diff --git a/components/ambient-api-server/plugins/sessions/message_model.go b/components/ambient-api-server/plugins/sessions/message_model.go
index 7ef7396c1..8a4f88237 100644
--- a/components/ambient-api-server/plugins/sessions/message_model.go
+++ b/components/ambient-api-server/plugins/sessions/message_model.go
@@ -5,7 +5,7 @@ import "time"
 type SessionMessage struct {
 ID string `gorm:"column:id;primaryKey;type:varchar(36)" json:"id"`
 SessionID string `gorm:"column:session_id;type:varchar(36)" json:"session_id"`
- Seq int64 `gorm:"column:seq" json:"seq"`
+ Seq int64 `gorm:"column:seq;->" json:"seq"`
 EventType string `gorm:"column:event_type;type:varchar(255)" json:"event_type"`
 Payload string `gorm:"column:payload;type:text" json:"payload"`
 CreatedAt time.Time `gorm:"column:created_at;type:timestamptz" json:"created_at"`
diff --git a/components/manifests/README.md b/components/manifests/README.md
index 41d00f90c..b673fcb5b 100644
--- a/components/manifests/README.md
+++ b/components/manifests/README.md
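Review bot: The new `->` permission on Seq makes GORM skip the field on Create and Update, but nothing on the field records why, so a maintainer could drop the tag again without knowing what it protects. Presumably the database assigns seq (a sequence or trigger is not visible here); if so, add the doc comment `// Seq is assigned by the database and is read-only for GORM; a seq supplied by a client via JSON is ignored on write.` Two consequences are worth stating next to it: after Create the in-memory Seq stays zero unless the insert returns the generated value, and uniqueness of (session_id, seq) has to be enforced by the schema, since no index tag appears on the struct. The struct's closing brace lies outside the hunk.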
@@ -124,6 +124,32 @@ Components are opt-in kustomize modules included via the `components:` block in | `ambient-api-server-db` | Same RHEL patch for the ambient-api-server's dedicated DB | `production`, `local-dev` | | `postgresql-init-scripts` | ConfigMap + volume for DB init SQL (vanilla postgres only) | `kind`, `e2e` | +## Prerequisites for New Deployments + +Before deploying, create these secrets in the target namespace: + +### Control-plane OIDC credentials + +The control-plane authenticates to the api-server using Keycloak client credentials (OAuth2 `client_credentials` grant). Create a **confidential** Keycloak client with only the **Service accounts roles** flow enabled, then: + +```bash +oc create secret generic ambient-control-plane-oidc \ + -n \ + --from-literal=client-id= \ + --from-literal=client-secret= +``` + +### API server auth ConfigMap + +The api-server validates JWTs using keys from the Keycloak JWKS endpoint (configured via `--jwk-cert-url`). A local fallback is also loaded from a ConfigMap: + +```bash +oc create configmap ambient-api-server-auth \ + -n \ + --from-file=jwks.json=<(curl -s /protocol/openid-connect/certs) \ + --from-file=acl.yml=<(echo '- claim: email\n pattern: ^.*$') +``` + ## Building and Validating ```bash diff --git a/components/manifests/overlays/hcmais/control-plane-env-patch.yaml b/components/manifests/overlays/hcmais/control-plane-env-patch.yaml index d0841fabd..139adb9b3 100644 --- a/components/manifests/overlays/hcmais/control-plane-env-patch.yaml +++ b/components/manifests/overlays/hcmais/control-plane-env-patch.yaml 
@@ -16,8 +16,15 @@ spec: value: "false" - name: CP_TOKEN_URL value: "http://ambient-control-plane.ambient-api.svc:8080/token" - - name: AMBIENT_API_TOKEN + - name: OIDC_TOKEN_URL + value: "https://keycloak-ambient-keycloak.apps.rosa.hcmais01ue1.s9m2.p3.openshiftapps.com/realms/ambient-code/protocol/openid-connect/token" + - name: OIDC_CLIENT_ID valueFrom: secretKeyRef: - name: ambient-control-plane-token - key: token + name: ambient-control-plane-oidc + key: client-id + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: ambient-control-plane-oidc + key: client-secret diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index ebfdd46f6..cb72754de 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -105,6 +105,7 @@ objects: initialDelaySeconds: 30 periodSeconds: 30 securityContext: + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: @@ -189,6 +190,7 @@ objects: cpu: 500m memory: 512Mi securityContext: + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: @@ -200,13 +202,11 @@ objects: env: - name: AMBIENT_ENV value: production - - name: AMBIENT_API_TOKEN + - name: GRPC_SERVICE_ACCOUNT valueFrom: secretKeyRef: - name: ambient-control-plane-token - key: token - - name: JWK_CERT_URL - value: "${KEYCLOAK_REALM_URL}/protocol/openid-connect/certs" + name: ambient-control-plane-oidc + key: client-id - name: CREDENTIAL_ENCRYPTION_KEYRING valueFrom: secretKeyRef: @@ -219,8 +219,6 @@ objects: name: credential-encryption-key key: version optional: true - - name: CREDENTIAL_ENCRYPTION_ALLOW_PLAINTEXT - value: "true" command: - /usr/local/bin/ambient-api-server - serve 
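Review bot: `OIDC_TOKEN_URL` in this hcmais overlay hard-codes the full Keycloak hostname, while the matching entry added to template-services.yaml in the same commit derives it from `${KEYCLOAK_REALM_URL}`; the two values will drift silently if the realm route ever changes. If the overlay is layered on the rendered template this entry may simply duplicate the template's value; if the override is intentional, a comment such as `# overrides the template value; keep in step with KEYCLOAK_REALM_URL for this cluster` would tell the next maintainer which one is authoritative. The env list continues outside the hunk.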
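Review bot: `readOnlyRootFilesystem: true` is added to three containers' securityContext (this hunk at line 105, and the ones at lines 189 and 295) without any accompanying writable volume mount being visible, so any temp-file or cache write these binaries do will now fail at runtime rather than at admission. Worth confirming each process is write-free under load, or mounting an emptyDir at the paths it writes (commonly `/tmp`), and recording the decision with a comment like `# root fs is read-only; scratch writes go to the emptyDir mounted at /tmp` next to the setting. The volume and volumeMounts sections are outside these hunks, so this may already be handled elsewhere in the template.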
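Review bot: Removing `CREDENTIAL_ENCRYPTION_ALLOW_PLAINTEXT` makes the encryption keyring mandatory, yet the secretKeyRef lines that open this hunk still carry `optional: true` for credential-encryption-key, so a namespace without that secret will presumably start the pod and then fail (or refuse credential operations) inside the server instead of being caught by the scheduler. Dropping `optional: true` would surface the missing secret as a CreateContainerConfigError at pod start, which is the clearer failure; if the optional marker is deliberate (for example for environments that never store credentials), a comment `# credential-encryption-key is required now that plaintext fallback is disabled` should say so. Only the version key ref is visible here; the keyring ref's own optional flag sits outside the hunk and should be checked the same way.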
@@ -230,8 +228,9 @@ objects: - --db-password-file=/secrets/db/db.password - --db-name-file=/secrets/db/db.name - --enable-jwt=true - - --enable-authz=false + - --enable-authz=true - --jwk-cert-file=/configs/authentication/jwks.json + - --jwk-cert-url=${KEYCLOAK_REALM_URL}/protocol/openid-connect/certs - --enable-https=false - --enable-grpc=true - --grpc-enable-tls=false @@ -295,6 +294,7 @@ objects: initialDelaySeconds: 20 periodSeconds: 10 securityContext: + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: @@ -375,11 +375,18 @@ objects: value: standard - name: LOG_LEVEL value: info - - name: AMBIENT_API_TOKEN + - name: OIDC_TOKEN_URL + value: "${KEYCLOAK_REALM_URL}/protocol/openid-connect/token" + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: ambient-control-plane-oidc + key: client-id + - name: OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: ambient-control-plane-token - key: token + name: ambient-control-plane-oidc + key: client-secret - name: AMBIENT_API_SERVER_URL value: "http://ambient-api-server.${NAMESPACE}.svc:8000" - name: AMBIENT_GRPC_SERVER_ADDR
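Review bot: Flipping `--enable-authz=true` only enforces whatever policy the acl.yml in the ambient-api-server-auth ConfigMap carries, and the README change in this same commit seeds that file with `- claim: email` / `pattern: ^.*$`, which (if it is an allow rule, as it appears to be) matches any token that has an email claim, so authorization is switched on but effectively open until the pattern is narrowed. A comment beside the flag naming the policy source would make that dependency visible, e.g. `# authz rules come from acl.yml in ConfigMap ambient-api-server-auth (see README, "API server auth ConfigMap")`. The hunk also sets `--jwk-cert-url` alongside the existing `--jwk-cert-file`; a one-line comment stating which takes precedence when both are present would save the next reader a trip into the server source. The command list continues outside the hunk.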