Author: techhadoop

Deploy routes and plugins in Kong Gateway

techhadoop Uncategorized

Here’s a minimal yet flexible Ansible playbook to deploy routes in Kong Gateway using the uri module to interact with the Admin API. This example assumes:

  • Kong Admin API is accessible (e.g. http://localhost:8001).
  • A service is already defined (or you can create one using Ansible).
  • You’re deploying a route for an existing service.

✅ Example Directory Layout

kong_routes/
├── playbook.yml
└── vars/
    └── routes.yml

📄 vars/routes.yml

kong_admin_url: "http://localhost:8001"

kong_routes:
  - name: route1
    service: example-service
    paths: ["/example"]
    methods: ["GET"]
    strip_path: true

📄 playbook.yml

- name: Deploy Routes to Kong
  hosts: localhost
  connection: local
  vars_files:
    - vars/routes.yml
  tasks:
    - name: Ensure route exists in Kong
      uri:
        url: "{{ kong_admin_url }}/routes"
        method: POST
        body_format: json
        headers:
          Content-Type: "application/json"
        body: >-
          {
            "name": "{{ item.name }}",
            "paths": {{ item.paths | to_json }},
            "methods": {{ item.methods | to_json }},
            "strip_path": {{ item.strip_path }},
            "service": { "name": "{{ item.service }}" }
          }
        status_code: 201
      loop: "{{ kong_routes }}"
      ignore_errors: true  # optional: prevents failure if route exists

✅ Optional: Create Service First

Add this before the route task if needed:

    - name: Ensure service exists
      uri:
        url: "{{ kong_admin_url }}/services"
        method: POST
        body_format: json
        headers:
          Content-Type: "application/json"
        body: >-
          {
            "name": "{{ item.service }}",
            "url": "http://mockbin.org"  # change to your backend URL
          }
        status_code: 201
      loop: "{{ kong_routes }}"
      ignore_errors: true

Would you like this to support idempotency (check if the route already exists and update it), or include support for Kong Konnect or authentication headers (e.g. RBAC tokens)?

headers:
Content-Type: “application/json”
Authorization: “Bearer {{ kong_admin_token }}”

A 401 Unauthorized error in Kong Gateway typically indicates that the request lacks valid authentication credentials required to access the resource. Here’s how you can troubleshoot and resolve this issue:

techhadoop Uncategorized , , , ,

🔍 Common Causes and Solutions

1. Missing or Invalid API Key (Key Authentication Plugin)

If you’re using the Key Authentication plugin, Kong expects a valid API key in the request.(Kong Docs)

  • Symptom: Receiving a 401 error with the message "No API key found in request" or "Invalid authentication credentials".(Turbolab Technologies)
  • Solution:
    • Create a Consumer: curl -i -X POST http://localhost:8001/consumers/ --data "username=your_username"
    • Assign an API Key to the Consumer: curl -i -X POST http://localhost:8001/consumers/your_username/key-auth --data "key=your_api_key"
    • Include the API Key in Your Request: curl -i http://lo calhost:8000/your_service \ -H "apikey: your_api_key"
    • Note: The header name (apikey) should match the key_names configured in your Key Authentication plugin.(Kong Docs)

2. Expired or Invalid JWT Token (JWT Plugin)

If you’re using the JWT plugin, ensure that the token is valid and not expired.

  • Symptom: Receiving a 401 error with the message "Invalid token" or "Token expired".
  • Solution:
    • Verify the Token: Use tools like jwt.io to decode and inspect the token.
    • Check Expiration: Ensure the exp claim has not passed.
    • Validate Signature: Confirm that the token’s signature matches the expected signing key.(Auth0 Community)

3. OpenID Connect (OIDC) Plugin Issues

When using the OIDC plugin, a 401 error can occur if the plugin’s cache is outdated after changes to the Identity Provider (IdP).(support.konghq.com)

  • Symptom: Receiving a 401 error after updating the IdP’s signing certificate.
  • Solution:
    • Clear Plugin Cache: Restart Kong or clear the plugin’s cache to fetch the updated signing keys from the IdP.
    • Verify IdP Configuration: Ensure that the IdP’s metadata URL is correctly configured in the plugin settings.

