amundsen-io · feng-tao · Jan 31, 2020 · Jan 31, 2020 · Jan 31, 2020 · Jan 31, 2020
@@ -14,10 +14,11 @@ stringData:
         "auth_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/v1/authorize",
         "token_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/v1/token",
         "issuer": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}",
-        "userinfo_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/userinfo",
+        "userinfo_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/v1/userinfo",
         "redirect_uris": [
           "http://localhost/oidc_callback"
-        ]
+        ],
+        "token_introspection_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/v1/introspect"
       }
     }
 {{- end }}
@@ -97,3 +97,54 @@ AUTH_USER_METHOD = get_auth_user
 ```
 
 Once done, you'll have the end-to-end authentication in Amundsen without any proxy or code changes.
+
+
+## Using Okta with Amundsen on K8s
+Assumptions:
+- You have access to okta (you can create a developer account for free!)
+- You are using k8s to setup amundsen. See [amundsen-kube-helm](../../amundsen-kube-helm/README.md)
+
+1. You need to have a stable DNS entry for amundsen-frontend that can be registered in okta.
+    - for example in AWS you can setup route53
+    I will assume for the rest of this tutorial that your stable uri is "http://amundsen-frontend"
+2. You need to register amundsen in okta as an app. More info [here](https://developer.okta.com/blog/2018/07/12/flask-tutorial-simple-user-registration-and-login). 
+But here are specific instructions for amundsen:
+    - At this time, I have only succesfully tested integration after ALL grants were checked.
+    - Set the Login redirect URIs to: http://amundsen-frontend/oidc_callback
+    - No need to set a logout redirect URI
+    - Set the Initiate login URI to: http://amundsen-frontend/oidc_callback
+    - Copy the Client ID and Client secret as you will need this later.
+3. At present, there is no oidc build of the frontend. So you will need to build an oidc build yourself and upload it to, for example ECR, for use by k8s.
+   You can then specify which image you want to use as a property override for your helm install like so:
+   ```yaml
+   frontEndServiceImage: 123.dkr.ecr.us-west-2.amazonaws.com/edmunds/amundsen-frontend:oidc-test
+   ```
+   Please see further down in this doc for more instructions on how to build frontend.
+4. When you start up helm you will need to provide some properties. Here are the properties that need to be overridden for oidc to work:
+    ```yaml
+    oidcEnabled: true
+    createOidcSecret: true
+    OIDC_CLIENT_ID: YOUR_CLIENT_ID
+    OIDC_CLIENT_SECRET: YOUR_SECRET_ID
+    OIDC_ORG_URL: https://edmunds.okta.com
+    OIDC_AUTH_SERVER_ID: default
+    # You also will need a custom oidc frontend build too
+    frontEndServiceImage: 123.dkr.ecr.us-west-2.amazonaws.com/edmunds/amundsen-frontend:oidc-test
+    ```
+
+
+## Building frontend with OIDC
+
+1. Please look at [this guide](../developer_guide.md) for instructions on how to build a custom frontend docker image.
+2. The only difference to above is that in your docker file you will want to add the following at the end. This will make sure its ready to go for oidc.
+You can take alook at the public.Dockerfile as a reference.
+```dockerfile
+RUN pip3 install .[oidc]
+ENV FRONTEND_SVC_CONFIG_MODULE_CLASS amundsen_application.oidc_config.OidcConfig
+ENV APP_WRAPPER flaskoidc
+ENV APP_WRAPPER_CLASS FlaskOIDC
+ENV FLASK_OIDC_WHITELISTED_ENDPOINTS status,healthcheck,health
+ENV FLASK_OIDC_SQLALCHEMY_DATABASE_URI sqlite:///sessions.db
+```
+
+
@@ -63,3 +63,86 @@ rm -rf .local/neo4j
 
 ### Troubleshooting
 1. If you have made a change in `amundsen/amundsenfrontendlibrary` and do not see your changes, this could be due to your browser's caching behaviors. Either execute a hard refresh (recommended) or clear your browser cache (last resort).
+
+
+
+### Testing Amundsen frontend locally
+
+Amundsen has an instruction regarding local frontend launch [here](https://github.com/lyft/amundsenfrontendlibrary/blob/master/docs/installation.md)
+
+Here are some additional changes you might need for windows (OS Win 10):
+
+ - amundsen_application/config.py, set LOCAL_HOST = '127.0.0.1'
+ - amundsen_application/wsgi.py, set host='127.0.0.1'
+ (for other microservices also need to change `port` here because the default is 5000)
+
+(using that approach you can run locally another microservices as well if needed)  
+
+Once you have a running frontend microservice, the rest of Amundsen components can be launched with docker-compose 
+from the root Amundsen project (don't forget to remove frontend microservice section from docker-amundsen.yml):
+`docker-compose -f docker-amundsen.yml up`
+https://github.com/lyft/amundsen/blob/master/docs/installation.md
+
+### Developing Dockerbuild file
+
+When making edits to Dockerbuild file (docker-amundsen-local.yml) it is good to see what you are getting wrong locally.
+To do that you build it `docker build .`
+
+And then the output should include a line like so at the step right before it failed:
+```bash
+Step 3/20 : RUN git clone --recursive git://github.com/lyft/amundsenfrontendlibrary.git  && cd amundsenfrontendlibrary  && git submodule foreach git pull origin master
+ ---> Using cache
+ ---> ec052612747e
+```
+
+You can then launch a container from this image like so
+```bash
+docker container run -it --name=debug ec052612747e /bin/sh
+```
+
+### Building and Testing Amundsen Frontend Docker Image (or any other service)
+
+1. Build your image
+`docker build --no-cache .` it is recommended that you use --no-cache so you aren't accidentally using an old version of an image.
+2. Determine the hash of your images by running `docker images` and getting the id of your most recent image
+3. Go to your locally cloned amundsen repo and edit the docker compose file "docker-amundsen.yml" to have 
+the amundsenfrontend image point to the hash of the image that you built
+
+```yaml
+  amundsenfrontend:
+      #image: amundsendev/amundsen-frontend:1.0.9
+      #image: 1234.dkr.ecr.us-west-2.amazonaws.com/edmunds/amundsen-frontend:2020-01-21
+      image: 0312d0ac3938
+```
+
+
+### Pushing image to ECR and using in K8s
+
+Assumptions:
+- You have an aws account
+- You have aws command line set up and ready to go
+
+1. Choose an ECR repository you'd like to push to (or create a new one)
+https://us-west-2.console.aws.amazon.com/ecr/repositories
+2. Click onto repository name and open "View push commands" cheat sheet
+2b. Login
+
+    it would look something like this:
+
+    `aws ecr get-login --no-include-email --region us-west-2`
+    Then execute what is returned by above
+
+3. Follow the instructions (you may need to install first AWS CLI, aws-okta and configure your AWS credentials if you haven't done it before)
+Given image name is amundsen-frontend, build, tag and push commands will be the following:
+Here you can see the tag is YYYY-MM-dd but you should choose whatever you like. 
+    ```
+    docker build -t amundsen-frontend:{YYYY-MM-dd} .
+    docker tag amundsen-frontend:{YYYY-MM-dd} <?>.dkr.ecr.<?>.amazonaws.com/amundsen-frontend:{YYYY-MM-dd}
+    docker push <?>.dkr.ecr.<?>.amazonaws.com/amundsen-frontend:{YYYY-MM-dd}
+    ```
+
+4. Go to the `helm/{env}/amundsen/values.yaml` and modify to the image tag that you want to use.
+
+
+5. When updating amundsen-frontend, make sure to do a hard refresh of amundsen with emptying the cache,
+otherwise you will see stale version of webpage.