kong helm 安装
创建kong gateway secret
创建namespace:
kubectl create namespace kong创建 Kong config 和 credential variables:
kubectl create secret generic kong-config-secret -n kong \ --from-literal=portal_session_conf='{"storage":"kong","secret":"super_secret_salt_string","cookie_name":"portal_session","cookie_same_site":"Lax","cookie_secure":false}' \ --from-literal=admin_gui_session_conf='{"storage":"kong","secret":"super_secret_salt_string","cookie_name":"admin_session","cookie_same_site":"Lax","cookie_secure":false}' \ --from-literal=pg_host="enterprise-postgresql.kong.svc.cluster.local" \ --from-literal=kong_admin_password=kong \ --from-literal=password=kong创建一 个Kong 企业免费版 license secret:
kubectl create secret generic kong-enterprise-license --from-literal=license="'{}'" -n kong --dry-run=client -o yaml | kubectl apply -f -
安装 Cert Manager
添加 Jetstack Cert Manager Helm 源:
helm repo add jetstack https://charts.jetstack.io ; helm repo update安装 Cert Manager:
在安装chart之前,必须先安装cert-manager CustomResourceDefinition资源。这是在一个单独的步骤中执行的,允许您轻松卸载和重新安装cert-manager,而不需要删除已安装的自定义资源。
wget https://github.com/jetstack/cert-manager/releases/download/v1.11.2/cert-manager.crds.yaml -O cert-manager-v1.11.2.crds.yaml安装
helm pull jetstack/cert-manager helm upgrade --install cert-manager cert-manager-v1.11.2.tgz \ --set installCRDs=false --namespace cert-manager --create-namespace创建自签名证书 issuer:
bash -c "cat <<EOF | kubectl apply -n kong -f - apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: test-kong-selfsigned-issuer-root spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: test-kong-selfsigned-issuer-ca spec: commonName: test-kong-selfsigned-issuer-ca duration: 2160h0m0s isCA: true issuerRef: group: cert-manager.io kind: Issuer name: test-kong-selfsigned-issuer-root privateKey: algorithm: ECDSA size: 256 renewBefore: 360h0m0s secretName: test-kong-selfsigned-issuer-ca --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: test-kong-selfsigned-issuer spec: ca: secretName: test-kong-selfsigned-issuer-ca EOF"
部署 Kong Gaeway
添加 Kong Helm repo:
helm repo add kong https://charts.konghq.com ; helm repo updateInstall Kong:
创建values.yaml
admin: annotations: konghq.com/protocol: https enabled: true http: enabled: false ingress: annotations: konghq.com/https-redirect-status-code: "301" konghq.com/protocols: https konghq.com/strip-path: "true" nginx.ingress.kubernetes.io/app-root: / nginx.ingress.kubernetes.io/backend-protocol: HTTPS nginx.ingress.kubernetes.io/permanent-redirect-code: "301" enabled: true ingressClassName: kong hostname: kong.example.com path: /api tls: example-com-tls tls: containerPort: 8444 enabled: true parameters: - http2 servicePort: 8444 type: ClusterIP affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - dataplane topologyKey: kubernetes.io/hostname weight: 100 certificates: enabled: true issuer: test-kong-selfsigned-issuer cluster: enabled: true admin: enabled: true commonName: kong.example.com portal: enabled: false commonName: developer.example.com proxy: enabled: true commonName: example.com dnsNames: - '*.example.com' cluster: enabled: true labels: konghq.com/service: cluster tls: containerPort: 8005 enabled: true servicePort: 8005 type: ClusterIP clustertelemetry: enabled: true tls: containerPort: 8006 enabled: true servicePort: 8006 type: ClusterIP deployment: kong: daemonset: false enabled: true serviceMonitor: enabled: true interval: 15s labels: release: prometheus-community # securityContext for containers. 如果配置了自定义插件,要把容器设置为非只读权限,否则插件的socket文件不能创建 containerSecurityContext: readOnlyRootFilesystem: false enterprise: enabled: true license_secret: kong-enterprise-license portal: enabled: false rbac: admin_api_auth: basic-auth admin_gui_auth_conf_secret: kong-config-secret enabled: true session_conf_secret: kong-config-secret smtp: enabled: false vitals: enabled: false env: admin_access_log: /dev/stdout admin_api_uri: https://kong.example.com/api admin_error_log: /dev/stdout admin_gui_access_log: /dev/stdout admin_gui_error_log: /dev/stdout admin_gui_host: kong.example.com admin_gui_protocol: https admin_gui_url: https://kong.example.com/ cluster_data_plane_purge_delay: 60 cluster_listen: 0.0.0.0:8005 cluster_telemetry_listen: 0.0.0.0:8006 database: "postgres" log_level: debug lua_package_path: /opt/?.lua;; nginx_worker_processes: "2" password: valueFrom: secretKeyRef: key: kong_admin_password name: kong-config-secret pg_database: kong pg_host: valueFrom: secretKeyRef: key: pg_host name: kong-config-secret pg_ssl: "off" pg_ssl_verify: "off" pg_user: kong plugins: bundled,openid-connect # 如果有自定义插件下面内容替换plugins 配置,同时要注意containerSecurityContext配置 #plugins: "bundled,openid-connect,plugin-custom" #pluginserver_names: "plugin-custom" #pluginserver_plugin_bucket_start_cmd: "/usr/local/bin/plugin-custom" #pluginserver_plugin_bucket_query_cmd: "/usr/local/bin/plugin-custom -dump" portal: false #portal_api_access_log: /dev/stdout #portal_api_error_log: /dev/stdout #portal_api_url: https://developer.example.com/api #portal_auth: basic-auth #portal_cors_origins: '*' #portal_gui_access_log: /dev/stdout #portal_gui_error_log: /dev/stdout #portal_gui_host: developer.example.com #portal_gui_protocol: https #portal_gui_url: https://developer.example.com/ #portal_session_conf: # valueFrom: # secretKeyRef: # key: portal_session_conf # name: kong-config-secret prefix: /kong_prefix/ proxy_access_log: /dev/stdout proxy_error_log: /dev/stdout proxy_stream_access_log: /dev/stdout proxy_stream_error_log: /dev/stdout smtp_mock: "on" status_listen: 0.0.0.0:8100 trusted_ips: 0.0.0.0/0,::/0 vitals: "off" dns_order: "LAST,SRV,A,CNAME" extraLabels: konghq.com/component: test image: repository: kong/kong-gateway tag: "3.2" ingressController: enabled: true env: kong_admin_filter_tag: ingress_controller_kong kong_admin_tls_skip_verify: true kong_admin_token: valueFrom: secretKeyRef: key: password name: kong-config-secret kong_admin_url: https://localhost:8444 kong_workspace: default publish_service: kong/test-kong-proxy image: repository: docker.io/kong/kubernetes-ingress-controller tag: "2.9" ingressClass: kong installCRDs: false manager: annotations: konghq.com/protocol: https enabled: true http: containerPort: 8002 enabled: false servicePort: 8002 ingress: annotations: konghq.com/https-redirect-status-code: "301" nginx.ingress.kubernetes.io/backend-protocol: HTTPS enabled: true ingressClassName: kong hostname: kong.example.com path: / tls: test-kong-admin-cert tls: containerPort: 8445 enabled: true parameters: - http2 servicePort: 8445 type: ClusterIP migrations: enabled: true postUpgrade: true preUpgrade: true namespace: kong podAnnotations: kuma.io/gateway: enabled portal: annotations: konghq.com/protocol: https enabled: false http: containerPort: 8003 enabled: false servicePort: 8003 ingress: annotations: konghq.com/https-redirect-status-code: "301" konghq.com/protocols: https konghq.com/strip-path: "false" enabled: false ingressClassName: kong hostname: developer.example.com path: / tls: test-kong-portal-cert tls: containerPort: 8446 enabled: true parameters: - http2 servicePort: 8446 type: ClusterIP portalapi: annotations: konghq.com/protocol: https enabled: false http: enabled: false ingress: annotations: konghq.com/https-redirect-status-code: "301" konghq.com/protocols: https konghq.com/strip-path: "true" nginx.ingress.kubernetes.io/app-root: / enabled: true ingressClassName: kong hostname: developer.example.com path: /api tls: test-kong-portal-cert tls: containerPort: 8447 enabled: true parameters: - http2 servicePort: 8447 type: ClusterIP postgresql: enabled: true auth: database: kong username: kong proxy: annotations: prometheus.io/port: "9542" prometheus.io/scrape: "true" enabled: true http: containerPort: 8080 enabled: true hostPort: 80 ingress: enabled: false labels: enable-metrics: true tls: containerPort: 8443 enabled: true hostPort: 443 externalIPs: - x.x.x.x externalTrafficPolicy: Local # 配置这个是为了获取proxy 转发到后端的 remote_addr 为 真实client ip type: NodePort replicaCount: 1 secretVolumes: [] status: enabled: true http: containerPort: 8100 enabled: true tls: containerPort: 8543 enabled: false updateStrategy: rollingUpdate: maxSurge: 50% maxUnavailable: 50% type: RollingUpdate安装
helm pull kong/kong helm upgrade --install test kong-2.20.1.tgz --namespace kong -f values.yaml等待所有pod都处于“Running”和“Completed”状态:
kubectl get po --namespace kong -w一旦所有pod都开始运行,在浏览器的入口主机域中打开Kong Manager,例如:https://kong.example.com。或者用下面的命令打开它:
open "https://$(kubectl get ingress --namespace kong test-kong-manager -o jsonpath='{.spec.tls[0].hosts[0]}')"由于使用自签名证书,您将收到“您的连接不是私有的”警告消息。如果您使用的是Chrome浏览器,可能没有“接受风险并继续”选项,请在标签集中继续时键入“thisisunsafe”。
免费版本默认没有认证直接访问即可,如果需要配置认证需要安装配置kong 认证插件
参考
https://docs.konghq.com/gateway/latest/install/kubernetes/helm-quickstart/
https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/preserve-client-ip/
https://docs.konghq.com/gateway/latest/plugin-development/pluginserver/go/
https://docs.konghq.com/gateway/latest/plugin-development/pluginserver/plugins-kubernetes/
Last updated