From 687ae6ae1ee2a8092aecb3c484a5d2f43ed73d99 Mon Sep 17 00:00:00 2001 From: Felix Delattre Date: Mon, 15 Dec 2025 15:50:20 +0100 Subject: [PATCH 1/4] Added auth for stac browser. --- CHANGELOG.md | 1 + .../services/browser/deployment.yaml | 15 ++++- charts/eoapi/tests/stac_browser_tests.yaml | 58 +++++++++++++++++++ charts/eoapi/values.yaml | 5 ++ 4 files changed, 77 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0dbc188..3dacadbc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381) +- Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376) ### Fixed diff --git a/charts/eoapi/templates/services/browser/deployment.yaml b/charts/eoapi/templates/services/browser/deployment.yaml index 08e143a3..a4973795 100644 --- a/charts/eoapi/templates/services/browser/deployment.yaml +++ b/charts/eoapi/templates/services/browser/deployment.yaml @@ -7,7 +7,7 @@ metadata: app: {{ .Release.Name }}-browser gitsha: {{ .Values.gitSha }} spec: - replicas: {{.Values.browser.replicaCount}} + replicas: {{ .Values.browser.replicaCount }} selector: matchLabels: app: {{ .Release.Name }}-browser 
@@ -23,5 +23,16 @@ spec: - containerPort: 8080 env: - name: SB_catalogUrl - value: "{{ .Values.stac.ingress.path }}" + value: "http://{{ .Values.ingress.host }}{{ .Values.stac.ingress.path }}" + {{- if index .Values "stac-auth-proxy" "enabled" }} + - name: SB_authConfig + value: | + { + "type": "openIdConnect", + "openIdConnectUrl": "http://{{ .Values.ingress.host }}{{ .Values.mockOidcServer.ingress.path }}/.well-known/openid-configuration", + "oidcOptions": { + "client_id": "{{ .Values.browser.oidcClientId | default "test-client" }}" + } + } + {{- end }} {{- end }} diff --git a/charts/eoapi/tests/stac_browser_tests.yaml b/charts/eoapi/tests/stac_browser_tests.yaml index d195a601..2bded177 100644 --- a/charts/eoapi/tests/stac_browser_tests.yaml +++ b/charts/eoapi/tests/stac_browser_tests.yaml 
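Review bot: The new SB_catalogUrl and openIdConnectUrl values hard-code the `http://` scheme and `.Values.ingress.host`, so a release that uses the `ingress.hosts` list or `ingress.tls.enabled` (both exercised in ingress_tests.yaml) points the browser at an empty host and at a plaintext OIDC discovery endpoint. The scheme should follow the chart's TLS setting and the host should fall back to the first entry of `ingress.hosts` when `ingress.host` is unset; the new stac_browser_tests.yaml cases only cover the single-host, http case. `client_id` is also spliced into the JSON unescaped; `"client_id": {{ .Values.browser.oidcClientId | default "test-client" | toJson }}` keeps the document valid for any value. The `default "test-client"` fallback silently ships a test client id into a deployment that has auth enabled, so `required` would be the safer choice. The container this env list belongs to starts outside the hunk.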
@@ -51,3 +51,61 @@ tests: - equal: path: metadata.annotations.annotation2 value: world + - it: "stac browser deployment with auth enabled" + set: + raster.enabled: false + stac.enabled: true + vector.enabled: false + multidim.enabled: false + browser.enabled: true + stac-auth-proxy.enabled: true + ingress.host: "localhost" + stac.ingress.path: "/stac" + mockOidcServer.ingress.path: "/mock-oidc" + browser.oidcClientId: "test-client" + gitSha: "ABC123" + template: templates/services/browser/deployment.yaml + asserts: + - isKind: + of: Deployment + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_catalogUrl + value: "http://localhost/stac" + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_authConfig + value: | + { + "type": "openIdConnect", + "openIdConnectUrl": "http://localhost/mock-oidc/.well-known/openid-configuration", + "oidcOptions": { + "client_id": "test-client" + } + } + - it: "stac browser deployment without auth" + set: + raster.enabled: false + stac.enabled: true + vector.enabled: false + multidim.enabled: false + browser.enabled: true + stac-auth-proxy.enabled: false + ingress.host: "localhost" + stac.ingress.path: "/stac" + gitSha: "ABC123" + template: templates/services/browser/deployment.yaml + asserts: + - isKind: + of: Deployment + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_catalogUrl + value: "http://localhost/stac" + - notContains: + path: spec.template.spec.containers[0].env + content: + name: SB_authConfig diff --git a/charts/eoapi/values.yaml b/charts/eoapi/values.yaml index 62608f00..73dd9d78 100644 --- a/charts/eoapi/values.yaml +++ b/charts/eoapi/values.yaml 
@@ -415,7 +415,11 @@ stac: # STAC Auth Proxy - authentication layer for STAC API stac-auth-proxy: enabled: false + image: + tag: "v0.10.2-rc2" env: + ROOT_PATH: "/stac" + OVERRIDE_HOST: "false" DEFAULT_PUBLIC: "true" # UPSTREAM_URL will be set dynamically in template to point to stac service # OIDC_DISCOVERY_URL must be configured when enabling auth @@ -492,6 +496,7 @@ browser: tag: 3.3.4 ingress: enabled: true # Control ingress specifically for browser service + oidcClientId: "some-client-id" docServer: enabled: true From b1a7c6fdf434a2609e3c39d231f573068a93ddd1 Mon Sep 17 00:00:00 2001 From: Felix Delattre Date: Mon, 15 Dec 2025 15:56:25 +0100 Subject: [PATCH 2/4] Adjusted ingress middleware. --- .../templates/networking/ingress-browser.yaml | 3 +- .../templates/networking/ingress-stac.yaml | 66 +++++++++++++++++++ .../eoapi/templates/networking/ingress.yaml | 30 +-------- .../networking/traefik-middleware.yaml | 2 +- charts/eoapi/tests/ingress_tests.yaml | 6 +- .../tests/stac-auth-proxy-ingress_test.yaml | 19 +++--- 6 files changed, 82 insertions(+), 44 deletions(-) create mode 100644 charts/eoapi/templates/networking/ingress-stac.yaml diff --git a/charts/eoapi/templates/networking/ingress-browser.yaml b/charts/eoapi/templates/networking/ingress-browser.yaml index 35eccc23..77f350e2 100644 --- a/charts/eoapi/templates/networking/ingress-browser.yaml +++ b/charts/eoapi/templates/networking/ingress-browser.yaml 
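Review bot: The default `image.tag: "v0.10.2-rc2"` for stac-auth-proxy pins the component that enforces access control to a mutable release-candidate tag, so every install floats on whatever that tag currently resolves to; a released version, ideally accompanied by a digest, is the safer default here. `ROOT_PATH: "/stac"` also repeats `stac.ingress.path` as a literal, so a user who changes the STAC ingress path presumably ends up with a proxy mounted at a root that no longer matches the ingress rule — deriving it in the proxy's deployment template from `.Values.stac.ingress.path` would keep the two in step. The `stac-auth-proxy` stanza continues past the hunk.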
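Review bot: `oidcClientId: "some-client-id"` ships a placeholder as the live default, and because values.yaml now always sets it, the `default "test-client"` fallback in browser/deployment.yaml can never apply, so the chart carries two different dummy client ids. Leaving the key empty with a comment, `oidcClientId: ""  # OAuth2 client id registered at the OIDC provider; required when stac-auth-proxy is enabled`, and failing the render with `required` when auth is on would make a missing value visible at install time instead of at the first login. The `browser` stanza continues past the hunk.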
@@ -20,10 +20,9 @@ metadata: nginx.ingress.kubernetes.io/rewrite-target: /browser/$2 nginx.ingress.kubernetes.io/use-regex: "true" {{- end }} - # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490 + # Traefik configuration - services handle their own root paths {{- if eq .Values.ingress.className "traefik" }} traefik.ingress.kubernetes.io/router.entrypoints: web - traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} diff --git a/charts/eoapi/templates/networking/ingress-stac.yaml b/charts/eoapi/templates/networking/ingress-stac.yaml new file mode 100644 index 00000000..950128d5 --- /dev/null +++ b/charts/eoapi/templates/networking/ingress-stac.yaml 
@@ -0,0 +1,66 @@ +{{- if and .Values.stac.enabled .Values.ingress.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ .Release.Name }}-ingress-stac + labels: + app: {{ .Release.Name }}-ingress-stac + annotations: + {{- if .Values.ingress.annotations }} +{{ toYaml .Values.ingress.annotations | indent 4 }} + {{- end }} + # STAC uses stac-auth-proxy which handles its own path manipulation + {{- if eq .Values.ingress.className "traefik" }} + traefik.ingress.kubernetes.io/router.entrypoints: web + {{- end }} + {{- if eq .Values.ingress.className "nginx" }} + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/use-regex: "true" + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + rules: + {{- if .Values.ingress.hosts }} + {{- range .Values.ingress.hosts }} + - host: {{ . 
}} + http: + paths: + - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} + path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }} + backend: + service: + {{- if index $.Values "stac-auth-proxy" "enabled" }} + name: {{ $.Release.Name }}-stac-auth-proxy + {{- else }} + name: {{ $.Release.Name }}-stac + {{- end }} + port: + number: {{ $.Values.service.port }} + {{- end }} + {{- else }} + - {{- if .Values.ingress.host }} + host: {{ .Values.ingress.host }} + {{- end }} + http: + paths: + - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} + path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }} + backend: + service: + {{- if index .Values "stac-auth-proxy" "enabled" }} + name: {{ .Release.Name }}-stac-auth-proxy + {{- else }} + name: {{ .Release.Name }}-stac + {{- end }} + port: + number: {{ .Values.service.port }} + {{- end }} +{{- end }} diff --git a/charts/eoapi/templates/networking/ingress.yaml b/charts/eoapi/templates/networking/ingress.yaml index dc49bb70..d6afb3bc 100644 --- a/charts/eoapi/templates/networking/ingress.yaml +++ b/charts/eoapi/templates/networking/ingress.yaml @@ -19,7 +19,7 @@ metadata: {{- if .Values.ingress.annotations }} {{ toYaml .Values.ingress.annotations | indent 4 }} {{- end }} - # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490 + # Traefik stripPrefix middleware for services that need path stripping (excludes STAC) {{- if eq .Values.ingress.className "traefik" }} traefik.ingress.kubernetes.io/router.entrypoints: web traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd 
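Review bot: The new ingress-stac.yaml has no `tls:` stanza in `spec`, so when `ingress.tls.enabled` and `ingress.tls.secretName` are set (as ingress_tests.yaml does) the STAC and stac-auth-proxy routes — the ones that carry bearer tokens — become the only routes left on plain HTTP; the tls block from ingress.yaml needs to be carried over. Separately, under nginx the `rewrite-target: /$2` annotation strips `{{ .Values.stac.ingress.path }}` before the request reaches the proxy, while under traefik (no middleware on this ingress) the prefix is forwarded intact; with `ROOT_PATH: "/stac"` set in values, the proxy presumably sees the prefix it expects on one controller but not on the other. Patch 3 deletes this file and folds the same rules into ingress-no-prefix.yaml, whose `spec` header lies outside those hunks, so both points carry over to it.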
@@ -44,19 +44,7 @@ spec: number: {{ $.Values.service.port }} {{- end }} - {{- if and $.Values.stac.enabled (or (not (hasKey $.Values.stac "ingress")) $.Values.stac.ingress.enabled) }} - - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }} - backend: - service: - {{- if index $.Values "stac-auth-proxy" "enabled" }} - name: {{ $.Release.Name }}-stac-auth-proxy - {{- else }} - name: {{ $.Release.Name }}-stac - {{- end }} - port: - number: {{ $.Values.service.port }} - {{- end }} + {{- if and $.Values.vector.enabled (or (not (hasKey $.Values.vector "ingress")) $.Values.vector.ingress.enabled) }} - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} @@ -114,19 +102,7 @@ spec: number: {{ .Values.service.port }} {{- end }} - {{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }} - - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }} - backend: - service: - {{- if index .Values "stac-auth-proxy" "enabled" }} - name: {{ .Release.Name }}-stac-auth-proxy - {{- else }} - name: {{ .Release.Name }}-stac - {{- end }} - port: - number: {{ .Values.service.port }} - {{- end }} + {{- if and .Values.vector.enabled (or (not (hasKey .Values.vector "ingress")) .Values.vector.ingress.enabled) }} - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} diff --git a/charts/eoapi/templates/networking/traefik-middleware.yaml b/charts/eoapi/templates/networking/traefik-middleware.yaml index 82bc926c..04d28ae0 100644 --- a/charts/eoapi/templates/networking/traefik-middleware.yaml 
+++ b/charts/eoapi/templates/networking/traefik-middleware.yaml @@ -1,5 +1,5 @@ {{- if and .Values.ingress.enabled (eq .Values.ingress.className "traefik") }} -apiVersion: traefik.io/v1alpha1 +apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: {{ .Release.Name }}-strip-prefix-middleware diff --git a/charts/eoapi/tests/ingress_tests.yaml b/charts/eoapi/tests/ingress_tests.yaml index 11363982..14845ce8 100644 --- a/charts/eoapi/tests/ingress_tests.yaml +++ b/charts/eoapi/tests/ingress_tests.yaml @@ -1,6 +1,6 @@ suite: unified ingress tests templates: - - templates/services/ingress.yaml + - templates/networking/ingress.yaml tests: - it: "vector ingress with nginx controller" set: @@ -56,7 +56,7 @@ tests: path: metadata.annotations value: traefik.ingress.kubernetes.io/router.entrypoints: web - traefik.ingress.kubernetes.io/router.middlewares: NAMESPACE-RELEASE-NAME-strip-prefix-middleware@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: RELEASE-NAME-strip-prefix-middleware@kubernetescrd - equal: path: spec.ingressClassName value: "traefik" @@ -150,7 +150,7 @@ tests: path: metadata.annotations value: traefik.ingress.kubernetes.io/router.entrypoints: web - traefik.ingress.kubernetes.io/router.middlewares: NAMESPACE-RELEASE-NAME-strip-prefix-middleware@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: RELEASE-NAME-strip-prefix-middleware@kubernetescrd - it: "multiple hosts with nginx controller" set: diff --git a/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml b/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml index c4007016..ef9121f9 100644 --- a/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml +++ b/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml @@ -1,6 +1,6 @@ suite: test stac-auth-proxy ingress routing templates: - - networking/ingress.yaml + - networking/ingress-stac.yaml tests: - it: should route ingress to stac-auth-proxy when enabled 
@@ -23,7 +23,7 @@ tests: name: RELEASE-NAME-stac-auth-proxy port: number: 8080 - template: networking/ingress.yaml + template: networking/ingress-stac.yaml - it: should route ingress directly to stac when auth-proxy is disabled set: @@ -45,20 +45,17 @@ tests: name: RELEASE-NAME-stac port: number: 8080 - template: networking/ingress.yaml + template: networking/ingress-stac.yaml - - it: should not create stac routes when stac is disabled + - it: should not create stac ingress when stac is disabled set: ingress.enabled: true stac.enabled: false stac-auth-proxy.enabled: true asserts: - - notContains: - path: spec.rules[0].http.paths - any: true - content: - path: /stac(/|$)(.*) - template: networking/ingress.yaml + - hasDocuments: + count: 0 + template: networking/ingress-stac.yaml - it: should route correctly with experimental profile values: @@ -76,4 +73,4 @@ tests: name: RELEASE-NAME-stac-auth-proxy port: number: 8080 - template: networking/ingress.yaml + template: networking/ingress-stac.yaml From 12232ed1533431b6fd3c3469ee6f69adedc91920 Mon Sep 17 00:00:00 2001 From: Felix Delattre Date: Mon, 15 Dec 2025 16:06:52 +0100 Subject: [PATCH 3/4] Consolidated ingress definitions. --- ...ss-browser.yaml => ingress-no-prefix.yaml} | 47 ++++++++++--- .../templates/networking/ingress-stac.yaml | 66 ------------------ .../networking/traefik-middleware.yaml | 2 +- charts/eoapi/tests/ingress_tests.yaml | 57 +++++++--------- .../tests/stac-auth-proxy-ingress_test.yaml | 68 +++++++++++++++++-- 5 files changed, 124 insertions(+), 116 deletions(-) rename charts/eoapi/templates/networking/{ingress-browser.yaml => ingress-no-prefix.yaml} (56%) delete mode 100644 charts/eoapi/templates/networking/ingress-stac.yaml 
diff --git a/charts/eoapi/templates/networking/ingress-browser.yaml b/charts/eoapi/templates/networking/ingress-no-prefix.yaml similarity index 56% rename from charts/eoapi/templates/networking/ingress-browser.yaml rename to charts/eoapi/templates/networking/ingress-no-prefix.yaml index 77f350e2..048b4580 100644 --- a/charts/eoapi/templates/networking/ingress-browser.yaml +++ b/charts/eoapi/templates/networking/ingress-no-prefix.yaml @@ -1,5 +1,4 @@ -# We need a separate ingress because browser has the prefix /browser hardcoded in the code -{{- if and .Values.browser.enabled .Values.ingress.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }} +{{- if and .Values.ingress.enabled (or (and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled)) (and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled))) }} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} apiVersion: networking.k8s.io/v1 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }} 
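Review bot: The new guard on line 1 of ingress-no-prefix.yaml is a single boolean of roughly 230 characters with four nested `and`/`or` levels, and its two sub-expressions are repeated verbatim in the `paths` blocks later in the file. Binding them once at the top — `{{- $stacIngress := and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }}`, `{{- $browserIngress := and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }}`, `{{- if and .Values.ingress.enabled (or $stacIngress $browserIngress) }}` — makes the condition readable and keeps the guard and the per-path checks from drifting apart. The removed header comment was also the only record of why the browser needs its prefix preserved; a replacement such as `# stac-auth-proxy and stac-browser serve their own path prefixes, so no stripPrefix middleware is applied here` keeps that rationale.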
@@ -9,21 +8,21 @@ apiVersion: extensions/v1beta1 {{- end }} kind: Ingress metadata: - name: {{ .Release.Name }}-ingress-browser + name: {{ .Release.Name }}-ingress-no-prefix labels: - app: {{ .Release.Name }}-ingress-browser + app: {{ .Release.Name }}-ingress-no-prefix annotations: {{- if .Values.ingress.annotations }} {{ toYaml .Values.ingress.annotations | indent 4 }} {{- end }} - {{- if eq .Values.ingress.className "nginx" }} - nginx.ingress.kubernetes.io/rewrite-target: /browser/$2 - nginx.ingress.kubernetes.io/use-regex: "true" - {{- end }} - # Traefik configuration - services handle their own root paths + # Services handle their own path manipulation - no stripPrefix middleware {{- if eq .Values.ingress.className "traefik" }} traefik.ingress.kubernetes.io/router.entrypoints: web {{- end }} + {{- if eq .Values.ingress.className "nginx" }} + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/use-regex: "true" + {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} 
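Review bot: The nginx `rewrite-target` for the browser path changes from `/browser/$2` to `/$2`, which strips the `/browser` prefix that the header comment removed in this same commit says is hardcoded in the browser; if that is still the case, every browser request under nginx now lands on the wrong path. A single Ingress carries one `rewrite-target` annotation, so STAC (prefix stripped) and the browser (prefix kept) cannot share one nginx Ingress this way; keeping the browser rules in their own Ingress when `ingress.className` is nginx, or passing the prefix through for both and letting the proxy's `ROOT_PATH` absorb it, would avoid the clash. The new test in stac-auth-proxy-ingress_test.yaml asserts only the path regex, not the rewrite annotation, so it does not catch this. The `metadata` mapping continues outside the hunk.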
@@ -34,12 +33,26 @@ spec: - host: {{ . }} http: paths: + {{- if and $.Values.stac.enabled (or (not (hasKey $.Values.stac "ingress")) $.Values.stac.ingress.enabled) }} + - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} + path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }} + backend: + service: + {{- if index $.Values "stac-auth-proxy" "enabled" }} + name: {{ $.Release.Name }}-stac-auth-proxy + {{- else }} + name: {{ $.Release.Name }}-stac + {{- end }} + port: + number: {{ $.Values.service.port }} + {{- end }} + {{- if and $.Values.browser.enabled (or (not (hasKey $.Values.browser "ingress")) $.Values.browser.ingress.enabled) }} - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} path: "/browser{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}" backend: service: - name: {{ .Release.Name }}-browser + name: {{ $.Release.Name }}-browser port: number: 8080 {{- end }} @@ -50,6 +63,20 @@ spec: {{- end }} http: paths: + {{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }} + - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} + path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }} + backend: + service: + {{- if index .Values "stac-auth-proxy" "enabled" }} + name: {{ .Release.Name }}-stac-auth-proxy + {{- else }} + name: {{ .Release.Name }}-stac + {{- end }} + port: + number: {{ .Values.service.port }} + {{- end }} + {{- if and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }} - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} path: "/browser{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}" 
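Review bot: The fourteen-line STAC backend block is now written out twice in this file (the `range .Values.ingress.hosts` branch and the single-host `else` branch), and the browser block is duplicated the same way; the auth-proxy/stac service switch inside it is exactly the kind of routing decision that silently diverges when only one copy is edited. A named template in the chart's helpers file, included from both branches with `nindent` at the column of the existing `- pathType:` entries, leaves one copy of the backend selection. The `rules` list starts before the first hunk and the file's closing `end` lies after the second.
```yaml
{{- /* One STAC ingress path entry; pass the root context ($ inside range, . elsewhere). */ -}}
{{- define "eoapi.ingress.stacPath" -}}
{{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) -}}
- pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
  path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
  backend:
    service:
      {{- if index .Values "stac-auth-proxy" "enabled" }}
      name: {{ .Release.Name }}-stac-auth-proxy
      {{- else }}
      name: {{ .Release.Name }}-stac
      {{- end }}
      port:
        number: {{ .Values.service.port }}
{{- end }}
{{- end }}

# … unchanged: metadata, annotations, rules and the hosts loop …
        paths:
          {{- include "eoapi.ingress.stacPath" $ | nindent 10 }}
# … unchanged: browser path entry; the else branch uses the same include with `.` …
```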
diff --git a/charts/eoapi/templates/networking/ingress-stac.yaml b/charts/eoapi/templates/networking/ingress-stac.yaml deleted file mode 100644 index 950128d5..00000000 --- a/charts/eoapi/templates/networking/ingress-stac.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- if and .Values.stac.enabled .Values.ingress.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: networking.k8s.io/v1beta1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ .Release.Name }}-ingress-stac - labels: - app: {{ .Release.Name }}-ingress-stac - annotations: - {{- if .Values.ingress.annotations }} -{{ toYaml .Values.ingress.annotations | indent 4 }} - {{- end }} - # STAC uses stac-auth-proxy which handles its own path manipulation - {{- if eq .Values.ingress.className "traefik" }} - traefik.ingress.kubernetes.io/router.entrypoints: web - {{- end }} - {{- if eq .Values.ingress.className "nginx" }} - nginx.ingress.kubernetes.io/rewrite-target: /$2 - nginx.ingress.kubernetes.io/use-regex: "true" - {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - rules: - {{- if .Values.ingress.hosts }} - {{- range .Values.ingress.hosts }} - - host: {{ . 
}} - http: - paths: - - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }} - backend: - service: - {{- if index $.Values "stac-auth-proxy" "enabled" }} - name: {{ $.Release.Name }}-stac-auth-proxy - {{- else }} - name: {{ $.Release.Name }}-stac - {{- end }} - port: - number: {{ $.Values.service.port }} - {{- end }} - {{- else }} - - {{- if .Values.ingress.host }} - host: {{ .Values.ingress.host }} - {{- end }} - http: - paths: - - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }} - path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }} - backend: - service: - {{- if index .Values "stac-auth-proxy" "enabled" }} - name: {{ .Release.Name }}-stac-auth-proxy - {{- else }} - name: {{ .Release.Name }}-stac - {{- end }} - port: - number: {{ .Values.service.port }} - {{- end }} -{{- end }} diff --git a/charts/eoapi/templates/networking/traefik-middleware.yaml b/charts/eoapi/templates/networking/traefik-middleware.yaml index 04d28ae0..82bc926c 100644 --- a/charts/eoapi/templates/networking/traefik-middleware.yaml +++ b/charts/eoapi/templates/networking/traefik-middleware.yaml @@ -1,5 +1,5 @@ {{- if and .Values.ingress.enabled (eq .Values.ingress.className "traefik") }} -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: {{ .Release.Name }}-strip-prefix-middleware diff --git a/charts/eoapi/tests/ingress_tests.yaml b/charts/eoapi/tests/ingress_tests.yaml index 14845ce8..4d0b3477 100644 --- a/charts/eoapi/tests/ingress_tests.yaml +++ b/charts/eoapi/tests/ingress_tests.yaml 
@@ -33,13 +33,13 @@ tests: path: spec.ingressClassName value: "nginx" - - it: "stac ingress with traefik controller" + - it: "raster ingress with traefik controller" set: ingress.className: "traefik" ingress.pathType: "Prefix" ingress.host: "eoapi.local" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -48,7 +48,7 @@ tests: of: Ingress - equal: path: spec.rules[0].http.paths[0].path - value: "/stac" + value: "/raster" - equal: path: spec.rules[0].http.paths[0].pathType value: "Prefix" @@ -56,7 +56,7 @@ tests: path: metadata.annotations value: traefik.ingress.kubernetes.io/router.entrypoints: web - traefik.ingress.kubernetes.io/router.middlewares: RELEASE-NAME-strip-prefix-middleware@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: NAMESPACE-RELEASE-NAME-strip-prefix-middleware@kubernetescrd - equal: path: spec.ingressClassName value: "traefik" @@ -95,8 +95,7 @@ tests: ingress.className: "nginx" raster.enabled: true raster.ingress.path: "/titiler" - stac.enabled: true - stac.ingress.path: "/api" + stac.enabled: false vector.enabled: true vector.ingress.path: "/features" multidim.enabled: false @@ -109,9 +108,6 @@ tests: value: "/titiler(/|$)(.*)" - equal: path: spec.rules[0].http.paths[1].path - value: "/api(/|$)(.*)" - - equal: - path: spec.rules[0].http.paths[2].path value: "/features(/|$)(.*)" - equal: path: spec.rules[0].http.paths[0].pathType @@ -119,9 +115,6 @@ tests: - equal: path: spec.rules[0].http.paths[1].pathType value: "ImplementationSpecific" - - equal: - path: spec.rules[0].http.paths[2].pathType - value: "ImplementationSpecific" - equal: path: metadata.annotations value: 
@@ -131,9 +124,9 @@ tests: - it: "custom paths with traefik controller" set: ingress.className: "traefik" - raster.enabled: false - stac.enabled: true - stac.ingress.path: "/api" + raster.enabled: true + raster.ingress.path: "/titiler" + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -142,7 +135,7 @@ tests: of: Ingress - equal: path: spec.rules[0].http.paths[0].path - value: "/api" + value: "/titiler" - equal: path: spec.rules[0].http.paths[0].pathType value: "Prefix" @@ -150,7 +143,7 @@ tests: path: metadata.annotations value: traefik.ingress.kubernetes.io/router.entrypoints: web - traefik.ingress.kubernetes.io/router.middlewares: RELEASE-NAME-strip-prefix-middleware@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: NAMESPACE-RELEASE-NAME-strip-prefix-middleware@kubernetescrd - it: "multiple hosts with nginx controller" set: @@ -159,8 +152,8 @@ tests: - "2.eoapi.dev" - "1.eoapi.dev" raster.enabled: true - stac.enabled: true - vector.enabled: false + stac.enabled: false + vector.enabled: true multidim.enabled: false browser.enabled: false asserts: @@ -177,13 +170,13 @@ tests: value: "/raster(/|$)(.*)" - equal: path: spec.rules[0].http.paths[1].path - value: "/stac(/|$)(.*)" + value: "/vector(/|$)(.*)" - equal: path: spec.rules[1].http.paths[0].path value: "/raster(/|$)(.*)" - equal: path: spec.rules[1].http.paths[1].path - value: "/stac(/|$)(.*)" + value: "/vector(/|$)(.*)" - it: "multiple hosts with traefik controller" set: @@ -191,8 +184,8 @@ tests: ingress.hosts: - "2.eoapi.dev" - "1.eoapi.dev" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false 
@@ -207,13 +200,13 @@ tests: value: "1.eoapi.dev" - equal: path: spec.rules[0].http.paths[0].path - value: "/stac" + value: "/raster" - equal: path: spec.rules[0].http.paths[0].pathType value: "Prefix" - equal: path: spec.rules[1].http.paths[0].path - value: "/stac" + value: "/raster" - equal: path: spec.rules[1].http.paths[0].pathType value: "Prefix" @@ -226,8 +219,8 @@ tests: - "1.eoapi.dev" ingress.tls.enabled: true ingress.tls.secretName: "eoapi-tls" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -250,8 +243,8 @@ tests: ingress.host: "1.eoapi.dev" ingress.tls.enabled: true ingress.tls.secretName: "eoapi-tls" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false @@ -274,8 +267,8 @@ tests: ingress.host: "should-be-ignored.com" ingress.hosts: - "1.eoapi.dev" - raster.enabled: false - stac.enabled: true + raster.enabled: true + stac.enabled: false vector.enabled: false multidim.enabled: false browser.enabled: false diff --git a/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml b/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml index ef9121f9..0851ce94 100644 --- a/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml +++ b/charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml @@ -1,6 +1,6 @@ -suite: test stac-auth-proxy ingress routing +suite: test ingress routing without stripPrefix middleware templates: - - networking/ingress-stac.yaml + - networking/ingress-no-prefix.yaml tests: - it: should route ingress to stac-auth-proxy when enabled @@ -23,7 +23,7 @@ tests: name: RELEASE-NAME-stac-auth-proxy port: number: 8080 - template: networking/ingress-stac.yaml + template: networking/ingress-no-prefix.yaml - it: should route ingress directly to stac when auth-proxy is disabled set: 
@@ -45,17 +45,18 @@ tests: name: RELEASE-NAME-stac port: number: 8080 - template: networking/ingress-stac.yaml + template: networking/ingress-no-prefix.yaml - - it: should not create stac ingress when stac is disabled + - it: should not create ingress when both stac and browser are disabled set: ingress.enabled: true stac.enabled: false + browser.enabled: false stac-auth-proxy.enabled: true asserts: - hasDocuments: count: 0 - template: networking/ingress-stac.yaml + template: networking/ingress-no-prefix.yaml - it: should route correctly with experimental profile values: @@ -73,4 +74,57 @@ tests: name: RELEASE-NAME-stac-auth-proxy port: number: 8080 - template: networking/ingress-stac.yaml + template: networking/ingress-no-prefix.yaml + + - it: should route ingress to browser + set: + ingress.enabled: true + ingress.className: nginx + browser.enabled: true + stac.enabled: false + asserts: + - contains: + path: spec.rules[0].http.paths + content: + pathType: ImplementationSpecific + path: /browser(/|$)(.*) + backend: + service: + name: RELEASE-NAME-browser + port: + number: 8080 + template: networking/ingress-no-prefix.yaml + + - it: should include both stac and browser when both enabled + set: + ingress.enabled: true + ingress.className: nginx + stac.enabled: true + stac.ingress.enabled: true + stac.ingress.path: "/stac" + stac-auth-proxy.enabled: true + browser.enabled: true + service.port: 8080 + asserts: + - contains: + path: spec.rules[0].http.paths + content: + pathType: ImplementationSpecific + path: /stac(/|$)(.*) + backend: + service: + name: RELEASE-NAME-stac-auth-proxy + port: + number: 8080 + template: networking/ingress-no-prefix.yaml + - contains: + path: spec.rules[0].http.paths + content: + pathType: ImplementationSpecific + path: /browser(/|$)(.*) + backend: + service: + name: RELEASE-NAME-browser + port: + number: 8080 + template: networking/ingress-no-prefix.yaml From cfdc7a1003a506193beeeaa58946ddfae92ccc05 Mon Sep 17 00:00:00 2001 
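Review bot: The two new cases in stac-auth-proxy-ingress_test.yaml both set `ingress.className: nginx` and assert only the path regex and backend, so nothing checks what this file exists for: that with `ingress.className: traefik` the rendered Ingress carries `router.entrypoints` but no `router.middlewares` annotation and a plain `/stac` Prefix path, and that under nginx the `rewrite-target` annotation is `/$2`. A traefik case mirroring "should include both stac and browser when both enabled", with an `equal` on `metadata.annotations` and on `spec.rules[0].http.paths[0].path`, would pin the no-strip behaviour the new suite name promises. The suite's earlier cases start before the first hunk.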
From: Felix Delattre Date: Mon, 15 Dec 2025 16:06:52 +0100 Subject: [PATCH 4/4] Consolidated ingress definitions. --- .../services/browser/deployment.yaml | 6 +++- charts/eoapi/tests/stac_browser_tests.yaml | 30 +++++++++++++++++++ charts/eoapi/values.yaml | 1 + 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/charts/eoapi/templates/services/browser/deployment.yaml b/charts/eoapi/templates/services/browser/deployment.yaml index a4973795..87505a28 100644 --- a/charts/eoapi/templates/services/browser/deployment.yaml +++ b/charts/eoapi/templates/services/browser/deployment.yaml @@ -26,13 +26,17 @@ spec: value: "http://{{ .Values.ingress.host }}{{ .Values.stac.ingress.path }}" {{- if index .Values "stac-auth-proxy" "enabled" }} - name: SB_authConfig + {{- if .Values.browser.authConfig }} + value: {{ .Values.browser.authConfig }} + {{- else }} value: | { "type": "openIdConnect", - "openIdConnectUrl": "http://{{ .Values.ingress.host }}{{ .Values.mockOidcServer.ingress.path }}/.well-known/openid-configuration", + "openIdConnectUrl": "{{ index .Values "stac-auth-proxy" "env" "OIDC_DISCOVERY_URL" }}", "oidcOptions": { "client_id": "{{ .Values.browser.oidcClientId | default "test-client" }}" } } + {{- end }} {{- end }} {{- end }} diff --git a/charts/eoapi/tests/stac_browser_tests.yaml b/charts/eoapi/tests/stac_browser_tests.yaml index 2bded177..0a74bd89 100644 --- a/charts/eoapi/tests/stac_browser_tests.yaml +++ b/charts/eoapi/tests/stac_browser_tests.yaml @@ -59,6 +59,7 @@ tests: multidim.enabled: false browser.enabled: true stac-auth-proxy.enabled: true + stac-auth-proxy.env.OIDC_DISCOVERY_URL: "http://localhost/mock-oidc/.well-known/openid-configuration" ingress.host: "localhost" stac.ingress.path: "/stac" mockOidcServer.ingress.path: "/mock-oidc" 
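Review bot: `value: {{ .Values.browser.authConfig }}` emits the override unquoted, so a JSON object (which starts with `{`) is parsed by YAML as a flow mapping and a multi-line value breaks the indentation of the `env` entry; either way the container never receives a string. If `browser.authConfig` is meant to be a map, `value: {{ .Values.browser.authConfig | toJson | quote }}` serialises it safely; if it is a string, `value: {{ .Values.browser.authConfig | quote }}`. In the generated branch, an unset `stac-auth-proxy.env.OIDC_DISCOVERY_URL` (values.yaml only says it "must be configured") renders `"openIdConnectUrl": ""` and the failure surfaces at the user's first login; `{{ required "stac-auth-proxy.env.OIDC_DISCOVERY_URL is required when stac-auth-proxy is enabled" (index .Values "stac-auth-proxy" "env" "OIDC_DISCOVERY_URL") }}` reports it at render time instead. The `default "test-client"` fallback for `client_id` still applies here as well. The container spec continues outside the hunk.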
@@ -85,6 +86,35 @@ tests: "client_id": "test-client" } } + - it: "stac browser deployment with custom OIDC_DISCOVERY_URL" + set: + raster.enabled: false + stac.enabled: true + vector.enabled: false + multidim.enabled: false + browser.enabled: true + stac-auth-proxy.enabled: true + stac-auth-proxy.env.OIDC_DISCOVERY_URL: "https://auth.example.com/.well-known/openid-configuration" + ingress.host: "localhost" + stac.ingress.path: "/stac" + browser.oidcClientId: "test-client" + gitSha: "ABC123" + template: templates/services/browser/deployment.yaml + asserts: + - isKind: + of: Deployment + - contains: + path: spec.template.spec.containers[0].env + content: + name: SB_authConfig + value: | + { + "type": "openIdConnect", + "openIdConnectUrl": "https://auth.example.com/.well-known/openid-configuration", + "oidcOptions": { + "client_id": "test-client" + } + } - it: "stac browser deployment without auth" set: raster.enabled: false diff --git a/charts/eoapi/values.yaml b/charts/eoapi/values.yaml index 73dd9d78..c1651f00 100644 --- a/charts/eoapi/values.yaml +++ b/charts/eoapi/values.yaml @@ -496,6 +496,7 @@ browser: tag: 3.3.4 ingress: enabled: true # Control ingress specifically for browser service + # OAuth2 client ID for browser (frontend app). Reads OIDC_DISCOVERY_URL from stac-auth-proxy.env oidcClientId: "some-client-id" docServer:
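Review bot: The new comment on `browser.oidcClientId` records where the discovery URL comes from, but `browser.authConfig`, which browser/deployment.yaml now consults first and which replaces the whole generated block, is declared nowhere in values.yaml, so users cannot discover the override or its expected type. Add a commented-out key beside it, e.g. `# authConfig: ""  # optional: complete SB_authConfig value; when set, replaces the generated openIdConnect block`, and state whether a JSON string or a YAML map is expected so the template can quote it correctly. The `browser` stanza continues outside the hunk.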