feat(api): adds initial auth to endpoints (#181)

Author: jmgilman

foundry/api/Earthfile

@@ -95,4 +95,21 @@ docker:
     COPY entrypoint.sh .
 
     ENTRYPOINT [ "/bin/bash", "/app/entrypoint.sh" ]
-    SAVE IMAGE ${container}:${tag}
+    SAVE IMAGE ${container}:${tag}
+
+certs:
+    FROM +build
+
+    RUN ./bin/foundry-api auth init --output-dir /certs
+
+    SAVE ARTIFACT /certs certs
+
+jwt:
+    FROM +build
+
+    COPY --dir certs .
+
+    RUN mkdir -p /jwt
+    RUN ./bin/foundry-api auth generate -a -k ./certs/private.pem > /jwt/token.txt
+
+    SAVE ARTIFACT /jwt jwt

foundry/api/blueprint.cue

@@ -46,6 +46,12 @@ project: {
 							"LOG_FORMAT": {
 								value: "json"
 							}
+							"AUTH_PRIVATE_KEY": {
+								value: "/certs/private.pem"
+							}
+							"AUTH_PUBLIC_KEY": {
+								value: "/certs/public.pem"
+							}
 							"DB_INIT": {
 								value: "true"
 							}
@@ -96,6 +102,13 @@ project: {
 							}
 						}
 
+						mounts: {
+							certs: {
+								ref: secret: name: "certs"
+								path: "/certs"
+							}
+						}
+
 						port: 8080
 
 						probes: {
@@ -110,6 +123,9 @@ project: {
 					}
 
 					secrets: {
+						certs: {
+							ref: "foundry-api/certs"
+						}
 						db: {
 							ref: "db/foundry"
 						}

foundry/api/scripts/README.md

@@ -0,0 +1,65 @@
+# Foundry API Scripts
+
+This directory contains scripts for managing the Foundry API infrastructure.
+
+## init.sh
+
+The `init.sh` script is responsible for generating and uploading authentication credentials to AWS Secrets Manager for the Foundry API and Operator services.
+
+### What it does
+
+1. **Generates certificates**: Uses Earthly to generate public and private key pairs for API authentication
+2. **Uploads certificates to AWS Secrets Manager**: Stores the certificates in the secret `FOUNDRY_API_CERTS_SECRET` with the following structure:
+   ```json
+   {
+     "public.pem": "-----BEGIN PUBLIC KEY-----...",
+     "private.pem": "-----BEGIN PRIVATE KEY-----..."
+   }
+   ```
+3. **Generates operator token**: Uses Earthly to generate a JWT token for the Foundry Operator
+4. **Uploads operator token to AWS Secrets Manager**: Stores the token in the secret `FOUNDRY_OPERATOR_TOKEN_SECRET` with the following structure:
+   ```json
+   {
+     "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
+   }
+   ```
+
+### Prerequisites
+
+- AWS CLI configured with appropriate permissions
+- Earthly installed and configured
+- `jq` command-line tool installed
+- AWS region set via `AWS_REGION` environment variable (defaults to `eu-central-1`)
+
+### Environment Variables
+
+The script requires the following environment variables to be set:
+
+- `FOUNDRY_API_CERTS_SECRET` - AWS Secrets Manager path for API certificates
+- `FOUNDRY_OPERATOR_TOKEN_SECRET` - AWS Secrets Manager path for operator JWT token
+
+You can set these variables in a `.env` file in the same directory as the script. Copy `env.example` to `.env` and update the values:
+
+```bash
+cp env.example .env
+# Edit .env with your actual secret paths
+```
+
+### Usage
+
+```bash
+./init.sh
+```
+
+### Security
+
+- The script automatically cleans up local certificate and token files after upload
+- Sensitive files are removed from the local filesystem using a trap that runs on script exit
+- All credentials are stored securely in AWS Secrets Manager
+
+### AWS Secrets Created/Updated
+
+The script creates or updates secrets at the paths specified in your environment variables:
+
+- `$FOUNDRY_API_CERTS_SECRET` - Contains API authentication certificates
+- `$FOUNDRY_OPERATOR_TOKEN_SECRET` - Contains operator JWT token

foundry/api/scripts/env.example

@@ -0,0 +1,8 @@
+# AWS Secrets Manager paths for Foundry API and Operator
+# Copy this file to .env and update with your actual secret paths
+
+# Path for API certificates secret
+FOUNDRY_API_CERTS_SECRET="path/to/secret"
+
+# Path for operator JWT token secret
+FOUNDRY_OPERATOR_TOKEN_SECRET="path/to/secret"

foundry/api/scripts/init.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Disable AWS CLI pager to prevent interactive prompts
+export AWS_PAGER=""
+
+# Source environment variables if .env file exists
+if [[ -f .env ]]; then
+    echo ">>> Loading environment variables from .env"
+    source .env
+fi
+
+# Validate required environment variables
+if [[ -z "${FOUNDRY_API_CERTS_SECRET:-}" ]]; then
+    echo "ERROR: FOUNDRY_API_CERTS_SECRET environment variable is required"
+    echo "Please set it in a .env file or export it directly"
+    exit 1
+fi
+
+if [[ -z "${FOUNDRY_OPERATOR_TOKEN_SECRET:-}" ]]; then
+    echo "ERROR: FOUNDRY_OPERATOR_TOKEN_SECRET environment variable is required"
+    echo "Please set it in a .env file or export it directly"
+    exit 1
+fi
+
+cleanup() {
+    echo ">>> Cleaning up certificates"
+    rm -rf certs/
+    rm -rf jwt/
+}
+trap cleanup EXIT
+
+echo ">>> Generating certificates"
+earthly --config "" --artifact +certs/certs .
+
+echo ">>> Uploading certificates to AWS Secrets Manager"
+PUBLIC_CERT=$(cat certs/public.pem)
+PRIVATE_CERT=$(cat certs/private.pem)
+
+SECRET_JSON=$(jq -n \
+  --arg public "$PUBLIC_CERT" \
+  --arg private "$PRIVATE_CERT" \
+  '{
+    "public.pem": $public,
+    "private.pem": $private
+  }')
+
+if aws secretsmanager describe-secret \
+  --secret-id "$FOUNDRY_API_CERTS_SECRET" \
+  --region "${AWS_REGION:-eu-central-1}" >/dev/null 2>&1; then
+  echo ">>> Secret exists, updating..."
+  aws secretsmanager put-secret-value \
+    --secret-id "$FOUNDRY_API_CERTS_SECRET" \
+    --secret-string "$SECRET_JSON" \
+    --region "${AWS_REGION:-eu-central-1}"
+else
+  echo ">>> Secret does not exist, creating..."
+  aws secretsmanager create-secret \
+    --name "$FOUNDRY_API_CERTS_SECRET" \
+    --secret-string "$SECRET_JSON" \
+    --region "${AWS_REGION:-eu-central-1}"
+fi
+
+echo ">>> Generating operator token"
+earthly --config "" --artifact +jwt/jwt .
+
+echo ">>> Uploading operator token to AWS Secrets Manager"
+JWT_TOKEN=$(cat jwt/token.txt)
+TOKEN_JSON=$(jq -n \
+  --arg token "$JWT_TOKEN" \
+  '{
+    "token": $token
+  }')
+
+if aws secretsmanager describe-secret \
+  --secret-id "$FOUNDRY_OPERATOR_TOKEN_SECRET" \
+  --region "${AWS_REGION:-eu-central-1}" >/dev/null 2>&1; then
+  echo ">>> Operator token secret exists, updating..."
+  aws secretsmanager put-secret-value \
+    --secret-id "$FOUNDRY_OPERATOR_TOKEN_SECRET" \
+    --secret-string "$TOKEN_JSON" \
+    --region "${AWS_REGION:-eu-central-1}"
+else
+  echo ">>> Operator token secret does not exist, creating..."
+  aws secretsmanager create-secret \
+    --name "$FOUNDRY_OPERATOR_TOKEN_SECRET" \
+    --secret-string "$TOKEN_JSON" \
+    --region "${AWS_REGION:-eu-central-1}"
+fi
+
+echo ">>> Certificates and operator token uploaded successfully to AWS Secrets Manager"

foundry/operator/Earthfile

@@ -92,12 +92,12 @@ docker:
 
