Skip to content

Commit

Permalink
APIGOV-26780 - acl plugin changes (#50)
Browse files Browse the repository at this point in the history
* acl plugin changes

* MR issues

* MR fixes (by actually following the ticket this time)

* gitignore change

* readme updates

* MR issues + config fix + default discovery yaml

* readme updates

* extra readme update

* helm fixes + rename disabled + MR issues

* remove hasACL

* change info to debug

* traceability helm update

* remove discovery yaml file
  • Loading branch information
dgghinea authored Dec 8, 2023
1 parent af42a02 commit 8077354
Show file tree
Hide file tree
Showing 12 changed files with 170 additions and 80 deletions.
4 changes: 2 additions & 2 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ bin/
.run/
*.log

**/kong_discovery_agent.yml
/kong_traceability_agent.yml
pkg/discovery/main/kong_discovery_agent.yml
pkg/traceability/main/kong_traceability_agent.yml

specs/
data/
Expand Down
20 changes: 11 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ The Kong agents are used to discover, provision access to, and track usages of K

## Discovery process

On startup the Kong discovery agent first validates that it is able to connect to all required services. Once connected to Kong the agent begins looking at the Plugins configured, as the ACL plugin is required for handling Amplify Central provisioning events. Then the agent will determine, from the plugins, which credential types the Kong Gateway has configured and create the Central representation of those types.
On startup the Kong discovery agent first validates that it is able to connect to all required services. Once connected to Kong the agent begins looking at the Plugins configured, more specifically for the ACL. The default option is to require having it. This can be changed from the config by disabling this check. By having the check disabled, it is assumed that access is allowed for everyone. Then the agent will determine, from the plugins, which credential types the Kong Gateway has configured and create the Central representation of those types.

After that initial startup process the discovery agent begins running its main discovery loop. In this loop the agent first gets a list of all Gateway Services. With each service the agent looks for all configured routes. The agent then looks to gather the specification file, see [Specification discovery methods](#specification-discovery-methods), if found the process continues. Using the route the agent checks for plugins to determine the types of credentials to associate with it. After gathering all of this information the agent creates a new API service with the specification file and linking the appropriate credentials. The endpoints associated to the API service are constructed using the **KONG_PROXY_HOST**, **KONG_PROXY_PORTS_HTTP**, and **KONG_PROXY_PORTS_HTTPS** settings.

Expand All @@ -52,15 +52,15 @@ A Marketplace application is created by a Marketplace user. When a resource with

### Access request

When a Marketplace user requests access to a resource, within the Kong environment, Central will create an AccessRequest resource in the same Kong environment. The agent receives this event and makes several changes within Kong. First the agent will add, or update, an ACL configuration on the Route being requested. This ACL will allow the Group ID created during the handling of the [Marketplace application](#marketplace-application) access to the route. Additionally, if a quota for this route has been set in Central in the product being handled the agent will add a Rate limiting plugin to reflect the quota that was set in Central for that product. Note: Quotas in Central can have a Weekly amount, this is not supported by Kong and the agent will reject the Access Request.
(Note: if the ACL plugin is not required, access request is skipped altogether). When a Marketplace user requests access to a resource, within the Kong environment, Central will create an AccessRequest resource in the same Kong environment. The agent receives this event and makes several changes within Kong. First the agent will add, or update, an ACL configuration on the Route being requested. This ACL will allow the Group ID created during the handling of the [Marketplace application](#marketplace-application) access to the route. Additionally, if a quota for this route has been set in Central in the product being handled the agent will add a Rate limiting plugin to reflect the quota that was set in Central for that product. Note: Quotas in Central can have a Weekly amount, this is not supported by Kong and the agent will reject the Access Request.

### Credential

Finally, when a Marketplace user requests a credential, within the Kong environment, Central will create a Credential resource in the same Kong environment. The agent receives this event and creates the proper credential type for the Consumer that the [Marketplace application](#marketplace-application) handling created. After successfully creating this credential the necessary details are returned back to the Central to be viewed and used by the Marketplace user.

## Traceability process

On startup the Kong traceability agent first validates that it is able to connect to all required services. Once validation is complete the agent begins listening for log events to be sent to it. The agent receives these events and iterates through them to determine if any of the events should be sampled. If it is to be sampled the agent creates a transaction summary and leg sending that the Amplify Central. Regardless of the event being set for sampling the agent will update the proper API Metric and Usage details to be sent to Amplify Central on the interval configured. See [Usage](https://docs.axway.com/bundle/amplify-central/page/docs/connect_manage_environ/connected_agent_common_reference/traceability_usage/index.html).
On startup the Kong traceability agent first validates that it is able to connect to all required services. Once validation is complete the agent begins listening for log events to be sent to it. The agent receives these events and iterates through them to determine if any of the events should be sampled. If it is to be sampled the agent creates a transaction summary and leg sending that the Amplify Central. Regardless of the event being set for sampling the agent will update the proper API Metric and Usage details to be sent to Amplify Central on the interval configured. See [Usage](https://docs.axway.com/bundle/amplify-central/page/docs/connect_manage_environ/connected_agent_common_reference/traceability_usage/index.html). Note: if the ACL plugin is not required, the traceability agent cannot associate API traffic with a consumer application.

## Environment variables

Expand All @@ -69,17 +69,19 @@ All Kong specific environment variables available are listed below
| Name | Description |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| Discovery Agent Variables | |
| **KONG_ACL_DISABLE** | Set to true to disable the check for a globally enabled ACL plugin on Kong. False by default. |
| **KONG_ADMIN_URL** | The Kong admin API URL that the agent will query against |
| **KONG_ADMIN_AUTH_APIKEY_HEADER** | The API Key header name the agent will use when authenticating |
| **KONG_ADMIN_AUTH_APIKEY_VALUE** | The API Key value the agent will use when authenticating |
| **KONG_ADMIN_AUTH_BASICAUTH_USERNAME** | The HTTP Basic username that the agent will use when authenticating |
| **KONG_ADMIN_AUTH_BASICAUTH_PASSWORD** | The HTTP Basic password that the agent will use when authenticating |
| **KONG_PROXY_HOST** | The proxy host that the agent will use in API Services when the Kong route does not specify hosts |
| **KONG_PROXY_PORTS_HTTP** | The HTTP port number that the agent will set for discovered APIS |
| **KONG_PROXY_PORTS_HTTPS** | The HTTPs port number that the agent will set for discovered APIS |
| **KONG_PROXY_PORTS_HTTP_DISABLE** | Set to true if the agent should ignore routes that serve over HTTP |
| **KONG_PROXY_PORTS_HTTPS_DISABLE** | Set to true if the agent should ignore routes that serve over HTTPs |
| **KONG_PROXY_PORTS_HTTP_VALUE** | The HTTP port value that the agent will set for discovered APIS |
| **KONG_PROXY_PORTS_HTTPS_VALUE** | The HTTPs port value that the agent will set for discovered APIS |
| **KONG_PROXY_PORTS_HTTP_DISABLE** | Set to true if the agent should ignore routes that serve over HTTP |
| **KONG_PROXY_PORTS_HTTPS_DISABLE** | Set to true if the agent should ignore routes that serve over HTTPs |
| **KONG_PROXY_BASEPATH** | The proxy base path that will be added between the proxy host and Kong route path when building endpoints |
| **KONG_SPEC_FILTER** | The Agent SDK specific filter format for filtering out specific Kong services |
| **KONG_SPEC_LOCALPATH** | The local path that the agent will look in for API definitions |
| **KONG_SPEC_URLPATHS** | The URL paths that the agent will query on the gateway service for API definitions |
| **KONG_SPEC_DEVPORTALENABLED** | Set to true if the agent should look for spec files in the Kong Dev Portal (default: `false`) |
Expand Down Expand Up @@ -294,8 +296,8 @@ KONG_ADMIN_URL=https://kong.url.com:8444
KONG_ADMIN_AUTH_APIKEY_HEADER="apikey"
KONG_ADMIN_AUTH_APIKEY_VALUE=123456789abcdefghijkl098765432109
KONG_PROXY_HOST=kong.proxy.endpoint.com
KONG_PROXY_PORTS_HTTP=8000
KONG_PROXY_PORTS_HTTPS=8443
KONG_PROXY_PORTS_HTTP_VALUE=8000
KONG_PROXY_PORTS_HTTPS_VALUE=8443
KONG_SPEC_LOCALPATH=/specs

