chore(dsl): Forbid global auth

[AndesKrrrrrrrrrrr]

Override any global auth config

Depends on #16405 and #16375

---

• To see the specific tasks where the Asana app for GitHub is being used, see below:
  • https://app.asana.com/0/0/1208509734870149

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Enabled global authentication for multiple services, enhancing security.
  • Updated ingress configurations to reflect new global authentication settings.

• Bug Fixes

  • Removed unnecessary demo ingress configurations, simplifying service setup.

• Documentation

  • Improved clarity in type definitions and interfaces related to ingress configurations.

• Chores

  • Adjusted resource limits and health check paths for better resource management across services.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.73%. Comparing base (e3e51fc) to head (1929ca3).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #16376   +/-   ##
=======================================
  Coverage   36.73%   36.73%           
=======================================
  Files        6809     6809           
  Lines      141086   141077    -9     
  Branches    40224    40219    -5     
=======================================
  Hits        51825    51825           
+ Misses      89261    89252    -9     

Flag	Coverage Δ
api	3.37% <ø> (ø)
application-system-api	41.42% <ø> (ø)
application-template-api-modules	27.88% <ø> (ø)
application-ui-shell	21.35% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 3 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e3e51fc...1929ca3. Read the comment docs.

[datadog-island-is]

Datadog Report

All test runs 0c5ebac 🔗

✅ 4 Total Test Services: 0 Failed, 4 Passed
➡️ Test Sessions change in coverage: 13 no change

Test Services

Service Name	Failed	Known Flaky	New Flaky	Passed	Skipped	Total Time	Code Coverage Change	Test Service View
api	0	0	0	4	0	2.93s	1 no change	Link
application-system-api	0	0	0	120	2	3m 25.19s	1 no change	Link
application-template-api-modules	0	0	0	123	0	2m 19.91s	1 no change	Link
application-ui-shell	0	0	0	74	0	31.9s	1 no change	Link

[coderabbitai]

Walkthrough

The changes in this pull request primarily involve modifications to ingress configurations, type definitions, and resource management across various services. The demo ingress configuration has been removed from both personal-representative-public.ts and personal-representative.ts. The ingress configurations in the YAML files for the identity server and Islandis services have been updated to enable global authentication and adjust resource limits. Additionally, TypeScript types in the infra/src/dsl directory have been refined for improved clarity and type safety.

Changes

File Path	Change Summary
apps/services/auth/personal-representative-public/infra/personal-representative-public.ts apps/services/auth/personal-representative/infra/personal-representative.ts	Removed demo ingress configuration and the import of MissingSetting.
charts/identity-server/values.dev.yaml charts/identity-server/values.prod.yaml charts/identity-server/values.staging.yaml	Enabled global authentication, updated ingress annotations, adjusted resource limits, and added a new ingress configuration for services-auth-personal-representative.
charts/islandis/values.dev.yaml charts/islandis/values.prod.yaml charts/islandis/values.staging.yaml	Enabled global authentication and updated ingress configurations and health check paths.
infra/src/dsl/dsl.ts infra/src/dsl/types/input-types.ts infra/src/dsl/types/charts.ts infra/src/dsl/ingress.spec.ts	Introduced IngressMapping, updated method signatures, and refined type declarations for clarity.

Possibly related PRs

• chore(personal-representative): Remove demo-alb ingress #16404: The changes in this PR involve the removal of the demo-alb ingress configuration, which directly relates to the ingress configuration changes made in the main PR, where the demo ingress configuration was also removed.

Suggested labels

automerge

Suggested reviewers

• eirikurn
• robertaandersen
• svanaeinars

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (11)

infra/src/dsl/types/input-types.ts (1)

Line range hint 1-234: Overall assessment: Significant improvements in DSL structure and clarity

The changes made to this file collectively enhance the DSL's structure, type safety, and semantic clarity. Key improvements include:

1. Consistent use of env instead of idx or name for environment-related index signatures.
2. Introduction of IngressType and IngressMapping for more structured ingress configurations.
3. Enhanced clarity in property names, particularly in the Ingress interface.

These modifications align well with the DSL's objectives of providing clear and expressive syntax for infrastructure configuration. They also improve the DSL's integration with Helm charts and Kubernetes resources by providing more precise and self-documenting type definitions.

To further enhance the DSL:

1. Consider adding inline documentation for the new types, especially IngressType and IngressMapping, to explain their purpose and usage.
2. If not already present, consider creating or updating documentation on how to use these new and modified types to create complex Helm values.

infra/src/dsl/ingress.spec.ts (2)

152-184: LGTM: New test case for overriding global auth annotation

This new test case effectively verifies the ability to override the global auth annotation. It follows the existing structure and style of other test cases, which is good for consistency.

One suggestion for improvement:

Consider adding a comment explaining why the expected output shows 'true' for the global auth annotation when the input specifies 'false'. This would enhance clarity for future readers.

+           // The global auth annotation is set to 'true' by default and cannot be overridden

---

185-214: LGTM: New test case for missing global auth annotation

This new test case effectively verifies that the global auth annotation is not set when it's missing from the extraAnnotations. The test structure and style are consistent with other test cases in the file.

For consistency and clarity:

Consider adding a descriptive comment above the test case to explain its purpose, similar to other test cases in the file. This would improve readability and make the test's intention clearer.

+  // Verify that the global auth annotation is not set when missing from extraAnnotations

charts/identity-server/values.prod.yaml (3)

267-267: Significant changes in services-auth-admin-api configuration

1. Global authentication has been enabled for this service. This change enhances security but may impact existing integrations or access patterns.
2. The memory limit has been increased from 768Mi to 1024Mi, which suggests the service was experiencing memory pressure. Monitor the service to ensure this new limit is sufficient.
3. The readiness health check path has changed from '/backend/health/check' to '/health/check'. Ensure that this new endpoint correctly reflects the service's readiness state.

Consider the following:

1. Review and update any documentation or client configurations that may be affected by the global auth change.
2. Implement proper monitoring to track memory usage and ensure the new limit is appropriate.
3. Verify that the new health check endpoint is implemented correctly and returns accurate readiness information.

Also applies to: 268-268, 269-269

---

782-782: Global authentication enabled for services-auth-public-api

The nginx.ingress.kubernetes.io/enable-global-auth annotation has been changed from 'false' to 'true' for the public API service. This change aligns with the similar modification made to the admin API, indicating a consistent approach to authentication across services.

Consider the following:

1. Review the impact of this change on public API consumers. Ensure that all clients are prepared for the new authentication requirements.
2. Update API documentation to reflect the new authentication mechanism.
3. Implement proper monitoring and logging to track any potential issues or increased error rates that may arise from this change.
4. Consider a phased rollout or feature flag to control the activation of global auth, allowing for easier rollback if issues are encountered.

Also applies to: 783-783, 784-784, 785-785, 786-786

---

Line range hint 1-786: Summary of changes and recommendations

The primary changes in this update revolve around enabling global authentication for both admin and public API services, along with some adjustments to the admin API's configuration. These changes suggest a focus on enhancing security and potentially addressing performance issues.

Key points:

1. Global authentication has been enabled for both services-auth-admin-api and services-auth-public-api.
2. The memory limit for services-auth-admin-api has been increased from 768Mi to 1024Mi.
3. The readiness health check path for services-auth-admin-api has been modified.

Recommendations:

1. Develop a comprehensive rollout plan for the global authentication changes, considering the impact on all API consumers and internal services.
2. Implement thorough monitoring and alerting to track the effects of these changes, particularly focusing on authentication failures, API response times, and memory usage for the admin API.
3. Update all relevant documentation, including API specs, client integration guides, and internal architecture documents.
4. Consider conducting a security audit to ensure that the global authentication implementation adheres to best practices and doesn't introduce any vulnerabilities.
5. Plan for a potential rollback strategy in case unforeseen issues arise from these changes.
6. Review the entire identity server architecture to identify if similar authentication and resource adjustments are needed for other services not covered in this update.

charts/identity-server/values.dev.yaml (4)

152-154: Review changes in identity-server ingress annotations

The following changes have been made to the ingress annotations for the identity-server:

1. Global authentication has been enabled (nginx.ingress.kubernetes.io/enable-global-auth: 'true').
2. The proxy buffer size has been reduced from 16k to 8k.

These changes may have the following impacts:

• Enabling global auth could affect the authentication flow for the identity server. Ensure that this aligns with the intended security model.
• Reducing the proxy buffer size might impact the handling of large headers or requests. Monitor for any potential issues related to request processing.

Please verify that these changes are intentional and align with the overall system architecture. Consider monitoring the system after deployment to ensure there are no negative impacts on performance or functionality.

---

270-271: Global authentication enabled for services-auth-admin-api

The ingress annotation for services-auth-admin-api has been updated to enable global authentication:

nginx.ingress.kubernetes.io/enable-global-auth: 'true'

This change may affect the authentication flow for the admin API. Ensure that this aligns with the intended security model for admin access.

Verify that enabling global authentication for the admin API is intentional and doesn't introduce any security risks or unintended access restrictions. Consider reviewing the global authentication configuration to ensure it provides the appropriate level of security for admin endpoints.

---

Line range hint 785-789: Multiple changes in services-auth-public-api ingress annotations

Several changes have been made to the ingress annotations for services-auth-public-api:

1. Global authentication has been enabled:

   nginx.ingress.kubernetes.io/enable-global-auth: 'true'

2. A rewrite target has been added:

   nginx.ingress.kubernetes.io/rewrite-target: '/$2'

3. The proxy buffer size has been reduced from 16k to 8k.

These changes may have the following impacts:

• Enabling global auth could affect the authentication flow for the public API.
• The rewrite target change might modify how URLs are processed and routed.
• Reducing the proxy buffer size might impact the handling of large headers or requests.

Please review these changes carefully:

1. Ensure that enabling global authentication for the public API aligns with the intended security model.
2. Verify that the rewrite target configuration correctly handles all expected URL patterns.
3. Monitor the system after deployment to ensure the reduced proxy buffer size doesn't negatively impact request processing.

Consider documenting these changes and their rationale for future reference.

---

Line range hint 1-815: Summary of changes and overall recommendations

This pull request introduces several changes to the ingress configurations across multiple services in the identity server chart:

1. Global authentication has been enabled for identity-server, services-auth-admin-api, and services-auth-public-api.
2. Proxy buffer sizes have been adjusted for some services.
3. A rewrite target has been added to the services-auth-public-api ingress.

These changes appear to be part of a broader effort to standardize authentication across services and optimize ingress configurations.

Given the scope of these changes, consider the following recommendations:

1. Conduct thorough testing of the authentication flows for all affected services to ensure they work as expected with global auth enabled.
2. Monitor system performance after deployment, particularly focusing on request processing times and any potential issues related to the reduced proxy buffer sizes.
3. Review and update any documentation or runbooks related to the authentication mechanisms and ingress configurations.
4. Consider creating or updating integration tests that verify the correct behavior of the rewrite rules and authentication flows across all affected services.
5. Plan for a staged rollout or have a rollback strategy in place, given the wide-reaching nature of these changes.

These changes represent a significant shift in the authentication architecture. Ensure all stakeholders are aware of these changes and their potential impacts on the system's behavior and security posture.

charts/identity-server/values.staging.yaml (1)

Line range hint 1-820: Review the overall impact of global auth changes on the system

The main changes in this configuration file are related to enabling global auth for specific services (identity-server, services-auth-admin-api, and services-auth-public-api) and increasing resource limits for the identity-server. While these changes seem intentional and targeted, it's crucial to consider their potential impact on the entire system.

Please consider the following:

1. Consistency: Ensure that the global auth changes are applied consistently across all services that require it.
2. System-wide impact: Verify that services not directly modified in this change won't be adversely affected by the new global auth settings.
3. Performance: Monitor the system's performance after implementing these changes, especially considering the increased resource limits for the identity-server.
4. Security: Confirm that these changes align with the overall security strategy and don't introduce any vulnerabilities.

It's recommended to:

1. Conduct thorough testing in a staging environment that closely mimics production.
2. Plan for a phased rollout if possible, to minimize potential disruptions.
3. Have a rollback plan ready in case of unexpected issues.
4. Update documentation to reflect these architectural changes, especially regarding authentication flows and resource allocations.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e3e51fc and 1929ca3.

📒 Files selected for processing (12)

• apps/services/auth/personal-representative-public/infra/personal-representative-public.ts (0 hunks)
• apps/services/auth/personal-representative/infra/personal-representative.ts (0 hunks)
• charts/identity-server/values.dev.yaml (3 hunks)
• charts/identity-server/values.prod.yaml (2 hunks)
• charts/identity-server/values.staging.yaml (3 hunks)
• charts/islandis/values.dev.yaml (6 hunks)
• charts/islandis/values.prod.yaml (6 hunks)
• charts/islandis/values.staging.yaml (10 hunks)
• infra/src/dsl/dsl.ts (3 hunks)
• infra/src/dsl/ingress.spec.ts (4 hunks)
• infra/src/dsl/types/charts.ts (1 hunks)
• infra/src/dsl/types/input-types.ts (5 hunks)

💤 Files with no reviewable changes (2)

• apps/services/auth/personal-representative-public/infra/personal-representative-public.ts
• apps/services/auth/personal-representative/infra/personal-representative.ts

🧰 Additional context used

📓 Path-based instructions (4)

infra/src/dsl/dsl.ts (1)

Pattern infra/src/dsl/**/*: "Confirm that the code adheres to the following:

• The clarity and expressiveness of the DSL syntax.
• Integration with Helm charts and Kubernetes resources.
• Documentation on how to use the DSL to create complex Helm values."

infra/src/dsl/ingress.spec.ts (1)

Pattern infra/src/dsl/**/*: "Confirm that the code adheres to the following:

• The clarity and expressiveness of the DSL syntax.
• Integration with Helm charts and Kubernetes resources.
• Documentation on how to use the DSL to create complex Helm values."

infra/src/dsl/types/charts.ts (1)

Pattern infra/src/dsl/**/*: "Confirm that the code adheres to the following:

• The clarity and expressiveness of the DSL syntax.
• Integration with Helm charts and Kubernetes resources.
• Documentation on how to use the DSL to create complex Helm values."

infra/src/dsl/types/input-types.ts (1)

Pattern infra/src/dsl/**/*: "Confirm that the code adheres to the following:

• The clarity and expressiveness of the DSL syntax.
• Integration with Helm charts and Kubernetes resources.
• Documentation on how to use the DSL to create complex Helm values."

🔇 Additional comments (30)

infra/src/dsl/types/charts.ts (1)

39-39: Improved parameter naming enhances code clarity.

The change from [name in OpsEnv] to [env in OpsEnv] is a good improvement. It enhances the clarity and expressiveness of the DSL syntax by using a more descriptive parameter name. 'env' better represents the nature of the key in this context (environment) compared to 'name'.

This minor change contributes to better self-documentation of the code, making it easier for developers to understand the purpose of this type at a glance.

infra/src/dsl/types/input-types.ts (6)

21-21: Improved semantic clarity in PostgresInfo type

The change from [idx in OpsEnv] to [env in OpsEnv] enhances the readability and semantic meaning of the type definition. This modification aligns well with the context of environment-specific configurations.

---

38-38: Consistent naming in RedisInfo type

The change from [idx in OpsEnv] to [env in OpsEnv] in the RedisInfo type is consistent with the previous modification in PostgresInfo. This consistency improves the overall readability and maintainability of the codebase.

---

109-110: Enhanced type safety with new IngressType and IngressMapping

The introduction of IngressType and IngressMapping types significantly improves the type safety and expressiveness of the DSL. These additions provide a more structured approach to defining ingress configurations, which aligns well with the DSL's objectives.

The IngressType limits the possible ingress types to 'primary' and 'internal', preventing potential errors from incorrect string literals. The IngressMapping type then uses this to create a partial mapping to Ingress, offering a clear and type-safe way to define different ingress configurations.

---

117-117: Improved structure in ServiceDefinition with IngressMapping

The modification of the ingress property in ServiceDefinition to use the new IngressMapping type is a significant improvement. This change provides a more structured and type-safe approach to defining ingress configurations for services.

By using IngressMapping, the DSL now enforces a clear distinction between 'primary' and 'internal' ingress types, which can help prevent configuration errors and improve the overall reliability of the service definitions.

---

138-138: Enhanced clarity in Ingress interface

The modifications in the Ingress interface significantly improve the semantic clarity of the type definitions:

1. Changing [name in OpsEnv] to [env in OpsEnv] in the host property maintains consistency with earlier changes and clearly indicates that the keys represent environments.

2. In extraAnnotations, the change from [name in OpsEnv] to [env in OpsEnv] follows the same pattern, improving consistency.

3. The inner index signature change from [idx: string] to [annotation: string] in extraAnnotations is particularly noteworthy. It clearly communicates that the keys represent annotation names, enhancing the self-documenting nature of the code.

These changes collectively contribute to a more intuitive and maintainable DSL structure.

Also applies to: 142-144

---

234-234: Consistent naming in ExtraValues type

The modification of the index signature from [idx in OpsEnv] to [env in OpsEnv] in the ExtraValues type maintains consistency with the earlier changes in the file. This change reinforces the semantic meaning of the keys as representing different environments, contributing to the overall clarity and maintainability of the DSL.

infra/src/dsl/ingress.spec.ts (3)

30-33: LGTM: Consistent renaming from 'secondary' to 'internal'

The changes in this test case accurately reflect the renaming of the 'secondary' ingress to 'internal'. The expected output has been updated accordingly, maintaining consistency throughout the test.

Also applies to: 50-57

---

Line range hint 100-107: LGTM: Consistent renaming in test case

The changes in this test case maintain consistency with the previous renaming from 'secondary' to 'internal'. The structure of the test remains unchanged, ensuring that the existing functionality is still being tested correctly.

---

Line range hint 1-214: Overall improvements to ingress configuration testing

The changes in this file enhance the test coverage for ingress configurations, particularly regarding global auth annotations. The consistent renaming from 'secondary' to 'internal' throughout the file improves clarity. The new test cases align well with the existing structure and style, maintaining the file's overall consistency.

These changes contribute to:

1. Better verification of ingress configuration behavior
2. Improved clarity in naming conventions
3. Enhanced test coverage for edge cases in global auth settings

The file continues to adhere to the DSL syntax for defining ingress configurations, which is crucial for maintaining the clarity and expressiveness of the DSL.

charts/identity-server/values.staging.yaml (4)

Line range hint 176-180: Review the significant increase in resource limits

The CPU and memory limits for the identity-server have been substantially increased:

• CPU limit: from '400m' to '4000m' (10x increase)
• Memory limit: from '256Mi' to '2048Mi' (8x increase)

While this may improve performance, it could also impact the cluster's overall resource allocation.

Please confirm:

1. The necessity of such a large increase in resources.
2. That the cluster has sufficient capacity to handle this change without affecting other services.

Run the following script to check the current resource usage and limits in the cluster:

#!/bin/bash
# Check current resource usage and limits in the cluster

# Get current CPU and memory usage for pods in the identity-server namespace
kubectl top pods -n identity-server

# Get resource quotas for the identity-server namespace
kubectl get resourcequota -n identity-server

# Get current resource limits for all containers in the identity-server deployment
kubectl get deployment -n identity-server -o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.template.spec.containers[*]}  {.name}:{.resources.limits}{"\n"}{end}{end}'

---

270-270: Verify the impact of enabling global auth for services-auth-admin-api

The change to enable global auth (nginx.ingress.kubernetes.io/enable-global-auth: 'true') for the services-auth-admin-api ingress could affect the authentication flow for this service.

Please ensure that:

1. This change is intentional and consistent with the changes made to the identity-server ingress.
2. The services-auth-admin-api is prepared for this change and won't be negatively impacted.

Run the following script to check for any dependencies or configurations that might be affected by this change:

#!/bin/bash
# Check for configurations or dependencies related to services-auth-admin-api authentication

# Search for references to services-auth-admin-api in other configuration files
rg --type yaml 'services-auth-admin-api'

# Check for any environment variables related to authentication in the services-auth-admin-api deployment
kubectl get deployment -n identity-server-admin services-auth-admin-api -o=jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="IDENTITY_SERVER_ISSUER_URL" || @.name=="IDENTITY_SERVER_CLIENT_ID")]}'

---

785-785: Verify the impact of enabling global auth for services-auth-public-api

The change to enable global auth (nginx.ingress.kubernetes.io/enable-global-auth: 'true') for the services-auth-public-api ingress could affect the authentication flow for this public-facing API service.

Please ensure that:

1. This change is intentional and consistent with the changes made to other services.
2. The services-auth-public-api is prepared for this change and won't be negatively impacted.
3. Any external clients or services consuming this API are aware of and can handle the change in authentication flow.

Run the following script to check for any dependencies or configurations that might be affected by this change:

#!/bin/bash
# Check for configurations or dependencies related to services-auth-public-api authentication

# Search for references to services-auth-public-api in other configuration files
rg --type yaml 'services-auth-public-api'

# Check for any environment variables related to authentication in the services-auth-public-api deployment
kubectl get deployment -n identity-server-admin services-auth-public-api -o=jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="IDENTITY_SERVER_ISSUER_URL" || @.name=="IDENTITY_SERVER_CLIENT_ID")]}'

# Check for any ingress rules that might be affected by this change
kubectl get ingress -n identity-server-admin -o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.rules[*].http.paths[*]}{.path}{"\n"}{end}{end}'

---

152-152: Verify the impact of enabling global auth

The change to enable global auth (nginx.ingress.kubernetes.io/enable-global-auth: 'true') for the identity-server ingress could significantly affect the authentication flow for all services using this ingress.

Please ensure that:

1. This change is intentional and aligns with the security requirements.
2. All dependent services are prepared for this change and won't be negatively impacted.

Run the following script to check for other ingress configurations that might be affected:

charts/islandis/values.staging.yaml (3)

444-444: Global authentication enabled for api service: Ensure consistency

The change to enable global authentication for the api service is consistent with the PR objectives and follows the same pattern as other services.

To ensure consistency across all services, run the following script to check which services have global authentication enabled:

#!/bin/bash
# Check for global authentication configuration across all services
kubectl get ingress -A -o json | jq '.items[] | select(.metadata.annotations["nginx.ingress.kubernetes.io/enable-global-auth"] == "true") | .metadata.name + " in namespace " + .metadata.namespace'

---

952-952: Global authentication enabled for multiple services: Verify completeness

The changes to enable global authentication have been consistently applied to multiple services including application-system-form, consultation-portal, download-service, island-ui-storybook, license-api, and portals-admin. This is a positive step towards improving the overall security posture.

To ensure that all required services have global authentication enabled, please run the following script and compare its output with your list of services that should have this feature:

#!/bin/bash
# List all ingress resources and their global auth status
kubectl get ingress -A -o json | jq -r '.items[] | "\(.metadata.name) in \(.metadata.namespace): \(.metadata.annotations["nginx.ingress.kubernetes.io/enable-global-auth"] // "false")"'

Review the output to confirm that all necessary services have global authentication enabled, and no services that should be excluded have it enabled by mistake.

Also applies to: 1020-1020, 1111-1111, 1394-1394, 1467-1467, 1571-1571

---

133-133: Global authentication enabled for air-discount-scheme-backend: Verify impact

The change to enable global authentication for the air-discount-scheme-backend service is in line with the PR objectives. This security enhancement is a positive step.

Please verify that this change doesn't unintentionally block legitimate access to the service. Run the following script to check for any recent authentication-related errors in the air-discount-scheme-backend logs:

charts/islandis/values.prod.yaml (4)

3193-3193: Carefully verify the impact of enabling global authentication for the main web service

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the main web service. This is a significant change that could affect all users and integrated services across the platform.

Given the potential wide-ranging impact, please ensure that:

1. This change aligns with the overall authentication strategy for the entire platform.
2. All integrated services and microsites are compatible with this global authentication approach.
3. User experience has been thoroughly tested across different scenarios and user types.
4. Performance implications of adding this authentication layer have been evaluated.
5. A rollback plan is in place in case of unexpected issues.

Run the following comprehensive check:

#!/bin/bash
# Check for authentication-related code across the project
echo "Searching for authentication-related code:"
grep -R --include="*.{js,ts,jsx,tsx,py,java,go,rb}" "auth" .

# List all ingress configurations to ensure consistency
echo "Listing all ingress configurations:"
grep -R --include="*.yaml" "ingress:" .

# Check for potential hardcoded URLs that might bypass authentication
echo "Checking for hardcoded URLs:"
grep -R --include="*.{js,ts,jsx,tsx,py,java,go,rb}" "https://island.is" .

# Verify API endpoints for potential conflicts
echo "Checking API endpoints:"
grep -R --include="*.{js,ts,py,java,go,rb}" "api" .

Additionally, please conduct thorough end-to-end testing of critical user journeys to ensure they remain unaffected by this change.

---

227-227: Verify impact of enabling global authentication for air-discount-scheme-web

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the air-discount-scheme-web interface. This change may affect user access and experience.

Please ensure that:

1. The user flow has been updated to accommodate this additional authentication step.
2. User documentation or guides have been updated to reflect this change.
3. The change aligns with the intended security posture for the air discount scheme web interface.

Run the following script to check for any custom authentication logic that might need to be updated:

#!/bin/bash
# Search for authentication-related code in the air-discount-scheme-web
echo "Searching for authentication-related code in air-discount-scheme-web:"
grep -R --include="*.{js,ts,jsx,tsx}" "auth" ./air-discount-scheme-web

---

1141-1141: Verify impact of enabling global authentication for contentful-entry-tagger-service

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the contentful-entry-tagger-service. This change may affect how the service integrates with Contentful and other systems.

Please ensure that:

1. The authentication mechanism is compatible with Contentful's API and any other systems that interact with this service.
2. Any automated processes or scripts that use this service have been updated to handle the new authentication requirement.
3. The content tagging workflow remains unaffected by this change.

Run the following script to check for potential integration points that might need updating:

#!/bin/bash
# Search for references to contentful-entry-tagger-service in the codebase
echo "Searching for references to contentful-entry-tagger-service:"
grep -R --include="*.{js,ts,py,java,go,rb}" "contentful-entry-tagger-service" .

# Check for Contentful API usage
echo "Checking for Contentful API usage:"
grep -R --include="*.{js,ts,py,java,go,rb}" "contentful.*api" .

---

45-45: Verify impact of enabling global authentication for air-discount-scheme-api

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the air-discount-scheme-api. This change may affect the accessibility of the API and might require updates to client applications.

Please ensure that:

1. All client applications are prepared for this authentication change.
2. The security requirements of the air discount scheme service align with this global authentication approach.
3. Proper testing has been conducted to verify that the API remains accessible to authorized clients.

Run the following script to check for potential client applications that might be affected:

✅ Verification successful

Global authentication enabled successfully without impacting client applications

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' in air-discount-scheme-api has been verified. No client applications reference the air-discount-scheme-api, indicating that accessibility remains unaffected for clients and no further updates are required.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for references to the air-discount-scheme-api in the codebase
echo "Searching for references to air-discount-scheme-api:"
grep -R --include="*.{js,ts,py,java,go,rb}" "air-discount-scheme-api" .

Length of output: 879

---

Script:

#!/bin/bash
# Search for references to the air-discount-scheme-api in the codebase using ripgrep
echo "Searching for references to air-discount-scheme-api using ripgrep:"
rg "air-discount-scheme-api" --type-add 'scripts:*.{js,ts,py,java,go,rb}' --type scripts

Length of output: 590

charts/islandis/values.dev.yaml (7)

133-133: Global authentication enabled for air-discount-scheme-backend ingress

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the air-discount-scheme-backend ingress. This change aligns with the PR objective of overriding global authentication configuration.

---

1082-1082: Global authentication enabled for contentful-apps ingress

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the contentful-apps ingress. This change is in line with the PR objective of overriding global authentication configuration.

---

1146-1146: Global authentication enabled for contentful-entry-tagger-service ingress

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the contentful-entry-tagger-service ingress. This modification supports the PR's objective of overriding global authentication configuration.

---

1484-1484: Global authentication enabled for github-actions-cache ingress

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the github-actions-cache ingress. This change supports the PR's goal of overriding global authentication configuration.

---

1650-1650: Global authentication enabled for island-ui-storybook ingress

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the island-ui-storybook ingress. This modification is in line with the PR's objective of overriding global authentication configuration.

---

1994-1994: Global authentication enabled for search-indexer-service ingress

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'true' enables global authentication for the search-indexer-service ingress. This change supports the PR's objective of overriding global authentication configuration.

---

133-133: Summary: Global authentication enabled for multiple services

This change consistently adds the nginx.ingress.kubernetes.io/enable-global-auth: 'true' annotation to the ingress configurations of several services:

1. air-discount-scheme-backend
2. contentful-apps
3. contentful-entry-tagger-service
4. github-actions-cache
5. island-ui-storybook
6. search-indexer-service

These modifications align with the PR objective of overriding global authentication configuration. The implementation is uniform across all affected services, ensuring consistent behavior. This change enhances the security posture of the system by enabling global authentication for these specific ingress points.

Also applies to: 1082-1082, 1146-1146, 1484-1484, 1650-1650, 1994-1994

infra/src/dsl/dsl.ts (2)

20-20: Import of IngressMapping is appropriate

The addition of IngressMapping to the import statement ensures that the new type is available for use in the updated ingress method.

---

465-465: Verify all usages of the updated ingress method

The ingress method signature has been changed to accept an IngressMapping. Please ensure that all calls to this method in the codebase are updated to match the new signature.

You can run the following script to identify all usages:

This will help you locate all occurrences of the ingress method for review.

[coderabbitai]

🛠️ Refactor suggestion

Avoid forced type casting when initializing ingress

Using as IngressMapping to force type conformance can conceal type-related issues. It's better to initialize ingress with a proper default value that aligns with the IngressMapping type to maintain type safety.

Consider initializing ingress without type casting:

ingress: {},

If IngressMapping requires a specific structure, provide a default value that matches its definition.

[busla]

why is global auth now enabled on prod?

[AndesKrrrrrrrrrrr]

It shouldn't be. Working on a fix

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 1929ca3 and c55c693.

📒 Files selected for processing (3)

• charts/identity-server/values.prod.yaml (0 hunks)
• infra/src/dsl/dsl.ts (3 hunks)
• infra/src/dsl/types/input-types.ts (5 hunks)

💤 Files with no reviewable changes (1)

• charts/identity-server/values.prod.yaml

🧰 Additional context used

📓 Path-based instructions (2)

infra/src/dsl/dsl.ts (1)

Pattern infra/src/dsl/**/*: "Confirm that the code adheres to the following:

• The clarity and expressiveness of the DSL syntax.
• Integration with Helm charts and Kubernetes resources.
• Documentation on how to use the DSL to create complex Helm values."

infra/src/dsl/types/input-types.ts (1)

Pattern infra/src/dsl/**/*: "Confirm that the code adheres to the following:

• The clarity and expressiveness of the DSL syntax.
• Integration with Helm charts and Kubernetes resources.
• Documentation on how to use the DSL to create complex Helm values."

🔇 Additional comments (2)

infra/src/dsl/types/input-types.ts (1)

109-110: ⚠️ Potential issue

Verify potential impact of changing 'ingress' property type in 'ServiceDefinition'.

Changing the type of ingress from { [name: string]: Ingress } to IngressMapping may affect existing code that relies on the previous type definition. Please ensure that all usages of ServiceDefinition.ingress are updated accordingly to prevent any type errors or unexpected behaviors.

Run the following script to find all usages of ServiceDefinition.ingress in the codebase:

✅ Verification successful

Verification Complete: No usages of ServiceDefinition.ingress found.

The change to IngressMapping does not impact existing code.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Find all usages of 'ServiceDefinition.ingress' to verify compatibility with new type.

# Test: Search for 'ServiceDefinition' definitions and references involving 'ingress'.
# Expect: All occurrences are compatible with the 'IngressMapping' type.

rg --type typescript 'ServiceDefinition.*ingress' -A 5

Length of output: 91

---

Script:

#!/bin/bash
# Description: Find all usages of 'ServiceDefinition.ingress' to verify compatibility with new type.

# Test: Search for 'ServiceDefinition' definitions and references involving 'ingress' in TypeScript files.
# Expect: All occurrences are compatible with the 'IngressMapping' type.

rg 'ServiceDefinition.*ingress' --glob '*.ts' -A 5

Length of output: 52

---

Script:

#!/bin/bash
# Description: Find all usages of 'ServiceDefinition.ingress' to verify compatibility with new type.

# Test: Search for 'ServiceDefinition.ingress' in TypeScript and TSX files with flexible pattern.
# Expect: All occurrences are compatible with the 'IngressMapping' type.

rg 'ServiceDefinition\s*\.\s*ingress' --type ts --type tsx -A 5

Length of output: 93

---

Script:

#!/bin/bash
# Description: Find all usages of 'ServiceDefinition.ingress' to verify compatibility with new type.

# Test: Search for 'ServiceDefinition.ingress' in TypeScript and TSX files with explicit file patterns.
# Expect: All occurrences are compatible with the 'IngressMapping' type.

rg 'ServiceDefinition\s*\.\s*ingress' --glob '*.ts' --glob '*.tsx' -A 5

Length of output: 73

infra/src/dsl/dsl.ts (1)

26-35: OVERRIDE_ANNOTATIONS constant is correctly defined

The OVERRIDE_ANNOTATIONS constant is appropriately set up for each environment, and the annotations are specified accurately. This ensures that the ingress configurations receive the intended annotations based on the deployment environment.

[AndesKrrrrrrrrrrr]

Getting too complex if we want to deal with IDS chart changes