feat: support both jwt and webhook authentication hasura (#88)

mosoriob · github-actions[bot] · web-flow · commit 44592803740b · 2025-02-14T16:47:22.000-03:00
* add: auth values

* feat: add Hasura authentication webhook support

* update Helm documentation

* fix: dump

* update Helm documentation

* dump

* fix: improve values

* update Helm documentation

---------

Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/charts/mint/Chart.yaml b/charts/mint/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.4.6-pre2
+version: 3.4.6-pre3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
diff --git a/charts/mint/README.md b/charts/mint/README.md
@@ -1,6 +1,6 @@
 # MINT
 
-![Version: 3.4.6-pre2](https://img.shields.io/badge/Version-3.4.6--pre2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square)
+![Version: 3.4.6-pre3](https://img.shields.io/badge/Version-3.4.6--pre3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square)
 
 A Helm chart for MINT
 
@@ -107,6 +107,16 @@ A Helm chart for MINT
 | components.ensemble_manager.serviceAccountName | string | `"default"` | Service account name for Ensemble Manager, used to run jobs |
 | components.ensemble_manager.strategy | object | `{"type":"Recreate"}` | Ensemble Manager deployment strategy (Recreate or RollingUpdate) |
 | components.ensemble_manager.strategy.type | string | `"Recreate"` | Type of deployment strategy |
+| components.hasura.auth | object | `{"jwt":{"claims":{"namespace":"https://hasura.io/jwt/claims"}},"type":"jwt","webhook":{"config":{"tapisJwksUri":"https://tacc.tapis.io/v3/tenants/tacc","tapisTokenIssuer":"https://tacc.tapis.io/v3/tokens"},"service":{"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook","tag":"latest"},"resources":{}}}}` | Authentication configuration for Hasura |
+| components.hasura.auth.jwt.claims | object | `{"namespace":"https://hasura.io/jwt/claims"}` | JWT claims configuration |
+| components.hasura.auth.type | string | `"jwt"` | Authentication type (jwt or webhook) |
+| components.hasura.auth.webhook.config.tapisJwksUri | string | `"https://tacc.tapis.io/v3/tenants/tacc"` | JWKS URI for Tapis authentication |
+| components.hasura.auth.webhook.config.tapisTokenIssuer | string | `"https://tacc.tapis.io/v3/tokens"` | Token issuer for Tapis authentication |
+| components.hasura.auth.webhook.service | object | `{"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook","tag":"latest"},"resources":{}}` | Webhook service configuration |
+| components.hasura.auth.webhook.service.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for auth webhook |
+| components.hasura.auth.webhook.service.image.repository | string | `"ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook"` | Docker image repository for auth webhook |
+| components.hasura.auth.webhook.service.image.tag | string | `"latest"` | Docker image tag for auth webhook |
+| components.hasura.auth.webhook.service.resources | object | `{}` | Resource specifications for auth webhook |
 | components.hasura.enabled | bool | `true` | Enable or disable Hasura |
 | components.hasura.environment.enable_console | bool | `true` | Enable or disable Hasura console |
 | components.hasura.environment.enable_dev_mode | bool | `false` | Enable or disable Hasura dev mode |
@@ -286,7 +296,7 @@ A Helm chart for MINT
 | secrets.external_services.s3.access_key | string | `"CHANGEME"` | Access key for S3. Used by Ensemble Manager to upload data |
 | secrets.external_services.s3.secret_key | string | `"CHANGEME"` | Secret key for S3 |
 | secrets.hasura.admin_secret | string | `"CHANGEME"` | Admin secret for Hasura used to access the console |
-| secrets.hasura.jwt_secret | string | `"{\"type\": \"RS256\", \"key\": \"-----BEGIN CERTIFICATE-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmyQQ56WKKsVCUs8n9swlv5DV7st7UUdvNoDSnwovdU2vinQQ686//vRqlUJ5vpyI7r75qTXCPkXUitDhPvGEMfChnb9tuWdymSyZmMmT+34oaYo/2bGSZjTlLRVfRJjUnFYeWoVLoXVKJolyDWtU6bXbFNnUyysb/6YIpg5sSwxkLs/9yl6HsWdFconxPJO6KmMPSjcOc0fZermNq+cOEvj1OqRhVkxDqBebreI+zcgrJHNSN8d6cxTmfVQl1jIPHvxE5oN7qUdfYmK4D+SOlj8FlkUvwis+3Ix2AQsvNoOD1OzuqUOd/FpXBnEGaeTq9EMwDxplNqltR/qT3/poUwIDAQAB\\n-----END CERTIFICATE-----\", \"allowed_skew\": 2}"` | JWT verification secret for Hasura |
+| secrets.hasura.jwt_secret | string | `"{\"type\": \"RS256\", \"key\": \"-----BEGIN CERTIFICATE-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmyQQ56WKKsVCUs8n9swlv5DV7st7UUdvNoDSnwovdU2vinQQ686//vRqlUJ5vpyI7r75qTXCPkXUitDhPvGEMfChnb9tuWdymSyZmMmT+34oaYo/2bGSZjTlLRVfRJjUnFYeWoVLoXVKJolyDWtU6bXbFNnUyysb/6YIpg5sSwxkLs/9yl6HsWdFconxPJO6KmMPSjcOc0fZermNq+cOEvj1OqRhVkxDqBebreI+zcgrJHNSN8d6cxTmfVQl1jIPHvxE5oN7qUdfYmK4D+SOlj8FlkUvwis+3Ix2AQsvNoOD1OzuqUOd/FpXBnEGaeTq9EMwDxplNqltR/qT3/poUwIDAQAB\\n-----END CERTIFICATE-----\", \"allowed_skew\": 2}"` | JWT verification secret for Hasura (only used when auth.type is jwt) |
 | securityContext | object | `{}` |  |
 | service | object | `{"port":80,"type":"ClusterIP"}` | Service configuration |
