Install Kong Gateway on Docker

This guide provides steps to configure Kong Gateway on Docker with or without a database. The database used in this guide is PostgreSQL.

If you prefer to use the open-source Kong Gateway image with Docker Compose, Kong also provides a Docker Compose template with built-in orchestration and scalability.

Some older Kong Gateway images are not publicly accessible. If you need a specific patch version and can’t find it on Kong’s public Docker Hub page, contact Kong Support.

The Kong Gateway software is governed by the Kong Software License Agreement. Kong Gateway (OSS) is licensed under an Apache 2.0 license.

Prerequisites

Note: If you want to run Kong Gateway without managing a control plane or a database, you can get started with Konnect in under 5 minutes using our Docker quick start script.

  • A Docker-enabled system with proper Docker access
  • (Enterprise only) A license.json file from Kong

Choose a path to install Kong Gateway:

  • With a database: Use a database to store Kong entity configurations. Can use the Admin API or declarative configuration files to configure Kong.
  • Without a database (DB-less mode): Store Kong configuration in-memory on the node. In this mode, the Admin API is read only, and you have to manage Kong using declarative configuration.

If you’re not sure which option to use, we recommend starting with a database

Install Kong Gateway with a database

Set up a Kong Gateway container with a PostgreSQL database to store Kong configuration.

Prepare the database

  1. Create a custom Docker network to allow the containers to discover and communicate with each other:

    1. docker network create kong-net

    You can name this network anything you want. We use kong-net as an example throughout this guide.

  2. Start a PostgreSQL container:

    1. docker run -d --name kong-database \
    2. --network=kong-net \
    3. -p 5432:5432 \
    4. -e "POSTGRES_USER=kong" \
    5. -e "POSTGRES_DB=kong" \
    6. -e "POSTGRES_PASSWORD=kongpass" \
    7. postgres:13
    • POSTGRES_USER and POSTGRES_DB: Set these values to kong. This is the default value that Kong Gateway expects.
    • POSTGRES_PASSWORD: Set the database password to any string.

    In this example, the Postgres container named kong-database can communicate with any containers on the kong-net network.

  3. Prepare the Kong database:

    Kong Gateway

    Kong Gateway (OSS)

    1. docker run --rm --network=kong-net \
    2. -e "KONG_DATABASE=postgres" \
    3. -e "KONG_PG_HOST=kong-database" \
    4. -e "KONG_PG_PASSWORD=kongpass" \
    5. -e "KONG_PASSWORD=test" \
    6. kong/kong-gateway:3.5.0.0 kong migrations bootstrap
    1. docker run --rm --network=kong-net \
    2. -e "KONG_DATABASE=postgres" \
    3. -e "KONG_PG_HOST=kong-database" \
    4. -e "KONG_PG_PASSWORD=kongpass" \
    5. kong:3.5.0 kong migrations bootstrap

    Where:

    • KONG_DATABASE: Specifies the type of database that Kong is using.
    • KONG_PG_HOST: The name of the Postgres Docker container that is communicating over the kong-net network, from the previous step.
    • KONG_PG_PASSWORD: The password that you set when bringing up the Postgres container in the previous step.
    • KONG_PASSWORD (Enterprise only): The default password for the admin super user for Kong Gateway.
    • {IMAGE-NAME:TAG} kong migrations bootstrap: In order, this is the Kong Gateway container name and tag, followed by the command to Kong to prepare the Postgres database.

      Start Kong Gateway

    Important: The settings below are intended for non-production use only, as they override the default admin_listen setting to listen for requests from any source. Do not use these settings in environments directly exposed to the internet.

    If you need to expose the admin_listen port to the internet in a production environment,

    secure it with authentication.

  4. (Optional) If you have an Enterprise license for Kong Gateway, export the license key to a variable:

    The license data must contain straight quotes to be considered valid JSON (' and ", not or ).

    Note: The following license is only an example. You must use the following format, but provide your own content.

