Description
In this week's episode, Kat Morgan walks through Kong Gateway on #Redhat #OpenShift with special guest Casey Wylie, Principal Solutions Engineer from Red Hat!
Kong Builders is a livestream series that takes our developer-focused toolsets and puts them on display in the best venue possible – building applications and connecting workloads.
#KongBuilders #developer #livestream #livecoding
A
A
Actually, Casey, I will work on that. If you actually want to go ahead and just kind of go ahead and kick it off, I know you have the reins ready. I will share your screen and let you take it away until I can get audio on my side too. Cool.
B
Okay, all right, so, Kat, thank you so much. It's a, it's a real pleasure to be here, and Kong and Red Hat are our partners. So essentially, what we do together is, is work together to kind of, you know, make sure our mutually shared customers are having the best experience possible.
B
Looking for, you know, small improvements and efficiencies that we can do together to, to kind of make improvements all around, and this has been just a very mutually beneficial relationship over the past three months, just really digging into Kong, Kong Gateway, Kong Mesh and Kuma, and it just so happens that today we're going to be talking about Kong Gateway.
B
So what I've prepared for you all today is, essentially, we're going to be installing the Kong Gateway.
B
So, let's, let's jump into it. Here we go. So I'm going to essentially just click here, right, I'm going to do the prerequisites. So first, foremost, most importantly, create the namespace Kong, yeah.
A
So here we go. I created that namespace when I was testing the, the binary earlier today. Also, my audio's back. I switched headsets and things just worked, so that's good. Great, thanks for carrying the show while I was working that out. For everyone following along, I'm gonna go ahead and drop a link that actually has some of these notes that Casey is basing his work off today.
A
And, of course, while we're going through this, if anyone has specific questions or you're curious to talk a little bit more in depth about any given step along the way that we're going through, feel free to call that out in the chat. We'll watch and kind of triage and make sure we include some of those talking points as we go along.
B
And one talking point that I should have brought up is, I keep, you're seeing this k command? I did alias k=kubectl before we started, so, chaos, all right. So essentially, what, what have, what have I done so far? So Kat made the namespace. I just created the generic secret for the license key from a file. So basically this is essential. This is important for using Kong Gateway Enterprise.
B
A
Yeah, so in the chat, while you're going through some of those steps, I'm going to cover some, some of the questions in the chat. We have a question about what is Kong's gateway, and actually that's a really good question, because I know that we have a lot of OpenShift people who are maybe new to Kong or haven't come across Kong before. Kong offers a few different products.
A
A
Multiple proxies from that centralized gateway, to include plugins to centralize your authentication configuration, so if you're using OIDC, integrating with Auth0 or Keycloak or other OIDC providers. You're going to see a lot of features for rate limiting or advanced rate limiting, caching, and the opportunity to write your own custom plugins, which we frequently do with our customers, to make sure that we can support unique ways of handling traffic based on headers or all kind of session cookies and all kinds of other logic to control what traffic you're sending where, when and how.
A
A
A
Yeah, so before the stream today, I built an instance that we're using as a bastion host in AWS, and then I built an OpenShift 4.10 cluster. So that's what Casey's working on today.
B
Yeah, so, so Kat was talking about the, the Kong Gateway, right, and one thing we want to really kind of call into attention here is that gateways are north and south traffic, right, and, and what does that mean? That means from the user into essentially the ingress of the cluster. And best practice nowadays, right, this is a 100% best practice: for essentially each namespace, each application, you should have a gateway, right, because you want to have essentially what's called failure domains, like, whether that be physical or logical.
B
So in order to have everything kind of in its own realm and decoupled, each kind of application needs its own gateway. So you could technically have 10 gateways, right. So, let's talk really quick what's just happened, because now we're gonna, our next step is to install the control plane, and we're all chatting. So here's what's transpired: so we've created the private key in the, in the cert, right, for the Kong Gateway, and then we created this TLS secret, which the gateway will use, called the Kong cluster cert.
B
Next, we created a password for the Kong Manager. We probably, or, you know, depending on what Kat says, we may or may not go into the Kong Manager today. If we don't go into it today, I highly encourage you to check it out. It's a really, really good UI, it's very helpful too. And then basically, the, the very last step is we're preparing ourselves to deploy the control plane. So we've added the Kong repo through Helm and then we just updated our Helm.
B
So here is where we start kind of getting into the bits a little bit more and seeing some of the power of Kong. So we have our Kong namespace. So we're going to be installing this release called kong from the Kong Helm chart.
B
We are essentially going to be deploying a Postgres database, so this is what's going to, how Kong's going to handle the configuration, and you can configure users. You have a lot of configuration that you can do, right, because, while this is a, you know, it's an API gateway that's minimal and lightweight, it has a lot of functionality. So that's essentially the reason behind this Postgres database behind here.
A
Yeah, if I can actually cover some of the Postgres and why that's valid here. So Kong has the ability to run with, as a DB-less API gateway, and what that equates to is running purely from memory. But some of the power and value that a lot of companies find in Kong Gateway is the RBAC control, so being able to separate different developer teams by, like, logical groupings of roles.
A
What APIs they have access to and maintain, possibly separating internal corporate developers from external API developers who might need access to your APIs to develop new features or consume those APIs, and all of those, like, logical groupings fall under the RBAC, or role-based access control, feature. Anything that requires that RBAC capability.
B
B
I'm going to give you a very oversimplified version of what this is. Let's just say it's, it's a way to expose the service to, so that you can hit it from the ingress. So essentially what we have here, so, let's say, k get svc -n kong, so we're going to look at our control plane services, essentially, right now. See if we can make that a little better, see in the comments. All right. So it's a little small, but we can get that just here. So currently we have this.
B
This Kong admin service, the Kong cluster service, which is, this is very useful if you're going to go multi-cluster, and I'll actually point out how to do that as soon as we install the data plane. But essentially this would be exposed as, like, a, as a load balancer, would be, you know, my choice, but I'm sure you could do it as a NodePort and basically just hit the IP of the node.
B
The cluster telemetry URL. Essentially we're going to make these accessible from the outside using this notion of the OpenShift route, and that's the next command here, exposing services as routes. Those are exposed. Now we can get the routes in, and we're going to see there's actually URLs pointed to them. It shows which service they're pointing to. It actually shows the port on which these services are exposed.
B
B
A
So if you do a Helm update or take some other update step in, in the lifecycle of your Kong Gateway, you'll see some of those pods hitting the database, and that's just making sure that schemas that updated are converted properly in the database and handling maintenance of the lifecycle of the database over time.
B
Thank you. So yeah, essentially we're just waiting on those jobs to finish. You, you don't want to rush it. If you try to start doing steps out of order, you, you're surely going to kind of fall into a problem, and this kind of really goes into the whole GitOps workflow. So we noticed when we were actually installing the control plane, there is a ton of configuration there that is needed.
B
That's, like, that's necessary because you want to configure every single thing in as few steps as possible, in case you're throwing this in Argo CD or some kind of GitOps engine. You want it to be almost as configured as possible before you kind of move on to the next step. You don't want to be patching things, for instance, if you don't have to.
A
Yeah, absolutely, that imperative versus declarative model. Actually, while we're waiting for this to come up, or if, before we move on to the next step, we have a question about how to install it in OpenShift: if it's an operator, if we're using Helm, or what our opera- options are there. And that's a really good question, because there are a few different ways to go about that. You can forego the Helm install path. We are using Helm today, but think things like Kustomize are fully supported.
A
If you're looking at going the, the route of Argo CD or Advanced Cluster Manager, you're going to see an option for writing out all of your manifests directly or also using the Helm chart at that point. And then, as far as a, a peek into the future, there is an operator in the works. It is, you know, pre-released right now.
A
I think it's, at least some versions of it are in the OperatorHub now, but we're looking at the Kong 3.0 or later release for actually bringing that operator to production ready. And what that operator is going to do is actually remove a lot of the, like, human in the loop. So, like, Casey, you're saying, you know, you, you want to wait until a task is completed while deploying the control plane before we move on to data plane tasks and other steps like that.
B
Right, so now we are going to actually validate that our control plane is installed by curling for the version. So since you're here, and how are we doing this, right, so that, this is a very important part. So the Kong control plane has this Kong admin service, right, and this Kong admin service is essentially responsible for handling the control plane configuration. So we're going to actually curl this to see which version we're on, and we expect to see 2.8 point something enterprise.
B
A
So there's different ways to interact with the API. Right now we're on a pretty new instance in AWS, so I don't think we've installed everything that we're used to having handy. curl, HTTPie, they're both CLI tools for interacting directly with an.
B
A
Might need to update reposit, the repo list before.
A
B
Okay, cool. Thank you. All right, so essentially we're just checking against this Kong admin route and we're essentially looking for the version. As you all saw earlier, this is now protected by a token, so we want to just make sure that only authenticated users are essentially talking to the control plane, the users that we want to be talking to the control plane.
B
So essentially, earlier I said we were hoping to get that 2.8.0 enterprise edition back, and that's exactly what we got, so we're moving on. So for the Kong Manager UI, actually needs to be patched, and it doesn't always need to be patched. It needs to be patched kind of in OpenShift because we want to tell, we want to tell essentially the control plane, where is this route? So, where do I look for the API URL? And we're saying, you look at this route, and this is where it is.
B
Now, you know, every time I do anything, it's validation, validation, validation. So I'm just going to actually look at that deployment and I'm going to look at the containers, grepping for that environmental variable on the pod, just to make sure that route's showing right here, which it is, so that's good.
B
B
On a VM, I mean, the deployment options are, are vast, almost endless, right, and that's a really great thing about Kong, right, because you can offload workloads on VMs, so it kind of caters to the hybrid cloud, which is essentially Red Hat's mission too. So it's kind of a match made in heaven, I guess, or just a great match made, I like to think so.
A
So yeah, this is a separate Helm release. So what we, what we deployed earlier was just that control plane piece, and then this is one of however many diff-, separate data planes you want to deploy. You can actually separate it out by different namespaces and isolate those data planes to those individual namespaces.
A
B
B
Here it is, this Kong, Kong cluster service. So here, when we're connecting the control plane to the data plane, we're actually going to reference this URL right here through this environmental variable. This just as easily could be in a separate cluster, and this URL, so this is a local cluster DNS, this would be the, the URL, for instance, of a load balancer, and likewise with the telemetry, right.
B
This is the exact same host, just one's port 8005, one's port 8006. So essentially what you do to go multi-cluster immediately and just put these two things on two separate concerns, essentially now you have two different failure domains that are not coupled, right. So, if you think about kind of resiliency, that's, that's the way you're starting to go when you do things like this. But yeah, simply just expose this service.
B
A
Yeah, just kind of adding to the idea of multi-cluster with a centralized control plane, one of the really fun new things that Kong just released last week actually is the Konnect cloud. So it takes that paradigm of a separate global control plane and we offer that control plane as a SaaS.
A
So one of the most complex parts of Kong is actually deploying and maintaining that control plane component, and then the data planes from there that you deploy out are relatively simple in comparison. And so that SaaS Konnect product, where Kong hosts the control plane for you, gives you that global pane of glass in the cloud, and then you connect data planes all around the world in multiple clusters, in cloud clusters or on-prem.
A
And then you have that single unified view in the cloud for actually connecting up. This is that, of course, self-hosted control plane.
B
B
We then curled the data plane proxy directly, and it said, maybe confusingly, maybe not confusingly, hey, no route matched with those values. So I can't go to forward slash on the data plane proxy and expect it to do something. Why? Well, because we don't, we, we haven't created an ingress yet. And there's another way to do this, like, you can actually essentially configure the Kong control plane through REST.
B
So there's a lot of ways to configure it. At this moment we just haven't configured it yet, and that's the next steps, but that's why we're getting that no route matched. And this is our next step: we're essentially going to check the clustering status. So this is kind of Kong's way of telling you, hey, the control plane and the data plane are in communication and they're in sync.
B
So let's go ahead and check this just to make sure we're in sync, as, as we expect to be right now, and we are. So we can see this is actually our data plane host, and we're good and we're talking, and, and that's it for the control plane and data plane installations. Now we're going to start with the app scaffolding and then start doing things with the gateway.
