k8s整合kong
k8s整合kong
Kong网关的发展历程
Kong网关起源于2007年,由Augusto、Marco、Michele三人在意大利的一个小车库中开发,当时命名为Mashup平台。在随后7年的时间里,Mashup平台逐渐占据API网关市场的主导地位。2017年10月,Mashup平台正式更名为Kong,并推出了Kong企业版。2018年,Kong公司成立,并发布了Kong 1.0版本。此次用的为kong 2.8.2版本。Kong、OpenResty都是基于Nginx打造的新一代服务器。它们兼具Web服务器的功能,但侧重于网关层特性的延伸。展示了三者的关系。
在功能定位上,Kong和OpenResty有很多相似之处,都是基于Lua脚本做二次开发。但Kong在OpenResty之上又衍生出不少新的概念,对网关内部层级做了更好的抽象,更符合用户使用习惯。
2019年,Kong公司对外发布了不少更倾向于云原生服务的产品。例如:Kong网关升级到了2.0版本,并与Kubernetes有机结合,可以作为入口控制器来协调整个Kubernetes集群;Kuma产品基于Envoy的Service Mesh,降低了系统复杂性并提高了服务可靠性。相信Kong公司未来会给我们更多惊喜和更多划时代的新产品。此次调研主要是kong作为api网关,istio作为服务治理框架,结合一起使用。
下面是整合的示意图,暂时不过介绍istio
Ingress介绍
在 Kubernetes 集群内部使用 kube-dns 实现服务发现的功能,那么我们部署在 Kubernetes 集群中的应用如何暴露给外部的用户使用呢?我们知道可以使用 NodePort
和 LoadBlancer
类型的 Service 可以把应用暴露给外部用户使用,除此之外,Kubernetes 还为我们提供了一个非常重要的资源对象可以用来暴露服务给外部用户,那就是 Ingress
。对于小规模的应用我们使用 NodePort 或许能够满足我们的需求,但是当你的应用越来越多的时候,你就会发现对于 NodePort 的管理就非常麻烦了,这个时候使用 Ingress 就非常方便了,可以避免管理大量的端口。
Ingress
资源对象是 Kubernetes 内置定义的一个对象,是从 Kuberenets 集群外部访问集群的一个入口,将外部的请求转发到集群内不同的 Service 上,其实就相当于 nginx、haproxy 等负载均衡代理服务器,可能你会觉得我们直接使用 nginx 就实现了,但是只使用 nginx 这种方式有很大缺陷,每次有新服务加入的时候怎么改 Nginx 配置?不可能让我们去手动更改或者滚动更新前端的 Nginx Pod 吧?那我们再加上一个服务发现的工具比如 consul 如何?貌似是可以,对吧?Ingress 实际上就是这样实现的,只是服务发现的功能自己实现了,不需要使用第三方的服务了,然后再加上一个域名规则定义,路由信息的刷新依靠 Ingress Controller 来提供。
Ingress Controller 可以理解为一个监听器,通过不断地监听 kube-apiserver,实时的感知后端 Service、Pod 的变化,当得到这些信息变化后,Ingress Controller 再结合 Ingress 的配置,更新反向代理负载均衡器,达到服务发现的作用。常见的有ingress-nginx,traefik,apisix以及kong。官网地址:https://docs.konghq.com/kubernetes-ingress-controller/latest/deployment/k4k8s/
kong安装
helm安装
官网推荐的是helm安装,步骤如下:
helm repo add kong https://charts.konghq.com
helm repo update
# Helm 3
helm install kong/kong --generate-name --set ingressController.installCRDs=false
还要设置一下变量,后续通过变量连链接kong
export PROXY_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong demo-kong-proxy)
官网示例如下:
curl -i $PROXY_IP/foo
通过动态ip访问不是很友好,而且helm里面的svc安装方式为LoadBalancer,但是Kubernetes
不为裸机集群提供网络负载均衡器的实现(LoadBalancer 类型的服务)。 Kubernetes
附带的 Network LB
的实现都是调用各种 IaaS
平台(GCP,AWS,Azure 等)的粘合代码。 如果你未在受支持的 IaaS
平台(GCP,AWS,Azure 等)上运行,则 LoadBalancers
在创建后将无限期保持 “pending”
状态。
可以通过MetalLB 解决 EXTERNAL-IP
“pending”
的问题,具体参考:https://makeoptim.com/service-mesh/kubeadm-kubernetes-istio-setup#metallb
资源清单安装
常见的kong的数据库安装有3种,PG,Cassandra和DB-less,官网给出的资源清单,只有和PG和DB-less,后者是用Yaml后者JSON文件直接进行声明式配置即可,更适合CI/CD场景。官网地址:https://github.com/Kong/kubernetes-ingress-controller/blob/main/deploy/single/all-in-one-postgres.yaml
需要做部分修改,具体的如下:
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: kongclusterplugins.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: KongClusterPlugin
listKind: KongClusterPluginList
plural: kongclusterplugins
shortNames:
- kcp
singular: kongclusterplugin
scope: Cluster
versions:
- additionalPrinterColumns:
- description: Name of the plugin
jsonPath: .plugin
name: Plugin-Type
type: string
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: Indicates if the plugin is disabled
jsonPath: .disabled
name: Disabled
priority: 1
type: boolean
- description: Configuration of the plugin
jsonPath: .config
name: Config
priority: 1
type: string
name: v1
schema:
openAPIV3Schema:
description: KongClusterPlugin is the Schema for the kongclusterplugins API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
config:
description: Config contains the plugin configuration.
type: object
x-kubernetes-preserve-unknown-fields: true
configFrom:
description: ConfigFrom references a secret containing the plugin configuration.
properties:
secretKeyRef:
description: NamespacedSecretValueFromSource represents the source
of a secret value specifying the secret namespace
properties:
key:
description: the key containing the value
type: string
name:
description: the secret containing the key
type: string
namespace:
description: The namespace containing the secret
type: string
required:
- key
- name
- namespace
type: object
type: object
consumerRef:
description: ConsumerRef is a reference to a particular consumer
type: string
disabled:
description: Disabled set if the plugin is disabled or not
type: boolean
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
plugin:
description: PluginName is the name of the plugin to which to apply the
config
type: string
protocols:
description: Protocols configures plugin to run on requests received on
specific protocols.
items:
enum:
- http
- https
- grpc
- grpcs
- tcp
- tls
- udp
type: string
type: array
run_on:
description: RunOn configures the plugin to run on the first or the second
or both nodes in case of a service mesh deployment.
enum:
- first
- second
- all
type: string
required:
- plugin
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: kongconsumers.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: KongConsumer
listKind: KongConsumerList
plural: kongconsumers
shortNames:
- kc
singular: kongconsumer
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Username of a Kong Consumer
jsonPath: .username
name: Username
type: string
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: KongConsumer is the Schema for the kongconsumers API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
credentials:
description: Credentials are references to secrets containing a credential
to be provisioned in Kong.
items:
type: string
type: array
custom_id:
description: CustomID existing unique ID for the consumer - useful for
mapping Kong with users in your existing database
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
username:
description: Username unique username of the consumer.
type: string
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: kongingresses.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: KongIngress
listKind: KongIngressList
plural: kongingresses
shortNames:
- ki
singular: kongingress
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: KongIngress is the Schema for the kongingresses API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
proxy:
description: Proxy defines additional connection options for the routes
to be configured in the Kong Gateway, e.g. `connection_timeout`, `retries`,
e.t.c.
properties:
connect_timeout:
description: The timeout in milliseconds for establishing a connection
to the upstream server.
minimum: 0
type: integer
path:
description: The path to be used in requests to the upstream server.(optional)
pattern: ^/.*$
type: string
protocol:
description: The protocol used to communicate with the upstream.
enum:
- http
- https
- grpc
- grpcs
- tcp
- tls
- udp
type: string
read_timeout:
description: The timeout in milliseconds between two successive read
operations for transmitting a request to the upstream server.
minimum: 0
type: integer
retries:
description: The number of retries to execute upon failure to proxy.
minimum: 0
type: integer
write_timeout:
description: The timeout in milliseconds between two successive write
operations for transmitting a request to the upstream server.
minimum: 0
type: integer
type: object
route:
description: Route define rules to match client requests. Each Route is
associated with a Service, and a Service may have multiple Routes associated
to it.
properties:
headers:
additionalProperties:
items:
type: string
type: array
description: Headers contains one or more lists of values indexed
by header name that will cause this Route to match if present in
the request. The Host header cannot be used with this attribute.
type: object
https_redirect_status_code:
description: HTTPSRedirectStatusCode is the status code Kong responds
with when all properties of a Route match except the protocol.