4. Plugin Configuration on Specific Routes or Services

Ensure that authentication plugins are correctly configured on the intended routes or services.

  • Symptom: Receiving a 401 error on specific endpoints.
  • Solution:
    • Check Plugin Association: Use the Admin API to list plugins associated with your routes or services. curl http://localhost:8001/plugins
    • Adjust Configuration: Ensure that the plugin is enabled and correctly configured for the desired routes or services.

🛠️ Additional Troubleshooting Steps

  • Inspect Kong Logs: Check the Kong error logs for detailed information.
  tail -f /usr/local/kong/logs/error.log
  • Use Debug Headers: Add the X-Kong-Debug: 1 header to your requests to get more insight into how Kong processes them.
  • Verify Plugin Order: Ensure that authentication plugins are executed in the correct order, especially when multiple plugins are used.

If you can provide more details about your setup—such as the authentication plugins in use, specific routes or services affected, and sample requests—I can offer more targeted assistance.

Deploy services in KONG

techhadoop Uncategorized

To export a Kong service with its route(s) and plugin(s) and re-deploy it via Ansible, follow this structured approach:

Step 1: Export Kong Configuration (Service + Route + Plugins)

Use Kong’s Admin API or deck (Kong’s declarative configuration tool).

Option A: Use deck

deck dump –select-tag my-service-tag –output-file exported.yaml

🔹 Tagging helps isolate what to export (tag services, routes, plugins with my-service-tag beforehand).
🔹 You can also export the full config with deck dump.

Option B: Use cURL (for manual/scripted extraction)

# Get service

curl -s http://<KONG_ADMIN&gt;:8001/services/my-service > service.json

# Get route(s) for the service

curl -s http://<KONG_ADMIN&gt;:8001/services/my-service/routes > routes.json

# Get plugins for the service

curl -s http://<KONG_ADMIN&gt;:8001/services/my-service/plugins > plugins.json

 Step 2: Transform into Ansible-compatible format

Create a folder structure:

kong/

├── files/

│   └── exported.yaml  # if using deck

├── templates/

│   └── service.json.j2

│   └── routes.json.j2

│   └── plugins.json.j2

└── tasks/

    └── deploy-kong.yml

✅ Step 3: Create Ansible Playbook

If using deck:

# tasks/deploy-kong.yml

– name: Deploy config to Kong via deck

  ansible.builtin.command:

    cmd: “deck sync –state exported.yaml”

  args:

    chdir: “{{ playbook_dir }}/files”

If using cURL approach (raw API):

- name: Create service in Kong
  uri:
    url: "http://{{ kong_admin_host }}:8001/services"
    method: POST
    body: "{{ lookup('file', 'templates/service.json.j2') | from_json }}"
    body_format: json
    status_code: [201, 409]  # 409 = already exists
    headers:
      Content-Type: "application/json"

- name: Create route for the service
  uri:
    url: "http://{{ kong_admin_host }}:8001/services/{{ service_name }}/routes"
    method: POST
    body: "{{ lookup('file', 'templates/routes.json.j2') | from_json }}"
    body_format: json
    status_code: [201, 409]
    headers:
      Content-Type: "application/json"

- name: Add plugins to service
  uri:
    url: "http://{{ kong_admin_host }}:8001/services/{{ service_name }}/plugins"
    method: POST
    body: "{{ lookup('file', 'templates/plugins.json.j2') | from_json }}"
    body_format: json
    status_code: [201, 409]
    headers:
      Content-Type: "application/json"

   

Step 4: Run Playbook

ansible-playbook deploy-kong.yml -e “kong_admin_host=your.kong.gateway”

 Optional: Use Tags to Scope with deck

Tag services during creation to support selective dumps later:

curl -X PATCH http://localhost:8001/services/my-service \

  –data “tags=my-service-tag”

example of j2

{
  "name": "my-service",
  "host": "example.internal",
  "port": 8080,
  "protocol": "http",
  "path": "/api",
  "connect_timeout": 60000,
  "write_timeout": 60000,
  "read_timeout": 60000,
  "retries": 5,
  "tags": ["exported", "my-tag"]
}

Full ansible playbook 

---
- name: Deploy Kong service with routes and plugins
  hosts: kong
  gather_facts: no
  vars:
    kong_admin_url: "{{ kong_admin_host | default('http://localhost:8001') }}"
  tasks:

    - name: Load service JSON
      set_fact:
        service_payload: "{{ lookup('file', 'templates/service.json.j2') | from_json }}"

    - name: Create service
      uri:
        url: "{{ kong_admin_url }}/services"
        method: POST
        body: "{{ service_payload }}"
        body_format: json
        status_code: [201, 409]
        headers:
          Content-Type: "application/json"

    - name: Load routes JSON (could be a single or multiple routes)
      set_fact:
        routes_payload: "{{ lookup('file', 'templates/routes.json.j2') | from_json }}"

    - name: Create route(s) for the service
      uri:
        url: "{{ kong_admin_url }}/services/{{ service_payload.name }}/routes"
        method: POST
        body: "{{ item }}"
        body_format: json
        status_code: [201, 409]
        headers:
          Content-Type: "application/json"
      loop: "{{ routes_payload | type_debug == 'list' | ternary(routes_payload, [routes_payload]) }}"

    - name: Load plugins JSON
      set_fact:
        plugins_payload: "{{ lookup('file', 'templates/plugins.json.j2') | from_json }}"

    - name: Add plugin(s) to the service
      uri:
        url: "{{ kong_admin_url }}/services/{{ service_payload.name }}/plugins"
        method: POST
        body: "{{ item }}"
        body_format: json
        status_code: [201, 409]
        headers:
          Content-Type: "application/json"
      loop: "{{ plugins_payload }}"

Deploy AWX (Rancher )

techhadoop Uncategorized , , , ,

If you turn on (start/deploy) cattle-system pods (especially cattle-cluster-agent) and it crashes your cluster,
it means the Rancher agents are broken or misconfigured and are overloading, blocking, or breaking Kubernetes internally.

In detail, here’s why this can happen:

CauseWhat HappensWhy It Crushes the Cluster
❌ Rancher agents fail to connect and keep retryingThey flood the Kubernetes API server with reconnect attemptsAPI server gets overloaded, becomes unresponsive
❌ Wrong Rancher URL or network brokenAgents enter infinite loops trying to reach RancherNode CPU/memory gets exhausted
❌ Authentication errors (cert expired, token invalid)Agents spam auth failures on kube-apiserverAPI server becomes slow or hangs
❌ Agent version mismatchOlder agents send bad requests to newer serversAPI server rejects them violently
❌ Cluster registration issues (wrong cluster state in Rancher DB)Rancher tries to sync invalid resourcesetcd or kube-apiserver crash
❌ cattle-node-agent overloadEach node spawns bad agents, DaemonSet restarts infinitelykubelet, container runtime get overloaded

🚨 Important:

  • Rancher’s cattle-cluster-agent talks both to your Kubernetes API server and to Rancher’s API.
  • If it is broken (wrong URL, invalid token, expired cert, bad Rancher setup), it spams the cluster.
  • Symptoms you usually see:
    • kubectl get nodes hangs
    • kubectl get pods -A freezes
    • CPU of kube-apiserver jumps high
    • Cluster nodes become NotReady
    • etcd warnings appear if etcd is running locally

Proof: If you kill (scale to 0) the cattle-cluster-agent, the cluster usually becomes healthy again.
Example:

kubectl scale deployment cattle-cluster-agent -n cattle-system --replicas=0

→ Cluster becomes stable.

💬 Summary in simple words:

Rancher agents are deeply tied into your Kubernetes cluster.
If they are broken, they spam your Kubernetes system like crazy, and that overloads and crashes your cluster.

🔎 Next step: To solve it properly:

  1. Collect logs: kubectl logs -n cattle-system cattle-cluster-agent-xxxx kubectl logs -n cattle-system cattle-node-agent-xxxx
  2. Fix whatever is wrong (wrong URL, expired cert, wrong Rancher token, network broken).
  3. Then redeploy cattle-system carefully.

👉 Question for you to proceed:

  • Did you recently upgrade Rancher or move Rancher server (IP change, domain change)?
  • Did you renew SSL/TLS certificates on Rancher?
  • Or is this a new cluster registration you are trying?

Depending on your answer, I will tell you exactly how to fix it.
Would you like me to guide you step-by-step? 🚀
(If yes, tell me Rancher version too — 2.6.x, 2.7.x, 2.8.x, etc.)

