diff --git a/README.md b/README.md index 1fa86dc..8056508 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ Kong as a Heroku app ==================== -Deploy [Kong 1.0](https://konghq.com/blog/kong-1-0-ga/) clusters to Heroku Common Runtime and Private Spaces using the [Kong buildpack](https://github.com/heroku/heroku-buildpack-kong/). +Deploy [Kong 1.1.0rc2](https://discuss.konghq.com/t/kong-1-1-0rc2-available-for-testing/3016) clusters to Heroku Common Runtime and Private Spaces using the [Kong buildpack, 1.1.0 branch](https://github.com/heroku/heroku-buildpack-kong/tree/kong-1.1.0). ⏫ **Upgrading from an earlier version?** See [Upgrade Guide](#user-content-upgrade-guide). diff --git a/app.json b/app.json index 4052fcd..1cd0434 100644 --- a/app.json +++ b/app.json @@ -11,10 +11,9 @@ ], "website": "https://getkong.org/", "repository": "https://github.com/heroku/heroku-kong.git", - "success_url": "https://github.com/heroku/heroku-kong/blob/master/README.md#user-content-usage", "stack": "heroku-18", "buildpacks": [{ - "url": "https://github.com/heroku/heroku-buildpack-kong.git" + "url": "https://github.com/heroku/heroku-buildpack-kong.git#kong-1.1.0" }], "addons": [ "heroku-postgresql" diff --git a/bin/postrelease b/bin/postrelease new file mode 100755 index 0000000..fa2ae65 --- /dev/null +++ b/bin/postrelease @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +set -eu + +# Admin key is empty when the var is unset. +KONG_HEROKU_ADMIN_KEY="${KONG_HEROKU_ADMIN_KEY:-}" + +if [ -n "$KONG_HEROKU_ADMIN_KEY" ] +then + echo "Setting up external Admin API secured by KONG_HEROKU_ADMIN_KEY" + + # Replace environment variables with their values. + # Example: `$VAR` or `${VAR}` will be replaced with value of `VAR`. + eval "cat < config/secure-admin-api-rendered.yml + + # Kong needs to be running for import. + bin/background-start + sleep 1 + # Import config to Kong 1.1+ + kong config db_import \ + -c "${KONG_CONF:-config/kong.conf}" \ + "config/secure-admin-api-rendered.yml" +fi 
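Review bot: The new buildpack URL in app.json ends in `#kong-1.1.0`, which the README hunk links as a branch, so it is a moving ref and every deploy builds the gateway with whatever that branch holds at the time. For a release-candidate buildpack that is hard to audit or reproduce. Once a release tag exists, pinning to it, e.g. `"url": "https://github.com/heroku/heroku-buildpack-kong.git#<RELEASE_TAG>"`, would make the build input fixed and reviewable.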
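Review bot: The `eval "cat …` line in bin/postrelease (it looks truncated on this page) renders the template by evaluating it as shell, so going by the comment above it, any `$(...)` or backtick that ends up in config/secure-admin-api.yml would presumably run during release, not just `$VAR` expansion. Substituting only the one variable is narrower, e.g. `envsubst '${KONG_HEROKU_ADMIN_KEY}' < config/secure-admin-api.yml > config/secure-admin-api-rendered.yml`, if `envsubst` is present in the image. The rendered file then holds the admin key in plaintext and is never removed; `umask 077` before rendering and `trap 'rm -f config/secure-admin-api-rendered.yml' EXIT` would limit that exposure. The fixed `sleep 1` is also a guess at Kong's startup time, so the import can race a slow start; polling for readiness with a bounded retry would be more reliable.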
diff --git a/bin/prerelease b/bin/prerelease
deleted file mode 100755
index 91d518f..0000000
--- a/bin/prerelease
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-set -u
-set +e
-
-# Only run this if Kong's tables have not be initialized.
-psql $DATABASE_URL -c "SELECT 1 FROM consumers"
-data_exists=$?
-
-# Admin key is empty when the var is unset.
-admin_key="${KONG_HEROKU_ADMIN_KEY:-}"
-
-if [ ! $data_exists -eq 0 ] && [ -n "$admin_key" ]
-then
- echo "Loading base Kong config to enable secure proxy to Admin API"
- pg_restore --verbose --clean --no-acl --no-owner -d "$DATABASE_URL" $HOME/config/pg-heroku-admin.dump
-fi
-
-set -e
-
-if [ -n "$admin_key" ]
-then
- echo "Setting Admin API key to value of KONG_HEROKU_ADMIN_KEY"
- # This `id` matches the "kong-admin" keyauth_credentials record contained in "config/pg-heroku-admin.dump"
- psql "$DATABASE_URL" -c "UPDATE keyauth_credentials SET key='${admin_key}' WHERE id='8e4b1774-0b0f-463f-bab1-6468d1fdc5c3';"
-fi
diff --git a/config/pg-heroku-admin.dump b/config/pg-heroku-admin.dump
deleted file mode 100644
index ea2b1d3..0000000
Binary files a/config/pg-heroku-admin.dump and /dev/null differ
diff --git a/config/secure-admin-api.yml b/config/secure-admin-api.yml
new file mode 100644
index 0000000..99210e0
--- /dev/null
+++ b/config/secure-admin-api.yml
@@ -0,0 +1,40 @@
+# Kong declarative config
+# https://discuss.konghq.com/t/rfc-kong-native-declarative-config-format/2719
+
+# Metadata fields start with an underscore (_)
+# Fields that do not start with an underscore represent Kong entities and attributes
+
+# Matches Kong minimum version that supports the format
+_format_version: "1.1"
+_comment: This configures a protected, external-facing loopback proxy to Kong's Admin API, secured by the KONG_HEROKU_ADMIN_KEY config var. This config is preprocessed by the bin/postrelease script to expand shell-style interpolations, such as variables.
+
+services:
+- name: kong-admin
+ url: http://localhost:8001
+ routes:
+ - name: kong-admin
+ protocols:
+ - https
+ paths:
+ - /kong-admin
+ plugins:
+ - name: request-size-limiting
+ config:
+ allowed_payload_size: 8
+ - name: rate-limiting
+ config:
+ minute: 1000
+ - name: key-auth
+ config:
+ hide_credentials: true
+ - name: acl
+ config:
+ whitelist:
+ - kong-admin
+
+consumers:
+- username: heroku-admin
+ acls:
+ - group: kong-admin
+ keyauth_credentials:
+ - key: ${KONG_HEROKU_ADMIN_KEY}
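Review bot: `key: ${KONG_HEROKU_ADMIN_KEY}` on the last line is substituted as a bare YAML scalar, so a key containing ` #`, `: ` or a leading `*`, `&` or `!` would be truncated or re-typed by the YAML parser, and the stored credential would silently differ from the config var. Quoting it as `- key: '${KONG_HEROKU_ADMIN_KEY}'` keeps the value a string, assuming the renderer leaves quotes intact; a key containing `'` would still need handling, so the accepted character set is worth stating in the README. Because the `_comment` says this file is run through shell-style expansion, a header comment such as `# Rendered via shell expansion: every $ in this file is live; keep literal dollars out` would warn future editors. The service URL `http://localhost:8001` also relies on the Admin API listening on loopback only, which is configured outside this hunk.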