Added an umbrella chart for installing both the auth-proxy and the …

…`auth-server` with the same chart, instructions on how to configure it and GHA WF to test it, modified the previous Chart test name to be more descriptive, since now we have 2 umbrella charts on the repo.

Signed-off-by: Alfredo Gutierrez <[email protected]>

.github/workflows/auth-layer-charts.yml

@@ -0,0 +1,46 @@
+name: Hedera-TheGraph Auth-Layer Charts
+
+on:
+  pull_request:
+    branches: [ main, release/**]
+  push:
+    branches: [ main, release/*]
+    tags: [ v* ]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install ct
+        uses: helm/[email protected]
+
+      - name: Run lint
+        run: ct lint --config .github/ct.yaml --all
+
+  install:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install k3d
+        run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
+
+      - name: Create k3d cluster
+        run: k3d cluster  create hedera-graph-auth-layer --agents 1 --timeout 5m --registry-create registry:0.0.0.0:5001 --image rancher/k3s:v1.25.9-k3s1
+        timeout-minutes: 3
+
+      - name: Set up Docker Qemu
+        uses: docker/setup-qemu-action@v2
+
+      - name: Install ct
+        uses: helm/[email protected]
+
+      - name: Install chart
+        run: ct install --helm-extra-args="--timeout 10m --set global.auth.clientSecret=abc123" --charts charts/hedera-the-graph-auth-layer --config .github/ct.yaml
+

.github/workflows/charts.yml → .github/workflows/hedera-the-graph-charts.yml

@@ -1,4 +1,4 @@
-name: Charts
+name: Hedera-TheGraph Charts
 
 on:
   pull_request:

.gitignore

@@ -138,6 +138,8 @@ charts/*.tar.gz
 charts/hedera-the-graph/Chart.lock
 charts/hedera-the-graph-node/Chart.lock
 charts/auth-layer-server/Chart.lock
+charts/auth-layer-proxy/Chart.lock
+charts/*/*.lock
 
 # DS_Store
 .DS_Store

charts/hedera-the-graph-auth-layer/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/hedera-the-graph-auth-layer/Chart.yaml

@@ -0,0 +1,38 @@
+apiVersion: v2
+name: hedera-the-graph
+appVersion: "0.1.0"
+description: Umbrella Helm chart deployment of the hedera-the-graph auth layer, includes auth-layer-server and auth-layer-proxy
+home: https://github.com/hashgraph/hedera-the-graph
+icon: https://camo.githubusercontent.com/cca6b767847bb8ca5c7059481ba13a5fc81c5938/68747470733a2f2f7777772e6865646572612e636f6d2f6c6f676f2d6361706974616c2d686261722d776f72646d61726b2e6a7067
+keywords:
+  - blockchain
+  - dlt
+  - hedera
+  - hashgraph
+  - smart
+  - contracts
+  - evm
+  - relay
+  - subgraph
+  - graphql
+  - thegraph
+  - graph-node
+maintainers:
+  - name: Hedera Smart Contracts Team
+    email: [email protected]
+sources:
+  - https://github.com/hashgraph/hedera-the-graph
+type: application
+version: 0.0.1
+dependencies:
+  - alias: auth-server
+    name: auth-layer-server
+    condition: auth-server.enabled
+    repository: file://../auth-layer-server
+    version: 0.1.0
+
+  - alias: auth-proxy
+    name: auth-layer-proxy
+    condition: auth-proxy.enabled
+    repository: file://../auth-layer-proxy
+    version: 0.1.0

