fix: migration and dev-env setup (#75)

davidcheung · web-flow · commit c8cb4693ba94 · 2021-08-04T17:11:53.000-04:00
diff --git a/templates/.circleci/config.yml b/templates/.circleci/config.yml
@@ -241,7 +241,7 @@ jobs:
             pushd kubernetes/migration
             kubectl -n $NAMESPACE delete configmap $MIGRATION_NAME || echo "no migration configmap existing for deletion" 
             if [ `ls ${SQL_DIR}/*.sql 2>/dev/null | wc -l` -gt 0 ] ; then
-                kubectl -n $NAMESPACE create configmap $MIGRATION_NAME --from-file ${SQL_DIR}/*.sql
+                kubectl -n $NAMESPACE create configmap $MIGRATION_NAME $(ls  ${SQL_DIR}/*.sql | xargs printf '--from-file %s ')
             else
                 kubectl -n $NAMESPACE create configmap $MIGRATION_NAME
             fi
diff --git a/templates/.github/actions/db-migration/action.yml b/templates/.github/actions/db-migration/action.yml
@@ -23,7 +23,7 @@ runs:
       if [ `ls ${SQL_DIR}/*.sql 2>/dev/null | wc -l` -gt 0 ] ; then
         pushd kubernetes/migration
         kubectl -n $NAMESPACE delete configmap $MIGRATION_NAME || echo "no migration configmap existing for deletion"
-        kubectl -n $NAMESPACE create configmap $MIGRATION_NAME --from-file ${SQL_DIR}/*.sql
+        kubectl -n $NAMESPACE create configmap $MIGRATION_NAME $(ls  ${SQL_DIR}/*.sql | xargs printf '--from-file %s ')
 
         kubectl -n $NAMESPACE create -f job.yml
         if ! kubectl -n $NAMESPACE wait --for=condition=complete --timeout=180s job/$MIGRATION_NAME ; then
diff --git a/templates/kubernetes/overlays/dev/auth.yml b/templates/kubernetes/overlays/dev/auth.yml
@@ -0,0 +1,24 @@
+## Backend public endpoint
+# pattern: http://<proxy>/status/*
+# In example this is serves the infoPanel data, and the status endpoints that don't require user auth
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: public-backend-endpoints
+spec:
+  match:
+    url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/<(status|webhook)\/.*>
+---
+## Backend User-restricted endpoint
+# pattern: http://<proxy>/<not `status`/`.ory/kratos`>, everything else should be authenticated
+# In example this is serves the /userInfo endpoint returning the user-session's info (user_id / email)
+# Note the authenticators is `cookie_session`,
+# oathkeeper will verify the validity of session then pass along user-id/email in the Request Header
+# these can be configured via infra's `oathkeeper-values.yml`
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: authenticated-backend-endpoints
+spec:
+  match:
+    url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/<(?!(status|webhook|\.ory\/kratos)).*>
diff --git a/templates/kubernetes/overlays/dev/ingress.yml b/templates/kubernetes/overlays/dev/ingress.yml
@@ -10,7 +10,6 @@ metadata:
     ingress.kubernetes.io/ssl-redirect: "true"
     cert-manager.io/cluster-issuer: clusterissuer-letsencrypt-production
     # CORS
-    nginx.ingress.kubernetes.io/enable-cors: "true"
     ## to support both frontend origin and 'localhost', need 'configuration-snippet' implementation here, because 'cors-allow-origin' field doesn't support multiple originss yet.
     nginx.ingress.kubernetes.io/configuration-snippet: |
       if ($http_origin ~* "^https?://((?:<% index .Params `stagingFrontendSubdomain` %><% index .Params `stagingHostRoot` %>)|(?:localhost))") {
@@ -22,13 +21,15 @@ metadata:
 
       if ($cors = "true") {
         add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+        add_header 'Access-Control-Allow-Credentials' 'true';
         add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, PATCH, OPTIONS' always;
         add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization' always;
         add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
       }
 
       if ($cors = "trueoptions") {
         add_header 'Access-Control-Allow-Origin' "$http_origin";
+        add_header 'Access-Control-Allow-Credentials' 'true';
         add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, PATCH, OPTIONS';
         add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
         add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
diff --git a/templates/kubernetes/overlays/dev/kustomization.yml b/templates/kubernetes/overlays/dev/kustomization.yml
@@ -3,6 +3,8 @@ kind: Kustomization
 
 patchesStrategicMerge:
 - deployment.yml
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 
 resources:
 - ../../base
diff --git a/templates/start-dev-env.sh b/templates/start-dev-env.sh
@@ -105,7 +105,7 @@ MIGRATION_NAME=${PROJECT_NAME}-migration
 SQL_DIR="${PWD}/database/migration"
 ## launch migration job
 (cd kubernetes/migration && \
-    kubectl --context ${CLUSTER_CONTEXT} -n ${DEV_NAMESPACE} create configmap ${MIGRATION_NAME} --from-file ${SQL_DIR}/*.sql || error_exit "Failed to apply kubernetes migration configmap" && \
+    kubectl --context ${CLUSTER_CONTEXT} -n ${DEV_NAMESPACE} create configmap ${MIGRATION_NAME} $(ls  ${SQL_DIR}/*.sql | xargs printf '\-\-from\-file %s ') || error_exit "Failed to apply kubernetes migration configmap" && \
     cat job.yml | \
     sed "s|/${DATABASE_NAME}|/${DEV_DATABASE_NAME}|g" | \
     kubectl --context ${CLUSTER_CONTEXT} -n ${DEV_NAMESPACE} create -f - ) || error_exit "Failed to apply kubernetes migration"
