APIGOV-26780 - acl plugin changes (#50)

* acl plugin changes

* MR issues

* MR fixes (by actually following the ticket this time)

* gitignore change

* readme updates

* MR issues + config fix + default discovery yaml

* readme updates

* extra readme update

* helm fixes + rename disabled + MR issues

* remove hasACL

* change info to debug

* traceability helm update

* remove discovery yaml file

.gitignore

@@ -21,8 +21,8 @@ bin/
 .run/
 *.log
 
-**/kong_discovery_agent.yml
-/kong_traceability_agent.yml
+pkg/discovery/main/kong_discovery_agent.yml
+pkg/traceability/main/kong_traceability_agent.yml
 
 specs/
 data/

README.md

@@ -38,7 +38,7 @@ The Kong agents are used to discover, provision access to, and track usages of K
 
 ## Discovery process
 
-On startup the Kong discovery agent first validates that it is able to connect to all required services. Once connected to Kong the agent begins looking at the Plugins configured, as the ACL plugin is required for handling Amplify Central provisioning events. Then the agent will determine, from the plugins, which credential types the Kong Gateway has configured and create the Central representation of those types.
+On startup the Kong discovery agent first validates that it is able to connect to all required services. Once connected to Kong the agent begins looking at the Plugins configured, more specifically for the ACL. The default option is to require having it. This can be changed from the config by disabling this check. By having the check disabled, it is assumed that access is allowed for everyone. Then the agent will determine, from the plugins, which credential types the Kong Gateway has configured and create the Central representation of those types.
 
 After that initial startup process the discovery agent begins running its main discovery loop. In this loop the agent first gets a list of all Gateway Services. With each service the agent looks for all configured routes. The agent then looks to gather the specification file, see [Specification discovery methods](#specification-discovery-methods), if found the process continues. Using the route the agent checks for plugins to determine the types of credentials to associate with it. After gathering all of this information the agent creates a new API service with the specification file and linking the appropriate credentials. The endpoints associated to the API service are constructed using the **KONG_PROXY_HOST**, **KONG_PROXY_PORTS_HTTP**, and **KONG_PROXY_PORTS_HTTPS** settings.
 
@@ -52,15 +52,15 @@ A Marketplace application is created by a Marketplace user. When a resource with
 
 ### Access request
 
-When a Marketplace user requests access to a resource, within the Kong environment, Central will create an AccessRequest resource in the same Kong environment. The agent receives this event and makes several changes within Kong. First the agent will add, or update, an ACL configuration on the Route being requested. This ACL will allow the Group ID created during the handling of the [Marketplace application](#marketplace-application) access to the route. Additionally, if a quota for this route has been set in Central in the product being handled the agent will add a Rate limiting plugin to reflect the quota that was set in Central for that product. Note: Quotas in Central can have a Weekly amount, this is not supported by Kong and the agent will reject the Access Request.
+(Note: if the ACL plugin is not required, access request is skipped altogether). When a Marketplace user requests access to a resource, within the Kong environment, Central will create an AccessRequest resource in the same Kong environment. The agent receives this event and makes several changes within Kong. First the agent will add, or update, an ACL configuration on the Route being requested. This ACL will allow the Group ID created during the handling of the [Marketplace application](#marketplace-application) access to the route. Additionally, if a quota for this route has been set in Central in the product being handled the agent will add a Rate limiting plugin to reflect the quota that was set in Central for that product. Note: Quotas in Central can have a Weekly amount, this is not supported by Kong and the agent will reject the Access Request.
 
 ### Credential
 
 Finally, when a Marketplace user requests a credential, within the Kong environment, Central will create a Credential resource in the same Kong environment. The agent receives this event and creates the proper credential type for the Consumer that the [Marketplace application](#marketplace-application) handling created. After successfully creating this credential the necessary details are returned back to the Central to be viewed and used by the Marketplace user.
 