This is a serious architecture conflict:

Rancher’s cattle-node-agent is destabilizing your AWX deployment.

And the reason is resource exhaustion or cluster network/messaging overload.

🔥 Why does this happen?

CauseDescriptionWhy it breaks AWX
Resource exhaustionRancher’s cattle-node-agent is heavy (especially when reconnecting or retrying). It uses a lot of CPU, memory, and bandwidth.AWX Postgres and Web pods starve for CPU/memory or lose network
Node pressureWhen 2 cattle-node-agents come alive, node CPU/mem pressure increases.Kubernetes starts evicting pods (including AWX pods)
Pod preemptionIf no resource limits are properly set, kube-scheduler kills “low-priority” pods to save critical pods.Your AWX web or postgres pod might get evicted
Flapping networkingRancher’s agents may try to reach Rancher server and overload K8s networking.AWX needs stable DNS, API server access; it breaks
PersistentVolume interruptionsIf Rancher agents cause node instability, your Postgres PVCs (storage) might get stuck or remount improperly.AWX relies heavily on Postgres; database disruptions kill it

🧠 Let’s go deep technical quickly:

If you run:

kubectl get events -n awx --sort-by='.metadata.creationTimestamp'

or

kubectl describe pod <awx-pod-name> -n awx

you will likely see:

  • Evicted messages
  • NodeAffinity errors
  • OutOfcpu
  • OutOfmemory
  • Pod sandbox changed
  • Volume mount errors
  • Postgres connection refused or file corruption

🛠 How to properly fix this

Step 1: Check Node Resources

Look at:

kubectl describe node <node-name>

Check for:

  • Allocatable CPU/memory
  • Current Usage
  • Conditions like MemoryPressure, DiskPressure

Step 2: Set Strong Resource Requests & Limits for AWX

In your AWX YAML (awx.yaml), add hard limits like this:

yamlCopyEditspec:
  web_resource_requirements:
    requests:
      memory: 1Gi
      cpu: 500m
    limits:
      memory: 2Gi
      cpu: 1000m
  task_resource_requirements:
    requests:
      memory: 1Gi
      cpu: 500m
    limits:
      memory: 2Gi
      cpu: 1000m
  postgres_resource_requirements:
    requests:
      memory: 1Gi
      cpu: 500m
    limits:
      memory: 2Gi
      cpu: 1000m

Step 3: Pin AWX pods to 1 specific node (optional)

If your nodes are unstable, you can force AWX to run only on the “good” node:

spec:
  node_selector:
    node-role.kubernetes.io/awx: "true"

Or use taints and tolerations.

Step 4: Fix Rancher agents

If your Rancher agents (cattle-node-agent) are going crazy (e.g., retrying, error loops):

  • Make sure nodes can reach Rancher server stably
  • Update the registration URL if needed
  • Fix certificate errors

You can check the cattle-node-agent logs:

kubectl logs -n cattle-system cattle-node-agent-xxxxx

Step 5: Stabilize PVCs

If AWX Postgres uses PVC (Persistent Volume Claim), ensure that:

  • Storage class is fast and resilient
  • Volumes aren’t remounting during node pressure

If you use Longhorn or local-path, make sure your storage is attached and healthy.

⚡ Quick Summary

SymptomRoot CauseFix
AWX web and Postgres pods crash when Rancher agent wakes upNode pressure, network overload, volume flappingSet AWX hard resource requests/limits, stabilize Rancher agent, pin critical pods to best nodes, ensure fast storage

✍️ What I Recommend for You Right Now

  1. Look at AWX pods: kubectl get pods -n awx kubectl describe pod <awx-pod> -n awx kubectl get events -n awx --sort-by='.metadata.creationTimestamp'
  2. Look at Node status: bashCopyEditkubectl describe node <node-name>
  3. Look at Rancher cattle-node-agent logs: bashCopyEditkubectl logs -n cattle-system cattle-node-agent-xxxx

Paste me (if you want) the errors and I can tell you exactly what’s killing AWX.
You’re very close to solving it. 🚀

❓ Quick Questions

create a better AWX deployment YAML that sets:

