First, I have experience with configuring Kong using a PostgreSQL database.
I’m now learning about Kong Ingress Controller (KIC) on Kubernetes. I’ve got Kong deployed on my cluster, services and routes configured, and the key-auth plugin added; it’s all working - so far so good.
This is all clear and good for learning, but I assume this is not how it’s done at larger scale or in production, is it? What is the proper way to manage API keys at scale?
@JohnWilliams Yes, running Kong in traditional mode (i.e. with a database) does indeed support auto-generation of API keys, and it works fine with Kong Manager as well as curl-ed requests to the Admin API. Although it is useful for testing and learning Kong, it does not answer my need for KIC.
As you suggested, I currently use Kubernetes secrets, importing API keys managed and stored in an external vault, but I’m interested in what best practices are used in production.
I am also curious whether the CRDs can just create some random string and store it in a Kubernetes secret.
For now, we are using Terraform to create a random string and store it in AWS Secrets Manager, and we use the External Secrets operator to move the secret from AWS to Kubernetes.
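
The flow described in the post above, sketched as manifests (an added example, not from any poster in this thread): an `ExternalSecret` pulls the key from AWS Secrets Manager into a Secret that KIC accepts as a key-auth credential, and a `KongConsumer` references it. It assumes KIC 3.x, which reads the credential type from the `konghq.com/credential` label, an existing `ClusterSecretStore`, and a plain-string secret in AWS; all names and the AWS secret path are placeholders.

```yaml
# Added example: every name, namespace and AWS path below is a placeholder.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: partner-a-apikey
  namespace: kong
spec:
  refreshInterval: 1h            # re-sync so a rotation in AWS reaches Kong
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager    # assumed to exist, with IAM scoped to this path
  target:
    name: partner-a-apikey       # name of the Kubernetes Secret to create
    creationPolicy: Owner        # Secret is deleted with the ExternalSecret
    template:
      metadata:
        labels:
          konghq.com/credential: key-auth   # tells KIC 3.x the credential type
      data:
        key: "{{ .key }}"        # key-auth credentials need a `key` field
  data:
    - secretKey: key
      remoteRef:
        key: kong/consumers/partner-a       # placeholder secret name in AWS
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: partner-a
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
username: partner-a
credentials:
  - partner-a-apikey             # must match the Secret name above
```

With this layout the key value never appears in Git or in the manifests; only the reference to the external store does.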
@chi_ding As you see, my question received no informative responses.
I used to use Terraform to generate values for secrets stored in Azure Key Vault and read by Kubernetes, but I have switched to using https://external-secrets.io for all purposes: