Deploying Kong Ingress Controller

Notes

  • If you do not know how to deploy Kong, see Kong API Gateway Setup and Deployment Notes

  • This post only describes how to modify the official YAML files; there is no guarantee that a straight Ctrl+C / Ctrl+V copy will run as-is!

  • GitHub project address

  • kong-ingress-controller version: 0.5.0

  • Kong version: 1.2

Introduction to Kong Ingress Controller

This section is a rough translation of the project documentation.

Overview

Kong Ingress Controller is a dynamic, highly available Ingress Controller.

It configures Kong using the Ingress resources created in the Kubernetes cluster.

In addition, it can configure plugins, load balancing and health checks for services running in Kubernetes.

Deployment modes

Kong's ingress-controller is a program written in Go that works like an adapter: it translates Kubernetes resource objects into Kong configuration rules.

It supports both a mode backed with a database and a mode backed without a database.

DB-less mode

In DB-less mode, Kong ingress controller runs as a sidecar container in the same Pod as the Kong container and configures Kong dynamically from the information it receives from the Kubernetes API Server.

High availability and load balancing are obtained by increasing the number of Kong container replicas.

Database-backed mode

In database-backed mode, the ingress controller is deployed together with Kong's control plane, while Kong's data plane is deployed separately.

The diagram below clearly shows that Kong's control plane and data plane are separated.

High availability

When multiple Kong ingress controllers are deployed, they elect a leader among themselves. Only the leader can configure Kong's rules at any given time, and a new leader is elected automatically when the leader fails.

Horizontal scaling

In database-backed mode, Kong's control plane and data plane are deployed separately, so the data plane alone can be scaled out horizontally.

Rule translation

The diagram below shows how Kubernetes resource objects are translated into Kong configuration rules.

PS: this diagram looks odd to me; where is the translation process? Isn't this just the Kubernetes Ingress object model?

CRD resources

Kong ingress controller can be configured with the following CRD resource objects, which allow more fine-grained configuration of Kong; the official documentation is here

  • KongIngress
  • KongPlugin
  • KongConsumer
  • KongCredential

Official YAML templates

Notes

The link is here: YAML templates. The following resource objects can be used straight from the official templates:

  • Namespace
  • CustomResourceDefinition
  • ServiceAccount
  • ClusterRole
  • ClusterRoleBinding

The definitions of the other resource objects are not quite suitable for a production environment and need to be modified.

Database-backed deployment

Notes

  • A Kubernetes cluster does not necessarily have an ELB or SLB; keepalived + haproxy can be deployed on the Ingress nodes to provide high availability and load balancing

  • An external, standalone PostgreSQL is used; for its deployment see PostgreSQL 10 Installation, Deployment and Initialization. The database user is kong and the password is kong

  • Kong data plane
    • Schedule the Pods onto the designated Kubernetes Ingress nodes with nodeSelector and tolerations
    • Modify the Kong data plane runtime parameters
    • Share the host network stack

PostgreSQL database

Here a Service is used together with an Endpoints object to declare the external PostgreSQL as a service inside Kubernetes.

This lets Pods inside Kubernetes reach the external PostgreSQL through the Service.

---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: kong
spec:
  ports:
  - name: pgsql
    port: 5432
    targetPort: 5432
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: postgres
  # the Endpoints object must have the same name and live in the same namespace as the Service
  namespace: kong
subsets:
- addresses:
  - ip: 192.168.1.1   # address of the external PostgreSQL host
  ports:
  - port: 5432

Kong bootstrap Job

  • kong-ingress-migrations
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migrations
  namespace: kong
spec:
  template:
    metadata:
      name: kong-migrations
    spec:
      initContainers:
      # block until the PostgreSQL port answers
      - name: wait-for-postgres
        image: busybox
        env:
        - name: KONG_PG_HOST
          value: "postgres.kong.svc.cluster.local"
        - name: KONG_PG_PORT
          value: "5432"
        command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
      containers:
      # create the Kong schema in the empty database
      - name: kong-migrations
        image: kong:1.2
        env:
        - name: KONG_PG_HOST
          value: "postgres.kong.svc.cluster.local"
        - name: KONG_PG_PORT
          value: "5432"
        - name: KONG_PG_DATABASE
          value: "kong"
        - name: KONG_PG_USER
          value: "kong"
        - name: KONG_PG_PASSWORD
          value: "kong"
        command: [ "/bin/sh", "-c", "kong migrations bootstrap" ]
      restartPolicy: OnFailure
---
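The Job above, and the data-plane DaemonSet and control-plane Deployment further down, all carry the database password as a plain-text env value inside the manifest, so it ends up in version control and in every `kubectl get -o yaml`. As an added example that is not part of the original post or of the Kong project's manifests, the same credentials can be kept in a Kubernetes Secret and injected with secretKeyRef; the Secret name kong-pg-credentials and its key names are my own choice, and the user/password values are the ones this page already uses:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: kong-pg-credentials   # assumed name, not from the original post
  namespace: kong
type: Opaque
stringData:
  # constructed values; they match the user/password used elsewhere on this page
  username: kong
  password: kong
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migrations
  namespace: kong
spec:
  template:
    spec:
      containers:
      - name: kong-migrations
        image: kong:1.2
        env:
        - name: KONG_PG_HOST
          value: "postgres.kong.svc.cluster.local"
        - name: KONG_PG_PORT
          value: "5432"
        - name: KONG_PG_DATABASE
          value: "kong"
        # user and password are read from the Secret instead of being written into the manifest
        - name: KONG_PG_USER
          valueFrom:
            secretKeyRef:
              name: kong-pg-credentials
              key: username
        - name: KONG_PG_PASSWORD
          valueFrom:
            secretKeyRef:
              name: kong-pg-credentials
              key: password
        command: [ "/bin/sh", "-c", "kong migrations bootstrap" ]
      restartPolicy: OnFailure
```

The same two env entries replace the literal KONG_PG_USER / KONG_PG_PASSWORD values in the wait-for-migrations init containers and in the kong-proxy and admin-api containers. A Secret is only base64-encoded in etcd unless encryption at rest is enabled on the cluster, so RBAC on Secrets in the kong namespace is what actually limits who can read the password.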

Kong data plane

  • kong-proxy TLS certificate

The Secret can be generated with kubectl:

kubectl -n kong create secret tls kong-tls-secret --key ./tls.key --cert ./tls.crt

  • kong-ingress-proxy.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: kong-ingress-proxy
  namespace: kong
spec:
  type: ClusterIP
  ports:
  - name: kong-proxy
    port: 80
    targetPort: 80
    protocol: TCP
  - name: kong-proxy-ssl
    port: 443
    targetPort: 443
    protocol: TCP
  selector:
    # must match the Pod label below (the original had the typo kong-ingres-proxy, which selects no Pods)
    app: kong-ingress-proxy
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kong-ingress-proxy
  namespace: kong
spec:
  template:
    metadata:
      labels:
        name: kong-ingress-proxy
        app: kong-ingress-proxy
    spec:
      # share the host network stack
      hostNetwork: true
      # select the nodes labelled node-role=kong
      nodeSelector:
        node-role: kong
      # tolerate the node-role=kong taint
      tolerations:
      - effect: NoSchedule
        key: "node-role"
        operator: "Equal"
        value: "kong"
      dnsPolicy: ClusterFirstWithHostNet
      initContainers:
      # hack to verify that the DB is up to date or not
      # TODO remove this for Kong >= 0.15.0
      - name: wait-for-migrations
        image: kong:1.2
        command: [ "/bin/sh", "-c", "kong migrations list" ]
        env:
        - name: KONG_ADMIN_LISTEN
          value: 'off'
        - name: KONG_PROXY_LISTEN
          value: 'off'
        - name: KONG_PROXY_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_ADMIN_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_PROXY_ERROR_LOG
          value: "/dev/stderr"
        - name: KONG_ADMIN_ERROR_LOG
          value: "/dev/stderr"
        - name: KONG_PG_HOST
          value: "postgres.kong.svc.cluster.local"
        - name: KONG_PG_PORT
          value: "5432"
        - name: KONG_PG_DATABASE
          value: "kong"
        - name: KONG_PG_USER
          value: "kong"
        - name: KONG_PG_PASSWORD
          value: "kong"
      containers:
      - name: kong-proxy
        image: kong:1.2
        env:
        - name: KONG_NGINX_DAEMON
          value: "off"
        - name: KONG_PG_HOST
          value: "postgres.kong.svc.cluster.local"
        - name: KONG_PG_PORT
          value: "5432"
        - name: KONG_PG_DATABASE
          value: "kong"
        - name: KONG_PG_USER
          value: "kong"
        - name: KONG_PG_PASSWORD
          value: "kong"
        - name: KONG_PROXY_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_PROXY_ERROR_LOG
          value: "/dev/stderr"
        # the data plane exposes no admin API at all
        - name: KONG_ADMIN_LISTEN
          value: 'off'
        # with hostNetwork these bind directly on the node's ports 80 and 443
        - name: KONG_PROXY_LISTEN
          value: '0.0.0.0:80, 0.0.0.0:443 ssl'
        - name: KONG_SSL_CIPHER_SUITE
          value: "modern"
        - name: KONG_SSL_CERT
          value: "/opt/tls/tls.crt"
        - name: KONG_SSL_CERT_KEY
          value: "/opt/tls/tls.key"
        - name: KONG_CLIENT_MAX_BODY_SIZE
          value: "0"
        - name: KONG_CLIENT_BODY_BUFFER_SIZE
          value: "16k"
        - name: KONG_UPSTREAM_KEEPALIVE
          value: "60"
        - name: KONG_REAL_IP_HEADER
          value: "X-Real-IP"
        - name: KONG_DB_UPDATE_FREQUENCY
          value: "5"
        #- name: KONG_MEM_CACHE_SIZE
        #  value: "128m"
        command:
        - /usr/local/bin/kong
        - start
        #securityContext:
        #  capabilities:
        #    add:
        #    - NET_BIND_SERVICE
        ports:
        # these must match KONG_PROXY_LISTEN (the original listed 8000/8443, Kong's defaults, which nothing listens on here)
        - name: proxy
          containerPort: 80
          protocol: TCP
        - name: proxy-ssl
          containerPort: 443
          protocol: TCP
        lifecycle:
          preStop:
            exec:
              command: [ "/bin/sh", "-c", "kong quit" ]
        volumeMounts:
        - name: timezone-volume
          mountPath: /etc/localtime
          readOnly: true
        - name: tls-volume
          mountPath: /opt/tls/
          readOnly: true
      volumes:
      - name: timezone-volume
        hostPath:
          path: /usr/share/zoneinfo/Asia/Shanghai
      - name: tls-volume
        secret:
          secretName: kong-tls-secret
---

Kong control plane

  • kong-ingress-controller.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: kong-ingress-controller
  namespace: kong
spec:
  type: ClusterIP
  ports:
  - name: kong-admin
    port: 8001
    targetPort: 8001
    protocol: TCP
  selector:
    app: ingress-kong
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: ingress-kong
  name: kong-ingress-controller
  namespace: kong
spec:
  selector:
    matchLabels:
      app: ingress-kong
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # the returned metrics are related to the kong ingress controller not kong itself
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
      labels:
        app: ingress-kong
    spec:
      serviceAccountName: kong-serviceaccount
      initContainers:
      - name: wait-for-migrations
        image: kong:1.2
        command: [ "/bin/sh", "-c", "kong migrations list" ]
        env:
        - name: KONG_ADMIN_LISTEN
          value: 'off'
        - name: KONG_PROXY_LISTEN
          value: 'off'
        - name: KONG_PROXY_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_ADMIN_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_PROXY_ERROR_LOG
          value: "/dev/stderr"
        - name: KONG_ADMIN_ERROR_LOG
          value: "/dev/stderr"
        - name: KONG_PG_HOST
          value: "postgres.kong.svc.cluster.local"
        - name: KONG_PG_PORT
          value: "5432"
        - name: KONG_PG_DATABASE
          value: "kong"
        - name: KONG_PG_USER
          value: "kong"
        - name: KONG_PG_PASSWORD
          value: "kong"
      containers:
      - name: admin-api
        image: kong:1.2
        env:
        - name: KONG_NGINX_DAEMON
          value: "off"
        - name: KONG_PG_HOST
          value: "postgres.kong.svc.cluster.local"
        - name: KONG_PG_PORT
          value: "5432"
        - name: KONG_PG_DATABASE
          value: "kong"
        - name: KONG_PG_USER
          value: "kong"
        - name: KONG_PG_PASSWORD
          value: "kong"
        - name: KONG_ADMIN_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_ADMIN_ERROR_LOG
          value: "/dev/stderr"
        # plain-HTTP admin API on 8001 (used by the probes and reachable cluster-wide through the Service above)
        # and TLS admin API on 8444 for the ingress-controller sidecar
        - name: KONG_ADMIN_LISTEN
          value: "0.0.0.0:8001, 0.0.0.0:8444 ssl"
        - name: KONG_PROXY_LISTEN
          value: 'off'
        ports:
        - name: kong-admin
          containerPort: 8001
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8001
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8001
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - name: timezone-volume
          mountPath: /etc/localtime
          readOnly: true
      - name: ingress-controller
        args:
        - /kong-ingress-controller
        # the kong URL points to the kong admin api server
        - --kong-url=https://localhost:8444
        # the admin API is reached over the Pod's own loopback, so its self-signed certificate is not verified
        - --admin-tls-skip-verify
        # Service from where we extract the IP address/es to use in Ingress status
        # (the original pointed at kong/kong-proxy, which this page never defines)
        - --publish-service=kong/kong-ingress-proxy
        - --sync-period=10m0s
        - --v=2
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.5.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - name: timezone-volume
          mountPath: /etc/localtime
          readOnly: true
      volumes:
      - name: timezone-volume
        hostPath:
          path: /usr/share/zoneinfo/Asia/Shanghai

DB-less deployment

Notes

  • In DB-less mode every Kong instance works on its own; the Kong-Ingress-Controller sidecar calls Kong's config endpoint to push configuration updates.
  • This is somewhat like keeping Kong's configuration in Kubernetes: each Kong is configured independently and does not depend on an external database, so a database failure cannot take down every Kong at once.
  • DB-less mode has some limitations; see here

KongIngressDBless

  • kong-proxy TLS certificate

The Secret can be generated with kubectl:

kubectl -n kong create secret tls kong-tls-secret --key ./tls.key --cert ./tls.crt

  • kong-ingress-controller-dbless-cm.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kong-server-blocks
  namespace: kong
data:
  servers.conf: |
    # Prometheus metrics server
    server {
        server_name kong_prometheus_exporter;
        listen 0.0.0.0:9542; # can be any other port as well

        access_log off;
        location /metrics {
            default_type text/plain;
            content_by_lua_block {
                local prometheus = require "kong.plugins.prometheus.exporter"
                prometheus:collect()
            }
        }

        location /nginx_status {
            internal;
            access_log off;
            stub_status;
        }
    }
    # Health check server
    # TODO how to health check kong in dbless?
    server {
        server_name kong_health_check;
        listen 0.0.0.0:9001; # can be any other port as well

        access_log off;
        location /health {
            return 200;
        }
    }
  • kong-ingress-controller-dbless-ds.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: kong-ingress-proxy
  namespace: kong
spec:
  type: ClusterIP
  ports:
  - name: kong-proxy
    port: 80
    targetPort: 80
    protocol: TCP
  - name: kong-proxy-ssl
    port: 443
    targetPort: 443
    protocol: TCP
  selector:
    # must match the Pod label below (the original had the typo kong-ingres-proxy, which selects no Pods)
    app: kong-ingress-proxy
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kong-ingress-proxy
  namespace: kong
spec:
  template:
    metadata:
      labels:
        name: kong-ingress-proxy
        app: kong-ingress-proxy
      annotations:
        prometheus.io/port: "9542"
        prometheus.io/scrape: "true"
    spec:
      # share the host network stack
      hostNetwork: true
      # select the nodes labelled node-role=kong
      nodeSelector:
        node-role: kong
      # tolerate the node-role=kong taint
      tolerations:
      - effect: NoSchedule
        key: "node-role"
        operator: "Equal"
        value: "kong"
      dnsPolicy: ClusterFirstWithHostNet
      serviceAccountName: kong-serviceaccount
      containers:
      - name: proxy
        image: kong:1.2
        env:
        - name: KONG_NGINX_DAEMON
          value: "off"
        # no database: the sidecar pushes the whole configuration through the admin API
        - name: KONG_DATABASE
          value: "off"
        # extra nginx server blocks (metrics and health check) from the ConfigMap
        - name: KONG_NGINX_HTTP_INCLUDE
          value: "/kong/servers.conf"
        - name: KONG_ADMIN_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_ADMIN_ERROR_LOG
          value: "/dev/stderr"
        # admin API only on the loopback interface, TLS only, for the sidecar
        - name: KONG_ADMIN_LISTEN
          value: "127.0.0.1:8444 ssl"
        - name: KONG_PROXY_LISTEN
          value: '0.0.0.0:80, 0.0.0.0:443 ssl'
        - name: KONG_SSL_CIPHER_SUITE
          value: "modern"
        - name: KONG_SSL_CERT
          value: "/opt/tls/tls.crt"
        - name: KONG_SSL_CERT_KEY
          value: "/opt/tls/tls.key"
        - name: KONG_CLIENT_MAX_BODY_SIZE
          value: "0"
        - name: KONG_CLIENT_BODY_BUFFER_SIZE
          value: "16k"
        - name: KONG_UPSTREAM_KEEPALIVE
          value: "60"
        - name: KONG_REAL_IP_HEADER
          value: "X-Real-IP"
        - name: KONG_MEM_CACHE_SIZE
          value: "128m"
        command:
        - /usr/local/bin/kong
        - start
        #securityContext:
        #  capabilities:
        #    add:
        #    - NET_BIND_SERVICE
        lifecycle:
          preStop:
            exec:
              command: [ "/bin/sh", "-c", "kong quit" ]
        ports:
        - name: proxy
          containerPort: 80
          protocol: TCP
        - name: proxy-ssl
          containerPort: 443
          protocol: TCP
        - name: metrics
          containerPort: 9542
          protocol: TCP
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /health
            port: 9001
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /health
            port: 9001
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - name: kong-server-blocks
          mountPath: /kong
        - name: timezone-volume
          mountPath: /etc/localtime
          readOnly: true
        - name: tls-volume
          mountPath: /opt/tls/
          readOnly: true
      - name: ingress-controller
        args:
        - /kong-ingress-controller
        # the kong URL points to the kong admin api server
        - --kong-url=https://localhost:8444
        # the admin API is reached over the node's loopback (hostNetwork), so its self-signed certificate is not verified
        - --admin-tls-skip-verify
        # Service from where we extract the IP address/es to use in Ingress status
        # (the original pointed at kong/kong-proxy, which this page never defines)
        - --publish-service=kong/kong-ingress-proxy
        - --sync-period=10m0s
        - --v=2
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.5.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - name: timezone-volume
          mountPath: /etc/localtime
          readOnly: true
      volumes:
      - name: kong-server-blocks
        configMap:
          name: kong-server-blocks
      - name: timezone-volume
        hostPath:
          path: /usr/share/zoneinfo/Asia/Shanghai
      - name: tls-volume
        secret:
          secretName: kong-tls-secret

CRD resources

Documentation on how to use the CRD resources is available on GitHub

KongPlugin

Kong's official website has an introduction to the plugins

Enabling the IP blacklist/whitelist

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ip-restriction
  namespace: default
disabled: false # optional
plugin: ip-restriction
config:
  # whitelist: # only one of blacklist and whitelist may be set
  # - 8.8.8.8
  # - 8.8.4.4
  blacklist:
  - 8.8.8.8
  - 8.8.4.4

Enabling Prometheus

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-prometheus
  namespace: kong
  labels:
    # label values must be strings; global: "true" applies the plugin to every route
    global: "true"
plugin: prometheus
disabled: false
# the prometheus plugin takes no config: the status_code/content_type/body/message
# fields in the original belong to the request-termination plugin and Kong rejects them as unknown fields

Enabling rate-limiting

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limit
  namespace: default
  labels:
    global: "false"
plugin: rate-limiting
disabled: false
config:
  second: 5
  hour: 10000
  limit_by: ip
  policy: local # local, cluster, redis

Enabling Zipkin tracing

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: echo-http-zipkin-trace
  namespace: default
  labels:
    global: "false"
disabled: false
plugin: zipkin
config:
  http_endpoint: "http://your.zipkin.collector:9411/api/v2/spans"
  sample_ratio: 1 # sampling ratio for requests that carry no trace id; 1 means 100%, i.e. everything is sampled

Enabling Basic Authentication

During authentication this looks up KongConsumer and KongCredential

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: demo-basic-auth
  namespace: default
disabled: false
plugin: basic-auth

Configuring response headers

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: response-transformer
  namespace: default
  labels:
    global: "false"
# the original had "disable:" and a "label:" block; the field names are disabled and labels
disabled: false
plugin: response-transformer
config:
  replace:
    json: []
    headers: []
  append:
    json: []
    headers: []
  add:
    json: []
    headers:
    - "abc: def"
  remove:
    json: []
    headers:
    - Last-Modified

KongIngress

apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: configuration-demo
upstream:
  hash_on: none
  hash_fallback: none
  healthchecks:
    active:
      concurrency: 10
      healthy:
        http_statuses:
        - 200
        - 302
        interval: 0
        successes: 0
      http_path: "/"
      timeout: 1
      unhealthy:
        http_failures: 0
        http_statuses:
        - 429
        interval: 0
        tcp_failures: 0
        timeouts: 0
    passive:
      healthy:
        http_statuses:
        - 200
        successes: 0
      unhealthy:
        http_failures: 0
        http_statuses:
        - 429
        - 503
        tcp_failures: 0
        timeouts: 0
  slots: 10
proxy:
  protocol: http
  path: /
  connect_timeout: 10000
  retries: 10
  read_timeout: 10000
  write_timeout: 10000
route:
  methods:
  - GET
  - HEAD
  - POST
  - PUT
  - DELETE
  #- CONNECT
  #- OPTIONS
  #- TRACE
  #- PATCH
  regex_priority: 0
  strip_path: false
  preserve_host: true
  protocols:
  - http
  - https

KongConsumer

Example

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: consumer-team-x
username: team-X
custom_id: my_team_x

KongCredential

Example

apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: credential-team-x
consumerRef: consumer-team-x
type: key-auth
config:
  key: 62eb165c070a41d5c1b58d9d3d725ca1
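The Basic Authentication section above says the plugin looks up KongConsumer and KongCredential, but the only credential shown on this page is a key-auth one. As an added example, not taken from the original post or from the project documentation, this is the matching basic-auth KongCredential for the consumer-team-x consumer together with an Ingress that enables the demo-basic-auth plugin on one host; the credential name, the Ingress name, the host and the password value are assumptions of mine, and tomcat-service:8080 is the backend used elsewhere on this page:

```yaml
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: credential-team-x-basic   # assumed name
  namespace: default
consumerRef: consumer-team-x       # the KongConsumer defined above
type: basic-auth
config:
  username: team-x
  password: change-me              # constructed value
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: protected-ingress          # assumed name
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "kong"
    # the KongPlugin named demo-basic-auth (same namespace) is applied to every route of this Ingress
    plugins.konghq.com: "demo-basic-auth"
spec:
  rules:
  - host: protected.example.com    # assumed host
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service
          servicePort: 8080
```

With this in place, requests to protected.example.com without a valid Authorization: Basic header are answered by Kong with 401 before they reach tomcat-service; the KongCredential is resolved through consumerRef, so the consumer and the credential have to be created in the same namespace as the Ingress that references the plugin.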

Kubernetes Ingress configuration

Declaring annotations on the Ingress lets it reference the CRD resources defined by Kong Ingress Controller

The GitHub documentation is here

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress
  namespace: default
  annotations:
    # declare that this Ingress is handled by kong ingress controller
    kubernetes.io/ingress.class: "kong"
    # declare the KongIngress configuration to use
    configuration.konghq.com: "configuration-demo"
    # declare the KongPlugins to use
    plugins.konghq.com: "ip-restriction,kong-prometheus,response-transformer"
spec:
  tls:
  - secretName: example-com-secret
    hosts:
    - "*.example.com"
  rules:
  # host defines the domain name
  - host: tomcat.example.com
    # define the HTTP service
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service
          # either the port number or the port name (e.g. http) can be given here
          servicePort: 8080