@kumori.systems/components-apisix 0.0.1

package/kumori.systems/components/apisix/@0.0.1/README.adoc

@@ -0,0 +1,130 @@
+= APISIX Component
+:note-number: 0.0.1
+:revnumber: {note-number}
+:api-version: 1.0-rc1
+:icons: font
+:toclevels: 4
+:icons: font
+:sectanchors:
+:sectlinks:
+:sectnums:
+:imagesdir: ./assets/images
+:toc-title: Contents
+:toc:
+
+== Overview
+This component configures and manages the Apache APISIX API gateway, including integration with OpenID Connect (OIDC) for authentication, and various other custom routes, services, and plugins. It provides an API gateway solution that handles routing, authentication, and session management for the CMC services.
+
+== Usage
+
+=== Configuration
+The configuration of the compontent itself is pretty minimal. It publishes a single server channel and N client channels where services can be connected.
+
+This component expects three input parameters two of them being optional:
+
+* `channelsCount`: Sets the number of client channels that must be generated. Defaults to 10.
+* `apisixSettings`: This is the base configuration of APISIX where by default we tell it to run in standlone mode (does not need any etcd) and that the configuration of the routes/services/plugins will be done by configuration file.
+* `apisixStandalone`: This is the configuration file that defines how requests are handled. Currently it expects a CUE structure that then will be converted into a yaml file. Below there is a summary of the configuration file used in the CMC service.
+** Example configuration in CUE:
+```
+apisix_config: {
+  routes: [
+    {
+      uri: "/my_route/*"
+      upstream: {
+        nodes: {
+          "0.service_0:80": 1
+        }
+      }
+    }
+  ]
+}
+```
+
+To understand how routing/plugins works it's better to read the documentation from APISIX itself:
+
+* https://apisix.apache.org/docs/apisix/deployment-modes/#standalone
+* https://apisix.apache.org/docs/apisix/plugins/openid-connect/
+* https://apisix.apache.org/docs/apisix/plugins/serverless/
+
+==== Routes
+
+Here are the configured routes for the APISIX component in the context of the CMC service:
+
+. **/idp/**: 
+   * **Description**: Public route. Routes traffic to Dex for identity management.
+   * **Upstream**: Dex service at `0.dex_channel_name:80`.
+
+. **/platform, /platformdeprecated, /docs***:
+   * **Description**: Public routes. Routes traffic to the KSDS server, handling platform and documentation requests.
+   * **Upstream**: KSDS server at `0.cmc_channel_name:80`.
+
+. **/api/**:
+   * **Description**: Protected route. Main API route, secured by OpenID Connect for authentication.
+   * **Upstream**: KSDS server at `0.cmc_channel_name:80`.
+   * **Plugins**: 
+   ** `openid-connect`: Handles authentication with OpenID Connect.
+   *** **Action for unauthenticated requests: `deny`**.
+
+. **/api/**:
+   * **Description**: Protected route. Main API route, secured by Client Certificate authentication. It expects to receive the `X-FORWARDED-CLIENT-CERT` header set by the inbound of the cluster when a client presents its certifcate. Then a custom plugin transforms the certificate in the header into a JWT token that KSDS is able to understand.
+   * **Upstream**: KSDS server at `0.cmc_channel_name:80`.
+   * **Plugins**: 
+   ** `serverless-post-function`: Transforms the content of `X-FORWARDED-CLIENT-CERT` header into a JWT that KSDS can understand.
+
+. [.line-through]#**/api/**:# (Might be added in the near future)
+   * [.line-through]#**Description**: Protected route. Main API route, secured by deployment tokens generated by the KSDS server. It expects to receive a token in the `X-API-TOKEN` header.#
+   * [.line-through]#**Plugins**:#
+   ** [.line-through]#`serverless-post-function`: Validates the token presented in the requests, it must be signed with the same secret as the signing secret in the KSDS and not expired. If the validation succeeds then the token is rewriten in the `Authorization` header son the KSDS server can perform further authorization.#
+
+. **/tokens**:
+   * **Description**: Protected route. Show the current user token.
+   * **Upstream**: N/A.
+   * **Plugins**: 
+   ** `openid-connect`: Handles authentication.
+   ** `serverless-post-function`: Executes token extraction.
+
+. **/tokens**:
+   * **Description**: Protected route. Show the current user token.
+   * **Upstream**: N/A.
+   * **Plugins**: 
+   ** `serverless-post-function`: Transforms the content of `X-FORWARDED-CLIENT-CERT` header into a JWT that KSDS can understand.
+   ** `serverless-post-function`: Executes token extraction.
+
+. **/* (WUI Route)**:
+   * **Description**: Protected route. Handles general traffic routed to the Web User Interface (WUI).
+   * **Upstream**: WUI service at `0.wui_channel_name:80`.
+   * **Plugins**: 
+   ** `openid-connect`: Ensures authentication via OIDC.
+   *** **Action for unauthenticated requests: `auth` (redirect the user to the login page)**.
+
+. **/* (WUI Route)**:
+   * **Description**: Protected route. Handles general traffic routed to the Web User Interface (WUI). It expects to receive the `X-FORWARDED-CLIENT-CERT` header set by the inbound of the cluster when a client presents its certifcate.
+   * **Upstream**: WUI service at `0.wui_channel_name:80`.
+   * **Plugins**: 
+   ** `serverless-post-function`: Transforms the content of `X-FORWARDED-CLIENT-CERT` header into a JWT that KSDS can understand.
+
+=== Execution
+Once configured, you can run the APISIX component by deploying it with the appropriate manifests or through a Kubernetes setup, if integrated.
+
+== Architecture
+The APISIX component is built on top of the Apache APISIX API Gateway, integrating various upstream services such as Dex (for identity management), KSDS, and WUI. The architecture incorporates multiple plugins to enable OpenID Connect-based authentication, certificate validation, and route management for multiple microservices.
+
+image::routing_diagram.png[Routing Diagram]
+
+== Tree
+The repository structure is as follows:
+```plaintext
+.
+├── README.adoc                # Documentation for the APISIX component.
+├── componentref.cue           # Auto-generated component reference.
+├── kmodule.cue                # Module details for the APISIX component.
+├── manifest.cue               # Configuration manifest for the APISIX component.
+├── openid-connect.cue         # Lua script for handling OpenID Connect. (Temporal fix, solved in newer version of APISIX)
+├── serviceref.cue             # Auto-generated service reference.
+└── settings/                  # Configuration folder for APISIX.
+    ├── apisix_settings.cue    # Main configuration file for APISIX.
+    └── types/                 # Type definitions for services, plugins, routes.
+```
+
+== License

