MR issues + config fix + default discovery yaml

Axway · Dec 8, 2023 · 32d3c16 · 32d3c16
1 parent bcf3101
commit 32d3c16
Show file tree

Hide file tree

Showing 9 changed files with 152 additions and 73 deletions.
diff --git a/build/discovery/kong_discovery_agent.yml b/build/discovery/kong_discovery_agent.yml
@@ -0,0 +1,78 @@
+# Settings for Kong Discovery Agent
+kong:
+  acl:
+    disabled: ${KONG_ACL_DISABLED:""}
+  admin:
+    url: ${KONG_ADMIN_URL:""}
+    auth:
+      basicauth:
+        username: ${KONG_ADMIN_AUTH_BASICAUTH_USERNAME:""}
+        password: ${KONG_ADMIN_AUTH_BASICAUTH_USERNAME:""}
+      apiKey:
+        header: ${KONG_ADMIN_AUTH_APIKEY_HEADER:""}
+        value: ${KONG_ADMIN_AUTH_APIKEY_VALUE:""}
+  proxy:
+    host: ${KONG_PROXY_HOST:""}
+    ports:
+      http:
+        value: ${KONG_PROXY_PORTS_HTTP_VALUE:""}
+        disabled: ${KONG_PROXY_PORTS_HTTP_DISABLED:""}
+      https:
+        value: ${KONG_PROXY_PORTS_HTTPS_VALUE:""}
+        disabled: ${KONG_PROXY_PORTS_HTTPS_DISABLED:""}
+    basePath: ${KONG_PROXY_BASEPATH:""}
+  spec:
+    urlPaths: ${KONG_SPEC_URLPATHS:""}
+    localPath: ${KONG_SPEC_LOCALPATH:""}
+    filter: ${KONG_SPEC_FILTER:""}
+    devPortalEnabled: ${KONG_SPEC_DEVPORTALENABLED:""}
+  # Settings for connecting to Amplify Central
+
+central:
+  url: ${CENTRAL_URL:https://apicentral.axway.com}
+  organizationID: ${CENTRAL_ORGANIZATIONID:""}
+  team: ${CENTRAL_TEAM:""}
+  deployment: ${CENTRAL_DEPLOYMENT:prod}
+  environment: ${CENTRAL_ENVIRONMENT:""}
+  environmentID: ${CENTRAL_ENVIRONMENTID} # only required when CENTRAL_USAGEREPORTING_OFFLINE=true
+  agentName: ${CENTRAL_AGENTNAME:""}
+  platformURL: ${CENTRAL_PLATFORMURL:https://platform.axway.com}
+  reportActivityFrequency: ${CENTRAL_REPORTACTIVITYFREQUENCY:5m}
+  usageReporting:
+    publish: ${CENTRAL_USAGEREPORTING_PUBLISH}
+    publishMetric: ${CENTRAL_USAGEREPORTING_PUBLISHMETRIC}
+    interval: ${CENTRAL_USAGEREPORTING_INTERVAL}
+    usageSchedule: ${CENTRAL_USAGEREPORTING_USAGESCHEDULE}
+    offline: ${CENTRAL_USAGEREPORTING_OFFLINE}
+    offlineSchedule: ${CENTRAL_USAGEREPORTING_OFFLINESCHEDULE}
+  auth:
+    url: ${CENTRAL_AUTH_URL:https://login.axway.com/auth}
+    realm: ${CENTRAL_AUTH_REALM:Broker}
+    clientId: ${CENTRAL_AUTH_CLIENTID:""}
+    privateKey: ${CENTRAL_AUTH_PRIVATEKEY:./private_key.pem}
+    publicKey: ${CENTRAL_AUTH_PUBLICKEY:./public_key.pem}
+    keyPassword: ${CENTRAL_AUTH_KEYPASSWORD:""}
+    timeout: 10s
+  grpc:
+    enabled: ${CENTRAL_GRPC_ENABLED}
+    host: ${CENTRAL_GRPC_HOST}
+    port: ${CENTRAL_GRPC_PORT}
+  proxyUrl: ${CENTRAL_PROXYURL:""}
+  clientTimeout: ${CENTRAL_CLIENTTIMEOUT:60s}
+agentFeatures:
+  persistCache: ${AGENTFEATURES_PERSISTCACHE}
+  marketplaceProvisioning: ${AGENTFEATURES_MARKETPLACEPROVISIONING}
+  versionChecker: ${AGENTFEATURES_VERSIONCHECKER}
+  processSystemSignals: ${AGENTFEATURES_PROCESSSYSTEMSIGNALS}
+  connectToCentral: ${AGENTFEATURES_CONNECTTOCENTRAL}
+status:
+  port: ${STATUS_PORT:8990}
+  healthCheckPeriod: ${STATUS_HEALTHCHECKPERIOD:3m}
+  healthCheckInterval: ${STATUS_HEALTHCHECKINTERVAL:30s}
+log:
+  level: ${LOG_LEVEL:info}
+  format: ${LOG_FORMAT:json}
+  output: ${LOG_OUTPUT:stdout}
+  file:
+    name: ${LOG_FILE_NAME:traceability_agent.log}
+    path: ${LOG_FILE_PATH:logs}
diff --git a/build/traceability/kong_traceability_agent.yml b/build/traceability/kong_traceability_agent.yml
@@ -5,7 +5,7 @@ kong_traceability_agent:
       http:
         path: ${KONG_LOGS_HTTP_PATH}
         port: ${KONG_LOGS_HTTP_PORT}
-  # Settings for connecting to Amplify Centralddd
+  # Settings for connecting to Amplify Central
   central:
     url: ${CENTRAL_URL:https://apicentral.axway.com}
     organizationID: ${CENTRAL_ORGANIZATIONID:""}

