Skip to content
Kong Gateway 2.8 Increases Security and Simplifies API Management.  —Learn More →
|
search
decK
1.10.x
You are browsing documentation for an outdated version. See the latest documentation here.

decK and Kong Gateway (Enterprise)

All features of decK work with both Kong Gateway (OSS) and Kong Gateway.

For Kong Gateway, decK provides a few additional features leveraging the power of enterprise features.

Compatibility

decK is compatible with Kong Gateway 0.35 and above.

Entities managed by decK

decK manages only the core proxy entities in Kong Gateway. It doesn’t manage enterprise-only entities such as admins, RBAC permissions, RBAC roles, or any entities related to Dev Portal.

RBAC

You should have authentication and RBAC configured for Kong’s Admin API. Supply the RBAC token to decK so that decK can authenticate itself against the Admin API.

Use the --headers flag to pass the RBAC token to decK. For example, you can pass the token as a string:

deck diff --headers "kong-admin-token:<your-token>"

However, passing the token directly is not secure and should only be used for testing. The command and all of its flags are logged to your shell’s history file, potentially leaking the token.

For a more secure approach, you can store the token in a file and load the file as you execute the command. For example:

deck diff --headers "kong-admin-token:$(cat token.txt)"

You can also use the DECK_HEADERS environment variable to supply the same token with an environment variable.

It is advised that you do not use an RBAC token with super admin privileges with decK, and always scope down the exact permissions you need to give decK.

Workspaces

decK is workspace-aware, meaning it can interact with multiple workspaces.

Manage one workspace at a time

To manage the configuration of a specific workspace, use the --workspace flag with sync, diff, ping, dump, or reset. For example, to export the configuration of the workspace my-workspace:

deck dump --workspace my-workspace

If you do not specify a --workspace flag, decK uses the default workspace.

To set a workspace directly in the state file, use the _workspace parameter. For example:

_format_version: "1.1"
_workspace: default
services:
- name: example_service

Note: decK cannot delete workspaces. If you use --workspace or --all-workspaces with deck reset, decK deletes the entire configuration inside the workspace, but not the workspace itself.

Manage multiple workspaces

You can manage the configurations of all workspaces in Kong Gateway with the --all-workspaces flag:

deck dump --all-workspaces

This creates one configuration file per workspace, or applies one file to all workspaces.

Be careful when using this flag to avoid overwriting the wrong workspace. We recommend using the singular --workspace flag in most situations.