Setup Key Auth Plugin in Kong API Gateway on Kubernetes (Minikube)
In this article we will be setting up the Key Auth plugin in the Kong API Gateway which is running on Kubernetes. For the purpose of this article we will be using Minikube to run the kubernetes cluster on our local machine.
Following are the prerequisites to keep up with the article. Make sure that they are installed in your system.
- minikube : minikube is local Kubernetes, focusing on making it easy to learn and develop for Kubernetes.
- kubectl : Kubernetes provides a command line tool for communicating with a Kubernetes cluster’s control plane, using the Kubernetes API. This tool is named kubectl.
- helm : Helm helps you manage Kubernetes applications — Helm Charts help you define, install, and upgrade even the most complex Kubernetes application.
Now that we have everything installed in our system it’s time to do some work. First we will need a kubernetes cluster. For that we will be using minikube. Run the following command in the terminal to spin up a cluster in the machine.
minikube start
Check that the cluster is up and running with the following command.
kubectl cluster-info
For this article we will be using kong/httpbin as a demo application. Which is a simple HTTP Request & Response Service.
Create a file deploy.yaml and copy paste the following content to it. This is a deployment for the kubernetes.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
template:
metadata:
labels:
app: httpbin
spec:
containers:
- name: httpbin
image: kong/httpbin:0.1.0
ports:
- containerPort: 80
Apply the file to the kubernetes cluster bu running the following command.
kubectl apply -f deploy.yaml
# deployment.apps/httpbin created
When applied, it will create a Deployment and a pod in the kubernetes cluster. You can check that by running the following commands in the terminal.
kubectl get deployment
# NAME READY UP-TO-DATE AVAILABLE AGE
# httpbin 1/1 1 1 108s
kubectl get pods
# NAME READY STATUS RESTARTS AGE
# httpbin-574d58d46d-p2sdj 1/1 Running 0 3m5s
Now that we have a Deployment ready and a Pod running on the cluster for our httpbin application we need to create a Service in the cluster. A Service is a method of exposing network application that is running as one or more Pods in the cluster. You can learn more about the Service in kuberneter from here.
Create a new file and name it service.yaml. Put the following content in that file.
---
apiVersion: v1
kind: Service
metadata:
name: httpbin-app
labels:
app: httpbin-app
spec:
type: NodePort
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
selector:
app: httpbin
Apply the file to the cluster using the following command.
kubectl apply -f service.yaml
# service/httpbin-app created
This will create a service in the cluster which you can check by running the following command.
kubectl get service
# NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
# httpbin-app NodePort 10.101.129.189 <none> 80:31268/TCP 4m8s
# kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 35m
We have all the required Deployment, Service and Pods running on the cluster. Now we will install Kong API Gateway in our cluster. We will be using helm for this purpose.
helm repo add kong https://charts.konghq.com
helm repo update
helm install kong kong/ingress -n kong --create-namespace
Run the above three commands in you terminal. The first command will add helm chart repository for Kong in your local helm configuration. The second command will update the local cache of charts from all repositores. And the third command will deploy the kong/ingress helm chart into our kubernetes cluster. Helm will take the chart, process it and applies the resulting kubernetes resources into the cluster. To know more about helm charts follow this link.
While installing the Kong using the helm command we have passed -n kong --create-namespace parameter. We can specify a namespace using the -n option, in our case we set in to kong namespace. In case there is no namespace found with the name kong, --create-namespace will create one for us.
Check all the resources created by the kong helm chart in your kubernetes cluster passing the namespace kong as follow.
➜ kubectl get pods -n kong
# NAME READY STATUS RESTARTS AGE
# kong-controller-998d5b9f7-cn5x6 0/1 Running 2 (25s ago) 102s
# kong-gateway-5f764bcd8b-hpgs5 0/1 Running 0 102s
➜ kubectl get deployment -n kong
# NAME READY UP-TO-DATE AVAILABLE AGE
# kong-controller 1/1 1 1 118s
# kong-gateway 1/1 1 1 118s
➜ kubectl get service -n kong
# NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
# kong-controller-metrics ClusterIP 10.99.86.41 <none> 10255/TCP,10254/TCP 2m25s
# kong-controller-validation-webhook ClusterIP 10.104.30.215 <none> 443/TCP 2m25s
# kong-gateway-admin ClusterIP None <none> 8444/TCP 2m25s
# kong-gateway-manager NodePort 10.101.23.4 <none> 8002:32008/TCP,8445:32265/TCP 2m25s
# kong-gateway-proxy LoadBalancer 10.107.229.161 <pending> 80:31087/TCP,443:31741/TCP 2m25s
Now that we have kong installed in our kubernetes cluster, we will configure the kong routes that will point to the httpbin app we deployed earlier.
For that create a new file kong-routes.yaml and fill it with the following content.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kong-routes
annotations:
konghq.com/strip-path: "true"
konghq.com/plugins: key-auth
spec:
ingressClassName: kong
rules:
- http:
paths:
- path: /httpbin
pathType: ImplementationSpecific
backend:
service:
name: httpbin-app
port:
number: 80
Apply the routes in the kubernetes cluster using the following command.
kubectl apply -f kong-routes.yaml
# ingress.networking.k8s.io/kong-routes created
In this stage we have everything setup in our kubernetes cluster. We have deployed out httpbin app in the cluster, we have created the service in the cluster, we have also installed kong gateway in out cluster and also configured the routes.
Now we will check if our application is running. For that we will open a tunnel between the service and our local machine. Run the following command in your terminal.
minikube service kong-gateway-proxy -n kong
Note that, kong-gateway-proxy is a service created by helm chart for kong earlier.
After running the command you should see some output like following in your terminal.
[kong kong-gateway-proxy http://127.0.0.1:65185
http://127.0.0.1:65186]
Open the first address http://127.0.0.1:65185 in your favorate browser and you will see something like following.
This is because we haven’t configured anything on the root path in the kong routes. As we have configured our httpbin app to the /httpbin path, so we will hit the http://127.0.0.1:65185/httpbin in the browser And you should see something like the following.
At this point we have successfully deployed out app on kubernetes cluster and it is working. Now we will setup the key-auth plugin in the kong gateway. To do that we have to deploy a KongPlugin, Secret and KongConsumer in our cluster.
Create a new file auth.yaml and insert following content in it.
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: key-auth
annotations:
kubernetes.io/ingress.class: kong
plugin: key-auth
config:
key_names:
- apikey
hide_credentials: true
---
apiVersion: v1
kind: Secret
metadata:
name: api-key-secret
labels:
konghq.com/credential: key-auth
type: Opaque
stringData:
kongCredType: key-auth
key: secret
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: consumer
annotations:
kubernetes.io/ingress.class: kong
username: username
custom_id: "1234"
credentials:
- api-key-secret
Run the following command to deploy it into the kubernetes cluster.
kubectl apply -f auth.yaml
# kongplugin.configuration.konghq.com/key-auth created
# secret/api-key-secret created
# kongconsumer.configuration.konghq.com/consumer created
Above we have deployed the KongPlugin for the key-auth where we specified the key name as “apikey”. We have to pass this key while makeing a request to our httpbin app. Then we have deployed the Secret that contains the secret value for the api key which is in our case secret. We have to pass this secret as the value for the api key in the header. And finally we have deployed the KongConsumer into the cluster.
Now try to access the httpbin app by hitting http://127.0.0.1:65185/httpbin from your browser.
As you can see we are getting a message saying that API key is not found in the request. We have to pass the API key in the header like this “apikey: secret”
We will use curl command line tool to make the call this time. You can see that we got the html document from the httpbin app.
curl -H "apikey: secret" http://127.0.0.1:65185/httpbin
# <!DOCTYPE html>
# <html lang="en">
# <head>
# <meta charset="UTF-8">
# <title>httpbin.org</title>
# <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700|Source+Code+Pro:300,600|Titillium+Web:400,600,700"
# rel="stylesheet">
# <link rel="stylesheet" type="text/css" href="/flasgger_static/swagger-ui.css">
# <link rel="icon" type="image/png" href="/static/favicon.ico" sizes="64x64 32x32 16x16" />
# <style>
# html {
# box-sizing: border-box;
# overflow: -moz-scrollbars-vertical;
# overflow-y: scroll;
# }
Conclusion
In this article we have deployed an app in the kubernetes cluster. Then we have installed Kong API Gateway in it. And finally setup the key-auth plugin in the Kong for the authentication. We have also utilized the tools minikube, kubectl and helm to do that. Hope you have learned something new from this article.
The full code of this article can be found in this repository.
Recent posts
- Understanding Comprehensions in Python
- Special Attributes of Python Class
- Stream Data to S3 Using `mongoexport` Tool
- Essential Special Methods for Object Creation
- Special Attributes of Python Module