I have a bunch of rest services. I want to have a kong api gateway implemented at the front. I dont want to go into kong admin api and manually add all the exposed api.
Can i take help of any service discovery implementation like eureka or consul to autoconfigure my apis to Kong.
I'm afraid not.
Kong's configurations are stored in postgres and updated through the admin API, you can write your own program to import.
Related
I have developed my microservices in springboot, want to implement API gateway in it.
My frontend is Angular.
Read in detail from here:
https://spring.io/guides/gs/gateway/
(All about how to create and config gateway in spring-boot.)
I deployed Swagger APIs in an ec2 instance working with port number. Then, I want to integrate with API gateway for reverse proxy and cors policy. How can I do that? Can any one help on this?
i am able to combine all swagger apis in api gateway.Import the swagger json file in apigateway and add the integration methods according to the requirement either lambda or html or aws services and deploy the api.
So I have a very small micro service architecture built using Eureka service discovery. The problem I am facing right now is that I only want my service endpoints to accept request from my api gateway, as it is right now you can just make a request straight to the service and hit that service endpoint. Is this a problem Kubernetes would solve? Or Is there a more practical way of doing this?
You should be using network policies to control the traffic between the services.
In kubernetes the services you want to expose internally use service type ClusterIP. This is default anyway which means services are accessible within cluster only. your api gateway is exposed as load balancer service type which then takes traffic from external world and talks to services internally. Depending on your cloud provider you can use firewall in front of load balancer since you can compromise security by simply exposing load balancer. e.g. azure kubernetes you could use application gateway. You can also replace the api gateway with ingress controller. it's very powerful reverse proxy controller which you can expose directly to traffic and that would talk to your services internally.
You really need to understand concepts so i would recommend following links
https://kubernetes.io/docs/concepts/services-networking/service/
https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d
The setup:
I have a set of Spring Boot based microservices that are fronted by Spring Cloud Gateway, meaning every request that comes from UI or external API client first comes to Spring Cloud Gateway and is then forwarded to appropriate microservice.
The routes are configured in Consul, and Spring Cloud Gateway communicates with Consul to get the routes accordingly.
Requirement:
There is a need of some microservices communicating with each other with REST APIs. I would prefer this communication to happen via the Spring Cloud Gateway as well. This will help in reducing multiple services going to Consul for getting other service's details.
This means every service should know Gateway's detail at least. And there can be multiple instances of Gateways as well. How is this dealt with in bigger architectures?
Any example that I look up contains one service using Consul, or Gateway using the consul with one microservice. Couldn't understand how to extrapolate that design to a bigger system.
I'm wondering what to do with an API Endpoint when using a API Gateway. For example when you following the tutorial here: https://wiredcraft.com/blog/securing-components-in-a-microservice-context
You are using keycloak and kong (api-gateway) to secure the api. With kong you're getting an new Endpoint under http://localhost:8000/data. But the "original" express Server is still listening on http://localhost:3001/data.
That means that when a user/attacker knows the url of the "orignal" service and doesn't use the kong url (port 8000) he/she can still work with the api.
So my question is about the strategy and what to do with the original api? How could that be secured. Shall we implement the keycloak request on the api as well? But where are the benefits of kong then?
Your API gateway gives you a single entrypoint that simplifies how client applications access your services. You could add keycloak security on the gateway and not on the services behind - perhaps if you've a setup where you can block network access for clients to any services except the gateway. But even then you might still want the gateway and keycloak on the services behind.
The reason you might put keycloak on the services behind is because they are likely to need to know the identity of the user making the request. If they are going to read the token anyway then it might be most straightforward to add keycloak to them. And you'd still want the gateway to simplify life for clients. You'd then also want the gateway to forward the token to the services behind the gateway. (We're using keycloak and spring cloud gateway on the Activiti Cloud project and this is essentially how we decided to secure the services themselves with keycloak and have the gateway forward the token to them.)