Automate Admin API access (#22)

mars · web-flow · commit b487cf1a4c1c · 2018-09-13T10:42:51.000-07:00
diff --git a/ADMIN.md b/ADMIN.md
@@ -0,0 +1,84 @@
+Admin Console for Kong on Heroku
+================================
+Console access is primarily useful for performing `kong` CLI commands against the deployed app. Most administrative features do not require console access and instead are available through the [Kong Admin API](README.md#user-content-admin-api).
+
+### Admin console
+
+Use Kong CLI and the Admin API in a [one-off dyno](https://devcenter.heroku.com/articles/one-off-dynos):
+
+✏️ *Replace `$APP_NAME` with the Heroku app name.*
+
+```bash
+heroku run bash --app $APP_NAME
+
+# Run Kong in the background of the one-off dyno:
+~ $ bin/background-start
+
+# Then, use `curl` to issue Admin API commands
+# and `jq` to format the output:
+# (Note: the `$KONG_ADMIN_LISTEN` variable is already defined)
+~ $ curl http://$KONG_ADMIN_LISTEN | jq .
+
+# Example CLI commands:
+# (Note: some commands require the config file and others the prefix)
+# (Note: the `$KONG_CONF` variable is already defined)
+~ $ kong migrations list -c $KONG_CONF
+~ $ kong health -p /app/.heroku
+```
+
+### Proxy & protect the Admin API
+Kong's Admin API has no built-in authentication. Its exposure must be limited to a restricted, private network. For Kong on Heroku, the Admin API listens privately on `localhost:8001`.
+
+To make Kong Admin accessible from other locations, let's setup Kong itself to proxy its Admin API with key authentication, HTTPS-enforcement, and request rate & size limiting.
+
+⚠️ **This [Admin API proxy is generated automatically](README.md#user-content-admin-api) during the initial deployment's release**, if the `KONG_HEROKU_ADMIN_KEY` config var is set, such as when [using the automated app setup](README.md#user-content-deploy).
+
+From the [admin console](#user-content-admin-console):
+```bash
+# Create the authenticated `/kong-admin` API, targeting the localhost port:
+curl http://localhost:8001/services/ -i -X POST \
+  --data 'name=kong-admin' \
+  --data 'protocol=http' \
+  --data 'port=8001' \
+  --data 'host=localhost'
+# Note the Service ID returned in previous response, use it in place of `$SERVICE_ID`.
+curl http://localhost:8001/plugins/ -i -X POST \
+  --data 'name=request-size-limiting' \
+  --data "config.allowed_payload_size=8" \
+  --data "service_id=$SERVICE_ID"
+curl http://localhost:8001/plugins/ -i -X POST \
+  --data 'name=rate-limiting' \
+  --data "config.minute=5" \
+  --data "service_id=$SERVICE_ID"
+curl http://localhost:8001/plugins/ -i -X POST \
+  --data 'name=key-auth' \
+  --data "config.hide_credentials=true" \
+  --data "service_id=$SERVICE_ID"
+curl http://localhost:8001/plugins/ -i -X POST \
+  --data 'name=acl' \
+  --data "config.whitelist=kong-admin" \
+  --data "service_id=$SERVICE_ID"
+curl http://localhost:8001/routes/ -i -X POST \
+  --data 'paths[]=/kong-admin' \
+  --data 'protocols[]=https' \
+  --data "service.id=$SERVICE_ID"
+
+# Create a consumer with username and authentication credentials:
+curl http://localhost:8001/consumers/ -i -X POST \
+  --data 'username=heroku-admin'
+curl http://localhost:8001/consumers/heroku-admin/acls -i -X POST \
+  --data 'group=kong-admin'
+curl http://localhost:8001/consumers/heroku-admin/key-auth -i -X POST -d ''
+# …this response contains the `"key"`, use it for `$ADMIN_KEY` below.
+```
+
+Now, access Kong's Admin API via the protected, public-facing proxy:
+
+✏️ *Replace variables such as `$APP_NAME` with values for your unique deployment.*
+
+```bash
+# Set the request header:
+curl -H "apikey: $ADMIN_KEY" https://$APP_NAME.herokuapp.com/kong-admin/status
+# or use query params:
+curl https://$APP_NAME.herokuapp.com/kong-admin/status?apikey=$ADMIN_KEY
+```
diff --git a/README.md b/README.md
@@ -13,6 +13,10 @@ Deploy [Kong 0.14 Community Edition](https://konghq.com/kong-community-edition/)
   * [Deploy](#user-content-deploy)
   * [Connect local to Heroku app](#user-content-connect-local-to-heroku-app)
   * [Admin console](#user-content-admin-console)
+  * [Admin API](#user-content-admin-api)
+    * [The API Key](#user-content-admin-api-key)
+    * [Accessing](#user-content-accessing-the-external-admin-api)
+    * [Disabling](#user-content-disabling-the-external-admin-api)
   * [Proxy & protect the Admin API](#user-content-proxy--protect-the-admin-api)
   * [Upgrade guide](#user-content-upgrade-guide)
 * [Customization](#user-content-customization)
@@ -55,7 +59,7 @@ Use the deploy button to create a Kong app in your Heroku account:
 
