Exploring Advanced Kong Ingress Controller Plugins on EKS

Exploring Advanced Kong Ingress Controller Plugins on EKS

Introduction

In this blog post, we will explore how to configure and use advanced plugins with the Kong Ingress Controller (KIC) on an Amazon EKS cluster. Specifically, we will delve into JWT Token, Request Transform, and AWS Lambda plugins. These plugins enhance the functionality of your services by adding security, transformation, and integration capabilities.

Prerequisites

Before we begin, ensure you have the following prerequisites:

  • An AWS account

  • An EKS cluster set up and running

  • Kong Ingress Controller installed

You can follow the detailed steps to install KIC from the Kong documentation.

Additionally, deploy any test service and configure an ingress resource. For simplicity, we will skip the Gateway API. Refer to the Kong documentation for more details.

Plugins

We will configure the below plugins:

  1. Rate Limiting

  2. Proxy Caching

  3. Key Authentication

  4. JWT Token

  5. Request Transform

  6. AWS Lambda

In this article, we will focus on the last three plugins. The first three have been documented in detail by Kong.

JWT Token

JWT (JSON Web Token) Token is used for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. In this section, we will create a JWT token and configure it with Kong.

  1. First, create a secret and key using base64 encoding:

     echo -n 'jwtkey' | base64 #key
     echo -n 'jwtsecret' | base64 #secret
    
  2. Create Kubernetes secret

     apiVersion: v1
     kind: Secret
     metadata:
       name: alex-jwt
       namespace: default
       labels:
         konghq.com/credential: jwt  
     stringData:
       algorithm: HS256
       secret: and0c2VjcmV0  # base64 for 'jwtsecret'
       key: and0a2V5  # base64 for 'jwtkey'
    
  3. Create kong consumer resource

     apiVersion: configuration.konghq.com/v1
     kind: KongConsumer
     metadata:
       name: alex-consumer
       namespace: default
     username: alex
     credentials:
     - alex-jwt  #secret-name
    
  4. Create the plugin

     apiVersion: configuration.konghq.com/v1
     kind: KongPlugin
     metadata:
       name: jwt-plugin
       namespace: default
     plugin: jwt
    
  5. Annotate ingress or service resource

      kubectl annotate ingress echo konghq.com/plugins=jwt-plugin
    
  6. Use jwt.io to create a JWT token. In the CLI, run:

    •   date +%s
        echo $((1697539200 + 3600)) # use this as the value for “exp” in the payload
      
    • The payload will be:

        {
          "iss": "and0a2V5", # key
          "sub": "1234567890",
          "name": "alex",
          "iat": 1516239022,
          "exp": 1697539200  # Example expiration time
        }
      
    • For the signature, paste the secret encoded value from step 1.

  7. Test Using the Token

     curl $PROXY_IP/echo?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhbmQwYTJWNSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiYWxleCIsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjoxNzI5MTg0NjA1fQ.mmQVyqBNpOCJogpioHEqTTciUbPWQm56ipwaMKyseT4
    

    Note:

    export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

Request Transform

Request Transform plugin allows you to modify requests before they reach your upstream services. You can add, remove, or replace headers and other request properties.

  1. Create the Plugin

     apiVersion: configuration.konghq.com/v1
     kind: KongPlugin
     metadata:
       name: request-transformer
     config:
       add:
         headers:
           - "x-added-header:added-value"
       remove:
         headers:
           - "x-remove-header"
       replace:
         headers:
           - "x-replace-header:replaced-value"
     plugin: request-transformer
    
  2. Annotate ingress

      kubectl annotate ingress echo konghq.com/plugins=request-transformer
     # we can annotate multiple plugins eg. 
     #  kubectl annotate ingress echo konghq.com/plugins=jwt-plugin,request-transformer --overwrite
    
  3. Test curl -i -H "x-remove-header: to-be-removed" -H "x-replace-header: old-value" $PROXY_IP/echo

AWS Lambda

AWS Lambda plugin allows you to invoke AWS Lambda functions from within Kong. This is useful for integrating serverless functions into your API gateway.

  1. Follow the steps described in the AWS Lambda Plugin documentation.

  2. Create the plugin

     apiVersion: configuration.konghq.com/v1
     kind: KongPlugin
     metadata:
       name: aws-lambda-example
     plugin: aws-lambda
     config:
       aws_region: "us-east-2"
       function_name: "MyLambda" #required
    
  3. Annotate ingress

      kubectl annotate ingress echo konghq.com/plugins=aws-lambda-example
    
  4. Test curl -i $PROXY_IP/echo

Conclusion

In this blog post, we explored how to configure and use advanced plugins with the Kong Ingress Controller on an Amazon EKS cluster. We covered the JWT Token, Request Transform, and AWS Lambda plugins, which enhance your services by adding security, transformation, and integration capabilities. By leveraging these plugins, you can significantly improve the functionality and flexibility of your API gateway.

Feel free to experiment with these plugins and explore other capabilities offered by Kong. Happy configuring!