Page Comparison

• What challenges can we think of ?
• Is this viable or are there red flags ?
• How will/can Sys Ops handle this ?

Links / Infos (further reading):

Latest news: the FOLIO Architectural PoC Review Feedback is out ! This will serve as a mechanism to provide feedback and questions!

https://docs.konghq.com/gateway/latest/get-started/

and more:

"folio-kong" is an "LOC module": /wiki/spaces/DQA/pages/36962480 , https://github.com/folio-org/folio-kong (A Kong plugin that will add Authorization header from a cookie.)

Some reported API calls which will "break on the new platform": MODSIDECAR-13: Options for handling modules which call OKAPI

Looking at architectural proof-of-concept:

• Keyclock - replace home-grown auth. https://www.keycloak.org/guides ,  Guides set-up via Kubernetes or Docker environments.
• Kong Gateway - https://docs.konghq.com/gateway/latest/get-started/, create service not in Kubernetes, existing Helm charts.

Is this the right way to proceed?

• One person from SysOps look at Keyclock with Kubernetes and Docker
• Another person from SysOps look at Kong with Kubernetes and Docker

Proof-of-Concept:

• Logging out doesn't work
• Software version using Applications/modules/interfaces, Keyclock is in platform complete.
• Didn't change code in existing modules.
• Has a platform minimal as well.
• New feature of Roles-based access controls replacement of permissions/permissionsSets
• Okapi doesn't exist, all using Kong, can use

Thoughts?

• Use POC to investigate
• Any documentation on this specific implementation, how is Kong interacting with FOLIO? Not much documentation available for us to review. We have to figure how to get Kong working, very concerning.
• From Jason Root's comment in chat:
  My biggest concern here is how does one interact with the Kong Gateway API to do system administration tasks like we are familiar with in Okapi? That will likely take a lot of code change and retooling for integrations, and deployment scripts/jobs for upgrading the system.
• From Tod Olson comment in chat:
  On the subject of KeyCloak, it supports both SAML and OIDC. If this means we no longer need to support mod-login-saml and we get more options for authentication, I think this will be a good thing.
• Folio-kong doesn't have a README, only the authorization part
• Florian Kreft - concern that external scripts integrations are not fully compatible with existing Okapi.
• From Tod Olson comment in chat:
  I believe that these technologies were chosen, at least in part, to meet stricter government security requirements.
  I'm not certain that's part of Kong, but it is part of KeyCloak and and the work on roles.
• Not sure Kong is a drop-in replacement for Okapi
• Florian Gleixner - replace open-source with freemium version for Kong? What are the costs? Costs by institution and/or by users? No information about licensing, only if you are willing to talk with Sales. Don't want to bring software that costs millions a year?
• Julian Ladisch - Libraries would need to commercial version
• Florian Kreft - What is the reasoning for replacing Okapi with Kong?
• Okapi's responsibilities have been distributed over multiple technologies Keyclock, Kong, and module side-cars. Tenant endpoint not part of Kong. Kong only a API gateway, doesn't replace all of Okapi.
• Not sure where Module sidecars code exists? Maybe in module, sidecars with different images, run next to module, in Kubernetes run along side of modules. Different images run in the same scope, keep original module the same but another container that is directly linked to the module. Inventory and Inventory-storage modules, makes sense to but does these sidecars replace Kafka?
• Manager components - application administration
• From Julian Ladisch in chat:
  mod-login-saml is based on PAC4J that supports OAuth, OpenID Connect (OIDC), and many other authentication mechanisms: https://github.com/folio-org/mod-login-saml?tab=readme-ov-file#other-documentation
• Not in scope, revisiting application boundaries

How to proceed for SysOps?

• Is there someone to tell use how Kong and other technologies replace Okapi? Keyclock is not a problem, help us to bind identity managements to FOLIO, Kong as a replacement for Okapi, not open-source have to pay for Kong. Direct communication of modules? Not sure that is right way as it closely couples modules together. Maybe combine modules? Module boundaries maybe wrong
• No examples of module sidecars? Very vague. Need more information. More information on Kubernetes side cars https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
• Why do we want to replace Okapi with Kong? Why
• Security concerns makes more sense with Keyclock, not certain about Kong.
• A non-free okapi replacement would really go against the last o in folio
• Keyclock replacement part not as big change as changing to Kong
• How to use sidecars if not using Kubernetes? Could still use sidecars when using Docker in the same context.
• Need more details on module sidecars? What exactly is the problem that sidecars are solving?
• Don't really understand direct module-to-module communication? Sidecar would need HTTP communication forward that to the connect module. Not sure of the purpose?
• Kong Enterprise license based on the number of users https://www.xlsoft.com/en/products/kong/price.html AWS offer for Kong Gateway Enterprise is per server and hour: https://aws.amazon.com/marketplace/pp/prodview-qwksr2wun4awo#pdp-pricing
• Need clarification on module sidecars and why Kong is better than Okapi? Considering it is not free and not cheap or open.
• Any documentations on why or analysis for these changes?
• Not sure we have enough information to assess these changes without more information.

• Kong plan Plus: API Requests $34.25 per 1M requests

A few exciting updates to share for WOLFcon 2024:Call for Proposals Now Open: Got ideas about open-source to share? Talk about it at WOLFcon. Submit a presentation, panel, short talk, or pre-conference workshop. The deadline for submissions is March 31, 2024. Submit a session here.Early Bird Registration Now Open: Join us at Senate House, University of London. September 24-26, 2024. Register now through July 31, 2024 for an early bird discounted rate.Learn more about WOLFcon 2024: Want to learn more about the Open Library Foundation and WOLFcon? Be sure to visit our website where you can learn more about the foundation, members projects, communities, and the annual conference.

Submissions for SysOps presentation, panel, short talk or pre-conference workshop? Have a SysOps session or talk, could be hybrid.

Topics for SysOps?

• Next week look at topics before March 31 2024, deadline SysOps for is March 22.
• Architectural POC summary?

Meet next week to discuss WOLFcon proposals and Architectural POC assessment