An API Gateway based on Spring Cloud Gateway with integration with Open Policy Agent for ContentGrid projects.

You can run the gateway locally using the following Gradle tasks:

• ./gradlew bootRun will start the gateway locally with a minimal bootRun profile.
• ./gradlew runtimeBootRun will start the gateway locally with the bootRun + runtime profiles.
• ./gradlew keycloakBootRun will start the gateway locally with the bootRun + keycloak profiles.

This profile is intended for local development from your IDE.

It applies the following changes:

• starts the application on port :9080

• bootstraps test users:

  • alice/alice with a single employer authority
  • bob/bob with two employer and three customer authorities
  • admin/admin with the admin authority

• sets up a redirect from / to /me, displaying profile information.

This profile is intended to configure the gateway as a ContentGrid Runtime Platform Gateway:

• enables Kubernetes API discovery for:
  • discovering ContentGrid applications from Kubernetes services
  • discovering ContentGrid application configuration (hostnames, cors, ...) from Kubernetes ConfigMaps
  • discovering ContentGrid application secrets (Keycloak) from Kubernetes Secrets
• dynamic routing to ContentGrid application deployments
• configures Thunx to with a dynamic authorization query

This profile is intended to integrate the gateway with a Keycloak container running on http://172.17.0.1:8090/. Use this to set up all required services in containers:

docker-compose \
    -f docker-compose/docker-compose.yml \
    -f docker-compose/docker-compose-keycloak.yml \
    up -d opa keycloak

And, after verifying the keycloak container is listening, use ./gradlew keycloakBootRun to start the gateway with the keycloak profile.

This profile applies the following changes:

• Register a local keycloak as OIDC provider

ContentGrid Gateway is driven by a number of Spring properties. Examples of how to set these properties can be found in docker-compose.yml and application-bootRun.yml.

Example for bootstrapping users:

testing:
  bootstrap:
    enable: true
    users:
    - username: alice
      authorities: '{"someGroups": ["a", "b"], someValue: "foobar"}'
    - username: admin
      authorities: '{"admin": "true"}'

These users get bootstrapped into Spring with their password equal to their username. The authorities field must contain a json object with the different authority fields mapping to a string or list of strings. You can use the /me endpoint to test whether this got parsed how you expected it to.

Example integration with Open Policy Agent:

opa:
  service:
    url: http://opa:8181
  query: "data.gateway.example.allow == true"

This is used for pointing out how the gateway can reach OPA, as well as what query it should try to evaluate for user requests. Generally, this depends on the .rego file that is loaded into OPA. In this example, the .rego file describes the package gateway.example wherein the rules are set for the allow variable.