CENTRAL_ORGANIZATIONID=123456789
Expand Down
2 changes: 1 addition & 1 deletion build/traceability/kong_traceability_agent.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ kong_traceability_agent:
http:
path: ${KONG_LOGS_HTTP_PATH}
port: ${KONG_LOGS_HTTP_PORT}
# Settings for connecting to Amplify Centralddd
# Settings for connecting to Amplify Central
central:
url: ${CENTRAL_URL:https://apicentral.axway.com}
organizationID: ${CENTRAL_ORGANIZATIONID:""}
Expand Down
13 changes: 8 additions & 5 deletions helm/kong-agents/templates/discovery-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -68,11 +68,13 @@ spec:
env:
- name: KONG_PROXY_HOST
value: "{{ .Values.kong.proxy.host }}"
- name: KONG_ACL_DISABLE
value: "{{ .Values.kong.acl.disable }}"
- name: KONG_PROXY_BASEPATH
value: "{{ .Values.kong.proxy.basePath }}"
- name: KONG_PROXY_PORTS_HTTP
- name: KONG_PROXY_PORTS_HTTP_VALUE
value: "{{ .Values.kong.proxy.ports.http.value }}"
- name: KONG_PROXY_PORTS_HTTPS
- name: KONG_PROXY_PORTS_HTTPS_VALUE
value: "{{ .Values.kong.proxy.ports.https.value }}"
- name: KONG_PROXY_PORTS_HTTP_DISABLE
value: "{{ .Values.kong.proxy.ports.http.disable }}"
Expand Down Expand Up @@ -120,15 +122,16 @@ spec:
{{- range $key, $value := . }}
{{- if and (not (eq (toString $value) ""))
(not (eq (toString $key) ""))
(not (has (toString $key) (list "KONG_ADMIN_URL"
(not (has (toString $key) (list "KONG_ACL_DISABLE"
"KONG_ADMIN_URL"
"KONG_ADMIN_AUTH_APIKEY_HEADER"
"KONG_ADMIN_AUTH_APIKEY_VALUE"
"KONG_ADMIN_AUTH_BASICAUTH_USERNAME"
"KONG_ADMIN_AUTH_BASICAUTH_PASSWORD"
"KONG_PROXY_HOST"
"KONG_PROXY_BASEPATH"
"KONG_PROXY_PORTS_HTTP"
"KONG_PROXY_PORTS_HTTPS"
"KONG_PROXY_PORTS_HTTP_VALUE"
"KONG_PROXY_PORTS_HTTPS_VALUE"
"KONG_PROXY_PORTS_HTTP_DISABLE"
"KONG_PROXY_PORTS_HTTPS_DISABLE"
"KONG_SPEC_LOCALPATH"
Expand Down
7 changes: 4 additions & 3 deletions helm/kong-agents/templates/traceability-statefulset.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -78,15 +78,16 @@ spec:
{{- range $key, $value := . }}
{{- if and (not (eq (toString $value) ""))
(not (eq (toString $key) ""))
(not (has (toString $key) (list "KONG_ADMIN_URL"
(not (has (toString $key) (list "KONG_ACL_DISABLE"
"KONG_ADMIN_URL"
"KONG_ADMIN_AUTH_APIKEY_HEADER"
"KONG_ADMIN_AUTH_APIKEY_VALUE"
"KONG_ADMIN_AUTH_BASICAUTH_USERNAME"
"KONG_ADMIN_AUTH_BASICAUTH_PASSWORD"
"KONG_PROXY_HOST"
"KONG_PROXY_BASEPATH"
"KONG_PROXY_PORTS_HTTP"
"KONG_PROXY_PORTS_HTTPS"
"KONG_PROXY_PORTS_HTTP_VALUE"
"KONG_PROXY_PORTS_HTTPS_VALUE"
"KONG_PROXY_PORTS_HTTP_DISABLE"
"KONG_PROXY_PORTS_HTTPS_DISABLE"
"KONG_SPEC_LOCALPATH"
Expand Down
2 changes: 2 additions & 0 deletions helm/kong-agents/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ fullnameOverride: ""
statusPort: 8989

kong:
acl:
disable: false
enable:
traceability: false
admin:
Expand Down
50 changes: 30 additions & 20 deletions pkg/discovery/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,34 +21,36 @@ type props interface {
}

const (
cfgKongAdminUrl = "kong.admin.url"
cfgKongAdminAPIKey = "kong.admin.auth.apiKey.value"
cfgKongAdminAPIKeyHeader = "kong.admin.auth.apiKey.header"
cfgKongAdminBasicUsername = "kong.admin.auth.basicauth.username"
cfgKongAdminBasicPassword = "kong.admin.auth.basicauth.password"
cfgKongProxyHost = "kong.proxy.host"
cfgKongProxyPortHttp = "kong.proxy.ports.http"
cfgKongProxyPortHttpDisabled = "kong.proxy.ports.http.disabled"
cfgKongProxyPortHttps = "kong.proxy.ports.https"
cfgKongProxyPortHttpsDisabled = "kong.proxy.ports.https.disabled"
cfgKongProxyBasePath = "kong.proxy.basePath"
cfgKongSpecURLPaths = "kong.spec.urlPaths"
cfgKongSpecLocalPath = "kong.spec.localPath"
cfgKongSpecFilter = "kong.spec.filter"
cfgKongSpecDevPortal = "kong.spec.devPortalEnabled"
cfgKongACLDisable = "kong.acl.disable"
cfgKongAdminUrl = "kong.admin.url"
cfgKongAdminAPIKey = "kong.admin.auth.apiKey.value"
cfgKongAdminAPIKeyHeader = "kong.admin.auth.apiKey.header"
cfgKongAdminBasicUsername = "kong.admin.auth.basicauth.username"
cfgKongAdminBasicPassword = "kong.admin.auth.basicauth.password"
cfgKongProxyHost = "kong.proxy.host"
cfgKongProxyPortHttp = "kong.proxy.ports.http.value"
cfgKongProxyPortHttpDisable = "kong.proxy.ports.http.disable"
cfgKongProxyPortHttps = "kong.proxy.ports.https.value"
cfgKongProxyPortHttpsDisable = "kong.proxy.ports.https.disable"
cfgKongProxyBasePath = "kong.proxy.basePath"
cfgKongSpecURLPaths = "kong.spec.urlPaths"
cfgKongSpecLocalPath = "kong.spec.localPath"
cfgKongSpecFilter = "kong.spec.filter"
cfgKongSpecDevPortal = "kong.spec.devPortalEnabled"
)

