Install the Kong Gateway Example Application

Be sure kubectl is configured to point to the cluster you want to use for the Kong Gateway example application.

In the Styra DAS GUI, follow the Quick Start instructions to install the Kong Gateway through the Helm method.

To configure Styra on Kong Gateway, you must copy and paste all the installation commands from SYSTEMS >> Settings >> Install. These commands install the custom Kong plugin for OPA, configure the Kong plugin for OPA authorization, and configure OPA to connect to DAS via Styra Local Plane (SLP).

Quick Start provides the link to install the example application. It consists of the following components, which should now be running in your minikube. All resources are suffixed by the SYSTEM ID to mark them as unique.

  • example-app: A simple HTTP web server that allows employees of a hypothetical organization to obtain salary details at the path /finance/salary. It also exposes a path /hr/dashboard that is only accessible by employees who are part of HR. Functionally, it is a simple echo server that returns an HTTP 200 response with a plain or text body which contains a success or error message.

  • sample-ingress: An ingress resource which exposes an HTTP route from outside the cluster to the example-app service within the cluster. The Kong plugin for OPA is enabled by annotating the ingress resource with konghq.com/plugins: kong-plugin-opa.

  • slp: Styra Local Plane (SLP) is a service that acts as an intermediary between the OPAs and Styra DAS. OPAs are configured to retrieve bundles from SLP rather than directly from DAS. This increases availability as SLP fetches bundles from Styra DAS and persists them to disk, so policies are still available to new or restarted OPAs even if Styra DAS is unavailable.

When you run the Kong Gateway example application, the OPA sidecars pull down the policy from the DAS tenant and start enforcing it. This process takes a few minutes to complete.

Figure 1 - Kong Gateway Example Application

Configure Kong Plugin for HTTP

If you want to configure a Kong plugin other than the Unix Domain Socket (UDS) based plugin, you must change the following two files:

Kong Plugin Configuration File

The Kong plugin configuration file added in the Install section can be used to configure the Unix Domain Socket (UDS) based plugin. If you want to configure the HTTP based plugin, save the following KongPlugin configuration into a new file (suggested name kong-plugin-http-config.yaml) and run kubectl apply -f kong-plugin-http-config.yaml to apply the configuration.

---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-plugin-opa
config:
  server:
    host: localhost
    port: 8181
  policy:
    decision: main/main
plugin: opa

OPA Sidecar Values YAML Configuration File

You must save the sidecar deployment configuration into a new file (suggested name opa-sidecar-http-values.yaml), run helm upgrade kong-quickstart kong/kong -n kong -f opa-sidecar-http-values.yaml to apply the configuration, and finally run kubectl get pods -n kong -w to watch until the Pod status shows Running.

# -----------------------------------------------------------------------------
# Deployment parameters for HTTP configuration
# -----------------------------------------------------------------------------
deployment:
  sidecarContainers:
    - image: openpolicyagent/opa:latest
      name: opa
      volumeMounts:
        - readOnly: true
          mountPath: /config
          name: opa-config
      env:
        - name: OPA_LOG_TIMESTAMP_FORMAT
          value: "2006-01-02T15:04:05.999999999Z07:00"
      args:
        - "run"
        - "--server"
        - "--config-file=/config/conf.yaml"
        - "--addr=http://localhost:8181"
      ports:
        - containerPort: 8181
  userDefinedVolumes:
    - name: opa-config
      configMap:
        name: opa-config

plugins:
  configMaps:
    - name: kong-plugin-opa
      pluginName: opa
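
The HTTP variant depends on the two files above agreeing: the plugin's server host and port must point at the address the OPA sidecar listens on, and that address should stay on loopback so the OPA API is not exposed on the pod network. The following pre-apply check is an added example, not part of the Styra documentation; the function names and the regex-based field extraction are assumptions of this sketch, and the two sample strings are constructed from the files above, trimmed to the fields it reads.

```python
import re
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample input: the two files from this page, trimmed to the
# fields the check reads.
KONG_PLUGIN = """\
config:
  server:
    host: localhost
    port: 8181
"""
SIDECAR_VALUES = """\
deployment:
  sidecarContainers:
    - name: opa
      args:
        - "--addr=http://localhost:8181"
      ports:
        - containerPort: 8181
"""

def _field(text, pattern):
    """First capture of pattern in text, unquoted, or None if absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip("\"'") if m else None

def lint(plugin_yaml, values_yaml):
    """Return findings; an empty list means plugin and sidecar agree."""
    findings = []
    host = _field(plugin_yaml, r"^\s*host:\s*(\S+)")
    port = _field(plugin_yaml, r"^\s*port:\s*(\S+)")
    addr = _field(values_yaml, r"--addr=([^\s\"']+)")
    cport = _field(values_yaml, r"containerPort:\s*(\S+)")
    if addr is None:
        return ["sidecar args set no --addr"]
    # Accept both "http://host:port" and bare "[host]:port" forms.
    listen = urlsplit(addr if "//" in addr else "//" + addr)
    if listen.hostname not in LOOPBACK:
        findings.append(f"OPA listens on {addr}: exposed on the pod network")
    if host not in LOOPBACK:
        findings.append(f"plugin host {host} is not the in-pod sidecar")
    if str(listen.port) != port:
        findings.append(f"plugin port {port} != OPA --addr port {listen.port}")
    if cport is not None and cport != str(listen.port):
        findings.append(f"containerPort {cport} != OPA --addr port {listen.port}")
    return findings
```

To check real files, pass their contents to lint() before running kubectl apply and helm upgrade; a bare --addr=:8181 is reported because it binds every interface of the pod.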