supabase-operator/internal/controlplane/gotrue.go

package controlplane

import (
	"fmt"

	clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
	matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
	"google.golang.org/protobuf/types/known/anypb"

	"code.icb4dc0.de/prskr/supabase-operator/internal/supabase"
)

type GoTrueCluster struct {
	ServiceCluster
}

func (c *GoTrueCluster) Cluster(instance string) []*clusterv3.Cluster {
	if c == nil {
		return nil
	}

	return []*clusterv3.Cluster{c.ServiceCluster.Cluster(fmt.Sprintf("auth@%s", instance), 9999)}
}

func (c *GoTrueCluster) Routes(instance string) []*routev3.Route {
	if c == nil {
		return nil
	}

	return []*routev3.Route{
		{
			Name: "GoTrue (Open) /auth/v1/(callback|verify) -> http://auth:9999/$1",
			Match: &routev3.RouteMatch{
				PathSpecifier: &routev3.RouteMatch_SafeRegex{
					SafeRegex: &matcherv3.RegexMatcher{
						Regex: `/auth/v1/(callback|verify|authorize)`,
					},
				},
			},
			Action: &routev3.Route_Route{
				Route: &routev3.RouteAction{
					ClusterSpecifier: &routev3.RouteAction_Cluster{
						Cluster: fmt.Sprintf("%s@%s", supabase.ServiceConfig.Auth.Name, instance),
					},
					RegexRewrite: &matcherv3.RegexMatchAndSubstitute{
						Pattern: &matcherv3.RegexMatcher{
							Regex: `/auth/v1/(callback|verify|authorize)`,
						},
						Substitution: `/\1`,
					},
				},
			},
			TypedPerFilterConfig: map[string]*anypb.Any{
				FilterNameRBAC:     MustAny(RBACPerRoute(RBACAllowAllConfig())),
				FilterNameJwtAuthn: MustAny(JWTAllowAll()),
			},
		},
		{
			Name: "GoTrue: /auth/v1/* -> http://auth:9999/*",
			Match: &routev3.RouteMatch{
				PathSpecifier: &routev3.RouteMatch_Prefix{
					Prefix: "/auth/v1",
				},
			},
			Action: &routev3.Route_Route{
				Route: &routev3.RouteAction{
					ClusterSpecifier: &routev3.RouteAction_Cluster{
						Cluster: fmt.Sprintf("%s@%s", supabase.ServiceConfig.Auth.Name, instance),
					},
					PrefixRewrite: "/",
				},
			},
		},
	}
}
feat: basic functionality implemented - added Core CRD to manage DB migrations & configuration, PostgREST and GoTrue (auth) - added APIGateway CRD to manage Envoy proxy - added Dashboard CRD to manage (so far) pg-meta and (soon) studio deployments - implemented basic Envoy control plane based on K8s watcher 2025-01-04 16:07:49 +00:00			`package controlplane`

			`import (`
			`"fmt"`

			`clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"`
			`routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"`
			`matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"`
			`"google.golang.org/protobuf/types/known/anypb"`

			`"code.icb4dc0.de/prskr/supabase-operator/internal/supabase"`
			`)`

			`type GoTrueCluster struct {`
			`ServiceCluster`
			`}`

			`func (c GoTrueCluster) Cluster(instance string) []clusterv3.Cluster {`
			`if c == nil {`
			`return nil`
			`}`

			`return []*clusterv3.Cluster{c.ServiceCluster.Cluster(fmt.Sprintf("auth@%s", instance), 9999)}`
			`}`

			`func (c GoTrueCluster) Routes(instance string) []routev3.Route {`
			`if c == nil {`
			`return nil`
			`}`

			`return []*routev3.Route{`
			`{`
			`Name: "GoTrue (Open) /auth/v1/(callback\|verify) -> http://auth:9999/$1",`
			`Match: &routev3.RouteMatch{`
			`PathSpecifier: &routev3.RouteMatch_SafeRegex{`
			`SafeRegex: &matcherv3.RegexMatcher{`
			Regex: `/auth/v1/(callback\|verify\|authorize)`,
			`},`
			`},`
			`},`
			`Action: &routev3.Route_Route{`
			`Route: &routev3.RouteAction{`
			`ClusterSpecifier: &routev3.RouteAction_Cluster{`
			`Cluster: fmt.Sprintf("%s@%s", supabase.ServiceConfig.Auth.Name, instance),`
			`},`
			`RegexRewrite: &matcherv3.RegexMatchAndSubstitute{`
			`Pattern: &matcherv3.RegexMatcher{`
			Regex: `/auth/v1/(callback\|verify\|authorize)`,
			`},`
			Substitution: `/\1`,
			`},`
			`},`
			`},`
			`TypedPerFilterConfig: map[string]*anypb.Any{`
			`FilterNameRBAC: MustAny(RBACPerRoute(RBACAllowAllConfig())),`
			`FilterNameJwtAuthn: MustAny(JWTAllowAll()),`
			`},`
			`},`
			`{`
			`Name: "GoTrue: /auth/v1/* -> http://auth:9999/*",`
			`Match: &routev3.RouteMatch{`
			`PathSpecifier: &routev3.RouteMatch_Prefix{`
			`Prefix: "/auth/v1",`
			`},`
			`},`
			`Action: &routev3.Route_Route{`
			`Route: &routev3.RouteAction{`
			`ClusterSpecifier: &routev3.RouteAction_Cluster{`
			`Cluster: fmt.Sprintf("%s@%s", supabase.ServiceConfig.Auth.Name, instance),`
			`},`
			`PrefixRewrite: "/",`
			`},`
			`},`
			`},`
			`}`
			`}`