onyxia-api
                                
REST API of Onyxia
Onyxia API
This is the server part of the Onyxia datalab. It interacts with your container orchestrator (Kubernetes) to deploy users' services.
Deployable services are listed and configured inside catalogs.
Default catalogs are from InseeFrLab: Interactive services, Databases and Automation, but more catalogs (including your own) can be added.
Quick start
Onyxia-api is usually run as a component within the Onyxia stack. See the Onyxia helm chart and docs.onyxia.sh for installation instructions.
Running Onyxia-API standalone
Using docker
docker run -p 8080:8080 inseefrlab/onyxia-api
Using Java / maven (from sources)
git clone https://github.com/InseeFrLab/onyxia-api.git
cd onyxia-api
mvn spring-boot:run
Usage
Once Onyxia is started, browse to http://localhost:8080 to get started with the OpenAPI documentation.
Contributing
Contributions are welcome.
Make sure to conform to the Android Open Source Project code style: mvn spotless:apply can enforce it.
Configuration
The main configuration file is onyxia-api/src/main/resources/application.properties.
Each variable can be overridden using environment variables.
Regions configuration :
| Key | Default | Description | 
|---|---|---|
| regions | onyxia-api/src/main/resources/regions.json | List of regions, see Region configuration | 
Catalogs configuration :
| Key | Default | Description | 
|---|---|---|
| catalogs | onyxia-api/src/main/resources/catalogs.json | List of helm catalogs, see Admin doc | 
| catalogs.refresh.ms | 300000 (5 minutes) | The rate at which the catalogs should be refreshed. `<= 0` means no refresh after initial loading |
Authentication configuration
| Key | Default | Description | 
|---|---|---|
| authentication.mode | none | Supported modes are: none, openidconnect (must be configured) |
Open id configuration (used when authentication.mode=openidconnect)
You have to specify oidc.issuer-uri. oidc.jwk-uri is optional.
Commonly used configurations:
| Provider | oidc.issuer-uri | oidc.jwk-uri |
|---|---|---|
| Keycloak | https://keycloak.example.com/auth/realms/REALMNAME | |
| Google | https://accounts.google.com | https://www.googleapis.com/oauth2/v3/certs |
| Microsoft | https://login.microsoftonline.com/TENANTID/v2.0 | |
Configurable properties :
| Key | Default | Description | 
|---|---|---|
| oidc.issuer-uri | | Issuer URI, should be the same as the `iss` field of the tokens |
| oidc.jwk-uri | | JWK URI, useful when auto discovery is not available or when `iss` is not consistent across tokens (e.g. Google) |
| oidc.clientID | | Client id to be used by Onyxia web application |
| oidc.audience | | Optional: audience to validate. Must be the same as the token's `aud` field |
| oidc.username-claim | preferred_username | Claim to be used as user id. Must conform to RFC 1123 |
| oidc.groups-claim | groups | Claim to be used as list of user groups. |
| oidc.extra-query-params | | Optional: query params to be added by client, e.g. `prompt=consent&kc_idp_hint=google` |
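
A quick way to compare a token's claims with the `oidc.*` settings above before enabling `authentication.mode=openidconnect`. This is an added example, not code from onyxia-api, and it does not verify signatures. It assumes "RFC 1123" means a DNS label as Kubernetes defines it and accepts `aud` as a string or a list; the function names and sample tokens are constructed for illustration.

```python
import base64
import json
import re

# Assumption: "RFC 1123" is read as a DNS label as Kubernetes defines it:
# lowercase alphanumerics or '-', alphanumeric at both ends, at most 63 chars.
RFC1123_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def decode_payload(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    segment = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_claims(claims, config):
    """List the mismatches between token claims and the oidc.* settings."""
    problems = []
    if claims.get("iss") != config["oidc.issuer-uri"]:
        problems.append("iss differs from oidc.issuer-uri")
    audience = config.get("oidc.audience")
    if audience:
        aud = claims.get("aud", [])  # RFC 7519 allows a string or a list
        if audience not in ([aud] if isinstance(aud, str) else aud):
            problems.append("aud does not match oidc.audience")
    user = claims.get(config.get("oidc.username-claim", "preferred_username"))
    if not isinstance(user, str) or not RFC1123_LABEL.fullmatch(user):
        problems.append("username claim is missing or not an RFC 1123 label")
    if not isinstance(claims.get(config.get("oidc.groups-claim", "groups"), []), list):
        problems.append("groups claim is not a list")
    return problems

def sample_jwt(claims):
    """Build an unsigned token; constructed sample input for this example."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

# Constructed configuration and tokens (placeholder host and realm from the table above).
CONFIG = {
    "oidc.issuer-uri": "https://keycloak.example.com/auth/realms/REALMNAME",
    "oidc.audience": "onyxia",
}
GOOD = sample_jwt({"iss": CONFIG["oidc.issuer-uri"], "aud": "onyxia",
                   "preferred_username": "jdoe", "groups": ["team-a"]})
BAD = sample_jwt({"iss": CONFIG["oidc.issuer-uri"] + "/", "aud": ["account"],
                  "preferred_username": "Jane.Doe", "groups": "team-a"})

if __name__ == "__main__":
    for name, token in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_claims(decode_payload(token), CONFIG))
```

The second sample token shows the usual causes of a mismatch: a trailing slash on the issuer, an audience issued for another client, and a username with uppercase letters or dots.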
Security configuration :
| Key | Default | Description | 
|---|---|---|
| security.cors.allowed_origins | | To indicate which origins are allowed by CORS |
HTTP configuration
| Key | Default | Description | 
|---|---|---|
| http.proxyHost | | Proxy hostname (e.g. proxy.example.com) |
| http.proxyPort | 80 for HTTP, 443 for HTTPS | Proxy port |
| http.noProxy | | Hosts that should not use the proxy (e.g. localhost,host.example.com) |
| http.proxyUsername | | Username if the proxy requires authentication |
| http.proxyPassword | | Password if the proxy requires authentication |
Events
| Key | Default | Description | 
|---|---|---|
| event.logging.enabled | true | whether events should be logged or not | 
Other configurations
| Key | Default | Description | 
|---|---|---|
| springdoc.swagger-ui.path | / | Open API (swagger) UI path | 
| springdoc.swagger-ui.oauth.clientId | `` | Client id used by Swagger to authenticate the user; in general the same one used by onyxia-ui is fine. |
Onyxia API dependency to Helm
Onyxia-API makes system calls to helm using the helm-wrapper Java library.
helm is bundled in the Onyxia API Docker image, see current version bundled here : Dockerfile.
If running Onyxia API locally you need to have helm available in the PATH.
Onyxia Helm format extension
Onyxia's catalogs are based on the Helm chart format and especially the values.schema.json (see https://helm.sh/docs/topics/charts/#schema-files) file used to populate the personalization tabs displayed by the UI.
Onyxia is fully interoperable with the Helm chart format, which means you can use any helm chart repository as an Onyxia catalog. But you probably want to use one that includes values.schema.json files (those files are optional in helm).
Onyxia extends this format to enhance it and provide more customization tools in the UI.
An example of such an extension can be found here, see x-onyxia.