[Proposal] Use Go Modules for Policy Distribution Instead of Policy Hub Hosting

[renuka-fernando]

Summary

This proposal replaces Policy Hub's policy hosting and distribution function with standard Go module distribution. Instead of downloading policy zip files from Policy Hub, policies will be fetched using go get from public Git repositories (e.g., github.com/wso2/gateway-controllers). This eliminates the need to host policy artifacts on Policy Hub while leveraging Go's built-in dependency management, versioning, and integrity verification.

Note: Policy Hub continues to exist as a web application for policy discovery and display. This proposal only removes its role as a policy artifact hosting service.

Motivation

Problem Statement

The current policy distribution system requires:

1. Policy hosting on Policy Hub: Policy Hub stores policy zip files, handles version resolution, and provides download URLs
2. Custom caching: The CLI implements its own cache at ~/.wso2ap/cache/policies/ with custom index files
3. Custom checksum verification: Manual SHA256 verification for downloaded zip files
4. Version resolution dependency: CLI depends on Policy Hub API for version resolution
5. Complex build flow: CLI downloads zips → extracts to workspace → mounts to gateway-builder → builder reads from filesystem

This adds complexity that can be eliminated by using Go's native module system for policy distribution.

Who Benefits

• Platform Team: Eliminates need to host and serve policy artifacts on Policy Hub
• Policy Developers: Can publish policies to any Go module repository (GitHub, GitLab, etc.)
• API Developers: Simpler manifest format, familiar Go module versioning semantics
• DevOps Engineers: Standard Go tooling for dependency management, no custom caching

Why Now

• Policy hosting on Policy Hub adds complexity to the distribution architecture
• Go modules are mature and widely adopted for dependency management
• Policies are already written in Go, making Go modules a natural fit
• Simplifies the build architecture before wider adoption

Detailed Design

Overview

The revamp moves policy resolution and download from the CLI to the gateway-builder. The CLI becomes a thin wrapper that runs Docker commands. The gateway-builder uses go get to fetch policies as Go modules, reads policy-definition.yaml from the Go module cache, generates the necessary code, and compiles the policy engine. Local policies are supported via Go module replace directives.

Architecture Comparison

Current Architecture:

flowchart TB
    M1[policy-manifest.yaml] --> CLI1[CLI]
    CLI1 -->|POST /policies/resolve| PH[Policy Hub API]
    PH -->|resolved versions + URLs| CLI1
    CLI1 -->|download zips| DL[Download & Cache]
    DL --> EX[Extract to Workspace]
    EX --> GB1[Gateway Builder]
    GB1 -->|read from filesystem| PD1[policy-definition.yaml]
    GB1 -->|manual update| GM1[go.mod with replace]
    GB1 --> REG1[Generate registry.go]
    GB1 --> COMP1[Compile]

Loading

Proposed Architecture:

flowchart TB
    M2[policy-manifest.yaml] --> CLI2[CLI]
    CLI2 -->|docker run| GB2[Gateway Builder]
    GB2 -->|go get| GOC[Go Module Cache]
    GB2 -->|go list -m| VER[Get Resolved Version]
    GB2 -->|read from cache| PD2[policy-definition.yaml]
    GB2 --> REG2[Generate registry.go]
    GB2 --> LOCK[Generate lock file]
    GB2 --> COMP2[Compile]

Loading

Build Process Flow

sequenceDiagram
    participant User
    participant CLI
    participant Docker
    participant Builder as Gateway Builder
    participant Go as Go Toolchain
    participant Cache as Module Cache

    User->>CLI: ap gateway build --image-tag v1.0.0
    CLI->>CLI: Validate manifest exists
    CLI->>Docker: docker run gateway-builder

    Docker->>Builder: Start container
    Builder->>Builder: Parse policy-manifest.yaml

    loop For each policy
        alt Has filePath (local)
            Builder->>Builder: Add replace directive to go.mod
        end
        Builder->>Go: go get <gomodule>@<version>
        Go->>Cache: Download module
        Cache-->>Go: Module cached
    end

    Builder->>Go: go mod tidy

    loop For each policy
        Builder->>Go: go list -m -json <module>
        Go-->>Builder: {Version, Dir, ...}
        Builder->>Cache: Read policy-definition.yaml
        Cache-->>Builder: Policy metadata
    end

    Builder->>Builder: Generate policy-manifest-lock.yaml
    Builder->>Builder: Generate registry.go
    Builder->>Builder: Generate build_info.go
    Builder->>Go: go build
    Go-->>Builder: policy-engine binary
    Builder->>Builder: Generate Dockerfiles
    Builder-->>Docker: Exit with artifacts

    Docker-->>CLI: Build complete
    CLI->>Docker: docker build (policy-engine)
    CLI->>Docker: docker build (gateway-controller)
    CLI->>Docker: docker build (router)

    opt --push flag
        CLI->>Docker: docker push (all images)
    end

    CLI-->>User: Build complete, images ready

Loading

Policy Engine Docker Image Contents

The final policy-engine Docker image includes the following artifacts for traceability and reproducibility:

File	Location in Image	Purpose
policy-engine	/app/policy-engine	Compiled binary
go.mod	/app/go.mod	Module dependency list
go.sum	/app/go.sum	Dependency checksums for verification
policy-manifest-lock.yaml	/app/policy-manifest-lock.yaml	Resolved policy versions

This allows:

• Auditing which exact versions were included in a build
• Reproducing builds with identical dependencies
• Debugging dependency-related issues in production

Changes Required

Component	File/Area	Change Description
gateway-builder	internal/discovery/manifest.go	Parse new manifest format with gomodule field
gateway-builder	internal/discovery/gomodule.go	New file: execute go get, go list commands
gateway-builder	internal/discovery/cache.go	New file: resolve module cache paths
gateway-builder	internal/policyengine/gomod.go	Only add replace directives for local policies
gateway-builder	internal/policyengine/registry.go	Use actual module paths for imports
gateway-builder	internal/lockfile/generator.go	New file: generate lock file with resolved versions
gateway-builder	pkg/types/manifest.go	Update manifest types for new format
cli	cmd/gateway/build.go	Remove PolicyHub distribution calls, simplify to docker commands
cli	cmd/gateway/image/build.go	Simplify build steps
cli	internal/policyhub/	Remove policy download/resolve package
cli	internal/policy/hub.go	Remove PolicyHub distribution integration
cli	utils/policy_cache.go	Remove custom cache logic

API Changes

N/A - No REST API changes. This affects the build tooling only.

Configuration Changes

policy-manifest.yaml format change:

# New format
version: v1
policies:
  - name: respond
    gomodule: github.com/wso2/gateway-controllers/policies/respond@v0.1.0
  - name: rate-limit
    gomodule: github.com/wso2/gateway-controllers/policies/rate-limit@v1.2.3
  - name: custom-policy
    gomodule: github.com/myorg/custom-policy@v0.1.0
    filePath: ./my-custom-policy  # Local override

policy-manifest-lock.yaml format (generated):

version: v1
policies:
  - name: respond
    version: v0.1.2  # Actually resolved version
    gomodule: github.com/wso2/gateway-controllers/policies/respond@v0.1.0
  - name: rate-limit
    version: v1.2.3
    gomodule: github.com/wso2/gateway-controllers/policies/rate-limit@v1.2.3
  - name: custom-policy
    version: v0.1.0
    gomodule: github.com/myorg/custom-policy@v0.1.0
    filePath: ./my-custom-policy

Examples

Before (current format):

version: v1
policies:
  - name: respond
    version: v0.1.0
  - name: rate-limit
    version: v1.2.3
    versionResolution: latest

After (proposed format):

version: v1
policies:
  - name: respond
    gomodule: github.com/wso2/gateway-controllers/policies/respond@v0.1.0
  - name: rate-limit
    gomodule: github.com/wso2/gateway-controllers/policies/rate-limit@latest

Local policy example:

version: v1
policies:
  - name: respond
    gomodule: github.com/wso2/gateway-controllers/policies/respond@v0.1.0
  - name: my-custom-auth
    gomodule: github.com/mycompany/my-custom-auth@v1.0.0
    filePath: ./policies/my-custom-auth

Version specifier examples:

policies:
  # Exact version
  - name: policy-a
    gomodule: github.com/wso2/policies/a@v1.2.3

  # Latest version
  - name: policy-b
    gomodule: github.com/wso2/policies/b@latest

  # Latest v1.x.x
  - name: policy-c
    gomodule: github.com/wso2/policies/c@v1

  # Specific branch
  - name: policy-d
    gomodule: github.com/wso2/policies/d@main

  # Specific commit
  - name: policy-e
    gomodule: github.com/wso2/policies/e@abc1234

Drawbacks

• Breaking change: Existing policy-manifest.yaml files must be updated to new format
• Go module hosting: Policies must be hosted in Go module compatible repositories
• Private repos complexity: Private policy repos require GOPRIVATE environment variable, or alternatively clone the repo locally and use filePath

Compatibility

Question	Answer	Details
Backwards compatible?	No	Manifest format changes completely
Requires migration?	Yes	Existing manifests must be updated to new format
Breaking changes?	Yes	Old name/version format no longer supported

Migration Steps

1. Update policy-manifest.yaml to new format:
   • Add gomodule field with full module path and version
   • Keep name field for identification
   • Add filePath for any local policies
2. Remove policy-manifest-lock.yaml (will be regenerated)
3. Clear old cache: rm -rf ~/.wso2ap/cache/policies/
4. Update CLI to latest version
5. Run ap gateway build - new lock file will be generated

Example migration:

# Before
version: v1
policies:
  - name: basic-auth
    version: v1.0.0
  - name: rate-limit
    version: v2.0.0

# After
version: v1
policies:
  - name: basic-auth
    gomodule: github.com/wso2/gateway-controllers/policies/basic-auth@v1.0.0
  - name: rate-limit
    gomodule: github.com/wso2/gateway-controllers/policies/rate-limit@v2.0.0

References

• GitHub Discussion #516: Building Gateway Image with Policies - Original Policy Hub design
• Go Modules Reference - Official Go modules documentation
• go get command - go get documentation
• go list command - go list documentation

[renuka-fernando]

Implementation Plan

Gateway-Builder Implementation

Gateway-Builder Tasks

Phase 1: Types & Parsing

Task	File	Description
GB-1.1	pkg/types/manifest.go	Add GoModule and FilePath fields to ManifestEntry
GB-1.2	internal/discovery/manifest.go	Update LoadManifest() to parse gomodule field
GB-1.3	internal/discovery/manifest.go	Add validation: require gomodule for all policies

Phase 2: Go Module Integration

Task	File	Description
GB-2.1	internal/discovery/gomodule.go	Create GoModuleExecutor struct
GB-2.2	internal/discovery/gomodule.go	Implement GetModule(gomodule string) error - runs go get
GB-2.3	internal/discovery/gomodule.go	Implement GetModuleInfo(module string) (*ModuleInfo, error) - runs go list -m -json
GB-2.4	internal/discovery/gomodule.go	Implement GetModuleDir(module string) (string, error) - runs go list -m -f '{{.Dir}}'
GB-2.5	internal/discovery/gomodule.go	Parse gomodule string to extract module path and version
GB-2.6	internal/discovery/cache.go	Implement ReadPolicyDefinition(moduleDir string) (*PolicyDefinition, error)

Phase 3: Code Generation Updates

Task	File	Description
GB-3.1	internal/policyengine/gomod.go	Modify to only add replace directives when FilePath is present
GB-3.2	internal/policyengine/gomod.go	Remove logic that generates fake import paths
GB-3.3	internal/policyengine/registry.go	Update generateImportPath() to use actual module path
GB-3.4	internal/policyengine/registry.go	Update import alias generation for arbitrary module paths
GB-3.5	internal/lockfile/generator.go	Create new file for lock file generation
GB-3.6	internal/lockfile/generator.go	Implement GenerateLockFile(policies, resolvedVersions)

Phase 4: Build Flow Integration

Task	File	Description
GB-4.1	cmd/builder/main.go	Update discovery phase to use new GoModuleExecutor
GB-4.2	cmd/builder/main.go	Add lock file generation after discovery
GB-4.3	cmd/builder/main.go	Update phase ordering: parse → go get → go list → discover → generate
GB-4.4	internal/discovery/discovery.go	Refactor DiscoverPolicies() to read from module cache

Phase 5: Error Handling

Task	File	Description
GB-5.1	internal/discovery/gomodule.go	User-friendly error for module not found
GB-5.2	internal/discovery/gomodule.go	User-friendly error for version not found
GB-5.3	internal/discovery/gomodule.go	User-friendly error for network failures
GB-5.4	internal/discovery/cache.go	Fail build with clear error when policy-definition.yaml missing from module

---

CLI Implementation

CLI Tasks

Phase 1: Remove PolicyHub Distribution Integration

Task	File	Description
CLI-1.1	cmd/gateway/build.go	Remove stepResolvePolicies() - no PolicyHub resolve call
CLI-1.2	cmd/gateway/build.go	Remove stepDownloadPolicies() - no zip download from PolicyHub
CLI-1.3	cmd/gateway/image/build.go	Remove steps 5 (Resolve Hub Policies)
CLI-1.4	cmd/gateway/image/build.go	Remove steps 4 (Process Local Policies)
CLI-1.5	internal/policy/hub.go	Remove PolicyHub download/resolve integration

Phase 2: Simplify Build Flow

Task	File	Description
CLI-2.1	cmd/gateway/build.go	New flow: validate manifest → run gateway-builder → build images
CLI-2.2	cmd/gateway/image/build.go	Simplify to 4 steps: validate → run builder → build images → (push)
CLI-2.3	internal/gateway/docker_build.go	Update RunGatewayBuilder() to pass manifest directly
CLI-2.4	internal/gateway/docker_build.go	Pass GOPRIVATE environment variable to gateway-builder container
CLI-2.5	internal/gateway/docker_build.go	Remove workspace policy extraction logic
CLI-2.6	cmd/gateway/build.go	Keep --push flag functionality

Phase 3: Update Manifest Handling

Task	File	Description
CLI-3.1	internal/policy/manifest.go	Update ManifestPolicy struct with GoModule field
CLI-3.2	internal/policy/manifest.go	Update validation to require gomodule field
CLI-3.3	internal/policy/types.go	Remove versionResolution field (Go handles this)
CLI-3.4	internal/policy/local.go	Update local policy handling for new format

Phase 4: Cleanup Unused Code

Task	File	Description
CLI-4.1	internal/policyhub/	Delete policy distribution package
CLI-4.2	internal/policy/hub.go	Delete PolicyHub distribution integration
CLI-4.3	internal/policy/offline.go	Delete file (no offline mode)
CLI-4.4	utils/policy_cache.go	Delete file
CLI-4.5	utils/policy_utils.go	Remove policy distribution utilities

Phase 5: Update Tests

Task	File	Description
CLI-5.1	cmd/gateway/build_test.go	Update tests for new simplified flow
CLI-5.2	internal/policy/manifest_test.go	Update tests for new manifest format
CLI-5.3	Remove PolicyHub mock tests	Delete obsolete test files

---

Definition of Done

• Gateway-builder parses new manifest format with gomodule field
• Gateway-builder uses go get to fetch policies
• Gateway-builder uses go list to get resolved versions and module paths
• Gateway-builder reads policy-definition.yaml from Go module cache
• Gateway-builder fails build with clear error if policy-definition.yaml is missing from a module
• Gateway-builder generates policy-manifest-lock.yaml with resolved versions
• Gateway-builder only adds replace directives for local policies (with filePath)
• Gateway-builder generates registry.go with actual module import paths
• CLI removes PolicyHub distribution integration code (download, resolve APIs)
• CLI simplifies to: validate → run gateway-builder → build images → (push)
• CLI passes GOPRIVATE environment variable to gateway-builder container
• Policy-engine Docker image includes go.mod, go.sum, and policy-manifest-lock.yaml
• All version specifiers work: @v1.2.3, @latest, @v1, @main, @commit
• Local policies with filePath work correctly
• Error messages are user-friendly for common failures
• Unit tests updated for new implementation
• Integration tests pass end-to-end
• Documentation updated with new manifest format

[piyumaldk]

Issue to track the final implementation: #763

[renuka-fernando]

This is completed.