Add subdomain label (#1964)

* Move tenant fetcher to director

* Fix unit tests

* Adapt charts

* Add subdomain label for tenants in tenant-fetcher deployment

* Refactor code

* Adjust tests

* Add subdomain label for tenants in tenant-fetcher job

* Add default command in tenant-fetcher deployment

* Minor improvement

* Change jwks endpoint

* Adjust deployment chart

* Fix unit tests

* Update DB migration

* Revert run.sh script

* Refactor existing code

* Remove duplicate code

* Improve handler test

* Improve implementation

* Fix imports

* Move label creation to tenant service

* Add tests

* Apply comments

* Fix go.sum

* Use correct e2e-tests version in chart

* Use correct schema-migrator as well

* Add new tenant query

* Adjust tests

* Fix tenant fetcher tests

* Revert unused config

* Apply comments

* Remove lefotver regional config

Co-authored-by: Desislava Asenova <9128192+desislavaa@users.noreply.github.com>
Co-authored-by: Desislava Asenova <desislava.asenova@sap.com>

chart/compass/charts/tenant-fetcher/templates/deployment.yaml

@@ -37,8 +37,13 @@ spec:
         {{- toYaml .Values.deployment.nodeSelector | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
-          image: {{ .Values.global.images.containerRegistry.path }}/{{ .Values.global.images.tenant_fetcher.dir }}compass-tenant-fetcher:{{ .Values.global.images.tenant_fetcher.version }}
+          image: {{ .Values.global.images.containerRegistry.path }}/{{ .Values.global.images.director.dir }}compass-director:{{ .Values.global.images.director.version }}
           imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
+          command:
+            - "/bin/sh"
+          args:
+              - "-c"
+              - "./tenantfetcher-svc; exit_code=$?; echo '# KILLING PILOT-AGENT #'; pkill -INT cloud_sql_proxy; curl -XPOST http://127.0.0.1:15020/quitquitquit; sleep 5; exit $exit_code;"
           ports:
             - name: http
               containerPort: {{ .Values.deployment.args.containerPort }}
@@ -54,6 +59,8 @@ spec:
               value: {{ .Values.global.tenantFetcher.tenantProvider.tenantIdProperty }}
             - name: APP_TENANT_PROVIDER_CUSTOMER_ID_PROPERTY
               value: {{ .Values.global.tenantFetcher.tenantProvider.customerIdProperty }}
+            - name: APP_TENANT_PROVIDER_SUBDOMAIN_PROPERTY
+              value: {{ .Values.global.tenantFetcher.tenantProvider.subdomainProperty }}
             - name: APP_TENANT_PROVIDER
               value: {{ .Values.global.tenantFetcher.tenantProvider.name }}
             - name: APP_LOG_FORMAT
@@ -64,8 +71,8 @@ spec:
               value: "{{ .Values.global.tenantFetcher.prefix }}"
             - name: APP_HANDLER_ENDPOINT
               value: "{{ .Values.server.handlerEndpoint }}"
-            - name: APP_JWKS_ENDPOINTS
-              value: {{ .Values.global.tenantFetcher.authentication.jwksEndpoints | quote }}
+            - name: APP_JWKS_ENDPOINT
+              value: "{{ .Values.global.tenantFetcher.authentication.jwksEndpoint }}"
             - name: APP_TENANT_PATH_PARAM
               value: "{{ .Values.server.tenantPathParam }}"
             - name: APP_DB_USER
@@ -105,7 +112,7 @@ spec:
             - name: APP_ALLOW_JWT_SIGNING_NONE
               value: {{ .Values.global.tenantFetcher.authentication.allowJWTSigningNone | quote }}
             - name: APP_SUBSCRIPTION_CALLBACK_SCOPE
-              value: Callback
+              value: "{{ .Values.global.tenantFetcher.requiredAuthScope }}"
           livenessProbe:
             httpGet:
               port: {{.Values.deployment.args.containerPort }}

