package
0.0.0-20240221233143-6c4e3efe1a8f
Repository: https://github.com/sap/cloud-robotics.git
Documentation: pkg.go.dev
# README
Remarks
This app is copied from kyma-runtime-extension-samples and includes an additional config option which allows to control if the auth token is forwarded to the upstream service and serveral fixes.
Overview
This sample provides a reverse proxy feature which dispatches requests to other microservices running in Kyma. It includes a middleware to handle authentication which is based on Open ID Connect and can be configured using XSUAA or SAP IAS. The authentication middleware creates a server side session which is referenced by a cookie provided to the client. It also includes a middleware to validate user scopes based on HTTP methods. By default the app will use a memory store for storing user sessions which is meant for development only. It also contains a Redis implemention for storing session which is the preferred usage. See store-implementations for other options.
This sample demonstrates how to:
- Create a development Namespace in the Kyma runtime.
- Consume the SCP service XSUAA
- Deploy the following Kubernetes resources:
- API deployment written in GO
- API Rule
- Service
- Configmap
- ServiceBinding
- ServiceBindingUsage
Prerequisites
- SAP BTP, Kyma runtime instance
- Docker
- Go
- kubectl configured to use the
KUBECONFIGfile downloaded from the Kyma runtime
Steps
Create XSUAA Service Instance
- Create a new
devNamespace:
kubectl create namespace dev
- Within the Kyma console open the namespace
dev - Choose
Service Management->Catalog. - Choose the service
Authorization & Trust Management - Choose
Add - Choose the Plan
application - Choose
Add parametersand provide the object after adjusting it to your needs.
{
"oauth2-configuration": {
"redirect-uris": [
"https://app-auth-proxy.<cluster domain>/oauth/callback",
"http://localhost:8000/oauth/callback"
]
},
"xsappname": "app-auth-proxy"
}
For a complete list of parameters visit Application Security Descriptor Configuration Syntax
- Once the instance is provisioned choose the option
Create Credentials - Under the
Credentialstab choose theSecretwhich should display the instance secret in a dialog. ChooseDecodeto view the values. These will be needed if running the sample locally.
Run the API locally
- Optionally set the environment variables required to connect with the XSUAA instance which can be found in the
Secretgenerated with the service instance:
export IDP_clientid='<instance clientid>'
export IDP_clientsecret=<instance clientsecret>
export IDP_url=<instance url>
export IDP_xsappname=<xsappname>
- Adjust the config.json which contains the following properties. The provided config.json is configured to use the examples
- React frontend MS SQL
- Requires the configmap API_URL to point to
https://app-auth-proxy.<cluster domain>
- Requires the configmap API_URL to point to
- Golang MS SQL database API
- React frontend MS SQL
| Property | Description | Remarks |
|---|---|---|
| routes | An array of routes to be proxied | |
| routes.path | The incoming path | |
| routes.priority | The priority of the path with 1 be the highest | |
| routes.protected | If the auth middleware is required on the path | |
| routes.remove_from_path | If assigned, this value will be removed from routes.path before the call is proxied | |
| routes.target | The target of the proxied route which can be a service url | |
| routes.forward_auth_token | If the auth token should be forwarded to upstream service | |
| routes.http_method_scopes | An array containing HTTP methods and thier associated user scopes | For no restrictions this can be obmitted or assigned: http-method: "*", "scope": "*" |
| routes.http_method_scopes.http_method | An HTTP methods for example GET | |
| routes.http_method_scopes.scope | A scope which is allowed the call the given http_method on the route path | Use $XSAPPNAME for the application name, for example using a Kyma scopes - $XSAPPNAME.runtimeDeveloper |
| idp_config | Optionally set IDP config if not using a service binding | |
| idp_config.url | The IDP url | If this value is not set, the environment variables will be used |
| idp_config.clientsecret | The IDP client secret | |
| idp_config.clientid | The IDP client ID | |
| idp_config.token_endpoint_auth_method | The htttp method used to during authentication | For XSUAA use client_secret_post, for SAPIAS us client_secret_basic |
| redirect_uri | The registered redirect_uri to be called | |
| debug | Toggle debug on or off | |
| redis_store | When configure app will you redis to store the sessions, otherwise a memory store is used which should only be used for evaluation. | |
| redis_store.addr | The service address of the Redis database | If this value is not set, memory storage will be used to store the session |
| redis_store.password | The password of the Redis database | |
| redis_store.db | The database index | |
| cookie.session_name | The name of the session cookie | |
| cookie.max_age_seconds | The max age of the session cookie | |
| cookie.key | The key used to encrypt the session cookie | |
| cookie.httponly | If the cookie can be accessed with Javascript or only http |
- Run the application:
go run ./cmd/proxy
- Accessible endpoints include
Build the Docker image
- Build and push the image to your Docker repository:
docker build -t {your-docker-account}/app-auth-proxy -f docker/Dockerfile .
docker push {your-docker-account}/app-auth-proxy
- To run the image locally adjust the config.json and either set the env variables individually, or copy them from your environment:
docker run -p 8000:8000 --env-file ./env.list --mount type=bind,source=$(pwd)/config/config.json,target=/config/config.json -d app-auth-proxy:latest
OR
docker run -p 8000:8000 --env-file <(env | grep IDP) --mount type=bind,source=$(pwd)/config/config.json,target=/config/config.json -d app-auth-proxy:latest
Deploy the APP
- Create a new
devNamespace:
kubectl create namespace dev
- Within
./k8s/configmap.yamladjust the values and then apply the ConfigMap:
kubectl -n dev apply -f ./k8s/configmap.yaml
- Get the name of the ServiceInstance:
kubectl -n dev get serviceinstances
For example:
| NAME | CLASS | PLAN | STATUS | AGE |
|---|---|---|---|---|
| xsuaa-showy-yard | ClusterServiceClass/xsuaa | application | Ready | 63m |
- Within
./k8s/deployment.yamladjust the value of<Service Instance Name>to the XSUAA service instance name and the apply the Deployment:
kubectl -n dev apply -f ./k8s/deployment.yaml
- Apply the APIRule:
kubectl -n dev apply -f ./k8s/apirule.yaml
- Verify that the Deployment is up and running:
kubectl -n dev get deployment app-auth-proxy
- Use the APIRule:
https://app-auth-proxy.{cluster-domain}