func AddKongProperties(rootProps props) {
rootProps.AddBoolProperty(cfgKongACLDisable, false, "Disable the check for a globally enabled ACL plugin on Kong. False by default.")
rootProps.AddStringProperty(cfgKongAdminUrl, "", "The Admin API url")
rootProps.AddStringProperty(cfgKongAdminAPIKey, "", "API Key value to authenticate with Kong Gateway")
rootProps.AddStringProperty(cfgKongAdminAPIKeyHeader, "", "API Key header to authenticate with Kong Gateway")
rootProps.AddStringProperty(cfgKongAdminBasicUsername, "", "Username for basic auth to authenticate with Kong Admin API")
rootProps.AddStringProperty(cfgKongAdminBasicPassword, "", "Password for basic auth to authenticate with Kong Admin API")
rootProps.AddStringProperty(cfgKongProxyHost, "", "The Kong proxy endpoint")
rootProps.AddIntProperty(cfgKongProxyPortHttp, 80, "The Kong proxy http port")
rootProps.AddBoolProperty(cfgKongProxyPortHttpDisabled, false, "Set to true to disable adding an http endpoint to discovered routes")
rootProps.AddBoolProperty(cfgKongProxyPortHttpDisable, false, "Set to true to disable adding an http endpoint to discovered routes")
rootProps.AddIntProperty(cfgKongProxyPortHttps, 443, "The Kong proxy https port")
rootProps.AddBoolProperty(cfgKongProxyPortHttpsDisabled, false, "Set to true to disable adding an https endpoint to discovered routes")
rootProps.AddBoolProperty(cfgKongProxyPortHttpsDisable, false, "Set to true to disable adding an https endpoint to discovered routes")
rootProps.AddStringProperty(cfgKongProxyBasePath, "", "The base path for the Kong proxy endpoint")
rootProps.AddStringSliceProperty(cfgKongSpecURLPaths, []string{}, "URL paths that the agent will look in for spec files")
rootProps.AddStringProperty(cfgKongSpecLocalPath, "", "Local paths where the agent will look for spec files")
Expand Down Expand Up @@ -95,7 +97,7 @@ type KongPortConfig struct {

type KongPortSettingsConfig struct {
Value int `config:"value"`
Disable bool `config:"disabled"`
Disable bool `config:"disable"`
}

type KongSpecConfig struct {
Expand All @@ -105,12 +107,17 @@ type KongSpecConfig struct {
Filter string `config:"filter"`
}

type KongACLConfig struct {
Disable bool `config:"disable"`
}

// KongGatewayConfig - represents the config for gateway
type KongGatewayConfig struct {
corecfg.IConfigValidator
Admin KongAdminConfig `config:"admin"`
Proxy KongProxyConfig `config:"proxy"`
Spec KongSpecConfig `config:"spec"`
ACL KongACLConfig `config:"acl"`
}

const (
Expand Down Expand Up @@ -196,22 +203,25 @@ func invalidCredentialConfig(c *KongGatewayConfig) bool {
func ParseProperties(rootProps props) *KongGatewayConfig {
// Parse the config from bound properties and setup gateway config
httpPortConf := KongPortSettingsConfig{
Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpDisabled),
Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpDisable),
Value: rootProps.IntPropertyValue(cfgKongProxyPortHttp),
}
if httpPortConf.Disable {
httpPortConf.Value = 0
}

httpsPortConf := KongPortSettingsConfig{
Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpsDisabled),
Disable: rootProps.BoolPropertyValue(cfgKongProxyPortHttpsDisable),
Value: rootProps.IntPropertyValue(cfgKongProxyPortHttps),
}
if httpsPortConf.Disable {
httpsPortConf.Value = 0
}

return &KongGatewayConfig{
ACL: KongACLConfig{
Disable: rootProps.BoolPropertyValue(cfgKongACLDisable),
},
Admin: KongAdminConfig{
Url: rootProps.StringPropertyValue(cfgKongAdminUrl),
Auth: KongAdminAuthConfig{
Expand Down
Loading

0 comments on commit 8077354

Please sign in to comment.