Fix status results (#14)

ikethecoder · web-flow · commit 9d4a3f3973ad · 2020-12-02T16:55:19.000-08:00
diff --git a/USER-JOURNEY.md b/USER-JOURNEY.md
@@ -55,6 +55,8 @@ services:
 
 To view optional plugin examples go [here](/docs/samples/service-plugins).
 
+> **Declarative Config** Behind the scenes, DecK is used to sync your configuration with Kong.  For reference: https://docs.konghq.com/deck/overview/
+
 > **Splitting Your Config:** A namespace `tag` with the format `ns.$NS` is mandatory for each service/route/plugin.  But if you have separate pipelines for your environments (i.e./ dev, test and prod), you can split your configuration and update the `tags` with the qualifier.  So for example, you can use a tag `ns.$NS.dev` to sync Kong configuration for `dev` Service and Routes only.
 
 > **Upstream Services on OCP4:** If your service is running on OCP4, you should specify the Kubernetes Service in the `Service.host`.  It must have the format: `<name>.<ocp-namespace>.svc` The Network Security Policies (NSP) will be setup automatically on the API Gateway side.  You will need to create an NSP on your side looking something like this to allow the Gateway's test and prod environments to route traffic to your API:
@@ -69,13 +71,13 @@ spec:
     allow aps gateway to route traffic to your api
   source:
     - - $namespace=264e6f-test
-      - app.kubernetes.io/name=kong
     - - $namespace=264e6f-prod
-      - app.kubernetes.io/name=kong
   destination:
     - - app.kubernetes.io/name=my-upstream-api
 ```
 
+> **Migrating from OCP3 to OCP4?** Please review the [OCP4-Migration](docs/OCP4-MIGRATION.md) instructions to help with transitioning to OCP4 and the new APS Gateway.
+
 
 ### gwa Command Line
 
@@ -101,12 +103,13 @@ The Swagger console for the `gwa-api` can be used to publish Kong Gateway config
 **Install (for Linux)**
 
 ```
-curl -L -O https://bcgov.github.io/gwa-cli/gwa_v1.0.10_linux_x64.zip
-unzip gwa_v1.0.10_linux_x64.zip
+GWA_CLI_VERSION=v1.0.14; curl -L -O https://github.com/bcgov/gwa-cli/releases/download/$GWA_CLI_VERSION/gwa-cli-linux.zip
+unzip gwa-cli-linux.zip
+mv gwa-cli-linux gwa
 ./gwa --version
 ```
 
-> MacOS or Windows? For Mac `gwa_v1.0.10_macos_x64.zip` and for Windows `gwa_v1.0.10_win_x64.zip`
+> MacOS or Windows? For Mac `gwa-cli-macos.zip` and for Windows `gwa-cli-win.exe.zip`
 
 **Configure**
 
@@ -166,6 +169,10 @@ ab -n 20 -c 2 https://${NAME}-api-gov-bc-ca.test.apsgw.xyz/headers
 
 ```
 
+To help with troubleshooting, you can use the GWA API to get a health check for each of the upstream services to verify the Gateway is connecting OK.
+
+Go to the <a href="https://gwa-api-264e6f-test.apps.silver.devops.gov.bc.ca/api/doc#/Service%20Status/get_namespaces__namespace__services">GWA API</a>, enter in the new credentials that were generated in step #2, click `Try it out`, enter your namespace and click `Execute`.  The results are returned in a JSON object.
+
 ## 6. View metrics
 
 The following metrics can be viewed in real-time for the Services that you configure on the Gateway:
@@ -183,7 +190,7 @@ You can also access the metrics from the `API Services Portal`.
 
 ## 7. Grant access to others
 
-The `acl` command provides a way to update the access for the namespace.  It expects an all-inclusive membership list, so the `--users` should have the full list of members.  Any user that is a member but not in the `--users` list will be removed from the namespace.
+The `acl` command provides a way to update the access for the namespace.  It expects an all-inclusive membership list, so if a user is not either part of the `--users` list or the `--managers` list, they will be removed from the namespace.
 
 For elevated privileges (such as managing Service Accounts), add the usernames to the `--managers` argument.
 
@@ -217,26 +224,32 @@ jobs:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        
     - uses: actions/setup-node@v1
       with:
         node-version: 10
         TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - env:
-        GWA_NAMESPACE: global
+
+    - name: Get GWA Command Line
       run: |
-        curl -L -O https://bcgov.github.io/gwa-cli/gwa_v1.0.10_linux_x64.zip
-        unzip gwa_v1.0.10_linux_x64.zip
-        export PATH=$PATH:`pwd`
+        curl -L -O https://github.com/bcgov/gwa-cli/releases/download/v1.0.14/gwa-cli-linux.zip
+        unzip gwa-cli-linux.zip
+        mv gwa-cli-linux gwa
+        export PATH=`pwd`:$PATH
 
-        cd ../.gwa/{$GWA_NAMESPACE}
+    - name: Apply Namespace Configuration
+      run: |
+        export NS="platform"
+        export PATH=`pwd`:$PATH
+        cd .gwa/$NS
 
         gwa init -T \
-          --namespace=${GWA_NAMESPACE} \
-          --client-id=${{ secrets.GWA_ACCT_ID }} \
-          --client-secret=${{ secrets.GWA_ACCT_SECRET }}
+          --namespace=$NS \
+          --client-id=${{ secrets.TEST_GWA_ACCT_ID }} \
+          --client-secret=${{ secrets.TEST_GWA_ACCT_SECRET }}
 
         gwa pg
 
-        gwa acl --users acope@idir --managers acope@idir
-
+        gwa acl --managers acope@idir
+       
 ```
diff --git a/docs/OCP4-MIGRATION.md b/docs/OCP4-MIGRATION.md
@@ -0,0 +1,146 @@
+
+# Upstream Services Migrating from OCP3 to OCP4
+
+## What do I need to do to setup my Service on the new APS Gateway?
+
+### Configure the APS Gateway
+
+As part of migrating your service to OCP4, you will need to prepare the Gateway configuration for your Service. An example of what it would look like:
+
+```
+services:
+- host: <my_ocp4_service>.<my_ocp4_namespace>.svc
+  name: <my_ocp4_service>
+  port: 80
+  protocol: http
+```
+
+The routes will have a minor change by no longer using the `https` protocol as SSL termination will be performed at the `OCP4 Edge` and the traffic to the `APS Gateway` will be unencrypted:
+
+```
+services:
+- host: <my_ocp4_service>.<my_ocp4_namespace>.svc
+  name: <my_ocp4_service>
+  port: 80
+  protocol: http
+  routes:
+  - name: <my_ocp4_service>-route-get
+    hosts:
+    - kirk.data.gov.bc.ca
+    protocols:
+    - http
+    methods:
+    - GET
+    paths:
+    - "/"
+```
+
+The appropriate `tags` need to be added and optionally any `plugins` added.
+
+Apply your changes to the `APS Gateway` by running the `gwa pg` command (see the [API Provider Flow](/USER-JOURNEY.md) for detailed instructions).
+
+### Add the NetworkSecurityPolicy (NSP)
+
+The `APS Gateway` needs to be able to route to your service from within the OCP4 cluster.  To do this, add the following NSP to your OCP4 namespace (update the destination label matching based on your Pod labels):
+
+```
+kind: NetworkSecurityPolicy
+apiVersion: security.devops.gov.bc.ca/v1alpha1
+metadata:
+  name: aps-gateway-to-your-upstream-api
+spec:
+  description: |
+    allow the aps gateway to route traffic to your api
+  source:
+    - - $namespace=264e6f-test
+    - - $namespace=264e6f-prod
+  destination:
+    - - app.kubernetes.io/name=my-upstream-api
+```
+
+### Remove all Routes/Ingress
+
+In `OCP3` you most likely had routes for `*.api`, `*.data` or `*.apps`.  For `OCP4` your `Pod Service` does not need to have an external route because the `APS Gateway` is acting as the entry point for your service.
+
+You should ensure that you do not have any routes that have the host as `*.api.gov.bc.ca`, `*.data.gov.bc.ca`, or `*.apps.gov.bc.ca`.  Having routes with these hosts will conflict with the routes that the `APS Gateway` will create automatically based on your configuration.  It is ok to create routes under the `.apps.silver.devops.gov.bc.ca` domain for dev and testing.
+
+### Regression test your Service
+
+Regression testing is being performed in the `APS Gateway` test environment.  When you apply your changes in the test environment, your routing URLs are transformed into a custom vanity domain.
+
+For example, a route for `kirk.data.gov.bc.ca` results in a public route:
+
+`https://kirk-data-gov-bc-ca.test.apsgw.xyz`
+
+This is what you will use to peform your regression testing.  To find out the exact public route for your services, go to the `Services` tab on the `APS Services Portal`.
+
+
+### Switch production traffic to your OCP4 Service
+
+**APS Gateway Production Setup**
+
+When the Production instance of the `APS Gateway` is ready, communication will go out to API Owners as additional tasks will be required to enable the service on our Production environment:
+
+| Task                                                     | Responsibility | 
+| -------------------------------------------------------- | -------------- |
+| Create namespace and service account on the `APS Gateway` production instance | API Owner |
+| Apply your dev/test/prod Gateway configuration (either in your CI/CD pipeline or manually) | API Owner |
+| Update `Kong14` Service upstream host from `https://142.34.143.180` to `https://142.34.194.118` | APS Team
+| Decommission your OCP3 projects | API Owner |
+
+### Final big-bang switchover
+
+At the completion of regression testing, a big-bang switchover to the new APS Gateway will be performed by updating the DNS to point to the `OCP4 Edge`.
+
+| Task                                                     | Responsibility | 
+| -------------------------------------------------------- | -------------- |
+| Ownership of the Gateway configuration transitioned to Service teams | API Owners
+| Regression testing of services complete | API Owners
+| APS Gateway Production Setup completed | API Owners
+| **Switchover** Update DNS for *.api.gov.bc.ca, *.data.gov.bc.ca to point to 142.34.194.118       | APS Team |
+
+
+At the time of switchover, we expect that there will be a mix of upstream services running on OCP3, running on OCP4, running on DataBC Servers and running on external cloud.  But the expectation is that all the teams will have ownership of the Gateway configuration for their respective Services, and empowered to do ongoing changes.
+
+
+# Appendix
+
+## Terminology
+
+* `WAM` : Web Application Management
+* `Kong14` : The current Kong 0.14 implementation run on Data BC infrastructure (142.34.140.8, 142.34.5.17)
+* `APS Gateway` : The new Kong 2.1.x implementation run on Openshift Container Platform V4 (OCP4)
+* `OCP3 Edge` : The OCP3 Edge server (142.34.208.209, more known as *.pathfinder.gov.bc.ca, or 142.34.143.180, more known as *.pathfinder.bcgov)
+* `OCP4 Edge` : The OCP4 Edge server (142.34.194.118), more known as *.apps.silver.devops.gov.bc.ca)
+* `Pod Service` : The actual Kubernetes Service that is run within your Pod (`oc get services`)
+* `OCP3 Route` : A Route on the OCP3 Edge that is the relationship between your Pod Service and the OCP3 Edge
+
+## How it works currently
+
+Current (Oct 2020) flow for `*.api.gov.bc.ca` and `*.data.gov.bc.ca` domains where the upstream is on OCP3, is:
+
+`Internet` -> `Kong14` -> `OCP3 Edge` -> `Pod Service`
+
+On `Kong14`, a Service example looks something like this and is administered via email to David or Craig, and they use Konga:
+
+```
+services:
+- host: 142.34.143.180
+  name: apidata-ocp-https-kirk-jobs
+  port: 443
+  protocol: https
+```
+
+With the route:
+
+```
+  routes:
+  - hosts:
+    - kirk.data.gov.bc.ca
+    protocols:
+    - http
+    - https
+```
+
+The `kirk` team is then responsible for creating an `OCP3 Route` and the `Pod Service`.
+
diff --git a/docs/samples/service-plugins/service-jwt-keycloak.yaml b/docs/samples/service-plugins/service-jwt-keycloak.yaml
@@ -0,0 +1,29 @@
+services:
+- name: MY_REST_API
+  tags: [ _NS_ ]
+  plugins:
+  - name: jwt-keycloak
+    tags: [ _NS_ ]
+    enabled: true
+    config:
+      client_roles: null
+      allowed_iss:
+      - https://authz-264e6f-dev.apps.silver.devops.gov.bc.ca/auth/realms/aps
+      run_on_preflight: true
+      iss_key_grace_period: 10
+      maximum_expiration: 0
+      claims_to_verify:
+      - exp
+      consumer_match_claim_custom_id: false
+      cookie_names: []
+      scope: null
+      uri_param_names:
+      - jwt
+      roles: null
+      consumer_match: false
+      well_known_template: https://authz-264e6f-dev.apps.silver.devops.gov.bc.ca/auth/realms/aps/.well-known/openid-configuration
+      consumer_match_ignore_not_found: false
+      anonymous: null
+      algorithm: RS256
+      realm_roles: null
+      consumer_match_claim: azp
diff --git a/microservices/gatewayApi/clients/kong.py b/microservices/gatewayApi/clients/kong.py
@@ -25,5 +25,5 @@ def recurse_get_records (result, url):
     result.extend(data)
 
     if json['next'] is not None:
-        recurse_get_routes (result, json['next'])
+        recurse_get_records (result, json['next'])
     return result
diff --git a/microservices/gatewayApi/v1/routes/gw_status.py b/microservices/gatewayApi/v1/routes/gw_status.py
@@ -4,6 +4,7 @@
 import urllib3
 import certifi
 import socket
+from urllib.parse import urlparse
 from flask import Blueprint, jsonify, request, Response, make_response, abort, g, current_app as app
 
 from v1.auth.auth import admin_jwt, enforce_authorization
@@ -32,11 +33,12 @@ def get_statuses(namespace: str) -> object:
         status = "UP"
         reason = ""
 
-
+        actual_host = None
         host = None
         for route in routes:
             if route['service']['id'] == service['id'] and 'hosts' in route:
-                host = clean_host(route['hosts'][0])
+                actual_host = route['hosts'][0]
+                host = clean_host(actual_host)
 
         try:
             addr = socket.gethostbyname(service['host'])
@@ -49,23 +51,30 @@ def get_statuses(namespace: str) -> object:
             try:
                 headers = {}
                 if host is None or service['host'].endswith('.svc'):
-                    r = requests.get(url, headers=headers, timeout=1.0)
+                    r = requests.get(url, headers=headers, timeout=3.0)
                     status_code = r.status_code
                 else:
+                    u = urlparse(url)
+
                     headers['Host'] = host
-                    log.info("GET %-30s %s" % (url, headers))
+                    log.info("GET %-30s %s" % ("%s://%s" % (u.scheme, u.netloc), headers))
 
                     urllib3.disable_warnings()
-                    pool = urllib3.HTTPSConnectionPool(
-                        service['host'],
-                        assert_hostname=host,
-                        server_hostname=host,
-                        cert_reqs='CERT_NONE',
-                        ca_certs=certifi.where()
-                    )
+                    if u.scheme == "https":
+                        pool = urllib3.HTTPSConnectionPool(
+                            "%s" % (u.netloc),
+                            assert_hostname=host,
+                            server_hostname=host,
+                            cert_reqs='CERT_NONE',
+                            ca_certs=certifi.where()
+                        )
+                    else:
+                        pool = urllib3.HTTPConnectionPool(
+                            "%s" % (u.netloc)
+                        )
                     req = pool.urlopen(
                         "GET",
-                        "/",
+                        u.path,
                         headers={"Host": host},
                         assert_same_host=False,
                         timeout=1.0,
@@ -112,14 +121,17 @@ def get_statuses(namespace: str) -> object:
                 reason = "UNKNOWN"
 
         log.info("GET %-30s %s" % (url,reason))
-        response.append({"name": service['name'], "upstream": url, "status": status, "reason": reason, "host": host})
+        response.append({"name": service['name'], "upstream": url, "status": status, "reason": reason, "host": host, "test_host": actual_host})
 
     return make_response(jsonify(response))
 
 def build_url (s):
     schema = default(s, "protocol", "http")
+    defaultPort = 80
+    if schema == "https":
+        defaultPort = 443
     host = s['host']
-    port = default(s, "port", 80)
+    port = default(s, "port", defaultPort)
     path = default(s, "path", "/")
     if 'url' in s:
         return s['url']
