Last active
January 10, 2024 10:36
-
-
Save bgarcial/494b006fced3ac6ee1608e5237144810 to your computer and use it in GitHub Desktop.
Installing kong to work ingress on Kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: kong | |
| --- | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: az-pg-db-user-pass | |
| namespace: kong | |
| type: Opaque | |
| data: | |
| username: my-username | |
| password: my-password-database | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: kongplugins.configuration.konghq.com | |
| spec: | |
| group: configuration.konghq.com | |
| version: v1 | |
| scope: Namespaced | |
| names: | |
| kind: KongPlugin | |
| plural: kongplugins | |
| shortNames: | |
| - kp | |
| additionalPrinterColumns: | |
| - name: Plugin-Type | |
| type: string | |
| description: Name of the plugin | |
| JSONPath: .plugin | |
| - name: Age | |
| type: date | |
| description: Age | |
| JSONPath: .metadata.creationTimestamp | |
| - name: Disabled | |
| type: boolean | |
| description: Indicates if the plugin is disabled | |
| JSONPath: .disabled | |
| priority: 1 | |
| - name: Config | |
| type: string | |
| description: Configuration of the plugin | |
| JSONPath: .config | |
| priority: 1 | |
| validation: | |
| openAPIV3Schema: | |
| required: | |
| - plugin | |
| properties: | |
| plugin: | |
| type: string | |
| disabled: | |
| type: boolean | |
| config: | |
| type: object | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: kongconsumers.configuration.konghq.com | |
| spec: | |
| group: configuration.konghq.com | |
| version: v1 | |
| scope: Namespaced | |
| names: | |
| kind: KongConsumer | |
| plural: kongconsumers | |
| shortNames: | |
| - kc | |
| additionalPrinterColumns: | |
| - name: Username | |
| type: string | |
| description: Username of a Kong Consumer | |
| JSONPath: .username | |
| - name: Age | |
| type: date | |
| description: Age | |
| JSONPath: .metadata.creationTimestamp | |
| validation: | |
| openAPIV3Schema: | |
| properties: | |
| username: | |
| type: string | |
| custom_id: | |
| type: string | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: kongcredentials.configuration.konghq.com | |
| spec: | |
| group: configuration.konghq.com | |
| version: v1 | |
| scope: Namespaced | |
| names: | |
| kind: KongCredential | |
| plural: kongcredentials | |
| additionalPrinterColumns: | |
| - name: Credential-type | |
| type: string | |
| description: Type of credential | |
| JSONPath: .type | |
| - name: Age | |
| type: date | |
| description: Age | |
| JSONPath: .metadata.creationTimestamp | |
| - name: Consumer-Ref | |
| type: string | |
| description: Owner of the credential | |
| JSONPath: .consumerRef | |
| validation: | |
| openAPIV3Schema: | |
| required: | |
| - consumerRef | |
| - type | |
| properties: | |
| consumerRef: | |
| type: string | |
| type: | |
| type: string | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: kongingresses.configuration.konghq.com | |
| spec: | |
| group: configuration.konghq.com | |
| version: v1 | |
| scope: Namespaced | |
| names: | |
| kind: KongIngress | |
| plural: kongingresses | |
| shortNames: | |
| - ki | |
| validation: | |
| openAPIV3Schema: | |
| properties: | |
| upstream: | |
| type: object | |
| route: | |
| properties: | |
| methods: | |
| type: array | |
| items: | |
| type: string | |
| regex_priority: | |
| type: integer | |
| strip_path: | |
| type: boolean | |
| preserve_host: | |
| type: boolean | |
| protocols: | |
| type: array | |
| items: | |
| type: string | |
| enum: | |
| - http | |
| - https | |
| proxy: | |
| type: object | |
| properties: | |
| protocol: | |
| type: string | |
| enum: | |
| - http | |
| - https | |
| path: | |
| type: string | |
| pattern: ^/.*$ | |
| retries: | |
| type: integer | |
| minimum: 0 | |
| connect_timeout: | |
| type: integer | |
| minimum: 0 | |
| read_timeout: | |
| type: integer | |
| minimum: 0 | |
| write_timeout: | |
| type: integer | |
| minimum: 0 | |
| upstream: | |
| type: object | |
| properties: | |
| hash_on: | |
| type: string | |
| hash_on_cookie: | |
| type: string | |
