A tool for Kong to allow declarative configuration.
Simply define your list of APIs and consumers in json and then run kongfig to ensure that your Kong is configured correctly.
We recommend installing Kongfig globally
npm install -g kongfig
Use our Puppet-Kongfig module to install and configure Kongfig
puppet module install mybuilder-kongfig
You can follow the quick start to get going in 5 minutes.
You can have your config in json, yaml, or js if you need to support multiple environments.
kongfig apply --path config.yml --host localhost:8001
You can dump the existing configuration to a file or view it on a screen
kongfig dump --host localhost:8001 > config.yml
You can omit the
--hostoption if kong is onlocalhost:8001as this is the default value
You can specify the desired format by giving --format option with possible options of json, yaml, or screen that prints the config with colours.
kongfig dump --format screenFor APIs which uses custom consumer credential plugins, specify plugin and id name in : format with --credential-schema option.
kongfig apply --path config.yml --host localhost:8001 --credential-schema custom_jwt:key
For multiple plugins use --credential-schema as many as necessary
kongfig apply --path config.yml --host localhost:8001 --credential-schema "custom_jwt:key" --credential-schema "custom_oauth2:client_id"
Note: If you change the name of an API/Plugin/Consumer and want to ensure the old one is removed automatically, do not delete or modify the old API/Plugin/Consumer section, other than to add the ensure: "removed" flag. Examples shown below.
Notice the
attributes.usernameconfig parameter below, this is used to map given username to consumer uuid
Api schema:
apis:
- name: mockbin # unique api name
ensure: "present" # Set to "removed" to have Kongfig ensure the API is removed. Default is present.
attributes:
upstream_url: string # (required)
hosts: [string]
uris: [string]
methods: ["POST", "GET"]
strip_uri: bool
preserve_host: bool
retries: int
upstream_connect_timeout: int
upstream_read_timeout: int
upstream_send_timeout: int
https_only: bool # (required)
http_if_terminated: bool
Api plugin schema:
apis:
- name: mockbin # unique api name
attributes: # ...
plugins:
- name: rate-limiting # kong plugin name
ensure: "present" # Set to "removed" to have Kongfig ensure the plugin is removed. Default is present.
attributes: # the plugin attributes
username: # optional, to reference a consumer, same as consumer_id in kong documentation
config:
Global plugin schema:
plugins:
- name: cors
attributes:
username: # optional, to reference a consumer, same as consumer_id in kong documentation
enabled: true
config:
credentials: false
preflight_continue: false
max_age: 7000All of the kong plugins should be supported if you find one that doesn't work please add an issue.
Consumer schema:
consumers:
- username: iphone-app
custom_id: foobar-1234 # optionalConsumer credential schema:
consumers:
- username: iphone-app
credentials:
- name: key-auth
attributes: # credential config attributesConsumer ACL schema:
consumers:
- username: iphone-app
acls:
- group: acl-group-nameNotice the
anonymous_usernameconfig parameter below, this is used to map username to consumer uuid
apis:
- name: mockbin # unique api name
attributes: # ...
plugins:
- name: key-auth
attributes:
config:
anonymous_username: # optional, same as just anonymous in kong api, maps given username to consumer uuid
key_names:
hide_credentials:
consumers:
- username: iphone-app
credentials:
- name: key-auth
attributes:
key: # requiredapis:
- name: mockbin
attributes: # ...
plugins:
- name: basic-auth
attributes:
config:
hide_credentials:
consumers:
- username: iphone-app
credentials:
- name: basic-auth
attributes:
username: # required
password:apis:
- name: mockbin
attributes: # ...
plugins:
- name: oauth2
attributes:
config:
scopes:
mandatory_scope:
token_expiration:
enable_authorization_code:
enable_client_credentials:
enable_implicit_grant:
enable_password_grant:
hide_credentials:
consumers:
- username: iphone-app
credentials:
- name: oauth2
attributes:
name:
client_id: # required
client_secret:
redirect_uri: string | [string] # required by kongapis:
- name: mockbin
attributes: # ...
plugins:
- name: hmac-auth
attributes:
config:
hide_credentials:
clock_skew:
consumers:
- username: iphone-app
credentials:
- name: hmac-auth
attributes:
username: # required
secret:apis:
- name: mockbin
attributes: # ...
plugins:
- name: jwt
attributes:
config:
uri_param_names:
claims_to_verify:
consumers:
- username: iphone-app
credentials:
- name: jwt
attributes:
key: # required
secret:It is possible to work with custom consumer credential plugins.
apis:
- name: mockbin
attributes: # ...
plugins:
- name: custom_jwt
attributes:
config:
uri_param_names:
claims_to_verify:
consumers:
- username: iphone-app
credentials:
- name: custom_jwt
attributes:
key: # required
secret:
credentialSchema:
custom_jwt:
id: "key" # credential id nameapis:
- name: mockbin
attributes: # ...
plugins:
- name: "acl"
ensure: "present"
attributes:
config.whitelist: "foo-group"
consumers:
- username: "some-username"
ensure: "present"
acls:
- group: "foo-group"
ensure: "present"
- group: "bar-group"
ensure: "present"Kong Upstream Load Balancing Reference
upstreams:
- name: "mockbinUpstream"
ensure: "present"
targets:
- target: "server1.mockbin:3001"
attributes:
weight: 50
- target: "server2.mockbin:3001"
attributes:
weight: 50
attributes:
slots: 100A certificate object represents a public certificate/private key pair for an SSL certificate. These objects are used by Kong to handle SSL/TLS termination for encrypted requests. Certificates are optionally associated with SNI objects to tie a cert/key pair to one or more hostnames.
Kong Certificate Object Reference
An SNI object represents a many-to-one mapping of hostnames to a certificate. That is, a certificate object can have many hostnames associated with it; when Kong receives an SSL request, it uses the SNI field in the Client Hello to lookup the certificate object based on the SNI associated with the certificate.
certificates:
- ensure: present
cert: >-
-----BEGIN CERTIFICATE-----
MIIDMjCCAhqgAwIBAgIJAPgRdnOdnX/SMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNV
....
key: >-
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAo5BpOQY2AV/1L2QEdSip75rHh3Khs2knNtMLIrP26MHyidtX
....
snis:
- name: example.com
ensure: present
- name: www.example.com
ensure: presentNotice that SNIs are an list of object e.g.
{ name: example.com, ensure: present }different Kong api itself where it is a list of hostnames
kongfig translates pre >=0.10 kong config files automatically when applying them.
So you can export your config from <=0.9 kong instance by running:
kongfig dump --host kong_9:8001 > config.v9.ymlThen apply it to kong 0.10 instance
kongfig apply --path config.v9.yml --host kong_10:8001apis endpoint changed between <=0.9 and >=0.10:
request_host: stringtohosts: [string]request_path: stringtouris: [string]strip_request_path: bool->strip_uri: bool- Adds
methods,retries,upstream_connect_timeout,upstream_read_timeout,upstream_send_timeout,https_only,http_if_terminated
Created by MyBuilder - Check out our blog for more information and our other open-source projects.
We are very grateful for any contributions you can make to the project.
Visit the Contributing documentation for submission guidelines.