Adding more details in README and some cleanup in values files
Signed-off-by: Chaitanya Khened <[email protected]>
ckhened committed Aug 23, 2024
1 parent 3bc5c7a commit 92be80d
Showing 3 changed files with 43 additions and 19 deletions.
37 changes: 32 additions & 5 deletions helm-charts/auth-apisix/README.md
@@ -62,15 +62,42 @@ The published APIs in apisix gateway are accessible through auth-apisix-gateway
```sh
export NODE_PORT=$(kubectl get --namespace auth-apisix -o jsonpath="{.spec.ports[0].nodePort}" services auth-apisix-gateway)
export NODE_IP=$(kubectl get nodes --namespace auth-apisix -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT

# the autherticated endpoint published in APISIX gateway can be accessed as: http://$NODE_IP:$NODE_PORT/<published endpoint uri>
# the authenticated endpoint published in APISIX gateway can be accessed as: http://$NODE_IP:$NODE_PORT/<published endpoint uri>
export accessUrl=http://$NODE_IP:$NODE_PORT/<your published endpoint uri>


```
</br>
Apisix helm chart provides configs to change the service type to other options like LoadBalancer (apisix.service.type) and externalTrafficPolicy to 'local'(apisix.service.externalTrafficPolicy). These can be added in apisix-helm/values.yaml </br></br>
Apisix helm chart provides configs to change the service type to other options like LoadBalancer (apisix.service.type) and externalTrafficPolicy to 'local'(apisix.service.externalTrafficPolicy). These can be added in values_apisix_gw.yaml </br></br>
While accessing the published APIs, the HTTP Authorization header of the request should contain the Access token provided by Identity provider as 'Bearer \<Access Token\>' </br></br>
The access token, refresh token, userinfo and user roles can be obtained by invoking OIDC auth endpoint through UI or token endpoint through curl and providing user credentials. </br>
The access token, refresh token, userinfo and user roles can be obtained by invoking OIDC auth endpoint through UI or token endpoint through curl and providing user credentials. </br></br>

Below steps can be followed to get access token from keycloak and access the APISIX published ChatQnA API through curl

```sh
# Get access token forspecified user from keycloak
export USER=<username>
export PASSWORD=<password>
export KEYCLOAK_ADDR=<keycloak url>
export KEYCLOAK_REALM=<keycloak realm>
export KEYCLOAK_CLIENT_ID=<keycloak client id>
export KEYCLOAK_CLIENT_SECRET=<keycloak client secret>

#Invoke Keycloak's OIDC token endpoint to get access token, refresh token and expirt times. (Only Access token is used in the example below)
export TOKEN=$(curl -X POST http://${KEYCLOAK_ADDR}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token -H 'Content-Type: application/x-www-form-urlencoded' -d "grant_type=password&client_id=${KEYCLOAK_CLIENT_ID}&client_secret=${KEYCLOAK_CLIENT_SECRET}&username=${USER}&password=${PASSWORD}" | jq -r .access_token)

# follow instructions above to fetch the NODE_IP and NODE_PORT
export accessUrl="http://$NODE_IP:$NODE_PORT/chatqna-oidc"

# try without token. Shall get response: "Authorization required 401 error"
curl -X POST $accessUrl -d '{"text":"What is the revenue of Nike in 2023?","parameters":{"max_new_tokens":17, "do_sample": true}}' -sS -H 'Content-Type: application/json' -w " %{http_code}\n"

# try with token. Shall get the correct response from ChatQnA with http code 200
curl -X POST $accessUrl -d '{"text":"What is the revenue of Nike in 2023?","parameters":{"max_new_tokens":17, "do_sample": true}}' -sS -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -w " %{http_code}\n"

```


## Uninstall

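Review bot: the token request at `export TOKEN=$(curl -X POST http://${KEYCLOAK_ADDR}/realms/...` sends the user password and the client secret to Keycloak over plain HTTP, and both also sit on the curl command line, so they end up in shell history and are visible in the process list while the request runs. Suggest documenting an `https://` value for `KEYCLOAK_ADDR` and passing the form body from a file (`-d @token-request.txt`) or via `--data-urlencode` so the credentials are not on the command line. Two smaller points in the same block: `export USER=<username>` overwrites the shell's own `USER` variable (a name such as `KEYCLOAK_USER` avoids that), and the comments still carry typos ("forspecified", "expirt times"). The negative check without a token expecting a 401 is a good addition and worth keeping.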
@@ -80,6 +107,6 @@ helm uninstall auth-apisix-crds --namespace auth-apisix
helm uninstall auth-apisix --namespace auth-apisix
```
The crds installed by apisix won't be deleted by helm uninstall. Need to manually delete those crds </br>
All APISIX spicific crds can be obtained by 'kubectl get crds | grep apisix' </br>
All APISIX specific crds can be obtained by 'kubectl get crds | grep apisix' </br>
Each crd can be manually deleted by 'kubectl delete crd/\<crd name\>' </br>
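Review bot: the cleanup commands in this hunk are given as inline quotes (`'kubectl get crds | grep apisix'`, `'kubectl delete crd/\<crd name\>'`) while the rest of the README puts commands in ```sh fences; suggest a fenced block so they can be copied as-is. It is also worth stating that deleting a CRD removes every custom resource of that kind in the cluster, not only the objects this chart created, so a reader on a shared cluster should check `kubectl get <crd name> -A` before deleting. The spelling fix to "specific" is fine.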

22 changes: 11 additions & 11 deletions helm-charts/auth-apisix/values.yaml
@@ -3,18 +3,18 @@

# Identity provider OIDC config
oidc:
realm: your-OIDC-provider-realm # replace with your realm name for OPEA apps
client_id: your-OIDC-provider-client-id # replace with your oidc client id
client_secret: your-OIDC-provider-client-secret # your oidc client secret
discovery: your-OIDC-provider-openid-configuration # replace with your oidc discovery endpoint
introspection_endpoint: your-OIDC-provider-introspection-endpoint # replace with your oidc introspection endpoint>
realm: your-OIDC-provider-realm # replace with your realm name for OPEA apps
client_id: your-OIDC-provider-client-id # replace with your oidc client id
client_secret: your-OIDC-provider-client-secret # your oidc client secret
discovery: your-OIDC-provider-openid-configuration # replace with your oidc discovery endpoint
introspection_endpoint: your-OIDC-provider-introspection-endpoint # replace with your oidc introspection endpoint>

# APISIX chatqna api config
chatqna:
namespace: default # namespace in which your chatqna service is running
hostname: your-hostname # 'Host' HTTP header from incoming request should match this. Wildcards like '*' allowed too
namespace: default # namespace in which your chatqna service is running
hostname: your-hostname # 'Host' HTTP header from incoming request should match this. Wildcards like '*' allowed too
query_api:
path: /chatqna-oidc # This is the path that will be published in apisix and this should be used by UI to access the chatqna service
backend_service: router-service # your kubernetes service name to access chatqna megaservice or gmc without .<namespace>.svc.cluster.local
service_port: 8080 # port on which chatqna mega service or gmc is running
service_path: "/" # path to access chatqna mega service or gmc backend
path: /chatqna-oidc # This is the path that will be published in apisix and this should be used by UI to access the chatqna service
backend_service: router-service # your kubernetes service name to access chatqna megaservice or gmc without .<namespace>.svc.cluster.local
service_port: 8080 # port on which chatqna mega service or gmc is running
service_path: "/" # path to access chatqna mega service or gmc backend
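Review bot: `client_secret: your-OIDC-provider-client-secret` keeps the OIDC client secret as a plain value in values.yaml, so anyone who fills it in and commits the file has committed a credential; suggest a comment pointing users to `--set oidc.client_secret=...` at install time or to an existing Kubernetes Secret, and stating that a populated values file must not be checked in. The whitespace-only re-indentation also carries over the stray `>` at the end of the `introspection_endpoint` comment. One documentation point on `hostname`: the comment says wildcards like `'*'` are allowed, and it should add that `'*'` accepts any Host header, which removes the host check entirely.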
3 changes: 0 additions & 3 deletions helm-charts/auth-apisix/values_apisix_gw.yaml
@@ -1,9 +1,6 @@
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# APISIX Namespace
namespace: auth-apisix

# APISIX Helm chart configs
version: 2.8.1
enabled: true
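Review bot: the rendered view does not mark the removed lines, but the summary says 3 deletions and 0 additions and the `# APISIX Namespace` / `namespace: auth-apisix` block (plus its blank line) is the only three-line candidate here. If that is what was dropped, the `helm uninstall ... --namespace auth-apisix` and `kubectl get --namespace auth-apisix` commands in the README hunks still assume that namespace, so the install instructions should pass `--namespace auth-apisix` explicitly and say that this file no longer sets it. Pinning `version: 2.8.1` is fine; a short comment on how that version was chosen would help whoever bumps it later.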
