End-to-end connectivity platform
Universal service mesh
Empower your developers
Manage all your services
Autonomously identify issues
Native Kubernetes Ingress Controller
Instantly implement policies
Monitor your Kong Enterprise
API Design and Testing
Ingress and CRDs
Kong Gateway and Enterprise features
Accelerate your journey into microservices
Empower teams to provide security, governance and
Rapidly design, publish and consume APIs and services
Take control of your microservices with the world’s most
popular API gateway
Own your Kubernetes cluster by using Kong as an Ingress
Build, secure and observe your modern Service Mesh
decK helps manage Kong’s configuration in a declarative fashion. It can sync
configuration to a running Kong cluster, diff configuration to detect any drift
or manual changes and backup your Kong’s configuration. It also can manage Kong’s
configuration in a distributed way using tags, helping you split Kong’s
configuration across various teams.
Here is an introductory screencast explaining decK:
Export: Export Kong configuration to a YAML configuration file.
This feature is especially useful for backing up Kong’s configuration.
Import: Populate Kong’s database using a previously exported or
manually written configuration file.
Diff and sync capabilities: decK can diff the configuration between the
provided configuration file and Kong’s database, then sync the configs based on
the diff. This feature is particularly useful for detecting config drifts or
Reverse sync: decK also supports sync in the opposite direction, meaning
that if an entity is created in Kong and isn’t added to the config file,
decK will detect the change.
Validation: decK can validate YAML files that you backup or modify to
catch errors early on.
Reset: decK can completely reset Kong’s database by deleting all entities.
Parallel operations: All Admin API calls to Kong are executed in parallel
using multiple threads to speed up the sync process.
Authentication with Kong: Custom HTTP headers can be injected in requests
to Kong’s Admin API for authentication or authorization purposes.
Manage Kong’s config with multiple config files: Split your configuration
into multiple logical files based on a shared set of tags amongst entities.
Designed to automate configuration management: decK is designed to be part
of your CI pipeline, where it can push configuration to Kong and detect drifts
decK is compatible with Kong Gateway >= 1.x and
Kong Enterprise >= 0.35.
The command line --help flag on the main command or a subcommand (like diff,
sync, reset, etc.) shows the help text along with supported flags for those
A list of all commands that are available in decK can be found
You can find answers to FAQs here.
Harry Bagdi gave a talk on motivation behind decK and demonstrated a few key
features of decK at Kong Summit 2019. The following is a recording of that session:
The changelog can be found in the
decK is licensed with Apache License Version 2.0.
Please read the
LICENSE file for more details.
decK does not offer to secure your Kong deployment but only configures it.
It encourages you to protect your Kong’s Admin API with authentication but
doesn’t offer such a service itself.
decK’s state file can contain sensitive data such as private keys of
certificates, credentials, etc. It is left up to the user to manage
and store the state file in a secure fashion.
If you believe that you have found a security vulnerability in decK, please
submit a detailed report, along with reproducible steps
to Harry Bagdi (email address is first name last name At gmail Dot com).
I will try to respond in a timely manner and will really appreciate it you
report the issue privately first.
One of the design goals of decK is deliver a good developer experience to you.
Part of it is getting the required help when you need it.
To seek help, use the following resources:
If you believe you have run into a bug with decK, please open
a Github issue.
If you think you’ve found a security issue with decK, please read the