| hash_on_cookie_path: | |
| type: string | |
| hash_on_header: | |
| type: string | |
| hash_fallback_header: | |
| type: string | |
| hash_fallback: | |
| type: string | |
| slots: | |
| type: integer | |
| minimum: 10 | |
| healthchecks: | |
| type: object | |
| properties: | |
| active: | |
| type: object | |
| properties: | |
| concurrency: | |
| type: integer | |
| minimum: 1 | |
| timeout: | |
| type: integer | |
| minimum: 0 | |
| http_path: | |
| type: string | |
| pattern: ^/.*$ | |
| healthy: &healthy | |
| type: object | |
| properties: | |
| http_statuses: | |
| type: array | |
| items: | |
| type: integer | |
| interval: | |
| type: integer | |
| minimum: 0 | |
| successes: | |
| type: integer | |
| minimum: 0 | |
| unhealthy: &unhealthy | |
| type: object | |
| properties: | |
| http_failures: | |
| type: integer | |
| minimum: 0 | |
| http_statuses: | |
| type: array | |
| items: | |
| type: integer | |
| interval: | |
| type: integer | |
| minimum: 0 | |
| tcp_failures: | |
| type: integer | |
| minimum: 0 | |
| timeout: | |
| type: integer | |
| minimum: 0 | |
| passive: | |
| type: object | |
| properties: | |
| healthy: *healthy | |
| unhealthy: *unhealthy | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: kong-serviceaccount | |
| namespace: kong | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRole | |
| metadata: | |
| name: kong-ingress-clusterrole | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - endpoints | |
| - nodes | |
| - pods | |
| - secrets | |
| verbs: | |
| - list | |
| - watch | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - nodes | |
| verbs: | |
| - get | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - services | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - "extensions" | |
| resources: | |
| - ingresses | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - events | |
| verbs: | |
| - create | |
| - patch | |
| - apiGroups: | |
| - "extensions" | |
| resources: | |
| - ingresses/status | |
| verbs: | |
| - update | |
| - apiGroups: | |
| - "configuration.konghq.com" | |
| resources: | |
| - kongplugins | |
| - kongcredentials | |
| - kongconsumers | |
| - kongingresses | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: Role | |
| metadata: | |
| name: kong-ingress-role | |
| namespace: kong | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| - pods | |
| - secrets | |
| - namespaces | |
| verbs: | |
| - get | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| resourceNames: | |
| # Defaults to "<election-id>-<ingress-class>" | |
| # Here: "<ingress-controller-leader>-<kong>" | |
| # This has to be adapted if you change either parameter | |
| # when launching the kong-ingress-controller. | |
| - "ingress-controller-leader-kong" | |
| verbs: | |
| - get | |
| - update | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| verbs: | |
| - create | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - endpoints | |
| verbs: | |
| - get | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: RoleBinding | |
| metadata: | |
| name: kong-ingress-role-nisa-binding | |
| namespace: kong | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: kong-ingress-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kong-serviceaccount | |
| namespace: kong | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: kong-ingress-clusterrole-nisa-binding | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: kong-ingress-clusterrole | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kong-serviceaccount | |
| namespace: kong | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: kong-ingress-controller | |
| namespace: kong | |
| spec: | |
| type: NodePort | |
| ports: | |
| - name: kong-admin | |
| port: 8001 | |
| targetPort: 8001 | |
| protocol: TCP | |
| selector: | |
| app: ingress-kong | |
| --- | |
| apiVersion: extensions/v1beta1 | |
| kind: Deployment | |
| metadata: | |
| labels: | |
| app: ingress-kong | |
| name: kong-ingress-controller | |
| namespace: kong | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: ingress-kong | |
| strategy: | |
| rollingUpdate: | |
| maxSurge: 1 | |
| maxUnavailable: 0 | |
| type: RollingUpdate | |
| template: | |
| metadata: | |
| annotations: | |
| # the returned metrics are related to the kong ingress controller not kong itself | |
| prometheus.io/port: "10254" | |
| prometheus.io/scrape: "true" | |
| labels: | |
| app: ingress-kong | |
| spec: | |
| serviceAccountName: kong-serviceaccount | |
| initContainers: | |
| - name: wait-for-migrations | |
| image: kong:1.0.0 | |
| command: [ "/bin/sh", "-c", "kong migrations list" ] | |
| env: | |
| - name: KONG_ADMIN_LISTEN | |
| value: 'off' | |
| - name: KONG_PROXY_LISTEN | |
| value: 'off' | |
| - name: KONG_PROXY_ACCESS_LOG | |
| value: "/dev/stdout" | |
| - name: KONG_ADMIN_ACCESS_LOG | |
| value: "/dev/stdout" | |
| - name: KONG_PROXY_ERROR_LOG | |
| value: "/dev/stderr" | |
| - name: KONG_ADMIN_ERROR_LOG | |
| value: "/dev/stderr" | |
| # ##### some differences fixed | |
| - name: KONG_PG_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: password | |
| - name: KONG_PG_USER | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: username | |
| - name: KONG_PG_HOST | |
| value: zcrm365-postgresql1.postgres.database.azure.com | |
| - name: KONG_PG_PORT | |
| value: "5432" | |
| - name: KONG_DATABASE | |
| value: postgres | |
| # Here new | |
| - name: KONG_PG_DATABASE | |
| value: kong_zcrm365_dev_sandbox | |
| containers: | |
| - name: admin-api | |
| image: kong:1.0.0 | |
| env: | |
| - name: KONG_PG_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: password | |
| - name: KONG_PG_USER | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: username | |
| - name: KONG_PG_HOST | |
| value: zcrm365-postgresql1.postgres.database.azure.com | |
| # I dont had the port nnd database | |
| - name: KONG_PG_PORT | |
| value: "5432" | |
| - name: KONG_DATABASE | |
| value: postgres | |
| # Here new | |
| - name: KONG_PG_DATABASE | |
| value: kong_zcrm365_dev_sandbox | |
| - name: KONG_ADMIN_ACCESS_LOG | |
| value: /dev/stdout | |
| - name: KONG_ADMIN_ERROR_LOG | |
| value: /dev/stderr | |
| - name: KONG_ADMIN_LISTEN | |
| value: 0.0.0.0:8001, 0.0.0.0:8444 ssl | |
| - name: KONG_PROXY_LISTEN | |
| value: 'off' | |
| ports: | |
| - name: kong-admin | |
| containerPort: 8001 | |
| livenessProbe: | |
| failureThreshold: 3 | |
| httpGet: | |
| path: /status | |
| port: 8001 | |
| scheme: HTTP | |
| initialDelaySeconds: 30 | |
| periodSeconds: 10 | |
| successThreshold: 1 | |
| timeoutSeconds: 1 | |
| readinessProbe: | |
| failureThreshold: 3 | |
| httpGet: | |
| path: /status | |
| port: 8001 | |
| scheme: HTTP | |
| periodSeconds: 10 | |
| successThreshold: 1 | |
| timeoutSeconds: 1 | |
| - name: ingress-controller | |
| args: | |
| - /kong-ingress-controller | |
| # the kong URL points to the kong admin api server | |
| - --kong-url=http://localhost:8001 #--kong-url=https://localhost:8444 | |
| - --admin-tls-skip-verify | |
| # the default service is the kong proxy service | |
| - --default-backend-service=kong/kong-proxy | |
| # Service from were we extract the IP address/es to use in Ingress status | |
| - --publish-service=kong/kong-proxy | |
| env: | |
| - name: POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: metadata.name | |
| - name: POD_NAMESPACE | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: metadata.namespace | |
| image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.3.0 | |
| imagePullPolicy: IfNotPresent | |
| livenessProbe: | |
| failureThreshold: 3 | |
| httpGet: | |
| path: /healthz | |
| port: 10254 | |
| scheme: HTTP | |
| initialDelaySeconds: 30 | |
| periodSeconds: 10 | |
| successThreshold: 1 | |
| timeoutSeconds: 1 | |
| readinessProbe: | |
| failureThreshold: 3 | |
| httpGet: | |
| path: /healthz | |
| port: 10254 | |
| scheme: HTTP | |
| periodSeconds: 10 | |
| successThreshold: 1 | |
| timeoutSeconds: 1 | |
| # Adding acme-kong-kube-helper to solve the acme http01 challenge [preserve_host] | |
| - name: acme-kong-kube-helper | |
| image: ollystephens/acme-kong-kube-helper:0.0.1 | |
