Use nais-api instead of teams backend

Makefile

@@ -6,6 +6,8 @@ K8S_VERSION := 1.27.1
 LAST_COMMIT = $(shell git rev-parse --short HEAD)
 VERSION ?= $(DATE)-$(LAST_COMMIT)
 LDFLAGS := -X github.com/nais/deploy/pkg/version.Revision=$(LAST_COMMIT) -X github.com/nais/deploy/pkg/version.Date=$(DATE) -X github.com/nais/deploy/pkg/version.BuildUnixTime=$(BUILDTIME)
+NAIS_API_COMMIT_SHA := 0f2590f0befcdc5473474007174bb4a5d0b1f97e
+NAIS_API_TARGET_DIR=pkg/naisapi/protoapi
 arch := $(shell uname -m | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
 os := $(shell uname -s | tr '[:upper:]' '[:lower:]')
 testbin_dir := ./.testbin/
@@ -88,3 +90,23 @@ hookd-alpine:
 
 deploy-alpine:
 	go build -a -installsuffix cgo -o bin/deploy -ldflags "-s $(LDFLAGS)" ./cmd/deploy/
+
+generate-nais-api:
+	mkdir -p ./$(NAIS_API_TARGET_DIR)
+	wget -O ./$(NAIS_API_TARGET_DIR)/teams.proto https://raw.githubusercontent.com/nais/api/$(NAIS_API_COMMIT_SHA)/pkg/protoapi/schema/teams.proto
+	wget -O ./$(NAIS_API_TARGET_DIR)/users.proto https://raw.githubusercontent.com/nais/api/$(NAIS_API_COMMIT_SHA)/pkg/protoapi/schema/users.proto
+	wget -O ./$(NAIS_API_TARGET_DIR)/pagination.proto https://raw.githubusercontent.com/nais/api/$(NAIS_API_COMMIT_SHA)/pkg/protoapi/schema/pagination.proto
+	$(PROTOC) \
+		--proto_path=$(NAIS_API_TARGET_DIR) \
+		--go_opt=Mpagination.proto=github.com/nais/deploy/$(NAIS_API_TARGET_DIR) \
+		--go_opt=Musers.proto=github.com/nais/deploy/$(NAIS_API_TARGET_DIR) \
+		--go_opt=Mteams.proto=github.com/nais/deploy/$(NAIS_API_TARGET_DIR) \
+		--go_opt=paths=source_relative \
+		--go_out=$(NAIS_API_TARGET_DIR) \
+		--go-grpc_opt=Mpagination.proto=github.com/nais/deploy/$(NAIS_API_TARGET_DIR) \
+		--go-grpc_opt=Musers.proto=github.com/nais/deploy/$(NAIS_API_TARGET_DIR) \
+		--go-grpc_opt=Mteams.proto=github.com/nais/deploy/$(NAIS_API_TARGET_DIR) \
+		--go-grpc_opt=paths=source_relative \
+		--go-grpc_out=$(NAIS_API_TARGET_DIR) \
+		$(NAIS_API_TARGET_DIR)/*.proto
+	rm -f $(NAIS_API_TARGET_DIR)/*.proto

charts/hookd/Feature.yaml

@@ -1,6 +1,6 @@
 dependencies:
   - allOf:
-      - teams-backend
+      - nais-api
 environmentKinds:
   - management
 values:
@@ -61,13 +61,12 @@ values:
     displayName: Ingress URL
     computed:
       template: '"{{ subdomain . "deploy" }}"'
-  teamsAPIKey:
-    displayName: "teams api key"
-    computed:
-      template: "{{.Management.hookd_teams_api_key | quote}}"
-    description: "API key used for teams integration"
   frontendPreSharedKey:
     displayName: "console-backend pre-shared key"
     computed:
       template: "{{.Management.hookd_frontend_pre_shared_key | quote}}"
     description: "The pre-shared key used to authenticate the console-backend"
+  naisAPI.insecure:
+    displayName: Insecure connection to NAIS API
+    config:
+      type: bool

charts/hookd/templates/netpol.yaml

@@ -25,8 +25,7 @@ spec:
           kubernetes.io/metadata.name: nais-system
       podSelector:
         matchLabels:
-          app.kubernetes.io/instance: teams-backend
-          app.kubernetes.io/name: teams-backend
+          app: nais-api
   podSelector:
     matchLabels:
       {{- include "hookd.selectorLabels" . | nindent 6 }}

charts/hookd/templates/secret.yaml

@@ -25,5 +25,5 @@ stringData:
   HOOKD_LOG_LINK_FORMATTER: "{{ .Values.logLinkFormatter }}"
   HOOKD_OAUTH_ENABLED: "true"
   HOOKD_PROVISION_KEY: "{{ .Values.provisionKey }}"
-  HOOKD_TEAMS_API_KEY: "{{ .Values.teamsAPIKey }}"
-  HOOKD_TEAMS_URL: "{{ .Values.teamsURL }}"
+  HOOKD_NAIS_API_ADDRESS: "{{ .Values.naisAPI.address }}"
+  HOOKD_NAIS_API_INSECURE_CONNECTION: "{{ .Values.naisAPI.insecureConnection }}"

charts/hookd/values.yaml

@@ -44,5 +44,6 @@ frontendPreSharedKey: # mapped by fasit
 
 imagePullSecrets: []
 
-teamsAPIKey: # mapped by fasit
-teamsURL: "http://teams-backend/query"
+naisAPI:
+  address: "nais-api:3001"
+  insecureConnection: "false"

cmd/hookd/main.go

@@ -31,8 +31,8 @@ import (
 	"github.com/nais/deploy/pkg/hookd/logproxy"
 	"github.com/nais/deploy/pkg/hookd/middleware"
 	"github.com/nais/deploy/pkg/logging"
+	"github.com/nais/deploy/pkg/naisapi"
 	"github.com/nais/deploy/pkg/pb"
-	"github.com/nais/deploy/pkg/teams"
 	"github.com/nais/deploy/pkg/version"
 )
 
@@ -179,8 +179,11 @@ func startGrpcServer(cfg config.Config, db database.DeploymentStore, apikeys dat
 				return nil, nil, fmt.Errorf("unable to set up github validator: %w", err)
 			}
 
-			teamsClient := teams.New(cfg.TeamsURL, cfg.TeamsAPIKey)
-			authInterceptor := auth_interceptor.NewServerInterceptor(apikeys, ghValidator, teamsClient)
+			apiClient, err := naisapi.NewClient(cfg.NaisAPIAddress, cfg.NaisAPIInsecureConnection)
+			if err != nil {
+				return nil, nil, fmt.Errorf("unable to set up nais-api client: %w", err)
+			}
+			authInterceptor := auth_interceptor.NewServerInterceptor(apikeys, ghValidator, apiClient)
 
 			interceptor.Add(pb.Deploy_ServiceDesc.ServiceName, authInterceptor)
 			log.Infof("Authentication enabled for deployment requests")

