feat: addes custom nginx to helm charts for CoMPAS services

Signed-off-by: David Monichi <[email protected]>
com-pas · Feb 14, 2025 · 5b9d355 · 5b9d355
1 parent c5a515d
commit 5b9d355
Show file tree

Hide file tree

Showing 39 changed files with 541 additions and 133 deletions.
diff --git a/helm/charts/compas-keycloak/resources/compas-realm.json b/helm/charts/compas-keycloak/resources/compas-realm.json
@@ -1248,17 +1248,17 @@
             "clientId": "cim-mapping",
             "name": "CIM Mapping",
             "description": "CIM Mapping Service to convert CIM Data to SCL Data",
-            "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/",
-            "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/",
+            "rootUrl": "{{ .Values.public.keycloak.hostname }}/",
+            "adminUrl": "{{ .Values.public.keycloak.hostname }}/",
             "surrogateAuthRequired": false,
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
             "redirectUris": [
-                "{{ .Values.global.keycloak.baseUrl }}/*"
+                "{{ .Values.public.keycloak.hostname }}/*"
             ],
             "webOrigins": [
-                "{{ .Values.global.keycloak.baseUrl }}"
+                "{{ .Values.public.keycloak.hostname }}"
             ],
             "notBefore": 0,
             "bearerOnly": false,
@@ -1328,17 +1328,17 @@
         {
             "id": "ace17366-e696-4821-9f24-89b797acb736",
             "clientId": "openscd",
-            "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/",
-            "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/",
+            "rootUrl": "{{ .Values.public.keycloak.hostname }}/",
+            "adminUrl": "{{ .Values.public.keycloak.hostname }}/",
             "surrogateAuthRequired": false,
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
             "redirectUris": [
-                "{{ .Values.global.keycloak.baseUrl }}/*"
+                "{{ .Values.public.keycloak.hostname }}/*"
             ],
             "webOrigins": [
-                "{{ .Values.global.keycloak.baseUrl }}"
+                "{{ .Values.public.keycloak.hostname }}"
             ],
             "notBefore": 0,
             "bearerOnly": false,
@@ -1447,17 +1447,17 @@
             "clientId": "scl-auto-alignment",
             "name": "SCL Auto Alignment Service",
             "description": "The SCL Auto Alignment Service for calculating XY Coordinates",
-            "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/",
-            "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/",
+            "rootUrl": "{{ .Values.public.keycloak.hostname }}/",
+            "adminUrl": "{{ .Values.public.keycloak.hostname }}/",
             "surrogateAuthRequired": false,
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
             "redirectUris": [
-                "{{ .Values.global.keycloak.baseUrl }}/*"
+                "{{ .Values.public.keycloak.hostname }}/*"
             ],
             "webOrigins": [
-                "{{ .Values.global.keycloak.baseUrl }}"
+                "{{ .Values.public.keycloak.hostname }}"
             ],
             "notBefore": 0,
             "bearerOnly": false,
@@ -1529,17 +1529,17 @@
             "clientId": "scl-data-service",
             "name": "SCL Data Service",
             "description": "The SCL Data Service for storing / retrieving SCLs",
-            "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/",
-            "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/",
+            "rootUrl": "{{ .Values.public.keycloak.hostname }}/",
+            "adminUrl": "{{ .Values.public.keycloak.hostname }}/",
             "surrogateAuthRequired": false,
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
             "redirectUris": [
-                "{{ .Values.global.keycloak.baseUrl }}/*"
+                "{{ .Values.public.keycloak.hostname }}/*"
             ],
             "webOrigins": [
-                "{{ .Values.global.keycloak.baseUrl }}"
+                "{{ .Values.public.keycloak.hostname }}"
             ],
             "notBefore": 0,
             "bearerOnly": false,
@@ -1611,17 +1611,17 @@
             "clientId": "scl-validator",
             "name": "SCL Validator Service",
             "description": "The SCL Validator Service to validate SCL Files",
-            "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/",
-            "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/",
+            "rootUrl": "{{ .Values.public.keycloak.hostname }}/",
+            "adminUrl": "{{ .Values.public.keycloak.hostname }}/",
             "surrogateAuthRequired": false,
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
             "redirectUris": [
-                "{{ .Values.global.keycloak.baseUrl }}/*"
+                "{{ .Values.public.keycloak.hostname }}/*"
             ],
             "webOrigins": [
-                "{{ .Values.global.keycloak.baseUrl }}"
+                "{{ .Values.public.keycloak.hostname }}"
             ],
             "notBefore": 0,
             "bearerOnly": false,
@@ -1693,17 +1693,17 @@
             "clientId": "sitipe-service",
             "name": "Sitipe Service",
             "description": "The Sitipe Service to retrieve Sitipe related data",
-            "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/",
-            "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/",
+            "rootUrl": "{{ .Values.public.keycloak.hostname }}/",
+            "adminUrl": "{{ .Values.public.keycloak.hostname }}/",
             "surrogateAuthRequired": false,
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
             "redirectUris": [
-                "{{ .Values.global.keycloak.baseUrl }}/*"
+                "{{ .Values.public.keycloak.hostname }}/*"
             ],
             "webOrigins": [
-                "{{ .Values.global.keycloak.baseUrl }}"
+                "{{ .Values.public.keycloak.hostname }}"
             ],
             "notBefore": 0,
             "bearerOnly": false,
@@ -3204,7 +3204,7 @@
         "clientSessionIdleTimeout": "0",
         "parRequestUriLifespan": "60",
         "clientSessionMaxLifespan": "0",
-        "frontendUrl": "{{ .Values.global.keycloak.baseUrl }}/auth",
+        "frontendUrl": "{{ .Values.public.keycloak.hostname }}/auth",
         "clientOfflineSessionIdleTimeout": "0",
         "cibaInterval": "5"
     },

diff --git a/helm/charts/compas-keycloak/values.yaml b/helm/charts/compas-keycloak/values.yaml
@@ -1,18 +1,24 @@
 config:
   keycloak:
-    keycloakUrl: "http://localhost/"
-    clientUrl: "http://localhost/"
+    keycloakUrl: "http://compas.local/"
+    clientUrl: "http://compas.local/"
+
+service:
+  environment:
+    public:
+      keycloak:
+        realm: compas
 
 keycloak:
   postgresql:
     enabled: false
 
   ingress:
     enabled: true;
-    hostname: "localhost"
+    hostname: "compas.local"
     annotations:
       alb.ingress.kubernetes.io/group.name: "openscd"
-      external-dns.alpha.kubernetes.io/hostname: localhost
+      external-dns.alpha.kubernetes.io/hostname: compas.local
       kubernetes.io/ingress.class: nginx
 
   extraEnvVars:

diff --git a/helm/charts/compas-nginx/resources/authenticate.include b/helm/charts/compas-nginx/resources/authenticate.include
@@ -0,0 +1,24 @@
+access_by_lua_block {
+  local opts = {
+    redirect_uri = "http://compas.local/redirect_uri",
+    discovery = "http://compas.local/realms/compas/.well-known/openid-configuration",
+    client_id = "openscd",
+    redirect_uri_scheme = "http",
+    logout_path = "/logout",
+    redirect_after_logout_uri = "http://compas.local/realms/compas/protocol/openid-connect/logout?redirect_uri=http://compas.local/",
+    redirect_after_logout_with_id_token_hint = false,
+    session_contents = {id_token=true, access_token=true},
+    renew_access_token_on_expiry = true,
+  }
+
+  -- call introspect for OAuth 2.0 Bearer Access Token validation
+  local res, err = require("resty.openidc").authenticate(opts)
+
+  if err then
+    ngx.status = 403
+    ngx.say(err)
+    ngx.exit(ngx.HTTP_FORBIDDEN)
+  end
+
+  ngx.var.access_token = res.access_token
+}
diff --git a/helm/charts/compas-nginx/resources/nginx.conf b/helm/charts/compas-nginx/resources/nginx.conf
@@ -0,0 +1,194 @@
+worker_processes 1;
+error_log /var/log/nginx/error.log debug;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+   # set search paths for pure Lua external libraries (';;' is the default path):
+   lua_package_path '/usr/local/openresty/lualib/?.lua;;';
+   # cache for discovery metadata documents
+   lua_shared_dict discovery 1m;
+   # cache for JWKs
+   lua_shared_dict jwks 1m;
+
+   resolver 127.0.0.11;
+   index   index.html index.htm;
+
+   server {
+     set $access_token '';
+     set $session_cookie_samesite off;
+     set $session_name compas_session;
+
+     listen       80 default_server;
+     listen       [::]:80 default_server;
+     server_name  reverse-proxy;
+
+     # set client body size to 150M #
+     client_max_body_size 150M;
+
+     # I disabled caching so the browser won't cache the site.
+     expires           0;
+     add_header        Cache-Control private;
+
+     # Default forward all web calls to the OpenSCD Container
+     location / {
+       include /etc/nginx/include/authenticate.include;
+
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+
+       proxy_pass http://compas-openscd/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+     # Forwarding to KeyCloak container.
+     location /realms/ {
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+
+       proxy_pass http://compas-keycloak/realms/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+     # Forwarding to KeyCloak container.
+     location /auth/ {
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+
+       proxy_pass http://compas-keycloak/auth/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+     # Forwarding to the SCL Validator Service container (websockets).
+     location /compas-scl-data-service/scl-ws/ {
+       include /etc/nginx/include/authenticate.include;
+
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade           $http_upgrade;
+       proxy_set_header Connection        "Upgrade";
+       proxy_set_header Host              $host;
+
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+       proxy_set_header Authorization     "Bearer ${access_token}";
+
+       proxy_pass http://compas-keycloak/compas-scl-data-service/scl-ws/;
+     }
+
+     # Forwarding to the SCL Data Service container.
+     location /compas-scl-data-service/ {
+       include /etc/nginx/include/authenticate.include;
+
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+       proxy_set_header Authorization     "Bearer ${access_token}";
+
+       proxy_pass http://compas-keycloak/compas-scl-data-service/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+     # Forwarding to the CIM Mapping Service container.
+     location /compas-cim-mapping/ {
+       include /etc/nginx/include/authenticate.include;
+
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+       proxy_set_header Authorization     "Bearer ${access_token}";
+
+       proxy_pass http://compas-keycloak/compas-cim-mapping/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+     # Forwarding to the SCL Auto Alignment Service container.
+     location /compas-scl-auto-alignment/ {
+       include /etc/nginx/include/authenticate.include;
+
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+       proxy_set_header Authorization     "Bearer ${access_token}";
+
+       proxy_pass http://compas-keycloak/compas-scl-auto-alignment/;
+
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+     # Forwarding to the SCL Validator Service container (websockets).
+     location /compas-scl-validator/validate-ws/ {
+       include /etc/nginx/include/authenticate.include;
+
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade           $http_upgrade;
+       proxy_set_header Connection        "Upgrade";
+       proxy_set_header Host              $host;
+
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+       proxy_set_header Authorization     "Bearer ${access_token}";
+
+       proxy_pass http://compas-keycloak/compas-scl-validator/validate-ws/;
+     }
+
+     # Forwarding to the SCL Validator Service container (http).
+     location /compas-scl-validator/ {
+       include /etc/nginx/include/authenticate.include;
+
+       proxy_set_header Host              $http_host;
+
+       proxy_set_header X-Real-IP         $remote_addr;
+       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Forwarded-Port  $server_port;
+       proxy_set_header Authorization     "Bearer ${access_token}";
+
+       proxy_pass http://compas-keycloak/compas-scl-validator/;
+
+       proxy_cache_bypass $http_upgrade;
+       proxy_redirect off;
+     }
+
+     # redirect server error pages to the static page /40x.html
+     error_page 404 /404.html;
+       location = /40x.html {
+     }
+     # redirect server error pages to the static page /50x.html
+     error_page 500 502 503 504 /50x.html;
+       location = /50x.html {
+     }
+   }
+}
diff --git a/helm/charts/compas-nginx/templates/_helpers.tpl b/helm/charts/compas-nginx/templates/_helpers.tpl
@@ -46,7 +46,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 Selector labels
 */}}
 {{- define "application.selectorLabels" -}}
-app.kubernetes.io/name: {{ include ".Chart.name" . }}
+app.kubernetes.io/name: {{ .Chart.Name }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}