Added custom filter logic for stac-auth-proxy.

pantierra · pantierra · commit 1c275a93c5fb · 2026-01-14T10:36:04.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381)
 - Added load testing scripts [#373](https://github.com/developmentseed/eoapi-k8s/pull/373)
 - Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376)
+- Added support for custom filters configuration via `customFiltersFile` in values.yaml [#388](https://github.com/developmentseed/eoapi-k8s/pull/388)
 
 ### Fixed
 
diff --git a/charts/eoapi/data/stac-auth-proxy/custom_filters.py b/charts/eoapi/data/stac-auth-proxy/custom_filters.py
@@ -0,0 +1,27 @@
+"""
+Sample custom filters for STAC Auth Proxy.
+This file demonstrates the structure needed for custom collection and item filters.
+"""
+
+import dataclasses
+from typing import Any
+
+
+@dataclasses.dataclass
+class CollectionsFilter:
+    """Filter collections based on user permissions."""
+
+    async def __call__(self, context: dict[str, Any]) -> str:
+        """Return True if user can access this collection."""
+        # Example: Allow all collections for authenticated users
+        return "1=1"
+
+
+@dataclasses.dataclass
+class ItemsFilter:
+    """Filter items based on user permissions."""
+
+    async def __call__(self, context: dict[str, Any]) -> str:
+        """Return True if user can access this item."""
+        # Example: Allow all items for authenticated users
+        return "1=1"
diff --git a/charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml b/charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml
@@ -0,0 +1,16 @@
+{{- if index .Values "stac-auth-proxy" "enabled" }}
+{{- $stacAuthProxy := index .Values "stac-auth-proxy" }}
+{{- if and (hasKey $stacAuthProxy "extraVolumes") $stacAuthProxy.extraVolumes }}
+{{- $filterFile := $stacAuthProxy.customFiltersFile | default "data/stac-auth-proxy/custom_filters.py" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-stac-auth-proxy-filters
+  labels:
+    {{- include "eoapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: stac-auth-proxy
+data:
+  custom_filters.py: |
+{{ .Files.Get $filterFile | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/eoapi/tests/stac-auth-proxy-filters_test.yaml b/charts/eoapi/tests/stac-auth-proxy-filters_test.yaml
@@ -0,0 +1,77 @@
+suite: test stac-auth-proxy custom filters ConfigMap
+templates:
+  - templates/_helpers/core.tpl
+  - templates/core/stac-auth-proxy-filters-configmap.yaml
+
+tests:
+  - it: should create ConfigMap when stac-auth-proxy is enabled and extraVolumes is defined
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    template: templates/core/stac-auth-proxy-filters-configmap.yaml
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-stac-auth-proxy-filters
+      - isNotEmpty:
+          path: data
+
+  - it: should not create ConfigMap when stac-auth-proxy is disabled
+    set:
+      stac-auth-proxy.enabled: false
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not create ConfigMap when extraVolumes is not defined
+    set:
+      stac-auth-proxy.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should have correct labels
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    template: templates/core/stac-auth-proxy-filters-configmap.yaml
+    asserts:
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: stac-auth-proxy
+      - exists:
+          path: metadata.labels["app.kubernetes.io/name"]
+      - exists:
+          path: metadata.labels["app.kubernetes.io/instance"]
+      - exists:
+          path: metadata.labels["helm.sh/chart"]
+
+  - it: should use custom file path when customFiltersFile is specified
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.customFiltersFile: "data/eoepca_filters.py"
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    template: templates/core/stac-auth-proxy-filters-configmap.yaml
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-stac-auth-proxy-filters
+      - isNotEmpty:
+          path: data
diff --git a/charts/eoapi/values.yaml b/charts/eoapi/values.yaml
@@ -416,18 +416,46 @@ stac:
 stac-auth-proxy:
   enabled: false
   image:
-    tag: "v0.11.0"
-  env:
-    ROOT_PATH: "/stac"
-    OVERRIDE_HOST: "false"
-    DEFAULT_PUBLIC: "true"
-    # UPSTREAM_URL will be set dynamically in template to point to stac service
-    # OIDC_DISCOVERY_URL must be configured when enabling auth
+    tag: "v0.11.1"
   ingress:
     enabled: false  # Handled by main eoapi ingress
   service:
     port: 8080
   resources: {}
+  env:
+    ROOT_PATH: "/stac"
+    OVERRIDE_HOST: "false"
+    # UPSTREAM_URL will be set dynamically in template to point to stac service
+    # OIDC_DISCOVERY_URL must be configured when enabling auth
+    # OIDC_DISCOVERY_URL must be configured when enabling auth
+    # UPSTREAM_URL will be set dynamically in template to point to stac service
+    #
+    # Authentication filters settings:
+    DEFAULT_PUBLIC: "true" # This enables standard profile for authentication filters
+    # Alternatively with the following settings custom filters can be added
+    # These must be mounted with extraVolumes/extraVolumeMounts (see below)
+    # COLLECTIONS_FILTER_CLS: stac_auth_proxy.custom_filters:CollectionsFilter
+    # ITEMS_FILTER_CLS: stac_auth_proxy.custom_filters:ItemsFilter
+
+  # Path to custom filters file (relative to chart root)
+  # When extraVolumes is configured, a ConfigMap will be created from this file
+  # customFiltersFile: "data/stac-auth-proxy/custom_filters.py"
+
+  # Additional volumes to mount (e.g., for custom filter files)
+  extraVolumes: []
+  # Example:
+  # extraVolumes:
+  #   - name: filters
+  #     configMap:
+  #       name: stac-auth-proxy-filters
+  # Additional volume mounts for the container
+  extraVolumeMounts: []
+  # Example:
+  # extraVolumeMounts:
+  #   - name: filters
+  #     mountPath: /app/src/stac_auth_proxy/custom_filters.py
+  #     subPath: custom_filters.py
+  #     readOnly: true
 
 vector:
   enabled: true
