Skip to content

feat: Add helm chart auth options. #118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
pantierra wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat: Add helm chart auth options. #118

pantierra wants to merge 1 commit into from
+601 −17

Conversation

@pantierra
Copy link
Contributor

@pantierra pantierra commented Dec 16, 2025

This PR adds the following authorization options to the helm chart:

stac-auth-proxy:
  enabled: true

  authorization:
  
    route:
      # mode: "default" (default, DEFAULT_PUBLIC), "custom", "private", "disabled"
      mode: "default"
     
      # Custom endpoint configurations (only used when mode: "custom")
      publicEndpoints: {}
        # Example:
        # "^/collections$": ["GET"]
        # "^/search$": ["GET", "POST"]
      privateEndpoints: {}
        # Example:
        # "^/collections$": [["POST", "collection:create"]]
        # "^/collections/([^/]+)/items$": [["POST", "item:create"]]
    
    record:
      # mode: "disabled" (default), "custom", "opa"
      mode: "disabled"
    
      # Custom filters configurations (only used when mode: "custom")
      custom:
        filtersFile: "data/custom_filters.py"
        
      # OPA configuration (only used when mode: "opa")
      opa:
        url: "http://opa:8181/"
        policy: "stac/items/allow"

Manual configuration via environment variables and manual mount of filter files is still possible.

The PR requires #114 and #117.

I open this as a draft, as I expect us to have a few iterations and conversations about this.

@github-actions github-actions bot added the feat label Dec 16, 2025
@pantierra pantierra requested review from alukach, batpad and sunu December 16, 2025 18:06
@pantierra pantierra force-pushed the feature/helm-filter-configuration branch from 985ef13 to fa530fa Compare December 16, 2025 18:07
@pantierra pantierra mentioned this pull request Dec 16, 2025
Draft
alukach
alukach reviewed Dec 16, 2025
View reviewed changes
helm/AUTHORIZATION.md
@@ -0,0 +1,150 @@
# Authorization configuration guide
Copy link
Member

@alukach alukach Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we push this into the docs directory to publish at developmentseed.org/stac-auth-proxy?

Copy link
Contributor Author

@pantierra pantierra Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a bit out of context. We could move it into the docs but frame it as helm/kubernetes setup and include this.

Copy link
Member

@alukach alukach Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aside from the repo, is there anywhere else that this information would be surfaced?

I'd ideally like for people to be able to think about this tool as a packaged product rather than just a codebase, hence my view that docs should be available outside of the repo

Copy link
Member

@alukach alukach Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aside from the repo, is there anywhere else that this information would be surfaced?

I'd ideally like for people to be able to think about this tool as a packaged product rather than just a codebase, hence my view that docs should be available outside of the repo

Copy link
Contributor Author

@pantierra pantierra Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy to move it to the docs. Perhaps good to bring in #117 first? After that I can combine README and AUTHORIZATION into one file in the docs.

helm/values.yaml Outdated
mode: "default"

# Custom endpoint configurations (only used when mode: "custom")
publicEndpoints: {}
Copy link
Member

@alukach alukach Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this (and the privateEndpoints) override the defaults established within the stac auth proxy's configuration?

Copy link
Contributor Author

@pantierra pantierra Dec 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These would just set an env variable with the contents specified here. So, to my understanding, yes, if these are set, they will override them.

Copy link
Contributor Author

@pantierra pantierra Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clarified a bit better in the comments.

@pantierra pantierra force-pushed the feature/helm-filter-configuration branch 2 times, most recently from adab675 to e9a6cea Compare December 16, 2025 19:21
@pantierra pantierra force-pushed the feature/helm-filter-configuration branch from e9a6cea to d37cee3 Compare December 16, 2025 19:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alukach alukach alukach left review comments

@batpad batpad Awaiting requested review from batpad

@sunu sunu Awaiting requested review from sunu

Assignees

No one assigned

Labels

feat

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pantierra @alukach