    1. export KONG_LICENSE_DATA='{"license":{"payload":{"admin_seats":"1","customer":"Example Company, Inc","dataplanes":"1","license_creation_date":"2017-07-20","license_expiration_date":"2017-07-20","license_key":"00141000017ODj3AAG_a1V41000004wT0OEAU","product_subscription":"Konnect Enterprise","support_plan":"None"},"signature":"6985968131533a967fcc721244a979948b1066967f1e9cd65dbd8eeabe060fc32d894a2945f5e4a03c1cd2198c74e058ac63d28b045c2f1fcec95877bd790e1b","version":"1"}}'
  5. Run the following command to start a container with Kong Gateway:

    Kong Gateway

    Kong Gateway (OSS)

    1. docker run -d --name kong-gateway \
    2. --network=kong-net \
    3. -e "KONG_DATABASE=postgres" \
    4. -e "KONG_PG_HOST=kong-database" \
    5. -e "KONG_PG_USER=kong" \
    6. -e "KONG_PG_PASSWORD=kongpass" \
    7. -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
    8. -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
    9. -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
    10. -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
    11. -e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
    12. -e "KONG_ADMIN_GUI_URL=http://localhost:8002" \
    13. -e KONG_LICENSE_DATA \
    14. -p 8000:8000 \
    15. -p 8443:8443 \
    16. -p 8001:8001 \
    17. -p 8444:8444 \
    18. -p 8002:8002 \
    19. -p 8445:8445 \
    20. -p 8003:8003 \
    21. -p 8004:8004 \
    22. kong/kong-gateway:3.5.0.0
    1. docker run -d --name kong-gateway \
    2. --network=kong-net \
    3. -e "KONG_DATABASE=postgres" \
    4. -e "KONG_PG_HOST=kong-database" \
    5. -e "KONG_PG_USER=kong" \
    6. -e "KONG_PG_PASSWORD=kongpass" \
    7. -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
    8. -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
    9. -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
    10. -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
    11. -e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
    12. -e "KONG_ADMIN_GUI_URL=http://localhost:8002" \
    13. -p 8000:8000 \
    14. -p 8443:8443 \
    15. -p 127.0.0.1:8001:8001 \
    16. -p 127.0.0.1:8002:8002 \
    17. -p 127.0.0.1:8444:8444 \
    18. kong:3.5.0

    Where:

    • --name and --network: The name of the container to create, and the Docker network it communicates on.
    • KONG_DATABASE: Specifies the type of database that Kong is using.
    • KONG_PG_HOST: The name of the Postgres Docker container that is communicating over the kong-net network.
    • KONG_PG_USER and KONG_PG_PASSWORD: The Postgres username and password. Kong Gateway needs the login information to store configuration data in the KONG_PG_HOST database.
    • All _LOG parameters: set filepaths for the logs to output to, or use the values in the example to print messages and errors to stdout and stderr.
    • KONG_ADMIN_LISTEN: The port that the Kong Admin API listens on for requests.
    • KONG_ADMIN_GUI_URL: The URL for accessing Kong Manager, preceded by a protocol (for example, http://).
    • KONG_LICENSE_DATA: (Enterprise only) If you have a license file and have saved it as an environment variable, this parameter pulls the license from your environment.
  6. Verify your installation:

    Access the /services endpoint using the Admin API:

    1. curl -i -X GET --url http://localhost:8001/services

    You should receive a 200 status code.

  7. Verify that Kong Manager is running by accessing it using the URL specified in KONG_ADMIN_GUI_URL:

    1. http://localhost:8002

Get started with Kong Gateway

Now that you have a running Gateway instance, Kong provides a series of getting started guides to help you set up and enhance your first Service.

In particular, right after installation you might want to:

Clean up containers

If you’re done testing Kong Gateway and no longer need the containers, you can clean them up using the following commands:

  1. docker kill kong-gateway
  2. docker kill kong-database
  3. docker container rm kong-gateway
  4. docker container rm kong-database
  5. docker network rm kong-net

Install Kong Gateway in DB-less mode

The following steps walk you through starting Kong Gateway in DB-less mode.

