Enabling Kong as API Gateway for IBM Cloud Pak® for Multicloud Management

IBM Cloud Pak® for Multicloud Management can use Kong as API gateway to handle API traffic centrally and consistently.

Overview

Kong is an open source and lightweight API gateway for microservices. It delivers unparalleled latency performance and scalability. Use Kong to secure, manage, and orchestrate microservice APIs. For more information, see Kong.

Installation

When you install IBM Cloud Pak® for Multicloud Management, Kong is installed by default as a fundamental service.

Note: Kong can be used as API gateway for only Linux® x86_64 clusters.

Configuring kubectl or oc to access API server through Kong

The kubectl or oc command can be used to control the hub cluster of IBM Cloud Pak® for Multicloud Management. The commands can communicate with the API server that runs on the hub cluster based on the API server address configuration in the kubeconfig file.

By default, the API server address in the kubeconfig file is not the one that is proxied by Kong API gateway. If you want the kubectl or oc command to access the API server through Kong, you need to update the API server address to be the Kong API gateway address in the kubeconfig file by running the following command:

oc config set-cluster <cluster_name> --server=https://apis.${<OPENSHIFT_ROUTER_BASE_DOMAIN>}

Notes:

• <cluster_name> is the name of the cluster that is being used by the kubectl or oc command. You can run the oc config view command to find which cluster is being used.

• <OPENSHIFT_ROUTER_BASE_DOMAIN> can be found by running the following command.

   OPENSHIFT_ROUTER_BASE_DOMAIN=$(oc -n kube-public get configmap ibmcloud-cluster-info -o jsonpath='{.data.openshift_router_base_domain})'
  

Importing a cluster and designating Kong as API gateway

Sometimes you want to import a cluster from different Kubernetes cloud providers so that the imported cluster can be managed by the IBM Cloud Pak® for Multicloud Management hub cluster. If you want to use Kong as API gateway for the imported cluster, you need to update the API server address to be the Kong API gateway address in the cluster-import.yaml file.

Follow the steps to import a cluster and designate Kong as API gateway:

1. Before you run component API commands, retrieve the authentication tokens by running the following command.

   curl -k -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=password&username=admin&password=$<PASSWORD>&scope=openid" https://<Cluster Master Host>:<Cluster Master API Port>/idprovider/v1/auth/identitytoken
   

   where <Cluster Master Host> and <Cluster Master API Port> are defined in Master endpoints, and the <PASSWORD> can be retrieved by running this command:

   PASSWORD=$(oc -n ibm-common-services get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d && echo)
   

2. Store the access token in a variable by running the following command.

   export ACCESS_TOKEN=<Access token>
   

   where <Access token> is the curl command result in the last step.

   Note: Ensure that the full contents of the access token are stored, including the Bearer value.

3. Create the configuration template file cluster-import-config.yaml by running the following command.

   curl -s -kLX GET  "https://<Cluster Master Host>:<Cluster_Master API Port>/rcm/v1/import.yaml?namespace=<namespace-name>&name=<name>" > cluster-import-config.yaml
   

   where <name> is the name of the cluster resource on the hub, and <namespace-name> is the namespace of the cluster resources on the hub.

4. Create a cluster resource by running the following command.

   curl -s -kLX POST "https://<Cluster Master Host>:<Cluster Master API Port>/rcm/v1/clusters" \
   -H "Authorization:Bearer $ACCESS_TOKEN" \
   --data-binary "@cluster-import-config.yaml"
   

   Note: When you create the cluster resource, you create a namespace, a service account, a secret, and a cluster registry automatically in the hub cluster.

5. Create the file cluster-import.yaml by running the following command.

   curl -s -kLX GET "https://<Cluster Master Host>:<Cluster Master API Port>/rcm/v1/clusters/<namespace-name>/<name>/import.yaml?kubeURL=https://apis.${<OPENSHIFT_ROUTER_BASE_DOMAIN>}" -H "Authorization:Bearer $ACCESS_TOKEN" > cluster-import.yaml
   

   where:

   • <Cluster Master Host> and <Cluster Master API Port> are defined in Master endpoints.
   • <name> is the name of the cluster resource on the hub.
   • <namespace-name> is the namespace of the cluster resources on the hub.

   • <OPENSHIFT_ROUTER_BASE_DOMAIN> can be found by running the following command.

      OPENSHIFT_ROUTER_BASE_DOMAIN=$(oc -n kube-public get configmap ibmcloud-cluster-info -o jsonpath='{.data.openshift_router_base_domain})'
     

6. Import the cluster by following the steps in the Importing the cluster section.

Troubleshooting

Adding sufficient privileges to the namespace kube-system

If Kong cannot be deployed in the specified namespace kube-system, you need to run the following command to add sufficient privileges.

oc adm policy add-scc-to-group anyuid system:serviceaccounts:kube-system

Renewing the certificate for Kong if it is expired

After you run the kubectl or oc command, you might receive the error Unable to connect to the server: x509: certificate has expired or is not yet valid. In this case, you need to renew the certificate for Kong.

1. Log in to Red Hat® OpenShift® console with an admin account, and click the username.

2. Go to Copy Login Command > Display Token, and use the command under the Log in with this token section to log in to Red Hat® OpenShift® command line.

3. Update the secret in the openshift-config namespace.

   kubectl get secret router-certs-default \
   --namespace=openshift-ingress \
   --export -o yaml 2>/dev/nlll| \
   kubectl replace \
   --namespace=openshift-config \
   -f -