Balancing Innovation and Security With API Automation

Automating digital transformation API deployments can help speed time to market and minimize the resources required for the deployments — if developers can be assured that the automated process meets all necessary security requirements.

It's a topic that Kong Senior CustomerExperience Manager Peggy Guyott and Kong Senior Solutions Engineer Ned Harris discussed on a recent webinar as part of the Destination: Automation 2021 digital event. Guyott and Harris explained how the Kong Developer Portal, Kong's Inso (CLI) command line interface offering and other tools can give developers the ability to complete API deployments in an automated and secure manner.

"The great news is that with APIOps, security testing and performance testing is frequent, continuous and guaranteed because you're going to publish it in each and every API across the business," observed Guyott.

Kong defines APIOps as "end-to-end automation throughout the API lifecycle."

Using this approach makes deployments more consistent and predictable, Guyott and Harris explained.

API Deployment Demo

Harris walked webinar attendees through a hypothetical automated API deployment using the Kong Developer Portal. The demo used what Harris called a "spec-first" approach, but he noted that other approaches also are supported.

"That spec is going to become that source of truth for all of our configuration, including our documentation and even how the gateway is configured," he explained.

The demo also assumed the API would be deployed in two Kubernetes clusters - a development cluster and a QA (quality assurance) cluster. The idea was to deploy the configuration to a development cluster for testing to make sure it was compliant before sending it to the QA cluster.

In addition, the demo assumed there was an open API spec already set up in Insomnia, the open source GraphQL and REST client designed to make testing and debugging APIs easier.

The documentation was tied to Git Repo, a tool built on top of Git, the free and open source distributed version control system. Git Repo helps manage Git repositories, handles the uploads to revision control systems and automates part of the development workflow.

OpenID Connect

In the demo, the API didn't pass the testing in the development cluster because it did not support the required rate limiting policy or OpenID Connect (OIDC) policy.

Kong, however, offers a variety of plug-ins that can enforce policies such as OIDC and rate limiting. By declaring these plug-ins in the OpenAPI Specification, Harris was then able to do a pull request to advise collaborators about the changes, and had this been a real-world deployment rather than a demo, he could have reviewed any needed changes with the colleagues before the changes were finalized.

In the demo, Harris pushed the plug-ins needed to implement OIDC and rate limiting through to GitHub Actions, a tool designed to automate software workflows and to enable developers to build, test and deploy code directly from GitHub, the cloud native API gateway.

Continuous Integration/Continuous Delivery

In the demo, the API was deployed to development but not to QA because it failed the policy test. Because it was deployed to development, it was possible to run commands and get results back, however, as Harris demonstrated.

Before the API could be deployed to QA, Harris had to finalize the addition of the rate limiting and OIDC plug-ins, which he did through a merge-to-master using continuous integration/continuous delivery (CI/CD).

He also could have used Insomnia to enable the OpenAPI Spec to generate "Kong config" for a Kubernetes deployment or, alternatively, for a "dec declarative" configuration.

"This is the magic that Inso is doing," said Harris. "It's taking that OpenAPI Spec, turning that into configuration and then taking that configuration and basically putting it into the GitHub Action so it can ultimately deploy it to those clusters."

As part of the demo, Harris installed the Insomnia CLI tool using Node Package Manager, a tool that automates software installation and dependencies, simplifying the task of incorporating existing code into a project. The package manager fetches the code from a library and includes it in the project.

Once the tool was installed, Harris was able to export the OpenAPI Spec and essentially convert it to a Kong configuration. This in turn, enabled that configuration to be deployed to the development environment and when the required tests were run, the spec was able to pass all the tests because the necessary policies had been added.

While the demo involved rate limiting and OICD policies, Kong offers a wide range of plug-ins, including other security plugins.

As Harris put it, "Really, the sky's the limit. It's really up to what your organization needs."