Kong Konnect
- Updated on 22 Nov 2024
Kong Konnect is a cloud-native API management solution designed to simplify and secure the deployment of APIs and microservices. By integrating Kong Konnect with Traceable, organizations can enhance API security, gain end-to-end visibility, leverage advanced threat detection, and optimize API performance. The integration monitors traffic to detect threats such as malicious calls and data exfiltration, provides end-to-end visibility into API interactions across environments, and applies advanced machine-learning-based threat detection to identify sophisticated threats proactively.
Before you begin
Make a note of the following points before proceeding with deployment steps:
Access to Kong Konnect and Kong Gateway Deployment: Ensure Kong Konnect and Kong Gateway are set up.
Download Tools: You’ll need curl and luarocks.
Traceable Platform agent: Ensure the Traceable Platform agent (TPA) is installed. For more information, see Installation.
Traceable API Access: Ensure the Traceable Platform Agent (TPA) is reachable from Kong Gateway.
Namespace Details: If using Kubernetes, confirm the Kong namespace.
Deployment steps
Step 1: Download and Unpack the Traceable Kong Plugin
Download the plugin from LuaRocks:
curl -LO https://luarocks.org/manifests/traceableai/kong-plugin-traceable-2.1.0-1.src.rock
Unpack the downloaded plugin:
luarocks unpack kong-plugin-traceable-2.1.0-1.src.rock
Step 2: Upload the Plugin Schema to Kong Konnect
Navigate in Kong Konnect:
Gateway Manager → [Select a Gateway] → Plugins → New Plugin
Select Custom Plugins tab → Create under Custom Plugin.
Upload the schema.lua file from the Traceable plugin → Save.
To enable and configure the plugin:
Go back to Plugins → Enable on the Traceable plugin.
Configure the plugin options on the configuration page using the following settings:
Field | Description |
---|---|
Global vs Scoped | Global will apply to all services on the gateway, while Scoped allows granular control over which APIs send traffic to the Traceable plugin. |
Allow on Failure | Only used in |
Buffer Request Body | Only used in |
Ext Cap Endpoint | TPA Host, which must be reachable from the Kong gateway. |
Mode | |
Timeout | Connection timeout from Kong plugin to TPA, specified in milliseconds. |
Service Name | Name that will appear in the Traceable UI. |
Step 3: Add the Plugin to Kong Gateway Deployment
Option 1 — VM deployment
If you are running Kong on virtual machines (VMs), you can install the plugin using the following LuaRocks command:
luarocks install kong-plugin-traceable
Option 2 — Custom Docker Images
If using custom Kong Docker images, you can copy the Kong plugin source code into the image and set the KONG_PLUGINS environment variable as shown below:
FROM kong/kong-gateway:latest
USER root
# Copy the unpacked plugin
COPY kong-plugin-traceable-2.1.0-1/kong/plugins/traceable /usr/local/share/lua/5.1/kong/plugins/traceable
# Set KONG_PLUGINS to include traceable
ENV KONG_PLUGINS=bundled,traceable
USER kong
ENTRYPOINT ["/entrypoint.sh"]
EXPOSE 8000 8443 8001 8444
STOPSIGNAL SIGQUIT
HEALTHCHECK --interval=10s --timeout=10s --retries=10 CMD kong health
CMD ["kong", "docker-start"]
Option 3 — Official Docker Images (Volume Mount)
If you are using the official Kong Docker images and do not build custom Kong images, you can add the Traceable plugin by attaching a volume and setting the required environment variables. Use the following configuration:
version: "3.8"
services:
  kong:
    image: kong/kong-gateway:latest
    environment:
      - KONG_PLUGINS=bundled,traceable
      # Quote the whole entry: quotes placed around the value alone are passed to Kong literally
      - "KONG_LUA_PACKAGE_PATH=/opt/?.lua;;"
    volumes:
      - ./kong-plugin-traceable:/opt/kong/plugins/traceable
Note
The exact steps for adding the plugin may vary depending on the platform where your Kong containers are deployed. For platform-specific guidance, contact Traceable Support and discuss with your Customer Success representative to ensure proper configuration.
Option 4 — Kubernetes with Helm
If you are deploying Kong in Kubernetes with Helm, you can deploy the Traceable plugin source code as a ConfigMap.
Download the Plugin:
curl -LO https://luarocks.org/manifests/traceableai/kong-plugin-traceable-2.1.0-1.src.rock
Unpack the Plugin:
luarocks unpack kong-plugin-traceable-2.1.0-1.src.rock
Create the ConfigMap. Replace -n kong with your specific namespace if different:
kubectl create configmap -n kong kong-plugin-traceable --from-file=./kong-plugin-traceable-2.1.0-1/kong-plugin-traceable-2.1.0/kong/plugins/traceable/
Update the Helm values.yaml file for Kong:
gateway:
  plugins:
    configMaps:
      - name: kong-plugin-traceable
        pluginName: traceable
Option 5 — Kubernetes without Helm
If you are deploying Kong in Kubernetes without Helm, you can apply a strategic deployment patch to add the plugin volume. Follow these steps:
Download the Plugin:
curl -LO https://luarocks.org/manifests/traceableai/kong-plugin-traceable-2.1.0-1.src.rock
Unpack the Plugin:
luarocks unpack kong-plugin-traceable-2.1.0-1.src.rock
Create the ConfigMap. Replace -n kong with your specific namespace if different:
kubectl create configmap -n kong kong-plugin-traceable --from-file=./kong-plugin-traceable-2.1.0-1/kong-plugin-traceable-2.1.0/kong/plugins/traceable/
Create a Deployment Patch File: Save the following YAML content in a file named kong-traceable-patch.yml. Replace <replace with your metadata name> and <replace with your namespace> with your actual deployment name and namespace:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <replace with your metadata name>
  namespace: <replace with your namespace>
spec:
  template:
    spec:
      containers:
        - name: proxy
          env:
            - name: KONG_PLUGINS
              value: bundled,traceable
            - name: KONG_LUA_PACKAGE_PATH
              value: "/opt/?.lua;;"
          volumeMounts:
            - name: kong-plugin-traceable
              mountPath: /opt/kong/plugins/traceable
      volumes:
        - name: kong-plugin-traceable
          configMap:
            name: kong-plugin-traceable
Apply the Deployment Patch: Apply the patch to your Kong deployment using the following command. Make sure to replace <replace with deployment name> with the actual name of your Kong deployment:
kubectl patch deployments.apps --type strategic -n kong <replace with deployment name> --patch-file kong-traceable-patch.yml
Note
Since this patch only updates specific values, ensure that --type strategic is used to overwrite only the specified fields without affecting other parts of the deployment configuration.
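Options 3 and 5 both rely on KONG_PLUGINS naming the plugin and on KONG_LUA_PACKAGE_PATH resolving to the mounted directory. The following check is an added example, not code from Traceable or Kong: it resolves where the Lua loader would look for the plugin's handler and schema modules and flags quote characters that ended up inside the path value. The function name and the optional ROOT prefix are hypothetical, and only the explicit templates in the path are checked, not the default path that `;;` appends.

```sh
#!/bin/sh
# Added example (not Traceable's or Kong's code). ROOT is a hypothetical
# prefix for checking an extracted image or test tree; empty inside a container.

# check_traceable_plugin PLUGINS LUA_PATH [ROOT]
# 0 = enabled and both modules resolve; 1 = not enabled; 2 = quoted path;
# 3 = a module file was not found on any explicit template.
check_traceable_plugin() {
    plugins=$1; lua_path=$2; root=${3:-}

    # The plugin name must be an entry in the comma-separated KONG_PLUGINS.
    case ",$plugins," in
        *,traceable,*) ;;
        *) echo "traceable is not listed in KONG_PLUGINS" >&2; return 1 ;;
    esac

    # Quote characters that leaked into the value become part of the path.
    case $lua_path in
        *\"*|*\'*) echo "quote character inside KONG_LUA_PACKAGE_PATH" >&2; return 2 ;;
    esac

    # Kong requires kong.plugins.<name>.handler and kong.plugins.<name>.schema.
    # Lua tries each ';'-separated template with '?' replaced by the module path.
    for mod in handler schema; do
        found=
        old_ifs=$IFS; IFS=';'
        set -f                      # '?' is also a shell glob; do not expand it
        for tmpl in $lua_path; do
            case $tmpl in
                *\?*) ;;
                *) continue ;;      # empty entry (from ';;') or no placeholder
            esac
            file="$root${tmpl%%\?*}kong/plugins/traceable/$mod${tmpl#*\?}"
            if [ -f "$file" ]; then found=$file; break; fi
        done
        set +f; IFS=$old_ifs
        if [ -z "$found" ]; then
            echo "kong.plugins.traceable.$mod not found via $lua_path" >&2
            return 3
        fi
        echo "kong.plugins.traceable.$mod -> $found"
    done
    return 0
}
```

Inside a running container, call it as `check_traceable_plugin "$KONG_PLUGINS" "$KONG_LUA_PACKAGE_PATH"`; a non-zero status means Kong would not find the plugin at the mounted location.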