AI Traffic Management with Kong API Gateway

Question

Pulumi · Accepted Answer

To manage API traffic with Kong API Gateway, you can use Pulumi to programmatically set up the infrastructure needed to deploy and configure Kong. In this example, we'll create a Kong API Gateway on Kubernetes. We'll configure a Kong `Service` which represents an external upstream API you want to expose and a `Route` for clients to access that service.

Kong Gateway is an open-source, lightweight API Gateway, optimized for microservices, delivering unparalleled latency performance and scalability. Pulumi can help set up Kong in a repeatable and automated way, instead of manually configuring it.

The process involves the following steps:
1. Setting up a Kubernetes cluster (we'll assume this is already in place for this example).
2. Installing the Kong Gateway on Kubernetes.
3. Configuring the Kong Gateway with a `Service` and a `Route`.

Here is how you would use Pulumi with Python to accomplish this:

```python
import pulumi
import pulumi_kubernetes as k8s

# Define the Kong Service Deployment
kong_service = k8s.helm.v3.Release("kong-service",
    args=k8s.helm.v3.ReleaseArgs(
        chart="kong",
        repository_opts=k8s.helm.v3.RepositoryOptsArgs(
            repo="https://charts.konghq.com",
        ),
        version="1.15.0",
        namespace="kong",
        create_namespace=True,
    )
)

# Assuming you have an upstream service that you want Kong to manage,
# replace 'httpbin.org' with the address of your actual service and
# set the service port accordingly.
kong_upstream_service = k8s.core.v1.Service("kong-upstream-service",
    metadata=k8s.meta.v1.ObjectMetaArgs(
        name="httpbin-service",
    ),
    spec=k8s.core.v1.ServiceSpecArgs(
        type="ExternalName",
        external_name="httpbin.org",
        ports=[k8s.core.v1.ServicePortArgs(
            port=80,
            protocol="TCP",
        )],
    ))

# Create a Kong Service through the Pulumi Kong provider
# The Kong Service requires a host that points to our upstream service created above.
kong_httpbin_service = kong.Service("kong-httpbin-service",
    name="httpbin-service",
    protocol="http",
    host=kong_upstream_service.metadata.apply(lambda metadata: metadata.name),
    port=80
)

# Create a Kong Route for the service.
# The route specifies paths that are to be proxied to the Kong Service.
# You can specify other options such as methods, hosts, headers, etc.
kong_httpbin_route = kong.Route("kong-httpbin-route",
    protocols=["http"],
    methods=["GET", "POST"],
    hosts=["example.com"], # Replace with your preferred domain
    paths=["/"],
    service_id=kong_httpbin_service.id
)

# Export the Kong Gateway service's load balancer IP or hostname to access it externally
gateway_lb = k8s.core.v1.Service.get("kong-gateway-lb",
    pulumi.Output.concat(kong_service.namespace, "/", "kong-proxy")
).status.apply(lambda status: status.load_balancer.ingress[0].ip or status.load_balancer.ingress[0].hostname)

pulumi.export("gateway_url", gateway_lb)
```

### Explanation:
- First, we install Kong Gateway on Kubernetes using the Helm chart. This sets up Kong in the specified namespace and ensures that the necessary deployments and services are created in Kubernetes.
- An external upstream service, in this case, [`httpbin.org`](http://httpbin.org/), is represented as a Kubernetes `Service` of type `ExternalName`. It allows Kubernetes services to alias external DNS names.
- We then use the `pulumi_kong` package to create a Kong `Service`, which specifies how to access the upstream service (the `host` and `port`), and the protocol (`http`) for communication.
- The `kong.Route` resource defines how the service is accessed from the outside (`hosts`, `methods`, and `paths`). These patterns will be matched against incoming requests to the Kong Gateway, and traffic will be directed appropriately.
- Finally, we grab the IP address or hostname from the Kong Gateway's LoadBalancer service so we can connect from outside the cluster.

With this basic configuration, your Kong API Gateway is now able to manage the traffic going to the `httpbin.org` service. Any requests coming to `example.com` at the root path (`/`) using `GET` or `POST` will be proxied through Kong to `httpbin.org`.

To adapt this to your environment, you would replace `httpbin.org` and `example.com` with your internal service addresses and desired exposed hostnames.