Allow ingress configuration to support running stac-fastapi behind stac-auth-proxy

[batpad]

Context

To handle authorization on the IFRC Montandon project, we want to use stac-auth-proxy. We would use the stac-auth-proxy helm chart to deploy stac-auth-proxy into the same namespace on a cluster as eoapi-k8s. Side-note: In the future, we could think of making this an optional dependency to eoapi-k8s, but for now, we can think of it as a separate install.

Stac-auth-proxy would have external facing ingress, that handles authenticating users, and if the user is authenticated / has permissions to access the requested resource, proxy the request to stac-fastapi. It would be important for stac-fastapi to NOT have external facing ingress, and stac-auth-proxy to proxy to stac-fastapi on the internal cluster network.

Implementation

I imagine the way to do this would be to disable external ingress on the stac-fastapi service in eoapi-k8s, and then pass in the internal service name to stac-auth-proxy to access stac-fastapi over the internal cluster network.

Currently, this would be a bit awkward to do because of the "looping" through services - i.e. it seems not possible to disable ingress for only stac-fastapi, but continue to have external facing ingress for other eoapi-k8s services.

This seems like it should be a lot easier once we split up configuration per-service as per #211

Next Steps

Since we do need this a bit urgently for the IFRC deploy, am wondering what the best next steps are. I think there are a couple options:

• Add some if condition in the current services loop mechanism, to allow disabling ingress for individual services. This is likely a bit hacky.
• Finish up Helm Chart Refactoring Proposal: Improving Readability and Maintainability #211 and then be able to configure disabling ingress for just stac-fastapi in a cleaner manner.

Me and @alukach have tested that stac-auth-proxy otherwise works well - I think this is potentially a straightforward way to handle user authentication, and with the stac-auth-proxy helm chart, can hopefully be a pretty easy addition to eoapi-k8s for those who want authentication but don't want to mess with custom middleware on the stac-fastapi application.

cc @pantierra @emmanuelmathot @sunu - would be great to get some thoughts here - am happy to help with #211 if that seems like the cleanest way forward, or if it seems like there's a good intermediary solution to disable ingress for stac-fastapi, can work on testing this integration a bit sooner.

[emmanuelmathot]

Thank you @batpad . I will coordinate the execution plan to have #211 solved quickly and enable your solution asap.

[emmanuelmathot]

We have implemented support for STAC Auth Proxy integration with EOAPI-K8S through service-specific ingress control in #219 and #220 (to be merged).
This feature allows the STAC service to be accessible only internally while other services remain externally available.

Implementation Details

1. Service-Specific Ingress Control

Each service can now independently control its ingress settings via the values.yaml configuration:

stac:
  enabled: true
  ingress:
    enabled: false  # Disable external ingress for STAC only

# Other services remain externally accessible
raster:
  enabled: true
  ingress:
    enabled: true

2. Template Changes

The ingress template now checks service-specific settings:

{{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }}
- pathType: {{ .Values.ingress.pathType }}
  path: /stac{{ .Values.ingress.pathSuffix }}
  backend:
    service:
      name: stac
      port:
        number: {{ .Values.service.port }}
{{- end }}

This ensures:

• Service paths are only included if the service and its ingress are enabled
• Backward compatibility is maintained (ingress enabled by default)
• Clean separation of service configurations

Deployment Guide

1. Configure EOAPI-K8S

# values.yaml for eoapi-k8s
stac:
  enabled: true
  ingress:
    enabled: false  # No external ingress for STAC

# Other services remain externally accessible
raster:
  enabled: true
vector:
  enabled: true
multidim:
  enabled: true

2. Deploy STAC Auth Proxy

Deploy the stac-auth-proxy Helm chart in the same namespace:

# values.yaml for stac-auth-proxy
backend:
  service: stac  # Internal K8s service name
  port: 8080     # Service port

auth:
  # Configure authentication settings
  provider: oauth2
  # ... other auth settings

3. Network Flow

graph LR
    A[External Request] --> B[STAC Auth Proxy]
    B -->|Authentication| C[Internal STAC Service]
    D[External Request] -->|Direct Access| E[Raster/Vector/Other Services]

Loading

Testing

Verify the configuration:

# Check that STAC paths are excluded
helm template eoapi --set stac.ingress.enabled=false,stac.enabled=true -f values.yaml

# Verify other services remain accessible
kubectl get ingress
kubectl get services

Expected behavior:

• STAC service accessible only within the cluster
• Other services (raster, vector, etc.) accessible via their ingress paths
• Auth proxy successfully routing authenticated requests to STAC