pkg/hookd/config/config.go

@@ -16,24 +16,24 @@ type GRPC struct {
 }
 
 type Config struct {
-	BaseURL                string        `json:"base-url"`
-	DatabaseConnectTimeout time.Duration `json:"database-connect-timeout"`
-	DatabaseEncryptionKey  string        `json:"database-encryption-key"`
-	DatabaseURL            string        `json:"database-url"`
-	DeploydKeys            []string      `json:"deployd-keys"`
-	FrontendKeys           []string      `json:"frontend-keys"`
-	GRPC                   GRPC          `json:"grpc"`
-	GoogleAllowedDomains   []string      `json:"google-allowed-domains"`
-	GoogleClientId         string        `json:"google-client-id"`
-	GoogleClusterProjects  []string      `json:"google-cluster-projects"`
-	ListenAddress          string        `json:"listen-address"`
-	LogFormat              string        `json:"log-format"`
-	LogLevel               string        `json:"log-level"`
-	LogLinkFormatter       string        `json:"log-link-formatter"`
-	MetricsPath            string        `json:"metrics-path"`
-	ProvisionKey           string        `json:"provision-key"`
-	TeamsAPIKey            string        `json:"teams-api-key"`
-	TeamsURL               string        `json:"teams-url"`
+	BaseURL                   string        `json:"base-url"`
+	DatabaseConnectTimeout    time.Duration `json:"database-connect-timeout"`
+	DatabaseEncryptionKey     string        `json:"database-encryption-key"`
+	DatabaseURL               string        `json:"database-url"`
+	DeploydKeys               []string      `json:"deployd-keys"`
+	FrontendKeys              []string      `json:"frontend-keys"`
+	GRPC                      GRPC          `json:"grpc"`
+	GoogleAllowedDomains      []string      `json:"google-allowed-domains"`
+	GoogleClientId            string        `json:"google-client-id"`
+	GoogleClusterProjects     []string      `json:"google-cluster-projects"`
+	ListenAddress             string        `json:"listen-address"`
+	LogFormat                 string        `json:"log-format"`
+	LogLevel                  string        `json:"log-level"`
+	LogLinkFormatter          string        `json:"log-link-formatter"`
+	MetricsPath               string        `json:"metrics-path"`
+	ProvisionKey              string        `json:"provision-key"`
+	NaisAPIAddress            string        `json:"nais-api-address"`
+	NaisAPIInsecureConnection bool          `json:"nais-api-insecure-connection"`
 }
 
 const (
@@ -56,8 +56,8 @@ const (
 	LogLinkFormatter          = "log-link-formatter"
 	MetricsPath               = "metrics-path"
 	ProvisionKey              = "provision-key"
-	TeamsAPIKey               = "teams-api-key"
-	TeamsURL                  = "teams-url"
+	NaisAPIAddress            = "nais-api-address"
+	NaisAPIInsecureConnection = "nais-api-insecure-connection"
 )
 
 // Bind environment variables provided by the NAIS platform
@@ -99,8 +99,8 @@ func Initialize() *Config {
 	flag.StringSlice(GoogleAllowedDomains, []string{}, "Allowed Google Domains")
 	flag.StringSlice(GoogleClusterProjects, []string{}, "Mapping cluster to google project: cluster1=project1,cluster2=project2")
 
-	flag.String(TeamsAPIKey, "", "Teams API Key")
-	flag.String(TeamsURL, "http://localhost:3000/query", "Teams URL")
+	flag.Bool(NaisAPIInsecureConnection, false, "Insecure connection to API server")
+	flag.String(NaisAPIAddress, "localhost:3001", "NAIS API target")
 
 	return &Config{}
 }

pkg/naisapi/naisapi.go

@@ -0,0 +1,45 @@
+package naisapi
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/nais/deploy/pkg/naisapi/protoapi"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+type Client struct {
+	client protoapi.TeamsClient
+}
+
+func NewClient(target string, insecureConnection bool) (*Client, error) {
+	opts := []grpc.DialOption{}
+	if insecureConnection {
+		opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	}
+
+	gclient, err := grpc.Dial(target, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to nais-api: %w", err)
+	}
+
+	return &Client{
+		client: protoapi.NewTeamsClient(gclient),
+	}, nil
+}
+
+func (c *Client) IsAuthorized(ctx context.Context, repo, team string) bool {
+	resp, err := c.client.IsRepositoryAuthorized(ctx, &protoapi.IsRepositoryAuthorizedRequest{
+		TeamSlug:      team,
+		Repository:    repo,
+		Authorization: protoapi.RepositoryAuthorization_DEPLOY,
+	})
+	if err != nil {
+		log.WithError(err).Error("checking repo authorization in teams")
+		return false
+	}
+
+	return resp.IsAuthorized
+}