AWS API Gateway as Ingress Controller Advanced settings — Part 02

In my previous blog[1] I mentioned about the features I added to the API GW Ingress Controller in the first cut. But as our project evolved I included few more cool features and this time I am going to talk about them.

Separating out Ingress rules and API resources published via API GW.

Ingress controller was earlier defining APIs based on ingress rules. So it was difficult to define API resources and methods that were exposed publicly and keep some resources private. And also it was difficult to expose certain methods as ingress rules cannot define methods.

So I came up with a solution of an annotation which can be use to define the public APIs. With this we can define which resource and which method is exposed publicly and everything else will be private.

Annotation to define public api resources is as below.

apigateway.ingress.kubernetes.io/public-resources

Here is a sample json value that you can provide. Its an array and you can define any number of resources. And you should minify the json and add it to ingress configuration.

[
   {
      "path":"/api/v1/foobar",
      "caching_enabled":true,
      "method":[
         "GET",
         "POST"
      ]
   }
]

And if you have path, query or header params and if you want to proxy them that also can be added to the same configuration. And also you can add constant path query or header params also which will be passed to the backend. Here is the api resource path struct looks like. So you can define mentioned properties within above json. Use json property names mentioned before the property name.

type APIResource struct { 
  Path              string          `json:"path"` 
  CachingEnabled    bool            `json:"caching_enabled"` 
  Methods           []Method        `json:"method"` 
  PathParams        []ConstantParam `json:"cons_path_params"` 
  QueryParams       []ConstantParam `json:"cons_query_params"` 
  HeaderParams      []ConstantParam `json:"cons_header_params"` 
  ProxyPathParams   []Param         `json:"path_params"` 
  ProxyQueryParams  []Param         `json:"query_params"` 
  ProxyHeaderParams []Param         `json:"header_params"`
}
type Param struct { 
  Param    string `json:"param"` 
  Required bool   `json:"required"`
} 
type ConstantParam struct { 
  Key   string `json:"key"` 
  Value string `json:"value"`
}

Allowing to create multiple APIs in APIGW with its own api resources, authorizers and usage plans.

This can be named as the most cool feature I added. Lets say you have multiple APIs you want to create. You can definitely create multiple ingresses. But the problem with that is it will create multiple VPC links multiple NLBs and so on. But those can be shared with the APIs when we use same backend. So idea here is to let share everything else other than APIGW resources. And apart from this I added the capability to provide the authorizer configs here also. Different apis can have different authorizer configs, resources and usage plan configs.

I defined an ingress annotation to define this as below.

apigateway.ingress.kubernetes.io/aws-api-configs

Input is again a json and its an array. Following are the two new structs I added to support this feature. Input to the above annotation should be an array of AWSAPIDefinition type.

type AWSAPIDefinition struct { 
  Name                  string             `json:"name,omitempty"` 
  Context               string             `json:"context"` 
  AuthenticationEnabled bool               `json:"authentication_enabled"` 
  APIKeyEnabled         bool               `json:"api_key_enabled"` 
  Authorization_Enabled bool               `json:"authorization_enabled"` 
  UsagePlans            []UsagePlan        `json:"usage_plans"` 
  Authorizers           []AWSAPIAuthorizer `json:"authorizers"` 
  APIs                  []APIResource      `json:"apis"` 
  BinaryMediaTypes      []string           `json:"binary_media_types"`
} 
type AWSAPIAuthorizer struct { 
  IdentitySource               string   `json:"id_source"` 
  AuthorizerType               string   `json:"authorizer_type,omitempty"` //can be TOKEN, COGNITO_USER_POOLS or REQUEST 
  AuthorizerAuthType           string   `json:"authorizer_auth_type"` 
  AuthorizerName               string   `json:"authorizer_name"` 
  IdentityValidationExpression string   `json:"id_validation_exp"` 
  AuthorizerResultTtlInSeconds int      `json:"authorizer_result_ttl_secs"` 
  AuthorizerUri                string   `json:"lambda_arn"` 
  ProviderARNs                 []string `json:"provider_arns"`
}

Other feature additions to enable Gateway Cache, Request timeout, Enabling request compression and allowing to configure TLS policy to the custom domain.

Few more minor feature additions are done which are not included in previous cut and not mentioned in the previous blog entry and related annotations can be found in README with some sample values.

Hope this helps. Good luck !!!

References

[1] https://blog.usejournal.com/api-gateway-as-ingress-controller-advanced-settings-cfda5ce06d41

[2] https://github.com/danushkaf/amazon-apigateway-ingress-controller

[3] https://github.com/danushkaf/amazon-apigateway-ingress-controller/blob/master/README.md#example

[4] https://github.com/danushkaf/amazon-apigateway-ingress-controller/blob/master/pkg/cloudformation/types.go