Where to store sensitive information in kong api-gateway declarative mode

Time:05-09

I am trying to use key-auth and acl plugins of kong in a db-less declarative manner.

In kong.yml I have:

_format_version: "2.1"
_transform: true

services:
  - name: gamma-live
    host: gamma
    port: 8000
    protocol: http
    path: /live
    plugins:
      - name: key-auth
        config:
          key_names:
            - kong-key-auth
          key_in_body: false
          key_in_header: true
          key_in_query: false
          hide_credentials: true
          run_on_preflight: true
      - name: acl
        config:
          allow:
            - group1

    routes:
      - name: gamma-live
        methods:
          - GET
        paths:
          - /gamma/live
        strip_path: true

consumers:
  - username: mars
    keyauth_credentials:
      - key: mars-key
  - username: zeus
    keyauth_credentials:
      - key: zeus-key

acls:
  - consumer: mars
    group: group1

As you see, I have two consumers: mars and zeus.

And their credentials are mars-key and zeus-key.

And I use git version control, so I push it to the remote repository, which I want to avoid!

How should I do this?

Note that I run the gamma service and kong each on a docker container of its own.

CodePudding user response:

There are several ways to do this:

You can use a secret manager (the best is Vault by HashiCorp).

You can use, for your case, Docker secrets (cf. https://docs.docker.com/engine/swarm/secrets/).

I recommend that you begin using Kubernetes (a container orchestrator, the best, but you must know it) to deploy your containers; you could then use Kubernetes secrets, which are unfortunately natively encoded in base64, but there are a lot of ways to connect them to Vault (to make k8s fetch the secret from Vault, cf. vault-injector) or use things like kubeseal etc.

However, every enterprise should use Vault by HashiCorp (or something equivalent, but again Vault has a very large number of implementation plugins).
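
The Docker secrets option from the answer above, as an added example that is not part of the original thread: commit a kong.yml template with placeholders and render the real file at container start from the mounted secret files. The `@@SECRET:<name>@@` syntax, the function names and the sample keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. The @@SECRET:<name>@@ placeholder
# syntax and the function names are assumptions of this sketch.

# render_kong_config TEMPLATE SECRETS_DIR OUTPUT
# Fills each placeholder from SECRETS_DIR/<name>; fails closed on any problem.
render_kong_config() (
    template=$1; secrets_dir=$2; output=$3
    umask 077                                  # the rendered file holds live keys
    tmp=$(mktemp "$output.XXXXXX") || exit 1
    fail() { echo "$1" >&2; rm -f "$tmp" "$tmp.next"; exit 1; }  # never logs a value
    cat "$template" > "$tmp" || fail "cannot read template"
    names=$(grep -o '@@SECRET:[A-Za-z0-9_-]*@@' "$template" | sort -u |
            sed 's/^@@SECRET://; s/@@$//')
    for name in $names; do
        [ -s "$secrets_dir/$name" ] || fail "missing or empty secret: $name"
        value=$(head -n 1 "$secrets_dir/$name" | tr -d '\r')
        case $value in                         # refuse anything that could alter the YAML
            ''|*[!A-Za-z0-9._~+/=-]*) fail "secret $name: unexpected characters" ;;
        esac
        sed "s|@@SECRET:$name@@|$value|g" "$tmp" > "$tmp.next" || fail "render failed"
        mv "$tmp.next" "$tmp" || fail "render failed"
    done
    if grep -q '@@SECRET:' "$tmp"; then fail "unresolved placeholder"; fi
    mv "$tmp" "$output"                        # replace the output in one step
)

# Constructed demo: the template as committed to git, secrets as Docker mounts them.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/secrets"
    printf 'constructed-mars-key-1\n' > "$d/secrets/mars_key"
    printf 'constructed-zeus-key-2\n' > "$d/secrets/zeus_key"
    cat > "$d/kong.yml.tpl" <<'EOF'
consumers:
  - username: mars
    keyauth_credentials:
      - key: "@@SECRET:mars_key@@"
  - username: zeus
    keyauth_credentials:
      - key: "@@SECRET:zeus_key@@"
EOF
    render_kong_config "$d/kong.yml.tpl" "$d/secrets" "$d/kong.yml" && cat "$d/kong.yml"
    rc=$?; rm -rf "$d"; return $rc
}
```

In a Kong container the entrypoint would call `render_kong_config` with `/run/secrets` as the secrets directory before starting Kong, with `KONG_DECLARATIVE_CONFIG` pointing at the rendered file. Only the template is committed; the rendered kong.yml belongs in `.gitignore`.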

CodePudding user response:

but again Vault has a very large number of implementation plugins

Agree! And Apache APISIX supports Vault as well, check https://apisix.apache.org/blog/2022/01/21/apisix-hashicorp-vault-integration/