package/kumori.systems/components/apisix/@0.0.1/componentref.cue

@@ -0,0 +1,26 @@
+
+// Automatically generated file. Do not edit.
+package component
+
+import (
+  k  "kumori.systems/kumori/@1.1.6:kumori"
+  m  "...:kmodule"
+)
+
+
+
+#Artifact: k.#Artifact & {
+  spec: m.spec
+  ref: {
+    version: m.version
+    if m.prerelease != _|_ {
+      prerelease: m.prerelease
+    }
+    if m.buildmetadata != _|_ {
+      buildmetadata: m.buildmetadata
+    }
+    domain: m.domain
+    module: m.module
+    kind: "component"
+  }
+}

package/kumori.systems/components/apisix/@0.0.1/cue.mod/module.cue

@@ -0,0 +1 @@
+module: kumori.systems/components/apisix/@0.0.1

package/kumori.systems/components/apisix/@0.0.1/kmodule.cue

@@ -0,0 +1,30 @@
+package kmodule
+
+{
+	domain: "kumori.systems"
+	module: "components/apisix"
+	cue:    "0.4.2"
+	version: [
+		0,
+		0,
+		1,
+	]
+	dependencies: {
+		"kumori.systems/kumori": {
+			target: "kumori.systems/kumori/@1.1.6"
+			query:  "1.1.6"
+		}
+		"kumori.systems/builtins/inbound": {
+			target: "kumori.systems/builtins/inbound/@1.3.0"
+			query:  "1.3.0"
+		}
+	}
+	sums: {
+		"kumori.systems/kumori/@1.1.6":           "jsXEYdYtlen2UgwDYbUCGWULqQIigC6HmkexXkyp/Mo="
+		"kumori.systems/builtins/inbound/@1.3.0": "F3nipPPUCZ4YpsAh+Xnh9t8W1Tu98eX6SHRVM3BbRYs="
+	}
+	spec: [
+		1,
+		0,
+	]
+}

