WIP

InseeFrLab · Mar 21, 2024 · c9c1afd · c9c1afd
1 parent 62f7db2
commit c9c1afd
Show file tree

Hide file tree

Showing 5 changed files with 121 additions and 18 deletions.
diff --git a/cmd/handlers.go b/cmd/handlers.go
@@ -9,4 +9,5 @@ func RegisterPublicHandlers(r *gin.RouterGroup) {
 func RegisterPrivateHandlers(r *gin.RouterGroup) {
 	registerUserHandlers(r)
 	registerMyLabHandlers(r)
+	registerOnboardingHandlers(r)
 }
diff --git a/cmd/onboarding-handler.go b/cmd/onboarding-handler.go
@@ -0,0 +1,28 @@
+package cmd
+
+import (
+	"net/http"
+
+	"github.com/inseefrlab/onyxia-api/internal/helm"
+
+	"github.com/gin-gonic/gin"
+)
+
+// @Summary Init a namespace for a user or a group
+// @Schemes
+// @Description Create or replace the namespace of the user or the namespace of a group if the user is in the requested group and the according rbac policies. with the group prefix / user prefix of the region
+// @Tags Onboarding
+// @Produce json
+// @Success 200
+// @Router /onboarding [post]
+func onboarding(c *gin.Context) {
+	myServices := MyServices{}
+	for _, release := range helm.ListReleases() {
+		myServices.Apps = append(myServices.Apps, App{ID: release.Name, Chart: release.Chart.Name()})
+	}
+	c.JSON(http.StatusOK, myServices)
+}
+
+func registerOnboardingHandlers(r *gin.RouterGroup) {
+	r.POST("/onboarding", onboarding)
+}
diff --git a/internal/configuration/config.yaml b/internal/configuration/config.yaml
@@ -1,5 +1,69 @@
 authentication:
-  issuerURI:
+  mode: none
+oidc:
+  issuer-uri: 
+  clientID: 
   audience: 
+  username-claim: 
+  groups-claim: 
+  extra-query-params:
 rootPath: /api
-regions: 
+regions:
+- id: kub
+  name: Kubernetes (in-cluster)
+  description: The in-cluster Kubernetes region.
+  onyxiaAPI:
+    baseURL: ''
+  services:
+    type: KUBERNETES
+    initScript: https://git.lab.sspcloud.fr/innovation/plateforme-onyxia/services-ressources/-/raw/master/onyxia-init.sh
+    singleNamespace: true
+    namespacePrefix: user-
+    usernamePrefix: oidc-
+    groupNamespacePrefix: projet-
+    authenticationMode: serviceAccount
+    quotas:
+      allowUserModification: true
+      enabled: false
+      default:
+        requests.memory: 10Gi
+        requests.cpu: '10'
+        limits.memory: 10Gi
+        limits.cpu: '10'
+        requests.storage: 100Gi
+        count/pods: '50'
+      userEnabled: false
+      user:
+        requests.memory: 11Gi
+        requests.cpu: '11'
+        limits.memory: 11Gi
+        limits.cpu: '11'
+        requests.storage: 101Gi
+        count/pods: '51'
+      groupEnabled: false
+      group:
+        requests.memory: 12Gi
+        requests.cpu: '12'
+        limits.memory: 12Gi
+        limits.cpu: '12'
+        requests.storage: 102Gi
+        count/pods: '52'
+    defaultConfiguration:
+      IPProtection: false
+      networkPolicy: false
+    expose:
+      domain: fakedomain.kub.example.com
+      ingress: true
+      route: false
+      istio:
+        enabled: false
+        gateways: []
+    monitoring:
+      URLPattern: https://graphana.kub.example.com/$appIdSlug
+  data: {}
+  auth:
+    type: openidconnect
+  location:
+    name: Paris
+    lat: 48.8453225
+    long: 2.3024401
diff --git a/internal/configuration/configuration.go b/internal/configuration/configuration.go
@@ -1,5 +1,25 @@
 package configuration
 
+type Configuration struct {
+	Authentication Authentication
+	RootPath       string
+	Regions        []Region
+	OIDC           OIDC `json:"oidc"`
+}
+
+type Authentication struct {
+	Mode string `json:"mode"`
+}
+
+type OIDC struct {
+	IssuerURI        string `json:"issuer-uri"`
+	ClientID         string `json:"clientID"`
+	Audience         string `json:"audience"`
+	UsernameClaim    string `json:"username-claim"`
+	GroupsClaim      string `json:"groups-claim"`
+	ExtraQueryParams string `json:"extra-query-params"`
+}
+
 type Region struct {
 	ID          string `json:"id"`
 	Name        string `json:"name"`
@@ -153,14 +173,3 @@ type Region struct {
 		URL string `json:"URL"`
 	} `json:"git"`
 }
-
-type Configuration struct {
-	Authentication Authentication
-	RootPath       string
-	Regions        []Region
-}
-
-type Authentication struct {
-	IssuerURI string
-	Audience  string
-}
diff --git a/main.go b/main.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	oidc "github.com/coreos/go-oidc/v3/oidc"
@@ -34,17 +35,17 @@ func main() {
 
 	zap.ReplaceGlobals(zap.Must(zap.NewProduction()))
 
-	if configuration.Config.Authentication.IssuerURI != "" {
-		fmt.Printf("Using authentication with issuer %s", configuration.Config.Authentication.IssuerURI)
+	if strings.EqualFold(configuration.Config.Authentication.Mode, "openidconnect") {
+		fmt.Printf("Using OIDC authentication with issuer %s", configuration.Config.OIDC.IssuerURI)
 		fmt.Println()
 		client := &http.Client{
 			Timeout: time.Duration(6000) * time.Second,
 		}
 		ctx := oidc.ClientContext(context.Background(), client)
-		provider, _ := oidc.NewProvider(ctx, configuration.Config.Authentication.IssuerURI)
+		provider, _ := oidc.NewProvider(ctx, configuration.Config.OIDC.IssuerURI)
 		oidcConfig := &oidc.Config{}
-		if configuration.Config.Authentication.Audience != "" {
-			oidcConfig.ClientID = configuration.Config.Authentication.Audience
+		if configuration.Config.OIDC.Audience != "" {
+			oidcConfig.ClientID = configuration.Config.OIDC.Audience
 		} else {
 			zap.L().Warn("Token audience validation disabled")
 			oidcConfig.SkipClientIDCheck = true