MR fixes (by actually following the ticket this time)

helm/kong-agents/templates/discovery-deployment.yaml

@@ -68,6 +68,8 @@ spec:
           env:
             - name: KONG_PROXY_HOST
               value: "{{ .Values.kong.proxy.host }}"
+            - name: KONG_ACL_REQUIRED
+              value: "{{ .Values.kong.acl.required }}"
             - name: KONG_PROXY_PORTS_HTTP
               value: "{{ .Values.kong.proxy.ports.http }}"
             - name: KONG_PROXY_PORTS_HTTPS

helm/kong-agents/values.yaml

@@ -21,6 +21,8 @@ fullnameOverride: ""
 statusPort: 8989
 
 kong:
+  acl:
+    required: false
   enable:
     traceability: false
   admin:

pkg/discovery/config/config.go

@@ -11,6 +11,7 @@ import (
 )
 
 const (
+	cfgKongACLRequired       = "kong.acl.required"
 	cfgKongProxyHost         = "kong.proxy.host"
 	cfgKongAdminUrl          = "kong.admin.url"
 	cfgKongAdminAPIKey       = "kong.admin.auth.apiKey.value"
@@ -25,6 +26,7 @@ const (
 )
 
 func AddKongProperties(rootProps properties.Properties) {
+	rootProps.AddBoolProperty(cfgKongACLRequired, false, "Whether or not an ACL plugin on Kong is required. False by default.")
 	rootProps.AddStringProperty(cfgKongAdminUrl, "", "The Admin API url")
 	rootProps.AddStringProperty(cfgKongAdminAPIKey, "", "API Key value to authenticate with Kong Gateway")
 	rootProps.AddStringProperty(cfgKongAdminAPIKeyHeader, "", "API Key header to authenticate with Kong Gateway")
@@ -81,12 +83,17 @@ type KongSpecConfig struct {
 	Filter           string   `config:"filter"`
 }
 
+type KongACLConfig struct {
+	Required bool `config:"required"`
+}
+
 // KongGatewayConfig - represents the config for gateway
 type KongGatewayConfig struct {
 	corecfg.IConfigValidator
 	Admin KongAdminConfig `config:"admin"`
 	Proxy KongProxyConfig `config:"proxy"`
 	Spec  KongSpecConfig  `config:"spec"`
+	ACL   KongACLConfig   `config:"acl"`
 }
 
 const (
@@ -156,6 +163,9 @@ func invalidCredentialConfig(c *KongGatewayConfig) bool {
 func ParseProperties(rootProps properties.Properties) *KongGatewayConfig {
 	// Parse the config from bound properties and setup gateway config
 	return &KongGatewayConfig{
+		ACL: KongACLConfig{
+			Required: rootProps.BoolPropertyValue(cfgKongACLRequired),
+		},
 		Admin: KongAdminConfig{
 			Url: rootProps.StringPropertyValue(cfgKongAdminUrl),
 			Auth: KongAdminAuthConfig{

pkg/discovery/gateway/client.go

@@ -49,10 +49,17 @@ func NewClient(agentConfig config.AgentConfig) (*Client, error) {
 		return nil, err
 	}
 
-	hasACL := "true"
-	if err := hasACLEnabledInPlugins(plugins); err != nil {
-		hasACL = "false"
-		logger.WithError(err).Warn("No ACL plugin found. Assuming global access is allowed for all services.")
+	hasACL := "false"
+	err = hasGlobalACLEnabledInPlugins(plugins)
+	if err != nil && agentConfig.KongGatewayCfg.ACL.Required {
+		logger.WithError(err).Error("ACL Plugin configured as required, but none found in Kong plugins.")
+		return nil, err
+	}
+	if err == nil && agentConfig.KongGatewayCfg.ACL.Required {
+		hasACL = "true"
+	}
+	if !agentConfig.KongGatewayCfg.ACL.Required {
+		logger.Warn("ACL Plugin not required. Assuming global access is allowed for all services.")
 	}
 
 	provisionLogger := log.NewFieldLogger().WithComponent("provision").WithPackage("kong")
@@ -70,10 +77,17 @@ func NewClient(agentConfig config.AgentConfig) (*Client, error) {
 	}, nil
 }
 
-// Returns no error in case an ACL plugin which is enabled is found
-func hasACLEnabledInPlugins(plugins []*klib.Plugin) error {
+func pluginIsGlobal(p *klib.Plugin) bool {
+	if p.Service == nil && p.Route == nil {
+		return true
+	}
+	return false
+}
+
+// Returns no error in case a global ACL plugin which is enabled is found
+func hasGlobalACLEnabledInPlugins(plugins []*klib.Plugin) error {
 	for _, plugin := range plugins {
-		if *plugin.Name == "acl" && *plugin.Enabled {
+		if *plugin.Name == "acl" && *plugin.Enabled && pluginIsGlobal(plugin) {
 			return nil
 		}
 	}