Merge pull request #41 from cms-DQM/refactor/deploy-oauth2-proxy-dire…

…ctly
cms-DQM · Feb 17, 2025 · 3708b6c · 3708b6c
2 parents 3794426 + 0435581
commit 3708b6c
Show file tree

Hide file tree

Showing 12 changed files with 432 additions and 34 deletions.
diff --git a/deployment/prod/configmaps/nginx.yaml b/deployment/prod/configmaps/nginx.yaml
@@ -19,13 +19,40 @@ data:
     client_max_body_size 0;
 
     location /oauth2/ {
-        proxy_pass       http://cern-auth-proxy:4180;    # TODO: must match the Release name used to deploy the cern-auth-proxy service
+        # The following config takes care of the temporary transition
+        # from the one auth proxy to the other. To do so, the
+        # user agent is checked, which lets us know which version of
+        # runregistry_api_client is making the request.
+        # "if" statements are generally NOT advised in location context,
+        # but we don't seem to be able to use "map", even if we wrap it in http context.
+        # What's more, there's no "else" statement, so we resort to
+        # using two ifs.
+        if ($http_user_agent ~ "runregistry_api_client/(3.1|1.5).+"){
+          proxy_pass       http://cern-auth-proxy:4180;
+        }
+        if ($http_user_agent !~ "runregistry_api_client/(3.1|1.5).+"){
+          proxy_pass       http://cern-auth-proxy-helm:4180;
+        }
         proxy_set_header Host                    $host;
         proxy_set_header X-Scheme                $scheme;
         proxy_set_header X-Auth-Request-Redirect $request_uri;
     }
 
     location /api/ {
+        # Since the oauth2-proxy doesn't set any cors headers
+        # we need to set the header here for the OPTIONS methods.
+        # This is needed to request data from the run registry api
+        # directly from a frontend hosted in a different origin.
+        if ($request_method = OPTIONS) {
+          add_header Access-Control-Allow-Origin "$http_origin";
+          add_header Access-Control-Allow-Headers "accept, authorization, content-type, user-agent, x-csrftoken, x-requested-with";
+          add_header Access-Control-Allow-Methods "DELETE, GET, OPTIONS, PATCH, POST, PUT";
+          add_header Access-Control-Allow-Credentials "true";
+          add_header Content-Length 0;
+          add_header Content-Type text/plain;
+          return 204;
+        }
+
         auth_request /oauth2/auth;
         error_page 401 = /oauth2/start;
 
@@ -44,6 +71,18 @@ data:
         proxy_set_header egroups           $groups;
         proxy_set_header displayname       $preferredUsername;
 
+        # The express.js run registry backend is setting the "Access-Control-Allow-Origin"
+        # header as "*", this is done to enable local development (since the frontend
+        # is hosted in a different origin). However, in the production evironment the browser
+        # will block any requests (issued from different origins) that contains "*" in the response headers.
+        # Therefore, this is needed to request data from the run registry api
+        # directly from a frontend hosted in a different origin.
+        proxy_hide_header Access-Control-Allow-Origin;
+        add_header Access-Control-Allow-Origin "$http_origin";
+        add_header Access-Control-Allow-Headers "accept, authorization, content-type, user-agent, x-csrftoken, x-requested-with";
+        add_header Access-Control-Allow-Methods "DELETE, GET, OPTIONS, PATCH, POST, PUT";
+        add_header Access-Control-Allow-Credentials "true";
+
         proxy_pass http://runregistry-backend:9500/;
         proxy_read_timeout 500s;  # Backend may take a long time to respond for some queries
         proxy_connect_timeout 500s;

