There are 3 scripts/actions;
This script will pull the internal Kong test license from 1Password/Pulp and store it locally.
The intent is to store a single company wide test license, short lived, in 1Password/Pulp. And make it easy for everyone to update the local license they use, whilst being able to do rotation of the license on a regular basis.
It will also set the environment variable KONG_LICENSE_DATA
whenever you open
up a new terminal, so it is easy to pass to Kong. 10 days before the license
expires it will start printing warnings, accompanied by the proper update
command.
Before continuing, make sure you have access to the "Shared" vault in 1Password. You can request access to this vault via the #it
Kong slack channel. There is an example request here that can be referenced if it's not clear what is being requested from the IT team.
Note that if you have configured your local 1Password with biometric security (e.g. Apple Face ID), this is not supported by the license script. You will have to add your accounts to the 1Password CLI tool manually.
- Install dependencies:
- Install
jq
, see https://stedolan.github.io/jq/ - Install 1Password CLI tools, see 1Password CLI
- Install
- Make sure you did the initial sign-in, see 1Password instructions
- Clone this git repo
- Run
make install
from the repo - Run
~/.local/bin/license
from the command line, this will initiate the initial update - When asked enter your 1Password credentials
- Done! You now have the latest license data from 1Password/Bintray
Utility to automatically set the Kong Enterprise license
environment variable 'KONG_LICENSE_DATA' from 1Password.
Usage:
~/.local/bin/license [--help | --no-update | --update | --clean]
--update : force update a non-expired license
--no-update : do not automatically try to update an expired license
--clean : remove locally cached license file
--help : display this help information
For convenience you can add the following to your bash profile:
source ~/.local/bin/license --no-update
When running the script, it will start printing a warning 10 days before the license expires.
If you want to use the exported KONG_LICENSE_DATA
environment variable,
then you cannot just run the script, but MUST use source
to execute it.
source ~/.local/bin/license
It is probably best to add the following line to your bash/zsh profile:
source ~/.local/bin/license --no-update
The auto-license.sh
script will download the Kong license file given a Pulp
password, and pass it to stdout
. The script will take the Pulp password either
via stdin
or from the environment variable PULP_PASSWORD
.
The PULP_USERNAME
environment variable is optional, and will default to
admin
.
Note that this just exchanges one secret problem (the license) for another (the Pulp password), but in many cases the latter is already available, and in those cases this helps prevent having yet another secret.
Example use:
# assumes PULP_PASSWORD is set
git clone --depth=1 --single-branch https://github.com/Kong/kong-license.git
export KONG_LICENSE_DATA=$(./kong-license/auto-license.sh)
# assumes the Pulp password is stored in THE_PASSWORD
git clone --depth=1 --single-branch https://github.com/Kong/kong-license.git
export KONG_LICENSE_DATA=$(./kong-license/auto-license.sh <<< "$THE_PASSWORD")
The Github action in this repo will fetch a license provided the Pulp credentials
are available. To do this it uses the Automation script under
the hood. The action output will be the Kong License. The license will also be
exported as the KONG_LICENSE_DATA
environment variable for follow up steps.
The license signature will be masked in the log output.
Here's how to use the action:
steps:
- uses: Kong/kong-license@master
id: getLicense
with:
# The password is required
password: ${{ secrets.PULP_PASSWORD }}
# The username defaults to "admin"
#username: ${{ secrets.PULP_USERNAME }}
In any follow up step, requiring the Kong license, it can be added like this:
steps:
- run: kong start
shell: bash
env:
#KONG_LICENSE_DATA has been set by the license-action
MY_LICENSE: ${{ steps.getLicense.outputs.license }}
The shortest version relying on defaults and environment variables being set:
steps:
- uses: Kong/kong-license@master
with:
password: ${{ secrets.PULP_PASSWORD }}
- run: kong start
shell: bash
There should be no need to update it, as an automated job runs to do this on every 10th day of the month. The job generates a license valid until the 20th of the next month.
The job is an internal Jenkins job named; kong-gateway-license-update
. In case of failures, first remedy is to restart the job.
To update the license in Pulp, the release_scripts Docker image can be used
docker run -e PULP_USERNAME="<username>" \
-e PULP_PASSWORD="<password>" \
-e PULP_HOST="https://api.pulp.konnect-prod.konghq.com" \
-v ${PWD}/license.json:/license.json:ro \
-it kong/release-script \
--package-type license \
--file /license.json
Note: Credentials for the production Pulp API can be obtained in 1Password shared vault.
If you see an error similar to the following:
[ERROR] 2021/03/16 08:59:05 "c5jg2oc6wzg6ffs2awxeohrnmm" isn't an item in any vault.
This means that you don't have access to the shared vault in 1Password. See above for more information on how to get the necessary access.