I am trying to use the key-auth and acl plugins of Kong in a db-less declarative manner. In kong.yml I have:
```yaml
_format_version: "2.1"
_transform: true
services:
- name: gamma-live
  host: gamma
  port: 8000
  protocol: http
  path: /live
  plugins:
  - name: key-auth
    config:
      key_names:
      - kong-key-auth
      key_in_body: false
      key_in_header: true
      key_in_query: false
      hide_credentials: true
      run_on_preflight: true
  - name: acl
    config:
      allow:
      - group1
  routes:
  - name: gamma-live
    methods:
    - GET
    paths:
    - /gamma/live
    strip_path: true
consumers:
- username: mars
  keyauth_credentials:
  - key: mars-key
- username: zeus
  keyauth_credentials:
  - key: zeus-key
acls:
- consumer: mars
  group: group1
```
As you see, I have two consumers, mars and zeus, and their credentials are mars-key and zeus-key. I use git version control, so I push this file to the remote repository, which I want to avoid! How should I do this?
Note that I run the gamma service and Kong each in a Docker container of its own.
CodePudding user response:
There are several ways to do this:
You can use a secret manager (the best is Vault by HashiCorp).
For your case, you can use Docker secrets (cf. https://docs.docker.com/engine/swarm/secrets/#:~:text=About secrets,in your application's source code. )
I recommend you begin using Kubernetes (a container orchestrator, the best, but you must know it) to deploy your containers; you could then use Kubernetes Secrets, which unfortunately are natively only base64-encoded, but there are many ways to connect them to Vault (to make k8s fetch the secret from Vault, cf. vault-injector) or to use things like kubeseal etc.
However, every enterprise should use Vault by HashiCorp (or something equivalent, but again Vault has a very large number of implementation plugins).
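One concrete way to keep the keys out of git while staying db-less, as an added example that is not from the question, the answer above, or Kong itself: commit a kong.yml template whose credentials are placeholders, and render the real kong.yml inside the Kong container at start-up from Docker secrets or environment variables. The `${NAME}` placeholder syntax, the names `KONG_KEY_MARS` and `KONG_KEY_ZEUS`, and the script are assumptions of this example; `/run/secrets/<name>` is where Docker (Swarm, and Compose file-based secrets) mounts secrets.

```python
import json
import os
import re
import sys
from pathlib import Path

# Placeholder syntax assumed for this example: ${UPPER_SNAKE_CASE}
PLACEHOLDER = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")

# Constructed template: the question's kong.yml with the two keys replaced by
# placeholders. This file is what gets committed; the rendered one never is.
KONG_TEMPLATE = """\
_format_version: "2.1"
_transform: true
services:
- name: gamma-live
  host: gamma
  port: 8000
  protocol: http
  path: /live
  plugins:
  - name: key-auth
    config:
      key_names:
      - kong-key-auth
      key_in_body: false
      key_in_header: true
      key_in_query: false
      hide_credentials: true
      run_on_preflight: true
  - name: acl
    config:
      allow:
      - group1
  routes:
  - name: gamma-live
    methods:
    - GET
    paths:
    - /gamma/live
    strip_path: true
consumers:
- username: mars
  keyauth_credentials:
  - key: ${KONG_KEY_MARS}
- username: zeus
  keyauth_credentials:
  - key: ${KONG_KEY_ZEUS}
acls:
- consumer: mars
  group: group1
"""


def find_placeholders(template):
    """Sorted, de-duplicated placeholder names referenced by the template."""
    return sorted(set(PLACEHOLDER.findall(template)))


def docker_secret_or_env(name, secrets_dir="/run/secrets", env=None):
    """Docker/Compose secret file first, environment variable second, else None."""
    env = os.environ if env is None else env
    secret_file = Path(secrets_dir) / name
    if secret_file.is_file():
        # Secret files usually end with a newline; it is not part of the key.
        return secret_file.read_text(encoding="utf-8").rstrip("\r\n")
    return env.get(name)


def missing_secrets(template, lookup):
    """Every placeholder the lookup cannot satisfy, not just the first one."""
    return [name for name in find_placeholders(template) if lookup(name) is None]


def render(template, lookup):
    """Fill every placeholder or raise; never emit a half-rendered config."""
    missing = missing_secrets(template, lookup)
    if missing:
        raise KeyError("secrets not provided: " + ", ".join(missing))
    # Emit each value as a double-quoted YAML scalar (JSON string syntax is valid
    # YAML) so a key containing '#', ':' or a newline cannot alter the document.
    return PLACEHOLDER.sub(lambda m: json.dumps(lookup(m.group(1))), template)


def main(argv):
    # Usage: render.py [template] [output]; no arguments renders the embedded template to stdout.
    template = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else KONG_TEMPLATE
    try:
        rendered = render(template, docker_secret_or_env)
    except KeyError as exc:
        print(exc.args[0], file=sys.stderr)
        return 1
    if len(argv) > 2:
        out = Path(argv[2])
        out.write_text(rendered, encoding="utf-8")
        out.chmod(0o600)  # the rendered file holds live credentials
    else:
        sys.stdout.write(rendered)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the Kong container's entrypoint before Kong starts, point `KONG_DECLARATIVE_CONFIG` at the rendered file, and add that file to `.gitignore` so only the template is tracked. The script refuses to produce output if any placeholder is unresolved, which is what you want: a half-rendered config would otherwise load with a literal `${KONG_KEY_MARS}` as a valid API key.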
CodePudding user response:
"but again Vault has a very large number of implementation plugins"
Agreed! And Apache APISIX supports Vault as well, check https://apisix.apache.org/blog/2022/01/21/apisix-hashicorp-vault-integration/