Skip to content
|
search
Kong Gateway
3.1.x
You are browsing documentation for an outdated version. See the latest documentation here.

Vitals with InfluxDB

Leveraging a time series database for Vitals data can improve request and Vitals performance in very-high traffic Kong Enterprise clusters (such as environments handling tens or hundreds of thousands of requests per second), without placing additional write load on the database backing the Kong cluster.

For information about using Kong Vitals with a database as the backend, refer to Kong Vitals.

Set up Kong Vitals with InfluxDB

Install Kong Gateway

If you already have a Kong Gateway instance, skip to deploying a license.

If you have not installed Kong Gateway, a Docker installation will work for the purposes of this guide.

Pull the Kong Gateway Docker image

  1. Pull the following Docker image.

     docker pull kong/kong-gateway:3.1.1.3-alpine

    Some older Kong Gateway images are not publicly accessible. If you need a specific patch version and can’t find it on Kong’s public Docker Hub page, contact Kong Support.

    You should now have your Kong Gateway image locally.

  2. Tag the image.

     docker tag kong/kong-gateway:3.1.1.3-alpine kong-ee

Start the database and Kong Gateway containers

  1. Create a custom network to allow the containers to discover and communicate with each other.

     docker network create kong-ee-net

  2. Start a PostgreSQL container:

     docker run -d --name kong-ee-database \
   --network=kong-ee-net \
   -p 5432:5432 \
   -e "POSTGRES_USER=kong" \
   -e "POSTGRES_DB=kong" \
   -e "POSTGRES_PASSWORD=kong" \
   postgres:9.6

  3. Prepare the Kong database:

    docker run --rm --network=kong-ee-net \
   -e "KONG_DATABASE=postgres" \
   -e "KONG_PG_HOST=kong-ee-database" \
   -e "KONG_PG_PASSWORD=kong" \
   -e "KONG_PASSWORD=
    {PASSWORD}
    " \
   kong-ee kong migrations bootstrap

  4. Start the gateway with Kong Manager:

    Important: The settings below are intended for non-production use only, as they override the default admin_listen setting to listen for requests from any source. Do not use these settings in environments directly exposed to the internet.


    If you need to expose the admin_listen port to the internet in a production environment,

    secure it with authentication.

    docker run -d --name kong-ee --network=kong-ee-net \
   -e "KONG_DATABASE=postgres" \
   -e "KONG_PG_HOST=kong-ee-database" \
   -e "KONG_PG_PASSWORD=kong" \
   -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
   -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
   -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
   -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
   -e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
   -e "KONG_ADMIN_GUI_URL=http://
    {DNSorIP}
    :8002" \
   -e "KONG_VITALS_STRATEGY=influxdb" \
   -e "KONG_VITALS_TSDB_ADDRESS=influxdb:8086" \
   -p 8000:8000 \
   -p 8443:8443 \
   -p 8001:8001 \
   -p 8444:8444 \
   -p 8002:8002 \
   -p 8445:8445 \
   -p 8003:8003 \
   -p 8004:8004 \
   kong-ee

    Note: For KONG_ADMIN_GUI_URL, replace DNSorIP with with the DNS name or IP of the Docker host. KONG_ADMIN_GUI_URL should have a protocol, for example, http://.

Deploy a Kong Gateway license

If you already have a Kong Enterprise license attached to your Kong Gateway instance, skip to starting an InfluxDB database.

You will not be able to access the Kong Vitals functionality without a valid Kong Enterprise license attached to your Kong Gateway instance.

You can deploy a license file in one of the following ways:

Method Supported deployment types
/licenses Admin API endpoint • Traditional database-backed deployment
• Hybrid mode deployment
File on the node filesystem
(license.json)		 • Traditional database-backed deployment
• DB-less mode
Environment variable
(KONG_LICENSE_DATA)		 • Traditional database-backed deployment
• DB-less mode
Environment variable
(KONG_LICENSE_PATH)		 • Traditional database-backed deployment
• DB-less mode

The recommended method is using the Admin API.

Prerequisites

  • You have received a license.json file from Kong.
  • Kong Gateway is installed.

Deploy the license

You can use the Kong Admin API to distribute the license in any database-backed or hybrid mode deployment. We recommend using this method in most deployments.

In hybrid mode, apply the license to the control plane. The control plane distributes the license to its data plane nodes. This is the only method that applies the license to data planes automatically.

The license data must contain straight quotes to be considered valid JSON (' and ", not or ).

POST the contents of the provided license.json license to your Kong Gateway instance:

Note: The following license is only an example. You must use the following format, but provide your own content.

