APISIX integration (#2061)

Author: mbertrand

.pre-commit-config.yaml

@@ -72,6 +72,10 @@ repos:
           - yarn.lock
           - --exclude-files
           - ".*/generated/"
+          - --exclude-files
+          - "config/keycloak/tls/*"
+          - --exclude-files
+          - "config/keycloak/realms/default-realm.json"
         additional_dependencies: ["gibberish-detector"]
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: "v0.9.4"

.secrets.baseline

@@ -100,7 +100,8 @@
         "test_.*.py",
         "poetry.lock",
         "yarn.lock",
-        ".*/generated/"
+        ".*/generated/",
+        "config/keycloak/tls/*"
       ]
     }
   ],

Dockerfile

@@ -54,7 +54,7 @@ RUN poetry install
 USER root
 COPY . /src
 WORKDIR /src
-RUN mkdir /src/staticfiles
+RUN mkdir -p /src/staticfiles
 
 RUN apt-get clean && apt-get purge
 

Dockerfile-litellm

@@ -0,0 +1,35 @@
+# Keycloak and APISIX Integration
+
+The "docker-compose.services.yml" file includes Keycloak and APISIX containers that you can use for authentication instead of spinning up separate ones or using the deployed instances. It's not enabled by default, but you can run it if you prefer not to run your own Keycloak/APISIX instances.
+
+## Default Settings
+
+There are some defaults that are part of this.
+
+_SSL Certificate_: There's a self-signed cert that's in `config/keycloak/tls` - if you'd rather set up your own (or you have a real cert or something to use), you can drop the PEM files in there. See the README there for info.
+
+_Realm_: There's a `default-realm.json` in `config/keycloak` that will get loaded by Keycloak when it starts up, and will set up a realm for you with some users and a client so you don't have to set it up yourself. The realm it creates is called `ol-local`.
+
+The users it sets up are:
+
+| User                | Password  |
+| ------------------- | --------- |
+| `[email protected]` | `student` |
+| `[email protected]`    | `prof`    |
+| `[email protected]`   | `admin`   |
+
+The client it sets up is called `apisix`. You can change the passwords and get the secret in the admin.
+
+## Making it Work
+
+The Keycloak instance is part of the `keycloak` profile in the Composer file, so if you want to interact with it, you'll need to run `COMPOSE_PROFILES=backend,frontend,keycloak,apisix docker compose up`. (If you start the app without the profile, you can still start Keycloak later by specifying the profile.)
+
+If you want to use the Keycloak and APISIX instances, follow these steps:
+
+1. Change the value of `MITOL_API_BASE_URL` to `http://api.open.odl.local:8065` and `MITOL_API_LOGOUT_SUFFIX` to `logout/oidc` in your `shared.local.env` file.
+2. Add `MITOL_NEW_USER_LOGIN_URL=http://open.odl.local:8062/onboarding` to your `shared.local.env` file
+3. Copy all the env values under the "# APISIX/Keycloak " section of `backend.local.example.env` to your `backend.local.env` file. You can leave all the values as is.
+4. Keycloak needs to create its own database, which will only happen if you first destroy your current mit-learn database container: `docker compose down db`. If you prefer not to do this, you can manually create it by running the SQL in `config/postgres/init-keycloak.sql` in a postgres shell.
+5. Start containers with the command `COMPOSE_PROFILES=backend,frontend,keycloak,apisix docker compose up`
+
+The Keycloak and APISIX containers should start up and stay running. APISIX is on port 8065, Keycloak on port 8066. Now you should be able to log in at `https://open.odl.local:8065/login` with one of the users mentioned above, or just click "Log in" from the home page at http://open.odl.local:8062. Try logging out and back in a couple times to make sure it works.

