🛠️ Managing KONG Configurations in CI/CD with InterSystems IRIS IAM
🔍 Context: InterSystems IRIS IAM & Kong Gateway
As part of integrating InterSystems IRIS into a secure and controlled environment, InterSystems IRIS IAM relies on Kong Gateway to manage exposed APIs. Kong acts as a modern API Gateway, capable of handling authentication, security, traffic management, plugins, and more.
However, maintaining consistent Kong configurations (routes, services, plugins, etc.) across different environments (development, testing, production) is a major challenge. This is where tools like deck and this Python script become highly valuable.
⚙️ Overview of kong_config_tool.py
This tool allows you to:
- Export the current configuration of a KONG Gateway into a versionable YAML file.
- Import a YAML configuration into a KONG Gateway (via deck sync).
- Automate full logging (logs, stdout/stderr) for accurate tracking.
- Easily integrate into a CI/CD pipeline.
🎯 Goals and Benefits
🔄 Consistent Synchronization Across Environments
The tool simplifies propagating KONG configuration between environments. By exporting from dev and importing into staging or prod, you ensure functional parity.
🔐 Traceability and Audits via Logs
With the --log option, all operations (including internal deck commands) are logged:
- Who executed what
- What configuration was applied
- What was Kong’s response (number of resources created, modified, etc.)
🧪 CI/CD Pipeline Integration
In GitLab CI, GitHub Actions, or Jenkins:
- The export step can be triggered automatically after API changes.
- The import step can deploy the Kong config on every merge or release.
- The generated YAML files can be version-controlled in Git.
🧰 Example GitLab Pipeline
stages:
  - export
  - deploy

export_kong:
  stage: export
  script:
    - python3 kong_config_tool.py --export --log export.log
  artifacts:
    paths:
      - kong.yaml
      - export.log

deploy_kong:
  stage: deploy
  script:
    - python3 kong_config_tool.py --import --log deploy.log
🛡️ Security and Reproducibility
Since InterSystems IRIS IAM is often used in sensitive environments (healthcare, finance...), it’s essential to:
- Avoid manual errors using deck sync
- Ensure each deployment applies the exact same configuration
- Maintain a clear audit trail via .log files
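Because the exported kong.yaml is meant to be committed to Git, and a decK dump carries consumer credentials alongside routes and services, one check worth running before a commit is whether any credential is stored as a literal. This is an added example, not part of kong_config_tool.py. It assumes decK's file layout for consumer credentials and its ${{ env "DECK_..." }} references; the function name and the sample are constructed.

```python
import re

# Credential lists decK writes under a consumer, and the secret field of each.
SECRET_FIELDS = {
    "keyauth_credentials": {"key"},
    "basicauth_credentials": {"password"},
    "hmacauth_credentials": {"secret"},
    "jwt_secrets": {"secret"},
    "oauth2_credentials": {"client_secret"},
}
LINE = re.compile(r'^(\s*)(-\s+)?([A-Za-z0-9_]+):\s*(.*)$')
# decK fills ${{ env "DECK_..." }} references from the environment at sync time.
ENV_REF = re.compile(r'\$\{\{\s*env\s+"DECK_[A-Za-z0-9_]+"\s*\}\}')

def find_literal_credentials(yaml_text):
    """Return (line_no, section, field) for each secret stored as a literal."""
    findings, section, section_indent = [], None, -1
    for line_no, raw in enumerate(yaml_text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:
            continue
        indent, is_item = len(m.group(1)), m.group(2) is not None
        name, value = m.group(3), m.group(4).strip()
        # decK output places list items at the parent key's indent.
        if section and not (indent > section_indent
                            or (is_item and indent == section_indent)):
            section = None
        if name in SECRET_FIELDS and not value:
            section, section_indent = name, indent
        elif (section and name in SECRET_FIELDS[section]
              and value and not ENV_REF.search(value)):
            findings.append((line_no, section, name))
    return findings

# Constructed sample in decK file format; every value here is made up.
SAMPLE = """\
consumers:
- username: alice
  keyauth_credentials:
  - key: constructed-api-key
  basicauth_credentials:
  - username: alice
    password: ${{ env "DECK_ALICE_PASSWORD" }}
- username: bob
  jwt_secrets:
  - key: bob-issuer
    secret: constructed-jwt-secret
"""
```

A non-empty result can fail the export job before anything is committed; dumping with deck's --skip-consumers flag keeps consumers and their credentials out of the file altogether.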
💡 Tool Highlights
| Feature | Description |
| --- | --- |
| --export | Saves the current config to a file like kong-<timestamp>.yaml |
| --import | Applies the contents of kong.yaml to the Gateway |
| --log | Enables full logging (stdout, stderr, logs) |
| Automatic Symlink | kong.yaml is always a symlink to the latest exported version |
| Easy Integration | No heavy dependencies — relies on standard Python and deck |
📦 Conclusion
The kong_config_tool.py script is a key component for industrializing KONG configuration management in the context of InterSystems IRIS IAM. It enables:
- Better configuration control
- Enhanced traceability
- Smooth integration into CI/CD pipelines
- Compliance with security requirements
🚀 Potential Future Enhancements
- Native GitOps integration (ArgoCD, FluxCD)
- Configuration validation with deck diff
- Error notifications (Slack, Teams)
🧬 Python Code Overview
The kong_config_tool.py script is a Python CLI tool designed to automate configuration exports and imports for KONG Gateways using deck, while ensuring robust logging.
📁 General Structure
#!/usr/bin/env python3
import argparse
import subprocess
from datetime import datetime
from pathlib import Path
import sys
import logging
- Uses only standard Python modules.
- argparse: to handle command-line options.
- subprocess: to run deck commands.
- logging: for structured output (console + file).
🧱 Logger Initialization
logger = logging.getLogger("kong_config_tool")
- Initializes a named logger, configurable based on whether a log file is requested.
📝 setup_logging(log_file=None)
This function:
- Creates handlers for the console and, when a log file is requested, for the file.
- Redirects sys.stdout and sys.stderr to the log file if --log is provided.
🔎 This captures everything: Python logs, print(), errors, and also output from deck.
📤 export_kong_config()
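# Timestamp format inferred from the example file name kong-2025-07-18_12-34-56.yaml
timestamp = datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
deck_dir = Path.cwd()
output_file = deck_dir / f"kong-{timestamp}.yaml"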
- Executes deck gateway dump -o ... to export the current configuration.
- Captures stdout and stderr and sends them to logger.debug(...).
- Creates or updates a kong.yaml symlink pointing to the exported file — simplifying future imports.
- Logs and exits on failure.
📥 import_kong_config()
- Checks for the presence of the kong.yaml file (symlink or actual file).
- Runs deck gateway sync kong.yaml.
- Captures and logs full output.
- Handles errors via CalledProcessError.
🔁 This logic mirrors the export process.
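The export and import steps described above, written out as an added example; this is not the code of kong_config_tool.py itself. The injectable run parameter and the kong.yaml.tmp name are assumptions made here so the functions can be exercised without a gateway, and the timestamp format is inferred from the file name shown on this page.

```python
import logging
import os
import subprocess
from datetime import datetime
from pathlib import Path

logger = logging.getLogger("kong_config_tool")


def export_kong_config(deck_dir, run=subprocess.run):
    """Dump the gateway to kong-<timestamp>.yaml and repoint kong.yaml at it."""
    deck_dir = Path(deck_dir)
    timestamp = datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
    output_file = deck_dir / f"kong-{timestamp}.yaml"
    # Argument list with no shell: the file name is never shell-interpreted.
    # check=True raises CalledProcessError on a non-zero exit; the caller
    # decides how to log it and which exit code the CI job gets.
    result = run(["deck", "gateway", "dump", "-o", str(output_file)],
                 check=True, capture_output=True, text=True)
    logger.debug("deck stdout: %s", result.stdout)
    logger.debug("deck stderr: %s", result.stderr)
    # Create the new link under a temporary name, then rename it over
    # kong.yaml. The rename is atomic, so an import running at the same
    # moment never finds kong.yaml missing.
    tmp_link = deck_dir / "kong.yaml.tmp"
    tmp_link.unlink(missing_ok=True)
    tmp_link.symlink_to(output_file.name)
    os.replace(tmp_link, deck_dir / "kong.yaml")
    return output_file


def import_kong_config(deck_dir, run=subprocess.run):
    """Sync kong.yaml to the gateway; return True on success, False otherwise."""
    state = Path(deck_dir) / "kong.yaml"
    if not state.exists():  # also False when the symlink is dangling
        logger.error("kong.yaml not found in %s", deck_dir)
        return False
    try:
        result = run(["deck", "gateway", "sync", str(state)],
                     check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        logger.error("deck sync failed (exit %s): %s", exc.returncode, exc.stderr)
        return False
    logger.debug("deck output: %s%s", result.stdout, result.stderr)
    return True
```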
🚀 main()
The main entry point that:
- Handles --export, --import, and --log arguments.
- Calls the appropriate functions.
Example usage:
python kong_config_tool.py --export --log export.log
python kong_config_tool.py --import --log import.log
💡 If --log is omitted, output goes to console only.
🧪 Typical CI/CD Execution
Export
python kong_config_tool.py --export --log export.log
Results:
- kong-2025-07-18_12-34-56.yaml (versionable content)
- kong.yaml (useful symlink for import)
- export.log (audit log)
Import
python kong_config_tool.py --import --log import.log
Results:
- Applies the configuration to a new gateway (staging, prod, etc.)
- import.log to prove what was done
✅ Code Summary Table
| Feature | Implementation |
| --- | --- |
| Intuitive CLI Interface | argparse with help descriptions |
| Clean Export | deck gateway dump + timestamp |
| Controlled Import | deck gateway sync kong.yaml |
| Full Logging | logging + stdout/stderr redirection |
| Resilience | Error handling via try/except |
| CI/CD Ready | Simple interface, no external dependencies |
Let me know if you'd like the English version of the actual code too!