bcgov / gwa-api

Gateway Admin API for self-service of Kong configuration, ACL management and BCDC Catalog updates for API metadata
Apache License 2.0

Allow custom certificates to be used for routes #125

Open ikethecoder opened 2 weeks ago

ikethecoder commented 2 weeks ago

Due to the handling of 3rd party cookies in browsers, there is a requirement to allow custom domains to be configured on the Kong Gateway, as opposed to now where they have to use one of the wildcard-based certificates.

To accomplish this, we need:

  1. a way for an API Provider to register an SSL/TLS certificate
    1. API Providers are able to register SSL/TLS certificates already for the purposes of performing mTLS between Kong and the Upstream service. See: https://developer.gov.bc.ca/docs/default/component/aps-infra-platform-docs/how-to/upstream-services/#upstream-services-with-mtls
    2. confirm we can provide SNIs here
  2. to enhance the gateway API to collect the certificate details from the Kong Admin API and include them in the request that goes to the kube API
    1. need to avoid host transformation for custom domains (https://github.com/bcgov/gwa-api/blob/dev/microservices/gatewayApi/v2/routes/gateway.py#L472):
       ```python
       # keep the host as registered instead of rewriting it to a platform name
       if is_host_custom_domain(host):
           new_hosts.append(host)
       ```
    2. need an attribute at the route level for certificates, key value pair where the key is the host and the value is the cert (all the cert data from admin API)
    3. add cert info to the route_payload, send all the certs for the namespace (or just [])
  3. update the kube API to use the new information about custom certificates and apply the Route with the appropriate SSL/TLS details
  4. update scheduler API to gather information from the Kong Admin API and send it to the kube API for provisioning.
    1. as part of each namespace sync, get all certs for that namespace
    2. if the route ends in not api/data/app, match the SNIs from the certs
    3. if there isn't a match then throw an exception

Validation

register the *.api.gov.bc.ca cert for webapps.gov.bc.ca, curl with --resolve to Silver

A/C:

rustyjux commented 2 days ago

@ikethecoder looks like gwa apply only supports GatewayService, CredentialIssuer, DraftDataset, and Product (Environment) resources and not certificates. It would be nice to not force folks to use pg.

Let's line that up for next sprint and consider if we want to have Veenu go ahead with pg or hold off?