  • Node Affinity
  • Hard CPU/memory limits
  • Stable PVC
  • Tolerations (if needed)

Troubleshooting

kubectl get secret awx-admin-password -n awx -o jsonpath=”{.data.password}” | base64 –decode

install license

techhadoop Uncategorized 
#!/bin/bash

# === CONFIGURATION ===
LICENSE_FILE="/path/to/your/maprlicense.txt"
PRIMARY_NODE="cldb-node.example.com"   # change to your CLDB node hostname or IP

# === STEP 1: Copy license to the primary node ===
echo "Copying license file to $PRIMARY_NODE..."
scp "$LICENSE_FILE" "$PRIMARY_NODE:/tmp/maprlicense.txt"

# === STEP 2: Add the license on the cluster ===
echo "Adding license using maprcli on $PRIMARY_NODE..."
ssh "$PRIMARY_NODE" "sudo maprcli license add -license /tmp/maprlicense.txt"

# === STEP 3: Verify license ===
echo "Verifying license status..."
ssh "$PRIMARY_NODE" "sudo maprcli license list -json | jq ."

echo "✅ License added and verified successfully!"


How Cluster ID is normally generated
When you first install MapR, you run something like:


sudo /opt/mapr/server/configure.sh -C <cldb-nodes> -Z <zookeeper-nodes> -N <cluster-name>
When configure.sh runs for the first time:

It creates /opt/mapr/conf/clusterid

It creates /opt/mapr/conf/mapr-clusters.conf

It registers your node with CLDB

The Cluster ID is a random large number, created automatically.

If you need to (re)generate a Cluster ID manually:
If you're setting up a new cluster, and no CLDB is initialized yet, you can force generate a Cluster ID like this:

Stop Warden if running:


sudo systemctl stop mapr-warden
Clean old config (careful, if cluster already had data, don't do this):


sudo rm -rf /opt/mapr/conf/clusterid
sudo rm -rf /opt/mapr/conf/mapr-clusters.conf
Re-run configure.sh:

Example:


sudo /opt/mapr/server/configure.sh -N mycluster.example.com -C cldb-node1,cldb-node2 -Z zk-node1,zk-node2
-N: Cluster Name

-C: CLDB nodes

-Z: ZooKeeper nodes

After that:
cat /opt/mapr/conf/clusterid
→ You will now see the new Cluster ID!

How Cluster ID is normally generated
When you first install MapR, you run something like:

sudo /opt/mapr/server/configure.sh -C <cldb-nodes> -Z <zookeeper-nodes> -N <cluster-name>
When configure.sh runs for the first time:

It creates /opt/mapr/conf/clusterid

It creates /opt/mapr/conf/mapr-clusters.conf

It registers your node with CLDB

✅ The Cluster ID is a random large number, created automatically.

🔥 If you need to (re)generate a Cluster ID manually:
If you're setting up a new cluster, and no CLDB is initialized yet, you can force generate a Cluster ID like this:

Stop Warden if running:

bash
Copy
Edit
sudo systemctl stop mapr-warden
Clean old config (careful, if cluster already had data, don't do this):

bash
Copy
Edit
sudo rm -rf /opt/mapr/conf/clusterid
sudo rm -rf /opt/mapr/conf/mapr-clusters.conf
Re-run configure.sh:

Example:

bash
Copy
Edit
sudo /opt/mapr/server/configure.sh -N mycluster.example.com -C cldb-node1,cldb-node2 -Z zk-node1,zk-node2
-N: Cluster Name

-C: CLDB nodes

-Z: ZooKeeper nodes

After that:

bash
Copy
Edit
cat /opt/mapr/conf/clusterid
→ You will now see the new Cluster ID!

