From cdc00553daf10ec52da8cf32594a61a97b320836 Mon Sep 17 00:00:00 2001
From: Alfredo Gutierrez
Date: Thu, 4 Apr 2024 16:09:02 -0600
Subject: [PATCH] Added an umbrella chart for installing both the `auth-proxy` and the `auth-server` with the same chart, instructions on how to configure it and GHA WF to test it, modified the previous Chart test name to be more descriptive, since now we have 2 umbrella charts on the repo.
Signed-off-by: Alfredo Gutierrez
---
.github/workflows/auth-layer-charts.yml | 46 +++++++++++++
...charts.yml => hedera-the-graph-charts.yml} | 2 +-
.gitignore | 2 +
.../hedera-the-graph-auth-layer/.helmignore | 23 +++++++
charts/hedera-the-graph-auth-layer/Chart.yaml | 38 +++++++++++
charts/hedera-the-graph-auth-layer/README.md | 63 ++++++++++++++++++
.../scripts/install.sh | 64 +++++++++++++++++++
.../hedera-the-graph-auth-layer/values.yaml | 17 +++++
8 files changed, 254 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/auth-layer-charts.yml
rename .github/workflows/{charts.yml => hedera-the-graph-charts.yml} (97%)
create mode 100644 charts/hedera-the-graph-auth-layer/.helmignore
create mode 100644 charts/hedera-the-graph-auth-layer/Chart.yaml
create mode 100644 charts/hedera-the-graph-auth-layer/README.md
create mode 100644 charts/hedera-the-graph-auth-layer/scripts/install.sh
create mode 100644 charts/hedera-the-graph-auth-layer/values.yaml
diff --git a/.github/workflows/auth-layer-charts.yml b/.github/workflows/auth-layer-charts.yml
new file mode 100644
index 0000000..ee28e38
--- /dev/null
+++ b/.github/workflows/auth-layer-charts.yml
@@ -0,0 +1,46 @@
+name: Hedera-TheGraph Auth-Layer Charts
+
+on:
+ pull_request:
+ branches: [ main, release/**]
+ push:
+ branches: [ main, release/*]
+ tags: [ v* ]
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Install ct
+ uses: helm/chart-testing-action@v2.6.1
+
+ - name: Run lint
+ run: ct lint --config .github/ct.yaml --all
+
+ install:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install k3d
+ run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
+
+ - name: Create k3d cluster
+ run: k3d cluster create hedera-graph-auth-layer --agents 1 --timeout 5m --registry-create registry:0.0.0.0:5001 --image rancher/k3s:v1.25.9-k3s1
+ timeout-minutes: 3
+
+ - name: Set up Docker Qemu
+ uses: docker/setup-qemu-action@v2
+
+ - name: Install ct
+ uses: helm/chart-testing-action@v2.6.1
+
+ - name: Install chart
+ run: ct install --helm-extra-args="--timeout 10m --set global.auth.clientSecret=abc123" --charts charts/hedera-the-graph-auth-layer --config .github/ct.yaml
+
diff --git a/.github/workflows/charts.yml b/.github/workflows/hedera-the-graph-charts.yml
similarity index 97%
rename from .github/workflows/charts.yml
rename to .github/workflows/hedera-the-graph-charts.yml
index 1ab8131..3f17a5f 100644
--- a/.github/workflows/charts.yml
+++ b/.github/workflows/hedera-the-graph-charts.yml
@@ -1,4 +1,4 @@
-name: Charts
+name: Hedera-TheGraph Charts
 
 on:
 pull_request:
diff --git a/.gitignore b/.gitignore
index 84f9dfa..71e1c73 100644
--- a/.gitignore
+++ b/.gitignore
@@ -138,6 +138,8 @@ charts/*.tar.gz
 charts/hedera-the-graph/Chart.lock
 charts/hedera-the-graph-node/Chart.lock
 charts/auth-layer-server/Chart.lock
+charts/auth-layer-proxy/Chart.lock
+charts/*/*.lock
 
 # DS_Store
 .DS_Store
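Review bot: The `Install k3d` step pipes an unpinned script from the k3d repository's `main` branch straight into `bash`, so what the job executes can change underneath the workflow without any review; pin a release tag (or verify a checksum of the downloaded script) before running it. The same hunk takes `actions/checkout`, `helm/chart-testing-action` and `docker/setup-qemu-action` by mutable tag; pinning each to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, removes the remaining moving parts. The `pull_request` trigger matches `release/**` while `push` matches `release/*`; presumably one spelling was intended for both. The `clientSecret=abc123` passed to `ct install` only reaches a throwaway k3d cluster, so it is fine as a fixture, but a comment saying so, e.g. `# fixture value for the ephemeral k3d cluster only`, would stop it being copied into a real values file.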
diff --git a/charts/hedera-the-graph-auth-layer/.helmignore b/charts/hedera-the-graph-auth-layer/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/hedera-the-graph-auth-layer/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/hedera-the-graph-auth-layer/Chart.yaml b/charts/hedera-the-graph-auth-layer/Chart.yaml
new file mode 100644
index 0000000..c988471
--- /dev/null
+++ b/charts/hedera-the-graph-auth-layer/Chart.yaml
@@ -0,0 +1,38 @@
+apiVersion: v2
+name: hedera-the-graph
+appVersion: "0.1.0"
+description: Umbrella Helm chart deployment of the hedera-the-graph auth layer, includes auth-layer-server and auth-layer-proxy
+home: https://github.com/hashgraph/hedera-the-graph
+icon: https://camo.githubusercontent.com/cca6b767847bb8ca5c7059481ba13a5fc81c5938/68747470733a2f2f7777772e6865646572612e636f6d2f6c6f676f2d6361706974616c2d686261722d776f72646d61726b2e6a7067
+keywords:
+ - blockchain
+ - dlt
+ - hedera
+ - hashgraph
+ - smart
+ - contracts
+ - evm
+ - relay
+ - subgraph
+ - graphql
+ - thegraph
+ - graph-node
+maintainers:
+ - name: Hedera Smart Contracts Team
+ email: engsmartcontracts@hedera.com
+sources:
+ - https://github.com/hashgraph/hedera-the-graph
+type: application
+version: 0.0.1
+dependencies:
+ - alias: auth-server
+ name: auth-layer-server
+ condition: auth-server.enabled
+ repository: file://../auth-layer-server
+ version: 0.1.0
+
+ - alias: auth-proxy
+ name: auth-layer-proxy
+ condition: auth-proxy.enabled
+ repository: file://../auth-layer-proxy
+ version: 0.1.0
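Review bot: `name: hedera-the-graph` in the new Chart.yaml collides with the existing `charts/hedera-the-graph` umbrella chart (its `Chart.lock` is listed in the `.gitignore` hunk of this same commit), so both charts would package as `hedera-the-graph-<version>.tgz` and could not coexist in one chart repository index; `name: hedera-the-graph-auth-layer` matches the directory and the workflow name. The `keywords` list (`relay`, `evm`, `smart`, `contracts`) looks carried over from the other umbrella chart and may not describe an auth layer. The `file://../auth-layer-*` dependencies require `helm dependency build` before a plain `helm install .` will succeed; the README added in this commit does not mention that step and the install script does not run it, so a comment on `dependencies:` naming the prerequisite would save the first user an error.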
diff --git a/charts/hedera-the-graph-auth-layer/README.md b/charts/hedera-the-graph-auth-layer/README.md
new file mode 100644
index 0000000..82b39e0
--- /dev/null
+++ b/charts/hedera-the-graph-auth-layer/README.md
@@ -0,0 +1,63 @@
+# Hedera TheGraph Auth Layer
+This chart deploys the Hedera TheGraph Auth Layer. It is comprised of two components: `auth-layer-proxy` and `auth-layer-server`.
+Together they provide a way to authenticate users and protect the Hedera TheGraph Admin API.
+
+For a high level overview of the Hedera TheGraph Auth Layer, please refer to the [Hedera TheGraph Auth Layer documentation](https://github.com/hashgraph/hedera-the-graph/blob/main/docs/design/auth-layer.md)
+For more information on the individual components, please refer to the [auth-layer-proxy](https://github.com/hashgraph/hedera-the-graph/blob/main/auth-layer-proxy/README.md) and [auth-layer-server](https://github.com/hashgraph/hedera-the-graph/blob/main/charts/auth-layer-server/README.md) documentation.
+
+## Prerequisites
+- Minikube or a Kubernetes cluster [(Install Minikube)](https://minikube.sigs.k8s.io/docs/start/)
+- Kubectl [Install Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+- Helm [Install Helm](https://helm.sh/docs/intro/install/)
+- A Hedera TheGraph Index Node Instance [Deploy Hedera-The-Graph nodes](https://github.com/hashgraph/hedera-the-graph/blob/main/charts/hedera-the-graph/README.md)
+
+## Installing the Chart
+
+Is recommended to use the `values.yaml` file to set the values you want to override. The following table lists the configurable parameters that most likely will need to be overridden.
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `auth-proxy.configEnv.SERVICE_TYPE` | The Type address of the downstream service, set as `DNS_LOGICAL` for a FQDN name, or `STATIC` for an IP address |
+| `auth-proxy.configEnv.SERVICE_ADDRESS` | The downstream IP or DNS address of your Hedera-The-Graph `index-node` |
+| `auth-proxy.configEnv.TOKEN_INTROSPECTION_URL` | The instrospect endpoint using the public DNS name of your Auth server, this is needed for verifying the token validity and claims |
+
+To install the chart with the release name `my-release` and a random 32 length client secret, run the following command:
+
+```bash
+sh scripts/install.sh my-release
+```
+
+The above script will generate a random 32 length client secret and install the chart with the generated secret that will be shared between the `auth-layer-proxy` and `auth-layer-server` subcharts using the `global.auth.clientSecret` value.
+
+Is also possible to use the script `scripts/install.sh` to install the chart with a values file and other overrides as needed, similar to the `helm install` command.
+
+```bash
+sh scripts/install.sh my-release -f values.yaml --set auth-server.keycloak.auth.adminPassword=""
+```
+
+Alternatively, you can specify the client secret by passing the `--set global.auth.clientSecret=` argument to the `helm install` command.
+```bash
+helm install my-release . --set global.auth.clientSecret=""
+```
+or using a override values file
+
+```bash
+helm install my-release . -f values.yaml
+```
+
+# Post Installation Configuration
+
+Due to how the Keycloak server works is necessary that the `auth-layer-proxy` configuration is updated with the public DNS instrospect endpoint of the Keycloak server, this is done by exposing your `-keycloak` service to a public DNS and updating the `auth-layer-proxy` configuration with the public DNS.
+
+Assuming your keycloak service is exposed on the public DNS `https://keycloak.example.com`, you can update the `auth-layer-proxy` configuration with the following command:
+
+```bash
+helm upgrade . --set auth-proxy.configEnv.TOKEN_INTROSPECTION_URL="https://keycloak.example.com/realms/HederaTheGraph/protocol/openid-connect/token/introspect"
+```
+
+## Uninstalling the Chart
+To uninstall the `my-release` deployment:
+
+```bash
+helm uninstall my-release
+```
diff --git a/charts/hedera-the-graph-auth-layer/scripts/install.sh b/charts/hedera-the-graph-auth-layer/scripts/install.sh
new file mode 100644
index 0000000..b5dac9c
--- /dev/null
+++ b/charts/hedera-the-graph-auth-layer/scripts/install.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Verify params
+if [ -z "$1" ]; then
+ echo "Missing required parameter: "
+ exit 1
+fi
+
+# Set release name
+RELEASE_NAME=$1
+
+# Define the character set for CLIENT_SECRET
+CHARS="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+# Desired length of the random string
+LENGTH=32
+
+# Initialize CLIENT_SECRET variable
+CLIENT_SECRET=""
+
+for i in $(seq 1 $LENGTH); do
+ CLIENT_SECRET="$CLIENT_SECRET${CHARS:RANDOM%${#CHARS}:1}"
+done
+
+# Prepare the base Helm command
+HELM_COMMAND="helm install $RELEASE_NAME . --set global.auth.clientSecret=\"$CLIENT_SECRET\""
+
+# Process remaining arguments
+shift # Skip the first argument since it's the release name
+
+while (( "$#" )); do
+ case "$1" in
+ -f)
+ if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+ # Add the file argument with quotes around the file name
+ HELM_COMMAND+=" -f \"$2\""
+ shift 2
+ else
+ echo "Error: Argument for $1 is missing" >&2
+ exit 1
+ fi
+ ;;
+ --set)
+ if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+ # Split the --set argument into key and value, assuming they're in the form key=value
+ IFS='=' read -ra KV <<< "$2"
+ # Add the --set argument with quotes around the value part
+ HELM_COMMAND+=" --set ${KV[0]}=\"${KV[1]}\""
+ shift 2
+ else
+ echo "Error: Argument for $1 is missing" >&2
+ exit 1
+ fi
+ ;;
+ *)
+ echo "Error: Unsupported flag $1" >&2
+ exit 1
+ ;;
+ esac
+done
+
+# Execute the Helm command
+echo "Executing: $HELM_COMMAND"
+eval $HELM_COMMAND
diff --git a/charts/hedera-the-graph-auth-layer/values.yaml b/charts/hedera-the-graph-auth-layer/values.yaml
new file mode 100644
index 0000000..60d2fce
--- /dev/null
+++ b/charts/hedera-the-graph-auth-layer/values.yaml
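Review bot: The client secret is assembled from bash's `$RANDOM`, a 15-bit non-cryptographic generator, so the 32-character value carries far less entropy than its length suggests; draw it from `/dev/urandom` (or `openssl rand`) instead. The script then prints the whole command line, secret included, with `echo "Executing: $HELM_COMMAND"` and runs it through `eval`, which lands the secret in the terminal scrollback or CI log and re-parses every user-supplied value as shell syntax. The `--set` branch also splits on every `=` via `IFS='=' read -ra KV` and keeps only `${KV[1]}`, so a value that itself contains `=` (base64 padding, a URL query string) is silently truncated, and `[ ${2:0:1} != "-" ]` is unquoted. Passing the arguments to `helm` as an array removes all of these at once; the rewritten section below replaces the `CHARS` loop and the `HELM_COMMAND` string, leaving the unsupported-flag branch as it is.
```shell
# Draw the secret from the kernel CSPRNG rather than bash's $RANDOM
CLIENT_SECRET="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$LENGTH")"

# Collect arguments in an array so every value reaches helm verbatim (no eval, no re-quoting)
HELM_ARGS=(install "$RELEASE_NAME" . --set "global.auth.clientSecret=$CLIENT_SECRET")

shift # Skip the first argument since it's the release name

while (( "$#" )); do
  case "$1" in
    -f|--set)
      if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then
        HELM_ARGS+=("$1" "$2")
        shift 2
      else
        echo "Error: Argument for $1 is missing" >&2
        exit 1
      fi
      ;;
    # … unchanged: unsupported-flag branch …
  esac
done

# The command line is not echoed: it carries the client secret
helm "${HELM_ARGS[@]}"
```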
@@ -0,0 +1,17 @@
+auth-proxy:
+ enabled: true
+ configEnv:
+ SERVICE_ADDRESS: "host.docker.internal"
+ SERVICE_TYPE: "LOGICAL_DNS"
+ TOKEN_INTROSPECTION_URL: "http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect"
+
+auth-server:
+ enabled: true
+ keycloak:
+ auth:
+ adminUser: admin
+ adminPassword: ""
+
+global:
+ auth:
+ clientSecret: ""
\ No newline at end of file
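Review bot: `global.auth.clientSecret: ""` and `auth-server.keycloak.auth.adminPassword: ""` default to empty strings, so the README's `helm install my-release . -f values.yaml` path ships an empty shared secret and an empty Keycloak admin password unless the subcharts reject empties, which this page does not show. A comment on each key stating that it must be overridden, e.g. `clientSecret: ""  # required: shared by auth-proxy and auth-server; set with --set or scripts/install.sh`, or a `required` check in the umbrella templates, would make the omission fail at install time rather than at first login. `SERVICE_TYPE: "LOGICAL_DNS"` here is documented as `DNS_LOGICAL` in the README table added by the same commit; the two spellings should agree. The file also ends without a trailing newline.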