Deploy Kong Gateway in GKE
· 32 min read
CEO of DEINN
Para realizar un despliegue de Kong Gateway en GKE, de deben realizar los siguientes pasos.
Requisitos:
- Contar con un cluster GKE y acceso mediante el cli de kubectl.
- Tener helm instalado en el terminal.
- Reservar una IP para la exposición del gateway, con ámbito global.
- Generar un dominio o subdominio apuntando al ip antes reservado.
- Habilitar la API de Managed Certificate en GCP.
- Una base de datos postgres para la instalación de kong gateway.
1- Instalación chart de Helm:
Se añade el chart de kong desde el github oficial: https://github.com/Kong/charts/tree/main/charts/kong
helm repo add kong https://charts.konghq.com
helm repo update
2- Preparar el cluster GKE:
Antes de desplegar kong gateway se deben configurar algunos manifiestos de kubernetes para que el deploy se realice correctamente:
- Modificar el "Managed Certificate" En el siguiente manifiesto se debe actualizar el dominio y namespace que se utilizará.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
name: certificate-api-dev
namespace: kong
spec:
domains:
- kong-dev.deinn.cl
Aplicar con el comando:
kubectl apply -f ManagedCertificate.yaml
- Modificar BackendConfig Se debe modificar el manifiesto de BackendConfig para actualizar los parametros que sean necesarios, como namespace.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: kong-backend-config-lb
namespace: kong
spec:
cdn:
enabled: true
cachePolicy:
includeHost: true
includeProtocol: true
includeQueryString: false
healthCheck:
checkIntervalSec: 15
timeoutSec: 1
healthyThreshold: 1
unhealthyThreshold: 3
type: HTTP
# only for HTTP/HTTPS type
requestPath: /status
# defaults to serving port
port: 8100
Aplicar con el comando:
kubectl apply -f BackendConfig.yaml
3- Configuración del values.yaml de kong:
En el siguiente archivo de configuración se debe revisar en su totalidad, teniendo en cuenta la configuración de base de datos a la que kong gateway se conectará, namespace, entre otros parametros que se deben de ajustar según el ambiente y necesidades. Luego de ajustar el values se debe instalar usando helm:
helm install gateway --version 2.35.0 kong kong/kong --namespace kong --values values-kong.yaml
Para desintalar puede usar el comando:
helm uninstall gateway --namespace kong
Ejemplo del values-kong.yaml
# -----------------------------------------------------------------------------
# Deployment parameters
# -----------------------------------------------------------------------------
deployment:
kong:
# Enable or disable Kong itself
# Setting this to false with ingressController.enabled=true will create a
# controller-only release.
enabled: true
## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing,
## for it to be considered available.
# minReadySeconds: 60
## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations
serviceAccount:
create: true
# Automount the service account token. By default, this is disabled, and the token is only mounted on the controller
# container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong
# Lua code, increasing potential attack surface.
automountServiceAccountToken: false
## Optionally specify the name of the service account to create and the annotations to add.
# name:
# annotations: {}
## Optionally specify any extra sidecar containers to be included in the deployment
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
# sidecarContainers:
# - name: sidecar
# image: sidecar:latest
# initContainers:
# - name: initcon
# image: initcon:latest
# hostAliases:
# - ip: "127.0.0.1"
# hostnames:
# - "foo.local"
# - "bar.local"
## Define any volumes and mounts you want present in the Kong proxy container
# userDefinedVolumes:
# - name: "volumeName"
# emptyDir: {}
# userDefinedVolumeMounts:
# - name: "volumeName"
# mountPath: "/opt/user/dir/mount"
test:
# Enable creation of test resources for use with "helm test"
enabled: false
# Use a DaemonSet controller instead of a Deployment controller
daemonset: false
hostNetwork: false
# Set the Deployment's spec.template.hostname field.
# This propagates to Kong API endpoints that report
# the hostname, such as the admin API root and hybrid mode
# /clustering/data-planes endpoint
hostname: ""
# kong_prefix empty dir size
prefixDir:
sizeLimit: 256Mi
# tmp empty dir size
tmpDir:
sizeLimit: 1Gi
# Override namepsace for Kong chart resources. By default, the chart creates resources in the release namespace.
# This may not be desirable when using this chart as a dependency.
# namespace: "example"
# -----------------------------------------------------------------------------
# Kong parameters
# -----------------------------------------------------------------------------
# Specify Kong configuration
# This chart takes all entries defined under `.env` and transforms them into into `KONG_*`
# environment variables for Kong containers.
# Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default
# See https://docs.konghq.com/latest/configuration also for additional details
# Values here take precedence over values from other sections of values.yaml,
# e.g. setting pg_user here will override the value normally set when postgresql.enabled
# is set below. In general, you should not set values here if they are set elsewhere.
env:
# the chart uses the traditional router (for Kong 3.x+) because the ingress
# controller generates traditional routes. if you do not use the controller,
# you may set this to "traditional_compatible" or "expressions" to use the new
# DSL-based router
router_flavor: "traditional"
nginx_worker_processes: "2"
proxy_access_log: /dev/stdout
admin_access_log: /dev/stdout
admin_gui_access_log: /dev/stdout
portal_api_access_log: /dev/stdout
proxy_error_log: /dev/stderr
admin_error_log: /dev/stderr
admin_gui_error_log: /dev/stderr
portal_api_error_log: /dev/stderr
prefix: /kong_prefix/
trusted_ips: 0.0.0.0/0,::/0
database: "postgres"
pg_host: "35.238.221.224-hostdb"
pg_port: "5432"
pg_database: "kongdb"
pg_ssl: on
pg_user: "konguser"
pg_password: "clavedeladb"
# This section is any customer specific environments variables that doesn't require KONG_ prefix.
# These custom environment variables are typicall used in custom plugins or serverless plugins to
# access environment specific credentials or tokens.
# Example as below, uncomment if required and add additional attributes as required.
# Note that these environment variables will only apply to the proxy and init container. The ingress-controller
# container has its own customEnv section.
# customEnv:
# api_token:
# valueFrom:
# secretKeyRef:
# key: token
# name: api_key
# client_name: testClient
# Load all ConfigMap or Secret keys as environment variables:
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
envFrom: []
# This section can be used to configure some extra labels that will be added to each Kubernetes object generated.
extraLabels: {}
# Specify Kong's Docker image and repository details here
image:
repository: kong
tag: "3.5"
# Kong Enterprise
# repository: kong/kong-gateway
# tag: "3.5"
# Specify a semver version if your image tag is not one (e.g. "nightly")
effectiveSemver:
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistrKeySecretName
# Specify Kong admin API service and listener configuration
admin:
# Enable creating a Kubernetes service for the admin API
# Disabling this is recommended for most ingress controller configurations
# Enterprise users that wish to use Kong Manager with the controller should enable this
enabled: true
type: ClusterIP
loadBalancerClass:
# To specify annotations or labels for the admin service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
http:
# Enable plaintext HTTP listen for the admin API
# Disabling this and using a TLS listen only is recommended for most configuration
enabled: true
servicePort: 8001
containerPort: 8001
# Set a nodePort which is available if service type is NodePort
# nodePort: 32080
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: []
tls:
# Enable HTTPS listen for the admin API
enabled: true
servicePort: 8444
containerPort: 8444
# Set a target port for the TLS port in the admin API service, useful when using TLS
# termination on an ELB.
# overrideServiceTargetPort: 8000
# Set a nodePort which is available if service type is NodePort
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
# Specify the CA certificate to use for TLS verification of the Admin API client by:
# - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
# - caBundle (PEM-encoded certificate string).
# If both are set, caBundle takes precedence.
client:
caBundle: ""
secretName: ""
# Kong admin ingress settings. Useful if you want to expose the Admin
# API of Kong outside the k8s cluster.
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# TLS secret name.
# tls: kong-admin.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# Specify Kong status listener configuration
# This listen is internal-only. It cannot be exposed through a service or ingress.
status:
enabled: true
http:
# Enable plaintext HTTP listen for the status listen
enabled: true
containerPort: 8100
parameters: []
tls:
# Enable HTTPS listen for the status listen
# Kong versions prior to 2.1 do not support TLS status listens.
# This setting must remain false on those versions
enabled: false
containerPort: 8543
parameters: []
# Name the kong hybrid cluster CA certificate secret
clusterCaSecretName: ""
# Specify Kong cluster service and listener configuration
#
# The cluster service *must* use TLS. It does not support the "http" block
# available on other services.
#
# The cluster service cannot be exposed through an Ingress, as it must perform
# TLS client validation directly and is not compatible with TLS-terminating
# proxies. If you need to expose it externally, you must use "type:
# LoadBalancer" and use a TCP-only load balancer (check your Kubernetes
# provider's documentation, as the configuration required for this varies).
cluster:
enabled: false
# To specify annotations or labels for the cluster service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
tls:
enabled: false
servicePort: 8005
containerPort: 8005
parameters: []
type: ClusterIP
loadBalancerClass:
# Kong cluster ingress settings. Useful if you want to split CP and DP
# in different clusters.
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# TLS secret name.
# tls: kong-cluster.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# Specify Kong proxy service configuration
proxy:
# Enable creating a Kubernetes service for the proxy
enabled: true
# type: LoadBalancer
type: ClusterIP
loadBalancerClass:
# Override proxy Service name
nameOverride: ""
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations:
# networking.gke.io/load-balancer-type: "Internal"
# cloud.google.com/app-protocols: '{"kong-proxy-tls":"HTTPS","kong-proxy":"HTTP"}'
cloud.google.com/backend-config: '{"default": "kong-backend-config-lb"}'
cloud.google.com/neg: '{"ingress":true}'
cloud.google.com/app-protocols: '{"kong-proxy-tls":"HTTPS","kong-proxy":"HTTP"}'
# If terminating TLS at the ELB, the following annotations can be used
# "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "*",
# "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "true",
# "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX",
# "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "kong-proxy-tls",
# "service.beta.kubernetes.io/aws-load-balancer-type": "elb"
labels:
enable-metrics: "true"
http:
# Enable plaintext HTTP listen for the proxy
enabled: true
servicePort: 80
containerPort: 8000
# Set a nodePort which is available if service type is NodePort
# nodePort: 32080
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: []
tls:
# Enable HTTPS listen for the proxy
enabled: true
servicePort: 443
containerPort: 8443
# Set a target port for the TLS port in proxy service
# overrideServiceTargetPort: 8000
# Set a nodePort which is available if service type is NodePort
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
# Define stream (TCP) listen
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their containerPort,
# e.g. "stream-9000" for the below.
# Note: although you can select the protocol here, you cannot set UDP if you
# use a LoadBalancer Service due to limitations in current Kubernetes versions.
# To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
# in the next section and place all UDP stream listen configuration under it.
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
# - containerPort: 9000
# servicePort: 9000
# protocol: TCP
# # Optionally set a static nodePort if the service type is NodePort
# # nodePort: 32080
# # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
# # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
# parameters: []
# Kong proxy ingress settings.
# Note: You need this only if you are using another Ingress Controller
# to expose Kong outside the k8s cluster.
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# To specify annotations or labels for the ingress, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
labels: {}
# Ingress hostname
hostname:
# Ingress path (when used with hostname above).
path: /
# Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations
hosts: []
# - host: kong-proxy.example.com
# paths:
# # Ingress path.
# - path: /*
# # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
# pathType: ImplementationSpecific
# - host: kong-proxy-other.example.com
# paths:
# # Ingress path.
# - path: /other
# # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
# pathType: ImplementationSpecific
# backend:
# service:
# name: kong-other-proxy
# port:
# number: 80
#
# TLS secret(s)
# tls: kong-proxy.example.com-tls
# Or if multiple hosts/secrets needs to be configured:
# tls:
# - secretName: kong-proxy.example.com-tls
# hosts:
# - kong-proxy.example.com
# - secretName: kong-proxy-other.example.com-tls
# hosts:
# - kong-proxy-other.example.com
# Optionally specify a static load balancer IP.
# loadBalancerIP:
# Specify Kong UDP proxy service configuration
# Currently, LoadBalancer type Services are generally limited to a single transport protocol
# Multi-protocol Services are an alpha feature as of Kubernetes 1.20:
# https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types
# You should enable this Service if you proxy UDP traffic, and configure UDP stream listens under it
udpProxy:
# Enable creating a Kubernetes service for UDP proxying
enabled: false
type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
# Optionally specify a static load balancer IP.
# loadBalancerIP:
# Define stream (UDP) listen
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort,
# e.g. "stream-9000" for the below.
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
# - containerPort: 9000
# servicePort: 9000
# protocol: UDP
# # Optionally set a static nodePort if the service type is NodePort
# # nodePort: 32080
# # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
# # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
# parameters: []
# Custom Kong plugins can be loaded into Kong by mounting the plugin code
# into the file-system of Kong container.
# The plugin code should be present in ConfigMap or Secret inside the same
# namespace as Kong is being installed.
# The `name` property refers to the name of the ConfigMap or Secret
# itself, while the pluginName refers to the name of the plugin as it appears
# in Kong.
# Subdirectories (which are optional) require separate ConfigMaps/Secrets.
# "path" indicates their directory under the main plugin directory: the example
# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
plugins: {}
# configMaps:
# - pluginName: rewriter
# name: kong-plugin-rewriter
# subdirectories:
# - name: kong-plugin-rewriter-migrations
# path: migrations
# secrets:
# - pluginName: rewriter
# name: kong-plugin-rewriter
# Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/
# This can be used to override default SSL certificates.
# Be aware that the secret name will be used verbatim, and that certain types
# of punctuation (e.g. `.`) can cause issues.
# Example configuration
# secretVolumes:
# - kong-proxy-tls
# - kong-admin-tls
secretVolumes: []
# Enable/disable migration jobs, and set annotations for them
migrations:
# Enable pre-upgrade migrations (run "kong migrations up")
preUpgrade: true
# Enable post-upgrade migrations (run "kong migrations finish")
postUpgrade: true
# Annotations to apply to migrations job pods
# By default, these disable service mesh sidecar injection for Istio and Kuma,
# as the sidecar containers do not terminate and prevent the jobs from completing
annotations:
sidecar.istio.io/inject: false
# Additional annotations to apply to migration jobs
# This is helpful in certain non-Helm installation situations such as GitOps
# where additional control is required around this job creation.
jobAnnotations: {}
# Optionally set a backoffLimit. If none is set, Jobs will use the cluster default
backoffLimit:
resources: {}
# Example reasonable setting for "resources":
# resources:
# limits:
# cpu: 100m
# memory: 256Mi
# requests:
# cpu: 50m
# memory: 128Mi
## Optionally specify any extra sidecar containers to be included in the deployment
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
## Keep in mind these containers should be terminated along with the main
## migration containers
# sidecarContainers:
# - name: sidecar
# image: sidecar:latest
# Kong's configuration for DB-less mode
# Note: Use this section only if you are deploying Kong in DB-less mode
# and not as an Ingress Controller.
dblessConfig:
# Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
configMap: ""
# Or Kong's configuration is managed from an existing Secret (with Key: kong.yml)
secret: ""
# Or the configuration is passed in full-text below
config: |
# # _format_version: "1.1"
# # services:
# # # Example configuration
# # # - name: example.com
# # # url: http://example.com
# # # routes:
# # # - name: example
# # # paths:
# # # - "/example"
## Optionally specify any extra sidecar containers to be included in the
## migration jobs
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
# sidecarContainers:
# - name: sidecar
# image: sidecar:latest
# -----------------------------------------------------------------------------
# Ingress Controller parameters
# -----------------------------------------------------------------------------
# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
# created in k8s. It uses CRDs for more fine grained control over routing and
# for Kong specific configuration.
ingressController:
enabled: false
image:
repository: kong/kubernetes-ingress-controller
tag: "3.0"
# Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic
# version of your tag: for example if using a "next" image for an unreleased 3.1.0
# version, set this to "3.1.0".
effectiveSemver:
args: []
gatewayDiscovery:
enabled: false
generateAdminApiService: false
adminApiService:
namespace: ""
name: ""
# Specify individual namespaces to watch for ingress configuration. By default,
# when no namespaces are set, the controller watches all namespaces and uses a
# ClusterRole to grant access to Kubernetes resources. When you list specific
# namespaces, the controller will watch those namespaces only and will create
# namespaced-scoped Roles for each of them. The controller will still use a
# ClusterRole for cluster-scoped resources.
# Requires controller 2.0.0 or newer.
watchNamespaces: []
# Specify Kong Ingress Controller configuration via environment variables
env:
# The controller disables TLS verification by default because Kong
# generates self-signed certificates by default. Set this to false once you
# have installed CA-signed certificates.
kong_admin_tls_skip_verify: true
# If using Kong Enterprise with RBAC enabled, uncomment the section below
# and specify the secret/key containing your admin token.
# kong_admin_token:
# valueFrom:
# secretKeyRef:
# name: CHANGEME-admin-token-secret
# key: CHANGEME-admin-token-key
# This section is any customer specific environments variables that doesn't require CONTROLLER_ prefix.
# Example as below, uncomment if required and add additional attributes as required.
# customEnv:
# TZ: "Europe/Berlin"
# Load all ConfigMap or Secret keys as environment variables:
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
envFrom: []
admissionWebhook:
enabled: true
failurePolicy: Ignore
port: 8080
certificate:
provided: false
namespaceSelector: {}
# Specifiy the secretName when the certificate is provided via a TLS secret
# secretName: ""
# Specifiy the CA bundle of the provided certificate.
# This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
# caBundle:
# | Add the CA bundle content here.
service:
# Specify custom labels for the validation webhook service.
labels: {}
# Tune the default Kubernetes timeoutSeconds of 10 seconds
# timeoutSeconds: 10
ingressClass: kong
# annotations for IngressClass resource (Kubernetes 1.18+)
ingressClassAnnotations: {}
## Define any volumes and mounts you want present in the ingress controller container
## Volumes are defined above in deployment.userDefinedVolumes
# userDefinedVolumeMounts:
# - name: "volumeName"
# mountPath: "/opt/user/dir/mount"
rbac:
# Specifies whether RBAC resources should be created
create: true
# general properties
livenessProbe:
httpGet:
path: "/healthz"
port: 10254
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: "/readyz"
port: 10254
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
resources: {}
# Example reasonable setting for "resources":
# resources:
# limits:
# cpu: 100m
# memory: 256Mi
# requests:
# cpu: 50m
# memory: 128Mi
konnect:
enabled: false
# Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
runtimeGroupID: ""
# Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
# By default, this is set to US region's production API hostname.
# If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
apiHostname: "us.kic.api.konghq.com"
# Specifies a secret that contains a client TLS certificate that the controller
# will use to authenticate against Konnect APIs.
tlsClientCertSecretName: "konnect-client-tls"
license:
# Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
enabled: false
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: false
# If set to false, Helm will generate certificates for you.
# If set to true, you are expected to provide your own secret (see secretName, caSecretName).
certProvided: false
# Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
secretName: ""
# CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
caSecretName: ""
# -----------------------------------------------------------------------------
# Postgres sub-chart parameters
# -----------------------------------------------------------------------------
# Kong can run without a database or use either Postgres or Cassandra
# as a backend datatstore for it's configuration.
# By default, this chart installs Kong without a database.
# If you would like to use a database, there are two options:
# - (recommended) Deploy and maintain a database and pass the connection
# details to Kong via the `env` section.
# - You can use the below `postgresql` sub-chart to deploy a database
# along-with Kong as part of a single Helm release. Running a database
# independently is recommended for production, but the built-in Postgres is
# useful for quickly creating test instances.
# PostgreSQL chart documentation:
# https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
#
# WARNING: by default, the Postgres chart generates a random password each
# time it upgrades, which breaks access to existing volumes. You should set a
# password explicitly:
# https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#kong-fails-to-start-after-helm-upgrade-when-postgres-is-used-what-do-i-do
postgresql:
enabled: false
auth:
username: kong
database: kong
image:
# use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released
# enterprise (kong-gateway) supports postgres 14
tag: 13.11.0-debian-11-r20
service:
ports:
postgresql: "5432"
# -----------------------------------------------------------------------------
# Configure cert-manager integration
# -----------------------------------------------------------------------------
certificates:
enabled: false
# Set either `issuer` or `clusterIssuer` to the name of the desired cert manager issuer
# If left blank a built in self-signed issuer will be created and utilized
issuer: ""
clusterIssuer: ""
# Set proxy.enabled to true to issue default kong-proxy certificate with cert-manager
proxy:
enabled: true
# Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
# self-signed issuer.
issuer: ""
clusterIssuer: ""
# Use commonName and dnsNames to set the common name and dns alt names which this
# certificate is valid for. Wildcard records are supported by the included self-signed issuer.
commonName: "app.example"
# Remove the "[]" and uncomment/change the examples to add SANs
dnsNames: []
# - "app.example"
# - "*.apps.example"
# - "*.kong.example"
# Set admin.enabled true to issue kong admin api and manager certificate with cert-manager
admin:
enabled: true
# Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
# self-signed issuer.
issuer: ""
clusterIssuer: ""
# Use commonName and dnsNames to set the common name and dns alt names which this
# certificate is valid for. Wildcard records are supported by the included self-signed issuer.
commonName: "kong.example"
# Remove the "[]" and uncomment/change the examples to add SANs
dnsNames: []
# - "manager.kong.example"
# Set portal.enabled to true to issue a developer portal certificate with cert-manager
portal:
enabled: true
# Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
# self-signed issuer.
issuer: ""
clusterIssuer: ""
# Use commonName and dnsNames to set the common name and dns alt names which this
# certificate is valid for. Wildcard records are supported by the included self-signed issuer.
commonName: "developer.example"
# Remove the "{}" and uncomment/change the examples to add SANs
dnsNames: []
# - "manager.kong.example"
# Set cluster.enabled true to issue kong hybrid mtls certificate with cert-manager
cluster:
enabled: true
# Issuers used by the control and data plane releases must match for this certificate.
issuer: ""
clusterIssuer: ""
commonName: "kong_clustering"
dnsNames: []
# -----------------------------------------------------------------------------
# Miscellaneous parameters
# -----------------------------------------------------------------------------
waitImage:
# Wait for the database to come online before starting Kong or running migrations
# If Kong is to access the database through a service mesh that injects a sidecar to
# Kong's container, this must be disabled. Otherwise there'll be a deadlock:
# InitContainer waiting for DB access that requires the sidecar, and the sidecar
# waiting for InitContainers to finish.
enabled: true
# Optionally specify an image that provides bash for pre-migration database
# checks. If none is specified, the chart uses the Kong image. The official
# Kong images provide bash
# repository: bash
# tag: 5
pullPolicy: IfNotPresent
# update strategy
updateStrategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: "100%"
# maxUnavailable: "0%"
# If you want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
resources: {}
# limits:
# cpu: 1
# memory: 2G
# requests:
# cpu: 1
# memory: 2G
# readinessProbe for Kong pods
readinessProbe:
httpGet:
path: "/status/ready"
port: status
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
# livenessProbe for Kong pods
livenessProbe:
httpGet:
path: "/status"
port: status
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
# startupProbe for Kong pods
# startupProbe:
# httpGet:
# path: "/status"
# port: status
# scheme: HTTP
# initialDelaySeconds: 5
# timeoutSeconds: 5
# periodSeconds: 2
# successThreshold: 1
# failureThreshold: 40
# Proxy container lifecycle hooks
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
lifecycle:
preStop:
exec:
# kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds.
# Note: together they should be less than the terminationGracePeriodSeconds setting below.
command:
- kong
- quit
- '--wait=15'
# Sets the termination grace period for pods spawned by the Kubernetes Deployment.
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
terminationGracePeriodSeconds: 30
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}
# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19)
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# topologySpreadConstraints: []
# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Annotation to be added to Kong pods
podAnnotations:
kuma.io/gateway: enabled
traffic.sidecar.istio.io/includeInboundPorts: ""
# Labels to be added to Kong pods
podLabels: {}
# Kong pod count.
# It has no effect when autoscaling.enabled is set to true
replicaCount: 1
# Annotations to be added to Kong deployment
deploymentAnnotations: {}
# Enable autoscaling using HorizontalPodAutoscaler
# When configuring an HPA, you must set resource requests on all containers via
# "resources" and, if using the controller, "ingressController.resources" in values.yaml
autoscaling:
enabled: false
minReplicas: 2
maxReplicas: 5
behavior: {}
## targetCPUUtilizationPercentage only used if the cluster doesn't support autoscaling/v2 or autoscaling/v2beta
targetCPUUtilizationPercentage:
## Otherwise for clusters that do support autoscaling/v2 or autoscaling/v2beta, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
# Kong Pod Disruption Budget
podDisruptionBudget:
enabled: false
# Uncomment only one of the following when enabled is set to true
# maxUnavailable: "50%"
# minAvailable: "50%"
podSecurityPolicy:
enabled: false
labels: {}
annotations: {}
spec:
privileged: false
fsGroup:
rule: RunAsAny
runAsUser:
rule: RunAsAny
runAsGroup:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'secret'
- 'emptyDir'
- 'projected'
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
# Make the root filesystem read-only. This is not compatible with Kong Enterprise <1.5.
# If you use Kong Enterprise <1.5, this must be set to false.
readOnlyRootFilesystem: true
priorityClassName: ""
# securityContext for Kong pods.
securityContext: {}
# securityContext for containers.
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
## Optional DNS configuration for Kong pods
# dnsPolicy: ClusterFirst
# dnsConfig:
# nameservers:
# - "10.100.0.10"
# options:
# - name: ndots
# value: "5"
# searches:
# - default.svc.cluster.local
# - svc.cluster.local
# - cluster.local
# - us-east-1.compute.internal
serviceMonitor:
# Specifies whether ServiceMonitor for Prometheus operator should be created
# If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
# https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
enabled: false
# interval: 30s
# Specifies namespace, where ServiceMonitor should be installed
# namespace: monitoring
# labels:
# foo: bar
# targetLabels:
# - foo
# honorLabels: false
# metricRelabelings: []
# -----------------------------------------------------------------------------
# Kong Enterprise parameters
# -----------------------------------------------------------------------------
# Toggle Kong Enterprise features on or off
# RBAC and SMTP configuration have additional options that must all be set together
# Other settings should be added to the "env" settings below
enterprise:
enabled: false
# Kong Enterprise license secret name
# This secret must contain a single 'license' key, containing your base64-encoded license data
# The license secret is required to unlock all Enterprise features. If you omit it,
# Kong will run in free mode, with some Enterprise features disabled.
# license_secret: kong-enterprise-license
vitals:
enabled: true
portal:
enabled: false
rbac:
enabled: false
admin_gui_auth: basic-auth
# If RBAC is enabled, this Secret must contain an admin_gui_session_conf key
# The key value must be a secret configuration, following the example at
# https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions
session_conf_secret: kong-session-config
# If admin_gui_auth is not set to basic-auth, provide a secret name which
# has an admin_gui_auth_conf key containing the plugin config JSON
admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
# For configuring emails and SMTP, please read through:
# https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp
# https://docs.konghq.com/enterprise/latest/kong-manager/networking/email
smtp:
enabled: false
portal_emails_from: none@example.com
portal_emails_reply_to: none@example.com
admin_emails_from: none@example.com
admin_emails_reply_to: none@example.com
smtp_admin_emails: none@example.com
smtp_host: smtp.example.com
smtp_port: 587
smtp_auth_type: ''
smtp_ssl: nil
smtp_starttls: true
auth:
# If your SMTP server does not require authentication, this section can
# be left as-is. If smtp_username is set to anything other than an empty
# string, you must create a Secret with an smtp_password key containing
# your SMTP password and specify its name here.
smtp_username: '' # e.g. postmaster@example.com
smtp_password_secret: CHANGEME-smtp-password
manager:
# Enable creating a Kubernetes service for Kong Manager
enabled: false
type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the Manager service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
http:
# Enable plaintext HTTP listen for Kong Manager
enabled: true
servicePort: 8002
containerPort: 8002
# Set a nodePort which is available if service type is NodePort
# nodePort: 32080
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: []
tls:
# Enable HTTPS listen for Kong Manager
enabled: true
servicePort: 8445
containerPort: 8445
# Set a nodePort which is available if service type is NodePort
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# TLS secret name.
# tls: kong-manager.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
portal:
# Enable creating a Kubernetes service for the Developer Portal
enabled: true
type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the Portal service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
http:
# Enable plaintext HTTP listen for the Developer Portal
enabled: true
servicePort: 8003
containerPort: 8003
# Set a nodePort which is available if service type is NodePort
# nodePort: 32080
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: []
tls:
# Enable HTTPS listen for the Developer Portal
enabled: true
servicePort: 8446
containerPort: 8446
# Set a nodePort which is available if service type is NodePort
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# TLS secret name.
# tls: kong-portal.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
portalapi:
# Enable creating a Kubernetes service for the Developer Portal API
enabled: true
type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the Portal API service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
http:
# Enable plaintext HTTP listen for the Developer Portal API
enabled: true
servicePort: 8004
containerPort: 8004
# Set a nodePort which is available if service type is NodePort
# nodePort: 32080
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: []
tls:
# Enable HTTPS listen for the Developer Portal API
enabled: true
servicePort: 8447
containerPort: 8447
# Set a nodePort which is available if service type is NodePort
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# TLS secret name.
