add internal auth url support for astronomer components (#2066)

* add internal auth url support for astronomer components * update global values to support internal auth flag * add houston service port to internal auth url * update alertmanager ingress config * common template to call houston internal auth * fix pre-commit * update houston network policy * add basic tests * update houston config * fix houston configmap template * fix namespace in test cases
astronomer · Nov 28, 2023 · 93d8cdc · 93d8cdc
1 parent 464917c
commit 93d8cdc
Show file tree

Hide file tree

Showing 10 changed files with 83 additions and 6 deletions.
diff --git a/charts/alertmanager/templates/ingress.yaml b/charts/alertmanager/templates/ingress.yaml
@@ -18,7 +18,7 @@ metadata:
     {{- else }}
     kubernetes.io/ingress.class: "{{ .Release.Name }}-nginx"
     kubernetes.io/tls-acme: {{ eq .Values.global.acme true | quote }}
-    nginx.ingress.kubernetes.io/auth-url: https://houston.{{ .Values.global.baseDomain }}/v1/authorization
+    {{ include "houston.internalauthurl" . | indent 4 }}
     nginx.ingress.kubernetes.io/auth-signin: https://app.{{ .Values.global.baseDomain }}/login
     nginx.ingress.kubernetes.io/auth-response-headers: authorization, username, email
     {{- end }}

diff --git a/charts/astronomer/templates/_helpers.yaml b/charts/astronomer/templates/_helpers.yaml
@@ -386,3 +386,11 @@ imagePullSecrets:
 fluentd
 {{- end -}}
 {{- end }}
+
+{{- define "houston.InternalAuthorization" -}}
+{{- if or .Values.houston.enableHoustonInternalAuthorization .Values.global.enableHoustonInternalAuthorization -}}
+true
+{{- else -}}
+false
+{{- end }}
+{{- end }}
diff --git a/charts/astronomer/templates/houston/api/houston-networkpolicy.yaml b/charts/astronomer/templates/houston/api/houston-networkpolicy.yaml
@@ -70,7 +70,7 @@ spec:
           component: external-es-proxy
           release: {{ .Release.Name }}
     {{- end }}
-    {{- if .Values.houston.enableHoustonInternalAuthorization  }}
+    {{- if or .Values.houston.enableHoustonInternalAuthorization .Values.global.enableHoustonInternalAuthorization  }}
     - namespaceSelector: {}
       podSelector:
         matchLabels:

diff --git a/charts/astronomer/templates/houston/houston-configmap.yaml b/charts/astronomer/templates/houston/houston-configmap.yaml
@@ -58,7 +58,7 @@ data:
     # Airflow deployment configuration
     deployments:
       fluentdIndexPrefix: {{ include "fluentd.IndexPattern" .}}
-      enableHoustonInternalAuthorization: {{ .Values.houston.enableHoustonInternalAuthorization }}
+      enableHoustonInternalAuthorization: {{ include "houston.InternalAuthorization" . }}
       namespaceFreeFormEntry: {{ .Values.global.namespaceFreeFormEntry }}
       # Airflow chart settings
       # Static helm configurations for this chart are found below.

diff --git a/charts/grafana/templates/ingress.yaml b/charts/grafana/templates/ingress.yaml
@@ -18,7 +18,7 @@ metadata:
     {{- else }}
     kubernetes.io/ingress.class: "{{ .Release.Name }}-nginx"
     kubernetes.io/tls-acme: {{ eq .Values.global.acme true | quote }}
-    nginx.ingress.kubernetes.io/auth-url: https://houston.{{ .Values.global.baseDomain }}/v1/authorization
+    {{- include "houston.internalauthurl" . | indent 4}}
     nginx.ingress.kubernetes.io/auth-signin: https://app.{{ .Values.global.baseDomain }}/login
     nginx.ingress.kubernetes.io/auth-response-headers: authorization, username, email
     {{- end }}

diff --git a/charts/kibana/templates/ingress.yaml b/charts/kibana/templates/ingress.yaml
@@ -18,7 +18,7 @@ metadata:
     {{- else }}
     kubernetes.io/ingress.class: "{{ .Release.Name }}-nginx"
     kubernetes.io/tls-acme: {{ eq .Values.global.acme true | quote }}
-    nginx.ingress.kubernetes.io/auth-url: https://houston.{{ .Values.global.baseDomain }}/v1/authorization
+    {{- include "houston.internalauthurl" . | indent 4 }}
     nginx.ingress.kubernetes.io/auth-signin: https://app.{{ .Values.global.baseDomain }}/login
     nginx.ingress.kubernetes.io/auth-response-headers: authorization, username, email
     nginx.ingress.kubernetes.io/configuration-snippet: |

diff --git a/charts/prometheus/templates/ingress.yaml b/charts/prometheus/templates/ingress.yaml
@@ -18,7 +18,7 @@ metadata:
     {{- else }}
     kubernetes.io/ingress.class: "{{ .Release.Name }}-nginx"
     kubernetes.io/tls-acme: {{ eq .Values.global.acme true | quote }}
-    nginx.ingress.kubernetes.io/auth-url: https://houston.{{ .Values.global.baseDomain }}/v1/authorization
+    {{- include "houston.internalauthurl" . | nindent 4 }}
     nginx.ingress.kubernetes.io/auth-signin: https://app.{{ .Values.global.baseDomain }}/login
     nginx.ingress.kubernetes.io/auth-response-headers: authorization, username, email
     {{- end }}

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -9,3 +9,12 @@ fluentd
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+
+{{ define "houston.internalauthurl" -}}
+{{- if .Values.global.enableHoustonInternalAuthorization  }}
+nginx.ingress.kubernetes.io/auth-url: http://{{ .Release.Name }}-houston.{{ .Release.Namespace }}.svc.cluster.local:8871/v1/authorization
+{{- else }}
+nginx.ingress.kubernetes.io/auth-url: https://houston.{{ .Values.global.baseDomain }}/v1/authorization
+{{- end }}
+{{- end }}
diff --git a/tests/chart_tests/test_astronomer_houston_Internal_authorization.py b/tests/chart_tests/test_astronomer_houston_Internal_authorization.py
@@ -0,0 +1,58 @@
+import pytest
+
+from tests import supported_k8s_versions
+from tests.chart_tests.helm_template_generator import render_chart
+
+
+@pytest.mark.parametrize(
+    "kube_version",
+    supported_k8s_versions,
+)
+class TestHoustonInternalAuthorization:
+    def test_ingress_with_authorization_defaults(self, kube_version):
+        """Test Alertmanager Service with authSidecar."""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={},
+            show_only=[
+                "charts/alertmanager/templates/ingress.yaml",
+                "charts/grafana/templates/ingress.yaml",
+                "charts/kibana/templates/ingress.yaml",
+                "charts/prometheus/templates/ingress.yaml",
+            ],
+        )
+
+        assert len(docs) == 4
+        for doc in docs:
+            assert doc["kind"] == "Ingress"
+            assert doc["apiVersion"] == "networking.k8s.io/v1"
+            assert (
+                "https://houston.example.com/v1/authorization"
+                in doc["metadata"]["annotations"][
+                    "nginx.ingress.kubernetes.io/auth-url"
+                ]
+            )
+
+    def test_ingress_with_internal_authorization(self, kube_version):
+        """Test Alertmanager Service with authSidecar."""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={"global": {"enableHoustonInternalAuthorization": True}},
+            show_only=[
+                "charts/alertmanager/templates/ingress.yaml",
+                "charts/grafana/templates/ingress.yaml",
+                "charts/kibana/templates/ingress.yaml",
+                "charts/prometheus/templates/ingress.yaml",
+            ],
+        )
+
+        assert len(docs) == 4
+        for doc in docs:
+            assert doc["kind"] == "Ingress"
+            assert doc["apiVersion"] == "networking.k8s.io/v1"
+            assert (
+                "http://release-name-houston.default.svc.cluster.local:8871/v1/authorization"
+                in doc["metadata"]["annotations"][
+                    "nginx.ingress.kubernetes.io/auth-url"
+                ]
+            )
diff --git a/values.yaml b/values.yaml
@@ -107,6 +107,8 @@ global:
 
   taskUsageMetricsEnabled: false
 
+  enableHoustonInternalAuthorization: false
+
   logging:
     indexNamePrefix: ~