Introduction
In early March, 2024 an architectural proof of concept was shared with the community along with a spreadsheet providing context and serving as a means for the Folio community to provide feedback/questions. Such feedback was collected for roughly a month, reviewed and captured here along with responses. We chose to put the responses on the wiki with the goal of making this information easier to find later on (e.g. via wiki searches)
First/Last Name | Summary (Short) | Description (Long) | Additional Notes | Response | |
1 | Ingolf Kuss (SysOps) | KeyCloak receives positive feedback | The use of KeyCloak receives a generally positive feedback of the SysOps group. This will allow us to better fulfil legal security requirements. Changes in administrative software / scripts are expected to be not great. | KeyCloak helps to bind identity management to FOLIO. | Agreed. |
2 | Ingolf Kuss (SysOps) | Role Bases Access Controls generally positive | The work on role based access controls is seen generally positive by SysOps SIG. It will strengthen the security of the system. | Agreed. | |
3 | Ingolf Kuss (SysOps) | Log out in test environment doesn't work | The Logout of the test environment (arch-poc) doesn't work. One stays logged-in. | Maybe this points to some issue with the new keycloak-mechanism ? | This issues is specific to Firefox. It should behave properly on Chrome. |
4 | Ingolf Kuss (SysOps) | Reason for changing to Kong | SysOps SIG don't see a reason to change from Okapi to Kong. What can Kong do that Okapi can't do ? | Replacing Okapi was not something we set out to do, but rather something we arrived at while making other enhancements. This eventually led to a choice:
Here are some of the benefits of Kong:
| |
5 | Ingolf Kuss (SysOps) | License issue with Kong | Kong would need to be run in the commercial premium version to fulfil requirements of LSP hosting for libraries. This contradicts to the o in folio. | The OSS version of Kong is sufficient for Folio’s needs and uses the Apache 2.0 license. See https://github.com/Kong/kong/blob/master/LICENSE | |
6 | Ingolf Kuss (SysOps) | Missing documentation for Kong | How does Kong interact with FOLIO ? There is no documentation for us to review. | We acknowledge that documentation for Kong in the context of Folio is still forthcoming. | |
7 | Ingolf Kuss (SysOps) | Retooling for using Kong in existing FOLIO SysOps architecture | Doing things with Kong that we are now familiar doing with Okapi will take a lot of retooling for integrations, deployment scripts and jobs for upgrading the system. | While some retooling may be required, it isn’t expected to be extensive. Direct interaction with Kong on the control plane is limited. The following manager components handle these Kong interactions for you:
| |
8 | Ingolf Kuss (SysOps) | Questions about Sidecars | SysOps: Where does the code live ? Inside or outside the module ? Missing Documentation for Sidecars. Found some documentation for Kubernetes deployment, but what about plain docker deployment scenarios ? | Need more information about the use of Sidecars in FOLIO. | Sidecar code is distinct from the module code. Modules are unaware of sidecars and for the most part remain unchanged. We acknowledge that documentation for the module sidecars is lacking but is forthcoming. Sidecars can be deployed either directly via docker, or via any container management system, e.g. AWS ECS, Kubernetes, etc. |
9 | Ingolf Kuss (SysOps) | Reasoning of Sidecars | SysOps SIG questions if this is the right approach, as it couples the modules closer together. Will Sidecars replace Kafka ? | What exactly is the problem that Sidecars are solving in FOLIO ? | Sidecars provide individual modules with authorization, which they otherwise lack. They also provide new capabilities such as direct module-to-module routing, structured transaction logging conforming to the Common Log Format, etc. Modules are unaware of the sidecars. Pairing sidecars with modules does not increase coupling between modules. Sidecars will not replace Kafka. |
10 | Jakub Skoczen (TC) | Architectural diagrams | Can you please provide detailed architectural description of the PoC that includes systems and network diagrams and outlines responsibilities and interactions (including protocols used) between components included in the POC? | We acknowledge that documentation for this is still forthcoming. | |
11 | Jakub Skoczen (TC) | Alternatives/evaluation | Has there been a process for reviewing alternative solution and components as part of the PoC that resulted in the selection of specific components? If so what evaluation criteria was used to decide on this selection (e.g. why was Kong selected) | Yes, alternative solutions/technologies were evaluated. Documentation describing the selection process will be forthcoming (e.g. as part of the RFCs). | |
12 | Jakub Skoczen (TC) | Hosting impact | Can you provide information on the impact on hosting (deployment and maintenance): e.g. is scalability impacted (has the effect been measured, if so, how), is observability (e.g. request tracking) | Deployment and maintenance - From a hosting perspective, Kong and Keycloak do not add complexity, they are fully containerized like the rest of Folio, and provide graphical administrative user interfaces. Observability - Kong and Keycloak both support observability. For Kong this is via OSS plugins, e.g. prometheus, open telemetry, datadog, etc. See https://docs.konghq.com/hub/?category=analytics-monitoring, and for Keycloak it’s supported out of the box. | |
13 | What the intention of this change? | The tools mentioned in the 'Scope' section seem to be able to replace OKAPI. Is this intended? | See above (4) | ||
14 | Why Kong Gateway? | Yes, Kong does seem to be leading the market. But the free version of the gateway is limited. | See above (4) | ||
15 | Performance | Suppose OKAPI is a bottleneck. Wouldn't mgr-applications and mgr-tenant-entitlements become the new bottleneck? | The manager components operate in the control plane (Used for system administration, e.g. creation/management of tenants, registration of applications, enabling applications for tenants, etc). The manager components are not involved in the data plane (Routing/servicing API requests at runtime) | ||
16 | Performance | Direct communication between modules may take the pressure off a centralized broker. But it comes with new costs like latency (more internal http calls) and logging issues. | The number of hops/internal calls is actually the same or less with sidecars than it is with Okapi. We are working on visualizations of these flows. Regarding logging, See above (9) | ||
17 | UX changes to user management | Is there a PO assigned to work with the user management sig to discuss changes to permissions/roles/etc. that will manifest in the UX of managing users? | This came up in the PC. meeting, PC may help with bringing the community to the discussion | AFAIK Folio does not have a dedicated Users PO. However, we did work with Kimie K. to develop UX designs. We’d be happy to present these changes to the Users management SIG. | |
18 | Gateway options/introduction | Does Kong fully replace Okapi right away or will there be a case for 'legacy' FOLIO applications to be on Okapi and new applications to have Kong? | A Folio Platform will use a single API Gateway at its core, Okapi or Kong. There is no support for a hybrid system, nor is there any reason to operate in that manner. Folio Applications are unaware of - and unconcerned with - the API Gateway in use. |