Kong Enterprise – the service control platform

No Comments

The previous blog posts about Kong from last year were about the API Gateway, which is provided as an open source product. Since the end of September / beginning of October 2019, codecentric has been a Go-To-Market Partner in EMEA, but especially in the DACH region. As a Go-To-Market Partner we also have a focus on Kong Enterprise, a platform that supports the entire life cycle of APIs and services.

The product consists of several components, which I would like to address in a new blog post series. The first component is already familiar to us from previous blog posts: the gateway. It is currently (end of May 2020) shipped with version number 1.5 at Kong Enterprise. This number reveals a big difference to the open source product, which has been available in version 2.0 since March 2020. At the same time, it shows how important the enterprise product is for Kong as a manufacturer, because new features of the open source product first need to reach a certain level of maturity before they become part of the enterprise product. The following diagram shows the individual components schematically.

kong enterprise
(c) Kong Inc

In contrast to the Kong Gateway as an open source product, the first thing that stands out is the possibility of role-based access control (RBAC) for the administration of the gateway. Although the teams of an organization can share the same Kong cluster, it is possible to divide the cluster into logical groups with restricted access. These workspaces enable clearer segmentation of traffic and entities. Each team’s access can be restricted to its own workspace, supporting the principle of least privilege.

Besides the open source plugins, Kong Enterprise also offers “Enterprise Plugins”. These will be introduced in future blog posts along with corresponding use cases.

The component “Kong Manager” represents the graphical user interface of the platform. Here, various metrics can be viewed directly through Kong Vitals.

Last but not least, a developer portal is also part of the functional scope of Kong Enterprise. The portal enables developers to find, access, and use services.

The two modules “Brain” and “Immunity” are still to be considered separately, since they are not directly part of Kong Enterprise. With Brain, creating API and service documentation can be automated. Supported by machine learning, Immunity helps fanalyze traffic patterns to increase the security of the gateway.

Setting up a secure development environment

After reviewing some of the components of Kong Enterprise, I will now show how to create a secure local environment. Through automation, the configuration can be transferred to a productive environment later.

The foundation of our local environments is a docker-compose-file, just like in earlier posts on the Kong Gateway.

version: “3”

networks: 
  kong-ent-net:
    driver: bridge

services: 

  api-service:
    build: ./api-service
    ports: 
      - 80:80

  kong-database:
    image: postgres:9.6
    restart: always
    networks: 
    - kong-ent-net
    container_name: kong-database
    environment:
    - POSTGRES_USER=kong
    - POSTGRES_PASSWORD=kong
    - POSTGRES_DB=kong
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "postgres"]
      interval: 10s
      timeout: 5s
      retries: 5

  kong-migration:
    image: kong-docker-kong-enterprise-edition-docker.bintray.io/kong-enterprise-edition
    command: kong migrations bootstrap
    networks: 
      - kong-ent-net
    container_name: kong-migration
    restart: on-failure
    environment: 
    - KONG_PG_HOST=kong-database
    - KONG_PG_PASSWORD=kong
    - KONG_DATABASE=postgres
    - KONG_PG_DATABASE=kong
    - 'KONG_LICENSE_DATA=${KONG_LICENSE_DATA}'
    - KONG_PASSWORD=${KONG_PASSWORD}
    links:
      - kong-database
    depends_on: 
      - kong-database
  
  kong-ent:
    image: kong-docker-kong-enterprise-edition-docker.bintray.io/kong-enterprise-edition
    container_name: kong-ent
    depends_on:
      - kong-migration
      - kong-database
    restart: always
    networks:
      - kong-ent-net
    ports:
    - 8000:8000
    - 8001:8001
    - 8002:8002
    - 8003:8003 
    - 8004:8004
    - 8443:8443
    - 8444:8444
    - 8445:8445
    - 8446:8446
    - 8447:8447
    environment:
    - KONG_ENFORCE_RBAC=on
    - KONG_ADMIN_GUI_AUTH=basic-auth
    - KONG_ADMIN_GUI_SESSION_CONF=${KONG_ADMIN_GUI_SESSION_CONF}
    - KONG_AUDIT_LOG=on
    - KONG_LOG_LEVEL=debug
    - KONG_PORTAL_GUI_HOST=localhost:8003
    - KONG_PORTAL_GUI_PROTOCOL=http
    - KONG_PORTAL=on
    - KONG_PORTAL_AUTH=basic-auth
    - KONG_PORTAL_SESSION_CONF=${KONG_PORTAL_SESSION_CONF}
    - KONG_ADMIN_GUI_URL=http://localhost:8002
    - KONG_DATABASE=postgres
    - KONG_PG_PASSWORD=kong
    - KONG_PG_HOST=kong-database
    - KONG_PG_DATABASE=kong
    - 'KONG_LICENSE_DATA=${KONG_LICENSE_DATA}'
    - KONG_VITALS=on
    - KONG_ANONYMOUS_REPORTS=off
    - KONG_PROXY_ACCESS_LOG=/dev/stdout
    - KONG_ADMIN_ACCESS_LOG=/dev/stdout
    - KONG_PROXY_ERROR_LOG=/dev/stderr
    - KONG_ADMIN_ERROR_LOG=/dev/stderr
    - KONG_PROXY_LISTEN=0.0.0.1:8000, 0.0.0.1:8443 ssl
    - KONG_ADMIN_LISTEN=0.0.0.1:8001, 0.0.0.1:8444 ssl
    - KONG_ADMIN_GUI_LISTEN=0.0.0.0:8002, 0.0.0.0:8445 ssl
    - KONG_PORTAL_GUI_LISTEN=0.0.0.0:8003, 0.0.0.0:8446 ssl
    - KONG_PORTAL_API_LISTEN=0.0.0.0:8004, 0.0.0.0:8447 ssl
    healthcheck:
      test: ["CMD-SHELL","kong","health"]
      interval: 5s
      retries: 10

The corresponding Docker image of Kong Enterprise can be downloaded via a customer-specific bintray access. Additionally, a license key is required. This only needs to be stored in an .env file.

KONG_PASSWORD=CodeCentric2020!

KONG_ADMIN_GUI_SESSION_CONF={"secret":"secret","storage":"kong","cookie_secure":false}

KONG_PORTAL_SESSION_CONF={"cookie_name":"$cc2020k","secret":"super-secret","storage":"kong","cookie_secure":false}

KONG_LICENSE_DATA={}

By using KONG_PASSWORD, the built-in super-admin account is activated, which, among other things, ensures that every call to the REST admin API additionally requires the Kong admin token as a parameter. We have already secured our development environment in this relatively simple way. And this is now the starting point for the following blog posts.

Further information on our partnership with Kong is outlined here.

Tags

Daniel Kocot

Daniel has been a member of the codecentric team in Solingen since October 2016. Since the beginning of the 2000s he has dedicated himself to the topic of Digital Transformation. In addition to his current focus on API Management, Application Lifecycle Management Tooling, Continuous Documentation and Voice UI, he is also an expert in the use of product information systems (PIM) and database publishing using rendering technologies.

Comment

Your email address will not be published. Required fields are marked *