Merge branch 'RESTAPI-988-add-issuer-kong-var' into 'master'

Add OIDC/OAuth2 issuer to Kong configuration See merge request firecrest/firecrest!259
eth-cscs · Dec 13, 2023 · ab91d92 · ab91d92
2 parents f6c465c + f9e3d15
commit ab91d92
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add description for each parameter in `GET /status/parameters` response.
 - Add support for Object Storage Tenants in S3v4 object storage. The associated environment variable is `F7T_S3_TENANT` and it can be empty or be `null` or `none` when the tenant is not needed. Otherwise the tenant name has to be set.
 - The task that is returned from a successful `GET /jobs/acct` would returns the attribute `time`, which is `cputime` from slurm. The attribute will remain and `cputime` and `elapsed` will be also returned. Similarly, `time_left` is actually the time of termination of the jobs. `time_left` will remain for compatibility reasons, but `elapsed` attribute will also be returned.
+- Added `F7T_AUTH_ISSUER` to specify the JWT token issuer to be checked by Kong GW
+  - Removed `F7T_AUTH_REALM` and `F7T_AUTH_URL` which are no longer needed
 
 ## Changed
 

diff --git a/deploy/demo/kong/kong.yml b/deploy/demo/kong/kong.yml
@@ -45,17 +45,14 @@ plugins:
     max_age: 3600
 
 consumers:
-- username: firecrest
-  custom_id: firecrest
+- jwt_secrets:
+  - key: http://localhost:8080/auth/realms/kcrealm
+    algorithm: "RS256"
+    rsa_public_key: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB\n-----END PUBLIC KEY-----"
+  username: firecrest
 - username: docs
   custom_id: docs
 
-jwt_secrets:
-- consumer: firecrest
-  key: http://localhost:8080/auth/realms/kcrealm
-  algorithm: "RS256"
-  rsa_public_key: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB\n-----END PUBLIC KEY-----"
-
 routes:
 - name: reject
   # rejects any undefined route with 'request-termination' plugin

diff --git a/deploy/k8s/kong/templates/cm.kong.yaml b/deploy/k8s/kong/templates/cm.kong.yaml
@@ -49,20 +49,16 @@ items:
 
       consumers:
       {{- range .Values.global.auth }}
-      - username: {{ .username }}
-        custom_id: {{ .username }}
+      - jwt_secrets:
+        - key: "{{ .F7T_AUTH_ISSUER }}"
+          algorithm: "{{ .F7T_AUTH_REALM_TYPE }}"
+          rsa_public_key: "-----BEGIN PUBLIC KEY-----\n{{ .F7T_AUTH_REALM_PUBKEY }}\n-----END PUBLIC KEY-----"
+        username: "{{ .username }}"
       {{- end }}
+      
       - username: docs
         custom_id: docs
 
-      {{- range .Values.global.auth }}
-      jwt_secrets:
-      - key: "{{ .F7T_AUTH_URL }}/auth/realms/{{ .F7T_AUTH_REALM }}"
-        algorithm: "{{ .F7T_AUTH_REALM_TYPE }}"
-        rsa_public_key: "-----BEGIN PUBLIC KEY-----\n{{ .F7T_AUTH_REALM_PUBKEY }}\n-----END PUBLIC KEY-----"
-        consumer: "{{ .username }}"
-      {{- end }}
-        
       routes:
       - name: reject
         # rejects any undefined route with 'request-termination' plugin

diff --git a/deploy/k8s/values-dev.yaml b/deploy/k8s/values-dev.yaml
@@ -93,7 +93,6 @@ global:
   F7T_RESERVATIONS_HOST: "https://svc-reservations"
   auth:
     - username: kc-demo
-      F7T_AUTH_URL: "http://svc-keycloak:8080"
-      F7T_AUTH_REALM: "kcrealm"
+      F7T_AUTH_ISSUER: "http://svc-keycloak:8080/auth/realms/kcrealm"
       F7T_AUTH_REALM_PUBKEY: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB'
       F7T_AUTH_REALM_TYPE: "RS256"