From 3366fcd9eece92a094f48643b09c1856f2f5de75 Mon Sep 17 00:00:00 2001 From: Felix Delattre Date: Mon, 13 Jan 2025 18:44:56 +0100 Subject: [PATCH] Added authentication for webapp. --- deploy/helm/webapp/.gitignore | 1 + deploy/helm/webapp/Chart.lock | 9 ++++-- deploy/helm/webapp/Chart.yaml | 4 +++ deploy/helm/webapp/README.md | 10 +++++++ .../{values.yaml => values-template.yaml} | 26 ++++++++++++++++-- deploy/tf/secrets/ovh-creds.sh | Bin 579 -> 768 bytes webapp/README.md | 6 ++-- 7 files changed, 47 insertions(+), 9 deletions(-) create mode 100644 deploy/helm/webapp/.gitignore create mode 100644 deploy/helm/webapp/README.md rename deploy/helm/webapp/{values.yaml => values-template.yaml} (73%)
diff --git a/deploy/helm/webapp/.gitignore b/deploy/helm/webapp/.gitignore
new file mode 100644
index 0000000..7f47975
--- /dev/null
+++ b/deploy/helm/webapp/.gitignore
@@ -0,0 +1 @@
+values.yaml
diff --git a/deploy/helm/webapp/Chart.lock b/deploy/helm/webapp/Chart.lock
index 310ae4c..8dfd4ee 100644
--- a/deploy/helm/webapp/Chart.lock
+++ b/deploy/helm/webapp/Chart.lock
@@ -1,9 +1,12 @@
dependencies:
- name: ingress-nginx
repository: https://kubernetes.github.io/ingress-nginx
- version: 4.11.3
+ version: 4.11.4
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.16.2
-digest: sha256:73be99187863fdb965368bf071bb54fca0250b51ca1a6bd28fb8544479055719
-generated: "2024-12-09T16:50:07.714014385+01:00"
+- name: oauth2-proxy
+ repository: https://oauth2-proxy.github.io/manifests
+ version: 7.9.2
+digest: sha256:b97c01cb64c980e3c0b829b2750f96441cf806b0bbd46c5b53cc270197e93065
+generated: "2025-01-14T20:41:30.130792606+01:00"
diff --git a/deploy/helm/webapp/Chart.yaml b/deploy/helm/webapp/Chart.yaml
index 9bed3fb..61fcb62 100644
--- a/deploy/helm/webapp/Chart.yaml
+++ b/deploy/helm/webapp/Chart.yaml
@@ -32,3 +32,7 @@ dependencies:
version: ~v1.16.2
repository: "https://charts.jetstack.io"
condition: certManager.enabled
+ - name: oauth2-proxy
+ version: ~7.9.2
+ repository: "https://oauth2-proxy.github.io/manifests"
+ condition: oauth2Proxy.enabled
diff --git a/deploy/helm/webapp/README.md b/deploy/helm/webapp/README.md
new file mode 100644
index 0000000..dd8453e
--- /dev/null
+++ b/deploy/helm/webapp/README.md
@@ -0,0 +1,10 @@
+# Helm chart for GFTS webapp
+
+This helm chart handles the deployment of the GFTS webapp, it's ingress tied to a static IP and an oauth proxy in front of it.
+
+Please make sure you have ssh-vault configured properly and you run the following commands in the helm chart directory before deploying the chart:
+
+```bash
+source ../../deploy/tf/secrets/ovh-creds.sh
+envsubst < values-template.yaml > values.yaml
+```
diff --git a/deploy/helm/webapp/values.yaml b/deploy/helm/webapp/values-template.yaml
similarity index 73%
rename from deploy/helm/webapp/values.yaml
rename to deploy/helm/webapp/values-template.yaml
index 915a030..23c8264 100644
--- a/deploy/helm/webapp/values.yaml
+++ b/deploy/helm/webapp/values-template.yaml
@@ -20,11 +20,31 @@ service:
port: 80
targetPort: 9000
+oauth2Proxy:
+ enabled: true
+
+oauth2-proxy:
+ namespaceOverride: webapp
+ ingress:
+ enabled: true
+ className: webapp-nginx
+ pathType: Prefix
+ path: /oauth2
+ hosts:
+ - gfts.developmentseed.org
+ config:
+ clientID: "gfts-public"
+ clientSecret: "${OAUTH2_PROXY_CLIENT_SECRET}"
+ cookieSecret: "${OAUTH2_PROXY_COOKIE_SECRET}"
+ extraArgs:
+ provider: oidc
+ oidc-issuer-url: "https://iam.e2e-2.desp.space/realms/desp"
+
ingress:
enabled: true
namespace: webapp
installController: true
- className: "webapp-nginx"
+ className: webapp-nginx
annotations:
cert-manager.io/issuer: letsencrypt-webapp
hosts:
@@ -43,7 +63,7 @@ ingress:
ingress-nginx:
controller:
- ingressClass: "webapp-nginx"
+ ingressClass: webapp-nginx
ingressClassResource:
name: webapp-nginx
enabled: true
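Review bot: The webapp ingress in the `@@ -20,11 +20,31 @@` hunk still carries only `cert-manager.io/issuer: letsencrypt-webapp` under `annotations:`, so nothing in the rendered values routes app requests through the new proxy — oauth2-proxy is merely exposed at `/oauth2` on the same host, and the app path stays reachable without a session unless the chart's own ingress template adds the auth annotations (the `ingress:` block continues past the hunk, so I cannot see that from here). If the template does not, add `nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"` and `nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"` beside the issuer annotation. Separately, `config:` supplies the client and cookie secrets but nothing narrows who is authorized: with the upstream chart's default config file (`email_domains = [ "*" ]`, if left unchanged) every account the `desp` realm will authenticate gets through, so set `email-domain` or `allowed-groups` under `extraArgs:` to the intended audience. Rendering `${OAUTH2_PROXY_CLIENT_SECRET}` and `${OAUTH2_PROXY_COOKIE_SECRET}` into values.yaml via envsubst also leaves the plaintext in a working-tree file and in the Helm release record; the chart's `config.existingSecret` pointing at a pre-created Kubernetes Secret avoids both. The README added in this commit sources `../../deploy/tf/secrets/ovh-creds.sh` from the chart directory, which from `deploy/helm/webapp` resolves to `deploy/deploy/tf/...`, so it looks like it should read `../../tf/secrets/ovh-creds.sh`.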
@@ -56,7 +76,7 @@ ingress-nginx: loadbalancer.ovhcloud.com/class: "octavia" loadbalancer.openstack.org/keep-floatingip: "true" externalTrafficPolicy: Local - fullnameOverride: "webapp-ingress-nginx" + fullnameOverride: webapp-ingress-nginx livenessProbe: httpGet: diff --git a/deploy/tf/secrets/ovh-creds.sh b/deploy/tf/secrets/ovh-creds.sh index 9b77a7f1a718f17352ace84ca6a7d84e1f5b21d7..612bc6f9a5d53831a35dbc40fba9ab04aa42e56f 100644 GIT binary patch literal 768 zcmV+b1ONO0M@dveQdv+`0Cg|oEYTaPN?&bL0D1&lqpR7iX&rY~~wbv$S zmeQMAed(y&&W77uO_SvZ=!V;2&vQpsp_zt)))fdBj2Zfuq&0bNdMF(IO7{iUnJwW+!0wLU46iz7vx1WvrESZ8lWHYr65g z!Pn*9tMKaqz<$O@U4HnT25xd@B2&u)`!E%*B=JKg?b~sCmlGqaSWtqZC|<(Gn>d;F zQM{7UVYU!sjSl?(2%gCgd;r^WM72XlO?@|%2+ycTFzcRF`@!<%3TbbwY9Z%6PGkY7i-|Ot8PFEC*JJO9SszP^G$Kmp}d$gd**_Rc) zY-1hi6;-#TqnXZ7H_SZ94R3j6e`=MW0#66W6o-WQem&`&tqpj1ItTVl(lp%&OM|QC zdlANf`d#yH7Fy~iemVtBwQ~RNQrKC$oJDo77{IX@_1x}%mQ6xRj``^9l^*gBpSk`0 z-At#$SfjWNW5NZGlx~8BSn6!VKXjiM_U-pBEgA(#g!Fce&!w<%4j(nkF$U=McVfxj zSk~?(uzGw3YL|e2{=`)#Or!9wLbw_fs;t=(u5Io=;)ej(>^rk0oNpNcnLN+7cJI)y yu8hx(aB@AJ)W<=^ESV)!ef}EApHZx1DQd>kp{FL~hbkM*f>VxD1oi9oHD2o zRTBL<6D4&xAbCHVIzyM#<^JaK%};2mz40q>&yxGkb@ZF{i+eth>ACo}6;T*xljN1| zagt4d&15LtYl;kr<({uRiUbok0~kcd{lFpIqe5kWpQH7e0q~=C7iBczD8XiAqKM!m z-!Tk;Ko>9DyxfyV4o@ZtKt_dJt+D8w7SC$fTgw)5ten$>eB;^E^w14wwR}VC>7kyT z@rdWZ)Ou+CMonC_zwH-(oco7X;NUHyetIfvmNA3tgB6L+g=cBBx2tEdTr=9smNobX z(>PxlppX3$?Vqy)YKxci^-{7-%mH0g@3>~q#_N}VW?^J@mzd24cFx9Dc%&p-5dhX4 z6n$JgAqQaGmktbALO{78B!*8wRC_OZNgjK${W=dAKrax=+dn&f{RsVFaCU?T;!Hi=}7wrs*K8IF%`TYPbV{F3_PQF8FC^Ijwcc0HWgw0!Vldq6pAXwQ|X$v$Fj&SUzf4 R0yw)_zP;{xk)ZOcart4JBFz8* diff --git a/webapp/README.md b/webapp/README.md index 8c267b2..d69d12f 100644 --- a/webapp/README.md +++ b/webapp/README.md 
@@ -6,7 +6,7 @@ Here, we will document how to deploy the webapp.
## Container
-The webapp can be run in a container. The Dockerfile is in the `webapp/deploy` directory of the repository.
+The webapp can be run in a container. The Dockerfile is in the `webapp` directory of the repository.
## Deployment
@@ -14,5 +14,5 @@ The webapp can be run in a container. The Dockerfile is in the `webapp/deploy` d
As a requirement for the webapp, we need a kubernetes cluster. Then the webapp consists in two parts to:
-- terraform/tofu resources for a static floating IP address in `gfts-track-reconstruction/jupyterhub/tofu`
-- helm charts for a configured kubernetes cluster `webapp/deploy/helm`
+- terraform/tofu resources for a static floating IP address in `deploy/tf`
+- helm charts for a configured kubernetes cluster `deploy/helm/webapp`