The last post in our series on Reedelk was about implementing an ETL process that can be triggered by a REST endpoint. Now this service is to be made available to the “outside world” in a secure way. But how can services in modernization projects be secured in a simple way? In this case it makes sense to consider an API gateway. What an API gateway is and how it works has already been discussed in several posts on our blog. Given the enterprise context of the project, the choice falls on the already familiar Kong Enterprise, which is currently available in version 2.1. If only the gateway itself were discussed here, the Kong Community Edition could be used as well.
The Encounter of Elk and Gruce
The basis of all following considerations and the corresponding implementation is again the “API first” approach. In the previous post, the API specification was used to create the basis of the integration service. Now the spec is used to register the service at the gateway and to make it known to its users, i.e. developers, via a so-called developer portal. First of all, the Docker Compose file is extended by Kong Enterprise and another PostgreSQL instance.
test: [ "CMD", "pg_isready", "-U", "postgres" ]
test: ["CMD", "pg_isready", "-U", "postgres"]
command: kong migrations bootstrap
- KONG_PROXY_LISTEN=0.0.0.0:8000, 0.0.0.0:8443 ssl
- KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl
- KONG_ADMIN_GUI_LISTEN=0.0.0.0:8002, 0.0.0.0:8445 ssl
- KONG_PORTAL_GUI_LISTEN=0.0.0.0:8003, 0.0.0.0:8446 ssl
- KONG_PORTAL_API_LISTEN=0.0.0.0:8004, 0.0.0.0:8447 ssl
Now the following architecture is available:
From OpenAPI spec to configuration as code
To register the integration service at the gateway, the first step is to use Insomnia Designer. Through the “Kong Bundle” plugin, Insomnia Designer can create a configuration for the Kong gateway from an OpenAPI specification. By adding an OpenAPI extension (x-), configuration parameters for services can be included in the API specification. To keep the demo YAML file simple, the plugin configuration is placed directly at the server level, so that the security configuration applies to the whole service.
title: Bookings API
description: API for Bookings
- url: http://host.docker.internal:8484/
key_names: [api_key, apikey]
In Insomnia Designer, the declarative configuration can now be created with a single click; it must then be copied manually into a corresponding file in the repository. In addition, a new workspace is created in Kong Enterprise.
http :8001/workspaces name=ccPlayground Kong-Admin-Token:<needstobesetinenvfile>
deck dump --workspace ccPlayground --skip-workspace-crud --headers kong-admin-token:<needstobesetinenvfile>
With decK, a configuration tool for the Kong Gateway, the configuration is synchronized and can be used directly.
deck sync --workspace ccPlayground --skip-workspace-crud --headers kong-admin-token:<needstobesetinenvfile>
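A check that can run in a pipeline before a sync like the one above, as an added example (not code from the original post or its demo project): it walks a decK state file that has already been parsed into a Python dict and reports routes that no enabled key-auth plugin covers, that allow an anonymous fallback consumer, or that leave hide_credentials off so the key is passed on to the upstream service. The sample state is constructed; only the service name Bookings_API, its URL and the key_names come from this post, everything else is assumed.

```python
# Added example: audit a decK state file (already parsed into a dict) for
# routes that no key-auth plugin protects, or that use weak key-auth settings.

def _key_auth(plugins):
    """First enabled key-auth entry in a plugin list, else None."""
    for plugin in plugins or []:
        if plugin.get("name") == "key-auth" and plugin.get("enabled", True):
            return plugin
    return None

def audit(state):
    """Return sorted (target, finding) tuples for a parsed decK state dict."""
    findings = set()
    # Top-level plugins with no service/route/consumer reference are global.
    global_plugins = [p for p in state.get("plugins") or []
                      if not any(p.get(k) for k in ("service", "route", "consumer"))]
    for service in state.get("services") or []:
        for route in service.get("routes") or [{}]:
            target = f"{service.get('name')}/{route.get('name', '*')}"
            # Most specific scope wins: route, then service, then global.
            plugin = (_key_auth(route.get("plugins"))
                      or _key_auth(service.get("plugins"))
                      or _key_auth(global_plugins))
            if plugin is None:
                findings.add((target, "no enabled key-auth plugin"))
                continue
            config = plugin.get("config") or {}
            if config.get("anonymous"):
                findings.add((target, "anonymous fallback consumer is set"))
            if not config.get("hide_credentials", False):
                findings.add((target, "API key is forwarded to the upstream"))
    return sorted(findings)

# Constructed sample state: Bookings_API mirrors the service from this post;
# "internal_reports" and all route names are invented for the example.
SAMPLE_STATE = {
    "services": [
        {"name": "Bookings_API", "url": "http://host.docker.internal:8484/",
         "plugins": [{"name": "key-auth",
                      "config": {"key_names": ["api_key", "apikey"]}}],
         "routes": [{"name": "bookings-get", "paths": ["/bookings"]}]},
        {"name": "internal_reports", "url": "http://reports.example:8080/",
         "routes": [{"name": "reports-get", "paths": ["/reports"]}]},
    ],
}

if __name__ == "__main__":
    for target, finding in audit(SAMPLE_STATE):
        print(f"{target}: {finding}")
```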
The service created with Reedelk is now registered at the gateway. Calling the service route
http :8001/services Kong-Admin-Token:<needstobesetinenvfile> returns
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Tue, 15 Sep 2020 09:55:45 GMT
The service with its endpoints is now behind the gateway. To use the KeyAuth plugin, a consumer still has to be created, along with a key for this consumer.
http POST :8001/ccPlayground/consumers username=bookings Kong-Admin-Token:<needstobesetinenvfile>
http POST :8001/ccPlayground/consumers/bookings/key-auth Kong-Admin-Token:<needstobesetinenvfile>
The key (visible in the response below) can now be used for calls via the gateway.
HTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8
Date: Tue, 15 Sep 2020 14:03:16 GMT
Calling the route
http :8000/bookings/00002D apikey:S0llbYJjebrNoCG4PURHyjNPUK2Yv9Ds on the gateway now returns the following response.
HTTP/1.1 200 OK
"book_date": "2017-05-20 15:45:00.0",
Adding some developer experience
Now that access to the Booking Integration Service requires authorization, the focus shifts to the developer portal. The portal is activated via the Admin REST API of Kong Enterprise.
http PATCH :8001/workspaces/ccPlayground Kong-Admin-Token:<needstobesetinenvfile> config.portal=true -f
Subsequently, Insomnia Designer is used to deploy the API spec to the existing portal.
The portal is meant to deliver an improved user experience (UX), in particular a developer experience (DX), for APIs. The simplest form, more precisely the entry page of such a portal, is the catalog of all available APIs, as shown in the picture.
Kong Enterprise can create a developer portal for each workspace, either via the Admin REST API or the Kong Manager. Through workspaces, APIs can be grouped according to individual categorization. This can also be a first step towards API as a Product. Each portal can be completely customized to individual needs. For the developer of a potential client, the DX can be improved even further with the “Application Registration” plugin.
http POST :8001/ccPlayground/services/Bookings_API/plugins name=application-registration Kong-Admin-Token:<needstobesetinenvfile> config.auto_approve=false config.description="All about bookings" config.display_name=Bookings config.show_issuer=false -f
With the help of the plugin, client applications can now be registered directly via the portal and coupled with the corresponding services.
This form of self-service helps enormously to further promote the distribution and use of the APIs created.
With these few steps, the integration service has been secured by a gateway, in this case Kong Enterprise, and at the same time access to the APIs has been improved through a developer portal. The use of API first, Kong’s Admin REST API and configuration as code also shows which steps can be automated in a CI/CD pipeline.
This is one way to integrate Reedelk with Kong. In a following blog post I would like to introduce the Kong Reedelk Transformer plugin, which is another approach to integrating the two components. The sources for the demo project are available on GitHub.