旧バージョンのドキュメントを参照しています。最新のドキュメントはこちらをご参照ください。

Cassandra to PostgreSQL Migration Guidelines

This guide walks you through migrating Kong Gateway from a Cassandra DB-backed traditional deployment to a PostgreSQL-backed hybrid deployment.

This guide uses a blue-green migration approach. In this approach, DNS switching helps cut traffic over from a Blue environment to a Green environment. This provides the ability to roll back faster if an issue is detected.

We recommend using decK, Kong’s declarative configuration management tool.

Migration steps:

Build a target Kong Gateway hybrid environment with PostgreSQL. This acts as your blank canvas.
Use decK to export (dump) configuration from the old traditional Cassandra-backed deployment.
Use decK to import (sync) the configuration to the new hybrid PostgreSQL-backed deployment.
Create basic auth credentials and local RBAC users using either the Admin API or Kong Manager.
When the Kong Gateway configuration has been migrated over to the green environment, slowly redirect traffic via canary into the green environment. This lowers the risk of the release with a fast rollback mechanism in place.

Considerations

While the document provides high level guidelines, actual migration steps may differ based on the following factors:

Complexity of the Kong deployment environment
Kong plugins
Custom plugins
External touch points to the Gateway (for example, OIDC with external IdPs)
Number of configuration entities, for example services and routes
If running an older version of Kong Gateway, we recommend doing a Kong Gateway version upgrade before the database migration. This reduces the moving parts in the upgrade procedure.
If you’re using Cassandra, you likely have a traditional deployment. We recommend taking this opportunity to review the deployment topology options for Kong Gateway and converting to a hybrid mode deployment, if possible.

The following diagram shows the architecture of a hybrid mode deployment, which means there is a split between the Kong Gateway control and data planes. You can follow the same database migration approach for Kong Gateway instances deployed in traditional mode.

 
flowchart LR
A[api.customer.com]
B[(Cassandra)]
C( Kong Gateway VM)
D( Kong Gateway DP)
E( Kong Gateway CP)
F[(Postgres)]

H[[decK]]

A --> C & D

subgraph id1 ["`**On premise**`"]
C --> B
end

subgraph id2 ["`**Kubernetes**`"]
D --> E --> F
end

C --export config via yaml--> H --sync config to CP--> E

style id1 stroke-dasharray:3,rx:10,ry:10
style id2 stroke-dasharray:3,rx:10,ry:10

Prerequisites

The Kong Gateway blue environment (using Cassandra) and green environment (using PostgreSQL) are running the same Gateway version.
In the following examples, blue is deployed in traditional mode and green is deployed in hybrid mode. If you prefer to migrate to a traditional deployment, you can still follow the steps, but you don’t need to worry about performing separate control plane and data plane tasks.

Migration approach

The following steps should be tested in a non-production environment. Any gaps in the target state should be identified and remediated before running it in production.

Step	Name	Description
1	Platform build	Build the green environment with Kong Gateway using the same version as the blue environment
2	Database setup	Build a new Postgres DB and connect it to the green environment
3	Regression testing	Deploy your setup into the new system and regression test it. Clean up the deployment when testing is completed .

Preparation

Step	Name	Description
1	Change embargo	Place a change embargo on the old environment preventing new deployments or configuration changes
2	Blue environment backup	Make a backup of the blue environment’s Cassandra database and place it into redundant storage
3	Observability setup	Create dashboards to track the health of the new environment
4	Go/No Go checkpoint	Go/No Go decision point for the migration execution

Execution

The goal of this phase is to reproduce the Kong Gateway configuration in the blue environment and perform regression and smoke testing ahead of live traffic cut-over.

Step	Name	Description
1	Configuration dump	- Execute the `deck gateway dump` command against the blue environment for each workspace to build a YAML representation of the Kong estate - Execute `deck gateway dump --rbac-resources-only` against the blue environment for each workspace to build a YAML representation of any RBAC resources created - If using the Kong Dev Portal, run the `portal fetch` command via the Portal CLI to build a representation of the Dev Portal assets for a workspace
2	Configuration sync	- Change decK to work with the green environment, and execute `deck gateway sync` to push the configuration to the green environment - Change the Portal CLI to work against the green environment, and execute `portal deploy` to push the Dev Portal configuration against the new environment
3	Regression testing	Execute regression tests against the green environment backed by PostgreSQL
4	Go/No Go checkpoint	If all tests pass, proceed with traffic cut over

Traffic cut over

The purpose of this phase is to migrate traffic in a controlled manner, with a rapid fallback mechanism if a problem is detected. You can increase or decrease the wait times before increasing the canary split depending on the risk tolerance.

Step	Name	Description
1	Canary 1% of traffic to the new green environment	Canary 1% of traffic to the new environment and monitor the traffic health.
2	Canary 5% of traffic to the new green environment	Increase traffic split to 5% and monitor.
3	Canary 10% of traffic to the new green environment	Increase traffic split to 10% and monitor.
4	Canary 50% of traffic to the new green environment	Increase traffic split to 50% and monitor.
5	Switch 100% of traffic to the new green environment	Perform a full DNS switch over to point to the new green environment.
6	Take down old platform	After 24 hours when confidence is high, take down the old platform.

Next steps

If using the Basic Authentication plugin, the passwords are hashed and encrypted in the database. A decK dump doesn’t export these credentials, so it is impossible to get the passwords out of the database in the cleartext. You must migrate these credentials using the Admin Api or Kong Manager.
Admin users on the Kong Gateway control plane are not propagated using decK. Migrate them using the Kong Admin API.

After migration, basic authentication credentials can be managed by decK. See the following topics to learn how to manage secrets with deck: