auth-proxy: verify group membership (#105)
* auth-proxy: verify group membership
* memberships: install memberships app and use it in a few apps
* app-repo: render auth
* installer: always use external dependencies option in app configs
* installer: fix auth handling
* auth-proxy: configure membership-addr and groups flags in helm chart
* installer: fix indentation
* app-manager: fix how auth block is rendered
---------
Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/core/installer/values-tmpl/url-shortener.cue b/core/installer/values-tmpl/url-shortener.cue
index 7d854e8..42a3ce8 100644
--- a/core/installer/values-tmpl/url-shortener.cue
+++ b/core/installer/values-tmpl/url-shortener.cue
@@ -1,7 +1,7 @@
input: {
network: #Network
subdomain: string
- requireAuth: bool
+ auth: #Auth
}
_domain: "\(input.subdomain).\(input.network.domain)"
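Review bot: The new `auth: #Auth` input carries no visible constraint tying `groups` to `enabled`, so an instance can be configured with auth on and no groups. The `#Auth` definition and the auth-proxy code are outside this hunk, so it is unclear whether an empty `groups` value means "any signed-in user" or "nobody". If it means the former, enabling auth without groups silently skips the membership check this commit introduces. I would document the intended behaviour next to the field, e.g. `// auth.groups: groups allowed through auth-proxy; when empty, <state the behaviour: allow any authenticated user / deny all>`, and have the proxy fail closed if that is the intent.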
@@ -73,7 +73,7 @@
portName: _httpPortName
}
}
- if input.requireAuth {
+ if input.auth.enabled {
"auth-proxy": {
chart: charts.authProxy
values: {
@@ -85,6 +85,8 @@
upstream: "\(_urlShortenerServiceName).\(release.namespace).svc.cluster.local"
whoAmIAddr: "https://accounts.\(global.domain)/sessions/whoami"
loginAddr: "https://accounts-ui.\(global.domain)/login"
+ membershipAddr: "http://memberships.\(global.id)-core-auth-memberships.svc.cluster.local/api/user"
+ groups: input.auth.groups
portName: _httpPortName
}
}
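Review bot: The added `membershipAddr` uses `http://`, while `whoAmIAddr` and `loginAddr` directly above it use `https://`, so the lookup that now drives the authorization decision travels in-cluster without transport protection or server authentication. If plain HTTP is deliberate because the memberships service is cluster-internal, say so and state what restricts access to it, e.g. `// membership lookup is plain in-cluster HTTP; access to the memberships service must be limited by NetworkPolicy`. It is also worth confirming that auth-proxy rejects the request when this call errors or times out rather than passing it upstream; that code is not visible here.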
@@ -96,10 +98,10 @@
ingressClassName: input.network.ingressClass
certificateIssuer: input.network.certificateIssuer
service: {
- if input.requireAuth {
+ if input.auth.enabled {
name: _authProxyServiceName
}
- if !input.requireAuth {
+ if !input.auth.enabled {
name: _urlShortenerServiceName
}
port: name: _httpPortName