High Availability IAM

Article

Ariel Glikman · Sep 16 14m read

Open Exchange

#API #High Availability #InterSystems API Manager (IAM) #HealthShare #InterSystems IRIS #InterSystems IRIS for Health #Documentation #Health Connect

One of the recommendations when deploying InterSystems Technologies for production is to set up High Availability. The recommended API Manager for these InterSystems Technologies is the InterSystems API Manager (IAM). IAM (essentially Kong Gateway) has multiple deployment topologies.

If you are looking for high availability you could use:

a) Kong Traditional Mode: Multiple Node Clusters

b) Hybrid Mode

c) DB-less Mode

Before we break them down let's first understand the out of the box deployment that is provided by InterSystems: Installing IAM Version 3.10.

Kong Traditional Mode

This is the Kong Traditional Mode: Single Node Cluster. If you haven't yet, go over the great article by @Guillaume Rongier : IAM (InterSystems API Manager), Zero to Hero which does a great job explaining how to get IAM up and working with InterSystems IRIS.

The Kong Traditional Mode Single Node Cluster is the only currently supported IAM deployment option via IKO at this time, check out the docs for deploying that here.

Note that in the YAML of Guillaume's article (section 2.4.4 of the article or 3.4.4 of the attached OpenExchange Application's GitHub Repository's README) , we have 3 containers:

iam-migrations (an initialization of the empty postgres database)
iam (IAM itself!)
db (the postgres database)

In Traditional Mode all configuration is done via the IAM container and all requests are sent to this container as well.

This can be scaled up so we are less reliant on a single IAM container:

It is very simple, you just add another IAM section! So if you are working on just one YAML you could have:

iam-migrations
iam1
iam2
db

Note that if you are working on just one YAML you must make sure you give IAM1 different ports than IAM2.

Spoiler (Traditional)

services:
  iam-migrations:
    image: containers.intersystems.com/intersystems/iam:3.10
    command: bash -c "kong migrations bootstrap; kong migrations up; kong migrations finish"
    depends_on:
      - db
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-iam}
      KONG_PG_HOST: db
      KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      KONG_PG_USER: ${KONG_PG_USER:-iam}
      KONG_CASSANDRA_CONTACT_POINTS: db
      ISC_IRIS_URL: IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license
    restart: on-failure
    links:
      - db:db
  iam1:
    image: containers.intersystems.com/intersystems/iam:3.10
    depends_on:
      - db
    environment:
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: '0.0.0.0:8001'
      KONG_ANONYMOUS_REPORTS: 'off'
      KONG_CASSANDRA_CONTACT_POINTS: db
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-iam}
      KONG_PG_HOST: db
      KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      KONG_PG_USER: ${KONG_PG_USER:-iam}
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PORTAL: 'on'
      KONG_PORTAL_GUI_PROTOCOL: http
      KONG_PORTAL_GUI_HOST: '127.0.0.1:8003'
      KONG_ADMIN_GUI_URL: http://localhost:8002
      ISC_IRIS_URL: IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license
    links:
      - db:db
    ports:
      - target: 8000
        published: 8000
        protocol: tcp
      - target: 8001
        published: 8001
        protocol: tcp
      - target: 8002
        published: 8002
        protocol: tcp
      - target: 8003
        published: 8003
        protocol: tcp
      - target: 8004
        published: 8004
        protocol: tcp
    restart: on-failure
  iam2:
    image: containers.intersystems.com/intersystems/iam:3.10
    depends_on:
      - db
    environment:
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: '0.0.0.0:8011'
      KONG_ANONYMOUS_REPORTS: 'off'
      KONG_CASSANDRA_CONTACT_POINTS: db
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-iam}
      KONG_PG_HOST: db
      KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      KONG_PG_USER: ${KONG_PG_USER:-iam}
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PORTAL: 'on'
      KONG_PORTAL_GUI_PROTOCOL: http
      KONG_PORTAL_GUI_HOST: '127.0.0.1:8003'
      KONG_ADMIN_GUI_URL: http://localhost:8012
      ISC_IRIS_URL: IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license
    links:
      - db:db
    ports:
      - target: 8000
        published: 8010
        protocol: tcp
      - target: 8011 # kong admin listen
        published: 8011
        protocol: tcp
      - target: 8002
        published: 8012
        protocol: tcp
      - target: 8003
        published: 8013
        protocol: tcp
      - target: 8004
        published: 8014
        protocol: tcp
    restart: on-failure
  db:
    image: postgres
    environment:
      POSTGRES_DB: ${KONG_PG_DATABASE:-iam}
      POSTGRES_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      POSTGRES_USER: ${KONG_PG_USER:-iam}
    volumes:
      - 'pgdata:/var/lib/postgresql/data'
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "${KONG_PG_USER:-iam}"]
      interval: 30s
      timeout: 30s
      retries: 3
    restart: on-failure
    stdin_open: true
volumes:
  pgdata:

Ideally, you would like for the database (including the migrations bootstrap) and each Kong node to be running on independent servers. In this case the ports would not be a problem, but you would have to make sure to change the KONG_PG_HOST environment variable to point to the host the database is running on.

Now you have High Availability, though this is Active/Active as opposed to the IRIS/HealthConnect Active/Passive Mirroring. You can go ahead and set up any configuration on either IAM1 or IAM2 and since they share a database the other will be updated and store the same information.

If you would like independent databases you would have to have 2 individual single node clusters. Note that Kong does not have an option to "mirror" databases such as IRIS so you would need to create a pipeline to automate the configuration (or configure everything twice, or get rid of the DB entirely - see DB-less Mode). In the above diagram provided by Kong, we see that they would have just had 3 IAMs instead of 2. You would also want to add a load balancer as well as a health check probe on each IAM node, with the environment variable KONG_STATUS_LISTEN: 0.0.0.0:8100.

A significant advantage to the Traditional Mode is (per the Kong Docs):

Traditional mode is the only deployment topology that supports plugins that require a database, like rate limiting with the cluster strategy, or OAuth2.

But it comes with downsides as well (from the Kong Docs):

When running in traditional mode, every Kong Gateway node runs as both a Control Plane (CP) and Data Plane (DP). This means that if any of your nodes are compromised, the entire running gateway configuration is compromised.

If you’re running Kong Gateway Enterprise with Kong Manager, request throughput may be reduced on nodes running Kong Manager due to expensive calculations being run to render analytics data and graphs.

The following modes solve these issues.

Kong Hybrid Mode

Hybrid Mode splits what we previously referred to as the IAM container into two: the Control Plane (CP) and the Data Plane (DP).

The CP is where the administration of Kong is hosted, such as the Kong Manager (this is the "management portal" of Kong, by default accessed on port 8002 or 8445). The control plane is connected to the database and sends its configuration out to the DPs. The DPs do not have any of the responsibility for managing Kong, only for implementing the configurations. All client API requests via Kong are sent directly to the DPs without going through the CP (this is the routes, by default at port 8000 or 8443). This resolves the downsides introduced by Traditional Mode Multi Node Clusters. An imperfect InterSystems analogy to Hybrid Mode is that of ECP. The client interacts with the fast running DP who's only purpose is to serve the application, while we leave everything else, such as management, and rendering of data and graphs to the CP.

Have a look at what the Control and Data Plane YAMLs look like below.

Spoiler (Control Plane)

# Hybrid mode example: Control plane.
services:
  iam-migrations:
    image: containers.intersystems.com/intersystems/iam:3.10
    command: bash -c "kong migrations bootstrap; kong migrations up; kong migrations finish"
    depends_on:
      - db
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-iam}
      KONG_PG_HOST: db
      KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      KONG_PG_USER: ${KONG_PG_USER:-iam}
      KONG_CASSANDRA_CONTACT_POINTS: db
      ISC_IRIS_URL: IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license
    restart: on-failure
    links:
      - db:db
  iam:
    image: containers.intersystems.com/intersystems/iam:3.10
    depends_on:
      - db
    environment:
      KONG_LOG_LEVEL: debug
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: '0.0.0.0:8001'
      KONG_ANONYMOUS_REPORTS: 'off'
      KONG_CASSANDRA_CONTACT_POINTS: db
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-iam}
      KONG_PG_HOST: db
      KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      KONG_PG_USER: ${KONG_PG_USER:-iam}
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PORTAL: 'on'
      KONG_PORTAL_GUI_PROTOCOL: http
      KONG_PORTAL_GUI_HOST: 'localhost:8003'
      KONG_ADMIN_GUI_URL: http://localhost:8002
      KONG_VITALS: 'on'
      KONG_ADMIN_GUI_HIDE_KONNECT_CTA: 'on'
      ISC_IRIS_URL: IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license
      KONG_ROLE: control_plane
      KONG_CLUSTER_SERVER_NAME: 'kong_clustering'
      KONG_CLUSTER_LISTEN: '0.0.0.0:8005 ssl'
      KONG_CLUSTER_TELEMETRY_LISTEN: '0.0.0.0:8006 ssl'
      KONG_CLUSTER_MTLS: 'shared'
      KONG_CLUSTER_CERT: /etc/kong/admin.crt
      KONG_CLUSTER_CERT_KEY: /etc/kong/admin.key
      KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/kong/admin.crt
    # This IP needs to be changed to point at the docker host.
    extra_hosts:
        - "kong_clustering:host-gateway"
    links:
      - db:db
    ports:
      - target: 8001
        published: 8001
        protocol: tcp
      - target: 8002
        published: 8002
        protocol: tcp
      - target: 8003
        published: 8003
        protocol: tcp
      - target: 8004
        published: 8004
        protocol: tcp
      - target: 8005
        published: 8105
        protocol: tcp
      - target: 8006
        published: 8006
        protocol: tcp
    restart: on-failure
    volumes:
    - ./Certificates/admin.crt:/etc/kong/admin.crt
    - ./Certificates/admin.key:/etc/kong/admin.key
  db:
    image: postgres
    environment:
      POSTGRES_DB: ${KONG_PG_DATABASE:-iam}
      POSTGRES_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      POSTGRES_USER: ${KONG_PG_USER:-iam}
    volumes:
      - 'pgdata:/var/lib/postgresql/data'
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "${KONG_PG_USER:-iam}"]
      interval: 30s
      timeout: 30s
      retries: 3
    restart: on-failure
    stdin_open: true
volumes:
  pgdata:

Note that for the first time we have introduced some certificates and keys. For the sake of simplicity I will try to avoid them in this article and write about how to properly set up secure communication in an upcoming article. That being said, Hybrid Mode requires that the CP and DP communicate via mTLS hence it was necessary.

Spoiler (Data Plane)

# Hybrid mode example: Data plane.
services:
  iam-data1:
    image: containers.intersystems.com/intersystems/iam:3.10
    environment:
      KONG_LOG_LEVEL: debug
      KONG_DATABASE: 'off'
      KONG_PROXY_LISTEN:      '0.0.0.0:8000'
      KONG_ADMIN_LISTEN:      'off'
      KONG_ADMIN_GUI_LISTEN:  'off'
      KONG_PORTAL_GUI_LISTEN: 'off'
      KONG_PORTAL_API_LISTEN: 'off'
      KONG_ANONYMOUS_REPORTS: 'off'
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PORTAL: 'off'
      ISC_IRIS_URL: IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license
      KONG_ROLE: data_plane
      KONG_CLUSTER_MTLS: 'shared'
      KONG_CLUSTER_CERT: /etc/kong/admin.crt
      KONG_CLUSTER_CERT_KEY: /etc/kong/admin.key
      KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/kong/admin.crt
      KONG_CLUSTER_CONTROL_PLANE: kong_clustering:8105
      KONG_CLUSTER_TELEMETRY_ENDPOINT: kong_clustering:8006
      KONG_CLUSTER_SERVER_NAME: "kong.clustering"
      KONG_CLUSTER_TELEMETRY_SERVER_NAME: "kong.clustering"
      KONG_STATUS_LISTEN: 0.0.0.0:8100
    # This IP needs to be changed to point at the docker host.
    extra_hosts:
        - "kong_clustering:host-gateway"
    ports:
      - target: 8000
        published: 8000
        protocol: tcp
      - target: 8100
        published: 8101
        protocol: tcp
    restart: on-failure
    # This directory should be changed to point at your cert files on the host OS.
    volumes:
    - ./Certificates/admin.crt:/etc/kong/admin.crt
    - ./Certificates/admin.key:/etc/kong/admin.key
  iam-data2:
    image: containers.intersystems.com/intersystems/iam:3.10
    environment:
      KONG_LOG_LEVEL: debug
      KONG_DATABASE: 'off'
      KONG_PROXY_LISTEN:      '0.0.0.0:8000'
      KONG_ADMIN_LISTEN:      'off'
      KONG_ADMIN_GUI_LISTEN:  'off'
      KONG_PORTAL_GUI_LISTEN: 'off'
      KONG_PORTAL_API_LISTEN: 'off'
      KONG_ANONYMOUS_REPORTS: 'off'
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PORTAL: 'off'
      ISC_IRIS_URL: IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license
      KONG_ROLE: data_plane
      KONG_CLUSTER_MTLS: 'shared'
      KONG_CLUSTER_CERT: /etc/kong/admin.crt
      KONG_CLUSTER_CERT_KEY: /etc/kong/admin.key
      KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/kong/admin.crt
      KONG_CLUSTER_CONTROL_PLANE: kong_clustering:8105
      KONG_CLUSTER_TELEMETRY_ENDPOINT: kong_clustering:8006
      KONG_CLUSTER_SERVER_NAME: "kong.clustering"
      KONG_CLUSTER_TELEMETRY_SERVER_NAME: "kong.clustering"
      KONG_STATUS_LISTEN: 0.0.0.0:8100
    # This IP needs to be changed to point at the docker host.
    extra_hosts:
        - "kong_clustering:host-gateway"
    ports:
      - target: 8000
        published: 8100
        protocol: tcp
      - target: 8100
        published: 8102
        protocol: tcp
    restart: on-failure
    # This directory should be changed to point at your cert files on the host OS.
    volumes:
    - ./Certificates/admin.crt:/etc/kong/admin.crt
    - ./Certificates/admin.key:/etc/kong/admin.key

