/kustomization.yaml | 4 +- k8s/jwks-server/base/service.yaml | 13 +++ k8s/ory/oathkeeper/nginx-auth-config.yaml | 52 ++++++++++ k8s/ory/oathkeeper/oathkeeper-config.yaml | 27 ++++++ k8s/ory/oathkeeper/oathkeeper-rules.yaml | 77 +++++++++++++++ k8s/ory/oathkeeper/oathkeeper-values.yaml | 26 +---- 9 files changed, 311 insertions(+), 62 deletions(-) create mode 100644 k8s/jwks-server/base/jwks-server-configmaps.yaml create mode 100644 k8s/jwks-server/base/service.yaml create mode 100644 k8s/ory/oathkeeper/nginx-auth-config.yaml create mode 100644 k8s/ory/oathkeeper/oathkeeper-config.yaml create mode 100644 k8s/ory/oathkeeper/oathkeeper-rules.yaml diff --git a/cmd/jwks-server/main.go b/cmd/jwks-server/main.go index aae9589..aeeb061 100644 --- a/cmd/jwks-server/main.go +++ b/cmd/jwks-server/main.go 
@@ -1,46 +1,39 @@ -// File: main.go - package main import ( + "os" + "gofr.dev/pkg/gofr" ) +const ( + jwksPath = "/app/config/jwks.json" + rulesPath = "/app/config/rules.json" +) + func main() { - // Initialize gofr application app := gofr.New() - // Register the JWKS route app.GET("/jwks.json", JWKSHandler) + app.GET("/rules.json", RulesHandler) - // Run the application app.Run() } -type JWK struct { - E string `json:"e"` - Kid string `json:"kid"` - Kty string `json:"kty"` - N string `json:"n"` -} +func JWKSHandler(c *gofr.Context) (interface{}, error) { + data, err := os.ReadFile(jwksPath) + if err != nil { + return nil, err + } -type JWKS struct { - Keys []JWK `json:"keys"` + return string(data), nil } -func JWKSHandler(c *gofr.Context) (interface{}, error) { - // Create the JWKS data - jwks := JWKS{ - Keys: []JWK{ - { - E: "AQAB", - Kid: "eventrunner-jwt", - Kty: "RSA", - N: "viVXLTzUz5zrrTRFe59lc5JfjonbmnBxgGVD2RHG-FQXdKp-5xnuH5C9ZLujcew8jYoeFw6o7ab7PMONzru5UcjxadKXaC1uTId_chCDVVVSD80IlYtzgchhMBTpqZJY5hd6GybODwJj0ulcfpXmw43dF5CRC9uLbLuSvkVsELgcioUJnaMTZjisY9R5ApeUOLSAZGOacdlVBBZfQb8pVjBqJQQmcyzooLZdXq-hNvutnI15sPQLcoBXXat_n8lfrI2Jr_mlG_rcvAdhZXUGeu1NeWdJuaHFoHcbV-PeSnr0mAGZxFEdM6nFywqmjtiU3EXhDmqfrB7hMiWdbAueRQ", - }, - }, +func RulesHandler(c *gofr.Context) (interface{}, error) { + data, err := os.ReadFile(rulesPath) + if err != nil { + return nil, err } - // Return the JWKS data; gofr will marshal it to JSON - return jwks, nil + return string(data), nil } diff --git a/k8s/jwks-server/base/jwks-server-configmaps.yaml b/k8s/jwks-server/base/jwks-server-configmaps.yaml new file mode 100644 index 0000000..9a06a0f --- /dev/null +++ b/k8s/jwks-server/base/jwks-server-configmaps.yaml 
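Review bot: `JWKSHandler` and `RulesHandler` are exported without doc comments, and both hand the `os.ReadFile` error back unchanged, so whatever gofr renders for a handler error (plausibly the `*os.PathError` text, which carries the container path) reaches the caller — check what gofr actually emits. Add `// JWKSHandler serves the JWKS document read from jwksPath; the file is re-read on every request.` and `// RulesHandler serves the Oathkeeper access-rules document read from rulesPath.`, and log the underlying error while returning a generic one, e.g. `c.Logger.Errorf("reading %s: %v", jwksPath, err); return nil, errors.New("jwks unavailable")` (needs `errors` imported; `c.Logger` assumes gofr's context exposes the container logger as in recent releases). The key material here is public, so the exposure is filesystem detail rather than the key itself.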
@@ -0,0 +1,95 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: jwks-data + namespace: eventrunner +data: + jwks.json: | + { + "keys": [ + { + "e": "AQAB", + "kid": "eventrunner-jwt", + "kty": "RSA", + "n": "viVXLTzUz5zrrTRFe59lc5JfjonbmnBxgGVD2RHG-FQXdKp-5xnuH5C9ZLujcew8jYoeFw6o7ab7PMONzru5UcjxadKXaC1uTId_chCDVVVSD80IlYtzgchhMBTpqZJY5hd6GybODwJj0ulcfpXmw43dF5CRC9uLbLuSvkVsELgcioUJnaMTZjisY9R5ApeUOLSAZGOacdlVBBZfQb8pVjBqJQQmcyzooLZdXq-hNvutnI15sPQLcoBXXat_n8lfrI2Jr_mlG_rcvAdhZXUGeu1NeWdJuaHFoHcbV-PeSnr0mAGZxFEdM6nFywqmjtiU3EXhDmqfrB7hMiWdbAueRQ" + } + ] + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: oathkeeper-rules-data + namespace: eventrunner +data: + rules.json: | + [ + { + "id": "eventrunner-api-rule", + "upstream": { + "preserve_host": true, + "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" + }, + "match": { + "url": "http://api.tunnel.threadr.ai/<**>", + "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"] + }, + "authenticators": [ + { + "handler": "jwt", + "config": { + "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], + "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], + "target_audience": ["eventrunner"] + } + } + ], + "authorizer": { + "handler": "allow" + }, + "mutator": { + "handler": "header", + "config": { + "headers": { + "X-User": "{{ print .Subject }}", + "X-Tenant-ID": "{{ print .Extra.tenant_id }}", + "X-Request-Id": "{{ print .RequestID }}" + } + } + } + }, + { + "id": "decisions-endpoint", + "upstream": { + "preserve_host": true, + "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" + }, + "match": { + "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions/<**>", + "methods": ["GET"] + }, + "authenticators": [ + { + "handler": "jwt", + "config": { + "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], + "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], 
+ "target_audience": ["eventrunner"] + } + } + ], + "authorizer": { + "handler": "allow" + }, + "mutator": { + "handler": "header", + "config": { + "headers": { + "X-User": "{{ print .Subject }}", + "X-Tenant-ID": "{{ print .Extra.tenant_id }}", + "X-Request-Id": "{{ print .RequestID }}" + } + } + } + } + ] \ No newline at end of file diff --git a/k8s/jwks-server/base/jwks-server.yaml b/k8s/jwks-server/base/jwks-server.yaml index dab4e66..35517db 100644 --- a/k8s/jwks-server/base/jwks-server.yaml +++ b/k8s/jwks-server/base/jwks-server.yaml @@ -13,23 +13,31 @@ spec: labels: app: jwks-server spec: - serviceAccountName: eventrunner-account - imagePullSecrets: - - name: ghcr-io-cred containers: - name: jwks-server - image: ghcr.io/carverauto/jwks-server:v0.0.01 + image: ghcr.io/carverauto/jwks-server:v0.0.03 imagePullPolicy: Always + ports: + - containerPort: 8000 volumeMounts: - - name: config - mountPath: /app/configs + - name: jwks-volume + mountPath: /app/config/jwks.json + subPath: jwks.json + - name: rules-volume + mountPath: /app/config/rules.json + subPath: rules.json volumes: - - name: config + - name: jwks-volume + configMap: + name: jwks-data + items: + - key: jwks.json + path: jwks.json + - name: rules-volume configMap: - name: eventrunner-config - - name: nats-creds - secret: - secretName: nats-creds + name: oathkeeper-rules-data items: - - key: nats.creds - path: nats.creds \ No newline at end of file + - key: rules.json + path: rules.json + imagePullSecrets: + - name: ghcr-io-cred \ No newline at end of file diff --git a/k8s/jwks-server/base/kustomization.yaml b/k8s/jwks-server/base/kustomization.yaml index 5973557..d388ba1 100644 --- a/k8s/jwks-server/base/kustomization.yaml +++ b/k8s/jwks-server/base/kustomization.yaml @@ -1,2 +1,4 @@ resources: - - jwks-server.yaml \ No newline at end of file + - jwks-server-configmaps.yaml + - jwks-server.yaml + - service.yaml \ No newline at end of file 
diff --git a/k8s/jwks-server/base/service.yaml b/k8s/jwks-server/base/service.yaml new file mode 100644 index 0000000..e4442f9 --- /dev/null +++ b/k8s/jwks-server/base/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: jwks-server + namespace: eventrunner +spec: + selector: + app: jwks-server + ports: + - protocol: TCP + port: 80 + targetPort: 8000 + type: ClusterIP \ No newline at end of file diff --git a/k8s/ory/oathkeeper/nginx-auth-config.yaml b/k8s/ory/oathkeeper/nginx-auth-config.yaml new file mode 100644 index 0000000..45a902e --- /dev/null +++ b/k8s/ory/oathkeeper/nginx-auth-config.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: oathkeeper-config + namespace: default +data: + config.yaml: | + serve: + proxy: + port: 4455 + cors: + enabled: true + allowed_origins: + - "*" + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + allowed_headers: + - Authorization + - Content-Type + exposed_headers: + - X-User + - X-Tenant-ID + allow_credentials: true + debug: true + api: + port: 4456 + + access_rules: + repositories: + - file:///etc/rules/access-rules.json + matching_strategy: "regexp" + + authenticators: + jwt: + enabled: true + config: + jwks_urls: + - http://jwks-server.eventrunner.svc.cluster.local/jwks.json + + authorizers: + allow: + enabled: true + + mutators: + header: + enabled: true + noop: + enabled: true \ No newline at end of file diff --git a/k8s/ory/oathkeeper/oathkeeper-config.yaml b/k8s/ory/oathkeeper/oathkeeper-config.yaml new file mode 100644 index 0000000..c95aaec --- /dev/null +++ b/k8s/ory/oathkeeper/oathkeeper-config.yaml 
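Review bot: `allowed_origins: ["*"]` together with `allow_credentials: true` is a combination browsers reject under the Fetch spec, and depending on the CORS library version the wildcard is instead reflected as the requesting origin, which would let any site make credentialed cross-origin calls through the proxy; list the real UI origins instead, e.g. `allowed_origins: ["https://<ui-origin>"]`, and keep `allow_credentials` only if cookies are genuinely involved. The `debug: true` under `cors` turns on per-request CORS logging and should not ship. Separately, this ConfigMap (`oathkeeper-config` in `default`, `file:///etc/rules/access-rules.json`, `matching_strategy: "regexp"`) and the Helm values in `oathkeeper-values.yaml` (inline rules, `glob`) are two competing definitions of the same deployment, and nothing visible mounts this one; keep a single source of truth.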
@@ -0,0 +1,27 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: eventrunner-api + namespace: eventrunner + annotations: + cert-manager.io/cluster-issuer: "threadr-issuer" + nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions" + nginx.ingress.kubernetes.io/auth-response-headers: "Authorization,X-User,X-Tenant-ID" + nginx.ingress.kubernetes.io/ssl-redirect: "true" +spec: + ingressClassName: nginx # Using spec instead of deprecated annotation + tls: + - hosts: + - api.tunnel.threadr.ai + secretName: eventrunner-api-tls + rules: + - host: api.tunnel.threadr.ai + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: eventrunner-api + port: + number: 8200 \ No newline at end of file diff --git a/k8s/ory/oathkeeper/oathkeeper-rules.yaml b/k8s/ory/oathkeeper/oathkeeper-rules.yaml new file mode 100644 index 0000000..cb4d950 --- /dev/null +++ b/k8s/ory/oathkeeper/oathkeeper-rules.yaml 
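Review bot: `auth-url` targets `/decisions` on the proxy port 4455, but as far as I recall Oathkeeper serves the Access Control Decision API on the API port (`serve.api`, 4456 in this config), and the proxy port treats `/decisions` as an ordinary request to match against rules — which is presumably why a `decisions-endpoint` rule forwarding to eventrunner-api was added alongside. Under that arrangement the "allow" verdict nginx sees is whatever status eventrunner-api returns for `GET /decisions/...`, not Oathkeeper's own 200/401/403, so `auth_request` semantics (2xx allow, 401/403 deny, anything else 500) become coupled to the backend's routing; point at the API Service's `/decisions` instead (the Helm chart typically names it `oathkeeper-api`, to be confirmed) and drop the extra rule. Also reconsider `Authorization` in `auth-response-headers`: nginx copies that header from the auth subrequest's response onto the upstream request, and since no mutator sets it the backend will, I believe, receive the request with `Authorization` removed.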
@@ -0,0 +1,77 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: oathkeeper-rules + namespace: default +data: + access-rules.json: | + [ + { + "id": "eventrunner-api-rule", + "upstream": { + "preserve_host": true, + "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" + }, + "match": { + "url": "http://api.tunnel.threadr.ai/<**>", + "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"] + }, + "authenticators": [ + { + "handler": "jwt", + "config": { + "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], + "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], + "target_audience": ["eventrunner"] + } + } + ], + "authorizer": { + "handler": "allow" + }, + "mutator": { + "handler": "header", + "config": { + "headers": { + "X-User": "{{ print .Subject }}", + "X-Tenant-ID": "{{ print .Extra.tenant_id }}", + "X-Request-Id": "{{ print .RequestID }}" + } + } + } + }, + { + "id": "decisions-endpoint", + "upstream": { + "preserve_host": true, + "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" + }, + "match": { + "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions/<**>", + "methods": ["GET"] + }, + "authenticators": [ + { + "handler": "jwt", + "config": { + "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], + "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], + "target_audience": ["eventrunner"] + } + } + ], + "authorizer": { + "handler": "allow" + }, + "mutator": { + "handler": "header", + "config": { + "headers": { + "X-User": "{{ print .Subject }}", + "X-Tenant-ID": "{{ print .Extra.tenant_id }}", + "X-Request-Id": "{{ print .RequestID }}" + } + } + } + } + ] \ No newline at end of file diff --git a/k8s/ory/oathkeeper/oathkeeper-values.yaml b/k8s/ory/oathkeeper/oathkeeper-values.yaml index bf2a6ca..04582c7 100644 --- a/k8s/ory/oathkeeper/oathkeeper-values.yaml 
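Review bot: This document is a byte-for-byte copy of the rules the same commit places in `oathkeeper-rules-data` (namespace `eventrunner`), now under `oathkeeper-rules` in `default`, and it is not visible which copy the running Oathkeeper loads (the Helm values still say `inline:`); two copies of an authorization policy drift silently. Keep one, and record above the `data:` key in the surviving ConfigMap which deployment consumes it (`# Loaded by the oathkeeper Helm release via access_rules.repositories; edit only here`). Note that `decisions-endpoint` sets eventrunner-api as `upstream` with `preserve_host: true`, so if this rule is hit in proxy mode the backend, not Oathkeeper, answers nginx's auth probe.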
+++ b/k8s/ory/oathkeeper/oathkeeper-values.yaml @@ -13,7 +13,7 @@ oathkeeper: access_rules: repositories: - inline: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 - matching_strategy: glob # Changed to glob + matching_strategy: glob authenticators: anonymous: @@ -26,7 +26,7 @@ oathkeeper: enabled: true config: jwks_urls: - - file:///etc/jwks/jwks.json + - http://jwks-server.eventrunner.svc.cluster.local/jwks.json authorizers: allow: @@ -39,31 +39,15 @@ oathkeeper: enabled: true config: issuer_url: "https://affectionate-brattain-fl0yahcycw.projects.oryapis.com" - jwks_url: file:///etc/jwks/jwks.json + jwks_url: http://jwks-server.eventrunner.svc.cluster.local/jwks.json ttl: "15m" deployment: replicas: 1 pod: - volumes: - - name: jwks - secret: - secretName: oathkeeper-jwks - items: - - key: jwks.json - path: jwks.json - - name: custom-rules - configMap: - name: oathkeeper-access-rules containers: - name: oathkeeper image: oryd/oathkeeper:v0.40.7 - volumeMounts: - - name: jwks - mountPath: /etc/jwks/jwks.json - subPath: jwks.json - - name: custom-rules - mountPath: /etc/rules readinessProbe: httpGet: path: /health/ready @@ -79,6 +63,4 @@ oathkeeper: failureThreshold: 3 periodSeconds: 10 initialDelaySeconds: 5 - timeoutSeconds: 1 - - # Rest of your config... + timeoutSeconds: 1 \ No newline at end of file From 7b505693492c56ee2de3bf854aea335e5bdddd9f Mon Sep 17 00:00:00 2001 
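Review bot: The hunk at `@@ -39,31 +39,15 @@` repoints what looks like the `id_token` mutator (`issuer_url` / `jwks_url` / `ttl`; its name sits above the hunk, so confirm) from the `oathkeeper-jwks` Secret to `http://jwks-server.eventrunner.svc.cluster.local/jwks.json`, but that endpoint serves the `jwks-data` ConfigMap, which holds only public components (`kty`, `kid`, `n`, `e`). A signing mutator needs the private key, so either it can no longer sign and fails at runtime if used, or the next fix will be to add the private JWK to that ConfigMap — at which point the signing key is served to anything that can reach `/jwks.json`. Keep the private JWKS in the Secret with `jwks_url: file:///etc/jwks/jwks.json` (restoring the `jwks` volume and mount this hunk removes) and only point the `jwt` authenticator's `jwks_urls` at the HTTP endpoint. Fetching verification keys over plaintext in-cluster HTTP is also worth a one-line `# trust anchor: anyone who can write jwks-data or spoof this name can mint accepted tokens` next to the URL.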
From: mfreeman451 Date: Fri, 25 Oct 2024 21:13:00 -0500 Subject: [PATCH 2/5] =?UTF-8?q?=F0=9F=94=A7=20sync?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cmd/jwks-server/main.go | 16 +++- k8s/er-api/base/db_secret.yaml | 8 -- k8s/er/base/kustomization.yaml | 3 - .../base/configmap.yaml | 4 +- .../base/eventrunner.yaml | 0 .../base/ingress.yaml} | 9 ++- k8s/eventrunner-api/base/kustomization.yaml | 7 ++ k8s/eventrunner-api/base/service.yaml | 13 ++++ k8s/{er => eventrunner}/base/configmap.yaml | 0 k8s/{er => eventrunner}/base/eventrunner.yaml | 0 .../base/kustomization.yaml | 0 .../base/jwks-server-configmaps.yaml | 74 +++--------------- k8s/jwks-server/base/jwks-server.yaml | 2 +- k8s/ory/oathkeeper/oathkeeper-rules.yaml | 77 ------------------- k8s/ory/oathkeeper/oathkeeper-values.yaml | 2 +- 15 files changed, 55 insertions(+), 160 deletions(-) delete mode 100644 k8s/er-api/base/db_secret.yaml delete mode 100644 k8s/er/base/kustomization.yaml rename k8s/{er-api => eventrunner-api}/base/configmap.yaml (84%) rename k8s/{er-api => eventrunner-api}/base/eventrunner.yaml (100%) rename k8s/{ory/oathkeeper/oathkeeper-config.yaml => eventrunner-api/base/ingress.yaml} (68%) create mode 100644 k8s/eventrunner-api/base/kustomization.yaml create mode 100644 k8s/eventrunner-api/base/service.yaml rename k8s/{er => eventrunner}/base/configmap.yaml (100%) rename k8s/{er => eventrunner}/base/eventrunner.yaml (100%) rename k8s/{er-api => eventrunner}/base/kustomization.yaml (100%) delete mode 100644 k8s/ory/oathkeeper/oathkeeper-rules.yaml diff --git a/cmd/jwks-server/main.go b/cmd/jwks-server/main.go index aeeb061..d3b7eba 100644 --- a/cmd/jwks-server/main.go +++ b/cmd/jwks-server/main.go @@ -1,9 +1,11 @@ package main import ( + "encoding/json" "os" "gofr.dev/pkg/gofr" + "gofr.dev/pkg/gofr/http/response" ) const ( 
@@ -26,7 +28,12 @@ func JWKSHandler(c *gofr.Context) (interface{}, error) { return nil, err } - return string(data), nil + var jsonObj interface{} + if err := json.Unmarshal(data, &jsonObj); err != nil { + return nil, err + } + + return response.Raw{Data: jsonObj}, nil } func RulesHandler(c *gofr.Context) (interface{}, error) { @@ -35,5 +42,10 @@ func RulesHandler(c *gofr.Context) (interface{}, error) { return nil, err } - return string(data), nil + var jsonObj interface{} + if err := json.Unmarshal(data, &jsonObj); err != nil { + return nil, err + } + + return response.Raw{Data: jsonObj}, nil } diff --git a/k8s/er-api/base/db_secret.yaml b/k8s/er-api/base/db_secret.yaml deleted file mode 100644 index ec7a00d..0000000 --- a/k8s/er-api/base/db_secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: db-credentials - namespace: eventrunner -type: Opaque -data: - DB_PASSWORD: base64encodedpassword= \ No newline at end of file diff --git a/k8s/er/base/kustomization.yaml b/k8s/er/base/kustomization.yaml deleted file mode 100644 index ba40e8c..0000000 --- a/k8s/er/base/kustomization.yaml +++ /dev/null @@ -1,3 +0,0 @@ -resources: - - eventrunner.yaml - - configmap.yaml diff --git a/k8s/er-api/base/configmap.yaml b/k8s/eventrunner-api/base/configmap.yaml similarity index 84% rename from k8s/er-api/base/configmap.yaml rename to k8s/eventrunner-api/base/configmap.yaml index 26c135d..8c52d36 100644 --- a/k8s/er-api/base/configmap.yaml +++ b/k8s/eventrunner-api/base/configmap.yaml @@ -15,7 +15,7 @@ data: DB_NAME=eventrunner DB_PORT=2001 DB_DIALECT=mongo - DB_URL=mongodb://mongodb.svc.cluster.local:27017 + DB_URL=mongodb://er-mongodb.svc.cluster.local:27017 .staging.env: | LOG_LEVEL=DEBUG APP_NAME=eventrunner @@ -27,4 +27,4 @@ data: DB_NAME=eventrunner DB_PORT=2001 DB_DIALECT=mongo - DB_URL=mongodb://mongodb.svc.cluster.local:27017 \ No newline at end of file + DB_URL=mongodb://er-mongodb.svc.cluster.local:27017 \ No newline at end of file 
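Review bot: `JWKSHandler` and `RulesHandler` now carry the identical read → `json.Unmarshal` → `response.Raw` sequence, and both still return the raw `os.ReadFile` / parse error to the framework, so the container path and parser detail are exposed to callers if gofr renders handler errors verbatim (check what it emits). Fold the sequence into one helper that logs the detail and returns a generic error, and give both exported handlers a doc comment; the unmarshal step is worth keeping, since it stops a malformed ConfigMap from being served to Oathkeeper as-is. The helper below assumes `errors` is added to the imports and that `c.Logger` is the container logger gofr's context exposes — confirm against the gofr version in go.work.
```go
// readJSONDocument reads path, checks it is well-formed JSON and returns it
// unwrapped; read/parse failures are logged and reported generically.
func readJSONDocument(c *gofr.Context, path string) (interface{}, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		c.Logger.Errorf("reading %s: %v", path, err)
		return nil, errors.New("configuration unavailable")
	}
	var doc interface{}
	if err := json.Unmarshal(data, &doc); err != nil {
		c.Logger.Errorf("parsing %s: %v", path, err)
		return nil, errors.New("configuration unavailable")
	}
	return response.Raw{Data: doc}, nil
}

// JWKSHandler serves the JWKS document at jwksPath; the file is re-read per request.
func JWKSHandler(c *gofr.Context) (interface{}, error) { return readJSONDocument(c, jwksPath) }

// RulesHandler serves the Oathkeeper access-rules document at rulesPath.
func RulesHandler(c *gofr.Context) (interface{}, error) { return readJSONDocument(c, rulesPath) }
```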
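Review bot: `DB_URL=mongodb://er-mongodb.svc.cluster.local:27017` is missing the namespace segment of a cluster DNS name (`<service>.<namespace>.svc.cluster.local`), so unless `er-mongodb` is a Service literally in a namespace named `svc` this will not resolve; presumably `mongodb://er-mongodb.eventrunner.svc.cluster.local:27017` is meant. The same patch deletes the `db-credentials` Secret and the URL carries no credentials, so it is unclear from the visible files how the API authenticates to Mongo; if the database is being run without auth, that should be a deliberate, documented decision with a NetworkPolicy around it rather than a side effect of cleanup.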
diff --git a/k8s/er-api/base/eventrunner.yaml b/k8s/eventrunner-api/base/eventrunner.yaml similarity index 100% rename from k8s/er-api/base/eventrunner.yaml rename to k8s/eventrunner-api/base/eventrunner.yaml diff --git a/k8s/ory/oathkeeper/oathkeeper-config.yaml b/k8s/eventrunner-api/base/ingress.yaml similarity index 68% rename from k8s/ory/oathkeeper/oathkeeper-config.yaml rename to k8s/eventrunner-api/base/ingress.yaml index c95aaec..5a2c740 100644 --- a/k8s/ory/oathkeeper/oathkeeper-config.yaml +++ b/k8s/eventrunner-api/base/ingress.yaml @@ -4,12 +4,13 @@ metadata: name: eventrunner-api namespace: eventrunner annotations: - cert-manager.io/cluster-issuer: "threadr-issuer" - nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions" - nginx.ingress.kubernetes.io/auth-response-headers: "Authorization,X-User,X-Tenant-ID" + cert-manager.io/cluster-issuer: threadr-issuer + nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/judge" + nginx.ingress.kubernetes.io/auth-response-headers: "X-User,X-Tenant-ID,X-Request-Id" nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/auth-preserve-uri: "true" spec: - ingressClassName: nginx # Using spec instead of deprecated annotation + ingressClassName: nginx tls: - hosts: - api.tunnel.threadr.ai diff --git a/k8s/eventrunner-api/base/kustomization.yaml b/k8s/eventrunner-api/base/kustomization.yaml new file mode 100644 index 0000000..3b95b27 --- /dev/null +++ b/k8s/eventrunner-api/base/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +namespace: eventrunner +resources: + - eventrunner.yaml + - configmap.yaml + - service.yaml + - ingress.yaml diff --git a/k8s/eventrunner-api/base/service.yaml b/k8s/eventrunner-api/base/service.yaml new file mode 100644 index 0000000..6a62451 --- /dev/null +++ b/k8s/eventrunner-api/base/service.yaml 
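Review bot: Switching `auth-url` from `/decisions` to `/judge` goes back to an endpoint name Oathkeeper dropped several releases before v0.40.7 (on the current decision API the path is `/decisions`, served on the API port), so the auth subrequest still lands on the proxy port and is matched against access rules rather than answered by Oathkeeper's decision handler; the structural fix is `http://<oathkeeper-api-service>.default.svc.cluster.local:4456/decisions`. I also do not find `auth-preserve-uri` among the documented ingress-nginx auth annotations; unknown annotations are ignored silently, so confirm it has an effect before relying on it. Dropping `Authorization` from `auth-response-headers` is the right direction — it stops nginx from overwriting the client's bearer token with whatever the auth response returned.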
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: eventrunner-api + namespace: eventrunner +spec: + selector: + app: eventrunner-api + ports: + - protocol: TCP + port: 8200 + targetPort: 8200 + type: ClusterIP \ No newline at end of file diff --git a/k8s/er/base/configmap.yaml b/k8s/eventrunner/base/configmap.yaml similarity index 100% rename from k8s/er/base/configmap.yaml rename to k8s/eventrunner/base/configmap.yaml diff --git a/k8s/er/base/eventrunner.yaml b/k8s/eventrunner/base/eventrunner.yaml similarity index 100% rename from k8s/er/base/eventrunner.yaml rename to k8s/eventrunner/base/eventrunner.yaml diff --git a/k8s/er-api/base/kustomization.yaml b/k8s/eventrunner/base/kustomization.yaml similarity index 100% rename from k8s/er-api/base/kustomization.yaml rename to k8s/eventrunner/base/kustomization.yaml diff --git a/k8s/jwks-server/base/jwks-server-configmaps.yaml b/k8s/jwks-server/base/jwks-server-configmaps.yaml index 9a06a0f..5b42ac0 100644 --- a/k8s/jwks-server/base/jwks-server-configmaps.yaml +++ b/k8s/jwks-server/base/jwks-server-configmaps.yaml @@ -1,23 +1,5 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: jwks-data - namespace: eventrunner -data: - jwks.json: | - { - "keys": [ - { - "e": "AQAB", - "kid": "eventrunner-jwt", - "kty": "RSA", - "n": "viVXLTzUz5zrrTRFe59lc5JfjonbmnBxgGVD2RHG-FQXdKp-5xnuH5C9ZLujcew8jYoeFw6o7ab7PMONzru5UcjxadKXaC1uTId_chCDVVVSD80IlYtzgchhMBTpqZJY5hd6GybODwJj0ulcfpXmw43dF5CRC9uLbLuSvkVsELgcioUJnaMTZjisY9R5ApeUOLSAZGOacdlVBBZfQb8pVjBqJQQmcyzooLZdXq-hNvutnI15sPQLcoBXXat_n8lfrI2Jr_mlG_rcvAdhZXUGeu1NeWdJuaHFoHcbV-PeSnr0mAGZxFEdM6nFywqmjtiU3EXhDmqfrB7hMiWdbAueRQ" - } - ] - } ---- -apiVersion: v1 -kind: ConfigMap metadata: name: oathkeeper-rules-data namespace: eventrunner 
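Review bot: The ClusterIP Service makes eventrunner-api reachable on 8200 from every pod in the cluster, while the JWT check exists only as an `auth_request` on the Ingress; any workload (or a compromised pod) can call `http://eventrunner-api.eventrunner.svc.cluster.local:8200` directly and set `X-User` / `X-Tenant-ID` itself, since the backend is designed to trust those headers. Unless a NetworkPolicy outside this patch already covers it, add one that allows ingress to `app: eventrunner-api` on 8200 only from the ingress-nginx controller pods (and from Oathkeeper if proxy mode is ever used), or have the API validate the JWT itself instead of trusting mutated headers. A comment on the Service recording that assumption (`# reachable only via the Ingress auth path; see NetworkPolicy`) keeps the next reader from exposing it further.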
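Review bot: This hunk deletes the `jwks-data` ConfigMap, but `jwks-server.yaml` (only its image tag changes in this patch) still mounts `configMap: name: jwks-data` with `subPath: jwks.json`, and the Go server still serves `/jwks.json` from that path; unless `jwks-data` is created somewhere outside the visible files, the pod will sit in ContainerCreating on a missing-ConfigMap error and Oathkeeper's `jwks_urls` fetch will fail. That fails closed (every JWT rejected), but it is an outage, and it also means the trust anchor is no longer declared anywhere in this kustomization. Either keep the ConfigMap here or move the JWKS mount and `jwksPath` out of the Deployment in the same commit.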
@@ -25,14 +7,14 @@ data: rules.json: | [ { - "id": "eventrunner-api-rule", + "id": "auth-rule", "upstream": { "preserve_host": true, "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" }, "match": { - "url": "http://api.tunnel.threadr.ai/<**>", - "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"] + "url": ".*", + "methods": ["GET"] }, "authenticators": [ { @@ -40,56 +22,24 @@ data: "config": { "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], - "target_audience": ["eventrunner"] + "required": false } } ], "authorizer": { "handler": "allow" }, - "mutator": { - "handler": "header", - "config": { - "headers": { - "X-User": "{{ print .Subject }}", - "X-Tenant-ID": "{{ print .Extra.tenant_id }}", - "X-Request-Id": "{{ print .RequestID }}" - } - } - } - }, - { - "id": "decisions-endpoint", - "upstream": { - "preserve_host": true, - "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" - }, - "match": { - "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions/<**>", - "methods": ["GET"] - }, - "authenticators": [ + "mutators": [ { - "handler": "jwt", + "handler": "header", "config": { - "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], - "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], - "target_audience": ["eventrunner"] - } - } - ], - "authorizer": { - "handler": "allow" - }, - "mutator": { - "handler": "header", - "config": { - "headers": { - "X-User": "{{ print .Subject }}", - "X-Tenant-ID": "{{ print .Extra.tenant_id }}", - "X-Request-Id": "{{ print .RequestID }}" + "headers": { + "X-User": "{{ print .Subject }}", + "X-Tenant-ID": "{{ print .Extra.tenant_id }}", + "X-Request-Id": "{{ print .RequestID }}" + } } } - } + ] } ] \ No newline at end of file 
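Review bot: `"required": false` on the only authenticator, together with `"authorizer": {"handler": "allow"}`, means a request with no `Authorization` header passes this rule and the header mutator forwards an empty subject in `X-User`; since the rule matches `.*` for GET, every read endpoint becomes anonymous. I do not recognise `required` as a field of the jwt authenticator's config — if Oathkeeper's schema validation rejects it the whole rule is dropped, and if it is accepted as the name suggests the authenticator is optional — so either way drop it, restore `"target_audience": ["eventrunner"]`, and express anonymous access explicitly with the `anonymous` authenticator if that is wanted. Also, `oathkeeper-values.yaml` sets `matching_strategy: glob`, under which `.*` is a literal two-character string and matches nothing; the rules document and the matcher setting disagree.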
diff --git a/k8s/jwks-server/base/jwks-server.yaml b/k8s/jwks-server/base/jwks-server.yaml index 35517db..7cb5eeb 100644 --- a/k8s/jwks-server/base/jwks-server.yaml +++ b/k8s/jwks-server/base/jwks-server.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: jwks-server - image: ghcr.io/carverauto/jwks-server:v0.0.03 + image: ghcr.io/carverauto/jwks-server:v0.0.06 imagePullPolicy: Always ports: - containerPort: 8000 diff --git a/k8s/ory/oathkeeper/oathkeeper-rules.yaml b/k8s/ory/oathkeeper/oathkeeper-rules.yaml deleted file mode 100644 index cb4d950..0000000 --- a/k8s/ory/oathkeeper/oathkeeper-rules.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: oathkeeper-rules - namespace: default -data: - access-rules.json: | - [ - { - "id": "eventrunner-api-rule", - "upstream": { - "preserve_host": true, - "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" - }, - "match": { - "url": "http://api.tunnel.threadr.ai/<**>", - "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"] - }, - "authenticators": [ - { - "handler": "jwt", - "config": { - "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], - "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], - "target_audience": ["eventrunner"] - } - } - ], - "authorizer": { - "handler": "allow" - }, - "mutator": { - "handler": "header", - "config": { - "headers": { - "X-User": "{{ print .Subject }}", - "X-Tenant-ID": "{{ print .Extra.tenant_id }}", - "X-Request-Id": "{{ print .RequestID }}" - } - } - } - }, - { - "id": "decisions-endpoint", - "upstream": { - "preserve_host": true, - "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" - }, - "match": { - "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions/<**>", - "methods": ["GET"] - }, - "authenticators": [ - { - "handler": "jwt", - "config": { - "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], - "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], - "target_audience": ["eventrunner"] - } - } - ], - "authorizer": { - "handler": "allow" - }, - "mutator": { - "handler": "header", - "config": { - "headers": { - "X-User": "{{ print .Subject }}", - "X-Tenant-ID": "{{ print .Extra.tenant_id }}", - "X-Request-Id": "{{ print .RequestID }}" - } - } - } - } - ] \ No newline at end of file diff --git a/k8s/ory/oathkeeper/oathkeeper-values.yaml b/k8s/ory/oathkeeper/oathkeeper-values.yaml index 04582c7..48de788 100644 --- a/k8s/ory/oathkeeper/oathkeeper-values.yaml 
+++ b/k8s/ory/oathkeeper/oathkeeper-values.yaml @@ -12,7 +12,7 @@ oathkeeper: access_rules: repositories: - - inline: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 + - http://jwks-server.eventrunner.svc.cluster.local/rules.json matching_strategy: glob authenticators: From 8a3b68c8bce93c0126672de5bce307b3b01f1b07 Mon Sep 17 00:00:00 2001 From: Michael Freeman Date: Fri, 25 Oct 2024 22:12:57 -0500 Subject: [PATCH 3/5] updating connect methods --- go.work.sum | 6 ++---- pkg/api/handlers/jwks.go | 1 - pkg/eventrunner/app_interface.go | 14 ++++++++------ 3 files changed, 10 insertions(+), 11 deletions(-) delete mode 100644 pkg/api/handlers/jwks.go diff --git a/go.work.sum b/go.work.sum index 5715ec8..69b0fb5 100644 --- a/go.work.sum +++ b/go.work.sum @@ -311,7 +311,6 @@ github.com/apache/arrow/go/v15 v15.0.2/go.mod h1:DGXsR3ajT524njufqf95822i+KTh+ye github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8= 
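Review bot: Access rules are now fetched over plain `http://` from `jwks-server`, which serves a ConfigMap in the `eventrunner` namespace, so the gateway's entire authorization policy is editable by anyone with ConfigMap write access there and alterable by anyone who can spoof or intercept that in-cluster name — there is no TLS and no signature on the rules document. That is a materially larger blast radius than the `inline:` rules this replaces; if remote rules are wanted, serve them from a source the Oathkeeper operators control, over HTTPS, and treat `configmaps` RBAC in `eventrunner` as policy-admin. Leave a note beside the URL (`# policy source: write access to this ConfigMap == gateway admin`) so the sensitivity is not lost, and note that `matching_strategy: glob` is kept while the fetched rules now use the regexp `.*`.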
@@ -524,7 +523,6 @@ go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40 go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= -go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= @@ -566,7 +564,7 @@ golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -706,7 +704,7 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY= diff --git a/pkg/api/handlers/jwks.go b/pkg/api/handlers/jwks.go deleted file mode 100644 index 5ac8282..0000000 --- a/pkg/api/handlers/jwks.go +++ /dev/null @@ -1 +0,0 @@ -package handlers diff --git a/pkg/eventrunner/app_interface.go b/pkg/eventrunner/app_interface.go index 2c5587b..28b1d4e 100644 --- a/pkg/eventrunner/app_interface.go +++ b/pkg/eventrunner/app_interface.go @@ -1,6 +1,8 @@ package eventrunner import ( + "context" + "gofr.dev/pkg/gofr" "gofr.dev/pkg/gofr/container" "gofr.dev/pkg/gofr/logging" @@ -13,8 +15,8 @@ type AppWrapper struct { app *gofr.App } -func (a *AppWrapper) AddMongo(mongoClient container.MongoProvider) { - a.app.AddMongo(mongoClient) +func (a *AppWrapper) AddMongo(ctx context.Context, mongoClient container.MongoProvider) error { + return a.app.AddMongo(ctx, mongoClient) } func NewAppWrapper(app *gofr.App) *AppWrapper { 
@@ -37,12 +39,12 @@ func (a *AppWrapper) Metrics() metrics.Manager { return a.app.Metrics() } -func (a *AppWrapper) AddPubSub(pubsubClient container.PubSubProvider) { - a.app.AddPubSub(pubsubClient) +func (a *AppWrapper) AddPubSub(ctx context.Context, pubsubClient container.PubSubProvider) error { + return a.app.AddPubSub(ctx, pubsubClient) } -func (a *AppWrapper) AddCassandra(cassandraClient container.CassandraProvider) { - a.app.AddCassandra(cassandraClient) +func (a *AppWrapper) AddCassandra(ctx context.Context, cassandraClient container.CassandraProvider) error { + return a.app.AddCassandra(ctx, cassandraClient) } func (a *AppWrapper) Migrate(migrationsMap map[int64]migration.Migrate) { From 2cd6535ad09740dd1bc7e847ae10747b4c48aeb6 Mon Sep 17 00:00:00 2001 From: mfreeman451 Date: Sat, 26 Oct 2024 06:57:58 -0500 Subject: [PATCH 4/5] =?UTF-8?q?=F0=9F=94=A7=20oathkeeper=20rules=20working?= =?UTF-8?q?=20now=20getting=20401?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- k8s/eventrunner-api/base/ingress.yaml | 3 +- .../base/jwks-server-configmaps.yaml | 30 +++++++++++++++++-- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/k8s/eventrunner-api/base/ingress.yaml b/k8s/eventrunner-api/base/ingress.yaml index 5a2c740..4afba29 100644 --- a/k8s/eventrunner-api/base/ingress.yaml +++ b/k8s/eventrunner-api/base/ingress.yaml @@ -7,8 +7,9 @@ metadata: cert-manager.io/cluster-issuer: threadr-issuer nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/judge" nginx.ingress.kubernetes.io/auth-response-headers: "X-User,X-Tenant-ID,X-Request-Id" - nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/auth-preserve-uri: "true" + nginx.ingress.kubernetes.io/auth-always-set-cookie: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" spec: ingressClassName: nginx tls: 
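Review bot: `AddMongo`, `AddPubSub` and `AddCassandra` gain a `ctx` parameter and an `error` return, a breaking change to `AppWrapper`'s exported API; any interface in this file that `AppWrapper` is meant to satisfy (the file name suggests one sits above the hunk) and every caller must change in the same commit or the build fails. None of the three methods has a doc comment; add `// AddMongo registers mongoClient with the underlying gofr app and returns its setup error.` and the equivalent on the other two, documenting what `ctx` bounds only once confirmed against gofr's own signature. `AddMongo`'s hunk and the enclosing type both extend outside this hunk.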
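Review bot: `auth-always-set-cookie: "true"` makes nginx forward `Set-Cookie` from the auth subrequest's response even when the verdict is 401/403; nothing in the visible Oathkeeper config sets cookies, so it is a no-op today, but once a cookie mutator or session handler is added it lets a denied request still plant cookies on the client. Since the commit message reports the chain now returning 401 and this annotation does not change the verdict, drop it unless there is a concrete cookie flow it serves, and put the reason in a comment if kept. The 401 is more plausibly the `/judge` subrequest being matched on the proxy port against a rule whose URL and method do not line up with what ingress-nginx actually sends.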
diff --git a/k8s/jwks-server/base/jwks-server-configmaps.yaml b/k8s/jwks-server/base/jwks-server-configmaps.yaml index 5b42ac0..165d442 100644 --- a/k8s/jwks-server/base/jwks-server-configmaps.yaml +++ b/k8s/jwks-server/base/jwks-server-configmaps.yaml @@ -7,13 +7,37 @@ data: rules.json: | [ { - "id": "auth-rule", + "id": "oathkeeper-health", + "upstream": { + "preserve_host": true, + "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455" + }, + "match": { + "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/health/alive", + "methods": ["GET"] + }, + "authenticators": [ + { + "handler": "noop" + } + ], + "authorizer": { + "handler": "allow" + }, + "mutators": [ + { + "handler": "noop" + } + ] + }, + { + "id": "judge-endpoint", "upstream": { "preserve_host": true, "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200" }, "match": { - "url": ".*", + "url": "http://oathkeeper-proxy.default.svc.cluster.local/judge", "methods": ["GET"] }, "authenticators": [ @@ -22,7 +46,7 @@ data: "config": { "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"], "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"], - "required": false + "target_audience": ["eventrunner"] } } ], From ef677fd7e94a79bc078b049e74f881d547e21193 Mon Sep 17 00:00:00 2001 
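Review bot: The `judge-endpoint` rule matches `http://oathkeeper-proxy.default.svc.cluster.local/judge` with `"methods": ["GET"]`, but what reaches the proxy port is the ingress-nginx auth subrequest, which (I believe) carries the original `Host: api.tunnel.threadr.ai` and is always a GET regardless of the client's method; so the URL is unlikely to match at all, and if it did, a client `POST`/`DELETE` would be authorized on the strength of a GET-only rule, because proxy-mode matching does not consult `X-Original-Method`/`X-Forwarded-Method` the way the decision API does. That is the structural reason to call `/decisions` on the API port rather than route the probe through a rule. The `oathkeeper-health` rule also sets Oathkeeper's own proxy port as its `upstream`, which in proxy mode is a request loop; either point it at the API port's health endpoint or drop the rule, and note that `noop` + `allow` there is fine only because the health path carries no data.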
From: mfreeman451 Date: Sat, 26 Oct 2024 13:39:42 -0500 Subject: [PATCH 5/5] sync --- cmd/{jwks-server => auth-server}/Makefile | 4 +- .../jwt/jwks.json | 0 .../jwt/jwtKeys.go | 0 cmd/{jwks-server => auth-server}/main.go | 16 --- go.work.sum | 6 +- .../base/auth-server-configmaps.yaml | 105 ++++++++++++++++++ .../base/auth-server.yaml} | 19 +--- k8s/auth-server/base/kustomization.yaml | 4 + .../base/service.yaml | 4 +- .../base/jwks-server-configmaps.yaml | 69 ------------ k8s/jwks-server/base/kustomization.yaml | 4 - .../oathkeeper/access-rules-configmap.yaml | 52 --------- k8s/ory/oathkeeper/access-rules.json | 46 -------- k8s/ory/oathkeeper/nginx-auth-config.yaml | 2 +- k8s/ory/oathkeeper/oathkeeper-values.yaml | 33 ++++-- 15 files changed, 149 insertions(+), 215 deletions(-) rename cmd/{jwks-server => auth-server}/Makefile (82%) rename cmd/{jwks-server => auth-server}/jwt/jwks.json (100%) rename cmd/{jwks-server => auth-server}/jwt/jwtKeys.go (100%) rename cmd/{jwks-server => auth-server}/main.go (59%) create mode 100644 k8s/auth-server/base/auth-server-configmaps.yaml rename k8s/{jwks-server/base/jwks-server.yaml => auth-server/base/auth-server.yaml} (60%) create mode 100644 k8s/auth-server/base/kustomization.yaml rename k8s/{jwks-server => auth-server}/base/service.yaml (80%) delete mode 100644 k8s/jwks-server/base/jwks-server-configmaps.yaml delete mode 100644 k8s/jwks-server/base/kustomization.yaml delete mode 100644 k8s/ory/oathkeeper/access-rules-configmap.yaml delete mode 100644 k8s/ory/oathkeeper/access-rules.json diff --git a/cmd/jwks-server/Makefile b/cmd/auth-server/Makefile similarity index 82% rename from cmd/jwks-server/Makefile rename to cmd/auth-server/Makefile index 5f4381f..b071e89 100644 --- a/cmd/jwks-server/Makefile +++ b/cmd/auth-server/Makefile @@ -1,5 +1,5 @@ # Define variables -KO_DOCKER_REPO := ghcr.io/carverauto/jwks-server +KO_DOCKER_REPO := ghcr.io/carverauto/auth-server VERSION := v0.0.01 # Default target 
@@ -7,7 +7,7 @@ all: build
 
 # Build the binary locally
 build:
- go build -o jwks-server .
+ go build -o auth-server .
 
 # Build and push the container image using ko
 ko-build:
diff --git a/cmd/jwks-server/jwt/jwks.json b/cmd/auth-server/jwt/jwks.json
similarity index 100%
rename from cmd/jwks-server/jwt/jwks.json
rename to cmd/auth-server/jwt/jwks.json
diff --git a/cmd/jwks-server/jwt/jwtKeys.go b/cmd/auth-server/jwt/jwtKeys.go
similarity index 100%
rename from cmd/jwks-server/jwt/jwtKeys.go
rename to cmd/auth-server/jwt/jwtKeys.go
diff --git a/cmd/jwks-server/main.go b/cmd/auth-server/main.go
similarity index 59%
rename from cmd/jwks-server/main.go
rename to cmd/auth-server/main.go
index d3b7eba..a94e208 100644
--- a/cmd/jwks-server/main.go
+++ b/cmd/auth-server/main.go
@@ -9,33 +9,17 @@ import (
 )
 
 const (
- jwksPath = "/app/config/jwks.json"
 rulesPath = "/app/config/rules.json"
 )
 
 func main() {
 app := gofr.New()
 
- app.GET("/jwks.json", JWKSHandler)
 app.GET("/rules.json", RulesHandler)
 
 app.Run()
 }
 
-func JWKSHandler(c *gofr.Context) (interface{}, error) {
- data, err := os.ReadFile(jwksPath)
- if err != nil {
- return nil, err
- }
-
- var jsonObj interface{}
- if err := json.Unmarshal(data, &jsonObj); err != nil {
- return nil, err
- }
-
- return response.Raw{Data: jsonObj}, nil
-}
-
 func RulesHandler(c *gofr.Context) (interface{}, error) {
 data, err := os.ReadFile(rulesPath)
 if err != nil {
diff --git a/go.work.sum b/go.work.sum
index 69b0fb5..5715ec8 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -311,6 +311,7 @@ github.com/apache/arrow/go/v15 v15.0.2/go.mod h1:DGXsR3ajT524njufqf95822i+KTh+ye github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8= @@ -523,6 +524,7 @@ go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40 go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= 
@@ -564,7 +566,7 @@ golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -704,7 +706,7 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY= diff --git a/k8s/auth-server/base/auth-server-configmaps.yaml b/k8s/auth-server/base/auth-server-configmaps.yaml new file mode 100644 index 0000000..f467f1a --- /dev/null +++ b/k8s/auth-server/base/auth-server-configmaps.yaml 
@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oathkeeper-rules-data
+ namespace: eventrunner
+data:
+ rules.json: |
+ [
+ {
+ "id": "api-health-check",
+ "upstream": {
+ "preserve_host": true,
+ "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
+ },
+ "match": {
+ "url": "/api/v1/health",
+ "methods": ["GET"]
+ },
+ "authenticators": [
+ {
+ "handler": "anonymous",
+ "config": {
+ "subject": "guest"
+ }
+ }
+ ],
+ "authorizer": {
+ "handler": "allow"
+ },
+ "mutators": [
+ {
+ "handler": "noop"
+ }
+ ]
+ },
+ {
+ "id": "auth-check",
+ "upstream": {
+ "preserve_host": true,
+ "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
+ },
+ "match": {
+ "url": "/judge",
+ "methods": ["GET"]
+ },
+ "authenticators": [
+ {
+ "handler": "anonymous",
+ "config": {
+ "subject": "anonymous"
+ }
+ }
+ ],
+ "authorizer": {
+ "handler": "allow"
+ },
+ "mutators": [
+ {
+ "handler": "header",
+ "config": {
+ "headers": {
+ "X-User": "anonymous",
+ "X-Tenant-ID": "default",
+ "X-Request-Id": "{{ print .RequestID }}"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "id": "protected-endpoints",
+ "upstream": {
+ "preserve_host": true,
+ "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
+ },
+ "match": {
+ "url": "/api/v1/<.*>",
+ "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"]
+ },
+ "authenticators": [
+ {
+ "handler": "jwt",
+ "config": {
+ "jwks_urls": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com/.well-known/jwks.json"],
+ "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"]
+ }
+ }
+ ],
+ "authorizer": {
+ "handler": "allow"
+ },
+ "mutators": [
+ {
+ "handler": "header",
+ "config": {
+ "headers": {
+ "X-User": "{{ print .Subject }}",
+ "X-Tenant-ID": "{{ print .Extra.tenant_id }}",
+ "X-Request-Id": "{{ print .RequestID }}"
+ }
+ }
+ }
+ ]
+ }
+ ]
\ No newline at end of file
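Review bot: The `protected-endpoints` jwt authenticator no longer carries the `target_audience` check that the `judge-endpoint` rule earlier in this series had, so any token minted by the trusted Ory project for any audience is accepted for every method under `/api/v1/`; restore `"target_audience": ["eventrunner"]` inside that `config`. The `match.url` values are bare paths (`/api/v1/health`, `/judge`, `/api/v1/<.*>`) whereas Oathkeeper matches the full request URL and the earlier rules in this series used `http://host/path` forms, so unless the Oathkeeper version in use accepts path-only patterns none of these rules will match and every request falls through to a 404; `<.*>` is also regexp syntax while `oathkeeper-values.yaml` selects `matching_strategy: glob`, where `<**>` is the wildcard. The `header` mutator renders `X-Tenant-ID` from `{{ print .Extra.tenant_id }}`, which is empty when the claim is absent, and the `api-health-check` rule's `noop` mutator passes through whatever `X-User`/`X-Tenant-ID` a client sent, so the upstream must reject an empty tenant and must be reachable only through Oathkeeper (NetworkPolicy) for these headers to be trustworthy.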
diff --git a/k8s/jwks-server/base/jwks-server.yaml b/k8s/auth-server/base/auth-server.yaml
similarity index 60%
rename from k8s/jwks-server/base/jwks-server.yaml
rename to k8s/auth-server/base/auth-server.yaml
index 7cb5eeb..acaf501 100644
--- a/k8s/jwks-server/base/jwks-server.yaml
+++ b/k8s/auth-server/base/auth-server.yaml
@@ -1,38 +1,29 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: jwks-server
+ name: auth-server
 namespace: eventrunner
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: jwks-server
+ app: auth-server
 template:
 metadata:
 labels:
- app: jwks-server
+ app: auth-server
 spec:
 containers:
- - name: jwks-server
- image: ghcr.io/carverauto/jwks-server:v0.0.06
+ - name: auth-server
+ image: ghcr.io/carverauto/auth-server:v0.0.06
 imagePullPolicy: Always
 ports:
 - containerPort: 8000
 volumeMounts:
- - name: jwks-volume
- mountPath: /app/config/jwks.json
- subPath: jwks.json
 - name: rules-volume
 mountPath: /app/config/rules.json
 subPath: rules.json
 volumes:
- - name: jwks-volume
- configMap:
- name: jwks-data
- items:
- - key: jwks.json
- path: jwks.json
 - name: rules-volume
 configMap:
 name: oathkeeper-rules-data
diff --git a/k8s/auth-server/base/kustomization.yaml b/k8s/auth-server/base/kustomization.yaml
new file mode 100644
index 0000000..1e7363f
--- /dev/null
+++ b/k8s/auth-server/base/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - auth-server-configmaps.yaml
+ - auth-server.yaml
+ - service.yaml
\ No newline at end of file
diff --git a/k8s/jwks-server/base/service.yaml b/k8s/auth-server/base/service.yaml
similarity index 80%
rename from k8s/jwks-server/base/service.yaml
rename to k8s/auth-server/base/service.yaml
index e4442f9..232c423 100644
--- a/k8s/jwks-server/base/service.yaml
+++ b/k8s/auth-server/base/service.yaml
@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: jwks-server
+ name: auth-server
 namespace: eventrunner
 spec:
 selector:
- app: jwks-server
+ app: auth-server
 ports:
 - protocol: TCP
 port: 80
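Review bot: The `image:` line pulls `ghcr.io/carverauto/auth-server:v0.0.06` by mutable tag with `imagePullPolicy: Always`, and this pod now hands Oathkeeper its entire rule set, so whoever can push that tag can silently replace the access policy; pin the image by digest (`image: ghcr.io/carverauto/auth-server@sha256:<digest>`) and bump the tag when the binary changes — the tag here is carried over unchanged from the jwks-server image even though the JWKS handler was removed in this series. The rules file is mounted with `subPath: rules.json`, and kubelet does not refresh subPath mounts, so edits to the `oathkeeper-rules-data` ConfigMap will not reach a running pod until it restarts; mounting the directory instead (`mountPath: /app/config` without `subPath`, plus `readOnly: true`) keeps the file at the same path and makes it read-only. The container also declares no `securityContext` or resource limits, which is worth adding for a component that serves authorization policy.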
diff --git a/k8s/jwks-server/base/jwks-server-configmaps.yaml b/k8s/jwks-server/base/jwks-server-configmaps.yaml
deleted file mode 100644
index 165d442..0000000
--- a/k8s/jwks-server/base/jwks-server-configmaps.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: oathkeeper-rules-data
- namespace: eventrunner
-data:
- rules.json: |
- [
- {
- "id": "oathkeeper-health",
- "upstream": {
- "preserve_host": true,
- "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455"
- },
- "match": {
- "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/health/alive",
- "methods": ["GET"]
- },
- "authenticators": [
- {
- "handler": "noop"
- }
- ],
- "authorizer": {
- "handler": "allow"
- },
- "mutators": [
- {
- "handler": "noop"
- }
- ]
- },
- {
- "id": "judge-endpoint",
- "upstream": {
- "preserve_host": true,
- "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200"
- },
- "match": {
- "url": "http://oathkeeper-proxy.default.svc.cluster.local/judge",
- "methods": ["GET"]
- },
- "authenticators": [
- {
- "handler": "jwt",
- "config": {
- "jwks_urls": ["http://jwks-server.eventrunner.svc.cluster.local/jwks.json"],
- "trusted_issuers": ["https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"],
- "target_audience": ["eventrunner"]
- }
- }
- ],
- "authorizer": {
- "handler": "allow"
- },
- "mutators": [
- {
- "handler": "header",
- "config": {
- "headers": {
- "X-User": "{{ print .Subject }}",
- "X-Tenant-ID": "{{ print .Extra.tenant_id }}",
- "X-Request-Id": "{{ print .RequestID }}"
- }
- }
- }
- ]
- }
- ]
\ No newline at end of file
diff --git a/k8s/jwks-server/base/kustomization.yaml b/k8s/jwks-server/base/kustomization.yaml
deleted file mode 100644
index d388ba1..0000000
--- a/k8s/jwks-server/base/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-resources:
- - jwks-server-configmaps.yaml
- - jwks-server.yaml
- - service.yaml
\ No newline at end of file
diff --git a/k8s/ory/oathkeeper/access-rules-configmap.yaml b/k8s/ory/oathkeeper/access-rules-configmap.yaml
deleted file mode 100644
index 27201ce..0000000
--- a/k8s/ory/oathkeeper/access-rules-configmap.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: oathkeeper-access-rules
-data:
- access-rules.json: |
- [
- {
- "id": "health-readiness",
- "match": {
- "url": "http://127.0.0.1:4456/health/*",
- "methods": [
- "GET"
- ]
- },
- "authenticators": [
- {
- "handler": "anonymous"
- }
- ],
- "authorizer": {
- "handler": "allow"
- },
- "mutators": [
- {
- "handler": "noop"
- }
- ]
- },
- {
- "id": "default",
- "match": {
- "url": "http://127.0.0.1:4456/*",
- "methods": [
- "GET"
- ]
- },
- "authenticators": [
- {
- "handler": "anonymous"
- }
- ],
- "authorizer": {
- "handler": "allow"
- },
- "mutators": [
- {
- "handler": "noop"
- }
- ]
- }
- ]
\ No newline at end of file
diff --git a/k8s/ory/oathkeeper/access-rules.json b/k8s/ory/oathkeeper/access-rules.json
deleted file mode 100644
index e1eeefb..0000000
--- a/k8s/ory/oathkeeper/access-rules.json
+++ /dev/null
@@ -1,46 +0,0 @@
-[
- {
- "id": "health-readiness",
- "match": {
- "url": "http://127.0.0.1:4456/health/*",
- "methods": [
- "GET"
- ]
- },
- "authenticators": [
- {
- "handler": "anonymous"
- }
- ],
- "authorizer": {
- "handler": "allow"
- },
- "mutators": [
- {
- "handler": "noop"
- }
- ]
- },
- {
- "id": "default",
- "match": {
- "url": "http://127.0.0.1:4456/*",
- "methods": [
- "GET"
- ]
- },
- "authenticators": [
- {
- "handler": "anonymous"
- }
- ],
- "authorizer": {
- "handler": "allow"
- },
- "mutators": [
- {
- "handler": "noop"
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/k8s/ory/oathkeeper/nginx-auth-config.yaml b/k8s/ory/oathkeeper/nginx-auth-config.yaml
index 45a902e..1c0bff9 100644
--- a/k8s/ory/oathkeeper/nginx-auth-config.yaml
+++ b/k8s/ory/oathkeeper/nginx-auth-config.yaml
@@ -39,7 +39,7 @@ data:
 enabled: true
 config:
 jwks_urls:
- http://jwks-server.eventrunner.svc.cluster.local/jwks.json
+ - https://affectionate-brattain-fl0yahcycw.projects.oryapis.com/.well-known/jwks.json
 
 authorizers:
 allow:
diff --git a/k8s/ory/oathkeeper/oathkeeper-values.yaml b/k8s/ory/oathkeeper/oathkeeper-values.yaml
index 48de788..230e641 100644
--- a/k8s/ory/oathkeeper/oathkeeper-values.yaml
+++ b/k8s/ory/oathkeeper/oathkeeper-values.yaml
@@ -5,6 +5,23 @@ oathkeeper:
 port: 4455
 cors:
 enabled: true
+ allowed_origins:
+ - "*"
+ allowed_methods:
+ - POST
+ - GET
+ - PUT
+ - PATCH
+ - DELETE
+ allowed_headers:
+ - Authorization
+ - Content-Type
+ exposed_headers:
+ - X-User
+ - X-Tenant-ID
+ - X-Request-Id
+ allow_credentials: true
+ debug: true
 api:
 port: 4456
 cors:
@@ -12,7 +29,7 @@ oathkeeper:
 
 access_rules:
 repositories:
- http://jwks-server.eventrunner.svc.cluster.local/rules.json
+ "http://auth-server.eventrunner.svc.cluster.local/rules.json"
 matching_strategy: glob
 
 authenticators:
@@ -26,7 +43,7 @@ oathkeeper:
 enabled: true
 config:
 jwks_urls:
- http://jwks-server.eventrunner.svc.cluster.local/jwks.json
+ - "https://affectionate-brattain-fl0yahcycw.projects.oryapis.com/.well-known/jwks.json"
 
 authorizers:
 allow:
@@ -35,12 +52,14 @@ oathkeeper:
 mutators:
 noop:
 enabled: true
- id_token:
- enabled: true
+ header:
 config:
- issuer_url: "https://affectionate-brattain-fl0yahcycw.projects.oryapis.com"
- jwks_url: http://jwks-server.eventrunner.svc.cluster.local/jwks.json
- ttl: "15m"
+ headers: {} # This is important - we're enabling header mutator with empty default config
+ enabled: true
+
+ log:
+ level: debug
+ format: json
 
 deployment:
 replicas: 1
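Review bot: The proxy CORS block pairs `allowed_origins: ["*"]` with `allow_credentials: true`; browsers refuse credentialed responses that carry `Access-Control-Allow-Origin: *`, and if the CORS middleware instead reflects the request's `Origin` to satisfy the credentials flag, any website can make authenticated cross-origin calls through the proxy with the user's cookies. List the real front-end origins (`allowed_origins: ["https://<frontend-host>"]`) or drop `allow_credentials`. `exposed_headers` makes `X-User` and `X-Tenant-ID` readable by browser scripts although those headers are injected toward the upstream and a client has no need for them, and `debug: true` here together with `log.level: debug` in the later hunk belong in a dev overlay rather than the base values.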
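Review bot: `access_rules.repositories` now loads the whole access policy over plain `http://` from `auth-server.eventrunner.svc.cluster.local` with no authentication or integrity check, so anything in the cluster that can answer for that Service name (a compromised pod in the namespace, a replaced Service or Endpoints object) can hand Oathkeeper permissive rules. The `oathkeeper-rules-data` ConfigMap that auth-server serves could be mounted into the Oathkeeper pod directly and referenced as `file:///<mount-path>/rules.json`, which removes the network hop and the extra deployment altogether; if the HTTP fetch stays, restrict who can reach and who can be auth-server with a NetworkPolicy and serve it over TLS.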