A
So, yeah, that, that no route found was failed successfully, right.
B
Yeah, yep, exactly. Yeah, I should have got the, the status code on there to make it even, even simpler, right.
B
So there is this really genius app, Bookinfo, and it, and I say that not as a joke, because I love Bookinfo, it's a great app, and you'll see why. Because it's so good for teaching, so good for doing multi-cluster. You can do canary releases with it. You can do blue-green deployments with it. It's just a tool, it's a great tool. And, you know, in Kubernetes, Kubernetes and cloud native, hybrid cloud, you need to have separation of, our separation of concerns. You need to separate failure domains.
B
One very small, logical domain is by namespaces, so anytime we're doing a new app, we put it in its own namespace. So this is the Bookinfo namespace. We're having its, its own, you know, app. One thing about OpenShift: OpenShift is what we call secure by default.
B
So if you're familiar with validating admission controllers, validating and mutating admission controllers, the admission controller is essentially what sits up at the very front of the proxy and accepts the requests as they come in. These are, are the requests basically coming in from, like, your kubectl client.
B
It wants to see a very, very secure manifest, right, and if it's not secure, for instance, if you're running as root, or if you're running with, like, an fsGroup, or if you're running as user, you know, less than, like, you know, I don't know the exact number, but if you're running as a low user with a lot of permissions, or you're running as a group that needs a lot of permissions.
B
It's not going to like that, right, and why is it not going to like that? Because you can technically, if you have enough permissions, if you can escalate privileges, you can reverse out of your shell and get onto the host machine, and you could really do some damage, right. You could do a ton of damage. You get the AWS creds.
A
Yeah, so one of the things about OpenShift that sometimes gets a bad rap is the fact that some of that security context stuff can feel like it's really getting in the way of being able to accomplish something successfully. But when you look at the legitimate risks that that mitigates in a production scenario, the, the confidence in your security posture that that brings to, like, just your confidence in production and facing the open internet, it really is worth learning, understanding and utilizing as a tool to prevent crisis in the future, right. Yeah.
B
Agreed completely, right, and, you know, pods, you know, you, you need a very powerful kind of validating controller at the, at the cluster level, whether that's, like, OPA, whether that's pod security policies, whether that's exactly how OpenShift does it. Doesn't really matter what it is, it just has to be done, right. You have to have security, and you also need network policy, right. You need to fence things off. You need to say A can talk to B, but there's no reason for A to talk to C, right. They shouldn't even communicate.
B
And we have our, our details application. We have our product page, our ratings, our reviews, and I'm actually going to show everyone a picture of this architecture, because this pretty much means nothing just looking at, at the positive namespace right now, but they all speak with each other in a microservices way.
B
B
We noticed there's, like, reviews version one, reviews version two, and it would be nice to do, like, canary rollouts or progressive rollouts and kind of blue-greens, but it's not really what we're doing right now. So I'm gonna just delete those.
B
B
B
So what's going to happen here, this is the request path. The request path lands on this product page, this Python app. It doesn't even matter what it's written in, right, it's all microservice architecture, so it doesn't even matter what it's written in. Product page talks to reviews, right. So basically it's just got, it's got two panels. It's got this book reviews that says, like, hey, this book was great. And then reviews talks to ratings, and the rating shows the number of stars the book has, and then also in that product page on the left.
B
A
Actually wanted to ask you a little bit about how you went about designing this networking path. So in OpenShift, a lot of applications go directly through the OpenShift router before they reach any services, right, yes, and when you're adding another layer like an API gateway, you have the option of serving that API gateway, which is that data plane proxy component, directly to the internet, behind a load balancer or, like, a GLB, or something like that.
A
A
B
B
I want rate limiting, because I want to protect my critical infrastructure. So, you know, that probably didn't really answer your, your question, but it was just the easiest way for me to, to do. It is.
B
I'm sorry, I'm going to say Kong in the Kong control plane. So essentially we do have our, our proxy right here. You can see it. It is a load balancer. So it's, it's directly connected out to some infrastructure. But yeah, all right, okay, so product page, right, I keep talking about it.
