Skip to content

Instantly share code, notes, and snippets.

@bgarcial
Last active January 10, 2024 10:36
Show Gist options
  • Save bgarcial/494b006fced3ac6ee1608e5237144810 to your computer and use it in GitHub Desktop.
Save bgarcial/494b006fced3ac6ee1608e5237144810 to your computer and use it in GitHub Desktop.
Installing kong to work ingress on Kubernetes
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: v1
kind: Secret
metadata:
name: az-pg-db-user-pass
namespace: kong
type: Opaque
data:
username: my-username
password: my-password-database
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongplugins.configuration.konghq.com
spec:
group: configuration.konghq.com
version: v1
scope: Namespaced
names:
kind: KongPlugin
plural: kongplugins
shortNames:
- kp
additionalPrinterColumns:
- name: Plugin-Type
type: string
description: Name of the plugin
JSONPath: .plugin
- name: Age
type: date
description: Age
JSONPath: .metadata.creationTimestamp
- name: Disabled
type: boolean
description: Indicates if the plugin is disabled
JSONPath: .disabled
priority: 1
- name: Config
type: string
description: Configuration of the plugin
JSONPath: .config
priority: 1
validation:
openAPIV3Schema:
required:
- plugin
properties:
plugin:
type: string
disabled:
type: boolean
config:
type: object
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongconsumers.configuration.konghq.com
spec:
group: configuration.konghq.com
version: v1
scope: Namespaced
names:
kind: KongConsumer
plural: kongconsumers
shortNames:
- kc
additionalPrinterColumns:
- name: Username
type: string
description: Username of a Kong Consumer
JSONPath: .username
- name: Age
type: date
description: Age
JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
username:
type: string
custom_id:
type: string
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongcredentials.configuration.konghq.com
spec:
group: configuration.konghq.com
version: v1
scope: Namespaced
names:
kind: KongCredential
plural: kongcredentials
additionalPrinterColumns:
- name: Credential-type
type: string
description: Type of credential
JSONPath: .type
- name: Age
type: date
description: Age
JSONPath: .metadata.creationTimestamp
- name: Consumer-Ref
type: string
description: Owner of the credential
JSONPath: .consumerRef
validation:
openAPIV3Schema:
required:
- consumerRef
- type
properties:
consumerRef:
type: string
type:
type: string
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongingresses.configuration.konghq.com
spec:
group: configuration.konghq.com
version: v1
scope: Namespaced
names:
kind: KongIngress
plural: kongingresses
shortNames:
- ki
validation:
openAPIV3Schema:
properties:
upstream:
type: object
route:
properties:
methods:
type: array
items:
type: string
regex_priority:
type: integer
strip_path:
type: boolean
preserve_host:
type: boolean
protocols:
type: array
items:
type: string
enum:
- http
- https
proxy:
type: object
properties:
protocol:
type: string
enum:
- http
- https
path:
type: string
pattern: ^/.*$
retries:
type: integer
minimum: 0
connect_timeout:
type: integer
minimum: 0
read_timeout:
type: integer
minimum: 0
write_timeout:
type: integer
minimum: 0
upstream:
type: object
properties:
hash_on:
type: string
hash_on_cookie:
type: string
hash_on_cookie_path:
type: string
hash_on_header:
type: string
hash_fallback_header:
type: string
hash_fallback:
type: string
slots:
type: integer
minimum: 10
healthchecks:
type: object
properties:
active:
type: object
properties:
concurrency:
type: integer
minimum: 1
timeout:
type: integer
minimum: 0
http_path:
type: string
pattern: ^/.*$
healthy: &healthy
type: object
properties:
http_statuses:
type: array
items:
type: integer
interval:
type: integer
minimum: 0
successes:
type: integer
minimum: 0
unhealthy: &unhealthy
type: object
properties:
http_failures:
type: integer
minimum: 0
http_statuses:
type: array
items:
type: integer
interval:
type: integer
minimum: 0
tcp_failures:
type: integer
minimum: 0
timeout:
type: integer
minimum: 0
passive:
type: object
properties:
healthy: *healthy
unhealthy: *unhealthy
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kong-serviceaccount
namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kong-ingress-clusterrole
rules:
- apiGroups:
- ""
resources:
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- "configuration.konghq.com"
resources:
- kongplugins
- kongcredentials
- kongconsumers
- kongingresses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: kong-ingress-role
namespace: kong
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<kong>"