diff --git a/deployment/prod/secrets/custom-oidc-client-secret.yaml b/deployment/prod/secrets/custom-oidc-client-secret.yaml
@@ -0,0 +1,11 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: custom-oidc-client-secret
+  namespace: cmsrunregistry
+type: Opaque
+data:
+  clientID:
+  clientSecret:
+  issuerURL:
+  suggestedCookieSecret:
diff --git a/deployment/prod/sso_proxy/cern-auth-proxy-deployment.yaml b/deployment/prod/sso_proxy/cern-auth-proxy-deployment.yaml
@@ -0,0 +1,133 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cern-auth-proxy
+  namespace: cmsrunregistry
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: cern-auth-proxy
+      app.kubernetes.io/name: cern-auth-proxy
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: cern-auth-proxy
+        app.kubernetes.io/name: cern-auth-proxy
+    spec:
+      automountServiceAccountToken: false
+      containers:
+      - args:
+        - --set-xauthrequest=true
+        - --pass-user-headers=true
+        # Make sure that the cookies do not stay valid for the default 168 hours
+        - --cookie-expire=4h
+        - --reverse-proxy=true
+        - --set-authorization-header=true
+        # Needed to authenticate with client_credentials
+        # See: https://stackoverflow.com/questions/74520641/analyzing-oauth2-client-credential-flow-with-oauth2-proxy-keycloak-oauth2-pro
+        - --skip-jwt-bearer-tokens=true
+        env:
+        - name: OAUTH2_PROXY_HTTP_ADDRESS
+          value: :4180
+        - name: OAUTH2_PROXY_METRICS_ADDRESS
+          value: :44180
+        - name: OAUTH2_PROXY_SILENCE_PING_LOGGING
+          value: "true"
+        - name: OAUTH2_PROXY_REDIRECT_URL
+          value: https://cmsrunregistry.web.cern.ch/oauth2/callback
+        - name: OAUTH2_PROXY_WHITELIST_DOMAINS
+          value: .cern.ch
+        - name: OAUTH2_PROXY_ALLOWED_GROUPS
+          value: default-role
+        - name: OAUTH2_PROXY_UPSTREAMS
+          value: http://example:8080/
+        - name: OAUTH2_PROXY_PROXY_PREFIX
+          value: /oauth2
+        - name: OAUTH2_PROXY_COOKIE_PATH
+          value: /
+        - name: OAUTH2_PROXY_OIDC_GROUPS_CLAIM
+          value: cern_roles
+        - name: OAUTH2_PROXY_PREFER_EMAIL_TO_USER
+          value: "true"
+        - name: OAUTH2_PROXY_EMAIL_DOMAINS
+          value: '*'
+        - name: OAUTH2_PROXY_SCOPE
+          value: openid
+        - name: OAUTH2_PROXY_PROVIDER
+          value: oidc
+        - name: OAUTH2_PROXY_OIDC_ISSUER_URL
+          valueFrom:
+            secretKeyRef:
+              key: issuerURL
+              name: custom-oidc-client-secret
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: clientID
+              name: custom-oidc-client-secret
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: clientSecret
+              name: custom-oidc-client-secret
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: suggestedCookieSecret
+              name: custom-oidc-client-secret
+        - name: OAUTH2_PROXY_COOKIE_SECURE
+          value: "false"
+        - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
+          value: "true"
+        image: image-registry.openshift-image-registry.svc:5000/openshift/oauth2-proxy:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /ping
+            port: http
+            scheme: HTTP
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: sso-proxy
+        ports:
+        - containerPort: 4180
+          name: http
+          protocol: TCP
+        - containerPort: 44180
+          name: metrics
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /ping
+            port: http
+            scheme: HTTP
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 100Mi
+          requests:
+            cpu: 50m
+            memory: 20Mi
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: default
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 30
diff --git a/deployment/prod/sso_proxy/cern-auth-proxy-oidcreturnuri.yaml b/deployment/prod/sso_proxy/cern-auth-proxy-oidcreturnuri.yaml
@@ -0,0 +1,12 @@
+apiVersion: webservices.cern.ch/v1alpha1
+kind: OidcReturnURI
+metadata:
+  labels:
+    app.kubernetes.io/instance: cern-auth-proxy
+    app.kubernetes.io/name: cern-auth-proxy
+    app.kubernetes.io/part-of: cern-auth-proxy
+    app.kubernetes.io/version: latest
+  name: cern-auth-proxy
+  namespace: cmsrunregistry
+spec:
+  redirectURI: https://cmsrunregistry.web.cern.ch/oauth2/callback
diff --git a/deployment/prod/sso_proxy/cern-auth-proxy-service.yaml b/deployment/prod/sso_proxy/cern-auth-proxy-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: cern-auth-proxy
+    app.kubernetes.io/name: cern-auth-proxy
+    app.kubernetes.io/part-of: cern-auth-proxy
+    app.kubernetes.io/version: latest
+  name: cern-auth-proxy
+  namespace: cmsrunregistry
+spec:
+  type: ClusterIP
+  ports:
+    - name: sso-proxy
+      port: 4180
+      protocol: TCP
+      targetPort: 4180
+  selector:
+    app.kubernetes.io/instance: cern-auth-proxy
+    app.kubernetes.io/name: cern-auth-proxy
diff --git a/deployment/prod/sso_proxy_helmchart.yaml b/deployment/prod/sso_proxy_helmchart.yaml
diff --git a/deployment/staging/configmaps/nginx.yaml b/deployment/staging/configmaps/nginx.yaml
@@ -19,13 +19,40 @@ data:
     client_max_body_size 0;
 