Kong Konnect vs Kong Gateway

techhadoop Uncategorized
AspectKong Gateway (self-hosted)Kong Konnect (cloud SaaS)
DeploymentYou install and manage Kong yourself (VMs, Kubernetes, bare metal)Kong hosts the control plane; you run minimal “Data Planes”
UpgradesYou upgrade Kong manuallyKong handles upgrades for control plane automatically
ScalingYou manage scaling (HA, clustering)Kong auto-scales the Control Plane, you scale only Data Planes
SecurityYou manage certificates, patching, hardeningKong handles security for the control plane, you secure data planes
AnalyticsOptional, via your own Prometheus/Grafana, or Enterprise Edition AnalyticsBuilt-in with Konnect — real-time metrics, usage, dashboards
Admin GUIKong Manager on your VMCloud UI in Konnect (always updated)
Developer PortalHost and manage it yourselfCloud-hosted Developer Portal included
RBAC / Single Sign-On (SSO)Enterprise feature; you configure LDAP, OIDC yourselfNative SSO, multi-organization support
PricingLicense + cost of infrastructure + admin workSubscription pricing (includes hosting + support)
ReliabilityDepends on your HA setupKonnect is a SaaS SLA (uptime guaranteed)

Why choose Kong Konnect over self-managed Kong Gateway?

  • Faster to deploy: no need to install, configure, secure Control Plane.
  • Zero maintenance: no patching, backups, upgrades for control plane.
  • Global availability: Control Plane is multi-region by default.
  • Modern features: You get new Kong features faster (Konnect users get earlier access).
  • Built-in observability: native dashboards, logging, analytics ready.
  • Multi-tenant support: You can separate teams, apps, etc easily.
  • Reduced DevOps overhead: focus only on managing lightweight Data Planes.

JWTs and client certificates

techhadoop Uncategorized

Great question — JWTs and client certificates are both authentication methods, but they are not directly dependent on each other. They solve different security goals, and in some advanced setups, they can complement each other.

Let’s break it down:

🔄 JWT vs. Client Certificate — Purpose

FeatureJWTClient Certificate (mTLS)
TypeToken-based authenticationCertificate-based mutual TLS (mTLS)
Validated ByApplication / API Gateway (e.g., Kong)TLS handshake (mutual authentication)
AuthenticatesWho you are (user/app identity)What you are (trusted machine or client)
RevocationHard to revoke unless you use a blacklistCan be revoked by CRL or OCSP
Stateless✅ Yes, self-contained❌ No, cert revocation/status may require state
Setup ComplexityModerateHigher (requires PKI, CA, trust setup)

Kong Troubleshooting

techhadoop Uncategorized

Invalid status code received from the token endpoint” means Kong tried to exchange an authorization code for a token, but the PingFederate token endpoint replied with an error

302 Found:

  • Kong redirects the client to the authorization endpoint of PingFederate.
  • This is normal behavior during the initial OIDC flow (when no token is present).

401 Unauthorized (after redirect):

  • The client is redirected back to Kong with an authorization code.
  • Then Kong calls the token endpoint to exchange code → tokens.
  • But this step fails (e.g., bad client credentials, redirect URI mismatch, wrong token endpoint).
  • Result: 401 Unauthorized, often shown to the user after the browser returns from the IdP.

A 400 Bad Request from the OpenID Connect token endpoint usually means something is wrong with the request payload you’re sending. This often happens during a token exchange or authorization code flow.

Let’s troubleshoot it step by step:

🔍 Common Causes of 400 from Token Endpoint

  1. Invalid or missing parameters
    • Missing grant_type, client_id, client_secret, code, or redirect_uri
    • Using wrong grant_type (e.g., should be authorization_code, client_credentials, refresh_token, etc.)
  2. Mismatched or invalid redirect URI
    • Must match the URI registered with the provider exactly.
  3. Invalid authorization code
    • Expired or already used.
  4. Invalid client credentials
    • Bad client_id / client_secret
  5. Wrong Content-Type
    • The request should be: bashCopyEditContent-Type: application/x-www-form-urlencoded

To know why Ping returned 400, you need to:

  1. Check PingFederate logs – often shows detailed error like:

Invalid redirect_uri
Invalid client credentials
Unsupported grant_type

Kong is probably misconfigured or failing to capture the code from the redirect step before trying the token exchange.

