From c069148e223ec8636e284ec5f146b84277ee5311 Mon Sep 17 00:00:00 2001 From: Kyle Espinola Date: Mon, 13 Feb 2023 16:15:07 +0100 Subject: [PATCH] refactor: updates to support graphql. add more route rules to align with UI. make X-User-Id optional header. remove opa plugin. --- charts/hub-gateway/Chart.yaml | 4 +- charts/hub-gateway/plugins/hub-orgs.lua | 115 ---------- charts/hub-gateway/plugins/kratos.lua | 107 ++++----- charts/hub-gateway/plugins/opa-helper.lua | 210 ------------------ charts/hub-gateway/plugins/opa-mod.lua | 169 -------------- charts/hub-gateway/templates/apisixroute.yaml | 30 +-- charts/hub-gateway/templates/opa-config.yaml | 25 --- charts/hub-gateway/templates/opa-deploy.yaml | 61 ----- .../hub-gateway/templates/opa-s3-creds.yaml | 17 -- charts/hub-gateway/templates/opa-svc.yaml | 21 -- charts/hub-gateway/values.yaml | 66 ++---- 11 files changed, 81 insertions(+), 744 deletions(-) delete mode 100644 charts/hub-gateway/plugins/hub-orgs.lua delete mode 100644 charts/hub-gateway/plugins/opa-helper.lua delete mode 100644 charts/hub-gateway/plugins/opa-mod.lua delete mode 100644 charts/hub-gateway/templates/opa-config.yaml delete mode 100644 charts/hub-gateway/templates/opa-deploy.yaml delete mode 100644 charts/hub-gateway/templates/opa-s3-creds.yaml delete mode 100644 charts/hub-gateway/templates/opa-svc.yaml diff --git a/charts/hub-gateway/Chart.yaml b/charts/hub-gateway/Chart.yaml index 5bddbe0..724d45f 100644 --- a/charts/hub-gateway/Chart.yaml +++ b/charts/hub-gateway/Chart.yaml 
@@ -18,13 +18,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.9 +version: "0.2" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.9" +appVersion: "0.2" sources: - https://github.com/holaplex/helm-charts diff --git a/charts/hub-gateway/plugins/hub-orgs.lua b/charts/hub-gateway/plugins/hub-orgs.lua deleted file mode 100644 index 189d3b3..0000000 --- a/charts/hub-gateway/plugins/hub-orgs.lua +++ /dev/null 
@@ -1,115 +0,0 @@ -local core = require("apisix.core") -local http = require("resty.http") -local json = require("apisix.core.json") - -local schema = { - type = "object", - properties = { - host = {type = "string"}, - ssl_verify = { - type = "boolean", - default = true, - }, - timeout = { - type = "integer", - minimum = 1, - maximum = 60000, - default = 3000, - description = "timeout in milliseconds", - }, - keepalive = {type = "boolean", default = true}, - keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, - keepalive_pool = {type = "integer", minimum = 1, default = 5}, - redirect_unauthorized = {type = "boolean", default = false}, - redirect_uri = {type = "string"}, - }, - required = {"host"} -} - - -local _M = { - version = 0.1, - priority = 1005, - name = "hub-orgs", - schema = schema, -} - - -function _M.check_schema(conf) - return core.schema.check(schema, conf) -end - -local function build_json_error(code, status, reason) - - core.response.set_header("content", "application/json") - local res = { - error = { - code = code, - status = status, - reason = reason - } - } - return json.encode(res) -end - -function _M.access(conf, ctx) - local headers = core.request.headers(); - local user_id = ctx.var.kratos_user_id - - if not user_id then - local res = build_json_error(500, "Internal server error", "Unable to read user-id from kratos plugin") - core.log.error("unable to read user-id from kratos plugin") - return 500, res - end - -- Get Org data - local params = { - method = "GET", - headers = { - ["X-USER-ID"] = user_id, - ["Content-Type"] = "application/json", - ["Accept"] = "application/json", - }, - keepalive = conf.keepalive, - ssl_verify = conf.ssl_verify - } - local org_id = ngx.var['cookie__hub_org'] or headers['x-organization-id'] - if not org_id then - local res = build_json_error(401, "Unauthorized", "X-Organization-Id header not found") - core.log.error("Failed to get org id from header or cookie") - return 401, res - end - - -- 
make the call - get affiliations - local endpoint = conf.host .. "/affiliations" - local httpc = http.new() - httpc:set_timeout(conf.timeout) - local res, err = httpc:request_uri(endpoint, params) - - core.log.error("Getting affiliations from hub-orgs for user: ", user_id) - -- return 503 if error on response or when parsing - if not res then - local res = build_json_error(500, "Internal server error", "Unable to get affiliations") - core.log.error("Failed to get affiliations. invalid response body: ", res.body, " err: ", err) - return 500, res - end - - local affiliations, err = json.decode(res.body) - if not affiliations then - local res = build_json_error(404, "Not found", "No affiliations found for user id: " .. user_id) - return res.status, res - end - - -- Expose org_id and affiliations on variables: org_id, hub_affiliations - core.ctx.register_var("org_id", function(ctx) - return org_id - end) - - local affiliations = ngx.encode_base64(res.body) - core.ctx.register_var("hub_affiliations", function(ctx) - return affiliations - end) - - core.response.set_header("x-organization-id", org_id) -end - -return _M diff --git a/charts/hub-gateway/plugins/kratos.lua b/charts/hub-gateway/plugins/kratos.lua index 4a88fbd..3ca9203 100644 --- a/charts/hub-gateway/plugins/kratos.lua +++ b/charts/hub-gateway/plugins/kratos.lua 
@@ -14,47 +14,63 @@ -- See the License for the specific language governing permissions and -- limitations under the License. -- - -local core = require("apisix.core") -local http = require("resty.http") -local json = require("apisix.core.json") +local core = require("apisix.core") +local http = require("resty.http") +local json = require("apisix.core.json") local schema = { type = "object", properties = { - host = {type = "string"}, + host = { + type = "string" + }, ssl_verify = { type = "boolean", - default = true, + default = true }, timeout = { type = "integer", minimum = 1, maximum = 60000, default = 3000, - description = "timeout in milliseconds", + description = "timeout in milliseconds" + }, + keepalive = { + type = "boolean", + default = true + }, + keepalive_timeout = { + type = "integer", + minimum = 1000, + default = 60000 + }, + keepalive_pool = { + type = "integer", + minimum = 1, + default = 5 + }, + expose_user_data = { + type = "boolean", + default = false + }, + expose_user_id = { + type = "boolean", + default = false + }, + session_cookie_name = { + type = "string" }, - keepalive = {type = "boolean", default = true}, - keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, - keepalive_pool = {type = "integer", minimum = 1, default = 5}, - expose_user_data = {type = "boolean", default = false}, - expose_user_id = {type = "boolean", default = false}, - session_cookie_name = {type = "string"}, - redirect_unauthorized = {type = "boolean", default = false}, - redirect_uri = {type = "string"}, }, required = {"host"} } - local _M = { version = 0.1, priority = 1030, name = "kratos", - schema = schema, + schema = schema } - function _M.check_schema(conf) return core.schema.check(schema, conf) end 
@@ -64,11 +80,11 @@ local function build_json_error(code, status, reason) core.response.set_header(ctx, "content", "application/json") local res = { error = { - code = code, - status = status, - reason = reason + code = code, + status = status, + reason = reason } - } + } return json.encode(res) end @@ -76,34 +92,25 @@ function _M.access(conf, ctx) local ret_code local headers = core.request.headers() local method_name = ngx.req.get_method() - - if method_name == "GET" and conf.redirect_unauthorized then - ret_code = 301 - else - ret_code = 401 - end local session_cookie_name = string.lower(conf.session_cookie_name or "ory_kratos_session") local cookie_header = string.lower("cookie_" .. session_cookie_name) local cookie_value = ngx.var[cookie_header] - + -- Try to get session token from cookie header and $session_cookie_name local session_token = headers[session_cookie_name] or cookie_value if not session_token then - local res = build_json_error(ret_code, "Unauthorized", "Missing " .. session_cookie_name .. " header or cookie") - if ret_code == 301 then - core.response.set_header("Location", conf.redirect_uri) - end - return ret_code, res + local res = build_json_error(ret_code, "Unauthorized", "Missing " .. session_cookie_name .. " header or cookie") + return end - local kratos_cookie = session_cookie_name .. "=" .. session_token - + local kratos_cookie = session_cookie_name .. "=" .. session_token + local params = { method = "POST", headers = { - ["Cookie"] = kratos_cookie, + ["Cookie"] = kratos_cookie }, keepalive = conf.keepalive, ssl_verify = conf.ssl_verify 
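Review bot: The new bare `return` on the missing-session branch lets the request through to the upstream without stripping a caller-supplied `X-User-Id`, so an anonymous client can forge the identity header that the success path later in `access` sets from the Kratos identity and that the upstream presumably trusts. Making the session optional is fine, but the inbound header must be cleared before the first early return, e.g. as the first statement of `access`: `core.request.set_header(ctx, "x-user-id", nil) -- never trust a caller-supplied identity header` (confirm that APISIX clears the header on a nil value in the bundled version; otherwise `ngx.req.clear_header("x-user-id")`). Separately, `ret_code` is now declared but never assigned, so `build_json_error(ret_code, ...)` builds a body that is immediately discarded while still setting the `content` response header as a side effect; drop that call or replace it with a debug log. `_M.access` begins before this hunk and continues after it.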
@@ -122,44 +129,38 @@ function _M.access(conf, ctx) -- block by default when user is not found if not res then - return 403, res.body + return end -- parse the user data local data, err = json.decode(res.body) if not data then - return 503, res.body + return end -- block if user id is not found if not data.id then - local reason = res.body - core.log.error(reason) - if ret_code == 301 then - core.response.set_header("Location", conf.redirect_uri) - end - - return ret_code, reason + return end -- Expose user data response on $kratos_user_data variable if conf.expose_user_data then local user_data = ngx.encode_base64(res.body) if not user_data then - return 503, res.body + return end core.ctx.register_var("kratos_user_data", function(ctx) - return user_data + return user_data end) end -- Expose user id on $kratos_user_id variable if conf.expose_user_id then - core.request.set_header(ctx, "x-user-id", data.identity.id) - core.response.set_header("x-user-id", data.identity.id) - core.ctx.register_var("kratos_user_id", function(ctx) - return data.identity.id - end) + core.request.set_header(ctx, "x-user-id", data.identity.id) + core.response.set_header("x-user-id", data.identity.id) + core.ctx.register_var("kratos_user_id", function(ctx) + return data.identity.id + end) end end diff --git a/charts/hub-gateway/plugins/opa-helper.lua b/charts/hub-gateway/plugins/opa-helper.lua deleted file mode 100644 index dd8b94c..0000000 --- a/charts/hub-gateway/plugins/opa-helper.lua +++ /dev/null 
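Review bot: The three new bare `return`s make the plugin fail open: when Kratos is unreachable or times out (`not res`), or returns an unparsable body, the request is forwarded exactly like an anonymous one, and the `err` from `request_uri` is never logged, so an identity-provider outage is indistinguishable from a logged-out user. `res.status` is also never inspected, so a 401 from whoami for an expired or inactive session is only caught indirectly by the `data.id` check. I would fail closed with a 503 for transport and decode failures, and treat a non-200 status explicitly as "no session", as below; the `data.id` check and the expose_* blocks are unchanged. `_M.access` begins before this hunk.
```lua
    -- fail closed: an unreachable identity provider is an outage, not an anonymous user
    if not res then
        core.log.error("kratos whoami request failed: ", err)
        return 503, build_json_error(503, "Service Unavailable", "identity provider unreachable")
    end

    -- a non-200 from whoami (expired/inactive session) is an anonymous request, not an error
    if res.status ~= 200 then
        return
    end

    -- parse the user data
    local data, err = json.decode(res.body)
    if not data then
        core.log.error("invalid kratos response body: ", err)
        return 503, build_json_error(503, "Service Unavailable", "invalid identity provider response")
    end
    -- … unchanged: data.id check, expose_user_data, expose_user_id …
```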
@@ -1,210 +0,0 @@ --- Licensed to the Apache Software Foundation (ASF) under one or more --- contributor license agreements. See the NOTICE file distributed with --- this work for additional information regarding copyright ownership. --- The ASF licenses this file to You under the Apache License, Version 2.0 --- (the "License"); you may not use this file except in compliance with --- the License. You may obtain a copy of the License at --- --- http://www.apache.org/licenses/LICENSE-2.0 --- --- Unless required by applicable law or agreed to in writing, software --- distributed under the License is distributed on an "AS IS" BASIS, --- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. --- See the License for the specific language governing permissions and --- limitations under the License. --- - -local core = require("apisix.core") -local get_service = require("apisix.http.service").get -local ngx = ngx -local ngx_time = ngx.time -local re_match = ngx.re.match -local pairs = pairs -local ipairs = ipairs -local type = type -local lrucache = core.lrucache.new({ - type = "plugin", -}) -local _M = {} - - --- build a table of Nginx variables with some generality --- between http subsystem and stream subsystem -local function build_var(conf, ctx) - return { - server_addr = ctx.var.server_addr, - server_port = ctx.var.server_port, - remote_addr = ctx.var.remote_addr, - remote_port = ctx.var.remote_port, - timestamp = ngx_time(), - } -end - -local function build_http_request(conf, ctx) - local request = { - scheme = core.request.get_scheme(ctx), - method = core.request.get_method(), - host = core.request.get_host(ctx), - port = core.request.get_port(ctx), - path = ctx.var.uri, - headers = core.request.headers(ctx), - query = core.request.get_uri_args(ctx), - } - - if conf.with_body then - request.body = core.request.get_body() - end - return request -end - - -local function build_http_route(conf, ctx, remove_upstream) - local route = 
core.table.clone(ctx.matched_route).value - - if remove_upstream and route and route.upstream then - route.upstream = nil - end - - return route -end - - -local function build_http_service(conf, ctx) - local service_id = ctx.service_id - - -- possible that there is no service bound to the route - if service_id then - local service = core.table.clone(get_service(service_id)).value - - if service then - if service.upstream then - service.upstream = nil - end - return service - else - core.log.error("failed to get service") - end - end - - return nil -end - - -local function build_http_consumer(conf, ctx) - -- possible that there is no consumer bound to the route - if ctx.consumer then - return core.table.clone(ctx.consumer) - end - - return nil -end - -local function check_set_inputs(inputs) - for field, value in pairs(inputs) do - if type(field) ~= 'string' then - return false, 'invalid type as input field' - end - - if type(value) ~= 'string' and type(value) ~= 'number' then - return false, 'invalid type as input value' - end - - if #field == 0 then - return false, 'invalid field length in input' - end - end - - return true -end - -local function is_new_inputs_conf(inputs) - return - (inputs.add and type(inputs.add) == "table") or - (inputs.set and type(inputs.set) == "table") or - (inputs.remove and type(inputs.remove) == "table") -end - -local function build_extra_inputs(inputs) - local set = {} - local add = {} - if is_new_inputs_conf(inputs) then - if inputs.add then - for _, value in ipairs(inputs.add) do - local m, err = re_match(value, [[^([^:\s]+)\s*:\s*([^:]+)$]], "jo") - if not m then - return nil, err - end - core.table.insert_tail(add, m[1], m[2]) - end - end - - if inputs.set then - for field, value in pairs(inputs.set) do - --reform header from object into array, so can avoid use pairs, which is NYI - core.table.insert_tail(set, field, value) - end - end - - else - for field, value in pairs(inputs) do - core.table.insert_tail(set, field, value) - end 
- end - - return { - add = add, - set = set, - remove = inputs.remove or {}, - } -end - -function _M.build_opa_input(conf, ctx, subsystem) - local data = { - type = subsystem, - request = build_http_request(conf, ctx), - var = build_var(conf, ctx), - extra = {} - } - - if conf.with_route then - data.route = build_http_route(conf, ctx, true) - end - - if conf.with_consumer then - data.consumer = build_http_consumer(conf, ctx) - end - - if conf.with_service then - data.service = build_http_service(conf, ctx) - end - - if conf.extra_inputs then - if conf.inputs then - if not is_new_inputs_conf(conf.inputs) then - local ok, err = check_set_inputs(conf.inputs) - if not ok then - return false - end - end - end - local input_op, err = core.lrucache.plugin_ctx(lrucache, ctx, nil, build_extra_inputs, conf.inputs) - if not input_op then - core.log.error("failed to create inputs: ", err) - return 503, "failed to create inputs" - end - local field_cnt = #input_op.set - for i = 1, field_cnt, 2 do - -- { ['uid'] = 'xxx'} - local val = core.utils.resolve_var(input_op.set[i+1], ctx.var) - data.extra[input_op.set[i]] = val - end - - end - - return { - input = data, - } -end - - -return _M diff --git a/charts/hub-gateway/plugins/opa-mod.lua b/charts/hub-gateway/plugins/opa-mod.lua deleted file mode 100644 index 4a6b1ec..0000000 --- a/charts/hub-gateway/plugins/opa-mod.lua +++ /dev/null 
@@ -1,169 +0,0 @@ --- --- Licensed to the Apache Software Foundation (ASF) under one or more --- contributor license agreements. See the NOTICE file distributed with --- this work for additional information regarding copyright ownership. --- The ASF licenses this file to You under the Apache License, Version 2.0 --- (the "License"); you may not use this file except in compliance with --- the License. You may obtain a copy of the License at --- --- http://www.apache.org/licenses/LICENSE-2.0 --- --- Unless required by applicable law or agreed to in writing, software --- distributed under the License is distributed on an "AS IS" BASIS, --- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. --- See the License for the specific language governing permissions and --- limitations under the License. --- - -local core = require("apisix.core") -local http = require("resty.http") -local helper = require("apisix.plugins.opa-mod.helper") -local type = type - - -local schema = { - type = "object", - properties = { - host = {type = "string"}, - ssl_verify = { - type = "boolean", - default = true, - }, - policy = {type = "string"}, - timeout = { - type = "integer", - minimum = 1, - maximum = 60000, - default = 3000, - description = "timeout in milliseconds", - }, - keepalive = {type = "boolean", default = true}, - keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, - keepalive_pool = {type = "integer", minimum = 1, default = 5}, - with_route = {type = "boolean", default = false}, - with_service = {type = "boolean", default = false}, - with_consumer = {type = "boolean", default = false}, - with_body = {type = "boolean", default = false}, - extra_inputs = {type = "boolean", default = false}, - inputs = { - description = "new inputs for opa", - anyOf = { - { - type = "object", - minProperties = 1, - patternProperties = { - ["^[^:]+$"] = { - oneOf = { - {type = "string"}, - {type = "number"}, - } - } - }, - }, - { - properties = { - set = { - 
type = "object", - minProperties = 1, - patternProperties = { - ["^[^:]+$"] = { - oneOf = { - {type = "string"}, - {type = "number"}, - } - } - }, - }, - }, - } - } - } - }, - required = {"host", "policy"} -} - - -local _M = { - version = 0.1, - priority = 1000, - name = "opa-mod", - schema = schema, -} - -function _M.check_schema(conf) - local ok, err = core.schema.check(schema, conf) - if not ok then - return false, err - end - return true -end - -function _M.access(conf, ctx) - local body = helper.build_opa_input(conf, ctx, "http") - - local params = { - method = "POST", - body = core.json.encode(body), - headers = { - ["Content-Type"] = "application/json", - }, - keepalive = conf.keepalive, - ssl_verify = conf.ssl_verify - } - - if conf.keepalive then - params.keepalive_timeout = conf.keepalive_timeout - params.keepalive_pool = conf.keepalive_pool - end - - local endpoint = conf.host .. "/v1/data/" .. conf.policy - - local httpc = http.new() - httpc:set_timeout(conf.timeout) - - local res, err = httpc:request_uri(endpoint, params) - - -- block by default when decision is unavailable - if not res then - return 403, err - end - - -- parse the results of the decision - local data, err = core.json.decode(res.body) - - if not data then - core.log.error("invalid response body: ", res.body, " err: ", err) - return 503 - end - - if not data.result then - core.log.error("invalid OPA decision format: ", res.body, - " err: `result` field does not exist") - return 503 - end - - local result = data.result - - if not result.allow then - if result.headers then - core.response.set_header(result.headers) - end - - local status_code = 403 - if result.status_code then - status_code = result.status_code - end - - local reason = nil - if result.reason then - reason = type(result.reason) == "table" - and core.json.encode(result.reason) - or result.reason - end - - return status_code, reason - end -end - - -return _M 
diff --git a/charts/hub-gateway/templates/apisixroute.yaml b/charts/hub-gateway/templates/apisixroute.yaml index 2da81a2..4593700 100644 --- a/charts/hub-gateway/templates/apisixroute.yaml +++ b/charts/hub-gateway/templates/apisixroute.yaml @@ -17,6 +17,7 @@ spec: backends: - serviceName: {{ .serviceName }} servicePort: {{ .servicePort }} + websocket: {{ .websocket | default false }} match: hosts: - {{ print .subdomain "." $domain | quote }} @@ -25,7 +26,11 @@ spec: methods: {{ .methods | toYaml | nindent 7 }} plugins: - {{- if .require_auth }} + {{- if .cors }} + - name: cors + enable: true + {{- end }} + {{- if .setUserHeader }} - name: kratos enable: true config: @@ -34,32 +39,13 @@ spec: expose_user_id: true session_cookie_name: {{ $sessionCookie }} {{- end }} - {{- if .require_org }} - - name: hub-orgs - enable: true - config: - host: {{ print "http://" $apisixPlugins.hubOrgs.serviceName "." $namespace ".svc:" $apisixPlugins.hubOrgs.servicePort "/v1" | quote }} - {{- end }} - {{- if .regex_uri }} + {{- if .regexUri }} - name: proxy-rewrite enable: true config: regex_uri: - {{ .regex_uri | toYaml | nindent 9 }} + {{ .regexUri | toYaml | nindent 9 }} {{- end }} - {{- if .policy }} - - name: opa-mod - enable: true - config: - host: {{ print "http://" $apisixPlugins.opa.serviceName "." $namespace ".svc:" $apisixPlugins.opa.servicePort | quote }} - policy: {{ .policy }} - extra_inputs: true - inputs: - user_data: $kratos_user_data - org_id: $org_id - project_id: $project_id - affiliations: $hub_affiliations - {{- end }} --- {{- end }} {{- end }} diff --git a/charts/hub-gateway/templates/opa-config.yaml b/charts/hub-gateway/templates/opa-config.yaml deleted file mode 100644 index 5a138e3..0000000 --- a/charts/hub-gateway/templates/opa-config.yaml +++ /dev/null 
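Review bot: The new `cors` plugin block is enabled with no `config`, which in APISIX means the plugin's defaults apply (`allow_origins: "*"` and credentials disabled, as far as I recall for this version — verify against the bundled APISIX). On a route that authenticates with a session cookie (`setUserHeader`), a wildcard origin is either useless, because the browser will not attach cookies to a non-credentialed cross-origin request, or a footgun if someone later flips credentials on and widens the origin list. Pin the allowed origin to the UI host and enable credentials explicitly, e.g. under `enable: true` add `config:`, `allow_origins: {{ print "https://hub." $domain | quote }}` and `allow_credential: true`, ideally with the origin taken from a values key rather than hard-coded.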
@@ -1,25 +0,0 @@ -{{- if .Values.apisixPlugins.opa.serviceName }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: opa-config - namespace: {{ $.Values.hubNamespace }} -data: - config.yaml: | - services: - s3: - url: "${AWS_BUCKET_URL}" - credentials: - s3_signing: - environment_credentials: {} - decision_logs: - console: true - bundles: - authz: - service: s3 - resource: bundle.tar.gz - persist: false - polling: - min_delay_seconds: 30 - max_delay_seconds: 120 -{{ end }} diff --git a/charts/hub-gateway/templates/opa-deploy.yaml b/charts/hub-gateway/templates/opa-deploy.yaml deleted file mode 100644 index ab30210..0000000 --- a/charts/hub-gateway/templates/opa-deploy.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- if .Values.apisixPlugins.opa.serviceName }} -{{- $namespace := .Values.hubNamespace -}} -{{- $apisixPlugins := .Values.apisixPlugins -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $apisixPlugins.opa.serviceName }} - namespace: {{ $namespace }} - labels: - {{- include "hub-gateway.labels" $ | nindent 4 }} - app: {{ $apisixPlugins.opa.serviceName }} - annotations: - reloader.stakater.com/auto: "true" -spec: - replicas: 1 - selector: - matchLabels: - app: {{ $apisixPlugins.opa.serviceName }} - template: - metadata: - labels: - app: {{ $apisixPlugins.opa.serviceName }} - name: {{ $apisixPlugins.opa.serviceName }} - spec: - containers: - - name: opa - image: {{ $apisixPlugins.opa.image }} - envFrom: - - secretRef: - name: opa-s3-creds - ports: - - name: http - containerPort: 8181 - args: - - "run" - - "--ignore=.*" - - "--server" - - "-c" - - "/etc/opa/config.yaml" - livenessProbe: - httpGet: - scheme: HTTP - port: {{ $apisixPlugins.opa.servicePort }} - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - httpGet: - path: /health?bundle=true # Include bundle activation in readiness - scheme: HTTP - port: {{ $apisixPlugins.opa.servicePort }} - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - name: config - mountPath: /etc/opa/config.yaml - subPath: config.yaml - volumes: - - name: config - configMap: - name: opa-config -{{- end }} diff --git a/charts/hub-gateway/templates/opa-s3-creds.yaml b/charts/hub-gateway/templates/opa-s3-creds.yaml deleted file mode 100644 index 15d798e..0000000 --- a/charts/hub-gateway/templates/opa-s3-creds.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{- if .Values.apisixPlugins.opa.s3.secretKey }} -{{- $s3 := .Values.apisixPlugins.opa.s3 -}} -{{- $namespace := .Values.hubNamespace -}} -apiVersion: v1 -kind: Secret -metadata: - name: opa-s3-creds - namespace: {{ $namespace }} - labels: - {{- include "hub-gateway.labels" $ | nindent 4 }} -type: Opaque -data: - AWS_REGION: {{ $s3.region| b64enc }} - AWS_BUCKET_URL: {{ $s3.bucketUrl | b64enc }} - AWS_ACCESS_KEY_ID: {{ $s3.accessKey | b64enc }} - AWS_SECRET_ACCESS_KEY: {{ $s3.secretKey | b64enc }} -{{- end }} diff --git a/charts/hub-gateway/templates/opa-svc.yaml b/charts/hub-gateway/templates/opa-svc.yaml deleted file mode 100644 index a5a5b8b..0000000 --- a/charts/hub-gateway/templates/opa-svc.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.apisixPlugins.opa.serviceName }} -{{- $namespace := .Values.hubNamespace -}} -{{- $apisixPlugins := .Values.apisixPlugins -}} -kind: Service -apiVersion: v1 -metadata: - name: {{ $apisixPlugins.opa.serviceName }} - namespace: {{ $namespace }} - labels: - {{- include "hub-gateway.labels" $ | nindent 4 }} - app: {{ $apisixPlugins.opa.serviceName }} -spec: - type: ClusterIP - selector: - app: {{ $apisixPlugins.opa.serviceName }} - ports: - - name: http - protocol: TCP - port: {{ $apisixPlugins.opa.servicePort }} - targetPort: {{ $apisixPlugins.opa.servicePort }} -{{- end }} diff --git a/charts/hub-gateway/values.yaml b/charts/hub-gateway/values.yaml index 57479c4..82951f8 100644 --- a/charts/hub-gateway/values.yaml +++ b/charts/hub-gateway/values.yaml 
@@ -5,31 +5,19 @@ sessionCookieName: "hub_session" routes: - name: api - serviceName: hub-orgs + serviceName: federated-router servicePort: 80 subdomain: api paths: - - /v1/organization - - /v1/organizations - - /v1/projects - - /v1/projects/* - - /v1/affiliations - - /v1/members - - /v1/credentials - - /v1/credentials/* - - /v1/webhook/events - - /v1/webhooks/* - - /v1/members - - /v1/members/* - - /v1/invites - - /v1/invites/* + - /graphql methods: - - GET - POST - - DELETE - require_auth: true - require_org: true - policy: "hub/api/orgs" + - OPTIONS + cors: true + setUserHeader: true + regexUri: + - "/graphql" + - "/" - name: hub-browser-api serviceName: hub-orgs @@ -40,24 +28,26 @@ routes: - /browser/organizations/* methods: - POST - require_auth: true + setUserHeader: true - name: ui-private subdomain: hub serviceName: hub servicePort: 80 - require_auth: true - require_org: true + setUserHeader: true methods: - GET paths: - - /organization/* + - /settings + - /members + - /projects - /projects/* - name: ui-public subdomain: hub serviceName: hub servicePort: 80 + websocket: true methods: - GET - POST @@ -68,7 +58,9 @@ routes: - /login - /recovery - /holaplex.svg + - /holaplex-small.svg - /_next/static/* + - /_next/webpack-hmr - /__nextjs_original-stack-frame - /api/.ory/* @@ -78,23 +70,6 @@ apisixPlugins: servicePort: 80 files: - plugins/kratos.lua - hubOrgs: - serviceName: hub-orgs - servicePort: 80 - files: - - plugins/hub-orgs.lua - opa: - image: openpolicyagent/opa:0.48.0-rootless - s3: - bucketUrl: "http://your-bucket-url.s3.us-east-1.amazonaws.com" - region: us-east-1 - accessKey: "" - secretKey: "" - serviceName: opa - servicePort: 8181 - files: - - plugins/opa-helper.lua - - plugins/opa-mod.lua apisix: enabled: true @@ -150,9 +125,8 @@ apisix: plugins: - kratos - - opa-mod - - hub-orgs - mocking + - cors - redirect - serverless-pre-function - serverless-post-function 
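Review bot: The `ui-public` route now exposes `/_next/webpack-hmr` and sets `websocket: true`, which serve the Next.js development server's hot-reload socket; a production `next build`/`next start` does not serve that path, so the rule is dead in production and only matters if the image is ever run with `next dev`, in which case it publishes the HMR endpoint on the public host. If this is needed for local clusters, gate it behind a values flag and say so, e.g. a `# dev-only: Next.js HMR websocket, remove for production` comment above the path; otherwise drop both. The `cors: true` on the `api` route is likewise a bare toggle with no origin list, so the origin restriction belongs wherever the template expands it.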
@@ -168,12 +142,6 @@ apisix: mounts: - key: "kratos.lua" path: "/opts/custom_plugins/apisix/plugins/kratos.lua" - - key: "hub-orgs.lua" - path: "/opts/custom_plugins/apisix/plugins/hub-orgs.lua" - - key: "opa-mod.lua" - path: "/opts/custom_plugins/apisix/plugins/opa-mod.lua" - - key: "opa-helper.lua" - path: "/opts/custom_plugins/apisix/plugins/opa-mod/helper.lua" logs: enableAccessLog: true