Install the Kong Gateway Example Application
Be sure kubectl is configured to point to the cluster you want to use for the Kong Gateway example application.
In the Styra DAS GUI, follow the Quick Start instructions to install the Kong Gateway through the Helm method.
To configure Styra on Kong Gateway, you must copy and paste all the installation command from SYSTEMS >> Settings >> Install. This commands installs Custom Kong plugin for OPA, configures Kong plugin for OPA authorization and configure OPA to connect to DAS via Styra Local Plane (SLP).
Quick Start provides the link to install example application. It consists of the following components which should now be running in your minikube. All resources are suffixed by the SYSTEM ID to mark them as unique.
example-app: A simple HTTP web server that allows employees of a hypothetical organization to obtain salary details at the path
/finance/salary. It also exposes a path/hr/dashboardthat is only accessible by employees who are part of HR. Functionally, it is a simple echo server that returns a HTTP 200 response with a plain or text body which contains a success or error message.sample-ingress: An ingress resource which exposes HTTP route from outside the cluster to example-app service within the cluster. The Kong plugin for OPA is enabled by annotating the ingress resource with
konghq.com/plugins: kong-plugin-opa.slp: Styra Local Plane (SLP) is a service that acts as an intermediary between the OPAs and Styra DAS. OPAs are configured to retrieve bundles from SLP rather than directly from DAS. This increases availability as SLP fetches bundles from Styra DAS and persists them to disk, so policies are still available to new or restarted OPAs even if Styra DAS is unavailable.
When you run the Kong Gateway example application, the OPA sidecars will pull down the policy from DAS tenant and start enforcing it. This process takes few minutes to complete.
Figure 1 - Kong Gateway Example ApplicationConfigure Kong Plugin for HTTP
If you want to configure Kong Plugin other than the Unix Domain Socket(UDS) based plugin, then you must change the following two files:
Kong Plugin Configuration File
The Kong plugin configuration file added in the Install section, can be used to configure Unix Domain Socket (UDS) based plugin. If you want to configure HTTP based plugin, then save the following KongPlugin configuration content into a new file (suggested name kong-plugin-http-config.yaml) and execute kubectl -f apply kong-plugin-http-config.yaml command to apply the configuration.
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: kong-plugin-opa
config:
server:
host: localhost
port: 8181
policy:
decision: main/main
plugin: opa
OPA Sidecar Values YAML Configuration File
You must save the Sidecar deployment configuration into a new file (suggested name opa-sidecar-http-values.yaml), execute helm upgrade kong-quickstart kong/kong -n kong -f opa-sidecar-http-values.yaml command to apply the configuration, and finally execute kubectl get pods -n kong -w command to watch for the Pod status to appear as Running status.
# -----------------------------------------------------------------------------
# Deployment parameters for HTTP configuration
# -----------------------------------------------------------------------------
deployment:
sidecarContainers:
- image: openpolicyagent/opa:latest
name: opa
volumeMounts:
- readOnly: true
mountPath: /config
name: opa-config
env:
- name: OPA_LOG_TIMESTAMP_FORMAT
value: "2006-01-02T15:04:05.999999999Z07:00"
args:
- "run"
- "--server"
- "--config-file=/config/conf.yaml"
- "--addr=http://localhost:8181"
ports:
- containerPort: 8181
userDefinedVolumes:
- name: opa-config
configMap:
name: opa-config
plugins:
configMaps:
- name: kong-plugin-opa
pluginName: opa