package/kumori.systems/components/apisix/@0.0.1/manifest.cue

@@ -0,0 +1,159 @@
+package component
+
+import (
+  Settings  ".../settings"
+  k  "kumori.systems/kumori/@1.1.6:kumori"
+)
+
+
+
+// #openid_connect_lua: _
+
+#Artifact: {
+  ref: name: ""
+  description: {
+    srv: {
+
+      server: {
+        http: { protocol: "tcp", port: 9080 }
+      }
+
+      client: {
+        // _cfgp.channelsCount channels are created with generic names
+        for k, v in [0] * _cfgp.channelsCount {
+          "service_\(k)": _
+        }
+      }
+
+      duplex: {}
+
+    }
+
+    let _cfgp = config.parameter
+
+    config: {
+      parameter: {
+        channelsCount: *10 | int // The number of client channels to create
+
+        apisixSettings: {
+          Settings.#ApisixConfig
+          nginx_config: envs: [
+            "ABW_DEPLOYMENT_TOKENS_SECRET",
+            "IDP_CLIENT_ID",
+            "IDP_CLIENT_SECRET",
+          ]
+        }
+        apisixStandalone: Settings.#ApisixStandalone
+
+        instance_size: {
+          bandwidth:      *1000 | number
+          container_size: k.#ContainerSize | *{
+            memory: {size: 2000, unit: "M"}
+            cpu: {size: 2000, unit: "m"}
+            mincpu: 1000
+          }
+        }
+      }
+      resource: {
+        abw_deployment_tokens_secret: k.#Secret
+        idp_client_id: k.#Secret
+        idp_client_secret: k.#Secret
+      }
+    }
+
+
+    size: {
+      bandwidth: {
+        size: _cfgp.instance_size.bandwidth
+        unit: "M"
+      }
+    }
+
+    probe: apisix_standalone: {
+
+      liveness: {
+
+        protocol: tcp: port: srv.server.http.port
+
+        startupGraceWindow: {
+          unit: "ms",
+          duration: 60000,
+          probe: true
+        }
+
+        frequency: "medium"
+        timeout: 30000
+      }
+
+
+      readiness: {
+        protocol: tcp: port: srv.server.http.port
+        frequency: "medium"
+        timeout: 30000
+      }
+
+    }
+
+    code: {
+
+      apisix_standalone: {
+        name: "apisix_standalone"
+
+        image: {
+          hub: {
+            name: "docker.io"
+            secret: ""
+          }
+          tag: "apache/apisix:3.9.1-debian"
+        }
+
+        entrypoint: ["/bin/entrypoint.sh"]
+
+        user: {
+          userid:  0
+          groupid: 0
+        }
+
+        mapping: {
+          filesystem: {
+            "/bin/entrypoint.sh": {
+              data: value: Settings.#Entrypoint
+              mode: 0o755
+              rebootOnUpdate: true
+            }
+
+            "/usr/local/apisix/conf/config.yaml": {
+              data: value: _cfgp.apisixSettings
+              rebootOnUpdate: true
+              format: "yaml"
+            }
+
+            "/usr/local/apisix/apisix/plugins/openid-connect.lua": {
+              data: value: #openid_connect_lua
+              rebootOnUpdate: true
+              format: "text"
+            }
+
+            "/tmp/apisix.yaml": {
+              data: value: _cfgp.apisixStandalone
+              format: "yaml"
+            }
+          }
+
+          env: {
+            GATEWAY_PORT: value: "9080"
+
+            // Access tokens signing secret
+            ABW_DEPLOYMENT_TOKENS_SECRET: secret: "abw_deployment_tokens_secret"
+
+            IDP_CLIENT_ID: secret: "idp_client_id"
+            IDP_CLIENT_SECRET: secret: "idp_client_secret"
+          }
+        }
+
+        size: _cfgp.instance_size.container_size
+      }
+
+    }
+  }
+}