As before you would want to make sure to set up a load balancer. This is my preferred Highly Available Deployment Topology for IAM as I am a fan of working with the GUI, but enjoy the compartmentalization in that administration is on the control plane, while the client/application connects to the data plane. Have a look through at the other benefits of this mode (from the Kong Docs):

Deployment flexibility: Users can deploy groups of Data Planes in different data centers, geographies, or zones without needing a local clustered database for each DP group.

Increased reliability: The availability of the database doesn’t affect the availability of the Data Planes. Each DP caches the latest configuration it received from the Control Plane on local disk storage, so if CP nodes are down, the DP nodes keep functioning.

While the CP is down, DP nodes constantly try to reestablish communication.

DP nodes can be restarted while the CP is down, and still proxy traffic normally.

Traffic reduction: Drastically reduces the amount of traffic to and from the database, since only CP nodes need a direct connection to the database.

Increased security: If one of the DP nodes is compromised, an attacker won’t be able to affect other nodes in the Kong Gateway cluster.

Ease of management: Admins only need to interact with the CP nodes to control and monitor the status of the entire Kong Gateway cluster.

DB-less mode

The third and final Kong Gateway Deployment Topology available is DB-less mode. There is no database because all of the configuration is done declaratively in a YAML, and the application runs ephemerally (with no persistent storage).

This of course comes with the following downsides (from the Kong Docs):

The Admin API is read only.

Any plugin that stores information in the database, like rate limiting (cluster mode), doesn’t fully function.

But there is upsides as well (from the Kong Docs):

Reduced number of dependencies: no need to manage a database installation if the entire setup for your use case fits in memory.

Your configuration is always in a known state. There is no intermediate state between creating a Service and a Route using the Admin API.

DB-less mode is a good fit for automation in CI/CD scenarios. Configuration for entities can be kept in a single source of truth managed via a Git repository.

Note that this time the YAML has no database, and hence no iam-migrations either.

Spoiler (DB-less)

services:
  iam1:
    image: containers.intersystems.com/intersystems/iam:3.10
    environment:
      KONG_DATABASE: "off"
      KONG_DECLARATIVE_CONFIG: /etc/kong/kong.yml
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ANONYMOUS_REPORTS: "off"
      KONG_ADMIN_LISTEN: "0.0.0.0:8001"
      ISC_IRIS_URL: "IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license"
    volumes:
      - ./kong.yml:/etc/kong/kong.yml
    ports:
      - target: 8000
        published: 8000
        protocol: tcp
      - target: 8001
        published: 8001
        protocol: tcp
    restart: on-failure
  iam2:
    image: containers.intersystems.com/intersystems/iam:3.10
    environment:
      KONG_DATABASE: "off"
      KONG_DECLARATIVE_CONFIG: /etc/kong/kong.yml
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ANONYMOUS_REPORTS: "off"
      KONG_ADMIN_LISTEN: "0.0.0.0:8001"
      ISC_IRIS_URL: "IAM:${IRIS_PASSWORD}@host.docker.internal:80/api/iam/license"
    volumes:
      - ./kong.yml:/etc/kong/kong.yml
    ports:
      - target: 8000
        published: 8010
        protocol: tcp
      - target: 8001
        published: 8011
        protocol: tcp
    restart: on-failure

And of course we would need the declarative configuration of Kong. See an example YAML of this below.

Spoiler (kong.yml)

_format_version: "3.0"
services:
  - name: test-api
    protocol: http
    host: host.docker.internal     # If Kong runs *on your host*.
    port: 80
    path: /api/atelier
    routes:
      - name: test-api
        paths:
          - /somepath
        strip_path: true   # /somepath is removed before proxying

To summarize, there are three deployment topologies you can use for IAM to achieve HA, each with its advantages and disadvantages. I encourage you to check out the attached Open Exchange Application which takes you through deploying these topologies one by one.