type: integer
methods:
description: Methods is a list of HTTP methods that match this Route.
items:
type: string
type: array
path_handling:
description: PathHandling controls how the Service path, Route path
and requested path are combined when sending a request to the upstream.
enum:
- v0
- v1
type: string
preserve_host:
description: PreserveHost sets When matching a Route via one of the
hosts domain names, use the request Host header in the upstream
request headers. If set to false, the upstream Host header will
be that of the Service’s host.
type: boolean
protocols:
description: Protocols is an array of the protocols this Route should
allow.
items:
enum:
- http
- https
- grpc
- grpcs
- tcp
- tls
- udp
type: string
type: array
regex_priority:
description: RegexPriority is a number used to choose which route
resolves a given request when several routes match it using regexes
simultaneously.
type: integer
request_buffering:
description: RequestBuffering sets whether to enable request body
buffering or not.
type: boolean
response_buffering:
description: ResponseBuffering sets whether to enable response body
buffering or not.
type: boolean
snis:
description: SNIs is a list of SNIs that match this Route when using
stream routing.
items:
type: string
type: array
strip_path:
description: StripPath sets When matching a Route via one of the paths
strip the matching prefix from the upstream request URL.
type: boolean
type: object
upstream:
description: Upstream represents a virtual hostname and can be used to
loadbalance incoming requests over multiple targets (e.g. Kubernetes
`Services` can be a target, OR `Endpoints` can be targets).
properties:
algorithm:
description: Algorithm is the load balancing algorithm to use.
enum:
- round-robin
- consistent-hashing
- least-connections
type: string
hash_fallback:
description: 'HashFallback defines What to use as hashing input if
the primary hash_on does not return a hash. Accepted values are:
"none", "consumer", "ip", "header", "cookie".'
type: string
hash_fallback_header:
description: HashFallbackHeader is the header name to take the value
from as hash input. Only required when "hash_fallback" is set to
"header".
type: string
hash_on:
description: 'HashOn defines what to use as hashing input. Accepted
values are: "none", "consumer", "ip", "header", "cookie".'
type: string
hash_on_cookie:
description: The cookie name to take the value from as hash input.
Only required when "hash_on" or "hash_fallback" is set to "cookie".
type: string
hash_on_cookie_path:
description: The cookie path to set in the response headers. Only
required when "hash_on" or "hash_fallback" is set to "cookie".
type: string
hash_on_header:
description: HashOnHeader defines the header name to take the value
from as hash input. Only required when "hash_on" is set to "header".
type: string
healthchecks:
description: Healthchecks defines the health check configurations
in Kong.
properties:
active:
description: ActiveHealthcheck configures active health check
probing.
properties:
concurrency:
minimum: 1
type: integer
healthy:
description: Healthy configures thresholds and HTTP status
codes to mark targets healthy for an upstream.
properties:
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
successes:
minimum: 0
type: integer
type: object
http_path:
pattern: ^/.*$
type: string
https_sni:
type: string
https_verify_certificate:
type: boolean
timeout:
minimum: 0
type: integer
type:
type: string
unhealthy:
description: Unhealthy configures thresholds and HTTP status
codes to mark targets unhealthy.
properties:
http_failures:
minimum: 0
type: integer
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
tcp_failures:
minimum: 0
type: integer
timeouts:
minimum: 0
type: integer
type: object
type: object
passive:
description: PassiveHealthcheck configures passive checks around
passive health checks.
properties:
healthy:
description: Healthy configures thresholds and HTTP status
codes to mark targets healthy for an upstream.
properties:
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
successes:
minimum: 0
type: integer
type: object
type:
type: string
unhealthy:
description: Unhealthy configures thresholds and HTTP status
codes to mark targets unhealthy.
properties:
http_failures:
minimum: 0
type: integer
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
tcp_failures:
minimum: 0
type: integer
timeouts:
minimum: 0
type: integer
type: object
type: object
threshold:
type: number
type: object
host_header:
description: HostHeader is The hostname to be used as Host header
when proxying requests through Kong.
type: string
slots:
description: Slots is the number of slots in the load balancer algorithm.
