Comments (2)
This was a deliberate choice to not include that functionality (which its predecessor inso did have).
There are multiple issues with it (which we're working on):
- Incorrect OAS files
- Ownership and trust
More details below. Definitely interested in thoughts about how to possibly deal with those, so feedback appreciated.
Incorrect OAS files
The input to the conversion is the OAS file that describes the API, as it lives internally in the back-end. Could be generated from code, etc.
Now if we want Kong to protect that API with basic-auth for example, then in the case of inso we would add security directives for that (and possibly x-kong-security-... for Kong specifics). The resulting file can be converted using the tools and generates the Kong output.
The problem however is that the OAS file now describes an API that doesn't exist, since the file will in its servers block have internal hostnames, not accessible from the outside world. Yet it also describes security requirements that are not enforced on that internal service, since they will be enforced by Kong (so on the external API, which probably lives on different hostnames).
So the file has become a weird mix of internal and external properties of the same service.
Ownership and trust
In large installations we typically see multiple roles or actors in the pipelines from development to production.
- platform team; operating the Kong installation, facilitating automated pipelines for developer teams to publish their APIs/services.
- developer teams (many!); build their products and continuously publish new versions on the platform.
- security team; validating configurations to ensure proper security guidelines are followed.
- product teams; requirements about API interactions and consistency between APIs
Now if the security directives are being used, how can bad actors be prevented from injecting bad security directives into an OAS file? If there are hundreds of dev teams publishing to the same platform, then the platform and security teams cannot trust those developer teams.
The security requirements should be delivered separately (in their own flow, with their own authorizations and approvals for changes). This also allows the security folks to review only the files in which security stuff changes, instead of having to review the OAS file every time one of those many teams publishes a change.
Hey @Tieske, thanks for the response. I actually agree with the above approach. Specifically for Incorrect OAS File, I felt like this was a bit odd to me as well. Based on item number 2, Ownership and Trust, I think I might break the auth plugin off into a Kong declarative YAML with the OpenAPI Spec being separate.
The one recommendation I would have here is that if the deck openapi2kong hits a security directive it throws an exception or at a minimum a warning, to let someone know that the security directives would be ignored, since that would not be the expected behavior.
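As an added example, not part of decK and not code from either comment above, here is a small Python linter that does what the second comment asks for (flag, or reject in strict mode, any security directive the converter would silently ignore) and what the first comment proposes (split the security requirements out of the OAS file into a separate policy artifact that can go through its own review flow). The sample spec is constructed, the `x-kong-security` prefix match stands in for the elided `x-kong-security-...` extension name, and the policy document format is this example's own assumption.

```python
# Added example (not decK code): lint an OpenAPI document for security
# directives that an OAS-to-Kong converter without auth support would drop,
# and split them into a separate policy artifact with its own review flow.
import json
import sys
import warnings

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _esc(token):
    """Escape one key for use in a JSON Pointer (RFC 6901)."""
    return str(token).replace("~", "~0").replace("/", "~1")


def _operations(spec):
    """Yield (path, method, operation) for every operation object in the spec."""
    for path, item in (spec.get("paths") or {}).items():
        if isinstance(item, dict):
            for method, op in item.items():
                if method.lower() in HTTP_METHODS and isinstance(op, dict):
                    yield path, method, op


def find_security_directives(spec):
    """Return [(json_pointer, value)] for the document-wide `security` list,
    every per-operation `security` list (an empty one disables auth for that
    operation, so it matters too) and any `x-kong-security*` vendor extension
    (assumed prefix, standing in for the `x-kong-security-...` name above)."""
    found = []
    if "security" in spec:
        found.append(("#/security", spec["security"]))
    for path, method, op in _operations(spec):
        if "security" in op:
            found.append((f"#/paths/{_esc(path)}/{method}/security", op["security"]))

    def walk(node, pointer):  # vendor extensions may sit at any level
        if isinstance(node, dict):
            for key, value in node.items():
                if key.startswith("x-kong-security"):
                    found.append((f"{pointer}/{_esc(key)}", value))
                else:
                    walk(value, f"{pointer}/{_esc(key)}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{pointer}/{i}")

    walk(spec, "#")
    return found


def check_spec(spec, strict=False):
    """Warn, or raise when strict, if the spec carries security directives,
    so nobody assumes the generated Kong configuration enforces them."""
    hits = find_security_directives(spec)
    if hits:
        msg = "OAS security directives will NOT be converted: " + ", ".join(
            location for location, _ in hits)
        if strict:
            raise ValueError(msg)
        warnings.warn(msg)
    return hits


def split_security(spec, service_name):
    """Return (clean_spec, policy): a deep copy of the spec with `security`
    and `securitySchemes` removed, plus a separate policy document (format is
    an assumption of this example) listing what the gateway must enforce."""
    clean = json.loads(json.dumps(spec))  # deep copy; the input stays untouched
    policy = {"service": service_name, "requirements": []}
    if "security" in clean:
        policy["requirements"].append(
            {"scope": "service", "security": clean.pop("security")})
    for path, method, op in _operations(clean):
        if "security" in op:
            policy["requirements"].append(
                {"scope": f"{method.upper()} {path}", "security": op.pop("security")})
    schemes = (clean.get("components") or {}).pop("securitySchemes", None)
    if schemes:
        policy["securitySchemes"] = schemes
    return clean, policy


SAMPLE_SPEC = {  # constructed; describes no real service
    "openapi": "3.0.3",
    "info": {"title": "Orders", "version": "1.0.0"},
    "servers": [{"url": "http://orders.internal.example:8080"}],
    "components": {"securitySchemes": {"basic": {"type": "http", "scheme": "basic"}}},
    "security": [{"basic": []}],
    "paths": {
        "/orders": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {"security": [{"basic": []}],
                     "responses": {"201": {"description": "created"}}},
        },
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":  # usage: python oas_security_lint.py [spec.json]
    spec = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SPEC
    for location, _ in check_spec(spec):
        print("ignored by the converter:", location, file=sys.stderr)
    print(json.dumps(split_security(spec, spec["info"]["title"].lower())[1], indent=2))
```

Run with `check_spec(spec, strict=True)` in the pipeline step that feeds the converter, so a spec that still carries auth requirements fails the build instead of producing a Kong configuration that looks protected but is not; the `policy` document from `split_security` is what the security team reviews and turns into its own Kong plugin configuration, separately from the developer teams' OAS changes.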