esm auth server #34

Supports: xenial bionic

Description

This Go server coordinates with nginx to handle ESM authorization through the
nginx auth_request mechanism: nginx issues a subrequest to this server for each
incoming request, and the server answers 200 with an empty body if access is
granted and 401 with an empty body otherwise. On each request the server
extracts the resource token from the Authorization header and calls the
/v1/resources/esm?token=... endpoint on the contract service to validate that
the resource token is allowed to perform the request. The resource token is
taken from the request header; the entitlement comes back in the contract
service's response body.
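The auth_request exchange described above, as an added example that is not the esm-auth-server's own code: a Go handler that takes the resource token from the Authorization header, asks a contract-service client whether the token is entitled, and answers 200 or 401 with an empty body. The contract service itself is replaced by an in-memory stand-in with constructed tokens; the reply shape (a plain yes/no entitlement) and the two accepted header forms, `Bearer <token>` and `Basic` with username `bearer` and the token as the password, are assumptions, not details from the page. The example also goes one step beyond the page's 200/401 behaviour by answering 503 when the contract service cannot be reached, so that an outage is distinguishable from a rejected token.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ContractClient abstracts the call to the contract service's
// /v1/resources/esm?token=... endpoint so the handler can run offline.
type ContractClient interface {
	Validate(token string) (entitled bool, err error)
}

// tokenFromAuthHeader extracts the resource token from an Authorization header.
// Accepting both "Bearer <token>" and "Basic base64(bearer:<token>)" (a Basic-Auth
// client carrying the token as its password) is an assumption, not page content.
func tokenFromAuthHeader(h string) (string, bool) {
	scheme, rest, ok := strings.Cut(h, " ")
	if !ok {
		return "", false
	}
	switch strings.ToLower(scheme) {
	case "bearer":
		return rest, rest != ""
	case "basic":
		raw, err := base64.StdEncoding.DecodeString(rest)
		if err != nil {
			return "", false
		}
		user, pass, ok := strings.Cut(string(raw), ":")
		if !ok || !strings.EqualFold(user, "bearer") || pass == "" {
			return "", false
		}
		return pass, true
	}
	return "", false
}

// AuthRequestHandler implements the auth_request contract: 200/empty body when the
// token is entitled, 401/empty body when it is missing, malformed or not entitled.
// A contract-service failure becomes 503: nginx still denies (auth_request treats
// any status other than 2xx/401/403 as an error) but the outage shows in its logs.
func AuthRequestHandler(cc ContractClient) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := tokenFromAuthHeader(r.Header.Get("Authorization"))
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		entitled, err := cc.Validate(token)
		switch {
		case err != nil:
			w.WriteHeader(http.StatusServiceUnavailable)
		case !entitled:
			w.WriteHeader(http.StatusUnauthorized)
		default:
			w.WriteHeader(http.StatusOK) // no body: nginx only looks at the status
		}
	})
}

// fakeContracts is a constructed stand-in for the contract service.
type fakeContracts struct {
	entitled map[string]bool
	down     bool // true simulates an unreachable contract service
}

func (f fakeContracts) Validate(token string) (bool, error) {
	if f.down {
		return false, errors.New("contract service unreachable")
	}
	return f.entitled[token], nil
}

// probe sends one auth_request-style subrequest and returns the status code
// and response body length (the body must be empty for both 200 and 401).
func probe(h http.Handler, authHeader string) (int, int) {
	req := httptest.NewRequest(http.MethodGet, "/auth", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.Len()
}

func main() {
	// constructed tokens: one entitled, one expired/not entitled
	h := AuthRequestHandler(fakeContracts{entitled: map[string]bool{"tok-entitled": true, "tok-expired": false}})
	basic := "Basic " + base64.StdEncoding.EncodeToString([]byte("bearer:tok-entitled"))
	for _, hdr := range []string{"Bearer tok-entitled", basic, "Bearer tok-expired", "Basic bm90LWJlYXJlcjp4" /* not-bearer:x */, ""} {
		code, n := probe(h, hdr)
		fmt.Printf("%-40q -> %d (body %d bytes)\n", hdr, code, n)
	}
}
```

On the nginx side the matching configuration is the standard auth_request pattern: a protected location carrying `auth_request /auth;`, and an internal `/auth` location that proxies to the service's port (8080 by default) with `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";`, so only the headers reach the auth server. nginx then lets the protected request through on a 2xx, returns a 401 or 403 from the subrequest to the client, and treats any other status as an error.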


esm-auth-server charm

This charm deploys the esm-auth-server, which provides HTTP credential
validation and management for ESM and any other application requiring a
basic-auth-check. Credentials are validated against information retrieved from
the contract service.

basic-auth-check relation

This charm can be related via the basic-auth-check relation to applications
that need Basic-Auth credential validation. This is done by:

juju add-relation esm-auth-server:basic-auth-check <other-service>:basic-auth-check

The related service can use the basic-auth-check interface to implement the
handling of the relation configuration.

Multiple units of this application can be deployed in order to achieve
high-availability.


Configuration

contracts-addr (string; default: https://admin@contracts.staging.canonical.com)
    The address of the contracts service, optionally including basic-auth credentials and port. The contracts service is used for retrieving the entitlements associated with resource tokens. Credentials embedded in this URL are stored as ordinary Juju application configuration, so anyone who can run juju config against the model can read them.
kafka_brokers (string)
    Comma-separated list of Kafka brokers. If not provided, the service still works but does not send audit data to Kafka.
kafka_ca_cert (string)
    Certificate of the CA that issued the Kafka certificates.
kafka_client_cert (string)
    Kafka client certificate.
kafka_client_key (string)
    Kafka client key.
legacy-auth-app-name (string; default: basic-auth-service)
    The name of the Juju application, previously related to the postgres charm, that originally created the legacy database of ESM credentials.
log-level (string; default: info)
    The log level to apply to the service.
nagios_context (string; default: juju)
    Used by the nrpe subordinate charms. A string prepended to the instance name to form the host name in Nagios, so that the host name would be something like juju-myservice-0. If you run multiple environments with the same services in them, this lets you tell them apart.
nagios_servicegroups (string)
    A comma-separated list of Nagios servicegroups. If left empty, nagios_context is used as the servicegroup.
port (int; default: 8080)
    The port on which the service listens.
snap_proxy (string)
    DEPRECATED. Use the snap-http-proxy and snap-https-proxy model configuration settings. HTTP/HTTPS web proxy for Snappy to use when accessing the snap store.
snap_proxy_url (string)
    DEPRECATED. Use the snap-store-proxy model configuration setting. The address of a Snap Store Proxy to use for snaps, e.g. http://snap-proxy.example.com
snapd_refresh (string)
    How often snapd handles updates for installed snaps. The default (an empty string) is four times per day. Set to "max" to check once per month, based on the charm deployment date. You may also set a custom string as described in the 'refresh.timer' section here: https://forum.snapcraft.io/t/system-options/87