provision dev-env user-auth for local development (#227)

Author: davidcheung

templates/kubernetes/terraform/environments/stage/main.tf

@@ -106,7 +106,12 @@ module "kubernetes" {
     ## Oathkeeper requires a private key (as `user_auth[0].jwks_secret_name`)
     ## per environment one of each (database/database secret/private key) is created in the pre-k8s step
     ## If you need to add another user-auth instance you will have to create another set of these resources
-  ]<% end %>
+  ]
+  # Provisions an extra Kratos instance and Rules for Oathkeeper enabling local frontend to connect to the dev-env's user auth
+  # Cookies will be set to dev.<domain> and dev-env backend will be set to <developer-name>.dev.<domain>
+  # allowing cookie to be shared
+  user_auth_dev_env_enabled = true
+  <% end %>
   notification_service_enabled             = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
   notification_service_highly_available    = false
   notification_service_twilio_phone_number = "<% index .Params `notificationServiceTwilioPhoneNumber` %>"

templates/kubernetes/terraform/modules/kubernetes/user_auth.tf

@@ -17,7 +17,7 @@ data "aws_secretsmanager_secret_version" "jwks_content" {
 module "user_auth" {
   count   = length(var.user_auth)
   source  = "commitdev/zero/aws//modules/user_auth"
-  version = "0.4.8"
+  version = "0.5.3"
 
   name                        = var.user_auth[count.index].name
   auth_namespace              = var.user_auth[count.index].auth_namespace
@@ -36,3 +36,78 @@ module "user_auth" {
 
   depends_on = [helm_release.external_secrets]
 }
+
+module "dev_user_auth" {
+  count = var.user_auth_dev_env_enabled ? 1 : 0
+
+  source  = "commitdev/zero/aws//modules/user_auth"
+  version = "0.5.3"
+
+  name                        = "development"
+  auth_namespace              = "user-auth"
+  create_namespace            = false
+  kratos_secret_name          = var.project
+  frontend_use_https          = false
+  frontend_service_domain     = var.dev_user_auth_frontend_domain
+  backend_service_domain      = "dev.${var.domain_name}"
+  user_auth_mail_from_address = "noreply@${var.domain_name}"
+  whitelisted_return_urls     = ["http://${var.dev_user_auth_frontend_domain}"]
+  jwks_content                = "none"
+  cookie_signing_secret_key   = "${var.project}-${var.environment}-${var.random_seed}"
+  kubectl_extra_args          = local.k8s_exec_context
+  external_secret_name        = "${var.project}/kubernetes/stage/user-auth"
+  kratos_values_override      = {
+    kratos = {
+      config = {
+        session = {
+          cookie = {
+            same_site = "None"
+            domain = "dev.${var.domain_name}"
+          }
+        }
+      }
+    }
+  }
+  disable_oathkeeper          = true
+}
+
+resource "kubernetes_ingress" "dev_user_auth" {
+  count = var.user_auth_dev_env_enabled ? 1 : 0
+
+  metadata {
+    name      = "dev-user-auth"
+    namespace = "user-auth"
+    annotations = {
+      "kubernetes.io/ingress.class"                        = "nginx"
+      "cert-manager.io/cluster-issuer"                     = "clusterissuer-letsencrypt-production"
+      "nginx.ingress.kubernetes.io/enable-cors"            = "true"
+      "nginx.ingress.kubernetes.io/cors-allow-origin"      = "http://${var.dev_user_auth_frontend_domain}"
+      "nginx.ingress.kubernetes.io/cors-allow-credentials" =  "true"
+    }
+  }
+
+  spec {
+    rule {
+      host = "dev.${var.domain_name}"
+      http {
+        path {
+          path = "/"
+          # Sharing Oathkeeper with stage instance
+          backend {
+            service_name = "oathkeeper-${var.user_auth[0].name}-proxy"
+            service_port = "http"
+          }
+        }
+
+      }
+    }
+    tls {
+      secret_name = "dev-user-auth-tls-secret"
+      hosts = [
+        "dev.${var.domain_name}"
+      ]
+    }
+  }
+  depends_on = [module.user_auth]
+
+}

templates/kubernetes/terraform/modules/kubernetes/variables.tf

@@ -144,6 +144,18 @@ variable "user_auth" {
   }))
 }
 
+variable "user_auth_dev_env_enabled" {
+  description = "When enabled will provision Kratos and Oathkeeper Rules for dev environment"
+  type        = bool
+  default     = false
+}
+
+variable "dev_user_auth_frontend_domain" {
+  description = "Frontend domain used for local development with dev env"
+  type        = string
+  default     = "127.0.0.1:3000"
+}
+
 variable "nginx_ingress_replicas" {
   description = "The number of ingress controller pods to run in the cluster. Production environments should not have less than 2"
   type        = number