Deck CLI

decK is a command-line tool developed for API lifecycle automation (APIOps). It allows developers and operations teams to manage APIs from development to deployment, ensuring consistency, reliability, and speed in API integration.

decK commands have the following features and characteristics:

  • Export (Backup) Export existing Kong configuration to a YAML configuration file

  • Import (Restore) Apply Kong configuration using exported or hand-written configuration files

  • Diff and Sync decK can compare the configuration in the file with the configuration in Kong’s DB and synchronize them. It can also detect configuration differences

  • Reverse Sync If there is a configuration in Kong’s DB that is not in the file, it can also sync back to the file

  • Validation Validate configuration file syntax errors

  • Reset Delete all entities in Kong’s database

  • Parallel Operations Calls to Kong’s Admin API are executed in parallel, using multiple threads to speed up the sync process

  • Authentication with Kong You can access Kong that requires authentication by adding authentication information to the HTTP header in the form --headers Kong-Admin-Token:test

  • Manage Kong configuration with multiple files You can split Kong configuration into multiple files based on a set of shared tags between entities

  • Automated configuration management decK is designed as part of a CI pipeline, not only pushing configuration to Kong but also detecting configuration drift

Below are examples for each subcommand

Preparation

The following Kong configuration file is used as a base. There is one Service and one Route.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

_format_version: "3.0"
services:
- host: httpbin.org
  name: uuid-generator
  path: /
  protocol: http
  routes:
  - name: uuid-generator
    paths:
    - ~/uuid$
    strip_path: false

deck gateway ping

First, check connectivity with ping

1
2
3

deck gateway ping --headers Kong-Admin-Token:test
Successfully connected to Kong!
Kong version:  3.4.3.5

If you do not specify the location of Kong’s Admin API, it will connect to localhost:8001 by default. If you want to check connectivity to a non-local Kong, specify the address with --kong-addr.

1
2
3

deck gateway ping --kong-addr http://18.178.66.113:8001 --headers Kong-Admin-Token:test
Successfully connected to Kong!
Kong version:  3.4.3.5

deck gateway validate

Check the syntax of the configuration file. If there are no problems, nothing is output, but if there is a syntax error, the line number and error details are displayed. This command connects to the Kong Admin API for validation. It takes some time, but can catch serious errors. If you only want to validate a local file, use deck file validate. No changes are made to Kong’s DB during validation.

1
2
3

deck gateway validate kong.yaml --headers Kong-Admin-Token:test
Error: 1 errors occurred:
  reading file kong.yaml: validating file content: unmarshaling file content: error converting YAML to JSON: yaml: line 7: could not find expected ':'

deck gateway sync

Apply the above configuration file to Kong Gateway. By default, it reads the configuration from standard input.

1
2
3
4
5
6
7

$ cat kong.yaml | deck gateway sync --headers Kong-Admin-Token:test
creating service uuid-generator
creating route uuid-generator
Summary:
  Created: 2
  Updated: 0
  Deleted: 0

deck gateway diff

After updating the file, run deck gateway diff to check the difference between the configuration in Kong’s DB and the file.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

$ sed -i 's/protocol: http/protocol: https/g' kong.yaml
$ deck gateway diff kong.yaml --headers Kong-Admin-Token:test
updating service uuid-generator  {
   "connect_timeout": 60000,
   "enabled": true,
   "host": "httpbin.org",
   "id": "033e20b1-9a83-4f80-a75e-ee4f9b354676",
   "name": "uuid-generator",
   "path": "/",
   "port": 80,
-  "protocol": "http",
+  "protocol": "https",
   "read_timeout": 60000,
   "retries": 5,
   "write_timeout": 60000
 }

Summary:
  Created: 0
  Updated: 1
  Deleted: 0

If you want to apply the file configuration, run deck gateway sync again.

deck gateway dump

If you want to reflect the configuration in the DB back to the file, or take a backup, use dump. After that, run diff again to confirm that the DB configuration has been reflected in the file.

