News KrakenD CE v2.7 released with better rate-limiting and security options

Enterprise Documentation

Recent changes

You are viewing a previous version of KrakenD Enterprise Edition (v2.4) , go to the latest version

Managing the LICENSE file

Document updated on Oct 19, 2023

To run the Enterprise software with all its capabilities you must provide a valid license. When you get a license from sales, its placement and format must comply with what the binary expects.

When the license file is expired, incorrect, or missing, KrakenD won’t start.

License file requirements

To start KrakenD Enterprise without seeing the message above, make sure that:

  • The file /etc/krakend/LICENSE exists
  • The LICENSE file is a plain text file with no extension
  • It contains the certificate we gave you (it looks like a PEM file)
  • The file includes the surrounding -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and you have not deleted any dash or character accidentally, neither you have deleted the line breaks.

Change the location of the LICENSE

The LICENSE file must be in /etc/krakend/LICENSE by default, but KrakenD internally looks for ./LICENSE. It means that the file is inside the working directory. If you would like to store the license in a different location, you can change the WORKDIR in which KrakenD executes. For instance, let’s load the license from /vault/LICENSE instead.

We can have a custom Dockerfile like this one:

FROM krakend/krakend-ee:2.4

WORKDIR /vault

When you change the working directory all relative paths move to the new path. When you start KrakenD, the configuration file path needs to consider this.

Storing the LICENSE in the Docker image

See Generating a Docker artifact

Storing the LICENSE in Secret managers

You can store your LICENSE in any secret manager of your choice if you want to. However, ensure the line breaks are respected when retrieving them again.

AWS Secrets Manager

One of the particularities of AWS Secrets Manager is that it might have problems when storing multiline contents. Therefore, when working with AWS in plain text, we recommend keeping the LICENSE content in base64 format.

You can create an AWS secret with your license with this command:

$aws secretsmanager create-secret --name krakend-valid_trough-2023_05_22 --secret-string "$(base64 LICENSE)"
    "Name": "krakend-valid_trough-2022_05_22",
    "ARN": "arn:aws:secretsmanager:eu-west-1:052351007912:secret:krakend-valid_trough-2022_05_22-OISgD6",
    "VersionId": "59f7c317-989a-4219-bdd2-b79bead69dd4"

Notice that we have added the license’s expiration date to the secret name. A practice like this will help you quickly realize the expiration date of any license without testing.

You can later retrieve the license file in your pipeline file with:

$aws secretsmanager get-secret-value --secret-id krakend-valid_trough-2022_05_22 --query 'SecretString' --output text | base64 -d > LICENSE

Note: Depending on your computer’s operative system, the decoding of base64 might be base64 -D instead of base64 -d

Automate license expiration checking

The LICENSE file is a regular openssl certificate, meaning you can use the openssl command. This command is usually available in all Linux distributions, including smaller Docker images like Alpine after installing it.

Here is a sample script that you can use to abort a pipeline when the license is expired or about to expire.

# This script will fail (exit 1) when:
# - The LICENSE file is expired, or
# - It expires in the following N days
# Otherwise it will end normally printing the expiration date (exit 0)
# Requires openssl and bc packages, e.g. (Debian/Ubuntu):
# apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssl bc
# You can edit the two variables below:
# ---------------------
# ---------------------
set -e
NOW=$(date +%s)
EXPIRATION=$(openssl x509 -in $LICENSE_FILE_PATH -text -noout -dates | grep notAfter | sed -e 's#notAfter=##')

echo "License expiration: $EXPIRATION (in $EXPIRATION_IN_DAYS days)"
if [ "1" = "$HAS_EXPIRED" ]; then echo "Your LICENSE expired and KrakenD Enterprise cannot start!"; exit 1; fi
if [ "1" = "$ABOUT_TO_EXPIRE" ]; then echo "Your LICENSE will expire soon. Lower the threshold of this warning to continue"; exit 1; fi

The output of this script is the following:

Checking the validity of the license 
License expiration: Nov  1 00:00:00 2023 GMT (in 2 days)
Your LICENSE will expire soon. Lower the threshold of this warning to continue

And exits with an error. Adding the script to a pipeline will abort the execution (pipeline failed) on expired and about-to-expire licenses.

What happens when the license expires?

Any running processes will shut down when the KrakenD Enterprise license expires.

The KrakenD sales team is always in touch before this happens to work on the next renewal.

If you no longer want to be an Enterprise customer, you can downgrade to KrakenD Community very easily, and run in the open-source mode without the Enterprise functionalities.

Updating your license

When your license renewal comes, you must replace the /etc/krakend/LICENSE with the new content in your servers running KrakenD and restart KrakenD. That’s all!


Unresolved issues?

The documentation is only a piece of the help you can get! Whether you are looking for Open Source or Enterprise support, see more support channels that can help you.