minimum: 10
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: kongplugins.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: KongPlugin
listKind: KongPluginList
plural: kongplugins
shortNames:
- kp
singular: kongplugin
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Name of the plugin
jsonPath: .plugin
name: Plugin-Type
type: string
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: Indicates if the plugin is disabled
jsonPath: .disabled
name: Disabled
priority: 1
type: boolean
- description: Configuration of the plugin
jsonPath: .config
name: Config
priority: 1
type: string
name: v1
schema:
openAPIV3Schema:
description: KongPlugin is the Schema for the kongplugins API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
config:
description: Config contains the plugin configuration.
type: object
x-kubernetes-preserve-unknown-fields: true
configFrom:
description: ConfigFrom references a secret containing the plugin configuration.
properties:
secretKeyRef:
description: SecretValueFromSource represents the source of a secret
value
properties:
key:
description: the key containing the value
type: string
name:
description: the secret containing the key
type: string
required:
- key
- name
type: object
type: object
consumerRef:
description: ConsumerRef is a reference to a particular consumer
type: string
disabled:
description: Disabled set if the plugin is disabled or not
type: boolean
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
plugin:
description: PluginName is the name of the plugin to which to apply the
config
type: string
protocols:
description: Protocols configures plugin to run on requests received on
specific protocols.
items:
enum:
- http
- https
- grpc
- grpcs
- tcp
- tls
- udp
type: string
type: array
run_on:
description: RunOn configures the plugin to run on the first or the second
or both nodes in case of a service mesh deployment.
enum:
- first
- second
- all
type: string
required:
- plugin
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: tcpingresses.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: TCPIngress
listKind: TCPIngressList
plural: tcpingresses
singular: tcpingress
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Address of the load balancer
jsonPath: .status.loadBalancer.ingress[*].ip
name: Address
type: string
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: TCPIngress is the Schema for the tcpingresses API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TCPIngressSpec defines the desired state of TCPIngress
properties:
rules:
description: A list of rules used to configure the Ingress.
items:
description: IngressRule represents a rule to apply against incoming
requests. Matching is performed based on an (optional) SNI and
port.
properties:
backend:
description: Backend defines the referenced service endpoint
to which the traffic will be forwarded to.
properties:
serviceName:
description: Specifies the name of the referenced service.
type: string
servicePort:
description: Specifies the port of the referenced service.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- serviceName
- servicePort
type: object
host:
description: Host is the fully qualified domain name of a network
host, as defined by RFC 3986. If a Host is specified, the
protocol must be TLS over TCP. A plain-text TCP request cannot
be routed based on Host. It can only be routed based on Port.
type: string
port:
description: Port is the port on which to accept TCP or TLS
over TCP sessions and route. It is a required field. If a
Host is not specified, the requested are routed based only
on Port.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- backend
type: object
type: array
tls:
description: TLS configuration. This is similar to the `tls` section
in the Ingress resource in networking.v1beta1 group. The mapping
of SNIs to TLS cert-key pair defined here will be used for HTTP
Ingress rules as well. Once can define the mapping in this resource
or the original Ingress resource, both have the same effect.
items:
description: IngressTLS describes the transport layer security.
properties:
hosts:
description: Hosts are a list of hosts included in the TLS certificate.
The values in this list must match the name/s used in the
tlsSecret. Defaults to the wildcard host setting for the loadbalancer
controller fulfilling this Ingress, if left unspecified.
items:
type: string
type: array
secretName:
description: SecretName is the name of the secret used to terminate
SSL traffic.
type: string
type: object
type: array
type: object
status:
description: TCPIngressStatus defines the observed state of TCPIngress
properties:
loadBalancer:
description: LoadBalancer contains the current status of the load-balancer.
properties:
ingress:
description: Ingress is a list containing ingress points for the
load-balancer. Traffic intended for the service should be sent
to these ingress points.
items:
description: 'LoadBalancerIngress represents the status of a
load-balancer ingress point: traffic intended for the service
should be sent to an ingress point.'
