Closed yoomlam closed 1 year ago
I think as an engineer, it's important to understand tradeoffs and risks. I agree that VRO API serves as a security blanket; this is not without a cost. It does become a single point of failure for any dependent APIs, so glad to see we have some e2e tests set up already.
Additional benefits of having a gateway: We can consolidate how we monitor API performance and get that info in a single place.
Thoughts about how to incorporate an API gateway:
api-gateway
api-gateway Docker container, listening on ports 80 (http) and 443 (https)
app and domain-cc/python-src to present a single merged API spec
app provides the API for Java controllers (i.e., domain-*/*-api-controller) on ports 8080 and 8081
api-gateway
api-gateway Docker container if they're both Java-based
domain-cc/python-src provides the API for domain-cc's Python-based API
Reference thread for prioritization -- this is becoming a blocker for Contention Classification team's ability to publish their API spec.
LHDI has an existing Kong API Gateway in place; my understanding is that they use it for both internal and external-facing partner APIs today. Please check with them to see if their gateway satisfies our requirements.
@va-albers Who's a good Kong contact?
@yoomlam we could check with the LHDI during their Wednesday 11 AM ET office hours. Also Steven Bair mentioned a few names: "The LH project uses Kong today (hosted in VSP AWS) - we use the same instance of Kong for a team that required public availability on LHDI. There is a team (I believe it was Quokka but moved to another team) looking into what the future for API GW would look like for Lighthouse. Pam Lougheed should be able to point you in the right direction (in terms of what team is doing that research today and a good POC if desired)" "It's also used as a VA-internal GW. Beau Grantham would be a good POC if interested in using it as an LHDI tenant"
Thanks @yoomlam !
As of 5/10, while the CC API is our only use case, we decided not to solve for serving multiple APIs yet. Instead, we will temporarily point the single VRO API hostname to the CC API as the single API within VRO (decoupling it from the existing, RRD-focused VRO API). Then when we surface our next use case for having an external system call an additional API within VRO, we'll come back around to solving for serving up multiple APIs. (Further context on this decision in Slack here).
@yoomlam I'd like to either revamp this ticket to be a tech spec/tech design ticket for solving for serving up multiple APIs (either via gateway or K8s solution), or, close this ticket and reference it in a new tech spec/tech design ticket. Any preference or opinion on that?
Let's keep this ticket as is in case we do want an API Gateway as the solution, so "close this ticket and reference it in a new tech spec/tech design ticket".
Update as of 5/15: with a reduced LOE on this API gateway effort, we decided to go ahead with it instead of the workaround of pointing the VRO API to the CC API mentioned above. (Slack post here)
Finally got it working in LHDI. Need to clean up the code and document on the wiki.
@yoomlam I'd like to succinctly capture the decision history on this one, namely:
Could you incorporate that into the wiki documentation you mentioned?
Created new follow-on ticket #1591 with the same ticket labels as this one.
@dianagriffin Added decision history: https://github.com/department-of-veterans-affairs/abd-vro/wiki/Software-Conventions#decision-history
Deployed and tested in all LHDI envs.
VRO currently serves up its API using Spring MVC. This constrains implementations of new APIs to be written using Spring MVC and Java. To support serving up APIs implemented in other languages (i.e., Python used by the CC Team), implement a VRO Gateway that queries for available APIs and merges them to present a single VRO API.
AC:
Reference
etcd container, need script to import OpenAPIs (https://apisix.apache.org/docs/dashboard/modules/data_loader/openapi3/, https://apisix.apache.org/docs/dashboard/IMPORT_OPENAPI_USER_GUIDE/) and seems rather new (cannot export APIs?).
Benefits of having a gateway:
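The merge step the issue description asks of the gateway (take each upstream's OpenAPI document and present a single spec), shown as an added example that is not abd-vro code. It goes beyond the text by namespacing components, failing on path collisions, and copying each upstream's top-level `security` default onto its operations so the merged spec does not document protected endpoints as open; the namespaces, path prefixes and sample specs are constructed assumptions.

```python
# Added example, not abd-vro code; namespaces, prefixes and sample specs are constructed.
METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def _ns(node, ns):
    """Copy node, prefixing local component $refs and security scheme names with ns."""
    if isinstance(node, list):
        return [_ns(v, ns) for v in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, val in node.items():
        if key == "$ref" and isinstance(val, str) and val.startswith("#/components/"):
            section, _, name = val[len("#/components/"):].partition("/")
            out[key] = f"#/components/{section}/{ns}_{name}"
        elif key == "security" and isinstance(val, list):
            out[key] = [{f"{ns}_{s}": scopes for s, scopes in req.items()} for req in val]
        else:
            out[key] = _ns(val, ns)
    return out

def merge_specs(upstreams):
    """upstreams: {namespace: (path_prefix, openapi_dict)} -> one merged OpenAPI dict."""
    merged = {"openapi": "3.0.3", "info": {"title": "merged API", "version": "0"},
              "paths": {}, "components": {}}
    for ns, (prefix, raw) in upstreams.items():
        spec = _ns(raw, ns)
        default_security = spec.get("security")
        for path, item in spec.get("paths", {}).items():
            full = prefix.rstrip("/") + path
            if full in merged["paths"]:
                raise ValueError(f"path collision: {full} (upstream {ns})")
            for method, op in item.items():
                # The upstream's top-level `security` default is not carried into the
                # merged document, so copy it onto operations with no override.
                if method in METHODS and default_security is not None:
                    op.setdefault("security", default_security)
            merged["paths"][full] = item
        for section, entries in spec.get("components", {}).items():
            for name, body in entries.items():
                merged["components"].setdefault(section, {})[f"{ns}_{name}"] = body
    return merged

# Constructed specs standing in for the Java `app` and Python `domain-cc` upstreams.
JAVA = {"security": [{"bearer": []}],
        "paths": {"/claims": {"get": {}}, "/health": {"get": {"security": []}}},
        "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}}}
PY = {"paths": {"/classify": {"post": {"requestBody": {"content": {"application/json": {
          "schema": {"$ref": "#/components/schemas/Claim"}}}}}}},
      "components": {"schemas": {"Claim": {"type": "object"}}}}
MERGED = merge_specs({"app": ("/vro", JAVA), "cc": ("/cc", PY)})
```

An operation that sets `security: []` explicitly stays public after the merge, while one that relied on the upstream default now carries the namespaced requirement itself.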