You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

API Gateway: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>Hnowlan
(Bare bones info about the service.)
imported>Hnowlan
(Expanding documentation, adding more sections for improvement.)
Line 1: Line 1:
The API Gateway is a service that runs in [[Kubernetes]] based on [[Envoy]]. The service implements many features central to serving the unified API and the API portal.  
The API Gateway is a service that runs in [[Kubernetes]] based on [[Envoy]]. The service implements many features central to serving the unified API and the API portal.  
=Features=
 
==Rate limiting==
== What it does ==
The API Gateway serves pages for [https://api.wikimedia.org api.wikimedia.org]. It does this by rewriting requests for the unified API to URIs that are understood by the respective APIs on the application servers, and also by serving pages for the API Portal wiki in the same way other wikis would be served. The API Gateway also uses metadata from [[:en:JSON_Web_Token|JSON Web Tokens]] (JWTs) to apply rate limits to clients using the APIs.
 
==How it works ==
Envoy is more or less functioning as any other API router/reverse proxy does. The proxy answers requests for the configured domain, does some selective manipulation and then asks appservers via their LVS endpoint for page content. 
 
===Rate limiting===
The API Gateway applies rate limits to clients based upon the JWT provided (or not) by the client. During beta unauthenticated clients are currently limited to 500 requests an hour, and authenticated clients that pass a valid JWT are limited to 5000 requests. These values are entirely temporary and will be changed as the platform moves towards general release. Clients issue JWTs by requesting OAuth 2.0 clients on [https://meta.wikimedia.org Meta] and in future, on the [https://api.wikimedia.org/ API Portal].
The API Gateway applies rate limits to clients based upon the JWT provided (or not) by the client. During beta unauthenticated clients are currently limited to 500 requests an hour, and authenticated clients that pass a valid JWT are limited to 5000 requests. These values are entirely temporary and will be changed as the platform moves towards general release. Clients issue JWTs by requesting OAuth 2.0 clients on [https://meta.wikimedia.org Meta] and in future, on the [https://api.wikimedia.org/ API Portal].


==Routing==
===Routing===
The API Gateway maps API URIs passed to the Gateway's hostname (api.wikimedia.org) to the relevant APIs understood by the application servers. For example, https://api.wikimedia.org/core/v1/wikipedia/en/page/pizza is mapped to https://en.wikipedia.org/w/rest.php/v1/page/pizza by the Gateway's [[phab:source/operations-deployment-charts/browse/master/charts/api-gateway/values.yaml$83|configuration language]]. As of September 2020, it is required to use a relatively complex rewriting method using Lua and multiple definitions of URL patterns seen in the values.yaml file, but this will be fixed in Envoy 1.16.0.  
The API Gateway maps API URIs passed to the Gateway's hostname (api.wikimedia.org) to the relevant APIs understood by the application servers. For example, https://api.wikimedia.org/core/v1/wikipedia/en/page/pizza is mapped to https://en.wikipedia.org/w/rest.php/v1/page/pizza by the Gateway's [[phab:source/operations-deployment-charts/browse/master/charts/api-gateway/values.yaml$83|configuration language]]. As of September 2020, it is required to use a relatively complex rewriting method using Lua and multiple definitions of URL patterns seen in the values.yaml file, but this will be fixed in Envoy 1.16.0.  


==JWT==
=== JSON Web Tokens ===
=Configuration=
The API Gateway verifies the signatures of JWT Authorisation headers included alongside requests. If a JWT is valid, a different limit is applied. This limit can be configured via the Helm values file per environment (<code>Values.main_app.ratelimiter.default_limit.unit</code> for valid JWTs and <code>Values.main_app.ratelimiter.anon_limit.unit</code> for anonymous users). 
=Administration=
==Where it runs==
=Monitoring=
The API Gateway runs in [[Kubernetes]] in staging, eqiad and codfw. The instance in staging does not receive external traffic but can be accessed internally at https://api-gateway.svc.eqiad.wmnet:8087. Changes should be deployed to staging and tested via curl on this endpoint.
 
== How it's configured ==
The API Gateway uses the reserved port 8087 internally and is registered in [[Service ports]].
 
The core configuration for the API Gateway helm chart is documented in the [[phab:source/operations-deployment-charts/browse/master/charts/api-gateway/values.yaml|default values.yaml]] file. Note that there are configuration overrides for [[phab:source/operations-deployment-charts/browse/master/helmfile.d/services/api-gateway/values-production.yaml|production in general]], and also for [[phab:source/operations-deployment-charts/browse/master/helmfile.d/services/api-gateway/values-eqiad.yaml|eqiad]] and [[phab:source/operations-deployment-charts/browse/master/helmfile.d/services/api-gateway/values-codfw.yaml|codfw]] specifically (and [[phab:source/operations-deployment-charts/browse/master/helmfile.d/services/api-gateway/values-staging.yaml|staging]], which does not serve public requests).
 
== How to deploy changes ==
 
== How to test changes ==
 
== How to debug it ==
 
==How to monitor it==
There is a [https://grafana.wikimedia.org/d/UOH-5IDMz/api-gateway? Grafana dashboard available] that monitors many features of the API Gateway.
There is a [https://grafana.wikimedia.org/d/UOH-5IDMz/api-gateway? Grafana dashboard available] that monitors many features of the API Gateway.
== Known issues ==
* An issue has been seen where occasionally users will see <code>{"httpCode":503,"httpReason":"upstream connect error or disconnect/reset before headers. reset reason: connection termination"}</code> instead of being served the API portal. This issue could relate to connection reuse or TLS termination issues within Envoy itself, it's not clear. However, a fix limiting the amount and length of connection reuse when connecting to upstream hosts in Envoy has limited the impact. For more details see [[phab:T262490|T262490]].
== Related ==

Revision as of 13:25, 21 September 2020

The API Gateway is a service that runs in Kubernetes based on Envoy. The service implements many features central to serving the unified API and the API portal.

What it does

The API Gateway serves pages for api.wikimedia.org. It does this by rewriting requests for the unified API to URIs that are understood by the respective APIs on the application servers, and also by serving pages for the API Portal wiki in the same way other wikis would be served. The API Gateway also uses metadata from JSON Web Tokens (JWTs) to apply rate limits to clients using the APIs.

How it works

Envoy is more or less functioning as any other API router/reverse proxy does. The proxy answers requests for the configured domain, does some selective manipulation and then asks appservers via their LVS endpoint for page content.

Rate limiting

The API Gateway applies rate limits to clients based upon the JWT provided (or not) by the client. During beta unauthenticated clients are currently limited to 500 requests an hour, and authenticated clients that pass a valid JWT are limited to 5000 requests. These values are entirely temporary and will be changed as the platform moves towards general release. Clients issue JWTs by requesting OAuth 2.0 clients on Meta and in future, on the API Portal.

Routing

The API Gateway maps API URIs passed to the Gateway's hostname (api.wikimedia.org) to the relevant APIs understood by the application servers. For example, https://api.wikimedia.org/core/v1/wikipedia/en/page/pizza is mapped to https://en.wikipedia.org/w/rest.php/v1/page/pizza by the Gateway's configuration language. As of September 2020, it is required to use a relatively complex rewriting method using Lua and multiple definitions of URL patterns seen in the values.yaml file, but this will be fixed in Envoy 1.16.0.

JSON Web Tokens

The API Gateway verifies the signatures of JWT Authorisation headers included alongside requests. If a JWT is valid, a different limit is applied. This limit can be configured via the Helm values file per environment (Values.main_app.ratelimiter.default_limit.unit for valid JWTs and Values.main_app.ratelimiter.anon_limit.unit for anonymous users).

Where it runs

The API Gateway runs in Kubernetes in staging, eqiad and codfw. The instance in staging does not receive external traffic but can be accessed internally at https://api-gateway.svc.eqiad.wmnet:8087. Changes should be deployed to staging and tested via curl on this endpoint.

How it's configured

The API Gateway uses the reserved port 8087 internally and is registered in Service ports.

The core configuration for the API Gateway helm chart is documented in the default values.yaml file. Note that there are configuration overrides for production in general, and also for eqiad and codfw specifically (and staging, which does not serve public requests).

How to deploy changes

How to test changes

How to debug it

How to monitor it

There is a Grafana dashboard available that monitors many features of the API Gateway.

Known issues

  • An issue has been seen where occasionally users will see {"httpCode":503,"httpReason":"upstream connect error or disconnect/reset before headers. reset reason: connection termination"} instead of being served the API portal. This issue could relate to connection reuse or TLS termination issues within Envoy itself, it's not clear. However, a fix limiting the amount and length of connection reuse when connecting to upstream hosts in Envoy has limited the impact. For more details see T262490.

Related