Helm chart for stac-auth-proxy (#44)

Creates a Helm Chart for `stac-auth-proxy`. See README in `helm/` folder for instructions on usage.

Author: batpad

.github/workflows/publish-helm.yaml

@@ -0,0 +1,44 @@
+name: Publish Helm Chart
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'helm/**'
+      - '.github/workflows/publish-helm.yaml'
+  release:
+    types: [created]
+
+jobs:
+  publish-helm:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.12.1
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Package Helm Chart
+        run: |
+          helm package helm/
+
+      - name: Push Helm Chart
+        run: |
+          helm push *.tgz oci://ghcr.io/${{ github.repository }}/charts 

helm/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: stac-auth-proxy
+description: A Helm chart for stac-auth-proxy
+type: application
+version: 0.1.0
+appVersion: "1.0.0" 

helm/README.md

@@ -0,0 +1,126 @@
+# STAC Auth Proxy Helm Chart
+
+This Helm chart deploys the STAC Auth Proxy, which provides authentication and authorization for STAC APIs.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+- An OIDC provider (e.g., Auth0, Cognito, Keycloak)
+- A STAC API endpoint
+
+## Installation
+
+### Add the Helm Repository
+
+```bash
+helm registry login ghcr.io
+helm pull oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy --version 0.1.0
+```
+
+### Install the Chart
+
+Basic installation with minimal configuration:
+
+```bash
+helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy \
+  --set env.UPSTREAM_URL=https://your-stac-api.com/stac \
+  --set env.OIDC_DISCOVERY_URL=https://your-auth-server/.well-known/openid-configuration \
+  --set ingress.host=stac-proxy.your-domain.com
+```
+
+### Using a Values File
+
+Create a `values.yaml` file:
+
+```yaml
+env:
+  UPSTREAM_URL: "https://your-stac-api.com/stac"
+  OIDC_DISCOVERY_URL: "https://your-auth-server/.well-known/openid-configuration"
+  OIDC_DISCOVERY_INTERNAL_URL: "http://auth-server-internal/.well-known/openid-configuration"
+  DEFAULT_PUBLIC: "false"
+  HEALTHZ_PREFIX: "/healthz"
+
+ingress:
+  enabled: true
+  host: "stac-proxy.your-domain.com"
+  tls:
+    enabled: true
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 256Mi
+```
+
+Install using the values file:
+
+```bash
+helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy -f values.yaml
+```
+
+### Using Image Pull Secrets
+
+To use private container registries, you can configure image pull secrets:
+
+```yaml
+
+serviceAccount:
+    create: true
+    imagePullSecrets:
+        name: "my-registry-secret"
+```
+
+
+## Configuration
+
+### Required Values
+
+| Parameter | Description |
+|-----------|-------------|
+| `env.UPSTREAM_URL` | URL of the STAC API to proxy |
+| `env.OIDC_DISCOVERY_URL` | OpenID Connect discovery document URL |
+
+### Optional Values
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `env` | Environment variables passed to the container. See [STAC Auth Proxy documentation](https://github.com/developmentseed/stac-auth-proxy#configuration) for details | `{}` |
+| `ingress.enabled` | Enable ingress | `true` |
+| `ingress.className` | Ingress class name | `nginx` |
+| `ingress.host` | Hostname for the ingress | `""` |
+| `ingress.tls.enabled` | Enable TLS for ingress | `true` |
+| `replicaCount` | Number of replicas | `1` |
+
+For a complete list of values, see the [values.yaml](./values.yaml) file.
+
+## Upgrading
+
+To upgrade the release:
+
+```bash
+helm upgrade stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy -f values.yaml
+```
+
+## Uninstalling
+
+To uninstall/delete the deployment:
+
+```bash
+helm uninstall stac-auth-proxy
+```
+
+## Development
+
+To test the chart locally:
+
+```bash
+helm install stac-auth-proxy ./helm --dry-run --debug
+```
+
+## Support
+
+For support, please open an issue in the [STAC Auth Proxy repository](https://github.com/developmentseed/stac-auth-proxy/issues). 

