fix: update transports to rely on one session from openziti. remove r…

…edundant config entries Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com>
edgexfoundry · Mar 21, 2024 · b48ae02 · b48ae02
1 parent 547b16f
commit b48ae02
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 45 deletions.
diff --git a/cmd/edgex-ui-server/res/configuration.yaml b/cmd/edgex-ui-server/res/configuration.yaml
@@ -2,7 +2,7 @@ Writable:
     LogLevel: INFO
 Service:
     Host: localhost
-    Port: 4000
+    Port: 4444
     ServerBindAddr: ''
     StartupMsg: edgex-ui-go service started
     HealthCheckInterval: 10s
@@ -11,15 +11,7 @@ Service:
     SecurityOptions:
         Mode: ""
         OpenZitiController: "openziti:1280"
-        OpenZitiServiceName: "edgex.ui"
-    CORSConfiguration:
-        EnableCORS: true
-        CORSAllowCredentials: false
-        CORSAllowedOrigin: "https://*.edgex.ziti"
-        CORSAllowedMethods: "GET, POST, PUT, PATCH, DELETE"
-        CORSAllowedHeaders: "Authorization, Accept, Accept-Language, Content-Language, Content-Type, X-Correlation-ID"
-        CORSExposeHeaders: "Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma, X-Correlation-ID"
-        CORSMaxAge: 3600
+
 Clients:
     core-data:
         Protocol: http
@@ -28,47 +20,41 @@ Clients:
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.core-data"
     core-metadata:
         Protocol: http
         Host: localhost
-        Port: 59881
+        Port: 80
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.core-metadata"
     core-command:
         Protocol: http
         Host: localhost
         Port: 59882
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.core-command"
     support-notifications:
         Protocol: http
         Host: localhost
         Port: 59860
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.support-notifications"
     support-scheduler:
         Protocol: http
         Host: localhost
         Port: 59861
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.support-scheduler"
     rules-engine:
         Protocol: http
         Host: localhost
         Port: 59720
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.rules-engine"
 Registry:
     Host: localhost
     Port: 8500

diff --git a/cmd/edgex-ui-server/res/docker/configuration.yaml b/cmd/edgex-ui-server/res/docker/configuration.yaml
@@ -11,7 +11,6 @@ Service:
     SecurityOptions:
         Mode: ""
         OpenZitiController: "openziti:1280"
-        OpenZitiServiceName: "edgex.core-command"
 Clients:
     core-data:
         Protocol: http
@@ -20,47 +19,41 @@ Clients:
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.core-data"
     core-metadata:
         Protocol: http
         Host: edgex-core-metadata
         Port: 59881
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.core-metadata"
     core-command:
         Protocol: http
         Host: edgex-core-command
         Port: 59882
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.core-command"
     support-notifications:
         Protocol: http
         Host: edgex-support-notifications
         Port: 59860
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.support-notifications"
     support-scheduler:
         Protocol: http
         Host: edgex-support-scheduler
         Port: 59861
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.support-scheduler"
     rules-engine:
         Protocol: http
         Host: edgex-kuiper
         Port: 59720
         SecurityOptions:
             Mode: ""
             OpenZitiController: "openziti:1280"
-            OpenZitiServiceName: "edgex.rules-engine"
 Registry:
     Host: edgex-core-consul
     Port: 8500

diff --git a/internal/application.go b/internal/application.go
@@ -51,10 +51,7 @@ type Client struct {
 	transport http.RoundTripper
 }
 