     ARG TARGETOS
     ARG TARGETARCH
-    ARG USERPLATFORM
+    ARG TARGETPLATFORM
 
     RUN apt-get update && apt-get install -y git
 
     COPY \
-        --platform=$USERPLATFORM \
+        --platform=$TARGETPLATFORM \
         (+build/foundry-operator \
         --GOOS=$TARGETOS \
         --GOARCH=$TARGETARCH) foundry-operator

foundry/operator/blueprint.cue

@@ -48,6 +48,10 @@ project: {
 									ref: config: name: "config"
 									path: "/config"
 								}
+								jwt: {
+									ref: secret: name: "jwt"
+									path: "/secret"
+								}
 							}
 
 							// probes: {
@@ -57,7 +61,10 @@ project: {
 						}
 
 						configs: config: data: "operator.json": json.Marshal({
-							api_url: "http://foundry-api:8080"
+							api: {
+								url:        "http://foundry-api:8080"
+								token_path: "/secret/token"
+							}
 							deployer: {
 								git: {
 									creds: {
@@ -93,6 +100,12 @@ project: {
 								},
 							]
 						}
+
+						secrets: {
+							jwt: {
+								ref: "foundry-operator/token"
+							}
+						}
 					}
 				}
 			}

foundry/operator/cmd/main.go

@@ -23,6 +23,7 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -235,7 +236,15 @@ func main() {
 		os.Exit(1)
 	}
 
-	apiClient := api.NewClient(cfg.ApiUrl, api.WithTimeout(10*time.Second))
+	setupLog.Info("Reading JWT token from file", "path", cfg.Api.TokenPath)
+	jwtToken, err := os.ReadFile(cfg.Api.TokenPath)
+	if err != nil {
+		setupLog.Error(err, "unable to read JWT token")
+		os.Exit(1)
+	}
+
+	jwtTokenStr := strings.TrimSpace(string(jwtToken))
+	apiClient := api.NewClient(cfg.Api.Url, api.WithTimeout(10*time.Second), api.WithToken(jwtTokenStr))
 	if err = (&controller.ReleaseDeploymentReconciler{
 		Client:            mgr.GetClient(),
 		Config:            cfg,

foundry/operator/pkg/config/config.go

@@ -10,11 +10,16 @@ import (
 
 // OperatorConfig is the configuration for the operator.
 type OperatorConfig struct {
-	ApiUrl      string                  `json:"api_url"`
+	Api         APIConfig               `json:"api"`
 	Deployer    deployer.DeployerConfig `json:"deployer"`
 	MaxAttempts int                     `json:"max_attempts"`
 }
 
+type APIConfig struct {
+	Url       string `json:"url"`
+	TokenPath string `json:"token_path"`
+}
+
 // Load loads the operator configuration from the given path.
 func Load(path string) (OperatorConfig, error) {
 	contents, err := os.ReadFile(path)

foundry/test/.justfile

@@ -6,7 +6,7 @@ down:
   kind delete cluster --name foundry
 
 api:
-  earthly ../api+docker
+  earthly --config "" ../api+docker
   docker tag foundry-api:latest localhost:5001/foundry-api:latest
   docker push localhost:5001/foundry-api:latest
   kubectl delete deployment api
@@ -28,7 +28,7 @@ kind-up:
   ./scripts/kind.sh
 
 operator:
-  earthly ../operator+docker
+  earthly --config "" ../operator+docker
   docker tag foundry-operator:latest localhost:5001/foundry-operator:latest
   docker push localhost:5001/foundry-operator:latest
   kubectl delete deployment operator