 ### Connect local to Heroku app
 
-To use Admin console on a freshly-deployed app, clone and connect this repo (or your own fork) to the Heroku app:
+To make changes to the Kong app's source, clone and connect this repo (or your own fork) to the Heroku app:
 
 ```bash
 git clone https://github.com/heroku/heroku-kong.git
@@ -68,77 +72,60 @@ heroku info
 
 ### Admin console
 
-Use Kong CLI and the Admin API in a [one-off dyno](https://devcenter.heroku.com/articles/one-off-dynos):
+To gain local console access to Kong deployed on Heroku, see [ADMIN](ADMIN.md).
 
-```bash
-heroku run bash
+Console access is primarily useful for performing `kong` CLI commands against the deployed app. Most administrative features do not require console access and instead are available through the Kong Admin API.
+
+### Admin API
+
+When this app is deployed to Heroku, it automatically provisions a protected, external-facing proxy to [Kong's Admin API](https://docs.konghq.com/0.14.x/admin-api/), secured by the `KONG_HEROKU_ADMIN_KEY` config var.
+
+#### Admin API key
 
-# Run Kong in the background of the one-off dyno:
-~ $ bin/background-start
+`KONG_HEROKU_ADMIN_KEY` is generated automatically when this app is [deployed using the automated app setup](#user-content-deploy).
 
-# Then, use `curl` to issue Admin API commands
-# and `jq` to format the output:
-~ $ curl http://$KONG_ADMIN_LISTEN | jq .
+You can explicitly set a new admin key value:
 
-# Example CLI commands:
-# (note some commands require the config file and others the prefix)
-~ $ kong migrations list -c $KONG_CONF
-~ $ kong health -p /app/.heroku
+```bash
+heroku config:set KONG_HEROKU_ADMIN_KEY=xxxxx
+git commit --allow-empty -m 'deploy to set new admin key'
+git push heroku master
 ```
 
-### Proxy & protect the Admin API
-Kong's Admin API has no built-in authentication. Its exposure must be limited to a restricted, private network. For Kong on Heroku, the Admin API listens privately on `localhost:8001`.
+⚠️ **Always set a unique, cryptographically strong key value.** A weak admin key may result in the proxy being compromised and abused by malicious actors.
+
+#### Accessing the external Admin API
+
+Make HTTPS requests using a tool like [`curl`](https://curl.haxx.se) or [Paw.cloud](https://paw.cloud):
 
-To make Kong Admin accessible from other locations, let's setup Kong itself to proxy its Admin API with key authentication, HTTPS-enforcement, and request rate & size limiting.
+1. Base URL of the app's [Kong Admin API](https://docs.konghq.com/0.14.x/admin-api/) is `https://$APP_NAME.herokuapp.com/kong-admin`
+2. Set the current [admin key](#user-content-admin-api-key) in the `apikey` HTTP header
+
+For example, set the current admin key into a local shell variable:
 
-From the [admin console](#user-content-admin-console):
 ```bash
-# Create the authenticated `/kong-admin` API, targeting the localhost port:
-curl http://localhost:8001/services/ -i -X POST \
-  --data 'name=kong-admin' \
-  --data 'protocol=http' \
-  --data 'port=8001' \
-  --data 'host=localhost'
-# Note the Service ID returned in previous response, use it in place of `$SERVICE_ID`.
-curl http://localhost:8001/plugins/ -i -X POST \
-  --data 'name=request-size-limiting' \
-  --data "config.allowed_payload_size=8" \
-  --data "service_id=$SERVICE_ID"
-curl http://localhost:8001/plugins/ -i -X POST \
-  --data 'name=rate-limiting' \
-  --data "config.minute=5" \
-  --data "service_id=$SERVICE_ID"
-curl http://localhost:8001/plugins/ -i -X POST \
-  --data 'name=key-auth' \
-  --data "config.hide_credentials=true" \
-  --data "service_id=$SERVICE_ID"
-curl http://localhost:8001/plugins/ -i -X POST \
-  --data 'name=acl' \
-  --data "config.whitelist=kong-admin" \
-  --data "service_id=$SERVICE_ID"
-curl http://localhost:8001/routes/ -i -X POST \
-  --data 'paths[]=/kong-admin' \
-  --data 'protocols[]=https' \
-  --data "service.id=$SERVICE_ID"
+KONG_HEROKU_ADMIN_KEY=`heroku config:get KONG_HEROKU_ADMIN_KEY`
+```
 
-# Create a consumer with username and authentication credentials:
-curl http://localhost:8001/consumers/ -i -X POST \
-  --data 'username=8th-wonder'
-curl http://localhost:8001/consumers/8th-wonder/acls -i -X POST \
-  --data 'group=kong-admin'
-curl http://localhost:8001/consumers/8th-wonder/key-auth -i -X POST -d ''
-# …this response contains the `"key"`, use it for `$ADMIN_KEY` below.
+Now use the following HTTP request style to interact with the [Kong's Admin API](https://docs.konghq.com/0.14.x/admin-api/):
+
+✏️ *Replace the variable `$APP_NAME` with value for your unique deployment.*
+
+```bash
+curl -H "apikey: $KONG_HEROKU_ADMIN_KEY" https://$APP_NAME.herokuapp.com/kong-admin/status
 ```
 
-Now, access Kong's Admin API via the protected, public-facing proxy:
+#### Disabling the external Admin API
 
-✏️ *Replace variables such as `$APP_NAME` with values for your unique deployment.*
+If you prefer to only use the [console-based Admin API](ADMIN.md), then this externally-facing proxy can be disabled:
 
 ```bash
-# Set the request header:
-curl -H "apikey: $ADMIN_KEY" https://$APP_NAME.herokuapp.com/kong-admin/status
-# or use query params:
-curl https://$APP_NAME.herokuapp.com/kong-admin/status?apikey=$ADMIN_KEY
+curl -H "apikey: $KONG_HEROKU_ADMIN_KEY" https://$APP_NAME.herokuapp.com/kong-admin/services/kong-admin/routes
+# For the returned Route's `id`,
+curl -H "apikey: $KONG_HEROKU_ADMIN_KEY" -X DELETE https://$APP_NAME.herokuapp.com/kong-admin/routes/$ROUTE_ID
+# Now there's no longer admin access!
+# Finally, clear out the old admin key value.
+heroku config:unset KONG_HEROKU_ADMIN_KEY
 ```
 
 ### Upgrade guide
diff --git a/app.json b/app.json
@@ -17,5 +17,11 @@
   }],
   "addons": [
     "heroku-postgresql"
-  ]
+  ],
+  "env": {
+    "KONG_HEROKU_ADMIN_KEY": {
+      "description": "A secret key for accessing Kong's Admin API via public proxy at /kong-admin",
+      "generator": "secret"
+    }
+  }
 }
diff --git a/bin/prerelease b/bin/prerelease
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -u
+
+# Only run this if Kong's tables have not be initialized.
+psql $DATABASE_URL -c "SELECT 1 FROM consumers"
+data_exists=$?
+
+if [ ! $data_exists -eq 0 ] && [ -n "$KONG_HEROKU_ADMIN_KEY" ]
+then
+  echo "Loading base Kong config to enable secure proxy to Admin API"
+  pg_restore --verbose --clean --no-acl --no-owner -d "$DATABASE_URL" $HOME/config/pg-heroku-admin.dump
+fi
+
+set -e
+
+if [ -n "$KONG_HEROKU_ADMIN_KEY" ]
+then
+  echo "Setting Admin API key to value of KONG_HEROKU_ADMIN_KEY"
+  # This `id` matches the "kong-admin" keyauth_credentials record contained in "config/pg-heroku-admin.dump"
+  psql "$DATABASE_URL" -c "UPDATE keyauth_credentials SET key='$KONG_HEROKU_ADMIN_KEY' WHERE id='ac8af1d3-377a-41ae-9fd5-dbf98c599c5c';"
+fi
diff --git a/config/pg-heroku-admin.dump b/config/pg-heroku-admin.dump
