| Metadata | Value |
|---|---|
| Status | Accepted |
| Date | 2026-01-26 |
| Deciders | Platform Architecture Team |
| Categories | API Management, Gateway, Security |
HelpDev platform needs an API Management layer to:
- Expose internal services to external consumers (public APIs)
- Manage internal API routing between service domains
- Centralize OpenAPI specifications for documentation and governance
- Provide authentication, rate limiting, and plugin management
- Integrate with the existing GitOps pipeline workflow
- Multi-tenant: Support multiple Kong instances per domain (e.g.,
ecommerce-internal,payments-external) - GitOps-native: All configuration managed declaratively in Git
- Self-service: Service teams can configure routes/plugins without Platform Team intervention
- Multi-region: Follow existing
{account}/{env}/{region}/path patterns - Keycloak integration: Leverage existing identity provider for authentication
- Observability: Integrate with Grafana Stack (Mimir, Loki, Tempo)
We will implement Kong Gateway in DB-less mode with a two-repository architecture:
| Repository | Purpose | Ownership |
|---|---|---|
platform-kong |
Kong infrastructure (Helm, base config) | Platform Team |
platform-apis |
API configuration (OpenAPI, routes, plugins) | Service Teams + Platform Team |
- DB-less Mode: Kong runs without a database, using declarative YAML configuration synced via GitOps
- Separation of Concerns: Infrastructure (
platform-kong) vs Configuration (platform-apis) - Kong per Domain: One Kong instance serves multiple services within a domain (e.g.,
ecommerce-external) - Aggregated Config: A GitHub Action combines per-service configs into a single
kong.yamlper instance
┌─────────────────────────────────────────────────────────────────────────┐
│ API MANAGEMENT STACK │
│ │
│ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │
│ │ Backstage │ │ platform-apis │ │ platform-kong │ │
│ │ │ │ (API Config) │ │ (Infra Only) │ │
│ │ • Create Kong │ │ • OpenAPI specs │ │ • Kong deploy │ │
│ │ • Associate svc │ │ • Routes config │ │ • Helm values │ │
│ │ • Update catalog │ │ • Plugins config │ │ • Base settings │ │
│ └──────────────────┘ └──────────────────┘ └──────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌──────────────────────────────────────┐ │
│ │ Kong Runtime │ │
│ │ (DB-less, config from platform-apis)│ │
│ └──────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────┘
platform-apis:
platform-apis/{account}/{env}/{region}/{kong-instance}/{service}/
├── openapi.yaml # API specification (auto-published by pipeline)
├── routes.yaml # Kong routes (auto + manual PR)
└── plugins.yaml # Kong plugins (manual PR)
platform-kong:
platform-kong/{account}/{env}/{region}/{kong-instance}/
├── values.yaml # Helm values (replicas, resources)
└── kustomization.yaml # Kustomize overlay
Pros:
- Admin API for dynamic configuration
- Better for large-scale deployments with many changes
Cons:
- Requires database management per environment
- Configuration drift risk (state outside Git)
- Doesn't align with GitOps principles
Decision: Rejected - GitOps is a core principle (PRD P2)
Pros:
- Managed service, no infrastructure to maintain
- Native AWS integration
Cons:
- Vendor lock-in
- Limited plugin ecosystem
- Configuration via Terraform, not Kubernetes-native
- Harder to integrate with Istio service mesh
Decision: Rejected - Kubernetes-native solution preferred
Pros:
- Already part of the stack
- No additional component
Cons:
- Limited API management features (no rate limiting, API keys, developer portal)
- No OpenAPI-driven routing
- Less mature plugin ecosystem
Decision: Rejected - Need full API management capabilities
Pros:
- Simpler structure
- All Kong-related code in one place
Cons:
- Service teams need access to infrastructure repo
- Harder to enforce CODEOWNERS
- Mixes concerns (Platform Team owns infra, Service Teams own routes)
Decision: Rejected - Separation of concerns is cleaner
- GitOps-native: All configuration in Git, auditable, reviewable
- Self-service: Service teams configure routes/plugins via PR to
platform-apis - Clear ownership: Platform Team owns
platform-kong, Service Teams own their configs - Consistent patterns: Follows existing
{account}/{env}/{region}/structure - Keycloak integration: OIDC plugin leverages existing identity infrastructure
- Multi-region ready: Each region has independent configuration
- Learning curve: Teams need to learn Kong declarative configuration
- Aggregation complexity: GitHub Action needed to combine configs into
kong.yaml - Two repositories: Slight overhead in managing two repos vs one
| Risk | Mitigation |
|---|---|
| Configuration errors | Validation in CI before merge |
| Breaking API changes | OpenAPI diff detection in pipeline |
| Kong version upgrades | Platform Team manages via platform-kong |
| Plugin misconfiguration | Pre-approved plugin templates |
- Create
platform-apisandplatform-kongrepository structures - Define CODEOWNERS for governance
- Create ADR documentation
- Kong instance creation template
- Service-to-Kong association template
- catalog-info.yaml annotations for Kong
validate-openapiactionpublish-api-configactionaggregate-kong-configworkflow- Update service pipeline templates
- Phased rollout with OpenAPI publish
- Kong health check integration