Create a Docker network

Run the following command:

  1. docker network create kong-net

You can name this network anything you want. We use kong-net as an example throughout this guide.

This step is not strictly needed for running Kong in DB-less mode, but it is a good precaution in case you want to add other things in the future (like a Rate Limiting plugin backed up by a Redis cluster).

Prepare your configuration file

  1. Prepare your declarative configuration file in .yml or .json format.

    The syntax and properties are described in the Declarative Configuration format guide. Add whatever core entities (Services, Routes, Plugins, Consumers, etc) you need to this file.

    For example, a simple file with a Service and a Route could look something like this:

    1. _format_version: "3.0"
    2. _transform: true
    3. services:
    4. - host: httpbin.org
    5. name: example_service
    6. port: 80
    7. protocol: http
    8. routes:
    9. - name: example_route
    10. paths:
    11. - /mock
    12. strip_path: true

    This guide assumes you named the file kong.yml.

  2. Save your declarative configuration locally, and note the filepath.

Start Kong Gateway in DB-less mode

Important: The settings below are intended for non-production use only, as they override the default admin_listen setting to listen for requests from any source. Do not use these settings in environments directly exposed to the internet.

If you need to expose the admin_listen port to the internet in a production environment,

secure it with authentication.

  1. (Optional) If you have an Enterprise license for Kong Gateway, export the license key to a variable:

    The license data must contain straight quotes to be considered valid JSON (' and ", not or ).

    Note: The following license is only an example. You must use the following format, but provide your own content.

    1. export KONG_LICENSE_DATA='{"license":{"payload":{"admin_seats":"1","customer":"Example Company, Inc","dataplanes":"1","license_creation_date":"2017-07-20","license_expiration_date":"2017-07-20","license_key":"00141000017ODj3AAG_a1V41000004wT0OEAU","product_subscription":"Konnect Enterprise","support_plan":"None"},"signature":"6985968131533a967fcc721244a979948b1066967f1e9cd65dbd8eeabe060fc32d894a2945f5e4a03c1cd2198c74e058ac63d28b045c2f1fcec95877bd790e1b","version":"1"}}'
  2. From the same directory where you just created the kong.yml file, run the following command to start a container with Kong Gateway:

    Kong Gateway

    Kong Gateway (OSS)

    1. docker run -d --name kong-dbless \
    2. --network=kong-net \
    3. -v "$(pwd):/kong/declarative/" \
    4. -e "KONG_DATABASE=off" \
    5. -e "KONG_DECLARATIVE_CONFIG=/kong/declarative/kong.yml" \
    6. -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
    7. -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
    8. -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
    9. -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
    10. -e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
    11. -e "KONG_ADMIN_GUI_URL=http://localhost:8002" \
    12. -e KONG_LICENSE_DATA \
    13. -p 8000:8000 \
    14. -p 8443:8443 \
    15. -p 8001:8001 \
    16. -p 8444:8444 \
    17. -p 8002:8002 \
    18. -p 8445:8445 \
    19. -p 8003:8003 \
    20. -p 8004:8004 \
    21. kong/kong-gateway:3.5.0.0
    1. docker run -d --name kong-dbless \
    2. --network=kong-net \
    3. -v "$(pwd):/kong/declarative/" \
    4. -e "KONG_DATABASE=off" \
    5. -e "KONG_DECLARATIVE_CONFIG=/kong/declarative/kong.yml" \
    6. -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
    7. -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
    8. -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
    9. -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
    10. -e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
    11. -e "KONG_ADMIN_GUI_URL=http://localhost:8002" \
    12. -p 8000:8000 \
    13. -p 8443:8443 \
    14. -p 127.0.0.1:8001:8001 \
    15. -p 127.0.0.1:8444:8444 \
    16. kong:3.5.0

