Enterprise
September 16, 2021

Balancing Innovation and Security With API Automation

Josh Molina

Automating digital transformation API deployments can help speed time to market and minimize the resources required for the deployments — if developers can be assured that the automated process meets all necessary security requirements.

It's a topic that Kong Senior Customer Experience Manager Peggy Guyott and Kong Senior Solutions Engineer Ned Harris discussed on a recent webinar as part of the Destination: Automation 2021 digital event. Guyott and Harris explained how the Kong Developer Portal, Kong's Inso command line interface (CLI) and other tools can give developers the ability to complete API deployments in an automated and secure manner.


"The great news is that with APIOps, security testing and performance testing is frequent, continuous and guaranteed because you're going to publish it in each and every API across the business," observed Guyott.

Kong defines APIOps as "end-to-end automation throughout the API lifecycle."

Using this approach makes deployments more consistent and predictable, Guyott and Harris explained.

API Deployment Demo

Harris walked webinar attendees through a hypothetical automated API deployment using the Kong Developer Portal. The demo used what Harris called a "spec-first" approach, but he noted that other approaches also are supported.

"That spec is going to become that source of truth for all of our configuration, including our documentation and even how the gateway is configured," he explained.

The demo also assumed the API would be deployed in two Kubernetes clusters - a development cluster and a QA (quality assurance) cluster. The idea was to deploy the configuration to a development cluster for testing to make sure it was compliant before sending it to the QA cluster.

In addition, the demo assumed there was an OpenAPI spec already set up in Insomnia, the open source GraphQL and REST client designed to make testing and debugging APIs easier.

The documentation was tied to Git Repo, a tool built on top of Git, the free and open source distributed version control system. Git Repo helps manage Git repositories, handles the uploads to revision control systems and automates part of the development workflow.

OpenID Connect

In the demo, the API didn't pass the testing in the development cluster because it did not support the required rate limiting policy or OpenID Connect (OIDC) policy.

Kong, however, offers a variety of plug-ins that can enforce policies such as OIDC and rate limiting. By declaring these plug-ins in the OpenAPI Specification, Harris was then able to open a pull request to advise collaborators about the changes. Had this been a real-world deployment rather than a demo, he could have reviewed any needed changes with colleagues before the changes were finalized.

In the demo, Harris pushed the plug-ins needed to implement OIDC and rate limiting through to GitHub Actions, a tool designed to automate software workflows and to enable developers to build, test and deploy code directly from GitHub, the cloud native API gateway.
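The policy test described above can be expressed as a small gate run in CI before a spec is promoted. The following is an added example, not code from the webinar or from Kong: it assumes the plug-ins are declared with the `x-kong-plugin-<name>` OpenAPI extension, and the sample specs, function names and the rule that a narrower declaration overrides a wider one are assumptions of this sketch.

```python
# Added example (not Kong's code): fail a spec that lacks required policies.
REQUIRED_PLUGINS = ("rate-limiting", "openid-connect")
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
PREFIX = "x-kong-plugin-"


def plugin_states(node):
    """Map plugin name -> enabled flag for x-kong-plugin-* keys on one node."""
    return {key[len(PREFIX):]: bool(value.get("enabled", True))
            for key, value in node.items()
            if key.startswith(PREFIX) and isinstance(value, dict)}


def missing_policies(spec, required=REQUIRED_PLUGINS):
    """Return {'METHOD /path': [missing plugin, ...]} for every operation.

    Assumption: operation-level declarations override path-level ones, which
    override document-level ones, so `enabled: false` lower down counts as a gap.
    """
    findings = {}
    doc_level = plugin_states(spec)
    for path, item in spec.get("paths", {}).items():
        path_level = {**doc_level, **plugin_states(item)}
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(operation, dict):
                continue  # skips 'parameters', extensions and other non-operations
            effective = {**path_level, **plugin_states(operation)}
            gaps = [name for name in required if not effective.get(name)]
            if gaps:
                findings[f"{method.upper()} {path}"] = gaps
    return findings


# Constructed sample: the spec as first submitted, with no policies declared.
SPEC_BEFORE = {
    "openapi": "3.0.0",
    "info": {"title": "orders", "version": "1.0.0"},
    "paths": {"/orders": {
        "get": {"responses": {"200": {"description": "ok"}}},
        "post": {"responses": {"201": {"description": "created"}}},
    }},
}
# Constructed sample: the same spec after both plug-ins are declared document-wide.
SPEC_AFTER = {
    **SPEC_BEFORE,
    "x-kong-plugin-rate-limiting": {"config": {"minute": 60, "policy": "local"}},
    "x-kong-plugin-openid-connect": {"config": {"issuer": "https://idp.example.test/"}},
}

if __name__ == "__main__":
    for label, spec in (("before", SPEC_BEFORE), ("after", SPEC_AFTER)):
        print(label, missing_policies(spec) or "all required policies declared")
```

In a pipeline, a non-empty result from `missing_policies` would fail the job so the configuration never reaches the next cluster.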

Continuous Integration/Continuous Delivery

In the demo, the API was deployed to development but not to QA because it failed the policy test. Because it was deployed to development, however, it was still possible to run commands against it and get results back, as Harris demonstrated.

Before the API could be deployed to QA, Harris had to finalize the addition of the rate limiting and OIDC plug-ins, which he did through a merge-to-master using continuous integration/continuous delivery (CI/CD).

He also could have used Insomnia to enable the OpenAPI Spec to generate "Kong config" for a Kubernetes deployment or, alternatively, for a "decK declarative" configuration.

"This is the magic that Inso is doing," said Harris. "It's taking that OpenAPI Spec, turning that into configuration and then taking that configuration and basically putting it into the GitHub Action so it can ultimately deploy it to those clusters."

As part of the demo, Harris installed the Insomnia CLI tool using Node Package Manager, a tool that automates software installation and dependencies, simplifying the task of incorporating existing code into a project. The package manager fetches the code from a library and includes it in the project.

Once the tool was installed, Harris was able to export the OpenAPI Spec and essentially convert it to a Kong configuration. This, in turn, enabled that configuration to be deployed to the development environment, and when the required tests were run, the spec passed all of them because the necessary policies had been added.

While the demo involved rate limiting and OIDC policies, Kong offers a wide range of plug-ins, including other security plug-ins.

As Harris put it, "Really, the sky's the limit. It's really up to what your organization needs."
