This demo guide demos the following:
- gRPC proxy
- plugins on gRPC proxy
- http proxy with multiple plugins
- KongConsumer resource
- Encrypted credentials via Secret resource in k8s
- Fine-grained rate-limits
kubectl apply -f https://bit.ly/k4k8s
export PROXY_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong kong-proxy)
http $PROXY_IP
# returns back 404; no ingress rules
We will also setup Admission Controller.
curl -sL https://bit.ly/install-kong-admission-webhook | bash
kubectl apply -f https://bit.ly/grpcbin-service
echo "apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo
spec:
rules:
- http:
paths:
- path: /
backend:
serviceName: grpcbin
servicePort: 9001" | kubectl apply -f -
kubectl patch ingress demo -p '{"metadata":{"annotations":{"configuration.konghq.com/protocols":"grpc,grpcs"}}}'
kubectl patch svc grpcbin -p '{"metadata":{"annotations":{"configuration.konghq.com/protocol":"grpcs"}}}'
grpcurl -v -d '{"greeting": "Kong Hello world!"}' -insecure $PROXY_IP:443 hello.HelloService.SayHello
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: loggly-plugin
config:
foo: 'this should error'
key: $(cat ~/loggly-key)
plugin: loggly
protocols:
- grpc
- grpcs" | kubectl apply -f -
The invalid configuration is caught by our admission controller.
Fix by removing the foo
key
patch demo ingress to execute the plugin for grpc requests
plugins.konghq.com: loggly-plugin
.
execute and check loggly
grpcurl -v -d '{"greeting": "Kong Hello world!"}' -insecure $PROXY_IP:443 hello.HelloService.SayHello
kubectl apply -f https://bit.ly/k8s-httpbin
echo "
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: httpbin-free-tier
spec:
rules:
- http:
paths:
- path: /free
backend:
serviceName: httpbin
servicePort: 80
" | kubectl apply -f -
echo "
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: httpbin-paid-tier
spec:
rules:
- http:
paths:
- path: /paid
backend:
serviceName: httpbin
servicePort: 80
" | kubectl apply -f -
So, now we have got gRPC requests and HTTP requests being proxied
http $PROXY_IP/free/status/200
http $PROXY_IP/paid/status/200
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: httpbin-auth
plugin: key-auth" | kubectl apply -f -
k edit ing httpbin-paid-tier
Add plugins.konghq.com: httpbin-auth
annotation
http $PROXY_IP/paid/status/200
kubectl create secret generic harry-apikey \
--from-literal=kongCredType=key-auth \
--from-literal=key=my-sooper-secret-key
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: harry
username: harry
credentials:
- harry-apikey" | kubectl apply -f -
Authentication now works:
http $PROXY_IP/paid/status/200 apikey:my-sooper-secret-key
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: httpbin-free-tier
config:
minute: 5
limit_by: ip
policy: local
plugin: rate-limiting
" | kubectl apply -f -
Add plugins.konghq.com: httpbin-free-tier
annotation to httpbin-free-tier
ingress rule:
k edit ing httpbin-free-tier
Observe the rate-limit being imposed:
http $PROXY_IP/free/status/200
Add rate-limit to the paid tier:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: httpbin-paid-tier
config:
minute: 10
limit_by: consumer
policy: local
plugin: rate-limiting" | kubectl apply -f -
Add plugins.konghq.com: httpbin-paid-tier
annotation to httpbin-paid-tier
ingress rule:
kubectl edit ing httpbin-paid-tier
http $PROXY_IP/paid/status/200 apikey:my-sooper-secret-key
http $PROXY_IP/free/status/200
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: httpbin-gold-tier
config:
minute: 100
limit_by: consumer
policy: local
plugin: rate-limiting" | kubectl apply -f -
Add httpbin-gold-tier
to the plugins.konghq.com
annotation CSV list:
kubectl edit ing httpbin-paid-tier
kubectl create secret generic user1-apikey \
--from-literal=kongCredType=key-auth \
--from-literal=key=user1-key
kubectl create secret generic user2-apikey \
--from-literal=kongCredType=key-auth \
--from-literal=key=user2-key
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: user1
annotations:
plugins.konghq.com: httpbin-gold-tier
username: user1
credentials:
- user1-apikey" | kubectl apply -f -
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: user2
annotations:
plugins.konghq.com: httpbin-gold-tier
username: user2
credentials:
- user2-apikey" | kubectl apply -f -
http $PROXY_IP/paid/status/200 apikey:user1-key
http $PROXY_IP/paid/status/200 apikey:user2-key
kubectl delete -f https://bit.ly/k4k8s
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io kong-validations
kubectl delete ing demo httpbin-free-tier httpbin-paid-tier
kubectl delete -f https://bit.ly/grpcbin-service
kubectl delete -f https://bit.ly/k8s-httpbin
kubectl delete secret harry-apikey user1-apikey user2-apikey
HI,
I've followed this guide and watched the webinar on youtube. I only skipped this part: gRPC routing.
But I'm having troubles with the httpbin setup, because I'm not getting an HTTP 200 response when I do the http $PROXY_IP/free/status/200, this is what I'm getting:
I installed Kong using the YAML file:
And applied the admission controller setup: