DEV Community: Sudhakar Daggubati

open-source API gateway solutions and their managed offerings.

Sudhakar Daggubati — Fri, 27 Sep 2024 14:48:14 +0000

Kong and APISIX, two popular open-source #APIGateway solutions. #kong looks versatile Unified Gateway but how it fares against #APISIX backed by a similar enterprise API7 offering.

Key Features:

API Gateway and API Management
Plugin architecture
NGINX-based
Config management
Seamless Kubernetes integration
Security

Differentiation:

AI Gateway: Only Kong offers an AI gateway, leveraging AI for tasks like traffic management and anomaly detection.
Performance: API7 claims superior performance, but real-world benchmarks may vary.
Cost: Self-hosting Kong can be cost-effective, SaaS offering pricing are complex, its better to check the fine print and usage patterns Pricing Models
Service Mesh: Kong uses Envoy, while API7 uses Istio (which also uses Envoy).
Cloud Costs: Running AI and API gateways at scale in the cloud can be expensive, Network design, workload pattern and application architecture going to play a critical role in how costly its going to be.

Choosing the Right API Gateway:

APISIX(API7): If performance and native service mesh capabilities are your primary concerns, then API7 might be a good choice. While #APISIX is a top #CNCF project and cloud-native with its out-of-the-box plugins, API7's focus on performance and service mesh integration is a compelling factor.

Kong: if that #AIGateway is exiting, in-house team is capable and priority is for long standing community support and self management then considering kong is advisable; you could self mange or opt for enterprise option.

The best choice between Kong and APISIX depends on organizational inclinations and specific requirements, including the need for AI integration, performance demands, and budget constraints. Carefully evaluate your needs and consider the strengths and weaknesses of each platform to make an informed decision.

Considering both are open source in nature/base and a big community driving the adoption, over a period of time, feature coverage would eventually catch-up, so better to be cost & performance conscious when choosing the gateway. Watch out those pricing models; getting on is easy but not getting off :-)

PlatformEngineering

Automating DNS with Confidence: Terraform + DNScontrol

Sudhakar Daggubati — Mon, 23 Sep 2024 15:09:55 +0000

A split origin DNS setup with multi origin and multi subscription creating route via a gateway subnet is complex

Its even more challenging to keep it running smoothly and not to break things inadvertently; it's not a joke when people say its all DNS :-)

Terraform can automate most of this infra at scale but one aspect that it lacks is management of DNS in a complex setup in which one often need additional capabilities to test and validate before plan is applied.

There are multiple scenarios in which lack of this capability makes it hard to customize DNS and do not get into troubles.

Temporary zone and validate before apply

Use terraform to create temporary DNS zone
Use curl or https://httpie.io/ to validate the DNS entries
this setup ensures DNS changes are tested and impact is known
- Each provider has their own SDK, format that they support and API; for example terraform has no zone file import while azure does besides integration tests are non exist and complex to craft, mostly simple nslookup validation.

Combination of native DNS mgmt + Terraform

DNScontrol and Terraform are both powerful tools for managing DNS records, but they have different capabilities and use cases. Let's use them together to make a DNS management predictable and fault proof.

Designed specifically for DNS: DNScontrol is tailored for DNS management, offering features and integrations that are optimized for DNS-related tasks.
Flexibility: It provides a high level of flexibility, allowing you to define DNS records using various formats (e.g., YAML, JSON) and supports a wide range of DNS providers.

You could leave whole DNS management to DNSControl or use it for complex validations and DNS records mgmt and use AZ CLI to export and import in a CI/CD task with necessary approval flows +/- terraform.

kyverno-json; to extend kyverno policy rules framework beyond K8S resources

Sudhakar Daggubati — Wed, 14 Aug 2024 11:06:57 +0000

kyverno is a powerful policy engine for #Kubernetes artifacts governance, What if you need to extend same capabilities beyond Kubernetes resources?

Check kyverno-json, it is natural extension when one already having #kyverno as policy engine for #k8s governance.

Exploring as we got a config driven PaaS infra setup,by extending existing policy coverage to other configuration items and at plan stage itself and as a pipeline, we hope to minimize config induced errors.

Kyverno-json bridges the gap by allowing you to apply Kyverno policies to validate any JSON or YAML data. This opens doors to validating:

Terraform files: Ensure your infrastructure configurations adhere to best practices and security guidelines.
Dockerfiles: Validate image builds for compliance and prevent potential vulnerabilities.
Cloud configurations: Maintain consistency and avoid errors across your cloud infrastructure.
Authorization requests: Enforce granular access control at the request level.

Beyond Deployment-Time Validation:

With kyverno-json, validation extends beyond deployment time:

DevOps Pipelines: Integrate seamlessly into your DevOps pipelines for continuous validation.
Pre-commit hooks: Enforce validation before code commits, catching errors early in the development cycle.
Atlantis (Terraform PR Automation): Enhance your Terraform pull request automation with robust validation capabilities., atlantis also doubles up as self service tool for developers.
Makefiles: Utilize kyverno-json in your makefiles for streamlined validation as part of your build process.

Terraform plan can be validated taking its JSON output and passing to CLI when complex validation is required.

Terraform input validation is limited, kyverno-json covers a lot more with JMESPath ; a query language for JSON.