Document updated on Oct 19, 2023
Managing the LICENSE file
To run the Enterprise software with all its capabilities you must provide a valid license. When you get a license from sales, its placement and format must comply with what the binary expects.
When the license file is expired, incorrect, or missing, KrakenD won’t start.
License file requirements
To start KrakenD Enterprise without seeing the message above, make sure that:
- The file
/etc/krakend/LICENSE
exists - The
LICENSE
file is a plain text file with no extension - It contains the certificate we gave you (it looks like a PEM file)
- The file includes the surrounding
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
, and you have not deleted any dash or character accidentally, neither you have deleted the line breaks.
Change the location of the LICENSE
The LICENSE
file must be in /etc/krakend/LICENSE
by default, but KrakenD internally looks for ./LICENSE
. It means that the file is inside the working directory. If you would like to store the license in a different location, you can change the WORKDIR
in which KrakenD executes. For instance, let’s load the license from /vault/LICENSE
instead.
We can have a custom Dockerfile
like this one:
FROM krakend/krakend-ee:2.4
WORKDIR /vault
COPY LICENSE .
When you change the working directory all relative paths move to the new path. When you start KrakenD, the configuration file path needs to consider this.
Storing the LICENSE in the Docker image
See Generating a Docker artifact
Storing the LICENSE in Secret managers
You can store your LICENSE in any secret manager of your choice if you want to. However, ensure the line breaks are respected when retrieving them again.
AWS Secrets Manager
One of the particularities of AWS Secrets Manager is that it might have problems when storing multiline contents. Therefore, when working with AWS in plain text, we recommend keeping the LICENSE
content in base64
format.
You can create an AWS secret with your license with this command:
Term
$aws secretsmanager create-secret --name krakend-valid_trough-2023_05_22 --secret-string "$(base64 LICENSE)"
{
"Name": "krakend-valid_trough-2022_05_22",
"ARN": "arn:aws:secretsmanager:eu-west-1:052351007912:secret:krakend-valid_trough-2022_05_22-OISgD6",
"VersionId": "59f7c317-989a-4219-bdd2-b79bead69dd4"
}
Notice that we have added the license’s expiration date to the secret name. A practice like this will help you quickly realize the expiration date of any license without testing.
You can later retrieve the license file in your pipeline file with:
Term
$aws secretsmanager get-secret-value --secret-id krakend-valid_trough-2022_05_22 --query 'SecretString' --output text | base64 -d > LICENSE
Note: Depending on your computer’s operative system, the decoding of base64 might be base64 -D
instead of base64 -d
Automate license expiration checking
The LICENSE file is a regular openssl certificate, meaning you can use the openssl
command. This command is usually available in all Linux distributions, including smaller Docker images like Alpine after installing it.
Here is a sample script that you can use to abort a pipeline when the license is expired or about to expire.
#!/bin/sh
# check_license.sh
# This script will fail (exit 1) when:
# - The LICENSE file is expired, or
# - It expires in the following N days
# Otherwise it will end normally printing the expiration date (exit 0)
# Requires openssl and bc packages, e.g. (Debian/Ubuntu):
# apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssl bc
# You can edit the two variables below:
# ---------------------
WARN_IN_DAYS=30
LICENSE_FILE_PATH="./LICENSE"
# ---------------------
set -e
NOW=$(date +%s)
EXPIRATION=$(openssl x509 -in $LICENSE_FILE_PATH -text -noout -dates | grep notAfter | sed -e 's#notAfter=##')
EXPIRATION_TIMESTAMP=$(date -d "$EXPIRATION" +%s)
EXPIRATION_IN_DAYS=$(echo "($EXPIRATION_TIMESTAMP - $NOW)/(3600*24)" | bc)
HAS_EXPIRED=$(echo "$NOW > $EXPIRATION_TIMESTAMP" | bc)
ABOUT_TO_EXPIRE=$(echo "$EXPIRATION_IN_DAYS < $WARN_IN_DAYS" | bc )
echo "License expiration: $EXPIRATION (in $EXPIRATION_IN_DAYS days)"
if [ "1" = "$HAS_EXPIRED" ]; then echo "Your LICENSE expired and KrakenD Enterprise cannot start!"; exit 1; fi
if [ "1" = "$ABOUT_TO_EXPIRE" ]; then echo "Your LICENSE will expire soon. Lower the threshold of this warning to continue"; exit 1; fi
The output of this script is the following:
Checking the validity of the license
$sh check_license.sh
License expiration: Nov 1 00:00:00 2023 GMT (in 2 days)
Your LICENSE will expire soon. Lower the threshold of this warning to continue
And exits with an error. Adding the script to a pipeline will abort the execution (pipeline failed) on expired and about-to-expire licenses.
What happens when the license expires?
Any running processes will shut down when the KrakenD Enterprise license expires.
The KrakenD sales team is always in touch before this happens to work on the next renewal.
If you no longer want to be an Enterprise customer, you can downgrade to KrakenD Community very easily, and run in the open-source mode without the Enterprise functionalities.
Updating your license
When your license renewal comes, you must replace the /etc/krakend/LICENSE
with the new content in your servers running KrakenD and restart KrakenD. That’s all!
