[Wip] prepare deployment #20
Closed
Conversation
lebaudantoine force-pushed the al-devops branch 5 times, most recently from 2317b19 to c12a2c4 on January 26, 2024 14:16
lebaudantoine force-pushed the al-devops branch 2 times, most recently from 2a4c8e7 to ec563e6 on January 26, 2024 14:34
* rename client people-front to people
* add a client secret shared with the backend
* add allowed redirect URIs
* disable implicit flow and enable Authorization Code flow without PKCE
* sign userinfo endpoint to return application/jwt content
Backend and Frontend send requests to Keycloak through Nginx. Thus, all requests from the frontend and the backend share the same host when received by Keycloak. Otherwise, the flow is initiated from http://localhost:8080, and when the Backend calls the token endpoint of the Keycloak container at http://keycloak:8080, the JWT token issuer and sender do not match.

Force login to bypass authorization checks when necessary. Note: generating a session cookie through the OIDC flow is not supported while testing our API.
Integrate the 'mozilla-django-oidc' dependency to support the Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back-channel OIDC flow and return only a session cookie to the client.

Done:
* Replace JWT authentication by session-based authentication in DRF
* Update Django settings to make OIDC configuration easily editable
* Add 'mozilla-django-oidc' routes to our router
* Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs

'mozilla-django-oidc' routes added are:
* /authenticate
* /callback (the redirect_uri called back by the IdP)
* /logout

Todo in a dedicated PR:
* Configure redis to manage these session cookies
* Test and adjust code if necessary when the session cookie expires
* Test and adjust code if necessary when the user logs out
Instead of interacting with Keycloak, the frontend navigates to the /authenticate endpoint, which starts the Authorization Code flow. When the flow is done, the backend redirects back to the SPA, passing a session cookie and a CSRF cookie.

Done:
* Query GET user/me to determine whether the user is authenticated yet
* Remove the Keycloak js dependency, as all the OIDC logic is handled by the backend
* Store the user's data instead of the JWT token

Todo in a dedicated PR:
* Implement the home screen with the SSO login button
* Handle logout properly
* Intercept 401 and 403 errors properly
The local deployment of the Production image through docker-compose was failing due to issues in the Django configuration, influenced by Joanie. The bug stemmed from a dependency on a development-specific package (drf-spectacular-sidecar) while attempting to run the application in production mode.

Changes Made:
- Introduced new Django settings for local demo environments.
- Uncommented the nginx configuration to address the production image deployment issues.
Updated to Node Image version 20 to align with the upcoming frontend image.
To facilitate deployment on Kubernetes, we've introduced a Docker image for the frontend. The Next project is built, and its static output is served using an Nginx reverse proxy. Since DevOps lacks a certified cold storage solution (e.g., S3) for serving static files, we've opted to containerize the frontend as a quick workaround for deploying staging environments.
Enabled the Dockerflow Django app by activating liveness probes. The previously unavailable routes such as `__heartbeat__` and `__lbheartbeat__` are now accessible.

New endpoints include:
* GET /__version__
* GET /__heartbeat__
* GET /__lbheartbeat__
Found typos, fixed them.
lebaudantoine force-pushed the al-devops branch from ec563e6 to e5b2aee on February 15, 2024 18:08
lebaudantoine force-pushed the al-devops branch from e5b2aee to 64150da on February 15, 2024 18:17
Purpose
Prepare project deployment in staging.
Proposal
We've introduced a Docker image for the frontend, which serves Next static build output using Nginx.
Some updates have been made to the production settings.