Auth Layer Server using KeyCloak #42
Conversation
…or the auth-layer to secure the admin API port for thegraph index node. Signed-off-by: Alfredo Gutierrez <[email protected]>
AlfredoG87
added
the
New Feature
Signed-off-by: Alfredo Gutierrez <[email protected]>
| @@ -0,0 +1,12 @@ | |||
| apiVersion: v2 | |||
| name: auth-layer-server | |||
| appVersion: "19.1.0" | |||
There was a problem hiding this comment.
Q: is this right? I thought we usually match the appVersion with the version.
Maybe you're making a suggestion to not do this
There was a problem hiding this comment.
yeah, since we are more or less mirroring the bitnami chart with some modified defaults, It seems like we should just also mirror the keycloak chart value for version and appVersion here?
There was a problem hiding this comment.
yes, this is right and on purpose, since appVersion normally refers to the version of the app, in this case is version 19.1.0 of the Bitnami Chart, however I also see your point and either way it would work and be fine.
charts/auth-layer-server/README.md
Outdated
| - Login with email is enabled | ||
|
|
||
| ## Prerequisites | ||
| - Minikube or a Kubernetes cluster |
There was a problem hiding this comment.
nit: i like to provide links to the official sites for easy use by devs
charts/auth-layer-server/README.md
Outdated
| #### Groups and Roles | ||
|
|
||
| **a. Subgraph Admin:**, has access to all the subgraphs admin endpoints. (`subgraph_create`, `subgraph_remove`, `subgraph_deploy`,`subgraph_pause` and `subgraph_resume`) | ||
| **b. Subgraph Deployer:**, has access to: `subgraph_pause`, 'subgraph_resume' and 'subgraph_deploy' endpoints. |
There was a problem hiding this comment.
| **b. Subgraph Deployer:**, has access to: `subgraph_pause`, 'subgraph_resume' and 'subgraph_deploy' endpoints. | |
| **b. Subgraph Deployer:**, has access to: `subgraph_pause`, `subgraph_resume` and `subgraph_deploy` endpoints. |
| metadata: | ||
| name: keycloak-realm-config | ||
| data: | ||
| realm.json: | |
There was a problem hiding this comment.
Q: this is a very large json value.
Maybe not for this PR but could this be split into more than one file and mounted or does it have to be one?
Not sure how this is readable.
There was a problem hiding this comment.
Yes, indeed is a large json, this is the export file that KeyCloak produces when we Export a given Realm, for backup or sharing purposes.
Also not sure if we can split it, most likely not, that said, this file is not meant to be read or modify manually, is expected to be imported as is and then visualized on the GUI.
There was a problem hiding this comment.
Should probably have such a comment somewhere then.
| @@ -0,0 +1,12 @@ | |||
| apiVersion: v2 | |||
| name: auth-layer-server | |||
| appVersion: "19.1.0" | |||
There was a problem hiding this comment.
yeah, since we are more or less mirroring the bitnami chart with some modified defaults, It seems like we should just also mirror the keycloak chart value for version and appVersion here?
| - Realm preconfigured with the HTG (htg-auth-layer) client | ||
| - Groups and Roles preconfigured for the HTG client | ||
| - Custom claim mappers for the HTG client | ||
| - Token expiration time set to 10 hours (plenty of time for a one day work session) |
There was a problem hiding this comment.
nit: if there are links to docs explaining these settings we're overriding/modifying that would be useful here.
There was a problem hiding this comment.
yes there is an official documentation for keycloak that we can link here.
| metadata: | ||
| name: keycloak-realm-config | ||
| data: | ||
| realm.json: | |
There was a problem hiding this comment.
nit: this file would probably be easier to work with if the json lived in its own file, and was included via the $files.Get template function
There was a problem hiding this comment.
Thanks for the suggestion, however I am doing 1 replacement that could be potentially be used by a parent umbrella chart when deploying the server and the proxy altogether, so the same clientSecret can be shared and pre-set for the client "HederaTheGraph" that comes pre-configured on this realm export.
see line: 890
"secret": {{ include "auth.clientSecret" . | quote }},
Signed-off-by: Alfredo Gutierrez <[email protected]>
Signed-off-by: Alfredo Gutierrez <[email protected]>
|
|
||
| To install the Authentication Layer Server, run the following commands: | ||
|
|
||
| - Install the chart, using the custom values file provided in the `values.yaml` file |
There was a problem hiding this comment.
nit: you also need to run helm dependency build if this is the first time using the chart (and presumably again if dependencies change?).
charts/auth-layer-server/README.md
Outdated
|
|
||
| Define a custom password, use `auth.adminPassword` like this: | ||
| ```bash | ||
| helm install htg-auth-server . --set auth.adminPassword=yourpassword |
There was a problem hiding this comment.
This did not work for me - I installed via this command: helm install htg-auth-server . --set auth.adminPassword=secret.
I was able to successfully retrieve the admin password from the secret, so maybe it's just not setting the correct variable?
There was a problem hiding this comment.
Fixed, it was actually keycloak.auth.adminPassword=yourpassword
✅
charts/auth-layer-server/README.md
Outdated
| kubectl port-forward service/htg-auth-server-keycloak 8080:80 | ||
| ``` | ||
| #### Login to the Admin Console | ||
| Access console on the following URK: `http://localhost:8080/admin/master/console/#/HederaTheGraph` |
There was a problem hiding this comment.
nit: this might actually be better as a link. When following the readme I ended up just copying and pasting this URL.
|
|
||
|
|
||
| #### Verify a Token | ||
| To verify a token, you can call the introspection endpoint of the Authentication Layer Server. The introspection endpoint is available at the following URL: `http://localhost:8080/auth/realms/HederaTheGraph/protocol/openid-connect/token/introspect` |
There was a problem hiding this comment.
nit: this also would probably be better as a link
There was a problem hiding this comment.
This is not mean to be called by a browser, so the link does not makes too much sense.
Signed-off-by: Alfredo Gutierrez <[email protected]>
Description:
Added a subchart for deploying keycloak as an authentication server for the auth-layer to secure the admin API port for thegraph index node.
Used an existing helm chart maintened by Bitnami for deploying keycloak, and only added on top configurations specific to the needs of HederaTheGraph Auth server.
Related issue(s):
Fixes #
Notes for reviewer:
Checklist