     location /oauth2/ {
-        proxy_pass       http://cern-auth-proxy:4180;    # TODO: must match the Release name used to deploy the cern-auth-proxy service
+        # The following config takes care of the temporary transition
+        # from the one auth proxy to the other. To do so, the
+        # user agent is checked, which lets us know which version of
+        # runregistry_api_client is making the request.
+        # "if" statements are generally NOT advised in location context,
+        # but we don't seem to be able to use "map", even if we wrap it in http context.
+        # What's more, there's no "else" statement, so we resort to
+        # using two ifs.
+        if ($http_user_agent ~ "runregistry_api_client/(3.1|1.5).+"){
+          proxy_pass       http://cern-auth-proxy:4180;
+        }
+        if ($http_user_agent !~ "runregistry_api_client/(3.1|1.5).+"){
+          proxy_pass       http://cern-auth-proxy-helm:4180;
+        }
         proxy_set_header Host                    $host;
         proxy_set_header X-Scheme                $scheme;
         proxy_set_header X-Auth-Request-Redirect $request_uri;
     }
 
     location /api/ {
+        # Since the oauth2-proxy doesn't set any cors headers
+        # we need to set the header here for the OPTIONS methods.
+        # This is needed to request data from the run registry api
+        # directly from a frontend hosted in a different origin.
+        if ($request_method = OPTIONS) {
+          add_header Access-Control-Allow-Origin "$http_origin";
+          add_header Access-Control-Allow-Headers "accept, authorization, content-type, user-agent, x-csrftoken, x-requested-with";
+          add_header Access-Control-Allow-Methods "DELETE, GET, OPTIONS, PATCH, POST, PUT";
+          add_header Access-Control-Allow-Credentials "true";
+          add_header Content-Length 0;
+          add_header Content-Type text/plain;
+          return 204;
+        }
+
         auth_request /oauth2/auth;
         error_page 401 = /oauth2/start;
 
@@ -44,6 +71,18 @@ data:
         proxy_set_header egroups           $groups;
         proxy_set_header displayname       $preferredUsername;
 
+        # The express.js run registry backend is setting the "Access-Control-Allow-Origin"
+        # header as "*", this is done to enable local development (since the frontend
+        # is hosted in a different origin). However, in the production evironment the browser
+        # will block any requests (issued from different origins) that contains "*" in the response headers.
+        # Therefore, this is needed to request data from the run registry api
+        # directly from a frontend hosted in a different origin.
+        proxy_hide_header Access-Control-Allow-Origin;
+        add_header Access-Control-Allow-Origin "$http_origin";
+        add_header Access-Control-Allow-Headers "accept, authorization, content-type, user-agent, x-csrftoken, x-requested-with";
+        add_header Access-Control-Allow-Methods "DELETE, GET, OPTIONS, PATCH, POST, PUT";
+        add_header Access-Control-Allow-Credentials "true";
+
         proxy_pass http://runregistry-backend:9500/;
         proxy_read_timeout 500s;  # Backend may take a long time to respond for some queries
         proxy_connect_timeout 500s;

diff --git a/deployment/staging/secrets/custom-oidc-client-secret.yaml b/deployment/staging/secrets/custom-oidc-client-secret.yaml
@@ -0,0 +1,11 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: custom-oidc-client-secret
+  namespace: dev-cmsrunregistry
+type: Opaque
+data:
+  clientID:
+  clientSecret:
+  issuerURL:
+  suggestedCookieSecret: