-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #15 from FIWARE/contract-management
add cm
- Loading branch information
Showing
26 changed files
with
1,826 additions
and
136 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,286 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: opa-lua | ||
namespace: {{ $.Release.Namespace | quote }} | ||
labels: | ||
{{ include "dsc.labels" . | nindent 4 }} | ||
data: | ||
# extends the apisix opa-plugin to forward the http-body as part of the decision request. | ||
opa.lua: |- | ||
-- | ||
-- Licensed to the Apache Software Foundation (ASF) under one or more | ||
-- contributor license agreements. See the NOTICE file distributed with | ||
-- this work for additional information regarding copyright ownership. | ||
-- The ASF licenses this file to You under the Apache License, Version 2.0 | ||
-- (the "License"); you may not use this file except in compliance with | ||
-- the License. You may obtain a copy of the License at | ||
-- | ||
-- http://www.apache.org/licenses/LICENSE-2.0 | ||
-- | ||
-- Unless required by applicable law or agreed to in writing, software | ||
-- distributed under the License is distributed on an "AS IS" BASIS, | ||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
-- See the License for the specific language governing permissions and | ||
-- limitations under the License. | ||
-- | ||
local core = require("apisix.core") | ||
local http = require("resty.http") | ||
local helper = require("apisix.plugins.opa.helper") | ||
local type = type | ||
local ipairs = ipairs | ||
local schema = { | ||
type = "object", | ||
properties = { | ||
host = {type = "string"}, | ||
ssl_verify = { | ||
type = "boolean", | ||
default = true, | ||
}, | ||
policy = {type = "string"}, | ||
timeout = { | ||
type = "integer", | ||
minimum = 1, | ||
maximum = 60000, | ||
default = 3000, | ||
description = "timeout in milliseconds", | ||
}, | ||
keepalive = {type = "boolean", default = true}, | ||
send_headers_upstream = { | ||
type = "array", | ||
minItems = 1, | ||
items = { | ||
type = "string" | ||
}, | ||
description = "list of headers to pass to upstream in request" | ||
}, | ||
keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, | ||
keepalive_pool = {type = "integer", minimum = 1, default = 5}, | ||
with_route = {type = "boolean", default = false}, | ||
with_service = {type = "boolean", default = false}, | ||
with_consumer = {type = "boolean", default = false}, | ||
with_body = {type = "boolean", default = false}, | ||
}, | ||
required = {"host", "policy"} | ||
} | ||
local _M = { | ||
version = 0.1, | ||
priority = 2001, | ||
name = "opa", | ||
schema = schema, | ||
} | ||
function _M.check_schema(conf) | ||
return core.schema.check(schema, conf) | ||
end | ||
function _M.access(conf, ctx) | ||
local body = helper.build_opa_input(conf, ctx, "http") | ||
local params = { | ||
method = "POST", | ||
body = core.json.encode(body), | ||
headers = { | ||
["Content-Type"] = "application/json", | ||
}, | ||
keepalive = conf.keepalive, | ||
ssl_verify = conf.ssl_verify | ||
} | ||
if conf.keepalive then | ||
params.keepalive_timeout = conf.keepalive_timeout | ||
params.keepalive_pool = conf.keepalive_pool | ||
end | ||
local endpoint = conf.host .. "/v1/data/" .. conf.policy | ||
local httpc = http.new() | ||
httpc:set_timeout(conf.timeout) | ||
local res, err = httpc:request_uri(endpoint, params) | ||
-- block by default when decision is unavailable | ||
if not res then | ||
core.log.error("failed to process OPA decision, err: ", err) | ||
return 403 | ||
end | ||
-- parse the results of the decision | ||
local data, err = core.json.decode(res.body) | ||
if not data then | ||
core.log.error("invalid response body: ", res.body, " err: ", err) | ||
return 503 | ||
end | ||
if not data.result then | ||
core.log.error("invalid OPA decision format: ", res.body, | ||
" err: `result` field does not exist") | ||
return 503 | ||
end | ||
local result = data.result | ||
if not result.allow then | ||
if result.headers then | ||
core.response.set_header(result.headers) | ||
end | ||
local status_code = 403 | ||
if result.status_code then | ||
status_code = result.status_code | ||
end | ||
local reason = nil | ||
if result.reason then | ||
reason = type(result.reason) == "table" | ||
and core.json.encode(result.reason) | ||
or result.reason | ||
end | ||
return status_code, reason | ||
else if result.headers and conf.send_headers_upstream then | ||
for _, name in ipairs(conf.send_headers_upstream) do | ||
local value = result.headers[name] | ||
if value then | ||
core.request.set_header(ctx, name, value) | ||
end | ||
end | ||
end | ||
end | ||
end | ||
return _M | ||
helper.lua: |- | ||
-- | ||
-- Licensed to the Apache Software Foundation (ASF) under one or more | ||
-- contributor license agreements. See the NOTICE file distributed with | ||
-- this work for additional information regarding copyright ownership. | ||
-- The ASF licenses this file to You under the Apache License, Version 2.0 | ||
-- (the "License"); you may not use this file except in compliance with | ||
-- the License. You may obtain a copy of the License at | ||
-- | ||
-- http://www.apache.org/licenses/LICENSE-2.0 | ||
-- | ||
-- Unless required by applicable law or agreed to in writing, software | ||
