Deploy API-Gateway in Kato

An API gateway is a microservice architecture component that protects the real business service components; here it is implemented with Kong, a mature API gateway implementation. Through a wealth of plug-ins, Kong can provide comprehensive protection and governance for back-end business components, including ACL access control, authentication mechanisms such as Basic Auth and OAuth2, rate limiting, and other functions. This document describes how to deploy Kong on Kato and briefly introduces the configuration of Service and Route.

This document is intended for developers and operation and maintenance personnel who plan to deploy and use an API gateway (Kong) on Kato.

It uses demonstration use cases to show how to deploy Kong on Kato and how to proxy the existing test services.

Prerequisites

The Kong application template already exists in the local shared library. You can download the API-Gateway offline package and import it.

Steps

With the one-click installation from the shared library, you can deploy Kong, newinfo, and WebService to your Kato environment (Kong is the API gateway implementation; newinfo and WebService are the included test services).

Installation and Deployment

Install API-Gateway demo use case

Running Result

Configure Konga

In this step, Kong's management panel is configured. It is based on Konga and lets you manage Kong graphically.

Registration

Visit Konga's external service address and follow the instructions to complete the administrator registration.

Connect to Kong

After registration is complete, follow the instructions to configure the connection to Kong: enter a custom name for the Kong instance and the connection address http://127.0.0.1:8001.

Configure WebService

In this step, you configure a Service and a Route for the WebService test service in Konga. After the configuration is completed, you can access the test service through Kong.

The WebService test business component is a web page written in Java that listens on port 5000. To proxy it through Kong, you need to configure two Services, one for the component itself and one for the static resources it uses, and a Route for each Service.

Configure the WebService

In Konga, select SERVICES and click ADD NEW SERVICE.

Fill in the content:

| Option name | Fill in content | Description |
| --- | --- | --- |
| Name | WebService | Custom Service name that identifies the corresponding upstream service |
| Protocol | http | Upstream service protocol |
| Host | 127.0.0.1 | Upstream service address; it is 127.0.0.1 because of the Kato dependency relationship |
| Port | 5000 | Upstream service listening port |
| Path | / | Upstream service access path |

Enter the created WebService page, select Routes, and click ADD ROUTE.

Fill in the content:

| Option name | Fill in content | Description |
| --- | --- | --- |
| Name | WebService_route | Custom Route name that identifies the corresponding upstream service |
| Protocols | Leave blank by default | Access protocol; both http and https are used by default |
| Hosts | Leave blank by default | Access address; when left blank, the external service address of Kong's port 8000 is used. If you bind a domain name, fill it in here |
| Methods | Leave blank by default | HTTP method; you can fill in GET, POST and other methods as needed. The default is unrestricted |
| Path | /web | Custom access path, which is proxied to / on the upstream service |

Note that after entering the Path, you need to press Enter for it to take effect. Next, configure the proxy for the static resources: the static page part of the WebService needs a separate proxy.

Configure for Static Resources

In Konga, select SERVICES and click ADD NEW SERVICE.

Fill in the content:

| Option name | Fill in content | Description |
| --- | --- | --- |
| Name | WebStatic | Custom Service name that identifies the corresponding upstream service |
| Protocol | http | Upstream service protocol |
| Host | 127.0.0.1 | Upstream service address; it is 127.0.0.1 because of the Kato dependency relationship |
| Port | 5000 | Upstream service listening port |
| Path | /static | Upstream service static resource access path |

Enter the created WebStatic page, select Routes, and click ADD ROUTE.

Fill in the content:

| Option name | Fill in content | Description |
| --- | --- | --- |
| Name | WebStatic_route | Custom Route name that identifies the corresponding upstream service |
| Protocols | Leave blank by default | Access protocol; both http and https are used by default |
| Hosts | Leave blank by default | Access address; when left blank, the external service address of Kong's port 8000 is used. If you bind a domain name, fill it in here |
| Methods | Leave blank by default | HTTP method; you can fill in GET, POST and other methods as needed. The default is unrestricted |
| Path | /static | Fixed access path, which is proxied to /static on the upstream service |

After the configuration is complete, open the /web path on the external service address of the Kong service component's port 8000 to access the complete WebService test service.

Configure Newinfo

In this step, a Service and a Route are configured for the newinfo test service in Konga. After the configuration is completed, the API test service can be accessed through Kong.

The newinfo test business component is an API written in Golang that listens on port 8080. When it receives a GET request, it fetches data from the MySQL instance it depends on and returns it.

Configure for Newinfo

In Konga, select SERVICES and click ADD NEW SERVICE.

Fill in the content:

| Option name | Fill in content | Description |
| --- | --- | --- |
| Name | Newinfo | Custom Service name that identifies the corresponding upstream service |
| Protocol | http | Upstream service protocol |
| Host | 127.0.0.1 | Upstream service address; it is 127.0.0.1 because of the Kato dependency relationship |
| Port | 8080 | Upstream service listening port |
| Path | /api/newinfos | Upstream service API path |

Enter the created Newinfo page, select Routes, and click ADD ROUTE.

Fill in the content:

| Option name | Fill in content | Description |
| --- | --- | --- |
| Name | Newinfo_route | Custom Route name that identifies the corresponding upstream service |
| Protocols | Leave blank by default | Access protocol; both http and https are used by default |
| Hosts | Leave blank by default | Access address; when left blank, the external service address of Kong's port 8000 is used. If you bind a domain name, fill it in here |
| Methods | Leave blank by default | HTTP method; you can fill in GET, POST and other methods as needed. The default is unrestricted |
| Path | /info | Custom access path, which is proxied to /api/newinfos on the upstream service |

After the configuration is complete, open the /info path on the external service address of the Kong service component's port 8000 to access the newinfo test service and get its response.
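A simplified model of how the three Routes configured above map request paths onto upstream URLs, added here as an illustration; it is not Kong's code and not part of the original page. It assumes plain prefix matching and Kong's default strip_path=true on each Route; the sample request paths in the usage are constructed.

```python
# Services and Routes mirror the values entered in Konga on this page.
SERVICES = {
    "WebService": {"port": 5000, "path": "/"},
    "WebStatic": {"port": 5000, "path": "/static"},
    "Newinfo": {"port": 8080, "path": "/api/newinfos"},
}
ROUTES = [
    {"name": "WebService_route", "service": "WebService", "path": "/web"},
    {"name": "WebStatic_route", "service": "WebStatic", "path": "/static"},
    {"name": "Newinfo_route", "service": "Newinfo", "path": "/info"},
]

def resolve(request_path, routes=ROUTES, strip_path=True):
    """Return (route name, upstream URL), or None when no Route matches."""
    # Route paths act as prefixes; when several match, the longest one wins.
    hits = [r for r in routes if request_path.startswith(r["path"])]
    if not hits:
        return None
    route = max(hits, key=lambda r: len(r["path"]))
    svc = SERVICES[route["service"]]
    # With strip_path enabled, the matched prefix is removed and the
    # remainder is appended to the Service path.
    rest = request_path[len(route["path"]):] if strip_path else request_path
    upstream = svc["path"].rstrip("/") + "/" + rest.lstrip("/")
    if len(upstream) > 1 and not request_path.endswith("/"):
        upstream = upstream.rstrip("/")
    return route["name"], "http://127.0.0.1:%d%s" % (svc["port"], upstream)

if __name__ == "__main__":
    for path in ("/web", "/static/css/site.css", "/info", "/other"):
        print(path, "->", resolve(path))
    # With only WebService_route defined, the page's /static assets match no
    # Route at all, which is why the separate WebStatic Service is configured.
    print(resolve("/static/css/site.css", routes=ROUTES[:1]))
```
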

Verify Configuration

After all the configurations are completed, you can see the following information in the Konga panel:

Show Results

After all the configurations are completed, you can access each test service through the external address exposed on Kong's port 8000 and the corresponding path.

WebService
Newinfo

Plug-in Function Expansion

Overview

Plug-ins are to Kong what the AOP function is to Spring: after a request arrives at Kong and before it is forwarded to the back-end application, Kong's built-in plug-ins process the request, for example for identity authentication, circuit breaking and rate limiting, blacklist and whitelist verification, and log collection. You can also develop your own custom plug-ins by following Kong's tutorial documents.

This section demonstrates Api-Key verification and ACL policy verification (access control) based on Kong's plug-in mechanism.

Prerequisites

WebService or newinfo has already been proxied through the operations above.

Steps

Key Auth Plugin

Add Plugin

In Konga, select PLUGINS, click ADD GLOBAL PLUGINS, select the Key Auth plug-in, and click ADD PLUGIN.

Fill in the content

| Option name | Fill in content | Description |
| --- | --- | --- |
| consumer | Leave blank by default | Fill in custom user name |
| key names | api_key | Fill in the custom key name |

Note: after filling in the key names, press Enter for the value to take effect.

Create User

Click Consumers, select CREATE CONSUMER, enter a custom user name, and click SUBMIT CONSUMER to submit.

Fill in api_key

Click Credentials, select API KEYS, click CREATE API KEY, fill in a custom key, and submit.

At this point, Api-Key verification based on the Key Auth plug-in is configured. For the resulting behavior, see Show Results below.

ACL+Basic Auth Plugin

ACL authorization policy grouping builds on an authentication mechanism: for the policy to take effect, at least one authentication plug-in must be enabled on the API. Here we use the ACL plug-in in combination with the Basic Auth plug-in.

Before starting, disable or delete the previously activated api_key plug-in so that it does not interfere.

Open Authorization Strategy Grouping Plugin

In Konga, select PLUGINS, click ADD GLOBAL PLUGINS, select the Basic Auth plug-in, and click ADD PLUGIN. There is no need to fill in any content; just activate it.

In the same way, find the Acl plug-in under Security and click ADD PLUGIN.

Fill in the content

| Option name | Fill in content | Description |
| --- | --- | --- |
| consumer | Leave blank by default | Fill in custom user name |
| whitelist | open | Custom whitelist |
| blacklist | Leave blank by default | Custom blacklist |

Note that after adding a whitelist or blacklist entry, you need to press Enter for it to take effect.

Create User

Click Consumers, select CREATE CONSUMER, enter a custom user name, and click SUBMIT CONSUMER to submit. Repeat the operation to create two users.

Assign Authorization Policy Groups to Users

Perform this step for both users.

Click Groups, then Add a group, and enter a custom group name. The group name must correspond to an entry in the whitelist or blacklist.

Add Basic Auth Authentication User and Password

Perform this step for both users.

Click Consumers, then Credentials, find Basic, and click CREATE CREDENTIALS. Enter a custom user name and password, which will be used in subsequent browser visits.

Show Results

Key Auth Plugin

To access the WebService or newinfo service, the request must include the defined api_key.

ACL+Basic Auth Plugin

To access the WebService or newinfo service, you must enter the Basic Auth user name and password defined above. Access is denied for the blacklisted user and works normally for the open user. Only users in the allowed group can call the API.

Access with the blacklisted user

Normal access with the open user
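The dependency described above, where the ACL plug-in can only evaluate a consumer that an authentication plug-in has already identified, as an added Python model; it is not Kong's code and not part of the original page. The user names, passwords, consumer names and the group name black are constructed placeholders, and the three outcome labels are this example's own rather than Kong responses.

```python
import base64
import hmac

# Constructed sample data mirroring the steps above: two consumers, each with
# a Basic Auth credential and one ACL group.
CREDENTIALS = {            # Basic Auth user name -> (password, consumer)
    "alice": ("alice-pass", "consumer_a"),
    "bob": ("bob-pass", "consumer_b"),
}
GROUPS = {"consumer_a": {"open"}, "consumer_b": {"black"}}
ACL_WHITELIST = {"open"}   # value entered in the ACL plug-in's whitelist field

def basic_header(user, password):
    """Build the Authorization header a browser sends after the login prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticate(headers):
    """Basic Auth step: return the matching consumer, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:     # malformed base64 or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")
    stored = CREDENTIALS.get(user)
    if not sep or stored is None:
        return None
    # Constant-time comparison avoids leaking how much of the password matched.
    if not hmac.compare_digest(password.encode(), stored[0].encode()):
        return None
    return stored[1]

def authorize(headers):
    """Return 'unauthenticated', 'forbidden' or 'allowed' for one request."""
    consumer = authenticate(headers)
    if consumer is None:
        # Without an identified consumer the ACL step has no groups to check.
        return "unauthenticated"
    if GROUPS.get(consumer, set()) & ACL_WHITELIST:
        return "allowed"
    return "forbidden"
```
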