| imagePullPolicy: IfNotPresent | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: kong-proxy | |
| namespace: kong | |
| spec: | |
| type: LoadBalancer | |
| ports: | |
| - name: kong-proxy | |
| port: 80 | |
| targetPort: 8000 | |
| protocol: TCP | |
| - name: kong-proxy-ssl | |
| port: 443 | |
| targetPort: 8443 | |
| protocol: TCP | |
| selector: | |
| app: kong | |
| --- | |
| apiVersion: extensions/v1beta1 | |
| kind: Deployment | |
| metadata: | |
| name: kong | |
| namespace: kong | |
| spec: | |
| template: | |
| metadata: | |
| labels: | |
| name: kong | |
| app: kong | |
| spec: | |
| initContainers: | |
| # hack to verify that the DB is up to date or not | |
| # TODO remove this for Kong >= 0.15.0 | |
| - name: wait-for-migrations | |
| image: kong:1.0.0 | |
| command: [ "/bin/sh", "-c", "kong migrations list" ] | |
| env: | |
| - name: KONG_ADMIN_LISTEN | |
| value: 'off' | |
| - name: KONG_PROXY_LISTEN | |
| value: 'off' | |
| - name: KONG_PROXY_ACCESS_LOG | |
| value: "/dev/stdout" | |
| - name: KONG_ADMIN_ACCESS_LOG | |
| value: "/dev/stdout" | |
| - name: KONG_PROXY_ERROR_LOG | |
| value: "/dev/stderr" | |
| - name: KONG_ADMIN_ERROR_LOG | |
| value: "/dev/stderr" | |
| - name: KONG_PG_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: password | |
| - name: KONG_PG_USER | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: username | |
| - name: KONG_PG_HOST | |
| value: zcrm365-postgresql1.postgres.database.azure.com | |
| # I don't had the port and database | |
| - name: KONG_PG_PORT | |
| value: "5432" | |
| - name: KONG_DATABASE | |
| value: postgres | |
| # Here new | |
| - name: KONG_PG_DATABASE | |
| value: kong_zcrm365_dev_sandbox | |
| containers: | |
| - name: kong-proxy | |
| image: kong:1.0.0 | |
| env: | |
| - name: KONG_PG_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: password | |
| - name: KONG_PG_USER | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: username | |
| - name: KONG_PG_HOST | |
| value: zcrm365-postgresql1.postgres.database.azure.com | |
| - name: KONG_PG_PORT | |
| value: "5432" | |
| - name: KONG_DATABASE | |
| value: postgres | |
| # Here new | |
| - name: KONG_PG_DATABASE | |
| value: kong_zcrm365_dev_sandbox | |
| - name: KONG_PROXY_ACCESS_LOG | |
| value: "/dev/stdout" | |
| - name: KONG_PROXY_ERROR_LOG | |
| value: "/dev/stderr" | |
| - name: KONG_ADMIN_LISTEN | |
| value: 'off' | |
| ports: | |
| - name: proxy | |
| containerPort: 8000 | |
| protocol: TCP | |
| - name: proxy-ssl | |
| containerPort: 8443 | |
| protocol: TCP | |
| --- | |
| apiVersion: batch/v1 | |
| kind: Job | |
| metadata: | |
| name: kong-migrations | |
| namespace: kong | |
| spec: | |
| template: | |
| metadata: | |
| name: kong-migrations | |
| spec: | |
| initContainers: | |
| - name: wait-for-postgres | |
| image: busybox | |
| env: | |
| - name: KONG_PG_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: password | |
| # User created previously or user to be created? | |
| - name: KONG_PG_USER | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: username | |
| - name: KONG_PG_HOST | |
| value: zcrm365-postgresql1.postgres.database.azure.com | |
| - name: KONG_DATABASE | |
| value: postgres | |
| - name: KONG_PG_DATABASE | |
| value: kong_zcrm365_dev_sandbox | |
| - name: KONG_PG_PORT | |
| value: "5432" | |
| command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ] | |
| containers: | |
| - name: kong-migrations | |
| image: kong:1.0.0-centos | |
| env: | |
| - name: KONG_PG_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: password | |
| - name: KONG_PG_USER | |
| valueFrom: | |
| secretKeyRef: | |
| name: az-pg-db-user-pass | |
| key: username | |
| - name: KONG_PG_HOST | |
| value: zcrm365-postgresql1.postgres.database.azure.com | |
| # I don't had the database | |
| - name: KONG_DATABASE | |
| value: postgres | |
| - name: KONG_PG_DATABASE | |
| value: kong_zcrm365_dev_sandbox | |
| - name: KONG_PG_PORT | |
| value: "5432" | |
| command: [ "/bin/sh", "-c", "kong migrations bootstrap --vv" ] | |
| restartPolicy: OnFailure |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment