THE CLOUD
CONNECTIVITY COMPANY
Kong Gateway Operations
Kong Gateway Installation
THE CLOUD CONNECTIVITY COMPANY
Kong Confidential 1
Course Agenda
1. Kong Gateway Installation
2. Upgrading Kong Gateway
3. Securing Kong
4. Securing Services on Kong
5. OIDC Plugin
6. Advanced Plugins Review
7. Troubleshooting
8. Monitoring / Observability
9. Administering Kong Gateway using Deck
Learning Objectives
1. Understand Kong Gateway deployment alternatives
2. List deployment sizing and scaling considerations
3. Install Kong Gateway
4. Be able to run sample post-installation smoke tests
Installation Overview
Component Parts - What needs to be Installed?
There are a number of key components to the Kong Gateway infrastructure:
● Kong Gateway - Brokers API requests across all upstream services
● Kong Manager - Browser-based UI for monitoring and managing Kong Gateway
● Kong Developer Portal - Build a service catalog to simplify discovery & re-use of APIs
These are logical components and part of the same binary.
Additionally, in most installations a database is also required:
● Database - Stores configured entities such as Routes, Services, and Plugins (can be Postgres or Cassandra)
Deployment Considerations
Listed below are factors to consider before installing the Kong Gateway:
● Resource Sizing Guidelines
● Default Ports
● DNS Considerations
● Network & Firewall
● Security and Certificates
● Licensing
Kong Gateway: Installation Options
Kong Gateway can be installed on many types of systems:
Install Packages (BM/VM)
➔ Alpine
➔ Debian
➔ Ubuntu
➔ RedHat
➔ Amazon Linux 2
➔ MacOS
Container Images
➔ Debian (prod)
➔ RHEL (prod)
➔ Alpine (dev/tst)
Kubernetes
➔ YAML Manifests
➔ Helm Charts
➔ OpenShift
Kong Gateway: Deployment Topologies
Kong Gateway can be deployed to support four different topologies:
Konnect - a hybrid Kong Gateway deployment in which Kong hosts the control plane (Cloud) and the customer hosts the data planes (Cloud or On-prem).
Hybrid - a hybrid Kong Gateway deployment with separate control plane and data plane implementations, both controlled and managed by the organization.
Traditional (or Classic) - the deployed Kong Gateway requires a database to store configured entities.
DB-less - the deployed Kong Gateway keeps the configured entities in memory on the node and maintains them through a declarative configuration approach.
Traditional Deployment
● A Kong Gateway node is backed by a database
● Supports single or multi-node Kong Gateway clusters
● All plugins have access to the database
● Custom plugins can access the database to read and write entities
DB-less Deployment
● Kong Gateway runs without a central database
○ Configuration is specified in a declarative configuration file (YAML or JSON)
● Plugin limitations
○ Plugins requiring a central database for coordination are not compatible with
DB-less deployments
● Compatibility
○ Some plugins are partially compatible using static credentials specified in the
declarative config file
Hybrid Deployment
● Kong Gateway nodes are split into Control Plane (CP) and Data Plane (DP) roles
○ Only the CP has access to the database
○ Custom plugins should be installed on both CP and DP, running the same version
● Plugin limitations
○ DPs cannot access the Admin API, hence plugins that use the Admin API have limitations in hybrid mode
[Diagram: Kong Gateway deployment with default ports]
● Kong Control plane, behind an ALB on 443 (HTTPS):
○ Admin API: 8001 (HTTP) / 8444 (HTTPS)
○ Kong Manager: 8002 (HTTP) / 8445 (HTTPS)
○ Dev Portal: 8003 (HTTP) / 8446 (HTTPS)
○ Admin Dev Portal API: 8004 (HTTP) / 8447 (HTTPS)
● Control plane to data plane cluster links: 8005 (mTLS, WSS) and 8006 (mTLS, WSS)
● Kong dataplane, behind an NLB on 443 (HTTPS), serving API Consumers: 8000 (HTTP) / 8443 (HTTPS)
● Database: 5432, Master DB with a Replica DB kept in sync by Replication
● Redis: 6379 (Default TCP)
Konnect Deployment
● Kong Gateway nodes are split into a SaaS-managed Control Plane (CP) and customer-managed Data Plane (DP) roles
○ The CP has access to the database and is managed by Kong through our Konnect SaaS cloud offering
○ DPs are deployed by customers either on-premise or in a cloud provider
● Plugin limitations
○ Konnect supports a separate set of the core plugins
○ DPs cannot access the full Konnect APIs; this means plugins that use capabilities not exposed by the Konnect APIs have limitations in a Konnect deployment
Deployment Considerations
There are a number of factors to consider before installing the Kong Gateway, relating to:
● Resource Sizing Guidelines
○ Bandwidth
○ Performance - Latency & Throughput
○ CPU & RAM
○ Database Resources
○ Scaling Dimensions
○ Memory Cache size
● Default Ports
○ Proxy Ports (HTTP/HTTPS)
○ Admin API (HTTP/HTTPS)
○ Kong Manager (GUI) (HTTP/HTTPS)
○ Dev Portal (HTTP/HTTPS)
● DNS Considerations
○ Kong Manager & Admin API hostnames
○ Portal API and Dev Portal hostnames
○ Cross-Origin Resource Sharing (CORS) implications in the context of Kong
○ Cookie management
● Network & Firewall
○ Firewall settings
○ Transparent proxying
○ Proxying TCP/TLS streams
○ Opening ports to clients
● Security and Certificates
○ Securing the Admin API
○ Kong API Loopback
○ Data Encryption/Decryption
○ RSA Key Pair Management
○ Certificate Management
○ Secrets Management (HashiCorp Vault Integration)
○ Kong Configuration (enforce_rbac)
● Licensing
○ Deploying the license file
○ License expiration
Please refer to Kong documentation for detailed deployment guidelines
Installation Lab
Lab: Installing Kong Gateway
The purpose of this lab is to give you practical experience of installing the Kong Gateway
Kong can be installed on many platforms, and each has its own set of requirements. For the purposes of this course we will install it as containers using Docker Compose.
The steps we will go through are as follows:
1. View Docker Compose and SSL Configuration
2. Start the Kong containers
3. Verify Installation
4. Upload a license
5. Save/Load a configuration
6. Configure Developer Portal
Lab Progress: Installing Kong Gateway
1. View Docker Compose and SSL Configuration
2. Start the Kong containers
3. Verify Installation
4. Upload a license
5. Save/Load a configuration
SSL Certificates
For maximum security you should create separate SSL certificates for each component.
For our training lab, however, we will use two certificates:
1. A 'wildcard' certificate for the Admin API, Kong Manager GUI, Dev Portal GUI, and Dev Portal API
2. A 'hybrid' certificate for intra-cluster communications
The docker-compose file expects to find the SSL certificate/key pairs in the /srv/shared/ssl-certs directory.
We will pull these certificate/key pairs from a GitHub repo.
Lab: Kong Gateway Installation
To set up your lab environment for this lesson, run the 'setup' command, then select option '1'
$ setup
1) Kong Gateway Installation
2) Upgrading Kong Gateway
3) Securing Kong Gateway
4) Securing Services on Kong
5) OIDC Plugin
6) Kong Vitals
7) Advanced Plugins Review
8) Troubleshooting
9) Reset Virtual Machine
10) Quit
Please select the lesson you wish to set up: 1
Setting up for lesson '1 Kong Gateway Installation'
...
Task: Peruse Kong Gateway Configuration
Take a few minutes to read through the docker-compose.yaml file
$ yq docker-compose.yaml
You can see this compose file will deploy a number of containers including:
● Kong Data Plane - kong-dp
● Kong Control Plane - kong-cp
● Database - db
● An email SMTP server - smtp-server
The 'smtp-server' container is used by the Dev Portal to send emails to Kong admins and developers.
These services are bound to the network `kong-edu-net`
Task: View SSL Certificates
For our training lab we will use two certificates, generated for our lab at boot time:
● A server.crt certificate for the Admin API, Kong Manager UI, Dev Portal UI, and Dev Portal API
● A cluster.crt certificate for intra-cluster communications
The docker-compose file expects to find the SSL certificate/key pairs in /etc/kong/ssl/ on the host; they are mounted into the running container under /srv/shared/ssl.
$ ls -l /etc/kong/ssl/
-r--r--r-- 1 root root 525 Mar 26 11:53 cluster.crt
-r--r--r-- 1 root root 305 Mar 26 11:53 cluster.key
-r--r--r-- 1 root root 4234 Mar 26 11:53 server.crt
-r--r--r-- 1 root root 227 Mar 26 11:53 server.key
$ yq .services.kong-cp.volumes docker-compose.yaml
...
volumes:
- /etc/kong/ssl:/srv/shared/ssl
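Before starting the containers it is worth checking that directory the way a hardening review would: every certificate has its key, and no private key is readable beyond its owner. The shell function below is an added example written for this page, not part of the Kong lab or its docker-compose setup; it assumes a POSIX shell with ls and cut and the /etc/kong/ssl layout shown above.

```shell
#!/bin/sh
# Added example, not part of the Kong training lab: audit a Kong TLS
# directory (here /etc/kong/ssl) before the containers mount it.
# Assumes a POSIX shell with ls and cut; openssl is not required.

# audit_ssl_dir DIR
# Returns 0 when every .crt in DIR has a matching .key and no .key is
# readable by group or others; prints one finding per line otherwise.
audit_ssl_dir() {
  dir=$1
  rc=0
  for crt in "$dir"/*.crt; do
    # An unmatched glob leaves the literal pattern, so test for existence.
    [ -e "$crt" ] || { echo "no certificates found in $dir"; return 1; }
    key="${crt%.crt}.key"
    if [ ! -f "$key" ]; then
      echo "MISSING KEY: $crt has no $key"
      rc=1
      continue
    fi
    # Columns 5-10 of "ls -l" are the group/other permission bits; any
    # letter there means someone besides the owner can read the key.
    perms=$(ls -ld "$key" | cut -c5-10)
    case $perms in
      ------) ;;
      *) echo "KEY TOO OPEN: $key is mode $(ls -ld "$key" | cut -c1-10)"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage: audit_ssl_dir /etc/kong/ssl && echo "ssl directory OK"
```

The lab listing above shows both .key files as mode 0444 (readable by everyone on the host), which this check reports as too open; outside the training VM the keys should be owner-readable only (for example 0400).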
Deploying with Docker
We are now ready to start the containers to deploy Kong.
For the purposes of this course we will deploy Kong using Docker Compose.
This compose file will deploy a number of containers including:
● Kong Data Plane - kong-dp
● Kong Control Plane - kong-cp
● Database - db
● An email SMTP server - smtp-server
○ Used by the Dev Portal to send emails to Kong admins and developers
These services are bound to the network kong-edu-net.
Task: Instantiate log files and deploy Kong
$ docker compose up -d
[+] Running 13/13
⠿ Container grafana Removed 0.7s
⠿ Network kong-edu-net Created 0.1s
⠿ Container keycloak Started 1.8s
⠿ Container redis Started 2.0s
⠿ Container postgres Started 1.6s
⠿ Container smtp Started 2.0s
⠿ Container prometheus Started 1.8s
⠿ Container mockbin Started 1.8s
...
You can ignore the warning about the license. Although the license can be set in docker-compose.yaml or through an environment variable, we will apply it later via the Admin API.
Task: Verify Admin API
In our lab environment we can access our Kong Admin API on localhost:8001
$ http --headers GET localhost:8001
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin:
https://z6tuimtfyrqxrumfw-64381bea22c8f6a4e5a0bb56.labs.strigo.io:8445
Connection: keep-alive
Content-Length: 22440
Content-Type: application/json; charset=utf-8
Date: Fri, 14 Apr 2023 17:41:57 GMT
Server: kong/3.2.2.0-enterprise-edition
X-Kong-Admin-Latency: 6
X-Kong-Admin-Request-ID: PnYElM0cIdGNjGThgPPH2sQe6Cc49aKu
vary: Origin
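Scripted, this verification step becomes a repeatable post-installation smoke test (learning objective 4). The script below is an added example, not course material; it assumes curl, the lab defaults (Admin API on localhost:8001, proxy on localhost:8000), and that the Admin API identifies itself with the Server: kong/<version> header shown above. The header parsing is kept in plain shell so it can also be run against a saved response.

```shell
#!/bin/sh
# Added example, not part of the Kong course: a repeatable post-installation
# smoke test for the lab endpoints. Assumes curl and the lab defaults
# (Admin API on localhost:8001, proxy on localhost:8000); override with
# ADMIN_URL / PROXY_URL.

ADMIN_URL=${ADMIN_URL:-http://localhost:8001}
PROXY_URL=${PROXY_URL:-http://localhost:8000}

# header_value NAME  (reads a raw HTTP header block on stdin)
# Prints the value of header NAME, matched case-insensitively.
header_value() {
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr -d '\r' | awk -v n="$name:" '
    { h = tolower($1) }
    h == n { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# kong_version  (reads a header block on stdin)
# Extracts <version> from "Server: kong/<version>"; prints nothing if the
# responder does not identify itself as Kong.
kong_version() {
  header_value Server | sed -n 's#^kong/##p'
}

# status_of URL: HTTP status code of a GET, or 000 when unreachable.
status_of() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# smoke_test: the Admin API answers as Kong and the proxy port is served by Kong.
smoke_test() {
  ver=$(curl -s -D - -o /dev/null "$ADMIN_URL" | kong_version)
  if [ -z "$ver" ]; then
    echo "FAIL: $ADMIN_URL did not answer with a Server: kong/ header"
    return 1
  fi
  echo "admin API up: kong $ver"
  # With no routes configured Kong itself answers 404 on the proxy port;
  # 000 or a 5xx means the data plane is not proxying at all.
  st=$(status_of "$PROXY_URL/")
  case $st in
    200|404) echo "proxy port answering (HTTP $st)" ;;
    *) echo "FAIL: proxy port returned HTTP $st"; return 1 ;;
  esac
}

# Usage: smoke_test || exit 1
```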
Task: Verify Kong Manager
Click on 'Kong Manager' at the top of the screen.
You'll notice you did not need to log into Kong Manager - that's because RBAC Authentication has not yet been enabled. We will enable RBAC in a later lesson.
Kong License
In traditional deployments with no separate control plane, a license must be deployed to each node running Kong Gateway.
There are multiple methods to configure a license file on a Kong Gateway node. These are listed below in the order in which Kong checks them:
1. If present, the contents of the environment variable KONG_LICENSE_DATA are used
2. Kong searches the default location /etc/kong/license.json
3. If present, the contents of the file named by the environment variable KONG_LICENSE_PATH are used
4. Directly deploy a license using the /licenses Admin API endpoint
In hybrid deployments, applying the license to the CP using method 4 distributes the license from the CP to the DPs. Otherwise methods 1/2/3 must be used on each DP node.
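To see which of these sources a given node would actually use, and whether the license it points at has already expired (one of the licensing considerations listed earlier), here is an added shell example that is not part of the course material. It assumes a POSIX shell with sed, a license.json containing the license_expiration_date field shown later in the lab, and reads KONG_LICENSE_DATA / KONG_LICENSE_PATH from the environment of the shell it runs in, so it should be run inside the Kong container to reflect what the Kong process sees.

```shell
#!/bin/sh
# Added example, not part of the Kong course: report which license source a
# Kong Gateway node would pick up, following the order listed above, and
# flag an expired license. Assumes a POSIX shell with sed; no jq needed.
# KONG_LICENSE_DATA / KONG_LICENSE_PATH are read from this shell's
# environment, so run it inside the container (e.g. via docker compose exec)
# to see what the Kong process itself sees.

# resolve_license_source [DEFAULT_PATH]
# Prints the source Kong would use: "env:KONG_LICENSE_DATA", a file path,
# or "admin-api" when nothing is configured ahead of the /licenses endpoint
# (return code 1 in that case).
resolve_license_source() {
  default_path=${1:-/etc/kong/license.json}
  if [ -n "$KONG_LICENSE_DATA" ]; then
    echo "env:KONG_LICENSE_DATA"
  elif [ -r "$default_path" ]; then
    echo "$default_path"
  elif [ -n "$KONG_LICENSE_PATH" ] && [ -r "$KONG_LICENSE_PATH" ]; then
    echo "$KONG_LICENSE_PATH"
  else
    echo "admin-api"
    return 1
  fi
}

# license_expiration FILE
# Extracts license_expiration_date (YYYY-MM-DD) from a license.json file.
license_expiration() {
  sed -n 's/.*"license_expiration_date"[[:space:]]*:[[:space:]]*"\([0-9-]*\)".*/\1/p' "$1" | head -n 1
}

# license_expired FILE [TODAY]
# Returns 0 if the license expired before TODAY (YYYY-MM-DD, default: now).
# Dashes are stripped so the ISO dates compare as plain integers.
license_expired() {
  exp=$(license_expiration "$1")
  today=${2:-$(date -u +%Y-%m-%d)}
  [ -n "$exp" ] || { echo "no license_expiration_date in $1" >&2; return 2; }
  [ "$(printf '%s' "$exp" | sed 's/-//g')" -lt "$(printf '%s' "$today" | sed 's/-//g')" ]
}

# Usage:
#   src=$(resolve_license_source) || echo "node stays unlicensed until POST /licenses"
#   case $src in /*) license_expired "$src" && echo "license in $src has expired" ;; esac
```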
Applying Kong Licence
For the purposes of this course we will deploy a license using the Admin API endpoint.
We will perform the following specific tasks:
1. Apply the license
2. Restart the Control Plane and review the license
Task: Apply and review the licence
$ http -h POST localhost:8001/licenses payload=@/etc/kong/license.json
HTTP/1.1 201 Created
$ http GET localhost:8001/license/report
You can get further details on the deployed license from the license file itself:
$ jq . /etc/kong/license.json
"admin_seats": "Unlimited",
"dataplanes": "0",
"license_expiration_date": "2023-06-30",
"license_key": "0011K000022IA3HQAW_a1V1K0000099iyaUAA"
}
}
}
Task: Recreate/Restart the CP to enable EE features
Even though the license is applied with the POST method, some features, such as the Developer Portal, are not available until the CP is restarted.
$ docker compose stop kong-cp && docker compose rm -f kong-cp && docker compose up -d kong-cp
[+] Running 1/1
⠿ Container kong-cp Stopped 7.6s
Going to remove kong-cp
[+] Running 1/0
⠿ Container kong-cp Removed 0.0s
[+] Running 4/4
⠿ Container postgres Running 0.0s
⠿ Container kong-migrations Started 0.5s
⠿ Container kong-migrations-up Started 0.8s
⠿ Container kong-cp Started 1.4s
What is decK?
decK is a command line tool for declaratively managing Kong’s configuration.
● No need to run individual API commands against Kong's Admin endpoint - just define Kong's desired state in a YAML file, covering services/routes/plugins/etc., and let decK sync the configuration to Kong.
● Configuration can be maintained in GitHub, fostering team collaboration and distributed workflows.
● decK can also run diffs to detect any drift or changes, and can back up your instance’s configuration.
● decK’s state file can contain sensitive data such as private keys of certificates, credentials, etc. It is up to the user to manage and store the state file in a secure fashion.
Task: Configure decK and Create a sample Service/Route
First, let's check that decK can contact the Kong Gateway:
$ deck ping
Successfully connected to Kong!
Kong version: 3.2.2.0
Now we'll create a sample service/route that we can use decK to save, delete and restore.
$ http POST localhost:8001/services \
name=mockbin_service \
url=http://mockbin:8080/request
$ http -f POST localhost:8001/services/mockbin_service/routes \
name=mockbin_route \
paths=/mockbin
Task: Save/Load Kong configuration using decK
■ Backup current configuration to a YAML file we can review/restore.
$ deck dump --output-file labdump.yaml --workspace default
■ Use decK to compare the state file with the active configuration:
$ deck diff --state labdump.yaml
Summary:
Created: 0
Updated: 0
Deleted: 0
■ Delete current configuration, resetting to default.
$ deck reset
■ Restore backup to active configuration
$ deck sync --state labdump.yaml
creating service mockbin
creating route mockbin
Summary:
Created: 2
Updated: 0
Deleted: 0
Task: Sync updates and view config in Kong Manager
We can use ‘deck diff’ to compare active configuration to another saved state, and ‘deck sync’
to upload the reviewed saved configuration to Kong.
$ deck diff --state deck/sampledump.yaml \
--workspace default
$ deck sync --state deck/sampledump.yaml \
--workspace default
...
creating plugin udp-log for route f491db3f-7018-4197-ae6e-42f69202d6e1
creating plugin rate-limiting-advanced for route d86e9f0c-e2bc-470d-a5a9-8f523512f379
creating plugin acme (global)
creating plugin openid-connect for route 4625ebe0-8287-44a2-8cc0-27a182e5a06d
deleting route mockbin
deleting service mockbin
Summary:
Created: 56
Updated: 0
Deleted: 2
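The same diff step can gate automation: if the live configuration has drifted from the reviewed state file, stop and show the changes instead of syncing blindly. The shell functions below are an added example (not from the course or from decK itself); they assume deck is on PATH and can reach the Admin API, and they parse the Summary block that deck diff prints at the end, as shown above.

```shell
#!/bin/sh
# Added example, not part of the Kong course or of decK: turn "deck diff"
# into a drift gate for CI or a scheduled check. Assumes deck is on PATH
# and can reach the Admin API, and that deck diff ends with the Summary
# block shown above (Created/Updated/Deleted counts).

# drift_count  (reads deck diff output on stdin)
# Prints the sum of Created + Updated + Deleted from the Summary block;
# 0 means the state file and the live configuration agree.
drift_count() {
  awk '
    /^Summary:/ { in_summary = 1; next }
    in_summary && /^[[:space:]]*(Created|Updated|Deleted):[[:space:]]*[0-9]+$/ { total += $2 }
    END { print total + 0 }'
}

# drift_gate STATE_FILE [WORKSPACE]
# Exit 0 when the live config matches STATE_FILE, 1 when drift was found
# (the diff is printed for review), 2 when deck itself failed.
drift_gate() {
  state=$1
  ws=${2:-default}
  if ! out=$(deck diff --state "$state" --workspace "$ws" 2>&1); then
    echo "$out"
    echo "ERROR: deck diff failed for workspace $ws"
    return 2
  fi
  n=$(printf '%s\n' "$out" | drift_count)
  if [ "$n" -eq 0 ]; then
    echo "no drift between $state and workspace $ws"
    return 0
  fi
  echo "$out"
  echo "DRIFT: $n change(s) between $state and workspace $ws"
  return 1
}

# Usage: drift_gate labdump.yaml default
```

Run against the labdump.yaml saved earlier, the gate reports no drift right after a sync and a non-zero count as soon as anyone changes the gateway through the Admin API or Kong Manager behind the state file's back.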
Task: View created entities in Kong Manager
You can use Kong Manager to review new entities that were created using the sync operation.
Task: Restore Kong configuration using decK
Now we can restore Kong configuration from the YAML file we created earlier:
$ cat labdump.yaml
$ deck sync \
--state labdump.yaml \
--workspace default
...
deleting ca_certificate fa6e9989-86cb-4b26-bedd-b5f2f1af7f76
deleting certificate f28adba8-8a29-4f04-8cc1-0646746ac48a
deleting certificate 507cc555-5b92-496d-9e89-bfc78dfcddbe
deleting certificate f3ae1bb2-ea6a-4caf-a7a7-2f078b7842db
Summary:
Created: 2
Updated: 0
Deleted: 56
Task: Confirm Service Restoration
Now you can review the service/route in Kong Manager to confirm it is restored. That could also be achieved through the Admin API. Once done, send a request through the proxy to confirm the route is working.
$ http GET localhost:8001/services
$ http GET localhost:8001/routes
$ http GET localhost:8000/mockbin
$ http --verify no GET https://localhost:8443/mockbin
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: host,connection,x-forwarded-for,x-forwarded-proto,x-forwarded-host,x-forwarded-port,x-forwarded-path,x-forwarded-prefix,x-real-ip,user-agent,accept-encoding,accept
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 766
Content-Type: application/json; charset=utf-8
Date: Mon, 17 Apr 2023 09:55:17 GMT
...
Questions?
What's next?
In the next lesson we will show you how to upgrade your Kong Gateway deployment.