Replies: 4 comments 3 replies
-
I think there's a chicken and egg problem here. In the diagram above, step (4) shows the link from forward proxy to Lighthouse as being via At minimum I think the more accurate thing would be to say that step (4) routes to Lighthouse at the configured upstream for the forward proxy, which is My question is - my understanding is that Apigee is intended as the public API gateway for external-to-VA Lighthouse clients. But vets-api is not really one of these - it's an internal-to-VA client. So what is the URL/route that internal Lighthouse clients are meant to use? Is such thing deployed yet, and can we point from vets-api->fwdproxy-> ? Otherwise, we need to be clear on the risk of bypassing Kong. |
Beta Was this translation helpful? Give feedback.
-
@patrickvinograd I've changed step 4 in the diagram to correctly use the url configured in the fwd proxy, which is |
Beta Was this translation helpful? Give feedback.
-
Moved to #39993 |
Beta Was this translation helpful? Give feedback.
-
RFCs have been moved to: https://github.com/department-of-veterans-affairs/va.gov-platform-architecture |
Beta Was this translation helpful? Give feedback.
-
Summary
The Kong API gateway is currently an integral part of the overall
dsvagovcloud
AWS architecture. The Lighthouse team is planning to retire Kong by migrating to a new Apigee gateway hosted on GCP. The idea is that the domainapi.va.gov
will be routed to Apigee, and a new domainplatform-api.va.gov
will expose the API endpoints of thevets-api
. The major users of this new domain are the va.gov website and the mobile app and they will need to adjust their API calls accordingly.Our thinking is that in the first phase of the new
dsvagovcloud
architecture we will no longer need an API gateway, since Kong's main role was to funnel traffic to the vets-api and Lighthouse, respectively. Most requests to the new domain will need to go directly tovets-api
. It is our opinion, therefore, that a reverse proxy would be sufficient to handle incoming traffic at this stage. (Further down the road, we may need to introduce an API gateway component to better support the migration of thevets-api
from a monolithic Rails app to a more microservices-based system.)This RFC is about one of Kong's current functions of handling cases in which Lighthouse APIs are used as an upstream dependency of
vets-api
. These types of requests first go (either via Kong or via the current revproxy) tovets-api
, and then back through Kong and a forward proxy to Lighthouse. Once Kong is removed,vets-api
would need to make those requests directly to Lighthouse via the forward proxy.This RFC outlines the hurdles and intricacies of removing Kong as an intermediary between the
vets-api
and Lighthouse and kicks off the discussion on our approach.Motivation
We're inviting comments on our initial investigation into what needs to be taken into account in removing Kong. The overall benefit of removing Kong is to achieve a simpler architecture with a more straightforward request flow. By investigating and exposing potential pitfalls in the removal of Kong, we can make the path to the new architecture smoother. Our initial research and your input will save our team development time and prevent us going down avenues that would have to be abandoned.
Use-cases:
vets-api
that make secondary API calls to Lighthouse under the hoodExpected outcome:
dsvagovcloud
account and API calls tovets-api
that use Lighthouse as an upstream dependency will continue to work as they doDetailed design
Example
To better illustrate the problem domain, consider how a web request from the Find VA locations page currently travels.
Once the website determines the lat and long of a location entered by a user, it composes a API request to
https://api.va.gov/facilities_api/v1/va
sending lat and long as parameters. The current reverse proxy solution, Openresty, parses the path and forwards this type of request directly to thevets-api
backend.To actually obtain a list of nearby locations,
vets-api
makes a request to Lighthouse, using a different urlhttps://api.va.gov/services/va_facilities/v0/facilities
. According to redirect rules set up in Openresty, this second request will be directed to Kong, that is configured to handle all requests that have/services
or/internal
as a prefix.Kong recognizes this request as one destined for Lighthouse and sends it to HAProxy, our forward proxy, which finally transmits it on to LH.
In the new architecture, this scenario is greatly simplified. Notice the new domain names involved.
Preliminary experiments with
curl
-ing the fwd proxy address directly verifies that this plan is in theory viable:Here is an excerpt from the response:
How do we get there?
In order to remove Kong as intermediary between
vets-api
and the forward proxy, we need to address the following:Identify the instances in which vets-api uses Lighthouse API as an upstream dependency
Currently, LH upstream dependencies in the
vets-api
are not exhaustively documented. It is, however, important to have a comprehensive list of these occurrences in order to ensure those requests are routed to the forward proxy rather than toapi.va.gov
.Preliminary research based on examining the
config/settings.yml
file invets-api
, some instances have been identified, but there are likely more:/services/va_facilities/
Settings.lighthouse.facilities
/services/fhir/
Settings.lighthouse.veterans_health.url
andSettings.lighthouse_health_immunization.api_url
/services/appeals/
Settings.virtual_agent.lighthouse_api_uri
andSettings.decision_review.url
andSettings.virtual_agent.lighthouse_api_uri
services/pgd/
Settings.hqva_mobile.lighthouse.pgd_path
/services/va_forms/
Settings.forms.url
Please comment with any ideas on how best to amass a complete list. One idea that came up was to parse the forward proxy logs for calls to the Lighthouse API. This Google sheet is the result of obtaining a day's worth of API requests logs that go to LH through the forward proxy. Overall, there were 15k+ unique urls. To remove the noise, the ones where the uniqueness is based on an ID are represented with an example, e.g.
/clinical-fhir/v0/r4/Patient/1015864945V516423
Identify Kong's role in forwarding LH requests from the vets-api to the forward proxy
Besides sending select traffic to the forward proxy, Kong uses several plugins to perform additional request manipulation common to API gateways:
/services/pgd/v0
vets-api
The Lighthouse team confirmed that this functionality will be replicated in Apigee, so it stands to reason that there will be no intervention needed in the travel between
vets-api
and the forward proxy:Before:
vets-api --> Kong --> fwd proxy --> LH
with Kong doing things like rate limitingAfter:
vets-api --> fwd proxy --> Apigee --> LH
with Apigee replacing all Kong functionalityChanges required to the forward proxy congfiguration
Currently, the forward proxy is configured to listen for Lighthouse traffic on port 4451 and send that traffic to
blue.production.lighthouse.va.gov
.The backend configuration will clearly need to change, but other than that, we think that the forward proxy can be used without too much modification. Let us know if you can think of any issues we might have missed.
Coordinating the removal of Kong with the Lighthouse team
The traffic from
vets-api
that is intended for LH will need to have been routed reliably and exhaustively to the forward proxy before Kong can be taken out of the picture. This will require some careful planning to come up with a phased, environment-based approach.Alternatives
An alternative would be to leave Kong in place and continue to rely on its capabilities to route traffic. This would still require some work to change the current configuration but would leave Kong as an architectural unit intact. While this might sound like less work, and also lessen risk, we believe that greater benefit would be realized in simplifying the overall architecture.
Beta Was this translation helpful? Give feedback.
All reactions