diff --git a/pkg/discovery/config/config.go b/pkg/discovery/config/config.go
@@ -21,16 +21,16 @@ type props interface {
 }
 
 const (
-  cfgKongACLRequired            = "kong.acl.required"
+	cfgKongACLDisabled            = "kong.acl.disabled"
 	cfgKongAdminUrl               = "kong.admin.url"
 	cfgKongAdminAPIKey            = "kong.admin.auth.apiKey.value"
 	cfgKongAdminAPIKeyHeader      = "kong.admin.auth.apiKey.header"
 	cfgKongAdminBasicUsername     = "kong.admin.auth.basicauth.username"
 	cfgKongAdminBasicPassword     = "kong.admin.auth.basicauth.password"
 	cfgKongProxyHost              = "kong.proxy.host"
-	cfgKongProxyPortHttp          = "kong.proxy.ports.http"
+	cfgKongProxyPortHttp          = "kong.proxy.ports.http.value"
 	cfgKongProxyPortHttpDisabled  = "kong.proxy.ports.http.disabled"
-	cfgKongProxyPortHttps         = "kong.proxy.ports.https"
+	cfgKongProxyPortHttps         = "kong.proxy.ports.https.value"
 	cfgKongProxyPortHttpsDisabled = "kong.proxy.ports.https.disabled"
 	cfgKongProxyBasePath          = "kong.proxy.basePath"
 	cfgKongSpecURLPaths           = "kong.spec.urlPaths"
@@ -40,7 +40,7 @@ const (
 )
 
 func AddKongProperties(rootProps props) {
-  rootProps.AddBoolProperty(cfgKongACLRequired, false, "Whether or not an ACL plugin on Kong is required. False by default.")
+	rootProps.AddBoolProperty(cfgKongACLDisabled, false, "Disable the check for a globally enabled ACL plugin on Kong. False by default.")
 	rootProps.AddStringProperty(cfgKongAdminUrl, "", "The Admin API url")
 	rootProps.AddStringProperty(cfgKongAdminAPIKey, "", "API Key value to authenticate with Kong Gateway")
 	rootProps.AddStringProperty(cfgKongAdminAPIKeyHeader, "", "API Key header to authenticate with Kong Gateway")
@@ -108,7 +108,7 @@ type KongSpecConfig struct {
 }
 
 type KongACLConfig struct {
-	Required bool `config:"required"`
+	Disabled bool `config:"disabled"`
 }
 
 // KongGatewayConfig - represents the config for gateway
@@ -220,7 +220,7 @@ func ParseProperties(rootProps props) *KongGatewayConfig {
 
 	return &KongGatewayConfig{
 		ACL: KongACLConfig{
-			Required: rootProps.BoolPropertyValue(cfgKongACLRequired),
+			Disabled: rootProps.BoolPropertyValue(cfgKongACLDisabled),
 		},
 		Admin: KongAdminConfig{
 			Url: rootProps.StringPropertyValue(cfgKongAdminUrl),

diff --git a/pkg/discovery/config/config_test.go b/pkg/discovery/config/config_test.go
@@ -120,6 +120,7 @@ func TestKongProperties(t *testing.T) {
 
