From 92be80d78fb10556628778f53b6528548bea4287 Mon Sep 17 00:00:00 2001
From: Chaitanya Khened
Date: Fri, 23 Aug 2024 16:22:31 -0700
Subject: [PATCH] Adding more details in README and some cleanup in values files
Signed-off-by: Chaitanya Khened
---
 helm-charts/auth-apisix/README.md | 37 ++++++++++++++++---
 helm-charts/auth-apisix/values.yaml | 22 +++++------
 helm-charts/auth-apisix/values_apisix_gw.yaml | 3 --
 3 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/helm-charts/auth-apisix/README.md b/helm-charts/auth-apisix/README.md
index 2fa8ad53c..ae599117c 100644
--- a/helm-charts/auth-apisix/README.md
+++ b/helm-charts/auth-apisix/README.md
@@ -62,15 +62,42 @@ The published APIs in apisix gateway are accessible through auth-apisix-gateway
 ```sh
 export NODE_PORT=$(kubectl get --namespace auth-apisix -o jsonpath="{.spec.ports[0].nodePort}" services auth-apisix-gateway)
 export NODE_IP=$(kubectl get nodes --namespace auth-apisix -o jsonpath="{.items[0].status.addresses[0].address}")
-echo http://$NODE_IP:$NODE_PORT
-# the autherticated endpoint published in APISIX gateway can be accessed as: http://$NODE_IP:$NODE_PORT/
+# the authenticated endpoint published in APISIX gateway can be accessed as: http://$NODE_IP:$NODE_PORT/
+export accessUrl=http://$NODE_IP:$NODE_PORT/
+
 ```
-Apisix helm chart provides configs to change the service type to other options like LoadBalancer (apisix.service.type) and externalTrafficPolicy to 'local'(apisix.service.externalTrafficPolicy). These can be added in apisix-helm/values.yaml

+Apisix helm chart provides configs to change the service type to other options like LoadBalancer (apisix.service.type) and externalTrafficPolicy to 'local'(apisix.service.externalTrafficPolicy). These can be added in values_apisix_gw.yaml

While accessing the published APIs, the HTTP Authorization header of the request should contain the Access token provided by Identity provider as 'Bearer \'

-The access token, refresh token, userinfo and user roles can be obtained by invoking OIDC auth endpoint through UI or token endpoint through curl and providing user credentials.
+The access token, refresh token, userinfo and user roles can be obtained by invoking OIDC auth endpoint through UI or token endpoint through curl and providing user credentials.

+
+Below steps can be followed to get access token from keycloak and access the APISIX published ChatQnA API through curl
+
+```sh
+# Get access token forspecified user from keycloak
+export USER=
+export PASSWORD=
+export KEYCLOAK_ADDR=
+export KEYCLOAK_REALM=
+export KEYCLOAK_CLIENT_ID=
+export KEYCLOAK_CLIENT_SECRET=
+
+#Invoke Keycloak's OIDC token endpoint to get access token, refresh token and expirt times. (Only Access token is used in the example below)
+export TOKEN=$(curl -X POST http://${KEYCLOAK_ADDR}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token -H 'Content-Type: application/x-www-form-urlencoded' -d "grant_type=password&client_id=${KEYCLOAK_CLIENT_ID}&client_secret=${KEYCLOAK_CLIENT_SECRET}&username=${USER}&password=${PASSWORD}" | jq -r .access_token)
+
+# follow instructions above to fetch the NODE_IP and NODE_PORT
+export accessUrl="http://$NODE_IP:$NODE_PORT/chatqna-oidc"
+
+# try without token. Shall get response: "Authorization required 401 error"
+curl -X POST $accessUrl -d '{"text":"What is the revenue of Nike in 2023?","parameters":{"max_new_tokens":17, "do_sample": true}}' -sS -H 'Content-Type: application/json' -w " %{http_code}\n"
+
+# try with token. Shall get the correct response from ChatQnA with http code 200
+curl -X POST $accessUrl -d '{"text":"What is the revenue of Nike in 2023?","parameters":{"max_new_tokens":17, "do_sample": true}}' -sS -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -w " %{http_code}\n"
+
+```
+
 ## Uninstall
@@ -80,6 +107,6 @@ helm uninstall auth-apisix-crds --namespace auth-apisix
 helm uninstall auth-apisix --namespace auth-apisix
 ```
 The crds installed by apisix won't be deleted by helm uninstall. Need to manually delete those crds
-All APISIX spicific crds can be obtained by 'kubectl get crds | grep apisix'
+All APISIX specific crds can be obtained by 'kubectl get crds | grep apisix'
Each crd can be manually deleted by 'kubectl delete crd/\'
diff --git a/helm-charts/auth-apisix/values.yaml b/helm-charts/auth-apisix/values.yaml
index a2254aecb..0589ced5d 100644
--- a/helm-charts/auth-apisix/values.yaml
+++ b/helm-charts/auth-apisix/values.yaml
@@ -3,18 +3,18 @@
 # Identity provider OIDC config
 oidc:
- realm: your-OIDC-provider-realm # replace with your realm name for OPEA apps
- client_id: your-OIDC-provider-client-id # replace with your oidc client id
- client_secret: your-OIDC-provider-client-secret # your oidc client secret
- discovery: your-OIDC-provider-openid-configuration # replace with your oidc discovery endpoint
- introspection_endpoint: your-OIDC-provider-introspection-endpoint # replace with your oidc introspection endpoint>
+ realm: your-OIDC-provider-realm # replace with your realm name for OPEA apps
+ client_id: your-OIDC-provider-client-id # replace with your oidc client id
+ client_secret: your-OIDC-provider-client-secret # your oidc client secret
+ discovery: your-OIDC-provider-openid-configuration # replace with your oidc discovery endpoint
+ introspection_endpoint: your-OIDC-provider-introspection-endpoint # replace with your oidc introspection endpoint>
 # APISIX chatqna api config
 chatqna:
- namespace: default # namespace in which your chatqna service is running
- hostname: your-hostname # 'Host' HTTP header from incoming request should match this. Wildcards like '*' allowed too
+ namespace: default # namespace in which your chatqna service is running
+ hostname: your-hostname # 'Host' HTTP header from incoming request should match this.
Wildcards like '*' allowed too
 query_api:
- path: /chatqna-oidc # This is the path that will be published in apisix and this should be used by UI to access the chatqna service
- backend_service: router-service # your kubernetes service name to access chatqna megaservice or gmc without ..svc.cluster.local
- service_port: 8080 # port on which chatqna mega service or gmc is running
- service_path: "/" # path to access chatqna mega service or gmc backend
+ path: /chatqna-oidc # This is the path that will be published in apisix and this should be used by UI to access the chatqna service
+ backend_service: router-service # your kubernetes service name to access chatqna megaservice or gmc without ..svc.cluster.local
+ service_port: 8080 # port on which chatqna mega service or gmc is running
+ service_path: "/" # path to access chatqna mega service or gmc backend
diff --git a/helm-charts/auth-apisix/values_apisix_gw.yaml b/helm-charts/auth-apisix/values_apisix_gw.yaml
index b7c96ee46..fa1f74300 100644
--- a/helm-charts/auth-apisix/values_apisix_gw.yaml
+++ b/helm-charts/auth-apisix/values_apisix_gw.yaml
@@ -1,9 +1,6 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
-# APISIX Namespace
-namespace: auth-apisix
-
 # APISIX Helm chart configs
 version: 2.8.1
 enabled: true