1
2
3
4
5
6
7
8

$ deck gateway dump -o kong.yaml --headers Kong-Admin-Token:test
File 'kong.yaml' already exists. Do you want to overwrite it? yes

$ deck gateway diff kong.yaml --headers Kong-Admin-Token:test
Summary:
  Created: 0
  Updated: 0
  Deleted: 0

deck gateway reset

Delete all configuration in Kong’s DB.

1
2
3
4
5
6
7
8
9

deck gateway reset --headers Kong-Admin-Token:test
This will delete all configuration from Kong's database.
> Are you sure? yes
deleting route uuid-generator
deleting service uuid-generator
Summary:
  Created: 0
  Updated: 0
  Deleted: 2

deck file mainly handles operations related to Kong configuration files.

deck file validate

Similar to deck gateway validate, but only checks local file syntax without communicating with the Kong Admin API, so it is faster.

1
2
3

deck file validate kong.yaml
Error: 1 errors occurred:
  reading file kong.yaml: validating file content: unmarshaling file content: error converting YAML to JSON: yaml: line 7: could not find expected ':'

deck file kong2kic

Convert Kong configuration files for use with Kubernetes. For example, using the following kong.yaml configuration file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

_format_version: "3.0"
services:
- connect_timeout: 60000
  enabled: true
  host: httpbin.org
  name: uuid-generator
  path: /
  port: 80
  protocol: http
  read_timeout: 60000
  retries: 5
  routes:
  - https_redirect_status_code: 426
    name: uuid-generator
    path_handling: v0
    paths:
    - ~/uuid$
    preserve_host: false
    protocols:
    - http
    - https
    regex_priority: 0
    request_buffering: true
    response_buffering: true
    strip_path: false
  write_timeout: 60000

HTTPRoute + Service (Default)

To generate HTTPRoute + Service resources, run the following command:

1

deck file kong2kic -s kong.yaml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  annotations:
    konghq.com/https-redirect-status-code: "426"
    konghq.com/path-handling: v0
    konghq.com/preserve-host: "false"
    konghq.com/regex-priority: "0"
    konghq.com/request-buffering: "true"
    konghq.com/response-buffering: "true"
    konghq.com/strip-path: "false"
  name: uuid-generator-uuid-generator
spec:
  parentRefs:
  - name: kong
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/connect-timeout: "60000"
    konghq.com/path: /
    konghq.com/protocol: http
    konghq.com/read-timeout: "60000"
    konghq.com/retries: "5"
    konghq.com/write-timeout: "60000"
  name: uuid-generator
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: uuid-generator
---

Ingress + Service

To generate Ingress + Service resources, add the –ingress option and run the command.

1

deck file kong2kic -s kong.yaml --ingress

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    konghq.com/https-redirect-status-code: "426"
    konghq.com/path-handling: v0
    konghq.com/preserve-host: "false"
    konghq.com/protocols: http,https
    konghq.com/regex-priority: "0"
    konghq.com/request-buffering: "true"
    konghq.com/response-buffering: "true"
    konghq.com/strip-path: "false"
  name: uuid-generator-uuid-generator
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - backend:
          service:
            name: uuid-generator
            port:
              number: 80
        path: /~/uuid$
        pathType: ImplementationSpecific
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/connect-timeout: "60000"
    konghq.com/path: /
    konghq.com/protocol: http
    konghq.com/read-timeout: "60000"
    konghq.com/retries: "5"
    konghq.com/write-timeout: "60000"
  name: uuid-generator
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: uuid-generator
---

deck file openapi2kong

Convert OpenAPI specifications (OAS) to Kong configuration files. For example, using the following OAS file, which includes not only Service and Route but also Plugin.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

openapi: 3.0.0
tags:
  - description: Creates a random UUID and returns it in a JSON structure
    name: Generate UUID
  - description: Returns a delayed response (max of 10 seconds).
    name: Delayed Response
info:
  contact:
    email: [email protected]
    url: https://konghq.com/
  description: A simple service returning a UUID based on https://httpbin.org
  title: UUID generator based on httpbin.org
  version: 1.0.8
paths:
  /uuid:
    get:
      operationId: uuid
      summary: Return a UUID.
      description: Return a UUID
      responses:
        "200":
          description: A UUID4.
      tags:
        - Generate UUID
    x-kong-plugin-rate-limiting:
      enabled: true
      config:
        minute: 5
    x-kong-plugin-proxy-cache:
      enabled: true
      config:
        strategy: memory

servers:
  - url: https://httpbin.org/

You can convert it in one shot with the following command. The plugin settings are also converted properly.