 ## Traceability process
 
-On startup the Kong traceability agent first validates that it is able to connect to all required services. Once validation is complete the agent begins listening for log events to be sent to it. The agent receives these events and iterates through them to determine if any of the events should be sampled. If it is to be sampled the agent creates a transaction summary and leg sending that the Amplify Central. Regardless of the event being set for sampling the agent will update the proper API Metric and Usage details to be sent to Amplify Central on the interval configured. See [Usage](https://docs.axway.com/bundle/amplify-central/page/docs/connect_manage_environ/connected_agent_common_reference/traceability_usage/index.html).
+On startup the Kong traceability agent first validates that it is able to connect to all required services. Once validation is complete the agent begins listening for log events to be sent to it. The agent receives these events and iterates through them to determine if any of the events should be sampled. If it is to be sampled the agent creates a transaction summary and leg sending that the Amplify Central. Regardless of the event being set for sampling the agent will update the proper API Metric and Usage details to be sent to Amplify Central on the interval configured. See [Usage](https://docs.axway.com/bundle/amplify-central/page/docs/connect_manage_environ/connected_agent_common_reference/traceability_usage/index.html). Note: if the ACL plugin is not required, the traceability agent cannot associate API traffic with a consumer application.
 
 ## Environment variables
 
@@ -69,17 +69,19 @@ All Kong specific environment variables available are listed below
 | Name                                   | Description                                                                                               |
 | -------------------------------------- | --------------------------------------------------------------------------------------------------------- |
 | Discovery Agent Variables              |                                                                                                           |
+| **KONG_ACL_DISABLE**                   | Set to true to disable the check for a globally enabled ACL plugin on Kong. False by default.             |
 | **KONG_ADMIN_URL**                     | The Kong admin API URL that the agent will query against                                                  |
 | **KONG_ADMIN_AUTH_APIKEY_HEADER**      | The API Key header name the agent will use when authenticating                                            |
 | **KONG_ADMIN_AUTH_APIKEY_VALUE**       | The API Key value the agent will use when authenticating                                                  |
 | **KONG_ADMIN_AUTH_BASICAUTH_USERNAME** | The HTTP Basic username that the agent will use when authenticating                                       |
 | **KONG_ADMIN_AUTH_BASICAUTH_PASSWORD** | The HTTP Basic password that the agent will use when authenticating                                       |
 | **KONG_PROXY_HOST**                    | The proxy host that the agent will use in API Services when the Kong route does not specify hosts         |
-| **KONG_PROXY_PORTS_HTTP**              | The HTTP port number that the agent will set for discovered APIS                                          |
-| **KONG_PROXY_PORTS_HTTPS**             | The HTTPs port number that the agent will set for discovered APIS                                         |
-| **KONG_PROXY_PORTS_HTTP_DISABLE**      | Set to true if the agent should ignore routes that serve over HTTP                                       |
-| **KONG_PROXY_PORTS_HTTPS_DISABLE**     | Set to true if the agent should ignore routes that serve over HTTPs                                      |
+| **KONG_PROXY_PORTS_HTTP_VALUE**        | The HTTP port value that the agent will set for discovered APIS                                           |
+| **KONG_PROXY_PORTS_HTTPS_VALUE**       | The HTTPs port value that the agent will set for discovered APIS                                          |
+| **KONG_PROXY_PORTS_HTTP_DISABLE**      | Set to true if the agent should ignore routes that serve over HTTP                                        |
+| **KONG_PROXY_PORTS_HTTPS_DISABLE**     | Set to true if the agent should ignore routes that serve over HTTPs                                       |
 | **KONG_PROXY_BASEPATH**                | The proxy base path that will be added between the proxy host and Kong route path when building endpoints |
+| **KONG_SPEC_FILTER**                   | The Agent SDK specific filter format for filtering out specific Kong services                             |
 | **KONG_SPEC_LOCALPATH**                | The local path that the agent will look in for API definitions                                            |
 | **KONG_SPEC_URLPATHS**                 | The URL paths that the agent will query on the gateway service for API definitions                        |
 | **KONG_SPEC_DEVPORTALENABLED**         | Set to true if the agent should look for spec files in the Kong Dev Portal (default: `false`)             |
@@ -294,8 +296,8 @@ KONG_ADMIN_URL=https://kong.url.com:8444
 KONG_ADMIN_AUTH_APIKEY_HEADER="apikey"
 KONG_ADMIN_AUTH_APIKEY_VALUE=123456789abcdefghijkl098765432109
 KONG_PROXY_HOST=kong.proxy.endpoint.com
-KONG_PROXY_PORTS_HTTP=8000
-KONG_PROXY_PORTS_HTTPS=8443
+KONG_PROXY_PORTS_HTTP_VALUE=8000
+KONG_PROXY_PORTS_HTTPS_VALUE=8443
 KONG_SPEC_LOCALPATH=/specs
 