helm/templates/NOTES.txt

@@ -0,0 +1,71 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your STAC Auth Proxy has been deployed with the following configuration:
+
+1. Application Access:
+{{- if .Values.ingress.enabled }}
+{{- if .Values.ingress.host }}
+   Your proxy is available at:
+   {{- if .Values.ingress.tls.enabled }}
+   https://{{ .Values.ingress.host }}
+   {{- else }}
+   http://{{ .Values.ingress.host }}
+   {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+   Get the application URL by running these commands:
+   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "stac-auth-proxy.fullname" . }})
+   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+   echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+   Get the application URL by running these commands:
+   NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+   You can watch the status by running: 
+   kubectl get svc --namespace {{ .Release.Namespace }} {{ include "stac-auth-proxy.fullname" . }} -w
+   
+   Once ready, get the external IP/hostname with:
+   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "stac-auth-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+   echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else }}
+   The service is accessible within the cluster at:
+   {{ include "stac-auth-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}
+{{- end }}
+
+2. Configuration Details:
+   - Upstream STAC API: {{ .Values.env.UPSTREAM_URL }}
+   - OIDC Discovery URL: {{ .Values.env.OIDC_DISCOVERY_URL }}
+   - Health Check Endpoint: {{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }}
+   - Default Public Access: {{ .Values.env.DEFAULT_PUBLIC | default "false" }}
+
+3. Verify the deployment:
+   kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "stac-auth-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
+
+4. View the logs:
+   kubectl logs --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "stac-auth-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
+
+5. Health check:
+{{- if .Values.ingress.enabled }}
+{{- if .Values.ingress.host }}
+   {{- if .Values.ingress.tls.enabled }}
+   curl https://{{ .Values.ingress.host }}{{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }}
+   {{- else }}
+   curl http://{{ .Values.ingress.host }}{{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }}
+   {{- end }}
+{{- end }}
+{{- else }}
+   kubectl port-forward --namespace {{ .Release.Namespace }} service/{{ include "stac-auth-proxy.fullname" . }} 8000:{{ .Values.service.port }}
+   curl http://localhost:8000{{ .Values.env.HEALTHZ_PREFIX | default "/healthz" }}
+{{- end }}
+
+For more information about STAC Auth Proxy, please visit:
+https://github.com/developmentseed/stac-auth-proxy
+
+{{- if or (not .Values.env.UPSTREAM_URL) (not .Values.env.OIDC_DISCOVERY_URL) }}
+WARNING: Some required configuration values are not set. Please ensure you have configured:
+{{- if not .Values.env.UPSTREAM_URL }}
+  - env.UPSTREAM_URL
+{{- end }}
+{{- if not .Values.env.OIDC_DISCOVERY_URL }}
+  - env.OIDC_DISCOVERY_URL
+{{- end }}
+{{- end }} 

helm/templates/_helpers.tpl

@@ -0,0 +1,71 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "stac-auth-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "stac-auth-proxy.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "stac-auth-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "stac-auth-proxy.labels" -}}
+helm.sh/chart: {{ include "stac-auth-proxy.chart" . }}
+{{ include "stac-auth-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "stac-auth-proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "stac-auth-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "stac-auth-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "stac-auth-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Render env var value based on type
+*/}}
+{{- define "stac-auth-proxy.envValue" -}}
+{{- if kindIs "string" . -}}
+  {{- . | quote -}}
+{{- else -}}
+  {{- . | toJson | quote -}}
+{{- end -}}
+{{- end -}}

helm/templates/deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "stac-auth-proxy.fullname" . }}
+  labels:
+    {{- include "stac-auth-proxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "stac-auth-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "stac-auth-proxy.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "stac-auth-proxy.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          env:
+            {{- range $key, $value := .Values.env }}
+            - name: {{ $key }}
+              value: {{ include "stac-auth-proxy.envValue" $value }}
+            {{- end }}
+
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}