Kong Konnect
  • 06 Nov 2024

Kong Konnect is a cloud-native API management solution designed to simplify and secure the deployment of APIs and microservices. Integrating Kong Konnect with Traceable enhances API security by monitoring traffic to detect threats such as malicious calls and data exfiltration. It also provides end-to-end visibility into API interactions across environments, machine-learning-based threat detection to identify sophisticated threats proactively, and API performance optimization.


Before you begin

Make a note of the following points before proceeding with deployment steps:

  • Access to Kong Konnect and Kong Gateway Deployment: Ensure Kong Konnect and Kong Gateway are set up.

  • Download Tools: You’ll need curl and luarocks.

  • Traceable Platform Agent: Ensure the Traceable Platform Agent (TPA) is installed. For more information, see Installation.

  • Traceable API Access: Ensure the Traceable Platform Agent (TPA) is reachable from Kong Gateway.

  • Namespace Details: If using Kubernetes, confirm the Kong namespace.


Deployment steps

Step 1: Download and Unpack the Traceable Kong Plugin

  1. Download the plugin from LuaRocks:

    curl -LO https://luarocks.org/manifests/traceableai/kong-plugin-traceable-2.1.0-1.src.rock
  2. Unpack the downloaded plugin:

    luarocks unpack kong-plugin-traceable-2.1.0-1.src.rock
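
The rock downloaded in this step is code that will run inside the gateway, so the unpack can be gated on a pinned digest. The script below is an added example, not part of the Traceable documentation; `PINNED_SHA256` is a placeholder for the digest of a rock you have reviewed, and the `handler.lua` check assumes the standard Kong plugin layout.

```sh
#!/bin/sh
# Added example: verify the downloaded rock before unpacking it.
ROCK="kong-plugin-traceable-2.1.0-1.src.rock"
# Placeholder (assumption): digest of a copy of the rock you have reviewed.
PINNED_SHA256="<sha256-of-reviewed-rock>"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_rock FILE EXPECTED: return 0 only if FILE exists and its digest matches.
verify_rock() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $1: got $actual" >&2
        return 1
    fi
}

# find_plugin_dir ROOT: print the unpacked kong/plugins/traceable directory.
find_plugin_dir() {
    find "$1" -type d -path '*/kong/plugins/traceable' | head -n 1
}

# check_plugin_dir DIR: return 0 if DIR holds non-empty handler.lua and
# schema.lua (the standard Kong plugin layout, assumed for this plugin).
check_plugin_dir() {
    [ -n "$1" ] || { echo "plugin directory not found" >&2; return 1; }
    for f in handler.lua schema.lua; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
}

# Gate the unpack: runs only when the rock is in the current directory.
if [ -f "$ROCK" ]; then
    verify_rock "$ROCK" "$PINNED_SHA256" || exit 1
    luarocks unpack "$ROCK" || exit 1
    check_plugin_dir "$(find_plugin_dir "${ROCK%.src.rock}")" || exit 1
    echo "verified: $ROCK"
fi
```

Keep the pinned digest in version control next to the Dockerfile or Helm values so that a changed upstream artifact fails the build instead of reaching the gateway.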

Step 2: Upload the Plugin Schema to Kong Konnect

  1. Navigate in Kong Konnect:

    • Gateway Manager → [Select a Gateway] → Plugins → New Plugin

  2. Select Custom Plugins tab → Create under Custom Plugin.

  3. Upload the schema.lua file from the Traceable plugin → Save.

  4. To enable and configure the plugin:

    • Go back to Plugins → Enable on the Traceable plugin.

    • Configure the plugin options on the configuration page using the following settings:

| Field | Description |
|---|---|
| Global vs Scoped | Global will apply to all services on the gateway, while Scoped allows granular control over which APIs send traffic to the Traceable plugin. |
| Allow on Failure | Only used in sync mode; will block a request if communication to TPA fails. |
| Buffer Request Body | Only used in async mode, to buffer the request body for async export. |
| Ext Cap Endpoint | TPA Host, which must be reachable from the Kong gateway. |
| Mode | sync: Supports inline blocking; requires TME on the same Kong host. async: Does not support blocking and is asynchronous. |
| Timeout | Connection timeout from Kong plugin to TPA, specified in milliseconds. |
| Service Name | Name that will appear in the Traceable UI. |


Step 3: Add the Plugin to Kong Gateway Deployment

Option 1 — VM deployment

If you are running Kong on virtual machines (VMs), you can install the plugin using the following LuaRocks command:

    luarocks install kong-plugin-traceable

Option 2 — Custom Docker Images

If you are using custom Kong Docker images, you can copy the Kong plugin source code into the image and set the KONG_PLUGINS environment variable as shown below:

    FROM kong/kong-gateway:latest
    USER root

    # Copy the unpacked plugin
    COPY kong-plugin-traceable-2.1.0-1/kong/plugins/traceable /usr/local/share/lua/5.1/kong/plugins/traceable
    # Set KONG_PLUGINS to include traceable
    ENV KONG_PLUGINS=bundled,traceable

    USER kong
    ENTRYPOINT ["/entrypoint.sh"]
    EXPOSE 8000 8443 8001 8444
    STOPSIGNAL SIGQUIT
    HEALTHCHECK --interval=10s --timeout=10s --retries=10 CMD kong health
    CMD ["kong", "docker-start"]

Option 3 — Official Docker Images (Volume Mount)

If you are using the official Kong Docker images and do not build custom Kong images, you can add the Traceable plugin by attaching a volume and setting the required environment variables. Use the following configuration:

    version: "3.8"
    services:
      kong:
        image: kong/kong-gateway:latest
        environment:
          - KONG_PLUGINS=bundled,traceable
          - KONG_LUA_PACKAGE_PATH=/opt/kong/plugins/traceable/?.lua;;
        volumes:
          - ./kong-plugin-traceable:/opt/kong/plugins/traceable

Note

The exact steps for adding the plugin may vary depending on the platform where your Kong containers are deployed. For platform-specific guidance, contact Traceable Support and discuss with your Customer Success representative to ensure proper configuration.


Option 4 — Kubernetes with Helm

If you are deploying Kong in Kubernetes with Helm, you can deploy the Traceable plugin source code as a ConfigMap.

  1. Download the Plugin:

    curl -LO https://luarocks.org/manifests/traceableai/kong-plugin-traceable-2.1.0-1.src.rock
  2. Unpack the Plugin:

    luarocks unpack kong-plugin-traceable-2.1.0-1.src.rock
  3. Create the ConfigMap. Replace -n kong with your specific namespace if different:

    kubectl create configmap -n kong kong-plugin-traceable --from-file=./kong-plugin-traceable-2.1.0-1/kong-plugin-traceable-2.1.0/kong/plugins/traceable/
  4. Update the Helm values.yaml file for Kong:

    gateway:
      plugins:
        configMaps:
        - name: kong-plugin-traceable
          pluginName: traceable

Option 5 — Kubernetes without Helm

If you are deploying Kong in Kubernetes without Helm, you can apply a strategic deployment patch to add the plugin volume. Follow these steps:

  1. Download the Plugin:

    curl -LO https://luarocks.org/manifests/traceableai/kong-plugin-traceable-2.1.0-1.src.rock
  2. Unpack the Plugin:

    luarocks unpack kong-plugin-traceable-2.1.0-1.src.rock
  3. Create the ConfigMap. Replace -n kong with your specific namespace if different:

    kubectl create configmap -n kong kong-plugin-traceable --from-file=./kong-plugin-traceable-2.1.0-1/kong-plugin-traceable-2.1.0/kong/plugins/traceable/
  4. Create a Deployment Patch File: Save the following YAML content in a file named kong-traceable-patch.yml. Replace <replace with your metadata name> and <replace with your namespace> with your actual deployment name and namespace:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: <replace with your metadata name>
      namespace: <replace with your namespace>
    spec:
      template:
        spec:
          containers:
          - name: proxy
            env:
            - name: KONG_PLUGINS
              value: bundled,traceable
            - name: KONG_LUA_PACKAGE_PATH
              value: "/opt/kong/plugins/traceable/?.lua;;"
            volumeMounts:
            - name: kong-plugin-traceable
              mountPath: /opt/kong/plugins/traceable
          volumes:
          - name: kong-plugin-traceable
            configMap:
              name: kong-plugin-traceable
  5. Apply the Deployment Patch: Apply the patch to your Kong deployment using the following command. Make sure to replace <replace with deployment name> with the actual name of your Kong deployment:

    kubectl patch deployments.apps --type strategic -n kong <replace with deployment name> --patch-file kong-traceable-patch.yml

Note

Since this patch only updates specific values, ensure that --type strategic is used to overwrite only the specified fields without affecting other parts of the deployment configuration.