This usually happens due to:

  • Misconfigured redirect_uri
  • Missing or misrouted callback handling (/callback)
  • Client app hitting the wrong route first
  • Kong OIDC plugin misconfigured (missing session_secret, or improper auth_methods)

Troubleshooting

Migrating from Kong Gateway to Kong Konnect

techhadoop Uncategorized

Migrating from Kong Gateway (self-managed/on-prem) to Kong Konnect (cloud-managed) involves a combination of:

  • Exporting your current Kong configuration
  • Translating any on-prem customizations or plugins
  • Importing services and routes into Konnect
  • Updating auth, plugins, and Dev Portal configuration
  • Re-pointing your traffic and observability tools

Here’s a step-by-step migration plan with optional tooling for automation:

Step 1: Inventory Your Current Kong Gateway

Start by identifying all current components:

  • Services
  • Routes
  • Plugins
  • Consumers & credentials
  • RBAC users & roles
  • Custom plugins (if any)
  • Certificates
  • Upstreams / Targets
  • Rate limiting or security policies

You can use:

deck dump --kong-addr http://<admin-api>:8001 --output-file kong-export.yaml

This uses decK, a declarative config tool for Kong.

Step 2: Set Up Kong Konnect

  1. Sign up for Kong Konnect
  2. Create a Runtime Group (this is where your data plane will connect)
  3. Install Kong Gateway (with Konnect mode) as the Data Plane: curl -O https://download.konghq.com/gateway-3.x-centos/Packages/k/kong-3.x.rpm Configure it with: yamlCopyEditrole: data_plane cluster_control_plane: <Konnect CP endpoint> cluster_telemetry_endpoint: <Telemetry CP endpoint>

Step 3: Translate & Import Configuration

Use decK to sync into Konnect:

bashCopyEditdeck sync --konnect-runtime-group <runtime-group-name> \
          --konnect-token <your-token> \
          --state kong-export.yaml

DecK v1.16+ supports direct Konnect import via --konnect flags.

Note: decK does not migrate:

  • RBAC user roles
  • Developer Portal assets (you’ll need to re-upload manually)
  • Custom plugins (must be re-implemented and built for Konnect if supported)

Step 4: Migrate Authentication & Plugins

  • Consumers / Auth: Recreate consumers in Konnect or use Konnect Dev Portal to register apps
  • Certificates: Re-upload any TLS certs to Konnect
  • Custom Plugins: Migrate only if they are supported on Kong Konnect. Otherwise, consider rewriting logic using Lua/Python and submit to Kong support if needed.

Step 5: Reconfigure Observability

Kong Konnect offers built-in integrations:

  • Logs: Datadog, HTTP log, Splunk (via plugin)
  • Metrics: Prometheus, Kong Vitals
  • Use the Konnect GUI or API to configure logging plugins

Step 6: Redirect Traffic to Konnect Runtime

  • Update DNS or Load Balancer to send traffic to new Konnect Data Plane IPs
  • Perform traffic shadowing/canary if needed

Final Step: Validation & Cutover

  • Smoke test all endpoints
  • Test rate limits, auth flows, consumer access
  • Validate logs and metrics collection
  • Disable/decommission legacy Kong Gateway only after validation

Databricks

techhadoop Uncategorized

Databricks is a cloud-based data platform built for data engineering, data science, machine learning, and analytics. It provides a unified environment that integrates popular open-source tools like Apache Spark, Delta Lake, and MLflow, and is designed to simplify working with big data and AI workloads at scale.

What Databricks Does

Databricks allows you to:

  • Ingest, clean, and transform large volumes of data
  • Run machine learning models and notebooks collaboratively
  • Perform interactive and batch analytics using SQL, Python, R, Scala, and more
  • Securely govern and share data across teams and workspaces

Core Components

ComponentDescription
Databricks WorkspaceYour development environment for notebooks, jobs, and clusters
ClustersScalable compute resources (based on Apache Spark)
Delta LakeOpen-source storage layer that adds ACID transactions and versioning to data lakes
Unity CatalogCentralized data governance and access control layer
MLflowManages the lifecycle of machine learning experiments, models, and deployments
JobsScheduled or triggered ETL pipelines and batch workloads
SQL WarehousesServerless SQL compute for BI and analytics workloads

Runs on Major Clouds

  • AWS
  • Microsoft Azure
  • Google Cloud

Use Cases

  • Data lakehouse architecture
  • ETL/ELT processing
  • Business intelligence and analytics
  • Real-time streaming data processing
  • Machine learning and MLOps
  • GenAI development using large language models

Quick Analogy:

Think of Databricks as a “data factory + AI lab + SQL analytics tool” all in one, built on top of scalable cloud compute and storage.