
Design: Egress

Author: Stuart Douglas

Description (what)

Egress allows users to specify remote endpoints they need access to. FTL will provision appropriate policies to allow this access.

Goals

  • Allow the end user to specify egress in a way that is noted in schema metadata
  • Allow the egress endpoint to be configured differently in different environments
  • Allow the end user to inject the egress URI into their verbs

Non-Goals (optional)

  • The initial implementation will have the provisioning step be a no-op

Design (how)

Egress will be specified as an annotation on the verb methods. For JVM languages this will be represented as parameter annotations:

@Verb
public void foo(@Egress("${target}") URI uri, @Egress("https://github.com") String github) {

}

For Go this will be represented in a comment declaration that specifies the parameter names:

//ftl:verb
//ftl:egress target=${target} github=https://github.com
func Foo(ctx context.Context, github string, target *url.URL) {

}

In the schema this will be represented as metadata on the verb decl:

verb foo(Unit) Unit
  +egress https://github.com
  +egress ${target}

An egress element will be added to the verb runtime metadata that will contain the expanded URI.

Variables are interpolated from config, so for the above deployment to succeed the 'target' config value must be set for the module. The runtime interpolated value must expand to a valid URI, including the protocol, as this information may be required by the provisioner to correctly provision resources. If the protocol is non-standard, or if the user wants to ensure that no layer 7 proxying is involved, a tcp://host:port URI can be used to specify that egress takes the form of a plain TCP connection.

Egress does not specify any particular protocol; however, the provisioner may provision resources differently based on the protocol in the URI.
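
The interpolation and validation rule above, sketched as an added example (not FTL's implementation): expand the placeholders from module config, fail when a value is unset, and reject any result that is not a URI with a protocol and host, since the expanded value is what an egress policy would be provisioned from. ResolveEgress, varPattern, the placeholder grammar and the sample config are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// varPattern matches ${name} placeholders (assumed grammar, based on the ${target} example).
var varPattern = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// ResolveEgress is a hypothetical helper: it expands ${name} placeholders from
// module config and rejects results that are not URIs with a protocol and host.
func ResolveEgress(template string, config map[string]string) (*url.URL, error) {
	var missing []string
	expanded := varPattern.ReplaceAllStringFunc(template, func(m string) string {
		name := varPattern.FindStringSubmatch(m)[1]
		v, ok := config[name]
		if !ok {
			missing = append(missing, name)
		}
		return v
	})
	if len(missing) > 0 {
		return nil, fmt.Errorf("egress %q: config not set: %v", template, missing)
	}
	u, err := url.Parse(expanded)
	if err != nil {
		return nil, fmt.Errorf("egress %q: %w", template, err)
	}
	if u.Scheme == "" || u.Hostname() == "" {
		return nil, fmt.Errorf("egress %q expands to %q: protocol and host are required", template, expanded)
	}
	if u.Scheme == "tcp" && u.Port() == "" {
		return nil, fmt.Errorf("egress %q expands to %q: tcp egress needs host:port", template, expanded)
	}
	return u, nil
}

func main() {
	config := map[string]string{"target": "tcp://db.internal.example:5432"} // constructed sample
	for _, t := range []string{"https://github.com", "${target}", "${unset}", "github.com"} {
		if u, err := ResolveEgress(t, config); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("ok:", u)
		}
	}
}
```

Validating the value after expansion rather than the template matters because the config value, not the annotation, decides which endpoint is opened in each environment.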

Required changes (how)

  • Add a new egress metadata type to the schema
  • Add a no-op provisioning step to the dev provisioner
  • Add support for extracting/injecting the egress annotation to the language runtimes
  • The provisioner will be modified to be able to read config from the admin service. The provisioner deployment will be modified to include the admin service URI, and the egress provisioner will make calls to the admin service to resolve any config that is required for egress.