Merge branch 'main' into feature/authentication-extension

Author: alukach

.github/workflows/cicd.yaml

@@ -1,7 +1,8 @@
 name: CI/CD
 
 on:
-  - push
+  push:
+  release:
 
 jobs:
   lint:

.github/workflows/publish-docker.yaml

@@ -0,0 +1,58 @@
+name: Publish Docker image
+
+on:
+  workflow_run:
+    workflows: ["CI/CD"]
+    types:
+      - completed
+    branches:
+      - main
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=semver,pattern={{version}}
+            type=sha,format=long
+            type=ref,event=branch
+            type=ref,event=tag
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

README.md

@@ -18,9 +18,6 @@ STAC Auth Proxy is a proxy API that mediates between the client and your interna
 
 ## Usage
 
-> [!NOTE]
-> Currently, the project can only be installed by downloading the repository. It will eventually be available on Docker ([#5](https://github.com/developmentseed/stac-auth-proxy/issues/5)) and PyPi ([#30](https://github.com/developmentseed/stac-auth-proxy/issues/30)).
-
 ### Installation
 
 For local development, we use [`uv`](https://docs.astral.sh/uv/) to manage project dependencies and environment.
@@ -35,15 +32,27 @@ Otherwise, the application can be installed as a standard Python module:
 pip install -e .
 ```
 
+> [!NOTE]
+> This project will be available on PyPi in the near future ([#30](https://github.com/developmentseed/stac-auth-proxy/issues/30)).
+
 ### Running
 
-The simplest way to run the project is by calling the module directly:
+The simplest way to run the project is by invoking the application via Docker:
 
 ```sh
-python -m stac_auth_proxy
+docker run \
+  -it --rm \
+  -p 8000:8000 \
+  -e UPSTREAM_URL=https://google.com \
+  -e OIDC_DISCOVERY_URL=https://auth.openveda.cloud/realms/veda/.well-known/openid-configuration \
+  ghcr.io/developmentseed/stac-auth-proxy:latest
 ```
 
-Alternatively, the application's factory can be passed to Uvicorn:
+Alternatively, the module can be invoked directly or the application's factory can be passed to Uvicorn:
+
+```sh
+python -m stac_auth_proxy
+```
 
 ```sh
 uvicorn --factory stac_auth_proxy:create_app

pyproject.toml

@@ -1,5 +1,5 @@
 [project]
-authors = [{name = "Your Name", email = "your.email@example.com"}]
+authors = [{name = "Anthony Lukach", email = "anthonylukach@gmail.com"}]
 classifiers = [
   "Programming Language :: Python :: 3",
   "Programming Language :: Python :: 3.8",
@@ -10,7 +10,7 @@ dependencies = [
   "brotli>=1.1.0",
   "cql2>=0.3.5",
   "fastapi>=0.115.5",
-  "httpx>=0.28.0",
+  "httpx[http2]>=0.28.0",
   "jinja2>=3.1.4",
   "pydantic-settings>=2.6.1",
   "pyjwt>=2.10.1",

src/stac_auth_proxy/app.py

@@ -6,14 +6,14 @@
 """
 
 import logging
+from contextlib import asynccontextmanager
 from typing import Optional
 
 from fastapi import FastAPI
 from starlette_cramjam.middleware import CompressionMiddleware
 
 from .config import Settings
-from .handlers import HealthzHandler, ReverseProxyHandler, S3AssetSigner
-from .lifespan import LifespanManager, ServerHealthCheck
+from .handlers import HealthzHandler, ReverseProxyHandler
 from .middleware import (
     AddProcessTimeHeaderMiddleware,
     ApplyCql2FilterMiddleware,
@@ -22,6 +22,7 @@
     EnforceAuthMiddleware,
     OpenApiMiddleware,
 )
+from .utils.lifespan import check_server_health
 
 logger = logging.getLogger(__name__)
 
@@ -33,14 +34,17 @@ def create_app(settings: Optional[Settings] = None) -> FastAPI:
     #
     # Application
     #
-    upstream_urls = (
-        [settings.upstream_url, settings.oidc_discovery_internal_url]
-        if settings.wait_for_upstream
-        else []
-    )
-    lifespan = LifespanManager(
-        on_startup=([ServerHealthCheck(url=url) for url in upstream_urls])
-    )
+
+    @asynccontextmanager
+    async def lifespan(app: FastAPI):
+        assert settings
+
+        # Wait for upstream servers to become available
+        if settings.wait_for_upstream:
+            for url in [settings.upstream_url, settings.oidc_discovery_internal_url]:
+                await check_server_health(url=url)
+
+        yield
 
     app = FastAPI(
         openapi_url=None,  # Disable OpenAPI schema endpoint, we want to serve upstream's schema

src/stac_auth_proxy/handlers/reverse_proxy.py

@@ -25,6 +25,7 @@ def __post_init__(self):
         self.client = self.client or httpx.AsyncClient(
             base_url=self.upstream,
             timeout=self.timeout,
+            http2=True,
         )
 
     async def proxy_request(self, request: Request) -> Response:

src/stac_auth_proxy/lifespan/LifespanManager.py

@@ -0,0 +1,42 @@
+"""Health check implementations for lifespan events."""
+
+import asyncio
+import logging
+
+import httpx
+from pydantic import HttpUrl
+
+logger = logging.getLogger(__name__)
+
+
+async def check_server_health(
+    url: str | HttpUrl,
+    max_retries: int = 10,
+    retry_delay: float = 1.0,
+    retry_delay_max: float = 5.0,
+    timeout: float = 5.0,
+) -> None:
+    """Wait for upstream API to become available."""
+    # Convert url to string if it's a HttpUrl
+    if isinstance(url, HttpUrl):
+        url = str(url)
+
+    async with httpx.AsyncClient(timeout=timeout, follow_redirects=True) as client:
+        for attempt in range(max_retries):
+            try:
+                response = await client.get(url)
+                response.raise_for_status()
+                logger.info(f"Upstream API {url!r} is healthy")
+                return
+            except Exception as e:
+                logger.warning(f"Upstream health check for {url!r} failed: {e}")
+                retry_in = min(retry_delay * (2**attempt), retry_delay_max)
+                logger.warning(
+                    f"Upstream API {url!r} not healthy, retrying in {retry_in:.1f}s "
+                    f"(attempt {attempt + 1}/{max_retries})"
+                )
+                await asyncio.sleep(retry_in)
+
+    raise RuntimeError(
+        f"Upstream API {url!r} failed to respond after {max_retries} attempts"
+    )