B
I'm beating around the bush, because I don't know exactly how to share this, because I want to show you the internet when I port forward to this. But here's what we're going to do: I'm going to go ahead and make an ingress here, right. So in Kubernetes, making an ingress is very, very, actually very simple, right. You say, okay, create, name of the ing. Then you have a rule, and then you say, basically, creating ingress. We have a rule, so this is the actual host name.
B
Do I, do I want my host name to be google.com? Do I want it to be kong.com, or whatever, right? Then we have our routes. In this case, it's just a forward slash. It's not forward slash product page, it's just a forward slash. And then we have the service. So this is the service in its own namespace, because ingresses are namespace scoped. At any time
B
you don't know what is and is not namespace scoped, you can say kubectl api-resources --namespaced=true or false, and then you can kind of grep for a given resource. But, but that's why ingresses are, are so powerful, and they belong in their own namespaces for their own things that they're concerned about. So this Bookinfo ingress is concerned with Bookinfo. Right now, in order to hit Bookinfo, you're going to have to send a request with the actual host name being asterisk dot co. We're going to change that.
B
Now we're going to do some more Kong-specific stuff, because Kong is, has a very powerful ingress controller called KIC, or Kong Ingress Controller, and we're going to go ahead and annotate this, this ingress to strip the path for true.
B
Then next we're going to, and this is the 100% essential, right, we would be able to get by just fine without stripping the path. This is a nice to have. But we do need an ingress class, and if we want to use Kong ingress gateway, right, so we're going to actually patch our ingress, and we're going to do basically an op patch. We're going to add the ingress class name as, as kong. We're going to remove that host. There's
B
just simply no reason. I mean, you can have a host, you don't, you don't need a host. If this was, you know, in production, I'd have, like, actual TLS, and then in my, my, like, Google Domains, I would be pointing to the actual IP address of that Kong proxy, and so basically, so I could say in Google Domains, hey, route, when I say caseywiley.com, route it, its IP address. That's kind of too long, too short, didn't read, but that's what we're doing here. We are essentially creating an ingress.
B
We are patching it to include the ingress class name of kong and we're adding this annotation to strip the path, and now essentially, what we're going to do is we're going to test this ingress, and let's do it. So this is all I'm doing right now, is actually getting the ingress. Oh, I don't have pbcopy, because again this is running on Ubuntu, but pbcopy, for you Mac folks out there, is just the way to copy from the terminal. All right, so I'm going to cat. So can I share another screen.
A
B
B
B
Is our application, right? This is the good old, reliable, trusty Bookinfo application where we're, essentially, we have the details application. This is this microservice details. This is reviews, and these little stars are ratings. So essentially the requests are propagated through the, the cluster and all the kind of information is piped back, and eventually product page has this information, right, somehow product page has it. And really interesting piece of information here, so the amount of traffic that's north south, so from the user into your cluster, versus the amount of traffic
B
that's east west, so I log in, I get a session, and then all these microservices are talking. It's like, you know, maybe up to four orders of magnitude greater than the north south traffic. So essentially the user sends one request, but then these microservices architectures have to do a lot more things for that to actually happen and get the information back to the user. All right. So we are going to now go back to the console.
B
And so, you know, I was talking a lot about what happened there. We just exposed the application that we deployed, Bookinfo, through an ingress, right, and we're using Kong to do that.
A
Yeah, so, so that's, that's actually really fun to stop and look at what we're looking at. If you look at those first two lines of the YAML object, is the API version, and you can see that that's pointing at a Kong API, which, of course, is this, one of the CRDs that defines what Kong can do, and the kind is the KongPlugin.
A
So Kong has a lot of, an entire storefront of plugins that are pre-built and ready to add features to your Kong deployment, and this one, of course, is the basic rate limiting plugin, right. Yep.
B
A
B
A
Hey Kat, Kat, I need this. I want this, right. As the oldest, it often fell to me to go ahead and, like, step in and save the day or whatever, and up to a point that can be great, but when it happens too much, you, you want to give each consumer, right, each, each person coming to that front door, a limit of how many times they can knock on the door.
