
@clincoln8 clincoln8 commented Jan 22, 2026

This is paired with datacommonsorg/mixer#1731 to always require an api key for /v2/resolve in autopush and dev environments.

Staging and prod api key protection is configured via apigee and not affected by this PR.

Main Change:

  • In scripts/deploy_cloud_esp.sh, checks to see if the mixer helm environment file sets .esp.v2_resolve_allow_unregistered and sets the value accordingly in endpoints.yaml.

Side Changes:

  • Add some clarifying doc comments to build/ci/cloudbuild.push.yaml and build/ci/cloudbuild.push_image.yaml
  • Add tag name as a substitution var in tools/script_runner/cloudbuild.push_image.yaml and update the corresponding README.

Testing:


I first tested that deploying website+mixer PR together successfully blocked unauthenticated calls to /v2/resolve:

  1. used the updated tools/script_runner/cloudbuild.push_image.yaml to push a new script-runner image with tag dev-calinc that contained both the mixer and website changes locally
  2. locally changed this line to use gcr.io/datcom-ci/datacommons-script-runner:dev-calinc
  3. deployed to datcom-mixer-dev and verified (1) the logs showed that the desired value was overridden and (2) calling https://dev.api.datacommons.org/v2/resolve?nodes=population&resolver=indicator threw a 401 Unauthenticated Error.

Then I tested that mixer environments that don't override this value will remain unaffected by:

  1. pushed an image to the script runner with just the website change with tag dev-calinc2
  2. changed the mixer-dev skaffold to use gcr.io/datcom-ci/datacommons-script-runner:dev-calinc2
  3. deployed to datcom-mixer-dev and verified that datacommons.Mixer.V2Resolve.allow_unregistered_calls remained true since esp.v2_resolve_allow_unregistered was not set in the mixer_dev.yaml file and calling the /v2/resolve api did NOT throw a 401.

@gemini-code-assist

Summary of Changes

Hello @clincoln8, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances security for the /v2/resolve API endpoint in development and autopush environments by enabling dynamic configuration of API key requirements through Helm chart values. It ensures that unauthenticated calls to this endpoint are blocked in these specific environments, while production and staging remain unaffected due to existing Apigee configurations. Additionally, the PR improves clarity in Cloud Build configurations with new documentation and provides more flexibility for manual image pushes by introducing custom tag support.

Highlights

  • API Key Enforcement for /v2/resolve: Introduced conditional logic in scripts/deploy_cloud_esp.sh to enforce API key authentication for the /v2/resolve endpoint in autopush and dev environments. This is achieved by reading the esp.v2_resolve_allow_unregistered value from Helm charts and setting allow_unregistered_calls accordingly in endpoints.yaml.
  • Cloud Build Documentation Improvements: Added clarifying doc comments to build/ci/cloudbuild.push.yaml (official CI/CD) and build/ci/cloudbuild.push_image.yaml (manual push) to better explain their respective purposes and usage.
  • Flexible Image Tagging for Manual Pushes: Modified tools/script_runner/cloudbuild.push_image.yaml to use a _TAG_NAME substitution variable, allowing users to specify custom image tags (e.g., dev-username) for manual pushes. The README.md for the script runner was updated with a warning against using the latest tag for development and an example of how to use the new substitution.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a mechanism to enforce API key authentication for the /v2/resolve endpoint based on Helm chart configurations, a valuable security improvement, and enhances the development workflow by parameterizing image tags and adding documentation. However, a critical security concern has been identified in scripts/deploy_cloud_esp.sh due to unquoted variables, which could lead to argument injection or script failure. Additionally, suggestions are provided to improve the robustness of the shell script logic, increase the safety of the manual image push process by addressing a risky default tag in cloudbuild.push_image.yaml, and fix a minor typo in tools/script_runner/README.md.
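The override handling discussed in this review, as an added example that is not the PR's code and not part of the comments above: it quotes the values-file path, treats the `null` that yq prints for an absent key as "no override", and aborts on anything other than `true` or `false`. The function names and the `usage.rules` layout of endpoints.yaml are assumptions; `read_override` and `apply_override` need mikefarah yq v4.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the PR.

# Map the raw string read from the Helm values file to an override.
# yq prints the literal "null" for an absent key, so "null" and ""
# both mean "no override". Anything except true/false aborts the deploy.
normalize_override() {
  case "$1" in
    true|false) printf '%s\n' "$1" ;;
    null|'')    printf '\n' ;;
    *) echo "invalid esp.v2_resolve_allow_unregistered: '$1'" >&2
       return 1 ;;
  esac
}

# Read the key from a values file (requires mikefarah yq v4 on PATH).
# The path is quoted so spaces or globs in it cannot become extra args.
read_override() {
  raw="$(yq eval '.esp.v2_resolve_allow_unregistered' "$1")" || return 1
  normalize_override "$raw"
}

# Write the override into endpoints.yaml only when one was set.
# Assumed layout: usage.rules[] entries identified by .selector.
apply_override() {
  if [ -z "$1" ]; then
    return 0   # unset: leave the file's existing value untouched
  fi
  sel='.selector == "datacommons.Mixer.V2Resolve"'
  ALLOW="$1" yq eval -i \
    "(.usage.rules[] | select($sel) | .allow_unregistered_calls) = env(ALLOW)" "$2"
}

# In a deploy script (HELM_VALUES_FILE as in the PR):
#   override="$(read_override "$HELM_VALUES_FILE")" || exit 1
#   apply_override "$override" endpoints.yaml

# Constructed sample values, as yq would print them.
for raw in false null; do
  printf '%s -> [%s]\n' "$raw" "$(normalize_override "$raw")"
done
```
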

@clincoln8 clincoln8 changed the title from "Read mixer helm charts for /v2/resolve authentication overrides" to "Read mixer env helm charts for /v2/resolve authentication overrides" Jan 22, 2026
@clincoln8 clincoln8 marked this pull request as ready for review January 22, 2026 01:33
@clincoln8 clincoln8 requested a review from keyurva January 22, 2026 01:34
@keyurva keyurva left a comment

Thanks for the detailed PR desc and doing it so carefully!

yq eval -i '.endpoints[0].name = env(SERVICE_NAME)' endpoints.yaml

# Check for V2Resolve override
V2_RESOLVE_ALLOW_UNREGISTERED=$(yq eval '.esp.v2_resolve_allow_unregistered' $HELM_VALUES_FILE)
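Review bot: `$HELM_VALUES_FILE` is unquoted in the `yq eval` call on the last line, so a path containing spaces or glob characters is split into extra arguments; write `"$HELM_VALUES_FILE"`. yq also prints the string `null` when `.esp.v2_resolve_allow_unregistered` is absent, so whatever consumes `V2_RESOLVE_ALLOW_UNREGISTERED` (not visible here) should compare against an explicit `true` or `false` and treat `null` as unset rather than testing for a non-empty value.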

nit: Perhaps add TODO to remove this (and the corresponding mixer helm files) once we switch to always requiring keys everywhere.

Contributor Author

added here and in datacommonsorg/mixer#1731 using the same TODO(/v2/resolve cleanup) prefix

github-merge-queue bot pushed a commit to datacommonsorg/mixer that referenced this pull request Jan 22, 2026
This is paired with datacommonsorg/website#5924.
See that PR description for details and testing.