Added auth for stac browser.

Author: pantierra

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381)
+- Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376)
 
 ### Fixed
 

charts/eoapi/templates/services/browser/deployment.yaml

@@ -7,7 +7,7 @@ metadata:
     app: {{ .Release.Name }}-browser
     gitsha: {{ .Values.gitSha }}
 spec:
-  replicas: {{.Values.browser.replicaCount}}
+  replicas: {{ .Values.browser.replicaCount }}
   selector:
     matchLabels:
       app: {{ .Release.Name }}-browser
@@ -23,5 +23,16 @@ spec:
           - containerPort: 8080
           env:
             - name: SB_catalogUrl
-              value: "{{ .Values.stac.ingress.path }}"
+              value: "http://{{ .Values.ingress.host }}{{ .Values.stac.ingress.path }}"
+            {{- if index .Values "stac-auth-proxy" "enabled" }}
+            - name: SB_authConfig
+              value: |
+                {
+                  "type": "openIdConnect",
+                  "openIdConnectUrl": "http://{{ .Values.ingress.host }}{{ .Values.mockOidcServer.ingress.path }}/.well-known/openid-configuration",
+                  "oidcOptions": {
+                    "client_id": "{{ .Values.browser.oidcClientId | default "test-client" }}"
+                  }
+                }
+            {{- end }}
 {{- end }}

charts/eoapi/tests/stac_browser_tests.yaml

@@ -51,3 +51,61 @@ tests:
       - equal:
           path: metadata.annotations.annotation2
           value: world
+  - it: "stac browser deployment with auth enabled"
+    set:
+      raster.enabled: false
+      stac.enabled: true
+      vector.enabled: false
+      multidim.enabled: false
+      browser.enabled: true
+      stac-auth-proxy.enabled: true
+      ingress.host: "localhost"
+      stac.ingress.path: "/stac"
+      mockOidcServer.ingress.path: "/mock-oidc"
+      browser.oidcClientId: "test-client"
+      gitSha: "ABC123"
+    template: templates/services/browser/deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SB_catalogUrl
+            value: "http://localhost/stac"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SB_authConfig
+            value: |
+              {
+                "type": "openIdConnect",
+                "openIdConnectUrl": "http://localhost/mock-oidc/.well-known/openid-configuration",
+                "oidcOptions": {
+                  "client_id": "test-client"
+                }
+              }
+  - it: "stac browser deployment without auth"
+    set:
+      raster.enabled: false
+      stac.enabled: true
+      vector.enabled: false
+      multidim.enabled: false
+      browser.enabled: true
+      stac-auth-proxy.enabled: false
+      ingress.host: "localhost"
+      stac.ingress.path: "/stac"
+      gitSha: "ABC123"
+    template: templates/services/browser/deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SB_catalogUrl
+            value: "http://localhost/stac"
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SB_authConfig

charts/eoapi/values.yaml

@@ -415,7 +415,11 @@ stac:
 # STAC Auth Proxy - authentication layer for STAC API
 stac-auth-proxy:
   enabled: false
+  image:
+    tag: "v0.10.2-rc2"
   env:
+    ROOT_PATH: "/stac"
+    OVERRIDE_HOST: "false"
     DEFAULT_PUBLIC: "true"
     # UPSTREAM_URL will be set dynamically in template to point to stac service
     # OIDC_DISCOVERY_URL must be configured when enabling auth
@@ -492,6 +496,7 @@ browser:
     tag: 3.3.4
   ingress:
     enabled: true  # Control ingress specifically for browser service
+  oidcClientId: "some-client-id"
 
 docServer:
   enabled: true