-var (
-	//clientName:clientHost
-	clientsMapping map[string]Client
-)
+var clientsMapping map[string]Client
 
 type Application struct {
 	config *config.ConfigurationStruct
@@ -64,7 +61,7 @@ func initClientsMapping(config *config.ConfigurationStruct, dic *di.Container) {
 	lc := bootstrapContainer.LoggingClientFrom(dic.Get)
 
 	clientsMapping = make(map[string]Client, 10)
-	zitiTransports := make(map[string]http.RoundTripper, 10)
+	var zitiRoundTripper http.RoundTripper
 
 	for clientName, clientInfo := range config.Clients {
 		addr := fmt.Sprintf("%s://%s:%d", clientInfo.Protocol, clientInfo.Host, clientInfo.Port)
@@ -76,24 +73,29 @@ func initClientsMapping(config *config.ConfigurationStruct, dic *di.Container) {
 		listenMode := strings.ToLower(clientInfo.SecurityOptions[bootstrapConfig.SecurityModeKey])
 		switch listenMode {
 		case zerotrust.ZeroTrustMode:
-			lc.Infof("zero trust client for: %s", clientName)
-			secretProvider := bootstrapContainer.SecretProviderExtFrom(dic.Get)
-			if secretProvider == nil {
-				panic("zero trust mode activated yet no secret provider?")
+			scheme := "http"
+			if origin, err := url.Parse(client.addr); err != nil {
+				panic(fmt.Errorf("could not parse url for %s: %s", clientName, addr))
+			} else {
+				scheme = origin.Scheme
 			}
 
-			ozToken, jwtErr := secretProvider.GetSelfJWT()
-			if jwtErr != nil {
-				panic(fmt.Errorf("could not load jwt: %v", jwtErr))
-			}
+			client.addr = scheme + "://" + clientName + ".edgex.ziti"
+			lc.Infof("overriding url and port for zero trust client %s from %s to %s", clientName, addr, client.addr)
 
-			if zitiRoundTripper, ok := zitiTransports[ozToken]; ok {
+			if zitiRoundTripper != nil {
 				//reuse the existing context
-				if zitiRoundTripper == nil {
-					panic("unexpected. transport should not be nil")
-				}
 				client.transport = zitiRoundTripper
 			} else {
+				secretProvider := bootstrapContainer.SecretProviderExtFrom(dic.Get)
+				if secretProvider == nil {
+					panic("zero trust mode activated yet no secret provider?")
+				}
+
+				ozToken, jwtErr := secretProvider.GetSelfJWT()
+				if jwtErr != nil {
+					panic(fmt.Errorf("could not load jwt: %v", jwtErr))
+				}
 				ozUrl := clientInfo.SecurityOptions["OpenZitiController"]
 				ctx, authErr := zerotrust.AuthToOpenZiti(ozUrl, ozToken)
 				if authErr != nil {
@@ -108,8 +110,8 @@ func initClientsMapping(config *config.ConfigurationStruct, dic *di.Container) {
 					dialer := zitiContexts.NewDialer()
 					return dialer.Dial(network, addr)
 				}
-				zitiTransports[ozToken] = zitiTransport
-				client.transport = zitiTransport
+				zitiRoundTripper = zitiTransport
+				client.transport = zitiRoundTripper
 			}
 
 		case "http":
@@ -169,7 +171,10 @@ func (app *Application) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 func (app *Application) secure(w http.ResponseWriter, r *http.Request, originalPath string, client Client) {
 	defer r.Body.Close()
-	origin, _ := url.Parse(client.addr)
+	origin, err := url.Parse(client.addr)
+	if err != nil {
+		panic(fmt.Errorf("could not parse url? %s", err))
+	}
 	director := func(req *http.Request) {
 		req.Header.Add(ForwardedHostReqHeader, req.Host)
 		req.Header.Add(OriginHostReqHeader, origin.Host)
@@ -183,7 +188,10 @@ func (app *Application) secure(w http.ResponseWriter, r *http.Request, originalP
 
 func insecure(w http.ResponseWriter, r *http.Request, originalPath string, client Client) {
 	defer r.Body.Close()
-	origin, _ := url.Parse(client.addr)
+	origin, err := url.Parse(client.addr)
+	if err != nil {
+		panic(fmt.Errorf("could not parse url? %s", err))
+	}
 	director := func(req *http.Request) {
 		req.Header.Add(ForwardedHostReqHeader, req.Host)
 		req.Header.Add(OriginHostReqHeader, origin.Host)