Skip to content

Commit

Permalink
Add support for the RBAC feature.
Browse files Browse the repository at this point in the history
This PR adds two new options RBAC (bool) and RBAC_CONFIG
(string) which allow configuring RBAC in Weaviate.

It also improves the help information displayed when no
option is passed or when local-k8s.sh --help is executed.

Last, it improves the busy loops that wait for services to
be ready which were kind of broken before and adds an automatic
way to pass authentication if required.
  • Loading branch information
jfrancoa committed Nov 15, 2024
1 parent ebe5079 commit c2fd69e
Show file tree
Hide file tree
Showing 6 changed files with 298 additions and 32 deletions.
32 changes: 31 additions & 1 deletion .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@ jobs:
WEAVIATE_GRPC_PORT: '50052'
HELM_BRANCH: 'master'
ENABLE_BACKUP: 'true'
RBAC: 'true'
RBAC_CONFIG: './rbac-config.yaml'
VALUES_OVERRIDE: |
storage:
size: 50Gi
Expand All @@ -67,6 +69,32 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Create RBAC config file
run: |
cat > rbac-config.yaml << 'EOF'
authentication:
anonymous_access:
enabled: false
apikey:
enabled: true
allowed_keys:
- admin-key
- reader-key
users:
- admin
- reader
roles:
- admin
- reader
oidc:
enabled: false
authorization:
admin_list:
enabled: true
users:
- admin
- reader
EOF
- name: Deploy weaviate-local-k8s from current branch.
id: invoke-local-k8s
uses: ./
Expand All @@ -81,6 +109,8 @@ jobs:
enable-backup: ${{ env.ENABLE_BACKUP }}
values-inline: ${{ env.VALUES_INLINE }}
observability: 'true'
rbac: ${{ env.RBAC }}
rbac-config: ${{ env.RBAC_CONFIG }}
- name: Check the configured values
run: |
replicas=$(kubectl get sts weaviate -n weaviate -o=jsonpath="{.spec.replicas}")
Expand All @@ -93,7 +123,7 @@ jobs:
echo "Error: Workers count is not equal to ${{ env.WORKERS }}. Found $workers"
exit 1
fi
versions=$(curl -s http://127.0.0.1:${{ env.WEAVIATE_PORT }}/v1/nodes | jq '.nodes[] | .version' | tr -d '"')
versions=$(curl -H "Authorization: Bearer admin-key" -s http://127.0.0.1:${{ env.WEAVIATE_PORT }}/v1/nodes | jq '.nodes[] | .version' | tr -d '"')
for version in `echo $versions | tr '\n' ' '`; do
if [[ "$version" != "1.25.0" ]]; then
echo "Error: Version is not equal to 1.25.0. Found $version"
Expand Down
38 changes: 38 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ This GitHub composite action allows you to deploy Weaviate to a local Kubernetes
- **enable-backup**: When set to true it configures Weaviate to support S3 backups using MinIO. Refer to the [backup and restore](https://weaviate.io/developers/weaviate/configuration/backups#) documentation for more information.
- **s3-offload**: When set to true it configures Weaviate to support S3 tenant offloading using MinIO. This functionality is only supported in Weaviate 1.26
- **values-override**: Override values for the Helm chart in YAML string. (Optional, default: '')
- **rbac**: When set to true it will create an admin user with admin role and the API key be `admin-key`. (Optional, default: 'false')
- **rbac-config**: File location containing the RBAC configuration in YAML format. (Optional, default: '')

### Usage
To use this action in your GitHub Actions workflow, you can add the following step:
Expand Down Expand Up @@ -67,6 +69,8 @@ You can also execute the local-k8s.sh script locally. Ensure you have the requir
Then, you can execute the script with the desired option:
```bash
#Setup Weaviate instance with RBAC enabled (default admin user only)
WEAVIATE_VERSION="1.28.0" RBAC=true REPLICAS=3 ./local-k8s.sh setup

# Setup Weaviate on local Kubernetes
WEAVIATE_VERSION="1.24.4" REPLICAS=3 ./local-k8s.sh setup
Expand All @@ -90,6 +94,8 @@ The environment variables that can be passed are:
- **REPLICAS**
- **HELM_BRANCH**
- **MODULES**
- **RBAC**
- **RBAC_CONFIG**

Example, running preview version of Weaviate, using the `raft-configuration` weaviate-helm branch:
```bash
Expand Down Expand Up @@ -139,3 +145,35 @@ Make sure your images are present in your environment, as otherwise the script w
This action is invoked from a GitHub Actions workflow using the uses keyword followed by the action's repository and version. Input values can be provided using the with keyword within the workflow YAML file.

For local execution of the local-k8s.sh script, ensure you have the necessary dependencies installed and then execute the script with one of the supported options: setup, upgrade, or clean.


### RBAC

Role-Based Access Control (RBAC) is integrated into this repository to manage and secure access to Weaviate. To facilitate configuration, a test example is provided in the `rbac.yaml.example` file.

You have two options to configure RBAC:

1. **Enable RBAC with Default Settings:**

Simply set the `RBAC` environment variable to `true` when running the setup script. This enables RBAC using the default configuration, which creates an admin user with admin role and the API key be `admin-key`.

```bash
RBAC=true WEAVIATE_VERSION="1.28.6" REPLICAS=1 WORKERS=1 ./local-k8s.sh setup
```

2. **Use a Custom RBAC Configuration:**

For a customized RBAC setup, specify the path to your YAML configuration file using the `RBAC_CONFIG` environment variable. This allows you to define specific roles, users, and permissions as needed.

```bash
RBAC=true RBAC_CONFIG="./custom-rbac.yaml" WEAVIATE_VERSION="1.28.2" REPLICAS=4 WORKERS=3 ./local-k8s.sh setup
```

Make sure to create and configure your `custom-rbac.yaml` based on the structure provided in `rbac.yaml.example`.

By leveraging RBAC, you can ensure that access to Weaviate is managed securely and tailored to your specific requirements.

```



10 changes: 10 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,14 @@ inputs:
description: 'Enable observability stack'
required: false
default: 'false'
rbac:
description: 'Enable RBAC. By default it will create an admin user with admin role and the API key be `admin-key`'
required: false
default: 'false'
rbac-config:
description: 'File location containing the RBAC configuration in YAML format'
required: false
default: ''

runs:
using: 'composite'
Expand Down Expand Up @@ -85,6 +93,8 @@ runs:
DELETE_STS: ${{ inputs.delete-sts }}
VALUES_INLINE: ${{ inputs.values-inline }}
OBSERVABILITY: ${{ inputs.observability }}
RBAC: ${{ inputs.rbac }}
RBAC_CONFIG: ${{ inputs.rbac-config }}
run: ${{ github.action_path }}/local-k8s.sh $OPERATION
- name: Retrieve weaviate logs
shell: bash
Expand Down
24 changes: 17 additions & 7 deletions local-k8s.sh
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ OBSERVABILITY=${OBSERVABILITY:-"true"}
PROMETHEUS_PORT=9091
GRAFANA_PORT=3000
TARGET=""
RBAC=${RBAC:-"false"}
RBAC_CONFIG=${RBAC_CONFIG:-""}


function get_timeout() {
Expand Down Expand Up @@ -188,6 +190,14 @@ EOF
wait_for_all_healthy_nodes $REPLICAS
echo_green "setup # Success"
echo_green "setup # Weaviate is up and running on http://localhost:$WEAVIATE_PORT"
if [[ $RBAC == "true" && -n "$RBAC_CONFIG" ]]; then
echo_green "setup # RBAC is enabled"
fi
auth_enabled=$(is_auth_enabled)
if [[ "$auth_enabled" == "true" ]]; then
bearer_token=$(get_bearer_token)
echo_green "setup # You can now access the Weaviate API with the following API key: $bearer_token"
fi
if [[ $OBSERVABILITY == "true" ]]; then
echo_green "setup # Grafana is accessible on http://localhost:$GRAFANA_PORT (admin/admin)"
echo_green "setup # Prometheus is accessible on http://localhost:$PROMETHEUS_PORT"
Expand Down Expand Up @@ -232,16 +242,16 @@ function clean() {
# Check if any options are passed
if [ $# -eq 0 ]; then
echo "Usage: $0 <options> <flags>"
echo "options:"
echo " setup"
echo " clean"
echo " upgrade"
echo "flags:"
echo " --local-images (optional) [Upload local images to the cluster]"
show_help
exit 1
fi
# Show help if requested
if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
show_help
exit 0
fi
# Check if all requirements are installed
for requirement in "${REQUIREMENTS[@]}"; do
if ! command -v $requirement &> /dev/null; then
Expand Down
22 changes: 22 additions & 0 deletions rbac.yaml.example
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
authentication:
anonymous_access:
enabled: false
apikey:
enabled: true
allowed_keys:
- admin-key
- reader-key
users:
- admin
- reader
roles:
- admin
- reader
oidc:
enabled: false
authorization:
admin_list:
enabled: true
users:
- admin
- reader
Loading

0 comments on commit c2fd69e

Please sign in to comment.