chart/compass/templates/tenant-fetcher-job.yaml

@@ -118,6 +118,8 @@ spec:
                 value: {{ $config.fieldMapping.nameField }}
               - name: APP_MAPPING_FIELD_CUSTOMER_ID
                 value: {{ $config.fieldMapping.customerIdField }}
+              - name: APP_MAPPING_FIELD_SUBDOMAIN
+                value: {{ $config.fieldMapping.subdomainField }}
               - name: APP_MAPPING_FIELD_DISCRIMINATOR
                 value: {{ $config.fieldMapping.discriminatorField }}
               - name: APP_MAPPING_VALUE_DISCRIMINATOR
@@ -156,7 +158,7 @@ spec:
               - "/bin/sh"
             args:
               - "-c"
-              - "./tenantfetcher; exit_code=$?; echo '# KILLING PILOT-AGENT #'; pkill -INT cloud_sql_proxy; curl -XPOST http://127.0.0.1:15020/quitquitquit; sleep 5; exit $exit_code;"
+              - "./tenantfetcher-job; exit_code=$?; echo '# KILLING PILOT-AGENT #'; pkill -INT cloud_sql_proxy; curl -XPOST http://127.0.0.1:15020/quitquitquit; sleep 5; exit $exit_code;"
           {{if eq $.Values.global.database.embedded.enabled false}}
           - name: cloudsql-proxy
             image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine

chart/compass/templates/tests/tenant-fetcher/tenant-fetcher-test.yaml

@@ -33,8 +33,10 @@ spec:
           env:
             - name: APP_TENANT_PROVIDER_TENANT_ID_PROPERTY
               value: {{ .Values.global.tenantFetcher.tenantProvider.tenantIdProperty }}
-            - name: APP_TENANT_PROVIDER_TENANT_ID_PROPERTY
+            - name: APP_TENANT_PROVIDER_CUSTOMER_ID_PROPERTY
               value: {{ .Values.global.tenantFetcher.tenantProvider.customerIdProperty }}
+            - name: APP_TENANT_PROVIDER_SUBDOMAIN_PROPERTY
+              value: {{ .Values.global.tenantFetcher.tenantProvider.subdomainProperty }}
             - name: APP_TENANT_PROVIDER
               value: "test-provider"
             - name: APP_TENANT
@@ -91,5 +93,5 @@ spec:
             - name: APP_DB_MAX_IDLE_CONNECTIONS
               value: "{{ .Values.global.tests.db.maxIdleConnections }}"
             - name: APP_SUBSCRIPTION_CALLBACK_SCOPE
-              value: Callback
+              value: "{{ .Values.global.tenantFetcher.requiredAuthScope }}"
       restartPolicy: Never

chart/compass/values.yaml

@@ -75,7 +75,7 @@ global:
       version: "PR-1979"
     director:
       dir:
-      version: "PR-1950"
+      version: "PR-1964"
     gateway:
       dir:
       version: "PR-1979"
@@ -90,7 +90,7 @@ global:
       version: "PR-37"
     schema_migrator:
       dir:
-      version: "PR-1979"
+      version: "PR-1964"
     system_broker:
       dir:
       version: "PR-1979"
@@ -107,7 +107,7 @@ global:
       version: "PR-40"
     e2e_tests:
       dir:
-      version: "PR-1950"
+      version: "PR-1964"
   isLocalEnv: false
   oauth2:
     host: oauth2
@@ -343,12 +343,14 @@ global:
     host: compass-tenant-fetcher.compass-system.svc.cluster.local
     prefix: /tenants
     port: 3000
+    requiredAuthScope: Callback
     authentication:
       allowJWTSigningNone: true
-      jwksEndpoints: '["http://ory-oathkeeper-api.kyma-system.svc.cluster.local:4456/.well-known/jwks.json"]'
+      jwksEndpoint: "http://ory-oathkeeper-api.kyma-system.svc.cluster.local:4456/.well-known/jwks.json"
     tenantProvider:
       tenantIdProperty: "tenantId"
       customerIdProperty: "customerId"
+      subdomainProperty: "subdomain"
       name: "provider"
 
   ordService:
@@ -432,6 +434,7 @@ global:
         idField: "id"
         nameField: "name"
         customerIdField: "customerId"
+        subdomainField: "subdomain"
         discriminatorField: ""
         discriminatorValue: ""
         detailsField: "details"

components/director/Dockerfile

@@ -21,13 +21,15 @@ COPY . .
 #
 
 RUN go build -v -o director ./cmd/director/main.go \
-  && go build -v -o tenantfetcher ./cmd/tenantfetcher/main.go \
+  && go build -v -o tenantfetcher-job ./cmd/tenantfetcher-job/main.go \
+  && go build -v -o tenantfetcher-svc ./cmd/tenantfetcher-svc/main.go \
   && go build -v -o tenantloader ./cmd/tenantloader/main.go \
   && go build -v -o ordaggregator ./cmd/ordaggregator/main.go \
   && go build -v -o scopessynchronizer ./cmd/scopessynchronizer/main.go \
   && go build -v -o systemfetcher ./cmd/systemfetcher/main.go
 RUN mkdir /app && mv ./director /app/director \
-  && mv ./tenantfetcher /app/tenantfetcher \
+  && mv ./tenantfetcher-job /app/tenantfetcher-job \
+  && mv ./tenantfetcher-svc /app/tenantfetcher-svc \
   && mv ./tenantloader /app/tenantloader \
   && mv ./ordaggregator /app/ordaggregator \
   && mv ./scopessynchronizer /app/scopessynchronizer \

components/director/Makefile

@@ -27,10 +27,10 @@ dep-status-local:
 
 build-local:
 	env go build -o bin/director ./cmd/director/main.go
-	env go build -o bin/tenantfetcher ./cmd/tenantfetcher/main.go
+	env go build -o bin/tenantfetcher-job ./cmd/tenantfetcher-job/main.go
+	env go build -o bin/tenantfetcher-svc ./cmd/tenantfetcher-svc/main.go
 
 install-tools:
 	go mod download
 	@echo Installing tools from tools.go
 	cat tools/tools.go | grep _ | awk -F'"' '{print $$2}' | xargs -tI % go install %
-

components/director/cmd/director/main.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"time"
 
+	"github.com/kyma-incubator/compass/components/director/internal/authenticator/claims"
 	dataloader "github.com/kyma-incubator/compass/components/director/internal/dataloaders"
 	"github.com/kyma-incubator/compass/components/director/internal/domain/schema"
 
@@ -218,7 +219,7 @@ func main() {
 	executableSchema := graphql.NewExecutableSchema(gqlCfg)
 
 	logger.Infof("Registering GraphQL endpoint on %s...", cfg.APIEndpoint)
-	authMiddleware := mp_authenticator.New(cfg.JWKSEndpoint, cfg.AllowJWTSigningNone, cfg.ClientIDHttpHeaderKey)
+	authMiddleware := mp_authenticator.New(cfg.JWKSEndpoint, cfg.AllowJWTSigningNone, cfg.ClientIDHttpHeaderKey, claims.NewValidator())
 
 	if cfg.JWKSSyncPeriod != 0 {
 		logger.Infof("JWKS synchronization enabled. Sync period: %v", cfg.JWKSSyncPeriod)

components/director/cmd/tenantfetcher/main.go → components/director/cmd/tenantfetcher-job/main.go

@@ -87,18 +87,19 @@ func createTenantFetcherSvc(cfg config, transact persistence.Transactioner, kube
 	metricsPusher *metrics.Pusher) *tenantfetcher.Service {
 	uidSvc := uid.NewService()
 
-	tenantStorageConv := tenant.NewConverter()
-	tenantStorageRepo := tenant.NewRepository(tenantStorageConv)
-	tenantStorageSvc := tenant.NewService(tenantStorageRepo, uidSvc)
-
 	labelDefConverter := labeldef.NewConverter()
 	labelDefRepository := labeldef.NewRepository(labelDefConverter)
-	scenariosService := labeldef.NewScenariosService(labelDefRepository, uidSvc, cfg.Features.DefaultScenarioEnabled)
 
 	labelConverter := label.NewConverter()
 	labelRepository := label.NewRepository(labelConverter)
 	labelUpsertService := label.NewLabelUpsertService(labelRepository, labelDefRepository, uidSvc)
 
+	tenantStorageConv := tenant.NewConverter()
+	tenantStorageRepo := tenant.NewRepository(tenantStorageConv)
+	tenantStorageSvc := tenant.NewServiceWithLabels(tenantStorageRepo, uidSvc, labelRepository, labelUpsertService)
+
+	scenariosService := labeldef.NewScenariosService(labelDefRepository, uidSvc, cfg.Features.DefaultScenarioEnabled)
+
 	scenarioAssignConv := scenarioassignment.NewConverter()
 	scenarioAssignRepo := scenarioassignment.NewRepository(scenarioAssignConv)
 	scenarioAssignEngine := scenarioassignment.NewEngine(labelUpsertService, labelRepository, scenarioAssignRepo)

components/tenant-fetcher/cmd/main.go → components/director/cmd/tenantfetcher-svc/main.go

@@ -22,11 +22,18 @@ import (
 	"os"
 	"time"
 
+	auth "github.com/kyma-incubator/compass/components/director/internal/authenticator"
+	"github.com/kyma-incubator/compass/components/director/internal/authenticator/claims"
+	"github.com/kyma-incubator/compass/components/director/internal/domain/label"
+	"github.com/kyma-incubator/compass/components/director/internal/domain/labeldef"
+	"github.com/kyma-incubator/compass/components/director/internal/domain/tenant"
+	"github.com/kyma-incubator/compass/components/director/internal/uid"
+	"github.com/kyma-incubator/compass/components/director/pkg/executor"
 	"github.com/kyma-incubator/compass/components/director/pkg/persistence"
 
 	"github.com/kyma-incubator/compass/components/director/pkg/correlation"
 
-	"github.com/kyma-incubator/compass/components/tenant-fetcher/internal/tenant"
+	tenantfetcher "github.com/kyma-incubator/compass/components/director/internal/tenantfetchersvc"
 
 	"github.com/gorilla/mux"
 	timeouthandler "github.com/kyma-incubator/compass/components/director/pkg/handler"
@@ -48,7 +55,7 @@ type config struct {
 
 	RootAPI string `envconfig:"APP_ROOT_API,default=/tenants"`
 
-	Handler tenant.Config
+	Handler tenantfetcher.HandlerConfig
 
 	Database persistence.DatabaseConfig
 }
@@ -65,6 +72,9 @@ func main() {
 	err := envconfig.InitWithPrefix(&cfg, envPrefix)
 	exitOnError(err, "Error while loading app config")
 
+	ctx, err = log.Configure(ctx, &cfg.Log)
+	exitOnError(err, "Failed to configure Logger")
+
 	if cfg.Handler.HandlerEndpoint == "" || cfg.Handler.TenantPathParam == "" {
 		exitOnError(errors.New("missing handler endpoint or tenant path parameter"), "Error while loading app handler config")
 	}
@@ -77,43 +87,37 @@ func main() {
 		exitOnError(err, "Error while closing the connection to the database")
 	}()
 
-	ctx, err = log.Configure(ctx, &cfg.Log)
-	exitOnError(err, "Failed to configure Logger")
-
-	handler, err := initAPIHandler(ctx, cfg, transact)
-	exitOnError(err, "Failed to init tenant fetcher handlers")
-
+	handler := initAPIHandler(ctx, cfg, transact)
 	runMainSrv, shutdownMainSrv := createServer(ctx, cfg, handler, "main")
 
 	go func() {
 		<-ctx.Done()
-
 		// Interrupt signal received - shut down the servers
 		shutdownMainSrv()
 	}()
 
 	runMainSrv()
 }
 
-func initAPIHandler(ctx context.Context, cfg config, transact persistence.Transactioner) (http.Handler, error) {
+func initAPIHandler(ctx context.Context, cfg config, transact persistence.Transactioner) http.Handler {
 	logger := log.C(ctx)
 	mainRouter := mux.NewRouter()
 	mainRouter.Use(correlation.AttachCorrelationIDToContext(), log.RequestLogger())
 
 	router := mainRouter.PathPrefix(cfg.RootAPI).Subrouter()
 	healthCheckRouter := mainRouter.PathPrefix(cfg.RootAPI).Subrouter()
 
-	if err := tenant.RegisterHandler(ctx, router, cfg.Handler, transact); err != nil {
-		return nil, err
-	}
+	configureAuthMiddleware(ctx, router, cfg.Handler)
+
+	registerHandler(ctx, router, cfg.Handler, transact)
 
 	logger.Infof("Registering readiness endpoint...")
 	healthCheckRouter.HandleFunc("/readyz", newReadinessHandler())
 
 	logger.Infof("Registering liveness endpoint...")
 	healthCheckRouter.HandleFunc("/healthz", newReadinessHandler())
 
-	return mainRouter, nil
+	return mainRouter
 }
 
 func exitOnError(err error, context string) {
@@ -155,6 +159,43 @@ func createServer(ctx context.Context, cfg config, handler http.Handler, name st
 	return runFn, shutdownFn
 }
 
