daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
70fd268a0d8f33d0da4ccf8331abf2c9af101b83
microdao-daarion/infrastructure/auth/enforce-auth.sh
Apple 70fd268a0d 🚀 Production-ready: Auth enforcement + Observability + Policy 
- Atomic генерація всіх секретів (generate-all-secrets.sh)
- Auth enforcement перевірка (enforce-auth.sh)
- Оновлений full flow test (must-pass)
- Prometheus alerting rules для Memory Module
- Matrix alerts bridge (алерти в ops room)
- Policy engine документація для пам'яті

Готово до production deployment!
2026-01-10 10:56:05 -08:00

88 lines
3.3 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
# Auth Enforcement - перевірка, що всі сервіси вимагають auth
set -e
echo "🔒 Перевірка Auth Enforcement..."
echo ""
FAILED=0
# ============================================================================
# 1. NATS - перевірка конфігурації
# ============================================================================
echo "=== 1. NATS Auth ==="
if kubectl get configmap -n nats nats-config -o yaml 2>/dev/null | grep -q "operator:"; then
echo "✅ NATS operator JWT налаштовано"
else
echo "❌ NATS operator JWT НЕ налаштовано"
FAILED=1
fi
if kubectl get secret -n nats nats-operator-jwt 2>/dev/null | grep -q "operator.jwt"; then
echo "✅ NATS operator JWT Secret існує"
else
echo "❌ NATS operator JWT Secret НЕ існує"
FAILED=1
fi
# ============================================================================
# 2. Memory Service - перевірка JWT
# ============================================================================
echo ""
echo "=== 2. Memory Service JWT ==="
if kubectl get secret -n daarion memory-service-secrets 2>/dev/null | grep -q "jwt_secret"; then
echo "✅ Memory Service JWT secret існує"
else
echo "❌ Memory Service JWT secret НЕ існує"
FAILED=1
fi
# Тест: запит без JWT має бути відхилено
echo "Тест: запит без JWT..."
MEMORY_SERVICE_URL=$(kubectl get svc -n daarion memory-service -o jsonpath='{.spec.clusterIP}' 2>/dev/null || echo "")
if [ -n "$MEMORY_SERVICE_URL" ]; then
RESPONSE=$(kubectl run test-auth --image=curlimages/curl --rm -i --restart=Never -- curl -s -o /dev/null -w "%{http_code}" "http://$MEMORY_SERVICE_URL:8000/memories" 2>/dev/null || echo "000")
if [ "$RESPONSE" = "401" ] || [ "$RESPONSE" = "403" ]; then
echo "✅ Memory Service відхиляє запити без JWT"
else
echo "⚠️ Memory Service приймає запити без JWT (auth не enforced)"
FAILED=1
fi
else
echo "⚠️ Memory Service не знайдено (може бути нормально)"
fi
# ============================================================================
# 3. Qdrant - перевірка API key
# ============================================================================
echo ""
echo "=== 3. Qdrant API Key ==="
if kubectl get secret -n qdrant qdrant-api-keys 2>/dev/null | grep -q "memory-service-key"; then
echo "✅ Qdrant API keys Secret існує"
else
echo "❌ Qdrant API keys Secret НЕ існує"
FAILED=1
fi
# ============================================================================
# Підсумок
# ============================================================================
echo ""
if [ $FAILED -eq 0 ]; then
echo "✅ Всі перевірки пройдено - Auth enforcement активний"
exit 0
else
echo "❌ Деякі перевірки не пройдено - Auth enforcement НЕ активний"
echo ""
echo "Дії:"
echo " 1. Запустіть: infrastructure/auth/generate-all-secrets.sh"
echo " 2. Завантажте секрети в Vault"
echo " 3. Оновіть External Secrets Operator"
echo " 4. Застосуйте auth конфігурації"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink