# Kong Gateway Feature Implementations
Detailed implementation of all features for the Kong Gateway provider in GAL
## Feature Implementations
### 1. Load Balancing
```yaml
upstream:
  targets:
    - host: backend-1
      port: 8080
      weight: 100
    - host: backend-2
      port: 8080
      weight: 200
  load_balancer:
    algorithm: round_robin # round_robin, least_conn, ip_hash
```
Generates:
```yaml
upstreams:
  - name: api_service_upstream
    algorithm: round-robin
    targets:
      - target: backend-1:8080
        weight: 100
      - target: backend-2:8080
        weight: 200
```
### 2. Health Checks
```yaml
health_check:
  active:
    enabled: true
    interval: "10s"
    timeout: "5s"
    http_path: "/health"
    healthy_threshold: 2
    unhealthy_threshold: 3
```
Generates:
```yaml
upstreams:
  - name: api_service_upstream
    healthchecks:
      active:
        type: http
        http_path: /health
        timeout: 5
        interval: 10
        healthy:
          successes: 2
        unhealthy:
          http_failures: 3
```
### 3. Rate Limiting
Generates:
### 4. Authentication
JWT:
Generates:
Basic Auth:
Generates:
```yaml
plugins:
  - name: basic-auth
consumers:
  - username: admin
    basicauth_credentials:
      - username: admin
        password: password123
```
API Key:
Generates:
### 5. CORS
```yaml
cors:
  enabled: true
  allowed_origins: ["https://app.example.com"]
  allowed_methods: ["GET", "POST", "PUT", "DELETE"]
  allowed_headers: ["Content-Type", "Authorization"]
  allow_credentials: true
  max_age: 86400
```
Generates:
```yaml
plugins:
  - name: cors
    config:
      origins: ["https://app.example.com"]
      methods: ["GET", "POST", "PUT", "DELETE"]
      headers: ["Content-Type", "Authorization"]
      credentials: true
      max_age: 86400
```
### 6. Timeout & Retry
Generates:
```yaml
services:
  - name: api_service
    connect_timeout: 10000 # Milliseconds!
    write_timeout: 60000
    read_timeout: 120000
    retries: 3
```
Important: Kong uses milliseconds for timeouts!
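The health-check section above emits whole seconds while the service timeouts are in milliseconds, so a GAL exporter needs one duration parser feeding two unit conventions. The following is an added example, not GAL's own exporter; the GAL keys connect/send/read and the helper names are assumptions, the Kong field names come from the blocks above.

```python
# Added example, not GAL's own exporter: GAL duration strings ("10s", "500ms",
# "2m") -> Kong healthcheck seconds and Kong service timeout milliseconds.
# Kong field names follow the page; the GAL keys connect/send/read are assumed.
import re

_DURATION = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h)\s*$")
_TO_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000}
KONG_TIMEOUT_MAX_MS = 2_147_483_646  # upper bound accepted by Kong's service schema

def duration_ms(value) -> int:
    """Parse a GAL duration into milliseconds; a bare number means seconds."""
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        raise TypeError(f"unsupported duration: {value!r}")
    if isinstance(value, (int, float)):
        return int(value * 1000)
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(float(m.group(1)) * _TO_MS[m.group(2)])

def _seconds(ms: int):
    """Kong healthchecks take seconds; keep ints where the value is whole."""
    secs = ms / 1000
    return int(secs) if secs.is_integer() else secs

def kong_service_timeouts(timeouts: dict, retries: int = 5) -> dict:
    """GAL timeout block -> Kong service fields, which are in milliseconds."""
    mapping = {"connect": "connect_timeout", "send": "write_timeout", "read": "read_timeout"}
    out = {}
    for gal_key, kong_key in mapping.items():
        if gal_key in timeouts:
            ms = duration_ms(timeouts[gal_key])
            if not 1 <= ms <= KONG_TIMEOUT_MAX_MS:  # 0 would be rejected by Kong
                raise ValueError(f"{kong_key}={ms}ms is outside Kong's accepted range")
            out[kong_key] = ms
    out["retries"] = retries  # Kong's own default is 5
    return out

def kong_active_healthcheck(hc: dict) -> dict:
    """GAL active health check -> Kong healthchecks.active (seconds, not ms)."""
    return {"type": "http", "http_path": hc.get("http_path", "/"),
            "timeout": _seconds(duration_ms(hc.get("timeout", "5s"))),
            "interval": _seconds(duration_ms(hc.get("interval", "10s"))),
            "healthy": {"successes": hc.get("healthy_threshold", 2)},
            "unhealthy": {"http_failures": hc.get("unhealthy_threshold", 3)}}
```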
### 7. Request/Response Headers
```yaml
headers:
  request_add:
    X-Request-ID: "{{uuid}}"
  request_remove:
    - X-Internal-Secret
  response_add:
    X-Gateway: "Kong"
  response_remove:
    - X-Powered-By
```
Generates:
```yaml
plugins:
  - name: request-transformer
    config:
      add:
        headers: ["X-Request-ID:{{uuid}}"]
      remove:
        headers: ["X-Internal-Secret"]
  - name: response-transformer
    config:
      add:
        headers: ["X-Gateway:Kong"]
      remove:
        headers: ["X-Powered-By"]
```
### 8. Body Transformation
```yaml
body_transformation:
  enabled: true
  request:
    add_fields:
      trace_id: "{{uuid}}"
    remove_fields:
      - secret_key
  response:
    filter_fields:
      - password
```
Generates:
```yaml
plugins:
  - name: request-transformer
    config:
      add:
        json: ["trace_id:{{uuid}}"]
      remove:
        json: ["secret_key"]
  - name: response-transformer
    config:
      remove:
        json: ["password"]
```
### 9. Request Mirroring
✅ Nginx Mirror Module Support (Recommended)
Kong is built on Nginx/OpenResty, so the native ngx_http_mirror_module can be used. This is the recommended method for Kong OpenSource.
Method 1: Nginx Mirror Module (via KONG_NGINX_PROXY_INCLUDE) - ⭐ Recommended
```yaml
# GAL Config
routes:
  - path_prefix: /api/users
    mirroring:
      enabled: true
      targets:
        - name: shadow-v2
          upstream:
            host: shadow.example.com
            port: 443
          sample_percentage: 100
          headers:
            X-Mirror: "true"
            X-Shadow-Version: "v2"
```
Generates (nginx-template.conf via KONG_NGINX_PROXY_INCLUDE):
```nginx
# Nginx mirror module configuration
location /api/users {
    mirror /mirror-users;
    mirror_request_body on;
    proxy_pass http://backend-primary:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location = /mirror-users {
    internal;
    proxy_pass https://shadow.example.com:443/api/users;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Mirror "true";
    proxy_set_header X-Shadow-Version "v2";
}
```
Notes (Nginx mirror module):
- ✅ No plugin required - native Nginx functionality
- ✅ OpenSource-compatible - works with Kong Gateway (not only Enterprise)
- ✅ Asynchronous mirroring - does not block the primary response
- ✅ Custom headers - arbitrary headers on mirror requests
- ✅ Production-ready - based on the battle-tested Nginx mirror module
- ⚠️ Sampling - 50% sampling requires split_clients in the http block (harder via KONG_NGINX_PROXY_INCLUDE)
- ⚠️ Configuration - requires the KONG_NGINX_PROXY_INCLUDE environment variable
- ⚠️ Plugin bypass - a location injected this way proxies straight to the backend, so Kong's route matching and plugins (authentication, rate limiting) do not run for the requests it matches; keep the prefix list in sync with the routes that are meant to be mirrored
Deployment:
```yaml
# Docker/Kubernetes environment variable
KONG_NGINX_PROXY_INCLUDE: /usr/local/kong/custom/nginx-template.conf
# Mount nginx-template.conf as a volume
volumes:
  - ./nginx-template.conf:/usr/local/kong/custom/nginx-template.conf:ro
```
Method 2: Kong Enterprise Plugin (Kong Enterprise only)
```yaml
plugins:
  - name: request-mirror # Kong Enterprise plugin
    config:
      mirror_host: https://shadow.example.com:443
      mirror_path: /api/users
      sample_rate: 0.5
      headers:
        X-Mirror: "true"
        X-Shadow-Version: "v2"
```
Notes (Enterprise plugin):
- ⚠️ Enterprise-only - requires a Kong Enterprise license
- ✅ Native plugin - simple configuration via the Admin API
- ✅ Sampling - native sample rate support (0.0 - 1.0)
- ✅ Multiple targets - several shadow backends possible
Method 3: Custom Lua Plugin (OpenSource workaround, not recommended)
```lua
-- handler.lua (custom plugin, OpenSource workaround)
local http = require "resty.http"

-- Kong expects a handler table with PRIORITY/VERSION and phase methods
local RequestMirrorHandler = {
  PRIORITY = 1000,
  VERSION = "0.1.0",
}

function RequestMirrorHandler:access(conf)
  if math.random() * 100 > conf.sample_percentage then
    return
  end
  -- ngx.req.* is not available inside a timer, so capture request data here
  local method = ngx.req.get_method()
  local uri = ngx.var.request_uri
  ngx.timer.at(0, function(premature)
    if premature then return end -- worker is shutting down
    local httpc = http.new()
    local res, err = httpc:request_uri(conf.mirror_host .. uri, {
      method = method,
      headers = conf.mirror_headers,
    })
    if not res then
      ngx.log(ngx.WARN, "mirror request failed: ", err)
    end
  end)
end

return RequestMirrorHandler
```
Notes (custom Lua plugin):
- ⚠️ Not recommended - the Nginx mirror module is the better option
- ⚠️ Maintenance effort - the custom plugin has to be maintained
- ✅ Flexible - full control over the mirroring logic
- ✅ OpenSource - works without an Enterprise license
Recommendation:
1. Kong OpenSource: use the Nginx mirror module (Method 1) ⭐
2. Kong Enterprise: use the request-mirror plugin (Method 2)
3. Custom logic required: use a custom Lua plugin (Method 3)
E2E tests: see tests/test_kong_mirroring_e2e.py for complete examples using the Nginx mirror module.
Docker setup: see tests/docker/kong-mirroring/ for the Docker Compose configuration.
## Provider Comparison
### Kong vs. Other Providers
| Feature | Kong | Envoy | APISIX | Traefik | Nginx | HAProxy |
|---|---|---|---|---|---|---|
| Ease of Use | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| Plugin Ecosystem | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ | ⭐⭐ |
| Admin API | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ | ⭐⭐ |
| Documentation | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| Enterprise Support | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
Kong strengths:
- ✅ Simplest configuration of all providers
- ✅ 300+ plugins (Community + Enterprise)
- ✅ Admin API for dynamic management
- ✅ Kong Manager (web UI, Enterprise)
- ✅ DB-less mode (declarative config)
- ✅ Best documentation
Kong weaknesses:
- ❌ Enterprise features are paid
- ⚠️ Performance somewhat lower than Nginx/HAProxy
- ⚠️ Retries cannot be made conditional (no retry conditions)
## Kong Feature Coverage
Detailed analysis based on the official Kong documentation.
### Core Entities (Kong Admin API)
| Entity | Import | Export | Status | Notes |
|---|---|---|---|---|
| services | ✅ | ✅ | Full | Service definition with name/URL |
| routes | ✅ | ✅ | Full | Path/host routing |
| upstreams | ✅ | ✅ | Full | Load balancer configuration |
| targets | ✅ | ✅ | Full | Backend endpoints |
| plugins | ✅ | ✅ | Full | Plugin configuration |
| consumers | ❌ | ❌ | No | Consumer management |
| certificates | ❌ | ❌ | No | SSL/TLS certificates |
| snis | ❌ | ❌ | No | SNI configuration |
| ca_certificates | ❌ | ❌ | No | CA certificates |
### Traffic Control Plugins
| Plugin | Import | Export | Status | Notes |
|---|---|---|---|---|
| rate-limiting | ✅ | ✅ | Full | Rate limiting (local) |
| rate-limiting-advanced | ❌ | ❌ | No | Enterprise plugin |
| request-size-limiting | ❌ | ❌ | No | Request size limits |
| response-ratelimiting | ❌ | ❌ | No | Response-based rate limiting |
| proxy-cache | ❌ | ❌ | No | Caching |
| proxy-cache-advanced | ❌ | ❌ | No | Enterprise caching |
### Authentication Plugins
| Plugin | Import | Export | Status | Notes |
|---|---|---|---|---|
| basic-auth | ✅ | ✅ | Full | Basic authentication |
| key-auth | ✅ | ✅ | Full | API key authentication |
| jwt | ✅ | ✅ | Full | JWT validation |
| oauth2 | ❌ | ❌ | No | OAuth 2.0 |
| hmac-auth | ❌ | ❌ | No | HMAC signature |
| ldap-auth | ❌ | ❌ | No | LDAP authentication |
| openid-connect | ❌ | ❌ | No | Enterprise OIDC |
### Security Plugins
| Plugin | Import | Export | Status | Notes |
|---|---|---|---|---|
| cors | ✅ | ✅ | Full | CORS policy |
| acl | ❌ | ❌ | No | Access control lists |
| ip-restriction | ❌ | ❌ | No | IP allowlist/denylist |
| bot-detection | ❌ | ❌ | No | Bot detection |
### Transformation Plugins
| Plugin | Import | Export | Status | Notes |
|---|---|---|---|---|
| request-transformer | ⚠️ | ⚠️ | Partial | Request header transformation |
| response-transformer | ⚠️ | ⚠️ | Partial | Response header transformation |
| request-transformer-advanced | ❌ | ❌ | No | Enterprise plugin |
| response-transformer-advanced | ❌ | ❌ | No | Enterprise plugin |
### Traffic Management Plugins
| Plugin | Import | Export | Status | Notes |
|---|---|---|---|---|
| canary | ❌ | ❌ | No | Canary releases (Enterprise) |
| proxy-cache | ❌ | ❌ | No | HTTP caching |
| upstream-timeout | ⚠️ | ⚠️ | Partial | Timeout configuration |
| http-log | ❌ | ❌ | No | HTTP logging |
### Load Balancing Features
| Feature | Import | Export | Status | Notes |
|---|---|---|---|---|
| upstreams (round-robin) | ✅ | ✅ | Full | Round robin (default) |
| upstreams (least-connections) | ✅ | ✅ | Full | Least connections |
| upstreams (consistent-hashing) | ✅ | ✅ | Full | IP hash / cookie hash |
| upstreams (latency) | ❌ | ❌ | No | Latency-based LB |
| healthchecks.active | ✅ | ✅ | Full | Active health checks |
| healthchecks.passive | ✅ | ✅ | Full | Passive health checks (circuit breaker) |
### Route Matching Features
| Feature | Import | Export | Status | Notes |
|---|---|---|---|---|
| paths (prefix) | ✅ | ✅ | Full | Path prefix matching |
| paths (exact) | ❌ | ❌ | No | Exact path (prefix only) |
| paths (regex) | ❌ | ❌ | No | Regex path matching |
| hosts | ✅ | ✅ | Full | Host-based routing |
| methods | ✅ | ✅ | Full | HTTP method matching |
| headers | ❌ | ❌ | No | Header-based routing |
| snis | ❌ | ❌ | No | SNI-based routing |
### Observability Features
| Feature | Import | Export | Status | Notes |
|---|---|---|---|---|
| Admin API Metrics | N/A | ✅ | Export | /metrics endpoint |
| Prometheus Plugin | ❌ | ❌ | No | Prometheus metrics export |
| Datadog Plugin | ❌ | ❌ | No | Datadog APM |
| StatsD Plugin | ❌ | ❌ | No | StatsD metrics |
| Zipkin Plugin | ❌ | ❌ | No | Distributed tracing |
| File Log Plugin | ❌ | ❌ | No | File-based logging |
| Syslog Plugin | ❌ | ❌ | No | Syslog integration |
### Advanced Features
| Feature | Import | Export | Status | Notes |
|---|---|---|---|---|
| DB-less Mode (Declarative) | ✅ | ✅ | Full | YAML declarative config |
| Admin API (REST) | ❌ | ❌ | No | Runtime API not in GAL scope |
| Kong Manager (UI) | N/A | N/A | N/A | Enterprise feature |
| Dev Portal | N/A | N/A | N/A | Enterprise feature |
| Service Mesh (Kuma) | ❌ | ❌ | No | Service mesh integration |
| Serverless Functions | ❌ | ❌ | No | Pre/post function plugins |
| Custom Plugins (Lua) | ❌ | ❌ | No | Custom Lua plugins |
### Coverage Score by Category
| Category | Features total | Supported | Coverage |
|---|---|---|---|
| Core Entities | 9 | 5 full | 55% |
| Traffic Control | 6 | 1 full | 17% |
| Authentication | 7 | 3 full | 43% |
| Security | 4 | 1 full | 25% |
| Transformation | 4 | 0 full, 2 partial | 25% |
| Traffic Management | 4 | 0 full, 1 partial | 12% |
| Load Balancing | 6 | 4 full | 67% |
| Route Matching | 7 | 3 full | 43% |
| Observability | 7 | 1 export | 14% |
| Advanced | 6 | 1 full | 17% |
Overall (API gateway relevant features): ~38% coverage
Import coverage: ~60% (import of existing Kong configs → GAL)
Export coverage: ~85% (GAL → Kong declarative config)
### Bidirectional Feature Support
Fully bidirectional (import ↔ export):
1. ✅ Services (name, URL, protocol)
2. ✅ Routes (paths, hosts, methods)
3. ✅ Upstreams (targets, load balancing)
4. ✅ Health checks (active + passive)
5. ✅ Load balancing (round robin, least connections, consistent hashing)
6. ✅ Rate limiting (rate-limiting plugin)
7. ✅ Authentication (Basic, API key, JWT)
8. ✅ CORS (cors plugin)
Export only (GAL → Kong):
9. ⚠️ Request/response headers (request-transformer plugin)
10. ⚠️ Timeouts (service-level timeouts)
Features with limitations:
- Enterprise plugins: not in Kong OSS (rate-limiting-advanced, canary, openid-connect)
- Exact path matching: Kong only supports prefixes (paths array)
- Regex/header routing: not in GAL scope
- Custom Lua plugins: cannot be parsed or generated
### Import Example (Kong → GAL)
Input (kong.yaml, declarative config):
```yaml
_format_version: "3.0"
services:
  - name: api_service
    url: http://backend.svc:8080
    routes:
      - name: api_route
        paths:
          - /api
        methods:
          - GET
          - POST
upstreams:
  - name: api_upstream
    algorithm: round-robin
    targets:
      - target: backend-1.svc:8080
        weight: 100
      - target: backend-2.svc:8080
        weight: 100
    healthchecks:
      active:
        healthy:
          interval: 10
          successes: 2
        unhealthy:
          interval: 10
          http_failures: 3
plugins:
  - name: rate-limiting
    config:
      minute: 100
      policy: local
  - name: jwt
    config:
      claims_to_verify:
        - exp
```
Output (gal-config.yaml):
```yaml
version: "1.0"
provider: kong
global:
  host: 0.0.0.0
  port: 8000
services:
  - name: api_service
    type: rest
    protocol: http
    upstream:
      targets:
        - host: backend-1.svc
          port: 8080
          weight: 100
        - host: backend-2.svc
          port: 8080
          weight: 100
      load_balancer:
        algorithm: round_robin
      health_check:
        active:
          enabled: true
          interval: "10s"
          healthy_threshold: 2
          unhealthy_threshold: 3
    routes:
      - path_prefix: /api
        methods:
          - GET
          - POST
    rate_limit:
      enabled: true
      requests_per_second: 1.67 # 100/minute
    authentication:
      enabled: true
      type: jwt
```
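The import above has to parse Kong's "host:port" targets, normalise the algorithm name, fold the rate-limiting window into one requests-per-second figure, and map the auth plugin onto a GAL auth type. The following is an added example that does this for the subset shown (health checks omitted); it is not GAL's own importer, and the helper names and the single-upstream assumption are this example's own.

```python
# Added example, not GAL's own importer: Kong declarative subset (import example
# above) -> GAL shape (output above), minus health checks. GAL field names follow
# the page; helper names and the single-upstream assumption are this example's own.
from urllib.parse import urlsplit

RATE_WINDOWS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
AUTH_TYPES = {"jwt": "jwt", "basic-auth": "basic", "key-auth": "api_key"}

# Constructed sample: the kong.yaml above as a dict (healthchecks omitted).
KONG = {
    "services": [{"name": "api_service", "url": "http://backend.svc:8080",
                  "routes": [{"name": "api_route", "paths": ["/api"], "methods": ["GET", "POST"]}]}],
    "upstreams": [{"name": "api_upstream", "algorithm": "round-robin",
                   "targets": [{"target": "backend-1.svc:8080", "weight": 100},
                               {"target": "backend-2.svc:8080", "weight": 100}]}],
    "plugins": [{"name": "rate-limiting", "config": {"minute": 100, "policy": "local"}},
                {"name": "jwt", "config": {"claims_to_verify": ["exp"]}}],
}

def parse_target(target: str) -> dict:
    # Kong "host:port" -> GAL {host, port}; malformed targets are rejected, not guessed.
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed Kong target: {target!r}")
    return {"host": host, "port": int(port)}

def rate_per_second(config: dict) -> float:
    # Kong keeps one counter per window (second/minute/...); GAL keeps one rps figure.
    for window, seconds in RATE_WINDOWS.items():
        if config.get(window):
            return round(config[window] / seconds, 2)  # minute: 100 -> 1.67
    raise ValueError("rate-limiting plugin without a window")

def import_upstream(up: dict) -> dict:
    # Targets and algorithm -> GAL upstream/load_balancer (round-robin -> round_robin).
    targets = [dict(parse_target(t["target"]), weight=t.get("weight", 100)) for t in up["targets"]]
    return {"upstream": {"targets": targets},
            "load_balancer": {"algorithm": up.get("algorithm", "round-robin").replace("-", "_")}}

def import_kong(kong: dict) -> dict:
    ups, services = kong.get("upstreams", []), []
    for svc in kong["services"]:
        gal = {"name": svc["name"], "type": "rest", "protocol": urlsplit(svc["url"]).scheme}
        gal.update(import_upstream(ups[0]) if len(ups) == 1 else {})
        gal["routes"] = [{"path_prefix": r["paths"][0], "methods": r.get("methods", [])}
                         for r in svc.get("routes", [])]
        for plugin in kong.get("plugins", []):  # global plugins apply to every service
            if plugin["name"] == "rate-limiting":
                gal["rate_limit"] = {"enabled": True,
                                     "requests_per_second": rate_per_second(plugin.get("config", {}))}
            elif plugin["name"] in AUTH_TYPES:
                gal["authentication"] = {"enabled": True, "type": AUTH_TYPES[plugin["name"]]}
        services.append(gal)
    return {"version": "1.0", "provider": "kong", "global": {"host": "0.0.0.0", "port": 8000},
            "services": services}
```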
### Recommendations for Future Extensions
Priority 1 (high impact):
1. Request/response transformation - full body transformation support
2. Prometheus plugin - metrics export integration
3. IP restriction - allowlist/denylist support
4. Request size limiting - request-size-limiting plugin
5. Exact path matching - in addition to prefix
Priority 2 (medium impact):
6. Proxy cache - HTTP caching support
7. File/syslog logging - additional logging backends
8. OAuth2 plugin - OAuth 2.0 support
9. ACL plugin - access control lists
10. Bot detection - bot detection plugin
Priority 3 (nice to have):
11. HMAC auth - HMAC signature authentication
12. LDAP auth - LDAP integration
13. Header/query routing - advanced routing
14. Custom Lua plugins - plugin generation
15. Zipkin/Datadog integration - tracing/metrics
### Test Coverage (Import)
Kong import tests: 21 tests (test_import_kong.py)
| Test category | Tests | Status |
|---|---|---|
| Basic Import | 3 | ✅ Passing |
| Services & Routes | 3 | ✅ Passing |
| Upstreams & Load Balancing | 3 | ✅ Passing |
| Health Checks | 2 | ✅ Passing |
| Rate Limiting | 2 | ✅ Passing |
| Authentication (Basic, JWT, API Key) | 3 | ✅ Passing |
| CORS | 1 | ✅ Passing |
| Headers | 1 | ✅ Passing |
| Errors & Warnings | 3 | ✅ Passing |
Coverage improvement through import: 8% → 42% (+34%)
### Roundtrip Compatibility
| Scenario | Roundtrip | Notes |
|---|---|---|
| Basic Service + Route | ✅ 100% | Perfect |
| Upstreams + Load Balancing | ✅ 100% | Perfect |
| Health Checks (Active + Passive) | ✅ 95% | Minor details lost |
| Rate Limiting | ✅ 100% | Perfect |
| Authentication (Basic, JWT, API Key) | ✅ 100% | Perfect |
| CORS | ✅ 100% | Perfect |
| Request/Response Headers | ✅ 90% | request-transformer limitations |
| Combined Features | ✅ 95% | Very good |
Average roundtrip compatibility: ~97%
### Conclusion
Kong import coverage:
- ✅ Core features: 90% coverage (services, routes, upstreams, plugins)
- ⚠️ Advanced plugins: 30% coverage (many community plugins not supported)
- ❌ Enterprise features: not supported (canary, openid-connect, rate-limiting-advanced)
Kong export coverage:
- ✅ Core features: 95% coverage (all GAL features → Kong)
- ✅ Best practices: built in (health checks, load balancing)
- ✅ DB-less mode: fully supported (declarative YAML)
Recommendation:
- 🚀 For standard API gateway workloads: perfectly suited
- ✅ For Kong → GAL migration: 95% automated, 5% review
- ⚠️ For complex plugin setups: manual post-processing required
- ❌ For Enterprise features: not supported (Kong Enterprise required)
References:
- 📚 Kong Plugin Hub
- 📚 Kong Admin API
- 📚 Kong Declarative Config
- 📚 Kong Load Balancing
## Kong-Specific Details
### Plugin Architecture
Kong's power lies in its plugins:
Plugin execution order:
1. Pre-function (custom Lua before the request)
2. Authentication (JWT, Basic, API key, etc.)
3. Rate limiting (rate limit enforcement)
4. Request transformer (modify the request)
5. Proxy (forward to the upstream)
6. Response transformer (modify the response)
7. Post-function (custom Lua after the response)
### Admin API
Kong offers a REST API for management:
```bash
# List services
curl http://localhost:8001/services
# Create a service
curl -X POST http://localhost:8001/services \
  -d "name=my-service" \
  -d "url=http://backend:8080"
# Add a route
curl -X POST http://localhost:8001/services/my-service/routes \
  -d "paths[]=/api"
# Enable a plugin
curl -X POST http://localhost:8001/services/my-service/plugins \
  -d "name=rate-limiting" \
  -d "config.second=100"
```
Note: GAL generates declarative config (DB-less mode), not Admin API calls.
### DB-less vs. DB Mode
DB-less mode (recommended for GAL):
- ✅ No database required
- ✅ Simple deployment
- ✅ Git-friendly (YAML config)
- ❌ No dynamic changes via the Admin API
DB mode (PostgreSQL):
- ✅ Dynamic changes via the Admin API
- ✅ Kong Manager UI
- ❌ Requires a database
- ❌ More complex setup
### Kong Manager (Enterprise)
Kong Enterprise offers a web UI:
```bash
# Enable Kong Manager (Enterprise)
docker run -d \
  --name kong-enterprise \
  -e "KONG_ADMIN_GUI_URL=http://localhost:8002" \
  kong/kong-gateway:3.4-enterprise
```
Access: http://localhost:8002