The previous blog posts about Kong from last year were about the API Gateway, which is provided as an open source product. Since the end of September / beginning of October 2019, codecentric has been a Go-To-Market Partner in EMEA, but especially in the DACH region. As a Go-To-Market Partner we also have a focus on Kong Enterprise, a platform that supports the entire life cycle of APIs and services.
The product consists of several components, which I would like to address in a new blog post series. The first component is already familiar to us from previous blog posts: the gateway. It is currently (end of May 2020) shipped with version number 1.5 at Kong Enterprise. This number reveals a big difference to the open source product, which has been available in version 2.0 since March 2020. At the same time, it shows how important the enterprise product is for Kong as a manufacturer, because new features of the open source product first need to reach a certain level of maturity before they become part of the enterprise product. The following diagram shows the individual components schematically.
(c) Kong IncIn contrast to the Kong Gateway as an open source product, the first thing that stands out is the possibility of role-based access control (RBAC) for the administration of the gateway. Although the teams of an organization can share the same Kong cluster, it is possible to divide the cluster into logical groups with restricted access. These workspaces enable clearer segmentation of traffic and entities. Each team’s access can be restricted to its own workspace, supporting the principle of least privilege.
Besides the open source plugins, Kong Enterprise also offers “Enterprise Plugins”. These will be introduced in future blog posts along with corresponding use cases.
The component “Kong Manager” represents the graphical user interface of the platform. Here, various metrics can be viewed directly through Kong Vitals.
Last but not least, a developer portal is also part of the functional scope of Kong Enterprise. The portal enables developers to find, access, and use services.
The two modules “Brain” and “Immunity” are still to be considered separately, since they are not directly part of Kong Enterprise. With Brain, creating API and service documentation can be automated. Supported by machine learning, Immunity helps fanalyze traffic patterns to increase the security of the gateway.
Setting up a secure development environment
After reviewing some of the components of Kong Enterprise, I will now show how to create a secure local environment. Through automation, the configuration can be transferred to a productive environment later.
The foundation of our local environments is a docker-compose-file, just like in earlier posts on the Kong Gateway.
version: “3”
networks:
kong-ent-net:
driver: bridge
services:
api-service:
build: ./api-service
ports:
- 80:80
kong-database:
image: postgres:9.6
restart: always
networks:
- kong-ent-net
container_name: kong-database
environment:
- POSTGRES_USER=kong
- POSTGRES_PASSWORD=kong
- POSTGRES_DB=kong
healthcheck:
test: ["CMD", "pg_isready", "-U", "postgres"]
interval: 10s
timeout: 5s
retries: 5
kong-migration:
image: kong-docker-kong-enterprise-edition-docker.bintray.io/kong-enterprise-edition
command: kong migrations bootstrap
networks:
- kong-ent-net
container_name: kong-migration
restart: on-failure
environment:
- KONG_PG_HOST=kong-database
- KONG_PG_PASSWORD=kong
- KONG_DATABASE=postgres
- KONG_PG_DATABASE=kong
- 'KONG_LICENSE_DATA=${KONG_LICENSE_DATA}'
- KONG_PASSWORD=${KONG_PASSWORD}
links:
- kong-database
depends_on:
- kong-database
kong-ent:
image: kong-docker-kong-enterprise-edition-docker.bintray.io/kong-enterprise-edition
container_name: kong-ent
depends_on:
- kong-migration
- kong-database
restart: always
networks:
- kong-ent-net
ports:
- 8000:8000
- 8001:8001
- 8002:8002
- 8003:8003
- 8004:8004
- 8443:8443
- 8444:8444
- 8445:8445
- 8446:8446
- 8447:8447
environment:
- KONG_ENFORCE_RBAC=on
- KONG_ADMIN_GUI_AUTH=basic-auth
- KONG_ADMIN_GUI_SESSION_CONF=${KONG_ADMIN_GUI_SESSION_CONF}
- KONG_AUDIT_LOG=on
- KONG_LOG_LEVEL=debug
- KONG_PORTAL_GUI_HOST=localhost:8003
- KONG_PORTAL_GUI_PROTOCOL=http
- KONG_PORTAL=on
- KONG_PORTAL_AUTH=basic-auth
- KONG_PORTAL_SESSION_CONF=${KONG_PORTAL_SESSION_CONF}
- KONG_ADMIN_GUI_URL=http://localhost:8002
- KONG_DATABASE=postgres
- KONG_PG_PASSWORD=kong
- KONG_PG_HOST=kong-database
- KONG_PG_DATABASE=kong
- 'KONG_LICENSE_DATA=${KONG_LICENSE_DATA}'
- KONG_VITALS=on
- KONG_ANONYMOUS_REPORTS=off
- KONG_PROXY_ACCESS_LOG=/dev/stdout
- KONG_ADMIN_ACCESS_LOG=/dev/stdout
- KONG_PROXY_ERROR_LOG=/dev/stderr
- KONG_ADMIN_ERROR_LOG=/dev/stderr
- KONG_PROXY_LISTEN=0.0.0.1:8000, 0.0.0.1:8443 ssl
- KONG_ADMIN_LISTEN=0.0.0.1:8001, 0.0.0.1:8444 ssl
- KONG_ADMIN_GUI_LISTEN=0.0.0.0:8002, 0.0.0.0:8445 ssl
- KONG_PORTAL_GUI_LISTEN=0.0.0.0:8003, 0.0.0.0:8446 ssl
- KONG_PORTAL_API_LISTEN=0.0.0.0:8004, 0.0.0.0:8447 ssl
healthcheck:
test: ["CMD-SHELL","kong","health"]
interval: 5s
retries: 10
The corresponding Docker image of Kong Enterprise can be downloaded via a customer-specific bintray access. Additionally, a license key is required. This only needs to be stored in an .env file.
KONG_PASSWORD=CodeCentric2020!
KONG_ADMIN_GUI_SESSION_CONF={"secret":"secret","storage":"kong","cookie_secure":false}
KONG_PORTAL_SESSION_CONF={"cookie_name":"$cc2020k","secret":"super-secret","storage":"kong","cookie_secure":false}
KONG_LICENSE_DATA={}
By using KONG_PASSWORD
, the built-in super-admin account is activated, which, among other things, ensures that every call to the REST admin API additionally requires the Kong admin token as a parameter. We have already secured our development environment in this relatively simple way. And this is now the starting point for the following blog posts.
Further information on our partnership with Kong is outlined here.