$ curl -i -X POST http://<hostname>:8001/licenses \
  -d payload='{"license":{"payload":{"admin_seats":"1","customer":"Example Company, Inc","dataplanes":"1","license_creation_date":"2017-07-20","license_expiration_date":"2017-07-20","license_key":"00141000017ODj3AAG_a1V41000004wT0OEAU","product_subscription":"Konnect Enterprise","support_plan":"None"},"signature":"6985968131533a967fcc721244a979948b1066967f1e9cd65dbd8eeabe060fc32d894a2945f5e4a03c1cd2198c74e058ac63d28b045c2f1fcec95877bd790e1b","version":"1"}}'

$ http POST :8001/licenses \
  payload='{"license":{"payload":{"admin_seats":"1","customer":"Example Company, Inc","dataplanes":"1","license_creation_date":"2017-07-20","license_expiration_date":"2017-07-20","license_key":"00141000017ODj3AAG_a1V41000004wT0OEAU","product_subscription":"Konnect Enterprise","support_plan":"None"},"signature":"6985968131533a967fcc721244a979948b1066967f1e9cd65dbd8eeabe060fc32d894a2945f5e4a03c1cd2198c74e058ac63d28b045c2f1fcec95877bd790e1b","version":"1"}}'

Result:

{
  "created_at": 1500508800,
  "id": "30b4edb7-0847-4f65-af90-efbed8b0161f",
  "payload": "{\"license\":{\"payload\":{\"admin_seats\":\"1\",\"customer\":\"Example Company, Inc\",\"dataplanes\":\"1\",\"license_creation_date\":\"2017-07-20\",\"license_expiration_date\":\"2017-07-20\",\"license_key\":\"00141000017ODj3AAG_a1V41000004wT0OEAU\",\"product_subscription\":\"Konnect Enterprise\",\"support_plan\":\"None\"},\"signature\":\"6985968131533a967fcc721244a979948b1066967f1e9cd65dbd8eeabe060fc32d894a2945f5e4a03c1cd2198c74e058ac63d28b045c2f1fcec95877bd790e1b\",\"version\":\"1\"}}",
  "updated_at": 1500508800
}

For more detail and options, see the Admin API licenses endpoint reference.

You can provide a license file to Kong Gateway in any database-backed or DB-less deployment. This method is not recommended for use in hybrid mode, as you have to maintain the license on each node manually.

The license data must contain straight quotes to be considered valid JSON (' and ", not or ).

  1. Securely copy the license.json file to your home directory on the filesystem where you have installed Kong Gateway.

     $ scp license.json <system_username>@<server>:~

  2. Then, copy the license file again, this time to the /etc/kong directory:

     $ scp license.json /etc/kong/license.json

    Kong Gateway will look for a valid license in this location.

You can use the KONG_LICENSE_DATA environment variable to apply a license to Kong Gateway in any database-backed or DB-less deployment. This method is not recommended for use in hybrid mode, as you have to maintain the license on each node manually.

The license data must contain straight quotes to be considered valid JSON (' and ", not or ).

  1. Export the license key to a variable by running the following command, substituting your own license key.

    Note: The following license is only an example. You must use the following format, but provide your own content.

     $ export KONG_LICENSE_DATA='{"license":{"signature":"LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tClZlcnNpb246IEdudVBHIHYyCgpvd0did012TXdDSFdzMTVuUWw3dHhLK01wOTJTR0tLWVc3UU16WTBTVTVNc2toSVREWk1OTFEzVExJek1MY3dTCjA0ek1UVk1OREEwc2pRM04wOHpNalZKVHpOTE1EWk9TVTFLTXpRMVRVNHpTRXMzTjA0d056VXdUTytKWUdNUTQKR05oWW1VQ21NWEJ4Q3NDc3lMQmorTVBmOFhyWmZkNkNqVnJidmkyLzZ6THhzcitBclZtcFZWdnN1K1NiKzFhbgozcjNCeUxCZzdZOVdFL2FYQXJ0NG5lcmVpa2tZS1ozMlNlbGQvMm5iYkRzcmdlWFQzek1BQUE9PQo9b1VnSgotLS0tLUVORCBQR1AgTUVTU0FHRS0tLS0tCg=","payload":{"customer":"Test Company Inc","license_creation_date":"2017-11-08","product_subscription":"Kong Enterprise","admin_seats":"5","support_plan":"None","license_expiration_date":"2017-11-10","license_key":"00141000017ODj3AAG_a1V41000004wT0OEAU"},"version":1}}'

  2. Include the license as part of the docker run command when starting a Kong Gateway container:

    Note: This is only a snippet. For a full working example, see the instructions to Install Kong Gateway on Docker.

     docker run -d --name kong-gateway \
  --network=kong-net \
  ...
  -e KONG_LICENSE_DATA \
  kong/kong-gateway:-alpine

You can use the KONG_LICENSE_PATH environment variable to apply a license to Kong Gateway in any database-backed or DB-less deployment. This method is not recommended for use in hybrid mode, as you have to maintain the license on each node manually.

