Full Lifecycle API Management: Microgateway Infrastructural Pattern adopting Kong Gateway

As Web APIs emerged as the fundamental technology to facilitate the interactions between organizations and their customers or partners, their ease of access and wide exposure demanded heightened attention on security and service availability. The adoption of the microservice infrastructural paradigm led industries to integrate API Gateways as central components responsible for managing and routing incoming requests to specific applications, as well as ensuring authentication of end-users, policy enforcement, logging, caching and monitoring. However, owning to their inherent monolithic design, they face the same challenges that prompted the shift towards decentralized infrastructures. Consistent with the trend, this thesis emphasizes a holistic approach to manage the entire lifecycle of Web APIs, embracing a new and innovative paradigm: the Microgateway Infrastructural Pattern. Based on ad-hoc, lightweight, and flexible API Microgateways, sitting closer to the applications they serve, this paradigm decouples the management of Web APIs among teams, empowering developers to concentrate on their microservices’ production. This research aims to integrate the commercial product Kong Gateway, both in the open-source (OSS) and the enterprise version, into realistic scenarios involving hybrid and multi-cloud infrastructure deployment and employing a DevSecOps approach to oversee APIs. Everything is managed in CI/CD pipelines, with Jenkins and GitHub Actions as automation tools, starting from the initial design phase of the APIs with security assessments based on OpenAPI Specification (OAS) files scanned by 42Crunch. This process continues through the automation of Kong microgateway configurations with decK, ultimately leading to deployment in Kubernetes clusters. Industry-level infrastructure standards are achieved in Identity and Access Management (IAM) scenarios through the use of Keycloak and Open Policy Agent (OPA) servers for decentralized operations. Additionally, Prometheus and Grafana are employed to monitor the status of the cluster, while HashiCorp Vault is utilized for secret management. All the PoC scenarios developed in this research has undergone a series of functional and performance tests using Postman, Insomnia and Gatling. Kong microgateways have been deployed and tested both in a on-premise microk8s cluster and a on-cloud Azure Kubernetes Service (AKS) cluster, where OAuth 2.0, OpenID Connect and SAML 2.0 authentication and authorization flows have been throughout validated.