 | service.port | int | `80` | Port number for the service |
diff --git a/charts/mint/templates/hasura.yaml b/charts/mint/templates/hasura.yaml
@@ -24,6 +24,66 @@ spec:
   selector:
     app: {{ include "mint.prefix" . }}-hasura
 ---
+{{- if eq .Values.components.hasura.auth.type "webhook" }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "mint.prefix" . }}-hasura-auth-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 3000
+      targetPort: 3000
+      protocol: TCP
+      name: http
+  selector:
+    app: {{ include "mint.prefix" . }}-hasura-auth-webhook
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "mint.prefix" . }}-hasura-auth-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "mint.prefix" . }}-hasura-auth-webhook
+  template:
+    metadata:
+      labels:
+        app: {{ include "mint.prefix" . }}-hasura-auth-webhook
+    spec:
+      containers:
+        - name: auth-webhook
+          {{- with .Values.components.hasura.auth.webhook.service }}
+          image: "{{ .image.repository }}:{{ .image.tag }}"
+          imagePullPolicy: {{ .image.pullPolicy }}
+          resources:
+            {{- toYaml .resources | nindent 12 }}
+          {{- end }}
+          env:
+            - name: TAPIS_JWKS_URI
+              value: {{ .Values.components.hasura.auth.webhook.config.tapisJwksUri }}
+            - name: TAPIS_TOKEN_ISSUER
+              value: {{ .Values.components.hasura.auth.webhook.config.tapisTokenIssuer }}
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+{{- end }}
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -57,8 +117,20 @@ spec:
             value: "{{ .environment.enable_console }}"
           - name: HASURA_GRAPHQL_DEV_MODE
             value: "{{ .environment.enable_dev_mode }}"
+          {{- if eq .auth.type "webhook" }}
+          - name: HASURA_GRAPHQL_AUTH_HOOK
+            value: "http://{{ include "mint.prefix" $ }}-hasura-auth-webhook:3000/auth-webhook"
+          - name: HASURA_GRAPHQL_AUTH_HOOK_MODE
+            value: "POST"
+          {{- else }}
           - name: HASURA_GRAPHQL_UNAUTHORIZED_ROLE
             value: "{{ .environment.unauthorized_role }}"
+          - name: HASURA_GRAPHQL_JWT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "mint.prefix" $ }}-hasura-secrets
+                key: jwt_secret
+          {{- end }}
           {{- end }}
           - name: HASURA_GRAPHQL_DATABASE_URL
             valueFrom:
@@ -70,11 +142,6 @@ spec:
               secretKeyRef:
                 name: {{ include "mint.prefix" . }}-hasura-secrets
                 key: admin_secret
-          - name: HASURA_GRAPHQL_JWT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "mint.prefix" . }}-hasura-secrets
-                key: jwt_secret
           - name: DB_HOST
             value: {{ include "mint.prefix" $ }}-hasura
           ports:
diff --git a/charts/mint/values.yaml b/charts/mint/values.yaml
@@ -249,6 +249,31 @@ components:
       enable_dev_mode: false
       # -- Unauthorized role for Hasura
       unauthorized_role: anonymous
+    # -- Authentication configuration for Hasura
+    auth:
+      # -- Authentication type (jwt or webhook)
+      type: jwt
+      jwt:
+        # -- JWT claims configuration
+        claims:
+          namespace: "https://hasura.io/jwt/claims"
+      webhook:
+        # -- Webhook service configuration
+        service:
+          image:
+            # -- Docker image repository for auth webhook
+            repository: ghcr.io/in-for-disaster-analytics/hasura-tapis-auth-webhook
+            # -- Docker image tag for auth webhook
+            tag: latest
+            # -- Image pull policy for auth webhook
+            pullPolicy: IfNotPresent
+          # -- Resource specifications for auth webhook
+          resources: {}
+        config:
+          # -- JWKS URI for Tapis authentication
+          tapisJwksUri: "https://tacc.tapis.io/v3/tenants/tacc"
+          # -- Token issuer for Tapis authentication
+          tapisTokenIssuer: "https://tacc.tapis.io/v3/tokens"
     ingress:
       # -- Enable or disable ingress for Hasura
       enabled: true
@@ -541,7 +566,7 @@ secrets:
       # -- Url for S3
       endpoint: example.com
   hasura:
-    # -- JWT verification secret for Hasura
+    # -- JWT verification secret for Hasura (only used when auth.type is jwt)
     jwt_secret: '{"type": "RS256", "key": "-----BEGIN CERTIFICATE-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmyQQ56WKKsVCUs8n9swlv5DV7st7UUdvNoDSnwovdU2vinQQ686//vRqlUJ5vpyI7r75qTXCPkXUitDhPvGEMfChnb9tuWdymSyZmMmT+34oaYo/2bGSZjTlLRVfRJjUnFYeWoVLoXVKJolyDWtU6bXbFNnUyysb/6YIpg5sSwxkLs/9yl6HsWdFconxPJO6KmMPSjcOc0fZermNq+cOEvj1OqRhVkxDqBebreI+zcgrJHNSN8d6cxTmfVQl1jIPHvxE5oN7qUdfYmK4D+SOlj8FlkUvwis+3Ix2AQsvNoOD1OzuqUOd/FpXBnEGaeTq9EMwDxplNqltR/qT3/poUwIDAQAB\n-----END CERTIFICATE-----", "allowed_skew": 2}'
     # -- Admin secret for Hasura used to access the console
     admin_secret: CHANGEME
