This is the Avature's Kong API Gateway docker-compose distribution
- kong: Kong 2.1.4 API Gateway
- konga: Konga Kong's UI (latest version)
- db: PostgreSQL 9.5 Database
- nginx: Nginx (latest nginx docker image version) Proxy pass that exposes gateway, admin, and konga subdomains in a secured and unified way.
- startup: Startup script that sets up the admin API loopback and plugins configuration in an automated way.
It also includes the following custom Kong plugins, pre-built and included in the docker-compose project:
-
This plugin allows the server to emit x509 certificates signed off by the server's CA certificate.
-
This plugin allows the server to validate headers and json payload information against authenticated consumer This helps in use cases where we need to assure some configurations done to services and routes are only done by a particular consumer.
-
ensure that the path ''/usr/local/bin'' exists. If not, create it with
sudo mkdir -p /usr/local/bin
-
install curl if not installed
sudo apt-get install curl
-
install docker ->
apt install docker.io
More info: https://docs.docker.com/install/linux/docker-ce/ubuntu/
-
configure docker to execute without sudo ->
sudo usermod -aG docker $USER
More info: https://docs.docker.com/install/linux/linux-postinstall/
-
install docker-compose ->
sudo curl -L https://github.com/docker/compose/releases/download/1.29.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose
More info: https://docs.docker.com/compose/install/#install-compose-on-linux-systems
-
Clone the repo to your $HOME with:
git clone https://this-repo-url/CustomAPIs/kong-docker-compose
-
To start the Platform run: ./startDev.sh
-
After that Konga UI must be up and running on the default URL: https://konga.kong-server.com
-
Username: admin, Password: adminadminadmin
-
To login with BASH into KONG after startup (See logs, adjust configs: ./startBash.sh)
-
Refer to the Client-Auth section to know how to use the mTLS authentication
Install these dependencies:
- fakeroot v1.22
- debhelper (>= 9),
- dh-exec
cd kong-docker-compose
./buildDebian.sh
To install the debian package run:
dpkg -i ../kong-docker-compose_X.Y.Z_all.deb
Then run start or startDev script (according to your needs):
./{start, startDev}.sh
After installing, copy the .env.example file:
cp .env.example .env
And modify it according to your needs.
- If when you run start this error appears:
Creating network "kong_kong-net" with the default driver
ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network
Issue the following container-destructive commands:
yes | docker network prune
yes | docker system prune
sudo ip link delete tun0
- If when you run start this error appears:
genrsa: Can't open "certs/server-ca-key.key" for writing, No such file or directory
Can't open certs/server-ca-key.key for reading, No such file or directory
139896872256512:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('certs/server-ca-key.key','r')
You can run the certificates creation script with sudo:
sudo ./createCerts.sh -ssl
The connection between Kong's admin API and its clients must be done via mutual TLS client authentication using client certificates signed by the kong distribution server's CA.
To hit the secured admin API using mTLS you must first create a consumer using the register endpoint /instances/register provided by the mtls certs manager plugin, example call to create a consumer:
{
"csr": "Certificate sign request data",
"instance": {
"name": "test-instance.ourdomain.org", "description": "A description for the instance"
}
}
Where:
- Certificate sign request data:
Is the content of a certificate signing request (including the markers of start and end) that can be generated with openssl command.
- test-instance.ourdomain.org:
Is the hostname of the consumer instance that will be client for the admin API of Kong.
- A description for the instance:
Is a string used to describe the client that will be added as a consumer for Kong that will be stored as a tag in the Kong's consumer table.
The certificates can be signed off by the mtls certs manager kong plugin via instances/register API endpoint.
For more details about client auth workflow click here
For contract tests run this command:
cd test && PACT_BROKER_URL=https://pact-broker.yourserver.com ./test_admin_api_contracts
Repleace the environment variable with your pact-broker deployment.
-
The recommended dev environment is VS Code with Python and LUA addons.
-
The major parts of the application are dockerized so the environment leans mainly on docker and docker-compose.
- The active boolean flag in the konga_kong_nodes table of the Konga DB isn't true by default which forces the user to manually "activate" the connection to the Kong server after setup (this could be automated some way)