From 75bbdb2be9e1ec54e9fc3a85fe0bda6525431d81 Mon Sep 17 00:00:00 2001 From: Simon Hirtreiter Date: Fri, 5 Jul 2024 10:24:42 +0200 Subject: [PATCH] gateway init README.md --- refarch-gateway/README.md | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 refarch-gateway/README.md diff --git a/refarch-gateway/README.md b/refarch-gateway/README.md new file mode 100644 index 00000000..10680e7d --- /dev/null +++ b/refarch-gateway/README.md 
@@ -0,0 +1,41 @@ +# Refarch Gateway + +## Usage + +- Image: TODO +- Helm-Chart: TODO + +### Routing + +Routes are configured via environment variables as listed under [Configuration](#configuration). + +By default, routes require authentication through oAuth2 and manage the session between the client and gateway using +cookies. +The gateway then maps the session cookie to a JWT before routing it. + +Beside the default behaviour there are some special route prefixes which are handled different: + +- `/public/**`: All `OPTIONS` and `GET` requests are routed without security. +- `/clients/**`: Uses JWT for authenticating incoming requests instead of session cookies. + +## Profiles + +| Profile | Description | +|---------------|---------------------------------------------------------------------------------------------------| +| `no-security` | Disables complete security like authentication, authorization, csrf etc. Routing works as normal. | + +## Configuration + +| Var | Description | Example | +|----------------------------------------------------------|----------------------------------------------------|-------------------------------------------------------------------------| +| `SSO_ISSUER_URL` | Url of the oAuth2 server used for authentication. | `https://sso.muenchen.de/auth/realms/muenchen.de` | +| `SSO_CLIENT_ID` | OAuth2 client id used for authentication. | | +| `SSO_CLIENT_SECRET` | OAuth2 client secret used for authentication. | | +| `SPRING_CLOUD_GATEWAY_ROUTES__ID` | Id of a route definition. | `backend` | +| `SPRING_CLOUD_GATEWAY_ROUTES__URI` | The uri to route to if this route matches. | `http://backend-service:8080/` | +| `SPRING_CLOUD_GATEWAY_ROUTES__PREDICATES_` | Route predicates i.e. matcher. | `Path=/api/backend-service/**` | +| `SPRING_CLOUD_GATEWAY_ROUTES__FILTERS_` | List of filters applied to the route. 
| `RewritePath=/api/backend-service/(?.*), /$\{urlsegments}` | +| `ALLOWED_ORIGINS_PUBLIC` (optional) | List of urls allowed as origin for public routes. | `https://*.muenchen.de,http://localhost:*` | +| `ALLOWED_ORIGINS_CLIENTS` (optional) | List of urls allowed as origin for clients routes. | `https://*.muenchen.de,http://localhost:*` | +| `REFARCH_SECURITY_CSRFWHITELISTED_` (optional) | List of routes to disable csrf protection for. | `/example/**` | +| `INFO_APPSWITCHER_URL` (optional) | App switcher url for usage in refarch frontend. | `https://appswitcher.muenchen.de` |
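Review bot: In the Profiles table, the `no-security` row documents a switch that turns off authentication, authorization and CSRF protection together, but does not say where it may be used. Add a sentence naming the environments it is intended for and stating that it must not be active in a deployment reachable by users. In the Routing section, the `/public/**` bullet covers only `OPTIONS` and `GET`, so state what happens to other methods on that prefix (rejected, or subject to the default session authentication). In the Configuration table, the `RewritePath` example substitutes `${urlsegments}` while the pattern as shown, `(?.*)`, defines no group of that name, and the `SPRING_CLOUD_GATEWAY_ROUTES__*` names do not show where the route index goes. The `ALLOWED_ORIGINS_PUBLIC` and `ALLOWED_ORIGINS_CLIENTS` examples include `http://localhost:*` without marking it as a development-only value, and the `SSO_CLIENT_SECRET` row would benefit from a note that the value should be injected from a secret rather than set as a plain environment entry.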