README-keycloak.md

@@ -0,0 +1,79 @@
+upstreams:
+  - id: 1
+    nodes:
+      "nginx:${{NGINX_PORT}}": 1
+    type: roundrobin
+
+routes:
+  - id: 1
+    name: "passauth"
+    desc: "Wildcard route that can use auth but doesn't require it."
+    priority: 0
+    upstream_id: 1
+    plugins:
+      openid-connect:
+        client_id: ${{KEYCLOAK_CLIENT_ID}}
+        client_secret: ${{KEYCLOAK_CLIENT_SECRET}}
+        discovery: ${{KEYCLOAK_DISCOVERY_URL}}
+        realm: ${{KEYCLOAK_REALM_NAME}}
+        scope: ${{KEYCLOAK_SCOPES}}
+        bearer_only: false
+        introspection_endpoint_auth_method: "client_secret_post"
+        ssl_verify: false
+        session:
+          secret: ${{APISIX_SESSION_SECRET_KEY}}
+        logout_path: "/logout/oidc"
+        post_logout_redirect_uri: ${{APISIX_LOGOUT_URL}}
+        unauth_action: "pass"
+      cors:
+        allow_origins: "**"
+        allow_methods: "**"
+        allow_headers: "**"
+        allow_credential: true
+      response-rewrite:
+        headers:
+          set:
+            Referrer-Policy: "origin"
+    uri: "*"
+  - id: 2
+    name: "logout-redirect"
+    desc: "Strip trailing slash from logout redirect."
+    priority: 10
+    upstream_id: 1
+    uri: "/logout/oidc/*"
+    plugins:
+      redirect:
+        uri: "/logout/oidc"
+  - id: 3
+    name: "reqauth"
+    desc: "Routes that require authentication."
+    priority: 10
+    upstream_id: 1
+    plugins:
+      openid-connect:
+        client_id: ${{KEYCLOAK_CLIENT_ID}}
+        client_secret: ${{KEYCLOAK_CLIENT_SECRET}}
+        discovery: ${{KEYCLOAK_DISCOVERY_URL}}
+        realm: ${{KEYCLOAK_REALM_NAME}}
+        scope: ${{KEYCLOAK_SCOPES}}
+        bearer_only: false
+        introspection_endpoint_auth_method: "client_secret_post"
+        ssl_verify: false
+        session:
+          secret: ${{APISIX_SESSION_SECRET_KEY}}
+        logout_path: "/logout/oidc"
+        post_logout_redirect_uri: ${{APISIX_LOGOUT_URL}}
+        unauth_action: "auth"
+      cors:
+        allow_origins: "**"
+        allow_methods: "**"
+        allow_headers: "**"
+        allow_credential: true
+      response-rewrite:
+        headers:
+          set:
+            Referrer-Policy: "origin"
+    uris:
+      - "/admin/login/*"
+      - "/login/*"
+#END

config/apisix/apisix.yaml

@@ -0,0 +1,11 @@
+apisix:
+  enable_admin: false
+  enable_dev_mode: false
+  node_listen:
+    - port: ${{APISIX_PORT}}
+
+deployment:
+  role: data_plane
+  role_data_plane:
+    config_provider: yaml
+#END

config/apisix/config.yaml

@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+basic:
+  enable: true # Enable the basic debug mode.
+http_filter:
+  enable: false # Enable HTTP filter to dynamically apply advanced debug settings.
+  enable_header_name: X-APISIX-Dynamic-Debug # If the header is present in a request, apply the advanced debug settings.
+hook_conf:
+  enable: false # Enable hook debug trace to log the target module function's input arguments or returned values.
+  name: hook_phase # Name of module and function list.
+  log_level: warn # Severity level for input arguments and returned values in the error log.
+  is_print_input_args: true # Print the input arguments.
+  is_print_return_value: true # Print the return value.
+
+hook_phase: # Name of module and function list.
+  apisix: # Required module name.
+    - http_access_phase # Required function names.
+    - http_header_filter_phase
+    - http_body_filter_phase
+    - http_log_phase
+#END

config/apisix/debug.yaml

@@ -0,0 +1 @@
+Place the SCIM plugin here if you intend to run it locally.