Add APISix gateway to MIT Learn #2996
Conversation
…ed secrets for the API url of mit-learn and the associated config to tell APISIX about it
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hello @blarghmatey, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
This pull request adds APISix gateway configuration and routing to proxy requests to the MIT Learn application running in Heroku. It introduces Kubernetes resources for managing TLS certificates, OIDC authentication, and routing. The changes also include Vault policies and configurations for managing secrets and authentication within the Kubernetes cluster. Finally, the pull request comments out some Route53 records, presumably because external-dns in the EKS cluster will handle them.
Highlights
- APISix Gateway Configuration: The pull request configures APISix as a gateway to proxy requests to the MIT Learn application. This includes setting up routes, upstreams, and plugin configurations for handling traffic.
- Kubernetes Resources: Kubernetes resources such as ApisixRoute, ApisixUpstream, ApisixPluginConfig, and Service are defined to manage the routing and external access to the MIT Learn application.
- Vault Integration: Vault policies and Kubernetes authentication roles are created to securely manage secrets and access within the Kubernetes cluster. This includes setting up OIDC authentication and managing TLS certificates.
- OIDC Authentication: The pull request configures OpenID Connect (OIDC) authentication for the MIT Learn application, allowing users to authenticate via a central identity provider.
- TLS Certificate Management: TLS certificates are managed using cert-manager to ensure secure HTTPS connections to the MIT Learn application.
Changelog
Click here to see the changelog
- src/ol_infrastructure/applications/mitlearn/main.py
- Imported pulumi_kubernetes module.
- Imported necessary modules from ol_infrastructure.lib.aws.eks_helper for Kubernetes setup.
- Imported Vault K8S related resources from ol_infrastructure.components.services.vault.
- Added stack references for network and EKS cluster.
- Defined Kubernetes namespace and labels for MIT Learn.
- Configured Vault policy and Kubernetes authentication backend role for MIT Learn.
- Created Kubernetes resources for APISix routing, TLS certificate management, and OIDC authentication.
- Commented out Route53 record creation, assuming external-dns will handle it.
- src/ol_infrastructure/applications/mitlearn/mitlearn_policy.hcl
- Created a Vault policy file to define access permissions for MIT Learn application secrets.
- src/ol_infrastructure/infrastructure/aws/eks/Pulumi.infrastructure.aws.eks.applications.QA.yaml
- Added learn.mit.edu and .learn.mit.edu to the list of domains.
- Added api.rc.learn.mit.edu to the list of apisix domains.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Did you know?
The name 'Kubernetes' originates from the Greek word κυβερνήτης, meaning 'helmsman' or 'pilot'. It's often shortened to 'K8s' because there are eight letters between the 'K' and the 's'.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
The pull request introduces APISix gateway configuration for the MIT Learn application, which is a significant step towards modernizing the infrastructure. The changes involve setting up Kubernetes resources, Vault integration, and routing configurations. Overall, the code seems well-structured, but there are a few areas that could benefit from clarification and improvement.
Summary of Findings
Merge Readiness
The pull request introduces significant infrastructure changes. Given the complexity and potential impact, I recommend a thorough review and testing in the RC environment as mentioned in the description. I am unable to approve this pull request, and recommend that others review and approve this code before merging. Ensure that all configurations are validated and that the application functions as expected with the new gateway setup. Pay close attention to the vault policies and access controls to ensure security.
There was a problem hiding this comment.
PR Overview
This PR adds configuration for APISix to route traffic to the MIT Learn application running on Heroku, updating the domain entries in the infrastructure configuration for QA.
- Added "learn.mit.edu" and ".learn.mit.edu" to the allowed domains
- Included a new API domain "api.rc.learn.mit.edu" in the APISix domain list
Reviewed Changes
| File | Description |
|---|---|
| src/ol_infrastructure/infrastructure/aws/eks/Pulumi.infrastructure.aws.eks.applications.QA.yaml | Added new domain entries to support routing for MIT Learn |
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
- Address type mismatches for priority - Fix circular reference in K8s Vault secret due to `depends_on` in resource options - Fix upstream proxying by setting the scheme and using the `Domain` type to eliminate the need for a service - Remove proxy-rewrite because apparantly APISix already passes along the right HOST header to the backend
What are the relevant tickets?
N/A
Description (What does it do?)
Adds APISix configuration and routing that will proxy to the MIT Learn application running in Heroku.
How can this be tested?
Deploy it to RC