# This has to be adapted if you change either parameter
# when launching the kong-ingress-controller.
- "ingress-controller-leader-kong"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: kong-ingress-role-nisa-binding
namespace: kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kong-ingress-role
subjects:
- kind: ServiceAccount
name: kong-serviceaccount
namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kong-ingress-clusterrole-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kong-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: kong-serviceaccount
namespace: kong
---
apiVersion: v1
kind: Service
metadata:
name: kong-ingress-controller
namespace: kong
spec:
type: NodePort
ports:
- name: kong-admin
port: 8001
targetPort: 8001
protocol: TCP
selector:
app: ingress-kong
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: ingress-kong
name: kong-ingress-controller
namespace: kong
spec:
selector:
matchLabels:
app: ingress-kong
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
annotations:
# the returned metrics are related to the kong ingress controller not kong itself
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
labels:
app: ingress-kong
spec:
serviceAccountName: kong-serviceaccount
initContainers:
- name: wait-for-migrations
image: kong:1.0.0
command: [ "/bin/sh", "-c", "kong migrations list" ]
env:
- name: KONG_ADMIN_LISTEN
value: 'off'
- name: KONG_PROXY_LISTEN
value: 'off'
- name: KONG_PROXY_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_ADMIN_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_PROXY_ERROR_LOG
value: "/dev/stderr"
- name: KONG_ADMIN_ERROR_LOG
value: "/dev/stderr"
# ##### some differences fixed
- name: KONG_PG_PASSWORD
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: password
- name: KONG_PG_USER
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: username
- name: KONG_PG_HOST
value: zcrm365-postgresql1.postgres.database.azure.com
- name: KONG_PG_PORT
value: "5432"
- name: KONG_DATABASE
value: postgres
# Here new
- name: KONG_PG_DATABASE
value: kong_zcrm365_dev_sandbox
containers:
- name: admin-api
image: kong:1.0.0
env:
- name: KONG_PG_PASSWORD
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: password
- name: KONG_PG_USER
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: username
- name: KONG_PG_HOST
value: zcrm365-postgresql1.postgres.database.azure.com
# I dont had the port nnd database
- name: KONG_PG_PORT
value: "5432"
- name: KONG_DATABASE
value: postgres
# Here new
- name: KONG_PG_DATABASE
value: kong_zcrm365_dev_sandbox
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 0.0.0.0:8001, 0.0.0.0:8444 ssl
- name: KONG_PROXY_LISTEN
value: 'off'
ports:
- name: kong-admin
containerPort: 8001
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8001
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8001
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
- name: ingress-controller
args:
- /kong-ingress-controller
# the kong URL points to the kong admin api server
- --kong-url=http://localhost:8001 #--kong-url=https://localhost:8444
- --admin-tls-skip-verify
# the default service is the kong proxy service
- --default-backend-service=kong/kong-proxy
# Service from were we extract the IP address/es to use in Ingress status
- --publish-service=kong/kong-proxy
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
# Adding acme-kong-kube-helper to solve the acme http01 challenge [preserve_host]
- name: acme-kong-kube-helper
image: ollystephens/acme-kong-kube-helper:0.0.1
imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
name: kong-proxy
namespace: kong
spec:
type: LoadBalancer
ports:
- name: kong-proxy
port: 80
targetPort: 8000
protocol: TCP
- name: kong-proxy-ssl
port: 443
targetPort: 8443
protocol: TCP
selector:
app: kong
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kong
namespace: kong
spec:
template:
metadata:
labels:
name: kong
app: kong
spec:
initContainers:
# hack to verify that the DB is up to date or not
# TODO remove this for Kong >= 0.15.0
- name: wait-for-migrations
image: kong:1.0.0
command: [ "/bin/sh", "-c", "kong migrations list" ]
env:
- name: KONG_ADMIN_LISTEN
value: 'off'
- name: KONG_PROXY_LISTEN
value: 'off'
- name: KONG_PROXY_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_ADMIN_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_PROXY_ERROR_LOG
value: "/dev/stderr"
- name: KONG_ADMIN_ERROR_LOG
value: "/dev/stderr"
- name: KONG_PG_PASSWORD
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: password
- name: KONG_PG_USER
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: username
- name: KONG_PG_HOST
value: zcrm365-postgresql1.postgres.database.azure.com
# I don't had the port and database
- name: KONG_PG_PORT
value: "5432"
- name: KONG_DATABASE
value: postgres
# Here new
- name: KONG_PG_DATABASE
value: kong_zcrm365_dev_sandbox
containers:
- name: kong-proxy
image: kong:1.0.0
env:
- name: KONG_PG_PASSWORD
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: password
- name: KONG_PG_USER
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: username
- name: KONG_PG_HOST
value: zcrm365-postgresql1.postgres.database.azure.com
- name: KONG_PG_PORT
value: "5432"
- name: KONG_DATABASE
value: postgres
# Here new
- name: KONG_PG_DATABASE
value: kong_zcrm365_dev_sandbox
- name: KONG_PROXY_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_PROXY_ERROR_LOG
value: "/dev/stderr"
- name: KONG_ADMIN_LISTEN
value: 'off'
ports:
- name: proxy
containerPort: 8000
protocol: TCP
- name: proxy-ssl
containerPort: 8443
protocol: TCP
---
apiVersion: batch/v1
kind: Job
metadata:
name: kong-migrations
namespace: kong
spec:
template:
metadata:
name: kong-migrations
spec:
initContainers:
- name: wait-for-postgres
image: busybox
env:
- name: KONG_PG_PASSWORD
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: password
# User created previously or user to be created?
- name: KONG_PG_USER
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: username
- name: KONG_PG_HOST
value: zcrm365-postgresql1.postgres.database.azure.com
- name: KONG_DATABASE
value: postgres
- name: KONG_PG_DATABASE
value: kong_zcrm365_dev_sandbox
- name: KONG_PG_PORT
value: "5432"
command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
containers:
- name: kong-migrations
image: kong:1.0.0-centos
env:
- name: KONG_PG_PASSWORD
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: password
- name: KONG_PG_USER
valueFrom:
secretKeyRef:
name: az-pg-db-user-pass
key: username
- name: KONG_PG_HOST
value: zcrm365-postgresql1.postgres.database.azure.com
# I don't had the database
- name: KONG_DATABASE
value: postgres
- name: KONG_PG_DATABASE
value: kong_zcrm365_dev_sandbox
- name: KONG_PG_PORT
value: "5432"
command: [ "/bin/sh", "-c", "kong migrations bootstrap --vv" ]
restartPolicy: OnFailure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment