From cd2476be9abda028031d871b9467328128ef6a89 Mon Sep 17 00:00:00 2001
From: thongdk8
Date: Fri, 27 Dec 2024 14:14:30 +0900
Subject: [PATCH] Add auth config for scalar manager

---
 charts/scalar-manager/README.md | 9 ++-
 .../templates/scalar-manager/deployment.yaml | 7 +++
 .../templates/scalar-manager/service.yaml | 23 ++++++-
 charts/scalar-manager/values.schema.json | 43 +++++++++++--
 charts/scalar-manager/values.yaml | 61 ++++++++++++++++++-
 5 files changed, 132 insertions(+), 11 deletions(-)

diff --git a/charts/scalar-manager/README.md b/charts/scalar-manager/README.md
index 15eb3395..7d9502c7 100644
--- a/charts/scalar-manager/README.md
+++ b/charts/scalar-manager/README.md
@@ -27,12 +27,17 @@ Current chart version is `3.0.0-SNAPSHOT`
 | securityContext.allowPrivilegeEscalation | bool | `false` | |
 | securityContext.capabilities.drop[0] | string | `"ALL"` | |
 | securityContext.runAsNonRoot | bool | `true` | |
-| service.port | int | `80` | |
-| service.type | string | `"ClusterIP"` | |
+| service.api.port | int | `8080` | |
+| service.api.type | string | `"ClusterIP"` | |
+| service.web.port | int | `80` | |
+| service.web.type | string | `"ClusterIP"` | |
 | serviceAccount.automountServiceAccountToken | bool | `true` | |
 | serviceAccount.serviceAccountName | string | `""` | |
 | tolerations | list | `[]` | |
+| web.authorization.baseUrl | string | `"http://localhost:8080"` | |
+| web.authorization.enabled | bool | `false` | |
 | web.image.pullPolicy | string | `"IfNotPresent"` | |
 | web.image.repository | string | `"ghcr.io/scalar-labs/scalar-manager-web"` | |
 | web.image.tag | string | `""` | |
+| web.operation.baseUrl | string | `"http://localhost:8080"` | |
 | web.resources | object | `{}` | |
diff --git a/charts/scalar-manager/templates/scalar-manager/deployment.yaml b/charts/scalar-manager/templates/scalar-manager/deployment.yaml
index 289bbe4f..ad6aaa1b 100644
--- a/charts/scalar-manager/templates/scalar-manager/deployment.yaml
+++ b/charts/scalar-manager/templates/scalar-manager/deployment.yaml
@@ -44,6 +44,13 @@ spec:
 image: "{{ .Values.web.image.repository }}:{{ .Values.web.image.tag | default .Chart.AppVersion }}"
 resources:
 {{- toYaml .Values.web.resources | nindent 12 }}
+ env:
+ - name: NEXT_PUBLIC_AUTH_ENABLED
+ value: {{ .Values.web.authorization.enabled | quote }}
+ - name: NEXT_PUBLIC_PERSISTENCE_API_BASE_URL
+ value: {{ .Values.web.authorization.baseUrl | quote }}
+ - name: NEXT_PUBLIC_OPERATION_API_BASE_URL
+ value: {{ .Values.web.operation.baseUrl | quote }}
 ports:
 - containerPort: 3000
 imagePullPolicy: {{ .Values.web.image.pullPolicy }}
diff --git a/charts/scalar-manager/templates/scalar-manager/service.yaml b/charts/scalar-manager/templates/scalar-manager/service.yaml
index eea2cf3d..bc1182d6 100644
--- a/charts/scalar-manager/templates/scalar-manager/service.yaml
+++ b/charts/scalar-manager/templates/scalar-manager/service.yaml
@@ -1,16 +1,33 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: {{ include "scalar-manager.fullname" . }}
+ name: {{ include "scalar-manager.fullname" . }}-web
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "scalar-manager.labels" . | nindent 4 }}
 spec:
- type: {{ .Values.service.type }}
+ type: {{ .Values.service.web.type }}
 ports:
 - protocol: TCP
 name: web
- port: {{ .Values.service.port }}
+ port: {{ .Values.service.web.port }}
 targetPort: 3000
 selector:
 {{- include "scalar-manager.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "scalar-manager.fullname" . }}-api
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "scalar-manager.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.api.type }}
+ ports:
+ - protocol: TCP
+ name: api
+ port: {{ .Values.service.api.port }}
+ targetPort: 8080
+ selector:
+ {{- include "scalar-manager.selectorLabels" . | nindent 4 }}
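Review bot: The two base URLs are handed to the web container as `NEXT_PUBLIC_*` variables, and under the Next.js convention that prefix means the value is shipped to the browser, so `web.authorization.baseUrl` and `web.operation.baseUrl` must be URLs the end user's browser can reach rather than the in-cluster `-api` Service name; the `http://localhost:8080` default therefore only works with a local port-forward. Whether the image reads these at container start or only at build time is not visible in this patch and should be confirmed before relying on them. The name `NEXT_PUBLIC_PERSISTENCE_API_BASE_URL` is fed from `web.authorization.baseUrl`, which is easy to misread; a comment above `env:` such as `# NEXT_PUBLIC_* values are visible to the browser; both URLs must be reachable from the user's browser, not only in-cluster` would help. The container spec this `env:` block belongs to starts and ends outside the hunk.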
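Review bot: Renaming the existing Service from `{{ include "scalar-manager.fullname" . }}` to the `-web` suffixed name is a breaking change for anything in the cluster that addresses the old name (an Ingress backend, a port-forward script, another chart), and nothing in the commit calls that out. The README hunk documents the new `service.web.*` and `service.api.*` keys but not the rename, so a short upgrade note in the README or chart changelog would be appropriate. The two Service manifests are identical apart from name, port and targetPort; a template comment on the `-api` Service stating that it fronts the operational API on port 8080 and, if that is the intent, that it is expected to stay cluster-internal would make the split easier to read.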
diff --git a/charts/scalar-manager/values.schema.json b/charts/scalar-manager/values.schema.json
index 01114dcb..b61ec780 100644
--- a/charts/scalar-manager/values.schema.json
+++ b/charts/scalar-manager/values.schema.json
@@ -94,11 +94,27 @@
 "service": {
 "type": "object",
 "properties": {
- "port": {
- "type": "integer"
+ "api": {
+ "type": "object",
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "type": {
+ "type": "string"
+ }
+ }
 },
- "type": {
- "type": "string"
+ "web": {
+ "type": "object",
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "type": {
+ "type": "string"
+ }
+ }
 }
 }
 },
@@ -119,6 +135,17 @@
 "web": {
 "type": "object",
 "properties": {
+ "authorization": {
+ "type": "object",
+ "properties": {
+ "baseUrl": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
 "image": {
 "type": "object",
 "properties": {
@@ -133,6 +160,14 @@
 }
 }
 },
+ "operation": {
+ "type": "object",
+ "properties": {
+ "baseUrl": {
+ "type": "string"
+ }
+ }
+ },
 "resources": {
 "type": "object"
 }
diff --git a/charts/scalar-manager/values.yaml b/charts/scalar-manager/values.yaml
index 0844ca35..df184ec2 100644
--- a/charts/scalar-manager/values.yaml
+++ b/charts/scalar-manager/values.yaml
@@ -27,8 +27,12 @@ nodeSelector: {}
 tolerations: []
 service:
- type: ClusterIP
- port: 80
+ web:
+ type: ClusterIP
+ port: 80
+ api:
+ type: ClusterIP
+ port: 8080
 serviceAccount:
 serviceAccountName: ""
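Review bot: The `service` schema gains `api` and `web` objects but still accepts unknown keys, so a user's existing values file with the old `service.port`/`service.type` keys validates and is silently ignored now that the templates read `.Values.service.web.*`; adding `"additionalProperties": false` to the `service` object, next to its `properties`, would turn that into a validation error at upgrade time. The same applies to the new `web.authorization` and `web.operation` objects in the following two hunks, where a misspelled `enabled` key would quietly leave authorization disabled. Whether the rest of the schema already uses `additionalProperties` is not visible in this patch, so match its existing convention.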
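Review bot: `service.api.type` is a new user-facing knob with no comment on what it exposes; the `-api` Service it drives fronts port 8080, whose operational endpoints default to `app.authorization.enabled=false` per the api properties later in this file, so switching the type to `NodePort` or `LoadBalancer` publishes an API with authorization off outside the cluster. A comment above `api:` such as `# Exposes the scalar-manager API (port 8080); keep ClusterIP unless authorization is enabled and the API is meant to be reachable from outside the cluster` would make that trade-off visible. The rename of `service.port`/`service.type` to `service.web.*` is also undocumented here; a one-line `# Renamed from service.type/service.port` comment would help users migrating values files.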
@@ -80,12 +84,65 @@ api:
 paused-state-retention.storage=${PAUSED_STATE_RETENTION_STORAGE:configmap}
 paused-state-retention.max-number=${PAUSED_STATE_RETENTION_MAX_NUMBER:100}
+ # JWT configuration
+ # P-256 (secp256k1) private key in PKCS8 format, using for signing JWT tokens, required when persistence endpoints are enabled
+ authentication.providers.static-jwt.private-key=${AUTHENTICATION_PROVIDERS_STATIC_JWT_PRIVATE_KEY:}
+ # Public key in X.509/SPKI format using for verifying JWT tokens, when authentication is enabled, this key is used for verifying JWT tokens
+ authentication.providers.static-jwt.public-key=${AUTHENTICATION_PROVIDERS_STATIC_JWT_PUBLIC_KEY:}
+ authentication.providers.static-jwt.issuer-uri=${AUTHENTICATION_PROVIDERS_STATIC_JWT_ISSUER_URI:https://scalar-manager.scalar-labs.com}
+ authentication.providers.static-jwt.access-token-expiration-time=${AUTHENTICATION_PROVIDERS_STATIC_JWT_ACCESS_TOKEN_EXPIRATION_TIME:15m}
+ authentication.providers.static-jwt.refresh-token-expiration-time=${AUTHENTICATION_PROVIDERS_STATIC_JWT_REFRESH_TOKEN_EXPIRATION_TIME:3d}
+
+ # OpenAPI configuration
+ springdoc.swagger-ui.enabled=${SPRINGDOC_SWAGGER_UI_ENABLED:false}
+ springdoc.swagger-ui.path=${SPRINGDOC_SWAGGER_UI_PATH:/swagger-ui.html}
+
+ # Whether to enable persistence endpoints or not (auth, user management)
+ app.persistence-endpoints.enabled=${APP_PERSISTENCE_ENDPOINTS_ENABLED:false}
+
+ # Whether to enable authorization or not for the operational endpoints
+ app.authorization.enabled=${APP_AUTHORIZATION_ENABLED:false}
+
+ # CORS configuration
+ app.cors.allowed-origins=${APP_CORS_ALLOWED_ORIGINS:*}
+ app.cors.allowed-methods=${APP_CORS_ALLOWED_METHODS:*}
+ app.cors.allowed-headers=${APP_CORS_ALLOWED_HEADERS:*}
+
+ # # Initial admin configuration, only need these configurations if persistence endpoints is enabled
+ # app.initial-admin-user.enabled=${APP_INITIAL_ADMIN_USER_ENABLED:false}
+ # app.initial-admin-user.email=${APP_INITIAL_ADMIN_USER_EMAIL:admin@scalar.com}
+ # app.initial-admin-user.name=${APP_INITIAL_ADMIN_USER_NAME:Administrator}
+ # app.initial-admin-user.password=${APP_INITIAL_ADMIN_USER_PASSWORD:Password@123!}
+
+ # # JPA configuration, only need these configurations if persistence endpoints is enabled
+ # spring.jpa.hibernate.ddl-auto=${SPRING_JPA_HIBERNATE_DDL_AUTO:update}
+ # spring.jpa.show-sql=${SPRING_JPA_SHOW_SQL:false}
+ # spring.jpa.properties.hibernate.format_sql=${SPRING_JPA_PROPERTIES_HIBERNATE_FORMAT_SQL:false}
+
+ # # Database configuration, only need these configurations if persistence endpoints is enabled
+ # spring.datasource.url=jdbc:postgresql://${DATABASE_HOST:scalar-manager-postgres-postgresql}:${DATABASE_PORT:5432}/${DATABASE_NAME:scalar-manager}
+ # spring.datasource.username=${DATABASE_USERNAME:scalar-manager}
+ # spring.datasource.password=${DATABASE_PASSWORD:scalar-manager}
+ # spring.datasource.driver-class-name=org.postgresql.Driver
+
+
 web:
 image:
 repository: ghcr.io/scalar-labs/scalar-manager-web
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 tag: ""
+
+ authorization:
+ # Whether to enable authorization or not for the web application, if enabled the login, user management page will be available
+ enabled: false
+ # The base URL of the authorization service, default is same as the scalar-manager-api service
+ baseUrl: http://localhost:8080
+
+ operation:
+ # The base URL of the operation service, default is same as the scalar-manager-api service
+ baseUrl: http://localhost:8080
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious