feat: [NMP-83] Add basic keycloak (#85)

Co-authored-by: Dallas Richmond <[email protected]> Co-authored-by: dallascrichmond <[email protected]>
bcgov · Dec 10, 2024 · 78b5714 · 78b5714
1 parent 92232aa
commit 78b5714
Show file tree

Hide file tree

Showing 19 changed files with 229 additions and 50 deletions.
diff --git a/.env.template b/.env.template
@@ -14,6 +14,12 @@ PGADMIN_DEFAULT_EMAIL=
 PGADMIN_DEFAULT_PASSWORD=
 
 # VITE FRONTEND
-VITE_HOST=
 VITE_PORT=
 VITE_BACKEND_URL=
+
+# KEYCLOAK SETTINGS
+SSO_CLIENT_ID=
+SSO_CLIENT_SECRET=
+SSO_REDIRECT_URL=
+FRONTEND_URL=
+BACKEND_URL=
diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml
@@ -74,7 +74,6 @@ jobs:
           file: backend/openshift.deploy.yml
           overwrite: true
           parameters:
-            -p NAME_SUFFIX=-${{ inputs.target }}
             -p IMAGE_TAG=${{ inputs.tag }}
             -p TARGET=${{ inputs.target }}
           verification_path: /api/health

diff --git a/backend/openshift.deploy.yml b/backend/openshift.deploy.yml
@@ -20,16 +20,13 @@ parameters:
     description: Password for the PostgreSQL connection user.
     from: '[a-zA-Z0-9]{16}'
     generate: expression
-  - name: NAME_SUFFIX
-    description: Suffix for the name
-    required: true
 objects:
   - kind: Service
     apiVersion: v1
     metadata:
       labels:
-        app: nr-nmp${NAME_SUFFIX}
-      name: nr-nmp-backend${NAME_SUFFIX}
+        app: ${APP}-${TARGET}
+      name: ${APP}-${TARGET}-${COMPONENT}
     spec:
       type: ClusterIP
       ports:
@@ -38,51 +35,67 @@ objects:
           protocol: TCP
           name: http-3000
       selector:
-        service: nr-nmp-backend${NAME_SUFFIX}
+        service: ${APP}-${TARGET}-${COMPONENT}
   - kind: Deployment
     apiVersion: apps/v1
     metadata:
       labels:
-        app: nr-nmp${NAME_SUFFIX}
-        deployment: nr-nmp-backend${NAME_SUFFIX}
-      name: nr-nmp-backend${NAME_SUFFIX}
+        app: ${APP}-${TARGET}
+        deployment: ${APP}-${TARGET}-${COMPONENT}
+      name: ${APP}-${TARGET}-${COMPONENT}
     spec:
       strategy:
         type: Recreate
       selector:
         matchLabels:
-          deployment: nr-nmp-backend${NAME_SUFFIX}
+          deployment: ${APP}-${TARGET}-${COMPONENT}
       template:
         metadata:
           labels:
-            app: nr-nmp${NAME_SUFFIX}
-            deployment: nr-nmp-backend${NAME_SUFFIX}
-            service: nr-nmp-backend${NAME_SUFFIX}
+            app: ${APP}-${TARGET}
+            deployment: ${APP}-${TARGET}-${COMPONENT}
+            service: ${APP}-${TARGET}-${COMPONENT}
         spec:
           containers:
-            - name: nr-nmp-backend${NAME_SUFFIX}
-              image: ghcr.io/bcgov/nr-nmp/backend:${IMAGE_TAG}
+            - name: ${APP}-${TARGET}-${COMPONENT}
+              image: ghcr.io/${ORG}/${APP}/${COMPONENT}:${IMAGE_TAG}
               imagePullPolicy: Always
               env:
                 - name: LOG_LEVEL
                   value: info
                 - name: POSTGRES_HOST
-                  value: nr-nmp-database${NAME_SUFFIX}
+                  value: nr-nmp-database-${TARGET}
                 - name: POSTGRES_DB
                   valueFrom:
                     secretKeyRef:
-                      name: nr-nmp-database${NAME_SUFFIX}
+                      name: nr-nmp-database-${TARGET}
                       key: database-name
                 - name: POSTGRES_PASSWORD
                   valueFrom:
                     secretKeyRef:
-                      name: nr-nmp-database${NAME_SUFFIX}
+                      name: nr-nmp-database-${TARGET}
                       key: database-password
                 - name: POSTGRES_USER
                   valueFrom:
                     secretKeyRef:
-                      name: nr-nmp-database${NAME_SUFFIX}
+                      name: nr-nmp-database-${TARGET}
                       key: database-user
+                - name: SSO_CLIENT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: nr-nmp-keycloak
+                      key: SSO_CLIENT_ID
+                - name: SSO_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: nr-nmp-keycloak
+                      key: SSO_CLIENT_SECRET
+                - name: SSO_REDIRECT_URL
+                  value: https://${APP}-${TARGET}-${COMPONENT}.apps.silver.devops.gov.bc.ca/auth/callback
+                - name: FRONTEND_URL
+                  value: https://${APP}-${TARGET}.apps.silver.devops.gov.bc.ca
+                - name: BACKEND_URL
+                  value: https://${APP}-${TARGET}-${COMPONENT}.apps.silver.devops.gov.bc.ca
               ports:
                 - containerPort: 3000
                   protocol: TCP
@@ -117,15 +130,15 @@ objects:
     apiVersion: route.openshift.io/v1
     metadata:
       labels:
-        app: nr-nmp${NAME_SUFFIX}
-      name: nr-nmp-backend${NAME_SUFFIX}
+        app: ${APP}-${TARGET}
+      name: ${APP}-${TARGET}-${COMPONENT}
     spec:
-      host: nr-nmp-backend${NAME_SUFFIX}.apps.silver.devops.gov.bc.ca
+      host: ${APP}-${TARGET}-${COMPONENT}.apps.silver.devops.gov.bc.ca
       port:
         targetPort: http-3000
       to:
         kind: Service
-        name: nr-nmp-backend${NAME_SUFFIX}
+        name: ${APP}-${TARGET}-${COMPONENT}
         weight: 100
       tls:
         termination: edge

diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -42,6 +42,7 @@
     "typescript-eslint": "^7.8.0"
   },
   "dependencies": {
+    "@bcgov/citz-imb-sso-express": "^1.0.2",
     "compression": "^1.7.4",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",

diff --git a/backend/src/controllers/health-api-controller.ts b/backend/src/controllers/health-api-controller.ts
@@ -1,6 +1,5 @@
 /**
- * @desc Simple health endpoint to check API status
- * @author GDamaso
+ * @dsummary Simple health endpoint to check API status
  */
 import { Response, Request } from 'express';
 

diff --git a/backend/src/express.ts b/backend/src/express.ts
@@ -13,11 +13,15 @@ import morgan from 'morgan';
 import cors from 'cors';
 import swaggerUi from 'swagger-ui-express';
 import swaggerJSDoc from 'swagger-jsdoc';
+import { sso } from '@bcgov/citz-imb-sso-express';
 import swaggerConfig from './config/swaggerConfig';
 import * as routers from './routes/index';
+import * as middleware from './middleware';
 
 const app = express();
 
+sso(app);
+
 // Express middleware
 app.use(express.json());
 app.use(express.urlencoded({ extended: false }));
@@ -27,7 +31,12 @@ app.use(morgan('dev')); // Logger Requests and Responses in the console
 app.use(cors()); // Activate CORS, allowing access
 app.use('/api/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerJSDoc(swaggerConfig)));
 
+// Add the protectedRoute function to any endpoint routes in the Admin Portal
+
 // Routes
 app.use('/api', [routers.healthRouter, routers.developersRouter]);
 
+// Integrate global error handler after routes to cover all ends.
+app.use(middleware.globalErrorHandler);
+
 export default app;
diff --git a/backend/src/middleware/globalErrorHandler.ts b/backend/src/middleware/globalErrorHandler.ts
@@ -0,0 +1,23 @@
+import { Request, Response, NextFunction } from 'express';
+/**
+ * PURPOSE: Global Error Handler is in place to give more meaningful communication with
+ *          the user if something in the application goes wrong
+ */
+
+type Props = {
+  req: Request;
+  res: Response;
+  next: NextFunction;
+}
+
+const globalErrorHandler = ({
+  res,
+  next,
+}: Props) => {
+  res.status(500).json({
+    message: 'Internal Server Error',
+  });
+  next();
+};
+
+export default globalErrorHandler;
diff --git a/backend/src/middleware/index.ts b/backend/src/middleware/index.ts
@@ -0,0 +1,2 @@
+// eslint-disable-next-line import/prefer-default-export
+export { default as globalErrorHandler } from './globalErrorHandler';
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -50,6 +50,7 @@ services:
           path: ./backend/
           target: app
           ignore: [node_modules]
+    env_file: .env
     environment:
       LOG_LEVEL: info
       PORT: 3000
@@ -72,8 +73,9 @@ services:
     #       path: ./frontend
     #       target: /app
     #       ignore: [node_modules]
+    env_file: .env
     environment:
-      VITE_BACKEND_URL: http://localhost:3000/api
+      VITE_BACKEND_URL: http://localhost:3000
     healthcheck:
       test: curl --fail http://localhost:5173 || exit 1
     ports: ["5173:5173"]

diff --git a/frontend/Caddyfile b/frontend/Caddyfile
@@ -14,11 +14,17 @@
 		}
 		level {$LOG_LEVEL}
 	}
+	handle /env.js {
+		header {
+			Content-Type "text/javascript"
+		}
+		respond `window.config = {"VITE_BACKEND_URL":"{$VITE_BACKEND_URL}","VITE_PORT":"{$VITE_PORT}"};`
+	}
 	root * /srv
 	encode zstd gzip
 	file_server
 	@spa_router {
-		not path /api*
+		not path /api* /env.js
 		file {
 			try_files {path} /index.html
 		}
@@ -36,7 +42,7 @@
 		Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate"
 		X-Content-Type-Options "nosniff"
 		Strict-Transport-Security "max-age=31536000"
-		Content-Security-Policy "default-src 'self' https://spt.apps.gov.bc.ca data:; script-src 'self' 'unsafe-eval' https://www2.gov.bc.ca ;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://use.fontawesome.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://fonts.googleapis.com http://www.w3.org https://*.gov.bc.ca"
+		Content-Security-Policy "connect-src 'self' https://*.gov.bc.ca https://registry.npmjs.org ;default-src 'self' https://spt.apps.gov.bc.ca data:; script-src 'self' 'unsafe-eval' https://www2.gov.bc.ca ;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://use.fontawesome.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://fonts.googleapis.com http://www.w3.org https://*.gov.bc.ca"
 		Referrer-Policy "same-origin"
 		Feature-Policy "fullscreen 'self'; camera 'none'; microphone 'none'"
 	}

diff --git a/frontend/openshift.deploy.yml b/frontend/openshift.deploy.yml
@@ -64,7 +64,21 @@ objects:
                 - name: LOG_LEVEL
                   value: info
                 - name: VITE_BACKEND_URL
-                  value: http://${APP}-${TARGET}-backend/api
+                  value: https://${APP}-${TARGET}-backend.apps.silver.devops.gov.bc.ca
+                - name: BACKEND_URL
+                  value: https://${APP}-${TARGET}-backend.apps.silver.devops.gov.bc.ca
+                - name: VITE_PORT
+                  value: '5173'
+                - name: SSO_CLIENT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: nr-nmp-keycloak
+                      key: SSO_CLIENT_ID
+                - name: SSO_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: nr-nmp-keycloak
+                      key: SSO_CLIENT_SECRET
               ports:
                 - name: http
                   containerPort: 5173
@@ -103,7 +117,7 @@ objects:
         app: ${APP}-${TARGET}
       name: ${APP}-${TARGET}-${COMPONENT}
     spec:
-      host: nr-nmp-${TARGET}.apps.silver.devops.gov.bc.ca
+      host: ${APP}-${TARGET}.apps.silver.devops.gov.bc.ca
       port:
         targetPort: http-3000
       to:

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json b/frontend/package.json
@@ -14,6 +14,7 @@
   },
   "dependencies": {
     "@bcgov/bc-sans": "^2.1.0",
+    "@bcgov/citz-imb-sso-react": "^1.0.1",
     "@bcgov/design-tokens": "^3.1.1",
     "@emotion/styled": "^11.13.0",
     "axios": "^1.7.7",
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		// eslint-disable-next-line import/prefer-default-export
		export { default as globalErrorHandler } from './globalErrorHandler';