# tls: kong-portalapi.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
clustertelemetry:
enabled: false
# To specify annotations or labels for the cluster telemetry service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
tls:
enabled: false
servicePort: 8006
containerPort: 8006
parameters: []
type: ClusterIP
loadBalancerClass:
# Kong clustertelemetry ingress settings. Useful if you want to split
# CP and DP in different clusters.
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# TLS secret name.
# tls: kong-clustertelemetry.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
extraConfigMaps: []
# extraConfigMaps:
# - name: my-config-map
# mountPath: /mount/to/my/location
# subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap
extraSecrets: []
# extraSecrets:
# - name: my-secret
# mountPath: /mount/to/my/location
# subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap
extraObjects: []
# extraObjects:
# - apiVersion: configuration.konghq.com/v1
# kind: KongClusterPlugin
# metadata:
# name: prometheus
# config:
# per_consumer: false
# plugin: prometheus
4- Deploy ingress:
Debemos esperar a que kong gateway se este ejecutando correctamente y luego aplicar el manifiesto de ingress. Ajustar los parametros necesarios a nuestra implementación en el manifiesto, service name, domain, port, etc...:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: kong-dev
networking.gke.io/managed-certificates: certificate-api-dev
name: ingress-api-demo
namespace: kong
spec:
rules:
- host: kong-dev.deinn.cl
http:
paths:
- backend:
service:
name: gateway-kong-proxy
port:
number: 443
path: /*
pathType: ImplementationSpecific
Transcurrido unos minutos podíamos entrar mediante la url con https en el navegador y visualicemos que kong responde y el certificado web está formado por "Google Trust Services LLC"
5- Exponer la api de administración con seguridad jwt:
En un terminal usando kubectl podemos exponer la api de administración para realizar la primera configuración de exposición usado el cli Deck:
1- Primero exponer el puerto del service de administración con:
kubectl -n kong port-forward service/kong-kong-admin 8001:8001
2- Aplicar el manifiesto de la proxy para la administración:
deck --kong-addr http://127.0.0.1:8001 gateway sync dump-server-config-jwt.yaml
_format_version: "3.0"
_info:
select_tags:
- admin-api
services:
- connect_timeout: 60000
host: kong-kong-admin.kong.svc
name: gateway-kong-admin
path: /
port: 8001
protocol: http
read_timeout: 60000
retries: 5
write_timeout: 60000
tags:
- admin-api
routes:
- name: gateway-kong-admin-route
methods:
- GET
- POST
- PUT
- DELETE
- PATCH
paths:
- /admin-api-jwt
path_handling: v1
preserve_host: false
protocols:
- https
regex_priority: 0
strip_path: true
tags:
- admin-api
https_redirect_status_code: 426
plugins:
- name: acl
config:
allow:
- admin
deny: null
hide_groups_header: false
enabled: true
protocols:
- grpc
- grpcs
- http
- https
- name: jwt
config:
anonymous: null
claims_to_verify: null
cookie_names: []
header_names:
- authorization
key_claim_name: iss
maximum_expiration: 0
run_on_preflight: true
secret_is_base64: false
uri_param_names:
- jwt
enabled: true
protocols:
- grpc
- grpcs
- http
- https
consumers:
- username: admin
tags:
- admin-api
jwt_secrets:
- algorithm: HS256
key: JA1XgGW5zRMb1hr6XL8x0t0hCED6X5LX
secret: s4fJzU625fU0nT9xoKFbgfH4BIo8hE6C
acls:
- group: admin
2- Para probar el buen funcionamiento se puede usar un CURL:
curl --location --request GET 'https://kong-dev.deinn.cl/admin-api-jwt' \
--header 'authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkVkdWFyZG8gUm9zYWxlcyIsImlhdCI6MTUxNjIzOTAyMiwiaXNzIjoiSkExWGdHVzV6Uk1iMWhyNlhMOHgwdDBoQ0VENlg1TFgifQ.fohBsujrLBdlj5hL_IHaLZKKa4CkI_alDVncQOA2mlQ'