+func configureAuthMiddleware(ctx context.Context, router *mux.Router, cfg tenantfetcher.HandlerConfig) {
+	scopeValidator := claims.NewScopesValidator([]string{cfg.SubscriptionCallbackScope})
+	middleware := auth.New(cfg.JwksEndpoint, cfg.AllowJWTSigningNone, "", scopeValidator)
+	router.Use(middleware.Handler())
+
+	log.C(ctx).Infof("JWKS synchronization enabled. Sync period: %v", cfg.JWKSSyncPeriod)
+	periodicExecutor := executor.NewPeriodic(cfg.JWKSSyncPeriod, func(ctx context.Context) {
+		if err := middleware.SynchronizeJWKS(ctx); err != nil {
+			log.C(ctx).WithError(err).Errorf("An error has occurred while synchronizing JWKS: %v", err)
+		}
+	})
+	go periodicExecutor.Run(ctx)
+}
+
+func registerHandler(ctx context.Context, router *mux.Router, cfg tenantfetcher.HandlerConfig, transact persistence.Transactioner) {
+	uidSvc := uid.NewService()
+
+	labelConv := label.NewConverter()
+	labelRepo := label.NewRepository(labelConv)
+	labelDefConv := labeldef.NewConverter()
+	labelDefRepo := labeldef.NewRepository(labelDefConv)
+	labelUpsertSvc := label.NewLabelUpsertService(labelRepo, labelDefRepo, uidSvc)
+
+	converter := tenant.NewConverter()
+	tenantRepo := tenant.NewRepository(converter)
+	tenantSvc := tenant.NewServiceWithLabels(tenantRepo, uidSvc, labelRepo, labelUpsertSvc)
+
+	provisioner := tenantfetcher.NewTenantProvisioner(tenantSvc)
+	tenantHandler := tenantfetcher.NewTenantsHTTPHandler(provisioner, transact, cfg)
+
+	log.C(ctx).Infof("Registering Tenant Onboarding endpoint on %s...", cfg.HandlerEndpoint)
+	router.HandleFunc(cfg.HandlerEndpoint, tenantHandler.Create).Methods(http.MethodPut)
+
+	log.C(ctx).Infof("Registering Tenant Decommissioning endpoint on %s...", cfg.HandlerEndpoint)
+	router.HandleFunc(cfg.HandlerEndpoint, tenantHandler.DeleteByExternalID).Methods(http.MethodDelete)
+}
+
 func newReadinessHandler() func(writer http.ResponseWriter, request *http.Request) {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		writer.WriteHeader(http.StatusOK)

components/director/cmd/tenantloader/main.go

@@ -3,6 +3,8 @@ package main
 import (
 	"context"
 
+	"github.com/kyma-incubator/compass/components/director/internal/domain/label"
+	"github.com/kyma-incubator/compass/components/director/internal/domain/labeldef"
 	"github.com/kyma-incubator/compass/components/director/internal/domain/tenant"
 	"github.com/kyma-incubator/compass/components/director/internal/uid"
 	"github.com/kyma-incubator/compass/components/director/pkg/log"
@@ -35,10 +37,17 @@ func main() {
 		exitOnError(err, "error while closing the connection to the database")
 	}()
 
+	UIDSvc := uid.NewService()
+
+	labelConv := label.NewConverter()
+	labelRepo := label.NewRepository(labelConv)
+	labelDefConv := labeldef.NewConverter()
+	labelDefRepo := labeldef.NewRepository(labelDefConv)
+	labelUpsertSvc := label.NewLabelUpsertService(labelRepo, labelDefRepo, UIDSvc)
+
 	tenantConverter := tenant.NewConverter()
 	tenantRepo := tenant.NewRepository(tenantConverter)
-	UIDSvc := uid.NewService()
-	tenantSvc := tenant.NewService(tenantRepo, UIDSvc)
+	tenantSvc := tenant.NewServiceWithLabels(tenantRepo, UIDSvc, labelRepo, labelUpsertSvc)
 
 	tenants, err := externaltenant.MapTenants(tenantsDirectoryPath)
 	exitOnError(err, "error while mapping tenants from file")
@@ -49,7 +58,7 @@ func main() {
 
 	ctx = persistence.SaveToContext(ctx, tx)
 
-	err = tenantSvc.CreateManyIfNotExists(ctx, tenants)
+	err = tenantSvc.CreateManyIfNotExists(ctx, tenants...)
 	exitOnError(err, "error while creating tenants")
 
 	err = tx.Commit()