Create oAuth client for frontend service (#87)

This is work on #27, just the part that sets up and provides the details
to Kubernetes for the oAuth authentication tokens.

This PR:

* Generates an internal oAuth brand and client token
* Provides instructions on how to make it external
* Generates a `ConfigMap` with the env data that will need to be passed
  to the eventual `frontend` Pod container.
* Deploy said ConfigMap to the Services cluster.

I also rename "frontend-api" to "frontend", since the "api" part seemed
redundant.

Next should be Cloud Build the image and Deploy it as a `Deployment` and
`Service`.

README.md

@@ -66,6 +66,16 @@ cp terraform.tfvars.sample terraform.tfvars
 terraform apply
 ```
 
+### OAuth Authentication
+
+Terraform is only able to make an [Internal Oauth consent screen](https://support.google.com/cloud/answer/10311615),
+which means that only users from your Google organisation will be able to authenticate against the project when 
+using logging in via the Game Launcher.
+
+You can manually move the consent screen to External (Testing), such that you can allow list accounts outside your 
+organisation to be able to authenticate against the project, but that has to be a manual step through the
+[OAuth Consent screen](https://console.cloud.google.com/apis/credentials/consent).
+
 ### Deploy Agones To Agones GKE Clusters
 
 The Agones deployment is in two steps: The Initial Install and the Allocation Endpoint Patch.

infrastructure/files/services/frontend-configmap.yaml.tpl

@@ -0,0 +1,26 @@
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: frontend-service
+data:
+  CLIENT_ID: ${client_id}
+  CLIENT_SECRET: ${client_secret}
+  LISTEN_PORT: "8080"
+  CLIENT_LAUNCHER_PORT: "8082"
+  PROFILE_SERVICE: http://profile
+  PING_SERVICE: http://ping-discovery
+  JWT_KEY: ${jwt_key}

infrastructure/services-gke.tf

@@ -115,3 +115,31 @@ resource "local_file" "services-ping-service-account" {
   })
   filename = "${path.module}/${var.services_directory}/ping-discovery/service-account.yaml"
 }
+
+#
+# OAuth Credentials for the Frontend Service
+#
+
+resource "google_iap_brand" "project_brand" {
+  support_email     = "[email protected]"
+  application_title = "Global Game Demo"
+  project           = var.project
+
+  depends_on = [google_project_service.project]
+}
+
+resource "google_iap_client" "project_client" {
+  display_name = "Global Game Client"
+  brand        = google_iap_brand.project_brand.name
+}
+
+# Make the environment configmap for the front service
+resource "local_file" "services-frontend-config-map" {
+  content = templatefile(
+    "${path.module}/files/services/frontend-configmap.yaml.tpl", {
+      client_id     = google_iap_client.project_client.client_id
+      client_secret = google_iap_client.project_client.secret
+      jwt_key       = var.frontend-service.jwt_key
+  })
+  filename = "${path.module}/${var.services_directory}/frontend/configmap.yaml"
+}

infrastructure/terraform.tfvars.sample

@@ -86,7 +86,8 @@ gcp_project_services = [
   "spanner.googleapis.com",
   "secretmanager.googleapis.com",
   "servicecontrol.googleapis.com",
-  "run.googleapis.com"
+  "run.googleapis.com",
+  "iap.googleapis.com"
 ]
 
 
@@ -107,6 +108,11 @@ services_gke_config = {
   }
 }
 
+# Frontend Service Config Values
+frontend-service = {
+  jwt_key = "r@nd0m$"
+}
+
 # Artifact Registry variables
 ### NOTE: If you change the Artifact registry location, please make sure to change `cloudbuild.yaml` in
 ### `services/clouddeploy.yaml;` as it is not dynamically created.

infrastructure/variables.tf

@@ -103,6 +103,15 @@ variable "k8s_service_account_id" {
   description = "The kubernetes service account that will impersonate the IAM service account to access Cloud Spanner. This account will be created."
 }
 
+### Frontend Service Variables ###
+
+variable "frontend-service" {
+  type = object({
+    jwt_key = string
+  })
+  description = "Configuration for the frontend service that provides oAuth authentications"
+}
+
 ### Allocation Endpoint Variables ###
 
 variable "allocation_endpoint" {
@@ -125,3 +134,4 @@ variable "services_directory" {
   type        = string
   description = "Services Directory for output to Cloud Deploy related files"
 }
+

services/frontend/.gitignore

@@ -0,0 +1,15 @@
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+configmap.yaml

services/frontend-api/README.md → services/frontend/README.md

@@ -2,6 +2,8 @@
 
 CLIENT_ID and SECRET_ID need to be generated and fetched from https://console.cloud.google.com/apis/credentials (OAuth 2.0 Client IDs)
 
+For the JWT_KEY, this can be any arbitrary string, but has to be consistent between deployments.
+s
 # For Local development
 
 Please create a .env file in the same with the following variables:
@@ -16,6 +18,9 @@ PING_SERVICE=http://localhost:8083
 JWT_KEY=<JWT_KEY>
 ```
 
+* `LISTEN_PORT` is the local port for this Docker container
+* `CLIENT_LAUNCHER_PORT` is the port that the launcher uses. There shouldn't be any reason to change this value.
+
 # Building locally
 
 `make build`

services/skaffold.yaml

@@ -19,3 +19,4 @@ deploy:
     manifests:
       - ping-discovery/service-account.yaml
       - ping-discovery/deployment.yaml
+      - frontend/configmap.yaml