charts/hedera-the-graph-auth-layer/README.md

@@ -0,0 +1,63 @@
+# Hedera TheGraph Auth Layer
+This chart deploys the Hedera TheGraph Auth Layer. It is comprised of two components: `auth-layer-proxy` and `auth-layer-server`. 
+Together they provide a way to authenticate users and protect the Hedera TheGraph Admin API.
+
+For a high level overview of the Hedera TheGraph Auth Layer, please refer to the [Hedera TheGraph Auth Layer documentation](https://github.com/hashgraph/hedera-the-graph/blob/main/docs/design/auth-layer.md)
+For more information on the individual components, please refer to the [auth-layer-proxy](https://github.com/hashgraph/hedera-the-graph/blob/main/auth-layer-proxy/README.md) and [auth-layer-server](https://github.com/hashgraph/hedera-the-graph/blob/main/charts/auth-layer-server/README.md) documentation.
+
+## Prerequisites
+- Minikube or a Kubernetes cluster [(Install Minikube)](https://minikube.sigs.k8s.io/docs/start/)
+- Kubectl [Install Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+- Helm  [Install Helm](https://helm.sh/docs/intro/install/)
+- A Hedera TheGraph Index Node Instance [Deploy Hedera-The-Graph nodes](https://github.com/hashgraph/hedera-the-graph/blob/main/charts/hedera-the-graph/README.md)
+
+## Installing the Chart
+
+Is recommended to use the `values.yaml` file to set the values you want to override. The following table lists the configurable parameters that most likely will need to be overridden.
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `auth-proxy.configEnv.SERVICE_TYPE` | The Type address of the downstream service, set as `DNS_LOGICAL` for a FQDN name, or `STATIC` for an IP address |
+| `auth-proxy.configEnv.SERVICE_ADDRESS` | The downstream IP or DNS address of your Hedera-The-Graph `index-node` |
+| `auth-proxy.configEnv.TOKEN_INTROSPECTION_URL` | The instrospect endpoint using the public DNS name of your Auth server, this is needed for verifying the token validity and claims |
+
+To install the chart with the release name `my-release` and a random 32 length client secret, run the following command:
+
+```bash
+sh scripts/install.sh my-release
+```
+
+The above script will generate a random 32 length client secret and install the chart with the generated secret that will be shared between the `auth-layer-proxy` and `auth-layer-server` subcharts using the `global.auth.clientSecret` value.
+
+Is also possible to use the script `scripts/install.sh` to install the chart with a values file and other overrides as needed, similar to the `helm install` command.
+
+```bash
+sh scripts/install.sh my-release -f values.yaml --set auth-server.keycloak.auth.adminPassword="<admin-password>"
+```
+
+Alternatively, you can specify the client secret by passing the `--set global.auth.clientSecret=<client-secret>` argument to the `helm install` command.
+```bash
+helm install my-release . --set global.auth.clientSecret="<client-secret>"
+```
+or using a override values file
+
+```bash
+helm install my-release . -f values.yaml
+```
+
+# Post Installation Configuration
+
+Due to how the Keycloak server works is necessary that the `auth-layer-proxy` configuration is updated with the public DNS instrospect endpoint of the Keycloak server, this is done by exposing your `<release-name>-keycloak` service to a public DNS and updating the `auth-layer-proxy` configuration with the public DNS.
+
+Assuming your keycloak service is exposed on the public DNS `https://keycloak.example.com`, you can update the `auth-layer-proxy` configuration with the following command:
+
+```bash
+helm upgrade <releaseName> . --set auth-proxy.configEnv.TOKEN_INTROSPECTION_URL="https://keycloak.example.com/realms/HederaTheGraph/protocol/openid-connect/token/introspect"
+```
+
+## Uninstalling the Chart
+To uninstall the `my-release` deployment:
+
+```bash
+helm uninstall my-release
+```

charts/hedera-the-graph-auth-layer/scripts/install.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Verify params
+if [ -z "$1" ]; then
+  echo "Missing required parameter: <release-name>"
+  exit 1
+fi
+
+# Set release name
+RELEASE_NAME=$1
+
+# Define the character set for CLIENT_SECRET
+CHARS="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+# Desired length of the random string
+LENGTH=32
+
+# Initialize CLIENT_SECRET variable
+CLIENT_SECRET=""
+
+for i in $(seq 1 $LENGTH); do
+  CLIENT_SECRET="$CLIENT_SECRET${CHARS:RANDOM%${#CHARS}:1}"
+done
+
+# Prepare the base Helm command
+HELM_COMMAND="helm install $RELEASE_NAME . --set global.auth.clientSecret=\"$CLIENT_SECRET\""
+
+# Process remaining arguments
+shift # Skip the first argument since it's the release name
+
+while (( "$#" )); do
+  case "$1" in
+    -f)
+      if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+        # Add the file argument with quotes around the file name
+        HELM_COMMAND+=" -f \"$2\""
+        shift 2
+      else
+        echo "Error: Argument for $1 is missing" >&2
+        exit 1
+      fi
+      ;;
+    --set)
+      if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+        # Split the --set argument into key and value, assuming they're in the form key=value
+        IFS='=' read -ra KV <<< "$2"
+        # Add the --set argument with quotes around the value part
+        HELM_COMMAND+=" --set ${KV[0]}=\"${KV[1]}\""
+        shift 2
+      else
+        echo "Error: Argument for $1 is missing" >&2
+        exit 1
+      fi
+      ;;
+    *)
+      echo "Error: Unsupported flag $1" >&2
+      exit 1
+      ;;
+  esac
+done
+
+# Execute the Helm command
+echo "Executing: $HELM_COMMAND"
+eval $HELM_COMMAND

charts/hedera-the-graph-auth-layer/values.yaml

@@ -0,0 +1,17 @@
+auth-proxy:
+  enabled: true
+  configEnv:    
+    SERVICE_ADDRESS: "host.docker.internal"    
+    SERVICE_TYPE: "LOGICAL_DNS"
+    TOKEN_INTROSPECTION_URL: "http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect"
+
+auth-server:
+  enabled: true
+  keycloak:    
+    auth:
+      adminUser: admin
+      adminPassword: ""
+
+global:
+  auth:
+    clientSecret: ""