-- distributed under the License is distributed on an "AS IS" BASIS, | ||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
-- See the License for the specific language governing permissions and | ||
-- limitations under the License. | ||
-- | ||
local core = require("apisix.core") | ||
local get_service = require("apisix.http.service").get | ||
local ngx_time = ngx.time | ||
local _M = {} | ||
-- build a table of Nginx variables with some generality | ||
-- between http subsystem and stream subsystem | ||
local function build_var(conf, ctx) | ||
return { | ||
server_addr = ctx.var.server_addr, | ||
server_port = ctx.var.server_port, | ||
remote_addr = ctx.var.remote_addr, | ||
remote_port = ctx.var.remote_port, | ||
timestamp = ngx_time(), | ||
} | ||
end | ||
local function build_http_request(conf, ctx) | ||
local http = { | ||
scheme = core.request.get_scheme(ctx), | ||
method = core.request.get_method(), | ||
host = core.request.get_host(ctx), | ||
port = core.request.get_port(ctx), | ||
path = ctx.var.uri, | ||
headers = core.request.headers(ctx), | ||
query = core.request.get_uri_args(ctx), | ||
} | ||
if conf.with_body then | ||
http.body = core.json.decode(core.request.get_body()) | ||
end | ||
return http | ||
end | ||
local function build_http_route(conf, ctx, remove_upstream) | ||
local route = core.table.deepcopy(ctx.matched_route).value | ||
if remove_upstream and route and route.upstream then | ||
-- unimportant to send upstream info to OPA | ||
route.upstream = nil | ||
end | ||
return route | ||
end | ||
local function build_http_service(conf, ctx) | ||
local service_id = ctx.service_id | ||
-- possible that there is no service bound to the route | ||
if service_id then | ||
local service = core.table.clone(get_service(service_id)).value | ||
if service then | ||
if service.upstream then | ||
service.upstream = nil | ||
end | ||
return service | ||
end | ||
end | ||
return nil | ||
end | ||
local function build_http_consumer(conf, ctx) | ||
-- possible that there is no consumer bound to the route | ||
if ctx.consumer then | ||
return core.table.clone(ctx.consumer) | ||
end | ||
return nil | ||
end | ||
function _M.build_opa_input(conf, ctx, subsystem) | ||
local data = { | ||
type = subsystem, | ||
request = build_http_request(conf, ctx), | ||
var = build_var(conf, ctx) | ||
} | ||
if conf.with_route then | ||
data.route = build_http_route(conf, ctx, true) | ||
end | ||
if conf.with_consumer then | ||
data.consumer = build_http_consumer(conf, ctx) | ||
end | ||
if conf.with_service then | ||
data.service = build_http_service(conf, ctx) | ||
end | ||
return { | ||
input = data, | ||
} | ||
end | ||
return _M |
40 changes: 40 additions & 0 deletions
40
charts/data-space-connector/templates/tmf-registration-cm.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
{{- $tmf := index .Values "tm-forum-api" }} | ||
{{- if and (eq $tmf.registration.enabled true) (eq $tmf.enabled true) }} | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ $tmf.registration.name }} | ||
namespace: {{ $.Release.Namespace | quote }} | ||
labels: | ||
{{- include "dsc.labels" . | nindent 4 }} | ||
data: | ||
init.sh: |- | ||
# credentials config service registration | ||
curl -X 'POST' \ | ||
'{{ $tmf.registration.ccs.endpoint }}/service' \ | ||
-H 'accept: */*' \ | ||
-H 'Content-Type: application/json' \ | ||
-d '{ | ||
"id": {{ $tmf.registration.ccs.id | quote }}, | ||
"defaultOidcScope": {{ $tmf.registration.ccs.defaultOidcScope.name | quote }}, | ||
{{- if and ($tmf.registration.ccs.defaultOidcScope.credentialType) ($tmf.registration.ccs.defaultOidcScope.trustedParticipantsLists) ($tmf.registration.ccs.defaultOidcScope.trustedIssuersLists) -}} | ||
"oidcScopes": { | ||
{{ $tmf.registration.ccs.defaultOidcScope.name | quote }}: [ | ||
{ | ||
"type": {{ $tmf.registration.ccs.defaultOidcScope.credentialType | quote }}, | ||
"trustedParticipantsLists": [ | ||
{{ $tmf.registration.ccs.defaultOidcScope.trustedParticipantsLists | quote }} | ||
], | ||
"trustedIssuersLists": [ | ||
{{ $tmf.registration.ccs.defaultOidcScope.trustedIssuersLists | quote }} | ||
] | ||
} | ||
] | ||
} | ||
{{- end }} | ||
{{- if $tmf.registration.ccs.oidcScopes -}} | ||
"oidcScopes": {{- toJson $tmf.registration.ccs.oidcScopes }} | ||
{{- end }} | ||
}' | ||
{{- end }} |
29 changes: 29 additions & 0 deletions
29
charts/data-space-connector/templates/tmf-registration-job.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{{- $tmf := index .Values "tm-forum-api" }} | ||
{{- if and (eq $tmf.registration.enabled true) (eq $tmf.enabled true) }} | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: {{ $tmf.registration.name }} | ||
namespace: {{ $.Release.Namespace | quote }} | ||
labels: | ||
{{- include "dsc.labels" . | nindent 4 }} | ||
spec: | ||
template: | ||
spec: | ||
containers: | ||
- name: register-credential-config | ||
image: quay.io/curl/curl:8.1.2 | ||
command: [ "/bin/sh", "-c", "/bin/init.sh" ] | ||
volumeMounts: | ||
- name: tm-forum-registration | ||
mountPath: /bin/init.sh | ||
subPath: init.sh | ||
volumes: | ||
- name: tm-forum-registration | ||
configMap: | ||
name: {{ $tmf.registration.name }} | ||
defaultMode: 0755 | ||
|
||
restartPolicy: Never | ||
backoffLimit: 10 | ||
{{- end }} |
Oops, something went wrong.