From e39d2a3894439851dadac7c0e141aff5741e9e3b Mon Sep 17 00:00:00 2001 From: Maximiliano Osorio Date: Fri, 14 Feb 2025 13:30:54 -0300 Subject: [PATCH 1/8] add: auth values --- charts/mint/values.yaml | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/charts/mint/values.yaml b/charts/mint/values.yaml index 0b360c6..eac9f4b 100644 --- a/charts/mint/values.yaml +++ b/charts/mint/values.yaml @@ -245,6 +245,35 @@ components: enable_dev_mode: false # -- Unauthorized role for Hasura unauthorized_role: anonymous + # -- Authentication configuration for Hasura + auth: + # -- Authentication type (jwt or webhook) + type: jwt + jwt: + # -- Enable JWT authentication + enabled: true + # -- JWT claims configuration + claims: + namespace: "https://hasura.io/jwt/claims" + webhook: + # -- Enable webhook authentication + enabled: false + # -- Webhook service configuration + service: + image: + # -- Docker image repository for auth webhook + repository: ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook + # -- Docker image tag for auth webhook + tag: latest + # -- Image pull policy for auth webhook + pullPolicy: IfNotPresent + # -- Resource specifications for auth webhook + resources: {} + config: + # -- JWKS URI for Tapis authentication + tapisJwksUri: "https://tacc.tapis.io/v3/tenants/tacc" + # -- Token issuer for Tapis authentication + tapisTokenIssuer: "https://tacc.tapis.io/v3/tokens" ingress: # -- Enable or disable ingress for Hasura enabled: true 
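Review bot: The webhook image defaults to `tag: latest` with `pullPolicy: IfNotPresent`, so each node keeps whichever build it first cached and the component that decides authentication for Hasura can differ across nodes and drift from what the chart was validated against; later in this series (patch 7, the `/healthz` to `/health` probe change) is the kind of image-side change a mutable tag lets through unnoticed. Default to an immutable version tag or digest, e.g. `tag: "<pinned-version>"  # placeholder: pin to the release the chart was tested with`, and quote it so a numeric-looking tag is not retyped. `resources: {}` also leaves the webhook with no requests or limits even though Hasura will call it on every request in webhook mode, so a small default request is worth setting here.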
@@ -535,7 +564,7 @@ secrets: # -- Url for S3 endpoint: example.com hasura: - # -- JWT verification secret for Hasura + # -- JWT verification secret for Hasura (only used when auth.type is jwt) jwt_secret: '{"type": "RS256", "key": "-----BEGIN CERTIFICATE-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmyQQ56WKKsVCUs8n9swlv5DV7st7UUdvNoDSnwovdU2vinQQ686//vRqlUJ5vpyI7r75qTXCPkXUitDhPvGEMfChnb9tuWdymSyZmMmT+34oaYo/2bGSZjTlLRVfRJjUnFYeWoVLoXVKJolyDWtU6bXbFNnUyysb/6YIpg5sSwxkLs/9yl6HsWdFconxPJO6KmMPSjcOc0fZermNq+cOEvj1OqRhVkxDqBebreI+zcgrJHNSN8d6cxTmfVQl1jIPHvxE5oN7qUdfYmK4D+SOlj8FlkUvwis+3Ix2AQsvNoOD1OzuqUOd/FpXBnEGaeTq9EMwDxplNqltR/qT3/poUwIDAQAB\n-----END CERTIFICATE-----", "allowed_skew": 2}' # -- Admin secret for Hasura used to access the console admin_secret: CHANGEME From 956099df1e135168945156cfae0f1c541eff8c05 Mon Sep 17 00:00:00 2001 From: Maximiliano Osorio Date: Fri, 14 Feb 2025 13:34:11 -0300 Subject: [PATCH 2/8] feat: add Hasura authentication webhook support --- charts/mint/templates/hasura.yaml | 77 +++++++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 5 deletions(-) diff --git a/charts/mint/templates/hasura.yaml b/charts/mint/templates/hasura.yaml index 92ac771..021cc3d 100644 --- a/charts/mint/templates/hasura.yaml +++ b/charts/mint/templates/hasura.yaml 
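Review bot: The updated comment on `jwt_secret` says when the value is used but not that the shipped default must be replaced; unlike the neighbouring `admin_secret: CHANGEME`, the default here is a complete RS256 configuration with an embedded certificate, and in jwt mode Hasura accepts any token signed by the private key matching that certificate. Extend the comment, e.g. `# -- JWT verification secret for Hasura (only used when auth.type is jwt). The default key is a sample and must be overridden per deployment.`, so helm-docs carries the warning into the README. If the certificate is not intended as a sample, a `CHANGEME`-style placeholder that fails verification would be the safer default. The enclosing `secrets:` mapping starts outside the hunk.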
@@ -24,6 +24,66 @@ spec: selector: app: {{ include "mint.prefix" . }}-hasura --- +{{- if and (eq .Values.components.hasura.auth.type "webhook") .Values.components.hasura.auth.webhook.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mint.prefix" . }}-hasura-auth-webhook + namespace: {{ .Release.Namespace }} + labels: + {{- include "helm.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + selector: + app: {{ include "mint.prefix" . }}-hasura-auth-webhook +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "mint.prefix" . }}-hasura-auth-webhook + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ include "mint.prefix" . }}-hasura-auth-webhook + template: + metadata: + labels: + app: {{ include "mint.prefix" . }}-hasura-auth-webhook + spec: + containers: + - name: auth-webhook + {{- with .Values.components.hasura.auth.webhook.service }} + image: "{{ .image.repository }}:{{ .image.tag }}" + imagePullPolicy: {{ .image.pullPolicy }} + resources: + {{- toYaml .resources | nindent 12 }} + {{- end }} + env: + - name: TAPIS_JWKS_URI + value: {{ .Values.components.hasura.auth.webhook.config.tapisJwksUri }} + - name: TAPIS_TOKEN_ISSUER + value: {{ .Values.components.hasura.auth.webhook.config.tapisTokenIssuer }} + ports: + - name: http + containerPort: 3000 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: http + readinessProbe: + httpGet: + path: /healthz + port: http +{{- end }} +--- apiVersion: apps/v1 kind: Deployment metadata: 
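Review bot: The two `env` entries for the webhook container interpolate chart values unquoted, `value: {{ .Values.components.hasura.auth.webhook.config.tapisJwksUri }}`; rendered Helm output is plain YAML, so an empty override becomes `null` and a value containing `: ` or ` #` breaks the manifest, while Kubernetes requires env values to be strings. Use `value: {{ .Values.components.hasura.auth.webhook.config.tapisJwksUri | quote }}` and the same for `tapisTokenIssuer`, matching the quoted `"{{ .environment.enable_dev_mode }}"` style of the Hasura Deployment in the next hunk. The new Deployment also sets no `securityContext` while the chart exposes a top-level `securityContext` value (visible in the README diff later in this series); if the other Deployments consume it, this one should too, and since this pod decides authentication for Hasura a restrictive default (non-root, read-only root filesystem) is appropriate here.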
@@ -59,6 +119,18 @@ spec: value: "{{ .environment.enable_dev_mode }}" - name: HASURA_GRAPHQL_UNAUTHORIZED_ROLE value: "{{ .environment.unauthorized_role }}" + {{- if eq .auth.type "webhook" }} + - name: HASURA_GRAPHQL_AUTH_HOOK + value: "http://{{ include "mint.prefix" $ }}-hasura-auth-webhook:3000/auth-webhook" + - name: HASURA_GRAPHQL_AUTH_HOOK_MODE + value: "POST" + {{- else }} + - name: HASURA_GRAPHQL_JWT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "mint.prefix" $ }}-hasura-secrets + key: jwt_secret + {{- end }} {{- end }} - name: HASURA_GRAPHQL_DATABASE_URL valueFrom: @@ -70,11 +142,6 @@ spec: secretKeyRef: name: {{ include "mint.prefix" . }}-hasura-secrets key: admin_secret - - name: HASURA_GRAPHQL_JWT_SECRET - valueFrom: - secretKeyRef: - name: {{ include "mint.prefix" . }}-hasura-secrets - key: jwt_secret - name: DB_HOST value: {{ include "mint.prefix" $ }}-hasura ports: From 5acb021f8f17bb5bb3f405649e65a7a77019d9a1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 14 Feb 2025 16:39:09 +0000 Subject: [PATCH 3/8] update Helm documentation --- charts/mint/README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/charts/mint/README.md b/charts/mint/README.md index 5da2605..adff65e 100644 --- a/charts/mint/README.md +++ b/charts/mint/README.md 
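Review bot: The branch `{{- if eq .auth.type "webhook" }}` treats every other value of `auth.type` as JWT mode, so a typo such as `type: webhok` silently renders the JWT configuration instead of failing the install, although the values comment documents exactly two allowed values. Guard it before the branch with `{{- if not (has .auth.type (list "jwt" "webhook")) }}{{ fail (printf "components.hasura.auth.type must be jwt or webhook, got %q" .auth.type) }}{{- end }}` so the misconfiguration is caught at template time. The hook URL also hard-codes `3000` and `/auth-webhook`, duplicating the port set on the Service and container in the previous hunk; a single values key (for example a constructed `webhook.service.port`) would keep the three in step. The enclosing `with` block begins outside the hunk; the second hunk on this line only removes the now-conditional `HASURA_GRAPHQL_JWT_SECRET` entry.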
@@ -107,6 +107,18 @@ A Helm chart for MINT | components.ensemble_manager.serviceAccountName | string | `"default"` | Service account name for Ensemble Manager, used to run jobs | | components.ensemble_manager.strategy | object | `{"type":"Recreate"}` | Ensemble Manager deployment strategy (Recreate or RollingUpdate) | | components.ensemble_manager.strategy.type | string | `"Recreate"` | Type of deployment strategy | +| components.hasura.auth | object | `{"jwt":{"claims":{"namespace":"https://hasura.io/jwt/claims"},"enabled":true},"type":"jwt","webhook":{"config":{"tapisJwksUri":"https://tacc.tapis.io/v3/tenants/tacc","tapisTokenIssuer":"https://tacc.tapis.io/v3/tokens"},"enabled":false,"service":{"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook","tag":"latest"},"resources":{}}}}` | Authentication configuration for Hasura | +| components.hasura.auth.jwt.claims | object | `{"namespace":"https://hasura.io/jwt/claims"}` | JWT claims configuration | +| components.hasura.auth.jwt.enabled | bool | `true` | Enable JWT authentication | +| components.hasura.auth.type | string | `"jwt"` | Authentication type (jwt or webhook) | +| components.hasura.auth.webhook.config.tapisJwksUri | string | `"https://tacc.tapis.io/v3/tenants/tacc"` | JWKS URI for Tapis authentication | +| components.hasura.auth.webhook.config.tapisTokenIssuer | string | `"https://tacc.tapis.io/v3/tokens"` | Token issuer for Tapis authentication | +| components.hasura.auth.webhook.enabled | bool | `false` | Enable webhook authentication | +| components.hasura.auth.webhook.service | object | `{"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook","tag":"latest"},"resources":{}}` | Webhook service configuration | +| components.hasura.auth.webhook.service.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for auth webhook | +| components.hasura.auth.webhook.service.image.repository 
| string | `"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook"` | Docker image repository for auth webhook | +| components.hasura.auth.webhook.service.image.tag | string | `"latest"` | Docker image tag for auth webhook | +| components.hasura.auth.webhook.service.resources | object | `{}` | Resource specifications for auth webhook | | components.hasura.enabled | bool | `true` | Enable or disable Hasura | | components.hasura.environment.enable_console | bool | `true` | Enable or disable Hasura console | | components.hasura.environment.enable_dev_mode | bool | `false` | Enable or disable Hasura dev mode | 
@@ -286,7 +298,7 @@ A Helm chart for MINT | secrets.external_services.s3.access_key | string | `"CHANGEME"` | Access key for S3. Used by Ensemble Manager to upload data | | secrets.external_services.s3.secret_key | string | `"CHANGEME"` | Secret key for S3 | | secrets.hasura.admin_secret | string | `"CHANGEME"` | Admin secret for Hasura used to access the console | -| secrets.hasura.jwt_secret | string | `"{\"type\": \"RS256\", \"key\": \"-----BEGIN CERTIFICATE-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmyQQ56WKKsVCUs8n9swlv5DV7st7UUdvNoDSnwovdU2vinQQ686//vRqlUJ5vpyI7r75qTXCPkXUitDhPvGEMfChnb9tuWdymSyZmMmT+34oaYo/2bGSZjTlLRVfRJjUnFYeWoVLoXVKJolyDWtU6bXbFNnUyysb/6YIpg5sSwxkLs/9yl6HsWdFconxPJO6KmMPSjcOc0fZermNq+cOEvj1OqRhVkxDqBebreI+zcgrJHNSN8d6cxTmfVQl1jIPHvxE5oN7qUdfYmK4D+SOlj8FlkUvwis+3Ix2AQsvNoOD1OzuqUOd/FpXBnEGaeTq9EMwDxplNqltR/qT3/poUwIDAQAB\\n-----END CERTIFICATE-----\", \"allowed_skew\": 2}"` | JWT verification secret for Hasura | +| secrets.hasura.jwt_secret | string | `"{\"type\": \"RS256\", \"key\": \"-----BEGIN CERTIFICATE-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmyQQ56WKKsVCUs8n9swlv5DV7st7UUdvNoDSnwovdU2vinQQ686//vRqlUJ5vpyI7r75qTXCPkXUitDhPvGEMfChnb9tuWdymSyZmMmT+34oaYo/2bGSZjTlLRVfRJjUnFYeWoVLoXVKJolyDWtU6bXbFNnUyysb/6YIpg5sSwxkLs/9yl6HsWdFconxPJO6KmMPSjcOc0fZermNq+cOEvj1OqRhVkxDqBebreI+zcgrJHNSN8d6cxTmfVQl1jIPHvxE5oN7qUdfYmK4D+SOlj8FlkUvwis+3Ix2AQsvNoOD1OzuqUOd/FpXBnEGaeTq9EMwDxplNqltR/qT3/poUwIDAQAB\\n-----END CERTIFICATE-----\", \"allowed_skew\": 2}"` | JWT verification secret for Hasura (only used when auth.type is jwt) | | securityContext | object | `{}` | | | service | object | `{"port":80,"type":"ClusterIP"}` | Service configuration | | service.port | int | `80` | Port number for the service | From 1319c87b5e91dea4eb23943eabefb11ed71bb5b3 Mon Sep 17 00:00:00 2001 
From: Maximiliano Osorio Date: Fri, 14 Feb 2025 13:42:02 -0300 Subject: [PATCH 4/8] fix: dump --- charts/mint/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/mint/Chart.yaml b/charts/mint/Chart.yaml index b30eb28..e0a19b3 100644 --- a/charts/mint/Chart.yaml +++ b/charts/mint/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 3.4.6-pre1 +version: 3.4.6-pre2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. From d027bb2a5d73aa41d0561f4eab0d2855709315f8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 14 Feb 2025 16:42:24 +0000 Subject: [PATCH 5/8] update Helm documentation --- charts/mint/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/mint/README.md b/charts/mint/README.md index adff65e..cbcb715 100644 --- a/charts/mint/README.md +++ b/charts/mint/README.md @@ -1,6 +1,6 @@ # MINT -![Version: 3.4.6-pre1](https://img.shields.io/badge/Version-3.4.6--pre1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square) +![Version: 3.4.6-pre2](https://img.shields.io/badge/Version-3.4.6--pre2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square) A Helm chart for MINT 
From 214cb4d86d410b00f5baab1ff099574b422e01e3 Mon Sep 17 00:00:00 2001 From: Maximiliano Osorio Date: Fri, 14 Feb 2025 16:16:05 -0300 Subject: [PATCH 6/8] dump --- charts/mint/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/mint/Chart.yaml b/charts/mint/Chart.yaml index e0a19b3..230493a 100644 --- a/charts/mint/Chart.yaml +++ b/charts/mint/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 3.4.6-pre2 +version: 3.4.6-pre3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. From 5ffaaf3bef1fa4151cb849a1f746dbe58349c7c9 Mon Sep 17 00:00:00 2001 From: Maximiliano Osorio Date: Fri, 14 Feb 2025 16:45:10 -0300 Subject: [PATCH 7/8] fix: improve values --- charts/mint/templates/hasura.yaml | 10 +++++----- charts/mint/values.yaml | 4 ---- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/charts/mint/templates/hasura.yaml b/charts/mint/templates/hasura.yaml index 021cc3d..f2c4a8f 100644 --- a/charts/mint/templates/hasura.yaml +++ b/charts/mint/templates/hasura.yaml @@ -24,7 +24,7 @@ spec: selector: app: {{ include "mint.prefix" . }}-hasura --- -{{- if and (eq .Values.components.hasura.auth.type "webhook") .Values.components.hasura.auth.webhook.enabled }} +{{- if eq .Values.components.hasura.auth.type "webhook" }} apiVersion: v1 kind: Service metadata: @@ -76,11 +76,11 @@ spec: protocol: TCP livenessProbe: httpGet: - path: /healthz + path: /health port: http readinessProbe: httpGet: - path: /healthz + path: /health port: http {{- end }} --- 
@@ -117,14 +117,14 @@ spec: value: "{{ .environment.enable_console }}" - name: HASURA_GRAPHQL_DEV_MODE value: "{{ .environment.enable_dev_mode }}" - - name: HASURA_GRAPHQL_UNAUTHORIZED_ROLE - value: "{{ .environment.unauthorized_role }}" {{- if eq .auth.type "webhook" }} - name: HASURA_GRAPHQL_AUTH_HOOK value: "http://{{ include "mint.prefix" $ }}-hasura-auth-webhook:3000/auth-webhook" - name: HASURA_GRAPHQL_AUTH_HOOK_MODE value: "POST" {{- else }} + - name: HASURA_GRAPHQL_UNAUTHORIZED_ROLE + value: "{{ .environment.unauthorized_role }}" - name: HASURA_GRAPHQL_JWT_SECRET valueFrom: secretKeyRef: diff --git a/charts/mint/values.yaml b/charts/mint/values.yaml index b405842..612ff77 100644 --- a/charts/mint/values.yaml +++ b/charts/mint/values.yaml @@ -254,14 +254,10 @@ components: # -- Authentication type (jwt or webhook) type: jwt jwt: - # -- Enable JWT authentication - enabled: true # -- JWT claims configuration claims: namespace: "https://hasura.io/jwt/claims" webhook: - # -- Enable webhook authentication - enabled: false # -- Webhook service configuration service: image: From 065994c7ff018b29974e687d82d2a9fe8894fea7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 14 Feb 2025 19:45:47 +0000 Subject: [PATCH 8/8] update Helm documentation --- charts/mint/README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/mint/README.md b/charts/mint/README.md index 50564a7..da1846a 100644 --- a/charts/mint/README.md +++ b/charts/mint/README.md 
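Review bot: Moving `HASURA_GRAPHQL_UNAUTHORIZED_ROLE` under the `{{- else }}` branch changes behaviour for webhook deployments without saying why; presumably Hasura does not accept an unauthorized role together with an auth hook, but a reader of the template cannot tell that from the code. Add a template comment above the branch, e.g. `{{- /* HASURA_GRAPHQL_UNAUTHORIZED_ROLE is only set in JWT mode; in webhook mode the hook's response supplies the session variables for every request. */}}`, and mirror the constraint in the values comment for `unauthorized_role` so helm-docs picks it up. The enclosing `with` block for the Hasura container starts outside the hunk.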
@@ -1,6 +1,6 @@ # MINT -![Version: 3.4.6-pre2](https://img.shields.io/badge/Version-3.4.6--pre2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square) +![Version: 3.4.6-pre3](https://img.shields.io/badge/Version-3.4.6--pre3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square) A Helm chart for MINT 
@@ -107,13 +107,11 @@ A Helm chart for MINT | components.ensemble_manager.serviceAccountName | string | `"default"` | Service account name for Ensemble Manager, used to run jobs | | components.ensemble_manager.strategy | object | `{"type":"Recreate"}` | Ensemble Manager deployment strategy (Recreate or RollingUpdate) | | components.ensemble_manager.strategy.type | string | `"Recreate"` | Type of deployment strategy | -| components.hasura.auth | object | `{"jwt":{"claims":{"namespace":"https://hasura.io/jwt/claims"},"enabled":true},"type":"jwt","webhook":{"config":{"tapisJwksUri":"https://tacc.tapis.io/v3/tenants/tacc","tapisTokenIssuer":"https://tacc.tapis.io/v3/tokens"},"enabled":false,"service":{"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook","tag":"latest"},"resources":{}}}}` | Authentication configuration for Hasura | +| components.hasura.auth | object | `{"jwt":{"claims":{"namespace":"https://hasura.io/jwt/claims"}},"type":"jwt","webhook":{"config":{"tapisJwksUri":"https://tacc.tapis.io/v3/tenants/tacc","tapisTokenIssuer":"https://tacc.tapis.io/v3/tokens"},"service":{"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook","tag":"latest"},"resources":{}}}}` | Authentication configuration for Hasura | | components.hasura.auth.jwt.claims | object | `{"namespace":"https://hasura.io/jwt/claims"}` | JWT claims configuration | -| components.hasura.auth.jwt.enabled | bool | `true` | Enable JWT authentication | | components.hasura.auth.type | string | `"jwt"` | Authentication type (jwt or webhook) | | components.hasura.auth.webhook.config.tapisJwksUri | string | `"https://tacc.tapis.io/v3/tenants/tacc"` | JWKS URI for Tapis authentication | | components.hasura.auth.webhook.config.tapisTokenIssuer | string | `"https://tacc.tapis.io/v3/tokens"` | Token issuer for Tapis authentication | -| components.hasura.auth.webhook.enabled | bool | `false` | Enable 
webhook authentication | | components.hasura.auth.webhook.service | object | `{"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook","tag":"latest"},"resources":{}}` | Webhook service configuration | | components.hasura.auth.webhook.service.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for auth webhook | | components.hasura.auth.webhook.service.image.repository | string | `"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook"` | Docker image repository for auth webhook |