 CENTRAL_ORGANIZATIONID=123456789

build/traceability/kong_traceability_agent.yml

@@ -5,7 +5,7 @@ kong_traceability_agent:
       http:
         path: ${KONG_LOGS_HTTP_PATH}
         port: ${KONG_LOGS_HTTP_PORT}
-  # Settings for connecting to Amplify Centralddd
+  # Settings for connecting to Amplify Central
   central:
     url: ${CENTRAL_URL:https://apicentral.axway.com}
     organizationID: ${CENTRAL_ORGANIZATIONID:""}

helm/kong-agents/templates/discovery-deployment.yaml

@@ -68,11 +68,13 @@ spec:
           env:
             - name: KONG_PROXY_HOST
               value: "{{ .Values.kong.proxy.host }}"
+            - name: KONG_ACL_DISABLE
+              value: "{{ .Values.kong.acl.disable }}"
             - name: KONG_PROXY_BASEPATH
               value: "{{ .Values.kong.proxy.basePath }}"
-            - name: KONG_PROXY_PORTS_HTTP
+            - name: KONG_PROXY_PORTS_HTTP_VALUE
               value: "{{ .Values.kong.proxy.ports.http.value }}"
-            - name: KONG_PROXY_PORTS_HTTPS
+            - name: KONG_PROXY_PORTS_HTTPS_VALUE
               value: "{{ .Values.kong.proxy.ports.https.value }}"
             - name: KONG_PROXY_PORTS_HTTP_DISABLE
               value: "{{ .Values.kong.proxy.ports.http.disable }}"
@@ -120,15 +122,16 @@ spec:
           {{- range $key, $value := . }}
           {{- if and (not (eq (toString $value) ""))
                      (not (eq (toString $key) ""))
-                     (not (has (toString $key) (list "KONG_ADMIN_URL" 
+                     (not (has (toString $key) (list "KONG_ACL_DISABLE"
+                                                     "KONG_ADMIN_URL" 
                                                      "KONG_ADMIN_AUTH_APIKEY_HEADER" 
                                                      "KONG_ADMIN_AUTH_APIKEY_VALUE"
                                                      "KONG_ADMIN_AUTH_BASICAUTH_USERNAME"
                                                      "KONG_ADMIN_AUTH_BASICAUTH_PASSWORD"
                                                      "KONG_PROXY_HOST" 
                                                      "KONG_PROXY_BASEPATH" 
-                                                     "KONG_PROXY_PORTS_HTTP" 
-                                                     "KONG_PROXY_PORTS_HTTPS" 
+                                                     "KONG_PROXY_PORTS_HTTP_VALUE" 
+                                                     "KONG_PROXY_PORTS_HTTPS_VALUE" 
                                                      "KONG_PROXY_PORTS_HTTP_DISABLE" 
                                                      "KONG_PROXY_PORTS_HTTPS_DISABLE" 
                                                      "KONG_SPEC_LOCALPATH"

helm/kong-agents/templates/traceability-statefulset.yaml

@@ -78,15 +78,16 @@ spec:
           {{- range $key, $value := . }}
           {{- if and (not (eq (toString $value) ""))
                      (not (eq (toString $key) ""))
-                     (not (has (toString $key) (list "KONG_ADMIN_URL" 
+                     (not (has (toString $key) (list "KONG_ACL_DISABLE"
+                                                     "KONG_ADMIN_URL" 
                                                      "KONG_ADMIN_AUTH_APIKEY_HEADER" 
                                                      "KONG_ADMIN_AUTH_APIKEY_VALUE"
                                                      "KONG_ADMIN_AUTH_BASICAUTH_USERNAME"
                                                      "KONG_ADMIN_AUTH_BASICAUTH_PASSWORD"
                                                      "KONG_PROXY_HOST" 
                                                      "KONG_PROXY_BASEPATH" 
-                                                     "KONG_PROXY_PORTS_HTTP" 
-                                                     "KONG_PROXY_PORTS_HTTPS" 
+                                                     "KONG_PROXY_PORTS_HTTP_VALUE" 
+                                                     "KONG_PROXY_PORTS_HTTPS_VALUE" 
                                                      "KONG_PROXY_PORTS_HTTP_DISABLE" 
                                                      "KONG_PROXY_PORTS_HTTPS_DISABLE" 
                                                      "KONG_SPEC_LOCALPATH"

helm/kong-agents/values.yaml

@@ -21,6 +21,8 @@ fullnameOverride: ""
 statusPort: 8989
 
 kong:
+  acl:
+    disable: false
   enable:
     traceability: false
   admin:

pkg/discovery/config/config.go

@@ -21,34 +21,36 @@ type props interface {
 }
 
 const (
-	cfgKongAdminUrl               = "kong.admin.url"
-	cfgKongAdminAPIKey            = "kong.admin.auth.apiKey.value"
-	cfgKongAdminAPIKeyHeader      = "kong.admin.auth.apiKey.header"
-	cfgKongAdminBasicUsername     = "kong.admin.auth.basicauth.username"
-	cfgKongAdminBasicPassword     = "kong.admin.auth.basicauth.password"
-	cfgKongProxyHost              = "kong.proxy.host"
-	cfgKongProxyPortHttp          = "kong.proxy.ports.http"
-	cfgKongProxyPortHttpDisabled  = "kong.proxy.ports.http.disabled"
-	cfgKongProxyPortHttps         = "kong.proxy.ports.https"
-	cfgKongProxyPortHttpsDisabled = "kong.proxy.ports.https.disabled"
-	cfgKongProxyBasePath          = "kong.proxy.basePath"
-	cfgKongSpecURLPaths           = "kong.spec.urlPaths"
-	cfgKongSpecLocalPath          = "kong.spec.localPath"
-	cfgKongSpecFilter             = "kong.spec.filter"
-	cfgKongSpecDevPortal          = "kong.spec.devPortalEnabled"
+	cfgKongACLDisable            = "kong.acl.disable"
+	cfgKongAdminUrl              = "kong.admin.url"
+	cfgKongAdminAPIKey           = "kong.admin.auth.apiKey.value"
+	cfgKongAdminAPIKeyHeader     = "kong.admin.auth.apiKey.header"
+	cfgKongAdminBasicUsername    = "kong.admin.auth.basicauth.username"
+	cfgKongAdminBasicPassword    = "kong.admin.auth.basicauth.password"
+	cfgKongProxyHost             = "kong.proxy.host"
+	cfgKongProxyPortHttp         = "kong.proxy.ports.http.value"
+	cfgKongProxyPortHttpDisable  = "kong.proxy.ports.http.disable"
+	cfgKongProxyPortHttps        = "kong.proxy.ports.https.value"
+	cfgKongProxyPortHttpsDisable = "kong.proxy.ports.https.disable"
+	cfgKongProxyBasePath         = "kong.proxy.basePath"
+	cfgKongSpecURLPaths          = "kong.spec.urlPaths"
+	cfgKongSpecLocalPath         = "kong.spec.localPath"
+	cfgKongSpecFilter            = "kong.spec.filter"
+	cfgKongSpecDevPortal         = "kong.spec.devPortalEnabled"
 )
 
 func AddKongProperties(rootProps props) {
+	rootProps.AddBoolProperty(cfgKongACLDisable, false, "Disable the check for a globally enabled ACL plugin on Kong. False by default.")
 	rootProps.AddStringProperty(cfgKongAdminUrl, "", "The Admin API url")
 	rootProps.AddStringProperty(cfgKongAdminAPIKey, "", "API Key value to authenticate with Kong Gateway")
 	rootProps.AddStringProperty(cfgKongAdminAPIKeyHeader, "", "API Key header to authenticate with Kong Gateway")
 	rootProps.AddStringProperty(cfgKongAdminBasicUsername, "", "Username for basic auth to authenticate with Kong Admin API")
 	rootProps.AddStringProperty(cfgKongAdminBasicPassword, "", "Password for basic auth to authenticate with Kong Admin API")
 	rootProps.AddStringProperty(cfgKongProxyHost, "", "The Kong proxy endpoint")
 	rootProps.AddIntProperty(cfgKongProxyPortHttp, 80, "The Kong proxy http port")
-	rootProps.AddBoolProperty(cfgKongProxyPortHttpDisabled, false, "Set to true to disable adding an http endpoint to discovered routes")
+	rootProps.AddBoolProperty(cfgKongProxyPortHttpDisable, false, "Set to true to disable adding an http endpoint to discovered routes")
 	rootProps.AddIntProperty(cfgKongProxyPortHttps, 443, "The Kong proxy https port")
-	rootProps.AddBoolProperty(cfgKongProxyPortHttpsDisabled, false, "Set to true to disable adding an https endpoint to discovered routes")
+	rootProps.AddBoolProperty(cfgKongProxyPortHttpsDisable, false, "Set to true to disable adding an https endpoint to discovered routes")
 	rootProps.AddStringProperty(cfgKongProxyBasePath, "", "The base path for the Kong proxy endpoint")
 	rootProps.AddStringSliceProperty(cfgKongSpecURLPaths, []string{}, "URL paths that the agent will look in for spec files")
 	rootProps.AddStringProperty(cfgKongSpecLocalPath, "", "Local paths where the agent will look for spec files")
@@ -95,7 +97,7 @@ type KongPortConfig struct {
 
 type KongPortSettingsConfig struct {
 	Value   int  `config:"value"`
-	Disable bool `config:"disabled"`
+	Disable bool `config:"disable"`
 }
 
 type KongSpecConfig struct {
@@ -105,12 +107,17 @@ type KongSpecConfig struct {
 	Filter           string   `config:"filter"`
 }
 
+type KongACLConfig struct {
+	Disable bool `config:"disable"`
+}
+
 // KongGatewayConfig - represents the config for gateway
 type KongGatewayConfig struct {
 	corecfg.IConfigValidator
 	Admin KongAdminConfig `config:"admin"`
 	Proxy KongProxyConfig `config:"proxy"`
 	Spec  KongSpecConfig  `config:"spec"`
+	ACL   KongACLConfig   `config:"acl"`
 }
 
 const (
@@ -196,22 +203,25 @@ func invalidCredentialConfig(c *KongGatewayConfig) bool {
 func ParseProperties(rootProps props) *KongGatewayConfig {
 	// Parse the config from bound properties and setup gateway config
 	httpPortConf := KongPortSettingsConfig{
-		Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpDisabled),
+		Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpDisable),
 		Value:   rootProps.IntPropertyValue(cfgKongProxyPortHttp),
 	}
 	if httpPortConf.Disable {
 		httpPortConf.Value = 0
 	}
 
 	httpsPortConf := KongPortSettingsConfig{
-		Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpsDisabled),
+		Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpsDisable),
 		Value:   rootProps.IntPropertyValue(cfgKongProxyPortHttps),
 	}
 	if httpsPortConf.Disable {
 		httpsPortConf.Value = 0
 	}
 
 	return &KongGatewayConfig{
+		ACL: KongACLConfig{
+			Disable: rootProps.BoolPropertyValue(cfgKongACLDisable),
+		},
 		Admin: KongAdminConfig{
 			Url: rootProps.StringPropertyValue(cfgKongAdminUrl),
 			Auth: KongAdminAuthConfig{