fix(services-bff): Fix bff proxy download service aws cognito

[snaerseljan]

Fix bff proxy download service aws cognito

What

Since the introduction of our bff server we need to be able to download from the download service through the bff proxy. Currently we are blocked by aws cognito

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Updated ingress configurations to disable global authentication for development and staging environments.

• Bug Fixes

  • Ensured consistent health check configurations across multiple services for improved reliability.

• Chores

  • Minor adjustments made to environment variables, resource limits, and requests for better resource management.

[coderabbitai]

Walkthrough

The changes introduce a new annotation in the ingress configuration for both dev and staging environments within the admin-portal.infra.ts file and the charts/islandis/values.dev.yaml file. The annotation 'nginx.ingress.kubernetes.io/enable-global-auth': 'false' indicates that global authentication should be disabled. Other configurations, such as health checks and resource limits, remain largely unchanged, ensuring consistency across services.

Changes

File Path	Change Summary
apps/services/bff/infra/admin-portal.infra.ts	Added annotation 'nginx.ingress.kubernetes.io/enable-global-auth': 'false' to extraAnnotations for dev and staging.
charts/islandis/values.dev.yaml	Updated services-bff-portals-admin section to include the annotation 'nginx.ingress.kubernetes.io/enable-global-auth': 'false'. Minor adjustments in health checks and resource configurations were also made.

Possibly related PRs

• chore(dsl): Remove global auth annotations #16433: This PR adds the annotation 'nginx.ingress.kubernetes.io/enable-global-auth': 'false' for the dev and staging environments in multiple services, which directly relates to the changes made in the main PR that also adds this annotation in the admin-portal.infra.ts file.
• fix: reverting cognito #16454: This PR introduces the same annotation for the prod environment in the air-discount-scheme services, indicating a broader application of the same configuration change seen in the main PR.
• fix(search-indexer): Disable global auth on dev and staging #16443: This PR also adds the annotation 'nginx.ingress.kubernetes.io/enable-global-auth': 'false' for the search-indexer service in the dev and staging environments, aligning with the changes in the main PR.
• chore(application-system): using aws-sdkv3 initial implementation #16281: This PR modifies the charts/islandis/values.dev.yaml file to include the same annotation under the ingress configuration for the services-bff-portals-admin, showing a direct connection to the changes in the main PR.

Suggested labels

high priority

Suggested reviewers

• eirikurn
• thordurhhh

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[busla]

LGTM

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

apps/services/bff/infra/admin-portal.infra.ts (1)

Line range hint 58-72: Consider documenting the security implications.

While disabling global auth is necessary for the download service, it's important to document:

1. Why this configuration is needed
2. What security measures are in place to protect the endpoints
3. Why it's safe to disable in dev/staging but not in prod

Would you like me to help create documentation explaining these security considerations?

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between b3a585b and af6e5d8.

📒 Files selected for processing (2)

• apps/services/bff/infra/admin-portal.infra.ts (1 hunks)
• charts/islandis/values.dev.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

apps/services/bff/infra/admin-portal.infra.ts (2)

Pattern apps/services/**/*: "Confirm that the code adheres to the following:

• NestJS architecture, including modules, services, and controllers.
• Dependency injection patterns and service encapsulation.
• Integration and unit testing coverage and practices."

---

Pattern apps/**/*: "Confirm that the code adheres to the following:

• NextJS best practices, including file structure, API routes, and static generation methods.
• Efficient state management and server-side rendering techniques.
• Optimal use of TypeScript for component and utility type safety."

🔇 Additional comments (3)

apps/services/bff/infra/admin-portal.infra.ts (1)

Line range hint 58-72: LGTM! The changes align with the PR objective.

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'false' in dev and staging environments should resolve the AWS Cognito blocking issue for the download service.

Let's verify the ingress configuration in other services to ensure this change doesn't have unintended side effects:

✅ Verification successful

The ingress configuration changes follow established patterns

The changes to disable global auth in dev and staging environments while maintaining proxy buffering settings align with existing patterns in the codebase:

• Auth-related services (auth-admin-api, ids-api, auth-public-api) consistently use enable-global-auth: false with similar proxy buffering configurations
• Search indexer service also disables global auth in dev/staging while keeping prod secure
• The proxy buffer settings (8k size, buffering on) match the configurations used in other services

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for similar auth configurations in other services
# Expected: This should be a unique case specific to the download service

# Search for global auth configurations
echo "Checking for global auth configurations in other services:"
rg -l "enable-global-auth" apps/services

# Search for download-related ingress configurations
echo "Checking for download service ingress configurations:"
rg -l "download.*ingress" apps/services

Length of output: 593

---

Script:

#!/bin/bash
# Let's check the actual auth configurations in these files to understand the pattern
echo "Checking auth configurations in related services:"
rg -B 2 -A 2 "enable-global-auth" apps/services/search-indexer/infra/search-indexer-service.ts apps/services/auth/public-api/infra/auth-public-api.ts apps/services/auth/ids-api/infra/identity-server.ts apps/services/auth/admin-api/infra/auth-admin-api.ts

# Let's also check if there are any proxy buffer configurations in these files
echo -e "\nChecking proxy buffer configurations:"
rg "proxy-buffer" apps/services/search-indexer/infra/search-indexer-service.ts apps/services/auth/public-api/infra/auth-public-api.ts apps/services/auth/ids-api/infra/identity-server.ts apps/services/auth/admin-api/infra/auth-admin-api.ts

Length of output: 6472

charts/islandis/values.dev.yaml (2)

Line range hint 1453-1557: LGTM: Download service has proper authentication.

The download-service configuration includes:

• Identity Server integration for authentication
• Proper health checks
• Resource limits and requests
• Appropriate security context settings

---

2332-2332: ⚠️ Potential issue

Verify security implications of disabling global auth.

The addition of nginx.ingress.kubernetes.io/enable-global-auth: 'false' will disable AWS Cognito authentication for the BFF proxy service. While this fixes the download functionality, it could potentially expose endpoints that should be protected.

Let's check if other download-related services have similar configurations:

Please ensure that:

1. Only specific download endpoints are exposed without authentication
2. Consider using path-based auth exclusion instead of disabling auth for the entire service
3. Document the security implications and mitigation strategies

✅ Verification successful

Disabling global auth is a common pattern for specific services and endpoints

Based on the codebase analysis, disabling global auth is an established pattern used across multiple services where authentication needs to be handled differently:

1. Identity Server and Auth APIs have it disabled by design since they handle authentication themselves
2. Public endpoints like /api/swagger and /api/public paths have it disabled intentionally
3. The BFF service has this configuration in dev, staging and prod environments
4. Similar services like search-indexer and github-actions-cache also follow this pattern

The change aligns with existing security practices in the codebase where certain endpoints need to bypass the global auth mechanism. The PR's change to disable global auth for the BFF proxy download service follows this established pattern.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for download-related ingress configurations and their auth settings
rg -A 5 -B 5 "download.*ingress:|nginx\.ingress\.kubernetes\.io/enable-global-auth"

Length of output: 26042