 	// validate add props
 	AddKongProperties(newProps)
+	assert.Contains(t, newProps.props, cfgKongACLDisabled)
 	assert.Contains(t, newProps.props, cfgKongAdminUrl)
 	assert.Contains(t, newProps.props, cfgKongAdminAPIKey)
 	assert.Contains(t, newProps.props, cfgKongAdminAPIKeyHeader)
@@ -138,6 +139,7 @@ func TestKongProperties(t *testing.T) {
 
 	// validate defaults
 	cfg := ParseProperties(newProps)
+	assert.Equal(t, false, cfg.ACL.Disabled)
 	assert.Equal(t, "", cfg.Admin.Url)
 	assert.Equal(t, "", cfg.Admin.Auth.APIKey.Value)
 	assert.Equal(t, "", cfg.Admin.Auth.APIKey.Header)
@@ -155,6 +157,7 @@ func TestKongProperties(t *testing.T) {
 	assert.Equal(t, false, cfg.Spec.DevPortalEnabled)
 
 	// validate changed values
+	newProps.props[cfgKongACLDisabled] = propData{"bool", "", true}
 	newProps.props[cfgKongAdminUrl] = propData{"string", "", "http://host:port/path"}
 	newProps.props[cfgKongAdminAPIKey] = propData{"string", "", "apikey"}
 	newProps.props[cfgKongAdminAPIKeyHeader] = propData{"string", "", "header"}
@@ -169,6 +172,7 @@ func TestKongProperties(t *testing.T) {
 	newProps.props[cfgKongSpecFilter] = propData{"string", "", "tag_filter"}
 	newProps.props[cfgKongSpecDevPortal] = propData{"bool", "", true}
 	cfg = ParseProperties(newProps)
+	assert.Equal(t, true, cfg.ACL.Disabled)
 	assert.Equal(t, "http://host:port/path", cfg.Admin.Url)
 	assert.Equal(t, "apikey", cfg.Admin.Auth.APIKey.Value)
 	assert.Equal(t, "header", cfg.Admin.Auth.APIKey.Header)

diff --git a/pkg/discovery/gateway/client.go b/pkg/discovery/gateway/client.go
@@ -49,21 +49,17 @@ func NewClient(agentConfig config.AgentConfig) (*Client, error) {
 		return nil, err
 	}
 
-	hasACL := "false"
-	err = hasGlobalACLEnabledInPlugins(plugins)
-	if err != nil && agentConfig.KongGatewayCfg.ACL.Required {
+	if err = hasGlobalACLEnabledInPlugins(logger, plugins, agentConfig.KongGatewayCfg.ACL.Disabled); err != nil {
 		logger.WithError(err).Error("ACL Plugin configured as required, but none found in Kong plugins.")
 		return nil, err
 	}
-	if err == nil && agentConfig.KongGatewayCfg.ACL.Required {
-		hasACL = "true"
-	}
-	if !agentConfig.KongGatewayCfg.ACL.Required {
-		logger.Warn("ACL Plugin not required. Assuming global access is allowed for all services.")
-	}
 
 	provisionLogger := log.NewFieldLogger().WithComponent("provision").WithPackage("kong")
-	subscription.NewProvisioner(kongClient, provisionLogger)
+	opts := []subscription.ProvisionerOption{}
+	if agentConfig.KongGatewayCfg.ACL.Disabled {
+		opts = append(opts, subscription.WithACLDisabled())
+	}
+	subscription.NewProvisioner(kongClient, provisionLogger, opts...)
 
 	return &Client{
 		logger:         logger,
@@ -73,7 +69,7 @@ func NewClient(agentConfig config.AgentConfig) (*Client, error) {
 		cache:          daCache,
 		mode:           common.Marketplace,
 		filter:         discoveryFilter,
-		hasACL:         hasACL,
+		aclDisabled:    fmt.Sprint(agentConfig.KongGatewayCfg.ACL.Disabled),
 	}, nil
 }
 
@@ -85,13 +81,18 @@ func pluginIsGlobal(p *klib.Plugin) bool {
 }
 
 // Returns no error in case a global ACL plugin which is enabled is found
-func hasGlobalACLEnabledInPlugins(plugins []*klib.Plugin) error {
+func hasGlobalACLEnabledInPlugins(logger log.FieldLogger, plugins []*klib.Plugin, aclDisabled bool) error {
+	if aclDisabled {
+		logger.Warn("ACL Plugin disabled. Assuming global access is allowed for all services.")
+		return nil
+	}
 	for _, plugin := range plugins {
 		if *plugin.Name == "acl" && *plugin.Enabled && pluginIsGlobal(plugin) {
 			return nil
 		}
 	}
-	return fmt.Errorf("failed to find acl plugin is enabled and installed")
+	return fmt.Errorf("failed to find acl plugin is enabled and installed on the Kong Gateway. " +
+		"Enable in on the Gateway or change the config to disable this check.")
 }
 
 func (gc *Client) DiscoverAPIs() error {
@@ -253,7 +254,6 @@ func (gc *Client) processKongAPI(
 		common.AttrServiceID: *service.ID,
 		common.AttrRouteID:   *route.ID,
 		common.AttrChecksum:  checksum,
-		common.AttrHasACL:    gc.hasACL,
 	}
 	kongAPI.agentDetails = agentDetails
 	serviceBody, err := kongAPI.buildServiceBody()

diff --git a/pkg/discovery/gateway/definitions.go b/pkg/discovery/gateway/definitions.go
@@ -20,7 +20,7 @@ type Client struct {
 	cache          cache.Cache
 	mode           string
 	filter         filter.Filter
-	hasACL         string
+	aclDisabled    string
 }
 
 type KongAPI struct {

diff --git a/pkg/discovery/subscription/access/access.go b/pkg/discovery/subscription/access/access.go
@@ -2,7 +2,6 @@ package access
 
 import (
 	"context"
-	"strconv"
 
 	"github.com/Axway/agent-sdk/pkg/apic/provisioning"
 	sdkUtil "github.com/Axway/agent-sdk/pkg/util"
@@ -30,34 +29,30 @@ type accessRequest interface {
 }
 
 type AccessProvisioner struct {
-	ctx     context.Context
-	logger  log.FieldLogger
-	client  accessClient
-	quota   provisioning.Quota
-	routeID string
-	appID   string
-	hasACL  bool
+	ctx         context.Context
+	logger      log.FieldLogger
+	client      accessClient
+	quota       provisioning.Quota
+	routeID     string
+	appID       string
+	aclDisabled bool
 }
 
-func NewAccessProvisioner(ctx context.Context, client accessClient, request accessRequest) AccessProvisioner {
+func NewAccessProvisioner(ctx context.Context, client accessClient, request accessRequest, aclDisabled bool) AccessProvisioner {
 	instDetails := request.GetInstanceDetails()
 	routeID := sdkUtil.ToString(instDetails[common.AttrRouteID])
 	logger := log.NewFieldLogger().
 		WithComponent("AccessProvisioner").
 		WithPackage("access")
-	hasACL, err := strconv.ParseBool(sdkUtil.ToString(instDetails[common.AttrHasACL]))
-	if err != nil {
-		logger.WithError(err).Error("Could not retrieve information for ACL from the request. Assuming ACL is disabled.")
-	}
 
 	a := AccessProvisioner{
-		ctx:     context.Background(),
-		logger:  logger,
-		client:  client,
-		quota:   request.GetQuota(),
-		routeID: routeID,
-		appID:   request.GetApplicationDetailsValue(common.AttrAppID),
-		hasACL:  hasACL,
+		ctx:         context.Background(),
+		logger:      logger,
+		client:      client,
+		quota:       request.GetQuota(),
+		routeID:     routeID,
+		appID:       request.GetApplicationDetailsValue(common.AttrAppID),
+		aclDisabled: aclDisabled,
 	}
 
 	if a.routeID != "" {
@@ -83,7 +78,7 @@ func (a AccessProvisioner) Provision() (provisioning.RequestStatus, provisioning
 		return rs.SetMessage("route ID not found").Failed(), nil
 	}
 
-	if !a.hasACL {
+	if a.aclDisabled {
 		a.logger.Info("ACL plugin is disabled or not existing for current spec. Skipping access request provisioning")
 		return rs.Success(), nil
 	}
@@ -130,7 +125,7 @@ func (a AccessProvisioner) Deprovision() provisioning.RequestStatus {
 		return rs.SetMessage("route ID not found").Failed()
 	}
 
-	if !a.hasACL {
+	if a.aclDisabled {
 		a.logger.Info("ACL plugin is disabled or not existing for current spec. Skipping access request deprovisioning")
 		return rs.Success()
 	}