Problem: K8s deployment with Access Token Authorization expects Access Token for GET calls and others (#2134)

* Fix for access token authorization for GET calls

- Naming inconsistency for cluster-fqdn causing issues
- Change cluster-frontend-port to node-frontend-port

* Change hardcoded 9984 to configurable

k8s/nginx-https/container/nginx.conf.template

@@ -61,7 +61,7 @@ http {
 
   # Frontend server for the external clients; acts as HTTPS termination point.
   server {
-    listen CLUSTER_FRONTEND_PORT ssl;
+    listen NODE_FRONTEND_PORT ssl;
     server_name "NODE_FQDN";
 
     ssl_certificate /etc/nginx/ssl/cert.pem;
@@ -86,6 +86,7 @@ http {
     # Forward other URL paths as per business logic/use case to BDB or
     # OpenResty instance.
     location / {
+      set $auth_check 1; #Flag to authorize POST requests
       proxy_ignore_client_abort on;
       proxy_set_header X-Real-IP  $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -93,35 +94,39 @@ http {
       # max client request body size: avg transaction size.
       client_max_body_size 15k;
 
+      if ($request_method = 'OPTIONS') {
+          add_header 'Access-Control-Allow-Origin' '*';
+          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+          add_header 'Access-Control-Allow-Headers' 'DNT,X-Secret-Access-Token,User-Agent';
+          add_header 'Access-Control-Max-Age' 43200;
+          add_header 'Content-Type' 'text/plain charset=UTF-8';
+          add_header 'Content-Length' 0;
+          return 204;
+      }
+
+      if ( $http_x_secret_access_token != "SECRET_ACCESS_TOKEN" ) {
+          set $auth_check 0;
+      }
+      if ($request_method = POST ) {
+          set $auth_check "${auth_check}1";
+      }
+
+      if ( $auth_check = "01" ) {
+          return 403;
+      }
+
       # No auth for GETs, forward directly to BDB.
       if ($request_method = GET) {
         proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
       }
 
-      # OPTIONS requests handling for CORS.
-      if ($request_method = 'OPTIONS') {
-        add_header 'Access-Control-Allow-Origin' '*';
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'DNT,X-Secret-Access-Token,User-Agent';
-        add_header 'Access-Control-Max-Age' 43200;
-        add_header 'Content-Type' 'text/plain charset=UTF-8';
-        add_header 'Content-Length' 0;
-        return 204;
-      }
-
-      # Check for security header to authorize POST requests
-      if ( $http_x_secret_access_token != "SECRET_ACCESS_TOKEN" ) {
-        return 403;
-      }
-
-      # POST requests get forwarded to BDB.
       if ($request_method = POST ) {
-        proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
+          proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
       }
 
       # Only return this reponse if request_method is neither POST|GET|OPTIONS
       if ($request_method !~ ^(GET|OPTIONS|POST)$) {
-        return 444;
+          return 444;
       }
     }
   }

k8s/nginx-https/container/nginx.conf.threescale.template

@@ -63,7 +63,7 @@ http {
 
   # Frontend server for the external clients; acts as HTTPS termination point.
   server {
-    listen CLUSTER_FRONTEND_PORT ssl;
+    listen NODE_FRONTEND_PORT ssl;
     server_name "NODE_FQDN";
 
     ssl_certificate /etc/nginx/ssl/cert.pem;

k8s/nginx-https/container/nginx_entrypoint.bash

@@ -8,7 +8,7 @@ secret_token_auth_mode="secret-token"
 
 # Cluster vars
 node_fqdn=`printenv NODE_FQDN`
-cluster_frontend_port=`printenv CLUSTER_FRONTEND_PORT`
+node_frontend_port=`printenv NODE_FRONTEND_PORT`
 
 
 # NGINX vars
@@ -36,7 +36,7 @@ tm_p2p_port=`printenv TM_P2P_PORT`
 
 
 # sanity check
-if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!}" || \
+if [[ -z "${node_frontend_port:?NODE_FRONTEND_PORT not specified. Exiting!}" || \
       -z "${mongo_backend_host:?MONGODB_BACKEND_HOST not specified. Exiting!}" || \
       -z "${mongo_backend_port:?MONGODB_BACKEND_PORT not specified. Exiting!}" || \
       -z "${openresty_backend_port:?OPENRESTY_BACKEND_PORT not specified. Exiting!}" || \
@@ -54,7 +54,7 @@ if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!
   exit 1
 else
   echo NODE_FQDN="$node_fqdn"
-  echo CLUSTER_FRONTEND_PORT="$cluster_frontend_port"
+  echo NODE_FRONTEND_PORT="$node_frontend_port"
   echo DNS_SERVER="$dns_server"
   echo HEALTH_CHECK_PORT="$health_check_port"
   echo MONGODB_BACKEND_HOST="$mongo_backend_host"
@@ -84,7 +84,7 @@ fi
 
 # configure the nginx.conf file with env variables
 sed -i "s|NODE_FQDN|${node_fqdn}|g" ${NGINX_CONF_FILE}
-sed -i "s|CLUSTER_FRONTEND_PORT|${cluster_frontend_port}|g" ${NGINX_CONF_FILE}
+sed -i "s|NODE_FRONTEND_PORT|${node_frontend_port}|g" ${NGINX_CONF_FILE}
 sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE}
 sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE}
 sed -i "s|BIGCHAINDB_BACKEND_HOST|${bdb_backend_host}|g" ${NGINX_CONF_FILE}

k8s/nginx-https/nginx-https-dep.yaml

@@ -15,11 +15,11 @@ spec:
         image: bigchaindb/nginx_https:unstable
         imagePullPolicy: Always
         env:
-        - name: CLUSTER_FRONTEND_PORT
+        - name: NODE_FRONTEND_PORT
           valueFrom:
             configMapKeyRef:
               name: vars
-              key: cluster-frontend-port
+              key: node-frontend-port
         - name: HEALTH_CHECK_PORT
           valueFrom:
             configMapKeyRef: