Skip to content

Registration API⚓︎

The Registration API provides a REST API through which resources can be registered with both the Resource Catalogue and (as applicable) with the Data Access services.

Helm Chart⚓︎

The Registration API is deployed via the rm-registration-api helm chart from the EOEPCA Helm Chart Repository.

The chart is configured via values that are fully documented in the README for the rm-registration-api chart.

helm install --version 1.4.0 --values registration-api-values.yaml \
  --repo https://eoepca.github.io/helm-charts \
  registration-api rm-registration-api

Values⚓︎

The Registration API supports many values to configure the service - as described in the Values section of the chart README.

Typically, values for the following attributes may be specified:

  • The fully-qualified public URL for the service
  • (optional) Specification of Ingress for reverse-proxy access to the service
    Note that this is only required in the case that the Registration API will not be protected by the identity-gatekeeper component - ref. Resource Protection. Otherwise the ingress will be handled by the identity-gatekeeper - use ingress.enabled: false.
  • Values for integration with the workspace-api and data-access services

Example registration-api-values.yaml

fullnameOverride: registration-api

ingress:
  enabled: false
  hosts:
    - host: registration-api-open.192-168-49-2.nip.io
      paths: ["/"]
  tls:
    - hosts:
        - registration-api-open.192-168-49-2.nip.io
      secretName: registration-api-tls

# some values for the workspace API
workspaceK8sNamespace: rm
redisServiceName: "data-access-redis-master"

Protection⚓︎

As described in section Resource Protection (Keycloak), the identity-gatekeeper component can be inserted into the request path of the registration-api service to provide access authorization decisions

Gatekeeper⚓︎

Gatekeeper is deployed using its helm chart…

helm install registration-api-protection identity-gatekeeper -f registration-api-protection-values.yaml \
  --repo https://eoepca.github.io/helm-charts \
  --namespace "rm" --create-namespace \
  --version 1.0.12

The identity-gatekeeper must be configured with the values applicable to the registration-api - in particular the specific ingress requirements for the registration-api backend service…

Example registration-api-protection-values.yaml

fullnameOverride: registration-api-protection
config:
  client-id: registration-api
  discovery-url: https://keycloak.192-168-49-2.nip.io/realms/master
  cookie-domain: 192-168-49-2.nip.io
targetService:
  host: registration-api.192-168-49-2.nip.io
  name: registration-api
  port:
    number: 8080
secrets:
  # Values for secret 'registration-api-protection'
  # Note - if ommitted, these can instead be set by creating the secret independently.
  clientSecret: "changeme"
  encryptionKey: "changemechangeme"
ingress:
  enabled: true
  className: nginx
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/enable-cors: "true"
  # open access
  openUri:
    - ^.*

Keycloak Client⚓︎

The Gatekeeper instance relies upon an associated client configured within Keycloak - ref. client-id: registration-api above.

This can be created with the create-client helper script, as descirbed in section Client Registration.

For example…

../bin/create-client \
  -a https://keycloak.192-168-49-2.nip.io \
  -i https://identity-api.192-168-49-2.nip.io \
  -r "master" \
  -u "admin" \
  -p "changeme" \
  -c "admin-cli" \
  --id=registration-api \
  --name="Registration API Gatekeeper" \
  --secret="changeme" \
  --description="Client to be used by Registration API Gatekeeper"

Additional Information⚓︎

Additional information regarding the Registration API can be found at: