Giters

guardian / bonobo

Key management for Kong

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

production

bonobo

Self serve key management for Kong

Bonobo provides the interface for the general public to request Content API keys and Guardian staff to manage them.

ie.

https://open-platform.theguardian.com/access/
https://bonobo.capi.gutools.co.uk/register/developer

Bonobo manages the keys in Kong via the Kong API.

Prerequisites for development

Bonobo needs an instance of Kong to connect to, so you will need Kong and it's PostgreSQL running somewhere. We recommend running them in Docker containers. See instructions below on how to set this up.

To run locally using Docker - INTEL-BASED MACHINE

  • Ensure Docker Desktop is running.
  • Ensure you have Content API developer credentials (from Janus)
  • Ensure you're compiling and running the application using Java 8. (It is best to run the application in an sbt shell that uses JDK 1.8)
  1. Run the configure-docker.sh script:
cd scripts
./configure-docker.sh

If this fails with the following error message;

ERROR: Network kong-net declared as external, but could not be found. Please create the network manually using `docker network create kong-net` and try again.

Just run the command it suggests (docker network create kong-net) and start ./configure-docker.sh again

This will create two containers for Kong and it's PostgreSQL/ It will run Kong's database migration scripts to setup the schema. Then it will add an API in Kong with the key-auth plugin enabled.

  1. Edit conf/application.conf to point kong.apiAddress at your Kong cluster (in this example: http://192.168.99.100:8001). In the same file you should configure aws.dynamo.usersTableName, aws.dynamo.keysTableName and aws.dynamo.labelsTableName to point to the DynamoDB tables you are going to use. You do not need to change the play.http.secret.key to run the app locally.

Note: In CODE and PROD the app does NOT use the configurations in the conf/application.conf file. Instead, it pulls its configurations from a bonobo.conf file which you can find on the live instance(s).

  1. Then start the Play app:
$ sbt run

It should now be running at http://localhost:9000/

You will need a Guardian Google account in order to login.

To run locally using Docker - APPLE SILICON / ARM

The current Kong version we are using is not supported at all on Arm hardware. Version 1.5 can run on Arm via amd64 emulation but that changes a couple of parameter names which makes the code incompatible with the existing CODE and PROD environments (upgrade work is in progress).

For the time being, if you need to develop Bonobo locally on Apple silicon you have two options:

  1. Do nothing, just run without any Kong. The app will work but you won't be able to test creating users, updating keys etc.
  2. Point your local instance to the CODE deployment of Kong. This is as simple as editing the kong.apiAddress line in application.conf and setting it to the URL of the CODE Kong internal load-balancer.
  3. You can find the URL of the CODE Kong internal load-balancer in the AWS Console.
    1. Go to "Cloudformation"
    2. Find the stack content-api-kong-{x}-CODE ({x} is either 'a' or 'b')
    3. Go to the "Resources" tab and search for "Loadbalancer"
    4. You'll see InternalLoadBalancer and InternalLoadBalancer. You want the first.
    5. Click the link under "Physical ID" to jump to the load balancer configuration page in EC2
    6. Find the field "DNS Name" listed in the load balancer configuration.
    7. Copy this value and paste it into you application.conf. Pre-pend https:// to make it a URI.
  4. Now you should be able to work as if you are in the CODE environment.

To run the integration tests

The integration tests rely on Docker to run Kong.

Make sure you have completed step 1 and 2 from the previous section and then run:

$ sbt it:test

Developer Tier

Keys issued under the Developer tier can be periodically deleted by Gibbons. Therefore, if an API key is intended to be used by a service, it should not be issued under the Developer tier.

DB Backups

Bonobo table backups are handled using DynamoDB's Point In Time Recovery.

More info on restoring a table to a certain point in time can be found here.

The AWS Data Pipeline 'bonobo-PROD-backup-to-s3', which handled backing up Bonobo tables to an S3 bucket, is deactivated and no longer in use.

About

Key management for Kong

production

Languages

Language:Scala 70.2%Language:HTML 16.3%Language:JavaScript 6.6%Language:Python 2.1%Language:CSS 1.6%Language:Shell 1.6%Language:Ruby 1.5%