A
A
You might see something like DDoS, right, denial of service attack, and that is where a nefarious actor, right, is knocking on that front door with the express intention of overwhelming your traffic handling abilities to deny everyone else's request, because if they knock on that door so many times, then you're not gonna see, be able to, to answer the traffic of other legitimate requests.
A
So that is one reason that rate limiting is really important, to make sure that you're treating everyone fairly and who you respond to, when, and how often.
B
B
Yeah, yeah, what's up, Kat siblings. But so we're actually respectfully rate limiting. So essentially, you know, rate limiting is protecting your critical infrastructure. You know, maybe your base can't handle quite as much as your Envoy proxy, right. It's, it's, different things have different throughputs, and we're respectfully rate limiting by IP address. So punish the people that are trying to attack your system and take you down. Don't punish the people who are trying to use your system, and, you know.
A
A
Actually, it looks like we have a question: can we prioritize requests when rate limiting? So that's a bit of a QoS, like, quality of service question. And yes, there are ways to actually identify who is making a request. Say you monetize your APIs and you have different billable tiers for who gets more bandwidth, who gets more, a higher rate limiting ceiling, and things like that.
B
Good explanation. So basically we are, are leveraging this, this Kong plugin right now to rate limit by IP address, and we've said, essentially, we only want, this is a, this is a service that we built that's terrible, right, that we know can't take any load, so we're saying, like, after three requests in a minute, it's probably going down on.
B
I essentially just curled through the ingress over and over again until I hit this 429, and obviously 429 means, whoa, back off, too many requests. So basically it's gonna wait a few, there's, like, a back off period, and probably right now I could probably send another request through. Yeah, getting 200 back, at the top you see there. But, you know, you do it too many times, you're going to trigger that, that rate limit, and there we are, 429. All right, so yeah, that's all about protecting critical infrastructure.
B
Now we're going to talk about actually protecting your services and actually making, using JWT tokens to protect your services through OIDC.
A
B
B
Exactly, yeah, and if you're not familiar with Keycloak, it's, it's a Red Hat product. It's open source, it's written in Java, it's been around a while, but it has a ton of functionality, and we are installing Keycloak from the operator. So like every single other application that should be according to best practices, it's in this other namespace. So we're going to create the namespace Kong Keycloak.
B
A
Know-It-All, you know what, I think you're, you're opening a can of worms, because there are so many ways. I mean, people talk about pods and, what, you know, how, how big should a pod be? What all should live in a pod? For example, you can deploy Kong in, with the control plane, the data plane, the developer portal, the web UI, all of that in one Helm release, which puts it all in one pod, or you can separate it out into tiny microservices. And then, should they all live in the same namespace?
A
B
So, you know, first step, since we're installing this by an operator: operators, for installation, you, they use something called OLM. So we're, essentially, what we're doing here is we're installing an operator group. The operator group's job is basically to say where will this operator live, and the subscription is basically where to find these operator manifests, these assets for the operator.
B
So basically we're just deploying this and that in the Kong Keycloak namespace. Oh wait, we already did that, so, and it came up. The operator is actually ready. All right. So here we go.
B
This is going to be kind of a long thing, because it's going to be a total configuration. So Kat had this really awesome analogy, right, so we're knocking at the door. Now you have to actually have to have a key to get into the door, right, and we already know, just because you knock a hundred times in a row, basically, the door is gonna disappear if you keep knocking. So now we're giving, we're handing out keys. Hey, you want to get in? You can take this key.
B
So first thing here, this Keycloak. This is an instance of Keycloak, so this is an instance of the operator. I'm officially now launching an instance of Keycloak. Next I have a realm. A realm is how all your apps are, all your users, it's another logical separation, right. It's, it's not a physical barrier. It's, it's, it's what's called a realm. It's how you do your logical grouping of users and applications, etc.
B
In our realm, no surprising, is called the Kong realm. It could have been Bookinfo realm, but, you know, it doesn't, doesn't really matter, right, apples, tomatoes, whatever. We have our Keycloak clients and we have a redirect URL, and this is, you know, OIDC is just this spec that's, this, that tells you how to do things on, on OAuth2, right, so you have to have this redirect URL.
B
A
Yeah, so are you going to be serving the, the Keycloak at that address?
B
Yeah, this is going to be my redirect, and it's going to actually redirect, so basically someone's going to come in, my redirect, my Keycloak is going to push them back to the product page. So, secondly, lastly, I have my Keycloak user, Kermit user. This was actually, this user was created by a person that was working with, named Ruben Romero, that's from Red Hat.
B
In column, gp, just to make myself feel better. Yeah, this should work. Okay, just see how the, the demo gods feel about me today.
B
A
B
Yeah, yeah, that, yeah, I mean, Keycloak's a big one, right, it's written in Java. It's not exactly like, like Dex, which is, like, probably faster, but yeah, has, like, a lot more stuff.
A
It does, like, it's brokerability and all of that. It, it's a pretty powerful tool for sure, and I've, I know I've used it with my customers in the field before.
B
A
A
I just wanted to recognize we are coming up on the hour, which is normally where we end. I'd like to go ahead and stay on long enough to show the OIDC in combination with the rate limiting that we already showed off here. So I'm gonna keep this stream running for a little bit while we go over time, but I just wanted to thank everyone who's stuck with us so far and who has participated with good questions.
A
A
Of course, any additional questions or comments that you have, I'll try to respond to those in the next few minutes before the top of that hour. We'll go into overtime, and if you have additional questions or things like that, and you want to leave comments in YouTube, we will do our best to try and answer those things. We do, of course, have the Kong channel in the Kubernetes Slack, so you can follow up with us there. And then Casey, thank you for everything that you put together to show us today.
A
I have had a blast seeing how you go about doing this on OpenShift. It's been a little bit since I exercised my OpenShift muscles. So no problem.
A
B
That's cool, that's cool! My heart was just skipping a beat when you were talking to me because I was like, why is this thing not coming up? But hey, good old Java. We made it, yes, three minutes later. All right, no, Java is actually really awesome. I don't, I'm not, yeah, I mean, any programming language you want to use is perfectly fine with me.
B
B
What this plug-in does is it's going to actually check for a token. If there's not a token, it's going to redirect you to the OIDC login page, it's this Keycloak login page, and then you'll get a token and it'll redirect you back to the application. But essentially from here on out, or after we make this annotation on the ingress.
B
Our Bookinfo application is going to be protected by OIDC.
A
Actually, I wanted to add to that, because of the question earlier about prioritizing request traffic based on different, like, quality of service rules and things like that. That token is one of those pieces of information that you can use in understanding who is making the request and treating them based on specific rules that you have established for either that user or that group that you can understand as an individual consumer.
B
Okay, so we're kind of done here for this moment, so I'm gonna actually take you all back to the browser.
B
Well, there's a, checking the logs in the back, but I don't see any errors right now.
A
We're skipping past insecure certificate errors and things like that. In a more mature deployment, of course, we could have used cert-manager or, sorry, AWS certificate tooling and things like that to automate loading SSL certificates into the Kong Gateway based on service, or creating one that is a fallback, possibly wildcard certificate, things like that. So the "not secure" is what we're looking at right now for demos, but of course, that SSL feature is built into the gateway itself too.
B
Yeah, yeah, exactly as Kat said, and I'm sorry about that. I should have thought, but I just logged in through kermit, the user that we created, and then I just wasn't thinking, I loved, and I just kind of change, stop sharing my screen.
B
For all intents and purposes it works, it works just quite normally, I guess. Yep. All right, so we are done with Keycloak. Now we're really in the very end of this, right? We're in the end. The beauty of Kong Gateway, or any powerful gateway and fast gateway like a Kong, or, you know, there's plenty of gateways out there that are also really good, but they.
B
B
B
B
Yeah, so this is good old vanilla Kubernetes. You have to have a network plug-in installed. So, like, I use Calico, you could use Cilium, there's a lot of them that support network policies, but basically it's more on a very lower level than the Kubernetes level, and when you're installing Kubernetes, you have to have this pod networking solution, or CNI, I believe it's called, present in the cluster.
B
B
Totally. So this is a deny-all network policy for the ingress, so, basically, and it's in the Bookinfo, so there's nothing that's going to happen here through the ingress. Basically what it says, right, don't let anything happen. No ingresses. And I'll skip this for right now. I don't want to switch too many times, because I'm really at the end, and I don't want to lose too many people. All right. So here's where we're going to actually be able to see something. We want product page, that front, seemingly, application.
B
I don't know if it's server-side rendered or exactly how it works; that front-end application is going to want to talk to, now, oh, I'm sorry, so this one is actually ingress to product page. So product page essentially cannot speak to any other microservices after this network policy is applied, so we can actually hit the front end, but we can't hit any other microservice. So no reviews, no ratings, and no details.
A
I know you are East Coast and I'm pretty sure I deployed this in us-west-2. Okay, you're going to say over so.
B
Wasn't super late in just a couple seconds, but so that network policy I just created, I said basically product page can receive traffic from any pod. Any pod, just open and close curly braces, right? Just generic, anything can hit product page. But product page, basically, the other microservices that are in Bookinfo are still locked down. So product page can't talk to reviews. Product page can't talk to details. Product page can't talk to ratings.
A
So then that was why we were seeing, of course, the actual errors and stuff on that page, right?
B
Yeah, exactly right. So the way the front end is written, it's just basically going to say, can I query? Can I not? If I can't query, it's going to say, sorry, the details are currently unavailable for this book. Product reviews are unavailable because we've essentially started blocking traffic through network policy, and product page isn't allowed to talk to anyone right now.
B
So let's allow it to talk to, you know, product page has a best friend, and it makes me really happy to talk about product page and its best friend, reviews. Product page loves reviews and reviews likes product page.
B
So basically, in this next network policy, we're going to say this is an ingress policy and it's on the reviews microservice, and it's going to say: okay, I'll accept ingress traffic from product page. So reviews has ingress traffic from podSelector, matchLabels, app: productpage. So we should see at least one of those blocks on the right side now becoming populated after this network policy is applied.
B
Okay, it looks like we are sharing again. Okay, and what was that, those reviews, product page can talk to reviews. The last time we refreshed, there was an error fetching the product reviews. Now we should be able to talk to the product reviews, but we shouldn't have any stars. So we shouldn't have any ratings, but we should have the reviews.
B
B
All right, so review ratings. This is essentially going to just give you the stars, right? Because, based on the architecture, it's reviews that talks directly to ratings in order for it to know how to populate those stars. We are applying, and that's going to just give you the stars. But, you know, we're running over, so I'm going to actually give you that left side as well. So it's saying, now this is the last network policy we're going to apply, and it's in the Bookinfo namespace.
B
It's an ingress policy type and it's applied on the details microservice. Basically, the details can accept ingress traffic from the product page. So now the product page is going to be able to reach out to the details and kind of see those details for a given book. And after I apply this and when I go back, we are going to be all done and that's going to conclude our session. So thank you so much everyone for being with me, and thank you Kat for bearing with me and inviting me. It's been.
B
All right, the last time that we were looking at this, ratings was a no-go, unavailable, kind of blocked off through a fence, through this logical domain, right? And also, we of course couldn't talk to the details. Just refresh, and now we're all good. Thank you.
A
All so much. Yeah, that's a fully functioning app right there. Yep. Well, Casey, you brought a lot today. We're definitely bold and daring the demo gods, and they blessed.
B
A
Anyway, so it was really fun to show all that off. I know we covered a lot of details, so we deployed a control plane. We talked about different ways that Kong itself can be deployed and the fact that we were separating the data plane and the control plane. Today we went in, we deployed the data plane, we added a rate limiting plugin, we deployed Keycloak and then configured Keycloak to authenticate in front of our application.
A
We deployed Bookinfo to demonstrate all of that and, of course, that's a multi-service application, and then we went and we continued to tempt fate and applied a bunch of networking policies to show how you could control and make sure that nothing was talking to anything else unless it was very specifically supposed to, designed to, and allowed to. Casey, that was a great demo.
A
A
Go ahead and catch you on the flip side, okay.