1

deck file openapi2kong -s openapi.yaml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

_format_version: "3.0"
services:
- host: httpbin.org
  id: 50f943d2-3299-5315-adf6-7da92729c8ce
  name: uuid-generator-based-on-httpbin-org
  path: /
  plugins: []
  port: 443
  protocol: https
  routes:
  - id: c58bf17c-dfd9-544d-965b-cc3e26be87f1
    methods:
    - GET
    name: uuid-generator-based-on-httpbin-org_uuid
    paths:
    - ~/uuid$
    plugins:
    - config:
        strategy: memory
      enabled: true
      id: fc364f07-919d-5fd5-b9fe-ac6540848e4f
      name: proxy-cache
      tags: []
    - config:
        minute: 5
      enabled: true
      id: ff5cb72c-3698-5403-9420-3beb6c2fb26c
      name: rate-limiting
      tags: []
    regex_priority: 200
    strip_path: false
    tags: []
  tags: []
upstreams: []

deck file add-plugins

Add plugin definitions to a Kong configuration file.

For the usual configuration below:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

_format_version: "3.0"
services:
- host: httpbin.org
  name: uuid-generator
  path: /
  port: 80
  protocol: http
  routes:
  - name: uuid-generator
    paths:
    - ~/uuid$
    strip_path: false

If you run the following command, as written with --selector='services[*]', the plugin defined with --config will be added to all Services. If you change the --selector expression to ='route[*]', the plugin will be added to all Routes.

1

cat kong.yaml | deck file add-plugins --selector='services[*]' --config='{"plugins":[{"config":{"strategy":"memory"},"enabled":true,"name":"proxy-cache"}]}'

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

_format_version: "3.0"
services:
- host: httpbin.org
  name: uuid-generator
  path: /
  plugins:
  - plugins:
    - config:
        strategy: memory
      enabled: true
      name: proxy-cache
  port: 80
  protocol: http
  routes:
  - name: uuid-generator
    paths:
    - ~/uuid$
    strip_path: false

With the above method, since --selector and --config are all written on the command line, the command itself becomes long. You can also save these two parameters to a file and apply them. For example, save the following content to a JSON file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

{ "_format_version": "1.0",
 "add-plugins": [
   { "selectors": [
      "service[*]"
     ],
     "overwrite": false,
     "plugins": [
       { "name": "proxy-cache",
         "config": {
           "strategy": "memory"
         }
       }
      ]
   }
 ]
}

Then, add this file after add-plugins, and the plugin will be appended to the configuration content from STDIN.

1

cat kong.yaml | deck file add-plugins proxy-cache.json

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

_format_version: "3.0"
services:
- host: httpbin.org
  name: uuid-generator
  path: /
  plugins:
  - config:
      strategy: memory
    name: proxy-cache
  port: 80
  protocol: http
  routes:
  - name: uuid-generator
    paths:
    - ~/uuid$
    strip_path: false

There are still more subcommands, but I’ll stop here for the first half.

  • deck file add-tags - Add tags to objects in a decK file
  • deck file convert - Convert files from one format into another format
  • deck file lint - Validate a file against a ruleset
  • deck file list-tags - List current tags from objects in a decK file
  • deck file merge - Merge multiple decK files into one
  • deck file namespace - Apply a namespace to routes in a decK file by prefixing the path.
  • deck file patch - Apply patches on top of a decK file
  • deck file remove-tags - Remove tags from objects in a decK file
  • deck file render - Combines multiple complete configuration files and renders them as one Kong declarative config file.