feat: api endpoint (#1982)

Co-authored-by: Jehoszafat Zimnowoda <[email protected]>

Author: merll

charts/otomi-api/templates/istio/authorizationpolicy.yaml

@@ -0,0 +1,16 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ include "otomi-api.fullname" . }}
+  labels:
+{{ include "otomi-api.labels" . | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "otomi-api.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            requestPrincipals: ["*"]

charts/otomi-api/templates/istio/requestauthentication.yaml

@@ -0,0 +1,15 @@
+apiVersion: security.istio.io/v1
+kind: RequestAuthentication
+metadata:
+  name: {{ include "otomi-api.fullname" . }}
+  labels:
+{{ include "otomi-api.labels" . | indent 4 }}
+spec:
+  jwtRules:
+    - issuer: {{ .Values.sso.issuer | quote }}
+      jwksUri: {{ .Values.sso.jwksUri | quote }}
+      forwardOriginalToken: true
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "otomi-api.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}

core.yaml

@@ -324,6 +324,17 @@ adminApps:
         namespace: otomi
         type: public
         auth: true
+  - name: api # Used by any client that do not support cookies
+    hide: true
+    isShared: true
+    ownHost: true
+    ingress:
+      - svc: otomi-api
+        namespace: otomi
+        type: public
+        # RequestAuthentication and AuthorizationPolicy ensure Authorization header validation
+        auth: false
+
   - name: prometheus
     tags: [metrics, observability]
     ownHost: true

src/cmd/validate-templates.ts

@@ -157,11 +157,6 @@ export const validateTemplates = async (): Promise<void> => {
     ',',
   )} ${skipPatterns} -schema-location ${schemaOutputPath}/${vk8sVersion}-standalone/{{.ResourceKind}}{{.KindSuffix}}.json -summary -output json ${verbose} ${k8sResourcesPath}`.nothrow()
 
-  if (kubeconformOutput.exitCode !== 0) {
-    d.info('Kubeconform output: %s', kubeconformOutput.toString())
-    throw new Error(`Template validation FAILED: ${kubeconformOutput.exitCode}`)
-  }
-
   const parsedOutput = JSON.parse(kubeconformOutput.stdout)
   const { valid, invalid, errors, skipped } = parsedOutput.summary
 
@@ -170,6 +165,15 @@ export const validateTemplates = async (): Promise<void> => {
   d.info(`${chalk.yellowBright('TOTAL WARN')}: %s`, `${invalid} files`)
   d.info(`${chalk.redBright('TOTAL ERR')}: %s`, `${errors} files`)
 
+  if (kubeconformOutput.exitCode !== 0) {
+    const failedResources = parsedOutput.resources.filter((res) => res.status === 'statusInvalid')
+    d.error('Kubeconform failed resources:')
+    for (const resource of failedResources) {
+      d.error(resource.msg)
+    }
+    throw new Error(`Template validation FAILED: ${kubeconformOutput.exitCode}`)
+  }
+
   d.log('Template validation SUCCESS')
 }
 

values/otomi-api/otomi-api.gotmpl

@@ -61,3 +61,7 @@ podSecurityContext:
 imagePullSecrets:
   - name: otomi-pullsecret-global
 {{- end }}
+
+sso:
+  issuer: {{ $v._derived.oidcBaseUrl }}
+  jwksUri: {{ $v._derived.oidcBaseUrl }}/protocol/openid-connect/certs