Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kong / APISecOps ROSA and Kong Konnect in the Red Hat Openshift / 31 Jan 2023
Kong / APISecOps ROSA and Kong Konnect in the Red Hat Openshift / 31 Jan 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Part 3/8 - Review + Config 8-Part APISecOps Tutorial ROSA and Kong Konnect in the Red Hat Openshift

Description

APISecOps - Insomnia, Kong Konnect, Tekton - on ROSA

Part 3 of 8 Kong Partner Engineering's APISecOps Tutorial ROSA and Kong Konnect in the Red Hat Openshift Ecosystem: Getting Started p2 - Review of Sandboxes and Clusters + ROSA and Konnect Configuration

In part 3 we continue with Part 2 of "Getting Started" post Playbook completion, starting with collecting output information that will be used throughout the demo.

In in the following part of tutorial in part 4, we will begin diving into Insomnia and starting the first step in API design.

Follow along in GitHub: https://github.com/Kong/kong-apisecops-redhat#introduction

Getting Started

ROSA and Konnect Configuration

Execute the install ansible playbook. The play will do the following:

Cert Manager Operator - install and create Konnect DP self-signed certs
Openshift Pipelines Operator - install
Gitea - install and configure
Konnect
create and/or configure runtime groups (Default and Dev)
create konnect gateways (runtime instances)
APIOps - create namespaces, install tekton pipelines and create tekton pipelineruns
Disputes Sample App - create namespace and deploy

Infrastructure
Konnect

Two Runtime Groups will be either created or at least checked that it exists - Default, and Dev.

Each runtime group will be provisioned 1 runtime instance (also referred to as a Gateway, Dataplane, or Proxy), each one will be in their own namespace, kong-sandbox, and kong-dev. These Gateways are exposed via loadbalancers, and are where API Consumers will call the protected backend services.

Openshift Pipelines/Tekton

The three pipelines to be executed will be in the namespaces disputes-apispec and apiops-gateway. The separation between namespaces is to demonstrate how pipelines belonging to different personas (Dev Teams vs. Governance and API Operator teams) can be managed in a more secure fashion.

Gitea (Self-hosted Git service)

Gitea is a self-hosted Git service. It is stood up in the cluster in the gitea namespace. The two git repos required to run the demo are imported, and any dummy passwords needed for the demo are seeded in the projects and provided to the user. Details on the two repositories:

acmebank-disputes-apispec: Contains the .insomnia design disputes API Design doc.
acmebank-apiops-gateway: Contains the governance rules, deck and apispec files version controlled.
Disputes Sample Application

The sample application is deployed in disputes-dev namespace. It is a very small JBoss EAP application server.

Find all the resources you need in our self-paced demo on GitHub: https://github.com/Kong/kong-apisecops-redhat#introduction

A

Okay, so when the Playbook is finished, roommates it's finished successfully. What you're gonna see is the last task is going to be print demo, facts and what this is just going to be an output of any important information that you may need to run it to run that you're going to use throughout the demo. So it'll come up like right. We're right here: we've got gitty we're gonna use con Dev and con sandbox facts for uh for insomnia.

A

Now, if you lose track of these, it's okay, because if you navigate into the ansible directory you'll, see there's a demo underscore fax dot Json file, and this has all the facts for you as well all right. So let's go ahead and make sure we're logged into cluster and we will uh we'll navigate. Let's go ahead and navigate open shifts and see what we've deployed.

A

So, first, let's take a look at the projects we that we've got running. So let's do OC get projects spell.

A

Wow, it's super slow and, let's see what we got so we we created a Gateway or an API Ops Gateway namespace as well as disputes API, spec namespace. These namespaces are for running our Pipelines.

A

Then we've got disputes Dev. This is where we're going to have. This is where the disputes microsurface is actually running. Giti is for the Getty self-hosted git Repository namespace, and then the last two important ones are con Dev and Cog sandbox. This is where our gateways are running, so let's go ahead and navigate into cogs fan box to see. What's in there.

A

um Sandbox already on it, oh yeah.

A

And so what we can see here is that we've got one pod. It's called connect, DPT, blah blah blah and we've got a service. This is actually a type load balancer.

A

So this is uh this: is an external load balancer running in our AWS infrastructure right now and if we were navigate to the other uh to the other project, Cog Dev you'd see something pretty similar, so this is good because we want to be able to see these pods up in Connect and this load balancer is when we actually call our Gateway when we call our back end services or doing the testing. This is actually the end point we're going to be calling this the load balancer itself.

A

Okay, so let's go ahead up to connect and see. What's going on up there, I'm just going to log in real quick to my connect instance.

A

And I am deposited immediately into the runtime managers. So if you go ahead and navigate to runtime manager- and you should see two runtime groups- uh one is called default. This comes with your default account and we created a second one called Dev.

A

You can see it's very clear that you've got the API sackops description on there, so go ahead and click on the default runtime group we'll see what's going on in there, and the first thing that you'll see is that you should have a runtime instance with the same pod name as that we saw in Kong sand or in Kong sandbox namespace. So this pod allows aligns to the pod in COG sandbox, and we can also see it's connected seems like it's healthy and it's compatible.

A

uh Next, let's go down to Consumers, so throughout the automation we just didn't, we didn't just um configure and connect data planes or those gateways to your to the connect control plan. We actually also did a deck sync. It did some Global configuration for you as well, so a part of that we created a consumer chain.

A

You can see where Jane does have some credentials. It's got. A Jane has a auth token called connect, so we'll be using that we also did some plug-in configurations, so we set of rate limiting and cores AS Global plug-ins. So any EPA request that goes through this runtime group is going to have rate limited. It's going to rate limiting and course attached.

A

Next, let's go over to the dev runtime group. Do the same thing: let's see what's going on, we can see. We've got a single pod, it's connected. It's in sync, go into consumers. We've got Jane is still there. She's still a consumer in Dev and Jane has some uh has an API key.

A

And so they're like, let's look at plugins again, we can see, we've got the rate limiting and the chorus plug-in enabled.

A

So that's for connect. We can see. We've got. We saw the data plans running and two namespaces an openshift and how they correspond to runtime groups up in the connect control plan portal.

A

Next, let's go over to openshift and see what's going on, so we do have some pipelines. Where are those um if you've logged into the cluster?

A

First of all, if you don't know how to log in and the console a quick sneaky cheaty way is I, do OC get routes in namespace, openshift console and it punches out the URLs for https, so it punches out the URL that you need and then you log in with the same credentials that you used on the CLI.

A

So when you're logged in, on the left hand, panel navigate to Pipelines, select pipelines again and if you are on all projects, go ahead and pick uh pick. Api pick disputes API spec project first, and this is the first pipeline that we're going to be running.

A

The other two pipelines are going to be located in aprop's Gateway, so we can take a quick look at those there's a Sandbox pipeline and we've got the dev pipeline.

A

Now, let's go over to get T and see what's up in the gate, Repository so for gitsy, you need to blog in facts. You can go ahead and copy the URL from your demo facts file, I'm, going to copy this out and then just commit to memory, but the username password or get to the openshift we're going to have to log in so let's go over Getty I'm actually going to uh sign out start from scratch, I'm going to go ahead and sign in okay.

A

There we go and then we can see. We've got two repositories here. This bottom repository is for the development team, and this is where they manage and do internal review of their API spec before they want to submit it. You know, send it out for review. So this is where they have it version controlled.

A

And then the second repository is where the governance keeps their security rules and where operations will be storing any uh deck connect. Deck configurations, as well as anything needed for the dev portal, is stored in the Acme Bank apops Gateway Repository.

A

Okay, and with that that really gives us the purview of all the resources we've got deployed on openshift and how we've got connect configured in the next tutorial. We will actually open up insomnia and start up with the first step of API design. So I will see you over there.