Merge pull request #6 from holaplex/mpw/gateway-add-opa

Mpw/gateway add opa
holaplex · Jan 30, 2023 · 796148c · 796148c
2 parents 13c672d + 1ca43ba
commit 796148c
Show file tree

Hide file tree

Showing 9 changed files with 141 additions and 8 deletions.
diff --git a/charts/hub-gateway/Chart.yaml b/charts/hub-gateway/Chart.yaml
@@ -18,13 +18,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.1"
+appVersion: "0.1.2"
 sources:
   - https://github.com/holaplex/helm-charts
 

diff --git a/charts/hub-gateway/plugins/graphql.lua b/charts/hub-gateway/plugins/graphql.lua
@@ -1,3 +1,4 @@
+--
 -- Licensed to the Apache Software Foundation (ASF) under one or more
 -- contributor license agreements.  See the NOTICE file distributed with
 -- this work for additional information regarding copyright ownership.
@@ -96,21 +97,21 @@ local function fetch_graphql_schema(conf, ctx)
     -- block by default when user is not found
     if not res then
         core.log.error("failed to get schema, err: ", err)
-        return 403
+        return 403, err
     end
 
     -- parse the results of the decision
     local data, err = json.decode(res.body)
 
     if not data then
         core.log.error("invalid response body: ", res.body, " err: ", err)
-        return 503
+        return 503, res.body
     end
     local schema = ngx.encode_base64(data.data['_service']['sdl'])
     if not schema then
      core.log.error("invalid response from GraphQL: ", res.body,
                     " err: `_service.sdl` field does not exist")
-     return 503, "unable to get sdl"
+     return 503, res.body
 
     end
 

diff --git a/charts/hub-gateway/templates/apisixroute.yaml b/charts/hub-gateway/templates/apisixroute.yaml
@@ -49,7 +49,7 @@ spec:
         host: {{ print "http://" $apisixPlugins.graphql.serviceName  "." $namespace ".svc:" $apisixPlugins.graphql.servicePort | quote }}
         schema_url: ""
         #Schema query needs to be base64 encoded
-        schema_query: {{ .schema_query | b64enc }}
+        schema_query: {{ .schema_query | b64enc | quote }}
         #Schema needs to be base64 encoded
         schema: ""
     {{- end }}

diff --git a/charts/hub-gateway/templates/configmap.yaml b/charts/hub-gateway/templates/configmap.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: apisix-custom-plugins
+  labels:
+    {{- include "hub-gateway.labels" $ | nindent 4 }}
 data:
   {{- $files := .Files }}
   {{- range $key, $val := .Values.apisixPlugins }}