Include the license as part of the docker run command when starting a Kong Gateway container. Mount the path to the file on your local filesystem to a directory in the Docker container, making the file visible from the container:

Note: This is only a snippet. For a full working example, see the instructions to Install Kong Gateway on Docker.

docker run -d --name kong-gateway \
 --network=kong-net \
 ...
 -v "$(pwd)/kong-license/:/kong-license/" \
 -e "KONG_LICENSE_PATH=/kong-license/license.json" \
 kong/kong-gateway:-alpine

Start an InfluxDB database

Production-ready InfluxDB installations should be deployed as a separate effort, but for proof-of-concept testing, running a local InfluxDB instance is possible with Docker:

docker run -p 8086:8086 \
  --network=<YOUR_NETWORK_NAME> \
  --name influxdb \
  -e INFLUXDB_DB=kong \
  influxdb:1.8.4-alpine

You must use InfluxDB 1.8.4-alpine because InfluxDB 2.0 will not work.

Writing Vitals data to InfluxDB requires that the kong database is created, this is done using the INFLUXDB_DB variable.

Configure Kong Gateway

Note: If you used the configuration in Installing Kong Gateway on Docker, then you do not need to complete this step.

In addition to enabling Kong Vitals, Kong Gateway must be configured to use InfluxDB as the backing strategy for Vitals. The InfluxDB host and port must also be defined:

echo "KONG_VITALS_STRATEGY=influxdb KONG_VITALS_TSDB_ADDRESS=influxdb:8086 kong reload exit" \
| docker exec -i kong-ee /bin/sh

Note: In Hybrid Mode, configure vitals_strategy and vitals_tsdb_address on both the control plane and all data planes.

Understanding Vitals data using InfluxDB measurements

Kong Vitals records metrics in two InfluxDB measurements:

  1. kong_request: Contains field values for request latencies and HTTP, and tags for various Kong entities associated with the requests (for example, the Route and Service in question).
  2. kong_datastore_cache: Contains points about cache hits and misses.

To display the measurement schemas on your InfluxDB instance running in Docker:

  1. Open command line in your InfluxDB Docker container.

     docker exec -it influxdb /bin/sh

  2. Log in to the InfluxDB CLI.

     influx -precision rfc3339

  3. Enter the InfluxQL query for returning a list of tag keys associated with the specified database.

     > SHOW TAG KEYS ON kong

    Example result:

     name: kong_request
 tagKey
 ------
 consumer
 hostname
 route
 service
 status_f
 wid
 workspace

 name: kong_datastore_cache
 tagKey
 ------
 hostname
 wid

  4. Enter the InfluxQL query for returning the field keys and the data type of their field values.

     > SHOW FIELD KEYS ON kong

    Example result:

     name: kong_request
 fieldKey	         fieldType
 --------	         ---------
 kong_latency       integer
 proxy_latency      integer
 request_latency    integer
 status             integer

 name: kong_datastore_cache
 fieldKey  fieldType
 --------  ---------

 hits      integer
 misses    integer

The tag wid is used to differentiate the unique worker ID per host, to avoid duplicate metrics shipped at the same point in time.

As demonstrated above, the series cardinality of the kong_request measurement varies based on the cardinality of the Kong cluster configuration - a greater number of Service/Route/Consumer/Workspace combinations handled by Kong results in a greater series cardinality as written by Vitals.

Sizing an InfluxDB node/cluster for Vitals

Consult the InfluxDB sizing guidelines for reference on appropriately sizing an InfluxDB node/cluster.

Note: The query behavior when reading Vitals data falls under the “moderate” load category as defined by the InfluxDB sizing guidelines. Several GROUP BY statements and functions are used to generate the Vitals API responses, which can require significant CPU resources to execute when hundreds of thousands or millions of data points are present.

Query frequency and precision

Kong buffers Vitals metrics and writes InfluxDB points in batches to improve throughput in InfluxDB and reduce overhead in the Kong proxy path. Each Kong worker process flushes its buffer of metrics every 5 seconds or 5000 data points, whichever comes first.

Metrics points are written with microsecond (u) precision. To comply with the Vitals API, measurement values are read back grouped by second.

Note: Because of limitations in the OpenResty API, writing values with microsecond precision requires an additional syscall per request.

Managing the retention policy of the Kong database

Vitals InfluxDB data points are not downsampled or managed by a retention policy through Kong. InfluxDB operators are encouraged to manually manage the retention policy of the kong database to reduce the disk space and memory needed to manage Vitals data points.