API Gateway

keycloak setup

• create a client in our custom realm for the API (
  • CDOGS_APS
  • confidential

Our API deployment configuration on OpenShift:

• created PR deployemnt of CDOGS (in DEV namespace)
• for app, use keycloak client ID and password for CDOGS_APS (update deployment config)

Configure services in APS

• log in to the API Services Portal APS
• create namespace (csst1)
• give the rest of our team Access
• create Service Account for managing our managingf our gatreway config
• create auth profile (cdogs-profile-1)
  • 'client credentials flow'
  • managed - CDOGS_APS, <secret>
• create a Product and link the auth profile

Gateway Service Configuration:

• install gwa
  • connect to your namespace from local machine (Use access token to connect to your namespace)

gwa init -P --api-version=2 --namespace=csst1 \
  --client-id=sa-csst1-ca853245-dd0d006dd0d5 \
  --client-secret=5fbc5e1b-317b-421e-9514-b4e684cfa778

(this creates a .env file in your cur Directory)

• create a yaml file (sample.yaml) that includes:

services:
- name: cdogs-service-1
  host: cdogs-app-pr-88.2250c5-dev.svc
  tags: [ ns.csst1.dev ]
  port: 3000
  protocol: http
  retries: 0
  routes:
  - name: cdogs-service-1-route
    tags: [ ns.csst1.dev ]
    hosts:
    - cdogs.api.gov.bc.ca
    paths:
    - /api/v2/health
    methods:
    - GET
    strip_path: false
    https_redirect_status_code: 426
    path_handling: v0
    plugins:
    - name: jwt-keycloak
      tags: [ ns.csst1.dev ]
      enabled: true
      config:
        algorithm: RS256
        well_known_template: https://dev.oidc.gov.bc.ca/auth/realms/jbd6rnxw/.well-known/openid-configuration
        allowed_iss:
        - https://dev.oidc.gov.bc.ca/auth/realms/jbd6rnxw
        run_on_preflight: true
        iss_key_grace_period: 10
        maximum_expiration: 0
        claims_to_verify:
        - exp
        uri_param_names:
        - jwt
        cookie_names: []
        scope: null
        roles: null
        realm_roles: null
        client_roles: null
        anonymous: null
        consumer_match: true
        consumer_match_claim: azp
        consumer_match_claim_custom_id: true
        consumer_match_ignore_not_found: false

(see ocp specifics) you can convert your openapi spec to the service config

• Publish your configuration: gwa pg --dry-run sample.yaml

add NSP on OpenShift to allow traffic from api gateway to our API

spec:
  podSelector:
    matchLabels:
      app: cdogs-pr-88
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              environment: test
              name: 264e6f
    - from:
        - namespaceSelector:
            matchLabels:
              environment: prod
              name: 264e6f
  policyTypes:
    - Ingress

• support mTLS (sharing of SSL certs) - optional

verify routes:

curl https://cdogs.api.gov.bc.ca/api/v2/health/headers

add a draft Dataset

• use Directory API: https://api.gov.bc.ca/ds/api/v2/console/#/API%20Directory/put-dataset
  • get token:
    • https://authz.apps.gov.bc.ca/auth/realms/aps/protocol/openid-connect/token
    • (basic auth using SA above)
    • body:

{
    "name": "cdogs_dataset",
    "license_title": "Open Government Licence - British Columbia",
    "security_class": "PUBLIC",
    "view_audience": "Public",
    "download_audience": "Public",
    "record_publish_date": "2022-10-20",
    "title": "Common Document Generation Service",
    "notes": "Common Document Generation Service (CDOGS) is a common hosted service (API) for generating documents from templates, data documents, and assets.",
    "tags": [
        "CDOGS",
        "document",
        "document generation"
    ],
    "organization": "ministry-of-environment-and-climate-change-strategy",
    "organizationUnit": "information-innovation-and-technology"
}

Update Product with Dataset

Seems easiest to use the swagger console again

• GET product GET /namespaces/{ns}/products
• Update product with dataset

body:

  {
    "name": "CDOGS",
    "appId": "E06D07AACD77",
    "dataset": "cdogs_dataset",
    "environments": [
      {
        "name": "dev",
        "active": false,
        "approval": true,
        "flow": "client-credentials",
        "additionalDetailsToRequest": "Optional instructions for requester here..",
        "appId": "72625E37",
        "services": [
          "cdogs-service-1"
        ],
        "legal": "terms-of-use-for-api-gateway-1",
        "credentialIssuer": "cdogs-auth-profile-1"
      }
    ]
  }

Product will now show in Preview Mode in APS

Request CDOGS access - API Consumer workflow:

• Go to API Directory: https://api.gov.bc.ca/devportal/api-directory or BC Data catalog (?)
• click request access
• add app
• choose environment
• note credentials

Grant access - API Provider workflow

• receive email notification
• can do auto-grant
• log in to APS and grant access
  • seems to be an error unless done from the alert banner
  • can add labels to identify consumers
  • add rate-limiting and IP restrictions
  • revoke access

---

Conclusions

• Overall the API gateway works as advertised.
• After initial understanding it's relatively quick to set up the required resources for a service
• Only minimal configuration tested (that I expect to be viable).
  • Not using Client JWT Audience Mappers / Resource Scopes
    • Roles are no longer required in CDOGS or CHES
    • I turned off 'verify audience' and 'use resource role mapping' in CDOGS instance
    • are we ok with any client in KC realm having access to API?
• API Clients will switch to a random client ID which is not recognizable in our logs / data
  • This will affect statistics for CHES in Metabase
  • We could update the Client ID after it has been created (as part of the onboarding workflow)