Installing Kong with Helm

Create the Kong Gateway secrets

  1. Create the namespace:

    kubectl create namespace kong
  2. Create the Kong config and credential variables:

    kubectl create secret generic kong-config-secret -n kong \
        --from-literal=portal_session_conf='{"storage":"kong","secret":"super_secret_salt_string","cookie_name":"portal_session","cookie_same_site":"Lax","cookie_secure":false}' \
        --from-literal=admin_gui_session_conf='{"storage":"kong","secret":"super_secret_salt_string","cookie_name":"admin_session","cookie_same_site":"Lax","cookie_secure":false}' \
        --from-literal=pg_host="enterprise-postgresql.kong.svc.cluster.local" \
        --from-literal=kong_admin_password=kong \
        --from-literal=password=kong
  3. Create a Kong Enterprise free-mode license secret:

    kubectl create secret generic kong-enterprise-license --from-literal=license="'{}'" -n kong --dry-run=client -o yaml | kubectl apply -f -
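The secret created in step 2 uses a placeholder salt (super_secret_salt_string), reuses the same value for the admin password and the ingress-controller token, and sets cookie_secure to false even though the Manager is only served over HTTPS in the values below. The following script is an added example, not from this page or the Kong docs: it builds the same kong-config-secret with a salt drawn from /dev/urandom and cookie_secure enabled, and prints a plain Secret manifest so it can be reviewed before being piped to kubectl. The namespace, Postgres host and password are arguments supplied by the caller; the values in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: build kong-config-secret with
# a random session salt and cookie_secure=true, printing a Secret manifest.
# Uses only POSIX sh, od and tr, so it runs without a cluster.

# 32 random bytes from the kernel CSPRNG, rendered as 64 hex characters.
gen_session_secret() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# JSON for Kong's *_session_conf settings.
# Args: storage cookie_name secret cookie_secure(true|false)
session_conf() {
  printf '{"storage":"%s","secret":"%s","cookie_name":"%s","cookie_same_site":"Lax","cookie_secure":%s}' \
    "$1" "$3" "$2" "$4"
}

# Secret manifest equivalent to the `kubectl create secret generic` command in
# step 2, using stringData so no base64 step is needed.
# Args: namespace pg_host admin_password  (all supplied by the caller)
kong_config_secret_manifest() {
  ns=$1; pg_host=$2; admin_pw=$3
  portal_salt=$(gen_session_secret)   # separate salts for the two session stores
  admin_salt=$(gen_session_secret)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kong-config-secret
  namespace: $ns
type: Opaque
stringData:
  portal_session_conf: '$(session_conf kong portal_session "$portal_salt" true)'
  admin_gui_session_conf: '$(session_conf kong admin_session "$admin_salt" true)'
  pg_host: "$pg_host"
  kong_admin_password: "$admin_pw"
  password: "$admin_pw"
EOF
}

# Usage (assumed values); pipe the output to `kubectl apply -n kong -f -`:
#   kong_config_secret_manifest kong enterprise-postgresql.kong.svc.cluster.local "$(gen_session_secret)"
```

The `password` key is kept identical to `kong_admin_password` because the ingress controller reads it as `kong_admin_token` in the values file below and must present the same credential the Admin API expects.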

Install Cert Manager

  1. Add the Jetstack Cert Manager Helm repo:

    helm repo add jetstack https://charts.jetstack.io ; helm repo update
  2. Install Cert Manager:

    Before installing the chart, the cert-manager CustomResourceDefinition resources must be installed. This is done in a separate step so that cert-manager can be uninstalled and reinstalled easily without deleting the custom resources that are already installed.

    wget https://github.com/jetstack/cert-manager/releases/download/v1.11.2/cert-manager.crds.yaml -O cert-manager-v1.11.2.crds.yaml

    Install:

    helm pull jetstack/cert-manager
    helm upgrade --install cert-manager cert-manager-v1.11.2.tgz \
        --set installCRDs=false --namespace cert-manager --create-namespace
  3. Create a self-signed certificate issuer:

    bash -c "cat <<EOF | kubectl apply -n kong -f -
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: test-kong-selfsigned-issuer-root
    spec:
      selfSigned: {}
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-kong-selfsigned-issuer-ca
    spec:
      commonName: test-kong-selfsigned-issuer-ca
      duration: 2160h0m0s
      isCA: true
      issuerRef:
        group: cert-manager.io
        kind: Issuer
        name: test-kong-selfsigned-issuer-root
      privateKey:
        algorithm: ECDSA
        size: 256
      renewBefore: 360h0m0s
      secretName: test-kong-selfsigned-issuer-ca
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: test-kong-selfsigned-issuer
    spec:
      ca:
        secretName: test-kong-selfsigned-issuer-ca
    EOF"

Deploy Kong Gateway

  1. Add the Kong Helm repo:

    helm repo add kong https://charts.konghq.com ; helm repo update
  2. Install Kong:

    Create values.yaml:

    admin:
      annotations:
        konghq.com/protocol: https
      enabled: true
      http:
        enabled: false
      ingress:
        annotations:
          konghq.com/https-redirect-status-code: "301"
          konghq.com/protocols: https
          konghq.com/strip-path: "true"
          nginx.ingress.kubernetes.io/app-root: /
          nginx.ingress.kubernetes.io/backend-protocol: HTTPS
          nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
        enabled: true
        ingressClassName: kong
        hostname: kong.example.com
        path: /api
        tls: example-com-tls
      tls:
        containerPort: 8444
        enabled: true
        parameters:
        - http2
        servicePort: 8444
      type: ClusterIP
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app.kubernetes.io/instance
                operator: In
                values:
                - dataplane
            topologyKey: kubernetes.io/hostname
          weight: 100
    certificates:
      enabled: true
      issuer: test-kong-selfsigned-issuer
      cluster:
        enabled: true
      admin:
        enabled: true
        commonName: kong.example.com
      portal:
        enabled: false
        commonName: developer.example.com
      proxy:
        enabled: true
        commonName: example.com
        dnsNames:
        - '*.example.com'
    cluster:
      enabled: true
      labels:
        konghq.com/service: cluster
      tls:
        containerPort: 8005
        enabled: true
        servicePort: 8005
      type: ClusterIP
    clustertelemetry:
      enabled: true
      tls:
        containerPort: 8006
        enabled: true
        servicePort: 8006
        type: ClusterIP
    deployment:
      kong:
        daemonset: false
        enabled: true
    serviceMonitor:
      enabled: true
      interval: 15s
      labels:
        release: prometheus-community
        
    # securityContext for containers. If custom plugins are configured, the container must not be read-only, otherwise the plugin's socket file cannot be created
    containerSecurityContext:
      readOnlyRootFilesystem: false
    enterprise:
      enabled: true
      license_secret: kong-enterprise-license
      portal:
        enabled: false
      rbac:
        admin_api_auth: basic-auth
        admin_gui_auth_conf_secret: kong-config-secret
        enabled: true
        session_conf_secret: kong-config-secret
      smtp:
        enabled: false
      vitals:
        enabled: false
    env:
      admin_access_log: /dev/stdout
      admin_api_uri: https://kong.example.com/api
      admin_error_log: /dev/stdout
      admin_gui_access_log: /dev/stdout
      admin_gui_error_log: /dev/stdout
      admin_gui_host: kong.example.com
      admin_gui_protocol: https
      admin_gui_url: https://kong.example.com/
      cluster_data_plane_purge_delay: 60
      cluster_listen: 0.0.0.0:8005
      cluster_telemetry_listen: 0.0.0.0:8006
      database: "postgres"
      log_level: debug
      lua_package_path: /opt/?.lua;;
      nginx_worker_processes: "2"
      password:
        valueFrom:
          secretKeyRef:
            key: kong_admin_password
            name: kong-config-secret
      pg_database: kong
      pg_host:
        valueFrom:
          secretKeyRef:
            key: pg_host
            name: kong-config-secret
      pg_ssl: "off"
      pg_ssl_verify: "off"
      pg_user: kong
      plugins: bundled,openid-connect
      # If you have custom plugins, replace the plugins setting with the lines below, and also check the containerSecurityContext setting
      #plugins: "bundled,openid-connect,plugin-custom"
      #pluginserver_names: "plugin-custom"
      #pluginserver_plugin_bucket_start_cmd: "/usr/local/bin/plugin-custom"
      #pluginserver_plugin_bucket_query_cmd: "/usr/local/bin/plugin-custom -dump"
      portal: false
      #portal_api_access_log: /dev/stdout
      #portal_api_error_log: /dev/stdout
      #portal_api_url: https://developer.example.com/api
      #portal_auth: basic-auth
      #portal_cors_origins: '*'
      #portal_gui_access_log: /dev/stdout
      #portal_gui_error_log: /dev/stdout
      #portal_gui_host: developer.example.com
      #portal_gui_protocol: https
      #portal_gui_url: https://developer.example.com/
      #portal_session_conf:
      #  valueFrom:
      #    secretKeyRef:
      #      key: portal_session_conf
      #      name: kong-config-secret
      prefix: /kong_prefix/
      proxy_access_log: /dev/stdout
      proxy_error_log: /dev/stdout
      proxy_stream_access_log: /dev/stdout
      proxy_stream_error_log: /dev/stdout
      smtp_mock: "on"
      status_listen: 0.0.0.0:8100
      trusted_ips: 0.0.0.0/0,::/0
      vitals: "off"
      dns_order: "LAST,SRV,A,CNAME"
    
    extraLabels:
      konghq.com/component: test
    image:
      repository: kong/kong-gateway
      tag: "3.2"
    ingressController:
      enabled: true
      env:
        kong_admin_filter_tag: ingress_controller_kong
        kong_admin_tls_skip_verify: true
        kong_admin_token:
          valueFrom:
            secretKeyRef:
              key: password
              name: kong-config-secret
        kong_admin_url: https://localhost:8444
        kong_workspace: default
        publish_service: kong/test-kong-proxy
      image:
        repository: docker.io/kong/kubernetes-ingress-controller
        tag: "2.9"
      ingressClass: kong
      installCRDs: false
    manager:
      annotations:
        konghq.com/protocol: https
      enabled: true
      http:
        containerPort: 8002
        enabled: false
        servicePort: 8002
      ingress:
        annotations:
          konghq.com/https-redirect-status-code: "301"
          nginx.ingress.kubernetes.io/backend-protocol: HTTPS
        enabled: true
        ingressClassName: kong
        hostname: kong.example.com
        path: /
        tls: test-kong-admin-cert
      tls:
        containerPort: 8445
        enabled: true
        parameters:
        - http2
        servicePort: 8445
      type: ClusterIP
    migrations:
      enabled: true
      postUpgrade: true
      preUpgrade: true
    namespace: kong
    podAnnotations:
      kuma.io/gateway: enabled
    portal:
      annotations:
        konghq.com/protocol: https
      enabled: false
      http:
        containerPort: 8003
        enabled: false
        servicePort: 8003
      ingress:
        annotations:
          konghq.com/https-redirect-status-code: "301"
          konghq.com/protocols: https
          konghq.com/strip-path: "false"
        enabled: false
        ingressClassName: kong
        hostname: developer.example.com
        path: /
        tls: test-kong-portal-cert
      tls:
        containerPort: 8446
        enabled: true
        parameters:
        - http2
        servicePort: 8446
      type: ClusterIP
    portalapi:
      annotations:
        konghq.com/protocol: https
      enabled: false
      http:
        enabled: false
      ingress:
        annotations:
          konghq.com/https-redirect-status-code: "301"
          konghq.com/protocols: https
          konghq.com/strip-path: "true"
          nginx.ingress.kubernetes.io/app-root: /
        enabled: true
        ingressClassName: kong
        hostname: developer.example.com
        path: /api
        tls: test-kong-portal-cert
      tls:
        containerPort: 8447
        enabled: true
        parameters:
        - http2
        servicePort: 8447
      type: ClusterIP
    postgresql:
      enabled: true
      auth:
        database: kong
        username: kong
    proxy:
      annotations:
        prometheus.io/port: "9542"
        prometheus.io/scrape: "true"
      enabled: true
      http:
        containerPort: 8080
        enabled: true
        hostPort: 80
      ingress:
        enabled: false
      labels:
        enable-metrics: true
      tls:
        containerPort: 8443
        enabled: true
        hostPort: 443
      externalIPs:
        - x.x.x.x
      externalTrafficPolicy: Local # set so that the remote_addr the proxy forwards to the backend is the real client IP
      type: NodePort
    replicaCount: 1
    secretVolumes: []
    status:
      enabled: true
      http:
        containerPort: 8100
        enabled: true
      tls:
        containerPort: 8543
        enabled: false
    updateStrategy:
      rollingUpdate:
        maxSurge: 50%
        maxUnavailable: 50%
      type: RollingUpdate

    Install:

    helm pull kong/kong
    helm upgrade --install test kong-2.20.1.tgz --namespace kong -f values.yaml 
  3. Wait until all pods are in the "Running" or "Completed" state:

    kubectl get po --namespace kong -w
  4. Open Kong Manager:

    open "https://$(kubectl get ingress --namespace kong test-kong-manager -o jsonpath='{.spec.tls[0].hosts[0]}')"

    Because a self-signed certificate is used, you will get a "Your connection is not private" warning. If you are using Chrome there may be no "Accept the risk and continue" option; with the tab focused, type "thisisunsafe" to proceed.

  5. The free version has no authentication by default and can be accessed directly; if authentication is needed, install and configure a Kong authentication plugin.
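The values.yaml above keeps several settings that are convenient in a test cluster but should be reviewed before production: pg_ssl and pg_ssl_verify are off (plaintext to Postgres; turning pg_ssl_verify on also needs the CA set via lua_ssl_trusted_certificate), trusted_ips is 0.0.0.0/0,::/0 (Kong then honours client-supplied X-Forwarded-* and X-Real-IP headers from any source, which undermines the real-client-IP goal of externalTrafficPolicy: Local), log_level is debug, and readOnlyRootFilesystem is false (needed only when a custom plugin must create its socket, as the comment notes). The following script is an added example, not from the page or the Kong chart: it greps a values file for those settings and prints one warning per hit. The two embedded values files are constructed subsets of the one above, and the hardened CIDR is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page or the Kong chart: grep a Kong
# Helm values.yaml for test-only settings that weaken security in production.
# POSIX sh + grep only; no cluster required.

# Rules as "extended-regex|message" lines.
kong_values_rules() {
  cat <<'EOF'
^[[:space:]]*pg_ssl:[[:space:]]*"?off"?|env.pg_ssl is off: the Postgres connection is unencrypted
^[[:space:]]*pg_ssl_verify:[[:space:]]*"?off"?|env.pg_ssl_verify is off: the Postgres server certificate is not checked
^[[:space:]]*trusted_ips:.*0\.0\.0\.0/0|env.trusted_ips trusts every source: client-supplied X-Forwarded-*/X-Real-IP headers are honoured
^[[:space:]]*log_level:[[:space:]]*debug|env.log_level is debug: verbose logs may expose request data
^[[:space:]]*readOnlyRootFilesystem:[[:space:]]*false|containerSecurityContext.readOnlyRootFilesystem is false: only needed for custom plugin sockets
EOF
}

# Print "WARN <message>" for every rule that matches a line in the file ($1).
audit_kong_values() {
  kong_values_rules | while IFS='|' read -r regex msg; do
    if grep -Eq "$regex" "$1"; then
      printf 'WARN %s\n' "$msg"
    fi
  done
}

# Number of findings (prints 0 when the file is clean).
count_kong_findings() {
  audit_kong_values "$1" | grep -c '^WARN' || true
}

# Constructed subset of the values.yaml above (test-cluster settings).
write_sample_values() {
  cat >"$1" <<'EOF'
containerSecurityContext:
  readOnlyRootFilesystem: false
env:
  log_level: debug
  pg_ssl: "off"
  pg_ssl_verify: "off"
  trusted_ips: 0.0.0.0/0,::/0
EOF
}

# Constructed hardened counterpart; the CIDR is a placeholder for the
# load-balancer / node range that actually fronts the proxy.
write_hardened_values() {
  cat >"$1" <<'EOF'
containerSecurityContext:
  readOnlyRootFilesystem: true
env:
  log_level: notice
  pg_ssl: "on"
  pg_ssl_verify: "on"
  trusted_ips: 10.42.0.0/16
EOF
}

# Usage: audit_kong_values values.yaml
```

Run it against the real values.yaml before `helm upgrade --install`; a clean run prints nothing. The rules are deliberately line-based so they work on any values file regardless of key order, at the cost of not understanding YAML nesting.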

References

https://docs.konghq.com/gateway/latest/install/kubernetes/helm-quickstart/

https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/preserve-client-ip/

https://docs.konghq.com/gateway/latest/plugin-development/pluginserver/go/

https://docs.konghq.com/gateway/latest/plugin-development/pluginserver/plugins-kubernetes/


Last updated 1 year ago


Once all pods are running, open Kong Manager in your browser at the ingress hostname, for example https://kong.example.com, or open it with the `open` command in step 4 above.