Kong API Gateway on Kubernetes with Pulumi
The Kong Laboratory – Kong API Gateway
The quest for resilience and agility has driven us into the modern age of microservices. Bringing services to market on a microservice architecture demands the utilization of sprawling technology offerings and tooling. While daunting at first glance, we can break down the process into 3 major categories:
- Infrastructure Orchestration
- Application Deployment
- Service Publishing
In this hands-on series, we will use:
- Kubernetes-in-Docker (Kind) as our infrastructure platform.
- Pulumi to orchestrate our supporting infrastructure and deploy our applications.
- And finally, Kong API Gateway for publishing the services that we have deployed.
Key Concepts
Kong API Gateway is an API Gateway and Ingress Controller. At its core, Kong is a reverse proxy that allows an organization to offer APIs as a product to internal and external clients via a centralized ingress point. An API Gateway truly begins to shine when leveraged to consolidate capabilities such as authentication, RBAC, session handling, rate limiting, request & response transformation, redirection, load balancing, traffic monitoring, and logging. These advanced routing features offload enforcement, maintenance, and visibility from the application teams, improving their agility and consolidating this functional ownership into a central location for improved global consistency and visibility.
Pulumi is an Infrastructure as Code (IaC) or Infrastructure as Software (IaS) cloud engineering platform. Pulumi supports IaC/IaS patterns using popular programming languages including Python, JavaScript, TypeScript, Golang, and .NET/C#. At it's heart, the Pulumi ecosystem is a cloud engineering platform and SDK offering that brings together developer, operations, and security teams through a unified software engineering process to accelerate innovation with more confidence via a full suite of OpenGitOps compliant tools.
Host Setup
This article is designed for you to follow along with your MacOS or Linux laptop. Before starting, please check that you have installed all dependencies.
Okay, now that you have your dependencies, let's grab the code and get your system ready to build the lab platform.
- Write Hosts File Entries to resolve your lab domain names locally
# Set ADDRESS to your host IP if you plan to use Keycloak
export ADDRESS=127.0.0.1
cat <<EOF | sudo tee -a /etc/hosts
${ADDRESS} apps.kind.home.arpa
${ADDRESS} portal.kong.kind.home.arpa
${ADDRESS} manager.kong.kind.home.arpa
${ADDRESS} keycloak.apps.kind.home.arpa
${ADDRESS} podinfo.apps.kind.home.arpa
EOF
- Create docker volumes for persistent local container image caching
docker volume create worker1
docker volume create controlplane1
- Clone TheKongLaboratory git repo
cd ~
git clone --depth 1 --branch v2.8.0 https://github.com/kong/TheKongLaboratory
cd ~/TheKongLaboratory
Pulumi Infrastructure as Code
Great! Reviewing our checklist, we now have:
- ✓ Installed all dependencies.
- ✓ Configured
/etc/hosts
to resolve our domain names to our local IP. - ✓ Created local cache volumes for kind node images.
- ✓ Cloned the demo repo codebase.
Your system is ready to run the lab and we have the code! Next, before we can deploy the Kong API Gateway we need to initialize the Pulumi codebase and configure a Stack.
- Configure Pulumi local state provider
# Set a Pulumi local state login password
export PULUMI_CONFIG_PASSPHRASE=mypassword
# Run pulumi login --help for more state backend and login information
pulumi login --local
- Initialize & Select Pulumi Stack
# Download npm packages for Pulumi typescript IaC
npm install
# Initialize and select your pulumi stack
pulumi stack init thekonglaboratory
pulumi stack select thekonglaboratory
- Set Pulumi Stack Configuration Variables
# Set Kong Enterprise License, an empty license enables free mode
pulumi config set --secret kong:license "'{}'"
# Set enterprise to true if deploying with an enterprise license
pulumi config set kong:enterprise false
Deploy Kong API Gateway
Reviewing our checklist again, we now have:
- ✓ Installed all dependencies.
- ✓ Configured
/etc/hosts
to resolve our domain names to our local IP. - ✓ Created local cache volumes for kind node images.
- ✓ Cloned the demo repo codebase.
- ✓ Initialized & Configured your Pulumi Stack
Now, it is time to start your Kind cluster and deploy Kong to it!
- Deploy Kong Gateway Stack
# Start Kind Kubernetes Cluster
kind create cluster --config hack/kind/config.yml
# Pulumi Deploy Kong Gateway & Dependencies
pulumi up -y
- Go ahead and open up the Kong Manager UI !!
>> https://manager.kong.kind.home.arpa/
Deploy a Sample App
Let's go ahead and test our new Kong API Gateway by deploying Podinfo as a sample application to experiment with.
- Deploy a simple Podinfo Sample application.
# change directory to Podinfo App
cd ~/TheKongLaboratory/doc/gateway-s01e01-simple-app
# Set a Pulumi local state login password
export PULUMI_CONFIG_PASSPHRASE=mypassword
# Run pulumi login --help for more state backend and login information
pulumi login --local
# Download npm packages for Pulumi typescript IaC
npm install
# Initialize and select your pulumi stack
pulumi stack init podinfo
pulumi stack select podinfo
# Deploy Podinfo Sample App
pulumi up -y
- Now go check out your Podinfo app at:
>> https://podinfo.apps.kind.home.arpa/
Conclusion
Congratulations! In roughly 1000 lines of TypeScript code, we have deployed a working Kong API Gateway and all supporting services with Pulumi! For transparency, I want to briefly list the scope of what you just deployed.
- Kubernetes:
- Namespaces:
- ✓ The namespace for Kong
- ✓ The namespace for Cert Manager
- Certificates:
- ✓ Chain of Trust for a Cert Manager Self Signed Issuer
- ✓ Default certificate for Kong API Gateway services & proxy
- ✓ Kong controlplane <> dataplane mTLS certificate
- Secrets:
- ✓ Postgres database credentials
- ✓ Kong Manager GUI session configuration
- ✓ Kong API Gateway admin credentials
- ✓ Kong Enterprise License
- Helm Charts:
Now that you have Kong installed and ready to use, this will be the foundation for future posts in the DevMyOps series and is also a great way to get started with Kong for evaluation and local development purposes.
From here you can continue with configuring Kong Manager and Kong plugins, or you can start using the Kong Ingress Controller to publish services on your kind cluster via Kong.
Appendix
Dependencies
DependencyInstallation DocsCleanup
When you are finished with your local deployment you can clean up all lab artifacts in this order:
- Destroy Kong Pulumi Stack
- Delete Kind Cluster
- Remove Docker Volumes
- Remove TheKongLaboratory Git Repo
- Manually cleanup
/etc/hosts
entries
- Unlock your local secret store.
cd ~/TheKongLaboratory
export PULUMI_CONFIG_PASSPHRASE=mypassword
- Destroy Kong Pulumi Stack
pulumi --stack podinfo destroy -ypulumi --stack thekonglaboratory destroy -y
- Delete Kind Cluster
kind delete cluster --name=kong
- Remove Docker Volumes
docker volume rm worker1 controlplane1
- Remove TheKongLaboratory Git Repo
pulumi --stack thekonglaboratory stack rm -y
cd ~ && rm -rf ~/TheKongLaboratory
- Open the
/etc/hosts
file and remove the following entries:
127.0.0.1 apps.kind.home.arpa
127.0.0.1 portal.kong.kind.home.arpa
127.0.0.1 manager.kong.kind.home.arpa
127.0.0.1 keycloak.apps.kind.home.arpa
127.0.0.1 podinfo.apps.kind.home.arpa