More tests for authentication.

Author: pantierra

charts/eoapi/profiles/experimental.yaml

@@ -371,11 +371,14 @@ stac-auth-proxy:
   enabled: true
   service:
     port: 8080
-  # Wait for mock-oidc to be ready in testing scenarios
+  # Wait for dependencies to be ready before starting stac-auth-proxy
   initContainers:
     - name: wait-for-mock-oidc
       image: busybox:1.35
       command: ['sh', '-c', 'until nc -z eoapi-mock-oidc-server.eoapi.svc.cluster.local 8080; do echo waiting for mock-oidc; sleep 2; done']
+    - name: wait-for-stac
+      image: busybox:1.35
+      command: ['sh', '-c', 'until nc -z eoapi-stac.eoapi.svc.cluster.local 8080; do echo waiting for stac service; sleep 2; done']
   env:
     UPSTREAM_URL: "http://eoapi-stac:8080"
     # For testing one could deploy a mock OIDC server (https://github.com/alukach/mock-oidc-server)

charts/eoapi/templates/core/stac-auth-proxy-patch.yaml

@@ -27,6 +27,7 @@ spec:
       - name: patch-deployment
         image: bitnami/kubectl:latest
         imagePullPolicy: IfNotPresent
+        # Use python3 for JSON manipulation (bitnami/kubectl includes python3)
         command:
         - /bin/bash
         - -c
@@ -45,7 +46,8 @@ spec:
             exit 0
           fi
           echo "Patching deployment with initContainers..."
-          INIT_CONTAINERS_JSON='{{ index .Values "stac-auth-proxy" "initContainers" | toJson }}'
+          # Use Helm templating to replace service names in the JSON string
+          INIT_CONTAINERS_JSON='{{ index .Values "stac-auth-proxy" "initContainers" | toJson | replace "eoapi-stac.eoapi" (printf "%s-stac.%s" .Release.Name .Release.Namespace) | replace "eoapi-mock-oidc-server.eoapi" (printf "%s-mock-oidc-server.%s" .Release.Name .Release.Namespace) }}'
           kubectl patch deployment "$DEPLOYMENT_NAME" -n "$NAMESPACE" --type='json' -p="[{\"op\":\"add\",\"path\":\"/spec/template/spec/initContainers\",\"value\":$INIT_CONTAINERS_JSON}]"
           echo "Waiting for rollout..."
           kubectl rollout status deployment/"$DEPLOYMENT_NAME" -n "$NAMESPACE" --timeout=300s

scripts/deploy.sh

@@ -393,8 +393,13 @@ deploy_eoapi() {
 
         # Set UPSTREAM_URL and OIDC_DISCOVERY_URL dynamically for stac-auth-proxy when experimental profile is used
         # The experimental profile enables stac-auth-proxy, so we need to set the correct service names
+        # Also configure STAC service to run without root path when behind auth proxy
         HELM_CMD="$HELM_CMD --set stac-auth-proxy.env.UPSTREAM_URL=http://$RELEASE_NAME-stac:8080"
         HELM_CMD="$HELM_CMD --set stac-auth-proxy.env.OIDC_DISCOVERY_URL=http://$RELEASE_NAME-mock-oidc-server.$NAMESPACE.svc.cluster.local:8080/.well-known/openid-configuration"
+        # Note: initContainer service names are dynamically replaced by the stac-auth-proxy-patch job
+        # Configure STAC service to run without root path when behind auth proxy
+        # Empty string makes STAC service run at root path (no --root-path argument)
+        HELM_CMD="$HELM_CMD --set 'stac.overrideRootPath='"
 
         HELM_CMD="$HELM_CMD --set eoapi-notifier.enabled=true"
         HELM_CMD="$HELM_CMD --set eoapi-notifier.config.sources[0].config.connection.existingSecret.name=$RELEASE_NAME-pguser-eoapi"

scripts/deployment.sh

@@ -86,9 +86,14 @@ run_deployment() {
 
     # Set UPSTREAM_URL and OIDC_DISCOVERY_URL dynamically for stac-auth-proxy when experimental profile is used
     # The experimental profile enables stac-auth-proxy, so we need to set the correct service names
+    # Also configure STAC service to run without root path when behind auth proxy
     if [[ "$use_experimental" == "true" ]]; then
         helm_cmd="$helm_cmd --set stac-auth-proxy.env.UPSTREAM_URL=http://$RELEASE_NAME-stac:8080"
         helm_cmd="$helm_cmd --set stac-auth-proxy.env.OIDC_DISCOVERY_URL=http://$RELEASE_NAME-mock-oidc-server.$NAMESPACE.svc.cluster.local:8080/.well-known/openid-configuration"
+        # Note: initContainer service names are dynamically replaced by the stac-auth-proxy-patch job
+        # Configure STAC service to run without root path when behind auth proxy
+        # Empty string makes STAC service run at root path (no --root-path argument)
+        helm_cmd="$helm_cmd --set 'stac.overrideRootPath='"
     fi
 
     if is_ci; then

tests/conftest.py

@@ -11,17 +11,17 @@
 
 @pytest.fixture(scope="session")
 def raster_endpoint() -> str:
-    return os.getenv("RASTER_ENDPOINT", "http://127.0.0.1/raster")
+    return os.getenv("RASTER_ENDPOINT", "http://localhost/raster")
 
 
 @pytest.fixture(scope="session")
 def vector_endpoint() -> str:
-    return os.getenv("VECTOR_ENDPOINT", "http://127.0.0.1/vector")
+    return os.getenv("VECTOR_ENDPOINT", "http://localhost/vector")
 
 
 @pytest.fixture(scope="session")
 def stac_endpoint() -> str:
-    return os.getenv("STAC_ENDPOINT", "http://127.0.0.1/stac")
+    return os.getenv("STAC_ENDPOINT", "http://localhost/stac")
 
 
 def get_namespace() -> str: