An API Gateway based on Spring Cloud Gateway with integration with Open Policy Agent for ContentGrid projects.
You can run the gateway locally using the following Gradle tasks:
./gradlew bootRun
will start the gateway locally with a minimalbootRun
profile../gradlew runtimeBootRun
will start the gateway locally with thebootRun
+runtime
profiles../gradlew keycloakBootRun
will start the gateway locally with thebootRun
+keycloak
profiles.
This profile is intended for local development from your IDE.
It applies the following changes:
-
starts the application on port
:9080
-
bootstraps test users:
alice
/alice
with a singleemployer
authoritybob
/bob
with twoemployer
and threecustomer
authoritiesadmin
/admin
with theadmin
authority
-
sets up a redirect from
/
to/me
, displaying profile information.
This profile is intended to configure the gateway as a ContentGrid Runtime Platform Gateway:
- enables Kubernetes API discovery for:
- discovering ContentGrid applications from Kubernetes services
- discovering ContentGrid application configuration (hostnames, cors, ...) from Kubernetes ConfigMaps
- discovering ContentGrid application secrets (Keycloak) from Kubernetes Secrets
- dynamic routing to ContentGrid application deployments
- configures Thunx to with a dynamic authorization query
This profile is intended to integrate the gateway with a Keycloak container running on http://172.17.0.1:8090/
.
Use this to set up all required services in containers:
docker-compose \
-f docker-compose/docker-compose.yml \
-f docker-compose/docker-compose-keycloak.yml \
up -d opa keycloak
And, after verifying the keycloak container is listening, use ./gradlew keycloakBootRun
to start the gateway with the keycloak profile.
This profile applies the following changes:
- Register a local keycloak as OIDC provider
ContentGrid Gateway is driven by a number of Spring properties. Examples of how to set these properties can be found in docker-compose.yml
and application-bootRun.yml
.
Example for bootstrapping users:
testing:
bootstrap:
enable: true
users:
- username: alice
authorities: '{"someGroups": ["a", "b"], someValue: "foobar"}'
- username: admin
authorities: '{"admin": "true"}'
These users get bootstrapped into Spring with their password equal to their username. The authorities
field must contain a json object with the different authority fields mapping to a string or list of strings. You can use the /me
endpoint to test whether this got parsed how you expected it to.
Example integration with Open Policy Agent:
opa:
service:
url: http://opa:8181
query: "data.gateway.example.allow == true"
This is used for pointing out how the gateway can reach OPA, as well as what query it should try to evaluate for user requests. Generally, this depends on the .rego file that is loaded into OPA. In this example, the .rego file describes the package gateway.example
wherein the rules are set for the allow
variable.