authN-authZ: update configs (#378)

Ruoyu-y · web-flow · commit 0f5cef1f6c3b · 2024-09-04T08:59:27.000-07:00
* update configs to return user info headers
* add back redis deployment for oauth2-proxy
* update service names
* fix minor issues

Signed-off-by: Ruoyu Ying &lt;ruoyu.ying@intel.com&gt;
diff --git a/authN-authZ/auth-istio/README.md b/authN-authZ/auth-istio/README.md
@@ -58,12 +58,12 @@ In this example, we setup rules that only users with JWT token issued by "testin
 ```sh
 # make sure running under authN-authZ/auth-istio folder
 # apply the yaml to request authentication using JWT token
-kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_authZ_fakejwt.yaml -n chatqa
+kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_authZ_fakejwt.yaml -n chatqa
 
 # apply the yaml file to request that only JWT token with
 # issuer & sub == "testing@secure.istio.io" and groups belongs to group1
 # can access the endpoint of chatQnA service
-kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_authN_fakejwt.yaml -n chatqa
+kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_authN_fakejwt.yaml -n chatqa
 ```
 
 After applying these two yaml files, we have setup the policy that only user with a valid JWT token (with valid issuer and claims) could access the pipeline endpoint.
@@ -151,14 +151,14 @@ Use the commands to apply the authentication and authorization rules.
 
 ```bash
 # export the router service through istio ingress gateway
-kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_router_gateway.yaml
+kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_router_gateway.yaml
 
 # 'envsubst' is used to substitute envs in yaml.
 # use 'sudo apt-get install gettext-base' to install envsubst if it does not exist on your machine
 # apply the authentication and authorization rule
 # these files will restrict user access with valid token (with valid issuer, username and realm role)
-envsubst < $(pwd)/$(DEPLOY_METHOD)/chatQnA_authN_keycloak.yaml | kubectl -n chatqa apply -f -
-envsubst < $(pwd)/$(DEPLOY_METHOD)/chatQnA_authZ_keycloak.yaml | kubectl -n chatqa apply -f -
+envsubst < $(pwd)/$DEPLOY_METHOD/chatQnA_authN_keycloak.yaml | kubectl -n chatqa apply -f -
+envsubst < $(pwd)/$DEPLOY_METHOD/chatQnA_authZ_keycloak.yaml | kubectl -n chatqa apply -f -
 ```
 
 User could customize the chatQnA_authZ_keycloak.yaml to reflect roles, groups or any other claims they defined in the OIDC provider for the user.
@@ -261,6 +261,7 @@ export CLIENT_SECRET=<YOUR_CLIENT_SECRET>
 # Using bash here. More methods found here:
 # https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#generating-a-cookie-secret
 export COOKIE_SECRET=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_' ; echo)
+kubectl create ns oauth2-proxy
 envsubst < $(pwd)/oauth2_install.yaml | kubectl apply -f -
 ```
 
@@ -270,7 +271,7 @@ Here we expose the chatQnA endpoint through the ingress gateway and then install
 
 ```bash
 # expose chatqna endpoint
-kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_router_gateway_oauth.yaml
+kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_router_gateway_oauth.yaml
 # build chatqna UI image if not exist on your machine
 git clone https://github.com/opea-project/GenAIExamples.git
 cd GenAIExamples/ChatQnA/docker/ui/
@@ -280,7 +281,11 @@ docker save -o ui.tar opea/chatqna-conversation-ui:latest
 sudo ctr -n k8s.io image import ui.tar
 # install chatqna conversation UI
 cd && cd GenAIInfra
-helm install chatqna-ui $(pwd)/helm-charts/common/chatqna-ui --set BACKEND_SERVICE_ENDPOINT="http://${INGRESS_HOST}:${INGRESS_PORT}/",DATAPREP_SERVICE_ENDPOINT="http://${INGRESS_HOST}:${INGRESS_PORT}/dataprep"
+if [ "${DEPLOY_METHOD}" = "gmc-based" ]; then
+    helm install chatqna-ui $(pwd)/helm-charts/common/chatqna-ui --set BACKEND_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/",DATAPREP_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/dataprep"
+else
+    helm install chatqna-ui $(pwd)/helm-charts/common/chatqna-ui --set BACKEND_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/v1/chatqna",DATAPREP_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/v1/dataprep"
+fi
 # expose ui service outside
 kubectl apply -f $(pwd)/chatQnA_ui_gateway.yaml
 ```
@@ -292,6 +297,7 @@ Here we apply the authentication and authorization rules.
 ```bash
 # Before applying the authorization rule, need to add the oauth2-proxy as the external authorization provider
 kubectl apply -f $(pwd)/chatQnA_istio_external_auth.yaml
+kubectl rollout restart deployment/istiod -n istio-system
 # 'envsubst' is used to substitute envs in yaml.
 # use 'sudo apt-get install gettext-base' to install envsubst if it does not exist on your machine
 # apply the authentication and authorization rule
diff --git a/authN-authZ/auth-istio/chatQnA_ui_gateway.yaml b/authN-authZ/auth-istio/chatQnA_ui_gateway.yaml
@@ -42,6 +42,6 @@ spec:
         prefix: /
     route:
     - destination:
-        host: ui.default.svc.cluster.local
+        host: chatqna-ui.default.svc.cluster.local
         port:
           number: 5174
diff --git a/authN-authZ/auth-istio/helm-chart-based/chatQnA_router_gateway_oauth.yaml b/authN-authZ/auth-istio/helm-chart-based/chatQnA_router_gateway_oauth.yaml
@@ -31,9 +31,17 @@ spec:
   http:
   - match:
     - uri:
-        prefix: /
+        prefix: /v1/chatqna
     route:
     - destination:
         host: chatqna.chatqa.svc.cluster.local
         port:
           number: 8888
+  - match:
+    - uri:
+        prefix: /v1/dataprep
+    route:
+    - destination:
+        host: chatqna-data-prep.chatqa.svc.cluster.local
+        port:
+          number: 6007
diff --git a/authN-authZ/auth-istio/oauth2_install.yaml b/authN-authZ/auth-istio/oauth2_install.yaml
@@ -33,7 +33,6 @@ data:
     # Redirect url
     redirect_url="http://chatqna-ui.com:${INGRESS_PORT}/oauth2/callback"
     #extra attributes
-    pass_host_header = true
     reverse_proxy = true
     auth_logging = true
     cookie_httponly = true
@@ -42,6 +41,8 @@ data:
     email_domains = "*"
     pass_access_token = true
     pass_authorization_header = true
+    pass_basic_auth = true
+    pass_user_headers = true
     request_logging = true
     set_authorization_header = true
     set_xauthrequest = true
@@ -58,6 +59,46 @@ metadata:
 ---
 apiVersion: apps/v1
 kind: Deployment
+metadata:
+  name: redis
+  namespace: oauth2-proxy
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:latest
+          ports:
+            - containerPort: 6379
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "512Mi"
+          command: ["redis-server"]
+          args: ["--save", "", "--appendonly", "no"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-service
+  namespace: oauth2-proxy
+spec:
+  selector:
+    app: redis
+  ports:
+    - protocol: TCP
+      port: 6379
+      targetPort: 6379
+---
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   labels:
     app: oauth2-proxy
@@ -94,7 +135,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app: oauth-proxy
+    app: oauth2-proxy
   name: oauth-proxy
   namespace: oauth2-proxy
 spec:
@@ -104,7 +145,7 @@ spec:
     protocol: TCP
     targetPort: 4180
   selector:
-    app: oauth-proxy
+    app: oauth2-proxy
   sessionAffinity: None
   type: ClusterIP
 status:
