EUREKA-789 - POC - Version-specific routes in Kong
Spike Overview
It is necessary to verify “Version-specific routes w/ MTE updating expressions upon entitlement changes” option which is mentioned at https://folio-org.atlassian.net/wiki/spaces/FOLIJET/pages/1103495197 . Identify code that should be updated. Document any potential problems, implications or risks.
Jira ticket for the spike - https://folio-org.atlassian.net/browse/EUREKA-789
Experiments with Kong route expression
Update existing route at dev rancher environment with expression and perform request to check Kong endpoint evaluation based on x-okapi-tenant header value, such expression for route is used:
(http.path == "/capabilities" && http.method == "GET" &&
(http.headers.x_okapi_tenant == "test" || http.headers.x_okapi_tenant == "college" || http.headers.x_okapi_tenant == "diku"))
Perfom request with x-okapi-tenant = university. Response with 404 error code is produced:
Options of migration to use tenants in route expressions
In scope of https://folio-org.atlassian.net/browse/MGRENTITLE-92 Kong routes management logic was removed from mgr-tenant-entitlements:
https://github.com/folio-org/mgr-tenant-entitlements/pull/178
At this moment routes are created in the mgr-applications:
Challenges
mgr-tenant-entitlements knows about tenants but does not know about routes and at same time mgr-applications creates routes but does not have any information about entitlements and tenants. In that case mgr-tenant-entitlements should be responsible for updating routes or it should notify mgr-applications to update routes expression by tenant value during entitlement process.
In above scenarios multiple tenants entitlements and updates the same routes expression at same time is a reason for a race condition that occurs during the "read-modify-write" cycle, there is a risk to save route expression with inconsistent state.
Kong does not have optimistic locking mechanism to avoid simultaneous updates of same routes. Verifying this by opening UI of Kong admin for route configuration in separate browsers windows and saving expressions with different values.
Proposed solutions
Option 1 : mgr-tenant-entitlements is responsible for updating routes
The updates should be done using spring based event publishing logic ( org.springframework.context.ApplicationEventPublisher), all events to update routes expression will be processed one by one.
New event publisher should be introduced and included in FolioModuleEntitleFlowFactory.
Updates will be done in scope of one application.
Limited to a single instance of mgr-tenant-entitlements.
Blurs the lines between entitlement logic and route management.
Option 2: mgr-applications is responsible for updating routes
Update of routes expression should be done in mgr-applications based on listening Kafka events one by one.
New Kafka event publisher should be introduced in mgr-tenants-entitlements and included in FolioModuleEntitleFlowFactory.
Several instances of mgr-tenant-entitlements could be used.
Each service retains a single, clear responsibility.
Code changes should be done in scope of several applications: mgr-tenant-entitlements, mgr-applications.
Changes when application updated/uninstalled
The tenant information for route can be changed, so updates of FolioModuleUpgradeFlowFactory, FolioModuleRevokeFlowFactory will be require to publish events about changes for application updates/uninstall.
Potential problems
The solution is based on including in Kong route expression the tenant value check. According documentation https://developer.konghq.com/gateway/routing/expressions/#priority-matching :
Expressions routes are always evaluated in the descending priority order they were defined. Therefore, it is helpful to put more likely matched routes before (as in, higher priority) less frequently matched routes.
Eureka cluster can have module with version for which route expression is not updated because there is no tenant which requires particular modules version. In that case that route expression will be evaluated with other routes that were updated based on tenants value. And as it has less strict rules the issues described in https://folio-org.atlassian.net/browse/EUREKA-778 may appear.
Disable checking tenant in route expression
Kong route expression provides option to use regular expression. Update route expression with value:
http.headers.x_okapi_tenant ~ r#".*"#
It possible to use any tenant as value of x-okapi-tenant header. In the request test tenant is used, it does not mentioned in routes expression:
Regular expression that allow any tenant can be added by responsible component(mgr-applications) using feature flag when routes are created.