...
4.3 Sandboxing and API Gateway Support
At runtime, interaction between ONAP platform services and application microservices are relatively unconstrained, so interactions between Control Loop Elements for a given Control Loop Instance remain relatively unconstrained. A proposal to support access-controlled access to and between ONAP services will improve this. This can be complemented by intercepting and controlling services accesses between Control Loop Elements for Control Loop Instances for some/all Control Loop types.
API gateways such as Kong have emerged as a useful technology for sandboxing exposing and controlling service endpoint access for applications and services. For Control Loop instances, it makes sense to provide pass-through support for API gateway configuration.and services. When a Control Loop Type is onboarded, or when Control Loop Instances are created, CLAMP can configure service endpoints between Control Loop Elements to redirect through an API Gateway.
The diagram below shows the approach for configuring API Gateway access at Control Loop Instance and Control Loop Element level.
...
At design time, the Control Loop type definition specifies the type of API gateway configuration that should be supported at Control Loop and Control Loop Element levels.
At runtime, the CLAMP GUI is used to set the configuration for the API gateway at Control Loop Instance level (for all Control Loop Elements in an Control Loop Instance) can configure the API gateway to enable (or deny) interactions between Control Loop Instances and individually for each Control Loop Element.
Once the Control Loop instance is instantiated on participants, the participants configure the API gateway with the Control Loop Instance level configuration and with the specific configuration for their Control Loop Element. Therefore, a Control Loop Element will only have access to the APIs that are available over the configured API gateway.
...