feat: Integrate Traefik API proxy with Aperture

integrations/traefik-config/dynamic-rule-config.yaml

@@ -0,0 +1,23 @@
+http:
+  routers:
+    Router0:
+      entryPoints:
+        - http
+      service: service-whoami
+      rule: Path(`/`)
+      middlewares:
+        - my-plugin
+
+
+  services:
+    service-whoami:
+      loadBalancer:
+        servers:
+        - url: http://localhost:8089/
+        passHostHeader: true
+
+  middlewares:
+    my-plugin:
+      plugin:
+        example:
+          ControlPoint: "awesomeFeature"

integrations/traefik-config/static-config.yaml

@@ -0,0 +1,24 @@
+# Static configuration
+
+api:
+  dashboard: true
+  insecure: true
+
+# log:
+#   level: DEBUG
+
+experimental:
+  localPlugins:
+    example:
+      moduleName: github.com/fluxninja/aperturetraefikplugin
+
+entryPoints:
+  http:
+    address: ":8000"
+    forwardedHeaders:
+      insecure: true
+
+
+providers:
+  file:
+    filename: dyanmic-rule-config.yaml

integrations/traefik-plugin/.traefik.yml

@@ -0,0 +1,11 @@
+displayName: Aperture traefik plugin
+type: middleware
+
+import: github.com/fluxninja/aperturetraefikplugin
+
+summary: 'Integrate Traefik API proxy with Aperture'
+
+testData:
+  ControlPoint: "awesomeFeature"
+  AgentHost: "localhost"
+  AgentPort: "8089"

integrations/traefik-plugin/go.mod

@@ -0,0 +1,33 @@
+module github.com/fluxninja/aperturetraefikplugin
+
+go 1.20
+
+replace github.com/fluxninja/aperture-go/v2 => /home/sachinmaurya/fluxninja/test/aperture/sdks/aperture-go/
+
+require (
+	github.com/fluxninja/aperture-go/v2 v2.0.0-00010101000000-000000000000
+	github.com/go-logr/stdr v1.2.2
+	google.golang.org/grpc v1.55.0
+)
+
+require (
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v0.10.0 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect
+	go.opentelemetry.io/otel v1.15.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.15.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.15.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.15.1 // indirect
+	go.opentelemetry.io/otel/sdk v1.15.1 // indirect
+	go.opentelemetry.io/otel/trace v1.15.1 // indirect
+	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
+	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
+)

integrations/traefik-plugin/traefik.go

@@ -0,0 +1,150 @@
+package aperturetraefikplugin
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	flowcontrolhttp "github.com/fluxninja/aperture-go/v2/gen/proto/flowcontrol/checkhttp/v1"
+	"github.com/go-logr/stdr"
+
+	aperture "github.com/fluxninja/aperture-go/v2/sdk"
+	aperturemiddlewares "github.com/fluxninja/aperture-go/v2/sdk/middlewares"
+)
+
+type Config struct {
+	ControlPoint string
+	AgentHost    string
+	AgentPort    string
+}
+
+type TraefikPlugin struct {
+	next         http.Handler
+	ControlPoint string
+	AgentHost    string
+	AgentPort    string
+}
+
+func CreateConfig() *Config {
+	return &Config{}
+}
+
+func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
+	return &TraefikPlugin{
+		next:         next,
+		ControlPoint: config.ControlPoint,
+		AgentHost:    config.AgentHost,
+		AgentPort:    config.AgentPort,
+	}, nil
+}
+
+func (a TraefikPlugin) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+
+	ctx := context.Background()
+
+	apertureAgentGRPCClient, err := grpcClient(ctx, net.JoinHostPort(a.AgentHost, a.AgentPort))
+	if err != nil {
+		log.Fatalf("failed to create flow control client: %v", err)
+	}
+
+	// Initialize the logger
+	logger := stdr.New(log.Default()).WithName("aperture-traefik-plugin")
+
+	opts := aperture.Options{
+		ApertureAgentGRPCClientConn: apertureAgentGRPCClient,
+		CheckTimeout:                200 * time.Millisecond,
+		Logger:                      &logger,
+	}
+
+	//initialize Aperture Client with the provided options.
+	apertureClient, err := aperture.NewClient(ctx, opts)
+	if err != nil {
+		log.Fatalf("failed to create client: %v", err)
+	}
+
+	labels := aperture.LabelsFromCtx(r.Context())
+
+	for key, value := range r.Header {
+		if strings.HasPrefix(key, ":") {
+			continue
+		}
+		labels[key] = strings.Join(value, ",")
+	}
+
+	protocol := flowcontrolhttp.SocketAddress_TCP
+
+	sourceHost, sourcePort := aperturemiddlewares.SplitAddress(apertureClient.GetLogger(), r.RemoteAddr)
+
+	destinationPort := uint32(0)
+	destinationHost := aperturemiddlewares.GetLocalIP(apertureClient.GetLogger())
+
+	bodyBytes, err := aperturemiddlewares.ReadClonedBody(r)
+	if err != nil {
+		apertureClient.GetLogger().V(2).Info("Error reading body", "error", err)
+	}
+
+	req := &flowcontrolhttp.CheckHTTPRequest{
+		Source: &flowcontrolhttp.SocketAddress{
+			Protocol: protocol,
+			Address:  sourceHost,
+			Port:     sourcePort,
+		},
+		Destination: &flowcontrolhttp.SocketAddress{
+			Protocol: protocol,
+			Address:  destinationHost,
+			Port:     destinationPort,
+		},
+		ControlPoint: a.ControlPoint,
+		Request: &flowcontrolhttp.CheckHTTPRequest_HttpRequest{
+			Method:   r.Method,
+			Path:     r.URL.Path,
+			Host:     r.Host,
+			Headers:  labels,
+			Scheme:   r.URL.Scheme,
+			Size:     r.ContentLength,
+			Protocol: r.Proto,
+			Body:     string(bodyBytes),
+		},
+	}
+
+	flow, err := apertureClient.StartHTTPFlow(r.Context(), req)
+	if err != nil {
+		apertureClient.GetLogger().Info("Aperture flow control got error. Returned flow defaults to Allowed.", "flow.Accepted()", flow.Accepted())
+	}
+
+	if flow.Accepted() {
+		a.next.ServeHTTP(rw, r)
+		// Need to call End() on the Flow in order to provide telemetry to Aperture Agent for completing the control loop.
+		// The first argument captures whether the feature captured by the Flow was successful or resulted in an error.
+		// The second argument is error message for further diagnosis.
+		err := flow.End(aperture.OK)
+		if err != nil {
+			apertureClient.GetLogger().Info("Aperture flow control end got error.", "error", err)
+		}
+	} else {
+		resp := flow.CheckResponse().GetDeniedResponse()
+
+		if resp == nil {
+			rw.WriteHeader(http.StatusServiceUnavailable)
+		} else {
+			rw.WriteHeader(int(resp.GetStatus()))
+			for key, value := range resp.GetHeaders() {
+				rw.Header().Set(key, value)
+			}
+
+			_, err := fmt.Fprint(rw, resp.GetBody())
+			if err != nil {
+				apertureClient.GetLogger().Info("Aperture flow control respond body got an error.", "error", err)
+			}
+		}
+
+		err = flow.End(aperture.OK)
+		if err != nil {
+			apertureClient.GetLogger().Info("Aperture flow control end got error.", "error", err)
+		}
+	}
+}

integrations/traefik-plugin/utils.go

@@ -0,0 +1,23 @@
+package aperturetraefikplugin
+
+import (
+	"context"
+	"time"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func grpcClient(ctx context.Context, address string) (*grpc.ClientConn, error) {
+	// creating a gRPC client connection is essential to allow the Aperture client to communicate with the Flow Control Service.
+	var grpcDialOptions []grpc.DialOption
+	grpcDialOptions = append(grpcDialOptions, grpc.WithConnectParams(grpc.ConnectParams{
+		Backoff:           backoff.DefaultConfig,
+		MinConnectTimeout: time.Second * 10,
+	}))
+	grpcDialOptions = append(grpcDialOptions, grpc.WithUserAgent("aperture-traefik-plugin"))
+	grpcDialOptions = append(grpcDialOptions, grpc.WithTransportCredentials(insecure.NewCredentials()))
+
+	return grpc.DialContext(ctx, address, grpcDialOptions...)
+}