Secure your Your Microservices Using Kong and Kubernetes

API Key — What is an API Key?

An API key or application programming interface key is a code that gets passed in by computer applications. The program or application then calls the API or application programming interface to identify its user, developer or calling program to a website.

Application programming keys are normally used to assist in tracking and controlling how the interface is being utilized. Often, it does this to prevent abuse or malicious use of the API in question.

An API key can act as a secret authentication token as well as a unique identifier. Typically, the key will come with a set of access rights for the API that it is associated with.

When and Why to Use API Keys

API keys are used with projects, while authentication is designated for the users. Cloud Endpoints will, in many cases, handle both the authentication procedures as well as the API keys. The differentiating factor between the two is:Authentication tokens are used to identify the users, i.e., the person who is using that particular website or application.
API keys are used to identifying the project making the call. This can either be the website or the application that is making the call to the application programming interface.

Prerequisites

You’ll need a few things before we start setting up our services:

• Kubernetes cluster: You can use Minikube or a GKE cluster for the purpose of this tutorial. We run a Kubernetes cluster v 1.18.x.
• Helm: We will be using Helm to install all of our components. Tiller should be installed on your k8s cluster and helm CLI should be available on your workstation. You can follow Helm’s quickstart guide to set up helm.

Once you’ve Kubernetes and Helm setup, you’re good to proceed.

Caution: Some settings in this guide are tweaked to keep this guide simple. These settings are not meant for Production usage.

Set Up Kong

Next, we will install Kong, if you don’t already have it installed in your Kubernetes cluster.
We chose to use the Kong Ingress Controller for this purpose since it allows us to configure Kong using Kubernetes itself. You can also choose to install Kong as an application and configure it using Kong’s Admin API.

Run the following commands to create the Kong namespace and then install Kong using the helm chart:

helm install kong bitnami/kong --namespace kong --create-namespace --set ingressController.installCRDs=false   --version 3.4.5

Set Up Port Forwards

Now, we will gain access to the components we just deployed. In a production environment, you would have a Kubernetes Service with external IP or load balancer, which would allow you to access Prometheus, Grafana and Kong. For demo purposes, we will set up port-forwarding using kubectl to get access. Please do not do this in production.

Open a new terminal and execute the following commands:

kubectl port-forward svc/kong -n kong  8080:80

Use KongIngress with Ingress resource

By default, Kong will proxy the entire path to the service. This can be seen in the real path value in the above response.

We can configure Kong to strip out the part of the path defined in the Ingress rule and to only respond to GET requests for this particular rule.

To modify these behaviours, let’s first create a KongIngress resource defining the new behaviour:

echo "kind: KongIngress
apiVersion: configuration.konghq.com/v1
metadata:
  name: billing-apikey
route:
  headers:
    x-apikey-header:
      - 25f24df5-e576-469f-88a6-778baa29570f " | kubectl apply -f -

Setup Services

Now, we have all the components for monitoring setup, we will spin up some services for demo purposes and setup Ingress routing for them.

Install Services

We will setup three services: billing.
Execute the following to spin these services up:

kubectl apply -f https://bit.ly/3bnf726

Install Ingress for the Services

Next, once the services are up and running, we will create Ingress routing rules in Kubernetes. This will configure Kong to proxy traffic destined for these services correctly.

Execute the following:

echo "apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    konghq.com/strip-path: 'true'
    kubernetes.io/ingress.class: kong
    konghq.com/override: billing-apikey
  name: billing-apikey-ingresses
spec:
  rules:
    - host: localhost
      http:
        paths:
          - path: /billing-apikey
            backend:
              serviceName: billing
              servicePort: 80 " | kubectl apply -f -

without x-apikey-header

curl --location --request GET 'http://localhost:8080/billing-apikey/json'

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 3.2 Final//EN”>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

with x-apikey-header

curl --location --request GET 'http://localhost:8080/billing-apikey/json' \
--header 'x-apikey-header: 25f24df5-e576-469f-88a6-778baa29570f'

{
"slideshow": {
"author": "Yours Truly",
"date": "date of publication",
"slides": [
{
"title": "Wake up to WonderWidgets!",
"type": "all"
},
{
"items": [
"Why <em>WonderWidgets</em> are great",
"Who <em>buys</em> WonderWidgets"
],
"title": "Overview",
"type": "all"
}
],
"title": "Sample Slide Show"
}
}