@hbagdi
Last active January 10, 2022 00:52
A demo guide to demo some features of Kong for Kubernetes

Kong for Kubernetes demo

This guide demonstrates the following:

  • gRPC proxy
  • Plugins on the gRPC proxy
  • HTTP proxy with multiple plugins
  • KongConsumer resource
  • Encrypted credentials via Secret resource in k8s
  • Fine-grained rate-limits

Setup

Basic installation

Using: https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/deployment/k4k8s.md#yaml-manifests

kubectl apply -f https://bit.ly/k4k8s
export PROXY_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong kong-proxy)
http $PROXY_IP
# returns 404; no ingress rules exist yet

Admission Controller

We will also set up the admission controller.

Using: https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/deployment/admission-webhook.md

curl -sL https://bit.ly/install-kong-admission-webhook | bash

gRPC routing

Basic

Using https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-ingress-with-grpc.md

kubectl apply -f https://bit.ly/grpcbin-service

echo "apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: grpcbin
          servicePort: 9001" | kubectl apply -f -
kubectl patch ingress demo -p '{"metadata":{"annotations":{"configuration.konghq.com/protocols":"grpc,grpcs"}}}'
kubectl patch svc grpcbin -p '{"metadata":{"annotations":{"configuration.konghq.com/protocol":"grpcs"}}}'
grpcurl -v -d '{"greeting": "Kong Hello world!"}' -insecure $PROXY_IP:443 hello.HelloService.SayHello

Observability

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: loggly-plugin
config:
  foo: 'this should error'
  key: $(cat ~/loggly-key)
plugin: loggly
protocols:
- grpc
- grpcs" | kubectl apply -f -

The invalid configuration is caught by our admission controller. Fix it by removing the foo key.

Patch the demo ingress to execute the plugin for gRPC requests by adding the annotation plugins.konghq.com: loggly-plugin.

Execute the request and check Loggly:

grpcurl -v -d '{"greeting": "Kong Hello world!"}' -insecure $PROXY_IP:443 hello.HelloService.SayHello

Fine-grained plugins and encrypted credentials

Setup

kubectl apply -f https://bit.ly/k8s-httpbin
echo "
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpbin-free-tier
spec:
  rules:
  - http:
      paths:
      - path: /free
        backend:
          serviceName: httpbin
          servicePort: 80
" | kubectl apply -f -
echo "
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpbin-paid-tier
spec:
  rules:
  - http:
      paths:
      - path: /paid
        backend:
          serviceName: httpbin
          servicePort: 80
" | kubectl apply -f -

So now we have both gRPC requests and HTTP requests being proxied:

http $PROXY_IP/free/status/200
http $PROXY_IP/paid/status/200

Lock down the paid tier

Using https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-auth
plugin: key-auth" | kubectl apply -f -

kubectl edit ing httpbin-paid-tier

Add the plugins.konghq.com: httpbin-auth annotation.

http $PROXY_IP/paid/status/200
# rejected with 401: no API key in the request yet
kubectl create secret generic harry-apikey  \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=my-sooper-secret-key
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
username: harry
credentials:
- harry-apikey" | kubectl apply -f -

Authentication now works:

http $PROXY_IP/paid/status/200 apikey:my-sooper-secret-key

Rate-limiting

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-free-tier
config:
  minute: 5
  limit_by: ip
  policy: local
plugin: rate-limiting
" | kubectl apply -f -

Add the plugins.konghq.com: httpbin-free-tier annotation to the httpbin-free-tier ingress rule:

kubectl edit ing httpbin-free-tier

Observe the rate-limit being imposed:

http $PROXY_IP/free/status/200
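
To check the limit rather than eyeball it, the following added example (not part of the original gist) tallies the status codes from a burst of requests and passes only if the first 5 return 200 and the rest return 429. The function name check_rate_limit and the sample codes are constructed for illustration; it assumes the whole burst falls within one minute and that a single Kong proxy pod is serving, since policy: local keeps counters in each node's memory.

```shell
#!/bin/sh
# Added example: verify that a burst of requests is throttled as configured.
# Reads one HTTP status code per line on stdin (in request order) and checks
# that the first LIMIT responses are 200 and every later one is 429.
# Prints a one-line summary; returns 0 on a match, 1 otherwise.
check_rate_limit() {
  limit=$1
  n=0 ok=0 throttled=0 other=0 first_429=0
  while read -r code; do
    [ -n "$code" ] || continue
    n=$((n + 1))
    case $code in
      200) ok=$((ok + 1)) ;;
      429) throttled=$((throttled + 1))
           [ "$first_429" -ne 0 ] || first_429=$n ;;
      *)   other=$((other + 1)) ;;   # e.g. 401/404: route or auth problem
    esac
  done
  echo "requests=$n ok=$ok throttled=$throttled other=$other first_429=$first_429"
  # Pass only if nothing unexpected came back, exactly LIMIT requests were
  # allowed, and throttling began on request LIMIT+1.
  [ "$other" -eq 0 ] && [ "$ok" -eq "$limit" ] && [ "$first_429" -eq $((limit + 1)) ]
}

# Constructed sample: the codes a 5-per-minute limit should yield for 8 requests.
SAMPLE_CODES='200 200 200 200 200 429 429 429'

# Offline run on the constructed sample.
printf '%s\n' $SAMPLE_CODES | check_rate_limit 5

# Live run against the proxy from this guide (needs curl and a reachable PROXY_IP):
#   for i in 1 2 3 4 5 6 7 8; do
#     curl -s -o /dev/null -w '%{http_code}\n' "$PROXY_IP/free/status/200"
#   done | check_rate_limit 5
```

A failing result with other greater than 0 usually points at routing or authentication rather than the rate-limiting plugin; a result with no 429 at all means the annotation is not attached to the ingress rule.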

Add rate-limit to the paid tier:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-paid-tier
config:
  minute: 10
  limit_by: consumer
  policy: local
plugin: rate-limiting" | kubectl apply -f -

Add the plugins.konghq.com: httpbin-paid-tier annotation to the httpbin-paid-tier ingress rule:

kubectl edit ing httpbin-paid-tier
http $PROXY_IP/paid/status/200 apikey:my-sooper-secret-key
http $PROXY_IP/free/status/200

Bonus: special rate-limits based on further tiers

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-gold-tier
config:
  minute: 100
  limit_by: consumer
  policy: local
plugin: rate-limiting" | kubectl apply -f -

Add httpbin-gold-tier to the plugins.konghq.com annotation CSV list:

kubectl edit ing httpbin-paid-tier

kubectl create secret generic user1-apikey  \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=user1-key
kubectl create secret generic user2-apikey  \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=user2-key
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: user1
  annotations:
    plugins.konghq.com: httpbin-gold-tier
username: user1
credentials:
- user1-apikey" | kubectl apply -f -
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: user2
  annotations:
    plugins.konghq.com: httpbin-gold-tier
username: user2
credentials:
- user2-apikey" | kubectl apply -f -
http $PROXY_IP/paid/status/200 apikey:user1-key
http $PROXY_IP/paid/status/200 apikey:user2-key

Cleanup

kubectl delete -f https://bit.ly/k4k8s
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io kong-validations
kubectl delete ing demo httpbin-free-tier httpbin-paid-tier
kubectl delete -f https://bit.ly/grpcbin-service
kubectl delete -f https://bit.ly/k8s-httpbin
kubectl delete secret harry-apikey user1-apikey user2-apikey

esalaverria commented Jun 29, 2020

Hi,
I've followed this guide and watched the webinar on YouTube. I only skipped this part: gRPC routing.
But I'm having trouble with the httpbin setup, because I'm not getting an HTTP 200 response when I do http $PROXY_IP/free/status/200. This is what I'm getting:

$ http $PROXY_IP/free/status/200
HTTP/1.1 404 NOT FOUND
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 233
Content-Type: text/html; charset=UTF-8
Date: Mon, 29 Jun 2020 20:51:25 GMT
Server: gunicorn/19.9.0
Via: kong/2.0.4
X-Kong-Proxy-Latency: 1
X-Kong-Upstream-Latency: 2

I installed Kong using the YAML file:

kubectl apply -f https://bit.ly/kong-ingress-dbless

And applied the admission controller setup:

curl -sL https://bit.ly/install-kong-admission-webhook | bash
