Deploy subgraph on protected Graph and IPFS endpoints

[air3ijai]

Hello, we are started to use Graph node and IPFS in some of our projects which are deployed in the cloud and behind ALB.

Architecture

Subgraph deployment is usually done via GitHub Actions

                 Graph node
               /
GitHub --> ALB
               \
                 IPFS

Deploy

In our pipeline we have two steps which should be protected using authentication

graph create ...
graph deploy ...

Pipeline

name: Build and deploy Subgraph

on:
  push:
    tags:
      - 'prod-v*'
  workflow_dispatch:

jobs:
  run:
    runs-on: ubuntu-latest
    env:
      INDEX_NODE_ENDPOINT: index.domain.tld
      IPFS_ENDPOINT: ipfs.domain.tld
      SUBGRAPH_NAME: prod/subgraph
    steps:
        - uses: actions/checkout@v2
        - uses: actions/setup-node@v2
          with:
              node-version: 12

        - name: Install graph-cli
          run: yarn global add @graphprotocol/[email protected]

        - name: Install dependencies
          run: yarn install
        
        - name: Codegen
          run: yarn codegen

        - name: Build
          run: yarn build

        - name: Graph create
          run: graph create --node {{ env.INDEX_NODE_ENDPOINT }}
             
        - name: Graph deploy
          run: |
               graph deploy ${{ env.SUBGRAPH_NAME }} \
                 --version-label $GITHUB_REF_NAME \
                 --node ${{ env.INDEX_NODE_ENDPOINT }} \
                 --ipfs ${{ env.IPFS_ENDPOINT }}

Authentication

I found the following PR - Make graph auth and --access-token useful for IPFS as well #184 but not sure if it is related just for hosted service.

The easiest way for us is to protect ALB using custom HTTP header, but maybe there some other options?

Workaround

We considering to use a very simple workaround, but it anyway will require a public access to IPFS node and curl usage

# Build and upload build results to an IPFS node
yarn build --ipfs ${{ env.IPFS_ENDPOINT }}" >build.log

# Get IPFS_HASH
echo "IPFS_HASH=$(awk -F': ' '/Build completed/ {print $2}' build.log)" >> $GITHUB_ENV

# Graph create
curl -X POST ${{ env.INDEX_NODE_ENDPOINT }} \
  -H 'header: password' \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc": "2.0", "id": "2", "method": "subgraph_create", "params": {"name": "${{ env.SUBGRAPH_NAME }}"}}'

# Graph deploy
curl -X POST ${{ env.INDEX_NODE_ENDPOINT }} \
  -H 'header: password' \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc": "2.0", "id": "2", "method": "subgraph_deploy", "params": {"name": "${{ env.SUBGRAPH_NAME }}", "ipfs_hash": "${{ env.IPFS_HASH }}"}}'

Questions

1. Can we send a custom HTTP header when we access IPFS and Graph node using graph-cli when create and deploy subgraph?
2. Is there a way to use access-token on self-deployed IPFS and Graph node?
3. If we can use access-token how it can be configured on IPFS and Graph node side?