Versions Compared

Version Old Version 3 New Version 4
Changes made by

Dima Tkachenko

Dima Tkachenko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Route all timer request (for regular and system interfaces) through Kong, but in the case of system interfaces, allow requests coming from the internal sub-net only and block any calls to system interfaces from the outside. This type of barrier can be enforced with custom Kong plugin, let’s call it Private Resource Access (PRA) plugin.

The plugin should be aware of network boundaries where Eureka cluster with Folio modules is deployed. How exactly this information can provided to the plugin is TBD. With that knowledge requests to system interfaces can be filtered by requestor’s IP address:

...

Folio modules and their sidecars are deployed inside a cluster with predefined private network (marked as Intranet on the diagram). Among other modules the deployment contains mod-scheduler, to run scheduled jobs, and an arbitrary some business module, named “Module A” on the diagram. Module A provides regular interface /regular-url-A along with _timer interface /timer-url-A. Detailed information about Module A interfaces contained as usual in its Module Descriptor.

  1. At first Tenant Entitlement manager (MTE) enables an application with Module A for a tenant. During this process MTE gets Module Descriptor of Module A and

a. creates routes in Kong for all module’s public interfaces from "provides" section of Module Descriptor

b. creates routes in Kong for _timer interfaces. Each newly created route marked with a special tag “private“ (or “internal“, or “system“) to identify interface as internally available only

...

c. creates (via Kafka) scheduled jobs for Module A _timer endpoints in mod-scheduler

  1. scheduled job is triggered for /timer-url-A endpoint. Request goes from mod-scheduler to its sidecar, which in turns forwards the request to Kong, since the request URL is not registered inside sidecar’s egress routing table

    1. Kong receives the request and searches for known routes associated with the given URL and method. Once the route is found, PRA plugin checks if it has “private“ tag assigned, in case of scheduler

Pros

  • Mod-scheduler and the mod-sidecar remain unchanged

...