diff --git a/charts/hub-gateway/templates/opa-config.yaml b/charts/hub-gateway/templates/opa-config.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opa-config
+  namespace: {{ $.Values.hubNamespace }}
+data:
+  config.yaml: |
+    services:
+      s3:
+        url: "${AWS_BUCKET_URL}"
+        credentials:
+          s3_signing:
+            environment_credentials: {}
+    decision_logs:
+      console: true
+    bundles:
+      authz:
+        service: s3
+        resource: bundle.tar.gz
+        persist: false
+        polling:
+          min_delay_seconds: 30
+          max_delay_seconds: 120
diff --git a/charts/hub-gateway/templates/opa-deploy.yaml b/charts/hub-gateway/templates/opa-deploy.yaml
@@ -0,0 +1,59 @@
+{{- $namespace := .Values.hubNamespace -}}
+{{- $apisixPlugins := .Values.apisixPlugins -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $apisixPlugins.opa.serviceName }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "hub-gateway.labels" $ | nindent 4 }}
+    app: {{ $apisixPlugins.opa.serviceName }}
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ $apisixPlugins.opa.serviceName }}
+  template:
+    metadata:
+      labels:
+        app: {{ $apisixPlugins.opa.serviceName }}
+      name: {{ $apisixPlugins.opa.serviceName }}
+    spec:
+      containers:
+      - name: opa
+        image: {{ $apisixPlugins.opa.image }}
+        envFrom:
+        - secretRef:
+            name: opa-s3-creds
+        ports:
+        - name: http
+          containerPort: 8181
+        args:
+        - "run"
+        - "--ignore=.*"
+        - "--server"
+        - "-c"
+        - "/etc/opa/config.yaml"
+        livenessProbe:
+          httpGet:
+            scheme: HTTP          
+            port: {{ $apisixPlugins.opa.servicePort }}
+          initialDelaySeconds: 5      
+          periodSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /health?bundle=true  # Include bundle activation in readiness
+            scheme: HTTP
+            port: {{ $apisixPlugins.opa.servicePort }}
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        volumeMounts:
+        - name: config
+          mountPath: /etc/opa/config.yaml
+          subPath: config.yaml
+      volumes:
+        - name: config
+          configMap:
+            name: opa-config
diff --git a/charts/hub-gateway/templates/opa-s3-creds.yaml b/charts/hub-gateway/templates/opa-s3-creds.yaml
@@ -0,0 +1,16 @@
+{{- $namespace := .Values.hubNamespace -}}
+{{- $opa := .Values.apisixPlugins.opa -}}
+{{- $s3 := $opa.s3 -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: opa-s3-creds
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "hub-gateway.labels" $ | nindent 4 }}
+type: Opaque
+data:
+  AWS_REGION: {{ $s3.region| b64enc }} 
+  AWS_BUCKET_URL: {{ $s3.bucketUrl | b64enc }} 
+  AWS_ACCESS_KEY_ID: {{ $s3.accessKey | b64enc }}
+  AWS_SECRET_ACCESS_KEY: {{ $s3.secretKey | b64enc }} 
diff --git a/charts/hub-gateway/templates/opa-svc.yaml b/charts/hub-gateway/templates/opa-svc.yaml
@@ -0,0 +1,20 @@
+{{- $namespace := .Values.hubNamespace -}}
+{{- $apisixPlugins := .Values.apisixPlugins -}}
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ $apisixPlugins.opa.serviceName }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "hub-gateway.labels" $ | nindent 4 }}
+    app: {{ $apisixPlugins.opa.serviceName }}
+spec:
+  type: ClusterIP
+  selector:
+    app: {{ $apisixPlugins.opa.serviceName }}
+  ports:
+    - name: http
+      protocol: TCP
+      port: {{ $apisixPlugins.opa.servicePort }}
+      targetPort: {{ $apisixPlugins.opa.servicePort }}
+
diff --git a/charts/hub-gateway/values.yaml b/charts/hub-gateway/values.yaml
@@ -16,14 +16,15 @@ routes:
   require_auth: true
   regex_uri: ["/graphql", "/"]
   policy: "hub/graphql/example"
-  schema_query: '{ _service { sdl } }'
+  schema_query: "{ _service { sdl } }"
 
 - name: ui-public
   subdomain: hub
   serviceName: hub
   servicePort: 80
   methods:
     - GET
+    - POST
   paths:
     - /
     - /registration
@@ -44,6 +45,7 @@ routes:
   paths:
     - /organizations
 
+
 apisixPlugins:
   kratos:
     serviceName: kratos-public
@@ -56,6 +58,12 @@ apisixPlugins:
     files:
       - plugins/graphql.lua
   opa:
+    image: openpolicyagent/opa:0.48.0-rootless
+    s3:
+      bucketUrl: "http://your-bucket-url.s3.us-east-1.amazonaws.com"
+      region: us-east-1
+      accessKey: ""
+      secretKey: ""
     serviceName: opa
     servicePort: 8181
     files:
@@ -153,11 +161,15 @@ apisix:
   etcd:
     enabled: true
     fullnameOverride: apisix-etcd
+    image:
+      repository: bitnami/etcd
+      pullPolicy: IfNotPresent
+      tag: 3.5.7-debian-11-r3
     persistence:
       storageClass: "hostpath"
       size: 1Gi
     replicaCount: 1
     host:
-      - http://etcd:2379
+      - http://apisix-etcd:2379
     prefix: "/apisix"
     timeout: 30