    Where:

    • --name and --network: The name of the container to create, and the Docker network it communicates on.
    • -v $(pwd):/path/to/target/: Mount the current directory on your local filesystem to a directory in the Docker container. This makes the kong.yml file visible from the Docker container.
    • KONG_DATABASE: Sets the database to off to tell Kong not to use any backing database for configuration storage.
    • KONG_DECLARATIVE_CONFIG: The path to a declarative configuration file inside the container. This path should match the target path that you’re mapping with -v.
    • All _LOG parameters: set filepaths for the logs to output to, or use the values in the example to print messages and errors to stdout and stderr.
    • KONG_ADMIN_LISTEN: The port that the Kong Admin API listens on for requests.
    • KONG_ADMIN_GUI_URL: The URL for accessing Kong Manager, preceded by a protocol (for example, http://).
    • KONG_LICENSE_DATA: (Enterprise only) If you have a license file and have saved it as an environment variable, this parameter pulls the license from your environment.
  3. Verify that Kong Gateway is running:

    1. curl -i http://localhost:8001

    Test an endpoint. For example, get a list of services:

    1. curl -i http://localhost:8001/services

Get started with Kong Gateway

Now that you have a running Gateway instance, Kong provides a series of getting started guides to help you set up and enhance your first Service.

If you use the sample kong.yml in this guide, you already have a Service and a Route configured. Here are a few more things to check out:

Clean up containers

If you’re done testing Kong Gateway and no longer need the containers, you can clean them up using the following commands:

  1. docker kill kong-dbless
  2. docker container rm kong-dbless
  3. docker network rm kong-net

Running Kong in read-only mode

Starting with Kong Gateway 3.2.0, you can run the container in read-only mode. To do so, mount a Docker volume to the locations where Kong needs to write data. The default configuration requires write access to /tmp and to the prefix path:

Kong Gateway

Kong Gateway (OSS)

  1. docker run --read-only -d --name kong-dbless \
  2. --network=kong-net \
  3. -v "$(pwd)/declarative:/kong/declarative/" \
  4. -v "$(pwd)/tmp_volume:/tmp" \
  5. -v "$(pwd)/prefix_volume:/var/run/kong" \
  6. -e "KONG_PREFIX=/var/run/kong" \
  7. -e "KONG_DATABASE=off" \
  8. -e "KONG_DECLARATIVE_CONFIG=/kong/declarative/kong.yml" \
  9. -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
  10. -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
  11. -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
  12. -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
  13. -e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
  14. -e "KONG_ADMIN_GUI_URL=http://localhost:8002" \
  15. -e KONG_LICENSE_DATA \
  16. -p 8000:8000 \
  17. -p 8443:8443 \
  18. -p 8001:8001 \
  19. -p 8444:8444 \
  20. -p 8002:8002 \
  21. -p 8445:8445 \
  22. -p 8003:8003 \
  23. -p 8004:8004 \
  24. kong/kong-gateway:3.5.0.0
  1. docker run --read-only -d --name kong-dbless \
  2. --network=kong-net \
  3. -v "$(pwd)/declarative:/kong/declarative/" \
  4. -v "$(pwd)/tmp_volume:/tmp" \
  5. -v "$(pwd)/prefix_volume:/var/run/kong" \
  6. -e "KONG_PREFIX=/var/run/kong" \
  7. -e "KONG_DATABASE=off" \
  8. -e "KONG_DECLARATIVE_CONFIG=/kong/declarative/kong.yml" \
  9. -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
  10. -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
  11. -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
  12. -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
  13. -e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
  14. -p 8000:8000 \
  15. -p 8443:8443 \
  16. -p 127.0.0.1:8001:8001 \
  17. -p 127.0.0.1:8444:8444 \
  18. kong:3.5.0

Troubleshooting

For troubleshooting license issues, see:

If you did not receive a 200 OK status code or need assistance completing setup, reach out to your support contact or head over to the Support Portal.