Add separate subdomains for the Platform components?

altinnadmin commented 3 years ago

Description

Currently all our Platform microservices lives in https://platform.altinn.no/

This means that it will be difficult to host our microservices in different infrastructures without affecting external systems, f.ex. some in AWS, some in Azure and some on-prem.

To solve this we could introduce separate subdomains for each Platform component, for example:

https://storage.platform.altinn.no https://profile.platform.altinn.no etc.

This will be like our app clusters: https://digdir.apps.altinn.no https://ssb.apps.altinn.no etc.

In scope

What's in scope of this analysis?

Out of scope

What's out of scope for this analysis?

Constraints

If we should do this it should be done early. When too many orgs star using Altinn 3 this will be very hard to change.

Analysis

Conclusion

Short summary of the proposed solution.

Tasks

[ ] Is this issue labeled with a correct area label?
[ ] QA has been done

SandGrainOne commented 3 years ago

@altinnadmin The Altinn 3 infrastructure already has an abstraction layer in API Management. API Management can already prevent any backend changes from affecting external users of the Platform API.

With that being said, I have actually suggested (internal link) something similar to this for the hostnames of the API in backend. The reason was the content of the OpenAPI specifications that each API would generate. They can't be imported into API Management without changes. We now have a small PowerShell script that does the necessary changes.

Please note that my suggestion requires changes not only in hostname but also in how the application itself include its name. eg: https://platform.altinn.no/profile/v1 -> https://profile.platform.altinn.no/v1

altinnadmin commented 3 years ago

@SandGrainOne Thanks for the feedback!

The layer in API Management is not "good enough", since that implies a dependency on Azure. If, for example, we wanted to host Storage on-prem, we probably would not want all data to flow through Azure API Management. ref. Schrems II. That means Storage would need a separate IP-address and also exposing the subdomain externally.

Agree, changing the name in the URL also makes sense if we do this.

SandGrainOne commented 3 years ago

@altinnadmin My assumption is that any APIM product would have the same capability. There are also other reverse proxy products that can do similar "URL rewrites". We are already using NGINX and Treafik at other points in our infrastructure.

altinnadmin commented 3 years ago

Does not matter :) The point here is that we should be able to NOT use APIM for one microservice if we so desire, or use APIM in AWS instead for one microservice.

annerisbakk commented 3 years ago

Lagt inn i TFS https://tfs.ai-dev.brreg.no/Altinn/Altinn/_workitems/edit/50896 Trenger tilbakemelding fra dere når infrastruktur skal kobles på

annerisbakk commented 8 months ago

@SandGrainOne Bør det opprettes et nytt issus for det som evt gjenstår, og lukke denne?

SandGrainOne commented 8 months ago

Maybe @altinnadmin can pitch in whether anything has changed or if this still stands.

altinnadmin commented 7 months ago

I guess our current push towards moving to independent infrastructures for each product indirectly solves my original concern, since those products then can be hosted anywhere on any domain.

And the decision to use a common APIM across products and move towards a "unified" api.altinn.no domain for external APIs, also makes this issue less relevant as it stands.

So perhaps this just should be closed. Agree @SandGrainOne ?

SandGrainOne commented 7 months ago

Enig. Lukkes.

Altinn / altinn-platform