properties:
hostname:
description: Hostname is set for load-balancer ingress points
that are DNS based (typically AWS load-balancers)
type: string
ip:
description: IP is set for load-balancer ingress points
that are IP based (typically GCE or OpenStack load-balancers)
type: string
ports:
description: Ports is a list of records of service ports
If used, every port defined in the service should have
an entry in it
items:
properties:
error:
description: 'Error is to record the problem with
the service port The format of the error shall comply
with the following rules: - built-in error values
shall be specified in this file and those shall
use CamelCase names - cloud provider specific
error values must have names that comply with the format
foo.example.com/CamelCase. --- The regex it matches
is (dns1123SubdomainFmt/)?(qualifiedNameFmt)'
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
port:
description: Port is the port number of the service
port of which status is recorded here
format: int32
type: integer
protocol:
default: TCP
description: 'Protocol is the protocol of the service
port of which status is recorded here The supported
values are: "TCP", "UDP", "SCTP"'
type: string
required:
- port
- protocol
type: object
type: array
x-kubernetes-list-type: atomic
type: object
type: array
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: udpingresses.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: UDPIngress
listKind: UDPIngressList
plural: udpingresses
singular: udpingress
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Address of the load balancer
jsonPath: .status.loadBalancer.ingress[*].ip
name: Address
type: string
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: UDPIngress is the Schema for the udpingresses API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: UDPIngressSpec defines the desired state of UDPIngress
properties:
rules:
description: A list of rules used to configure the Ingress.
items:
description: UDPIngressRule represents a rule to apply against incoming
requests wherein no Host matching is available for request routing,
only the port is used to match requests.
properties:
backend:
description: Backend defines the Kubernetes service which accepts
traffic from the listening Port defined above.
properties:
serviceName:
description: Specifies the name of the referenced service.
type: string
servicePort:
description: Specifies the port of the referenced service.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- serviceName
- servicePort
type: object
port:
description: Port indicates the port for the Kong proxy to accept
incoming traffic on, which will then be routed to the service
Backend.
type: integer
required:
- backend
- port
type: object
type: array
type: object
status:
description: UDPIngressStatus defines the observed state of UDPIngress
properties:
loadBalancer:
description: LoadBalancer contains the current status of the load-balancer.
properties:
ingress:
description: Ingress is a list containing ingress points for the
load-balancer. Traffic intended for the service should be sent
to these ingress points.
items:
description: 'LoadBalancerIngress represents the status of a
load-balancer ingress point: traffic intended for the service
should be sent to an ingress point.'
properties:
hostname:
description: Hostname is set for load-balancer ingress points
that are DNS based (typically AWS load-balancers)
type: string
ip:
description: IP is set for load-balancer ingress points
that are IP based (typically GCE or OpenStack load-balancers)
type: string
ports:
description: Ports is a list of records of service ports
If used, every port defined in the service should have
an entry in it
items:
properties:
error:
description: 'Error is to record the problem with
the service port The format of the error shall comply
with the following rules: - built-in error values
shall be specified in this file and those shall
use CamelCase names - cloud provider specific
error values must have names that comply with the format
foo.example.com/CamelCase. --- The regex it matches
is (dns1123SubdomainFmt/)?(qualifiedNameFmt)'
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
port:
description: Port is the port number of the service
port of which status is recorded here
format: int32
type: integer
protocol:
default: TCP
description: 'Protocol is the protocol of the service
port of which status is recorded here The supported
values are: "TCP", "UDP", "SCTP"'
type: string
required:
- port
- protocol
type: object
type: array
x-kubernetes-list-type: atomic
type: object
type: array
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kong-serviceaccount
namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kong-leader-election
namespace: kong
rules:
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: kong-ingress
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- endpoints/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- secrets/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
verbs:
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways
verbs:
- get
- list
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways/status
verbs:
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes/status
verbs:
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- referencepolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- referencepolicies/finalizers
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- referencepolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- tcproutes/status
verbs:
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- tlsroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- tlsroutes/status
verbs:
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- udproutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- udproutes/status
verbs:
- get
- update
- apiGroups:
- networking.internal.knative.dev
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.internal.knative.dev
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kong-leader-election
namespace: kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kong-leader-election
subjects:
- kind: ServiceAccount
name: kong-serviceaccount
namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kong-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kong-ingress
subjects:
- kind: ServiceAccount
name: kong-serviceaccount
namespace: kong
---
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-type: nlb
name: kong-proxy
namespace: kong
spec:
ports:
- name: proxy
port: 80
protocol: TCP
targetPort: 8000
- name: proxy-ssl
port: 443
protocol: TCP
targetPort: 8443
selector:
app: ingress-kong
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: kong-validation-webhook
namespace: kong
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: 8080
selector:
app: ingress-kong
---
apiVersion: v1
kind: Service
metadata:
name: postgres
namespace: kong
spec:
ports:
- name: pgql
port: 5432
protocol: TCP
targetPort: 5432
selector:
app: postgres
---
apiVersion: v1
kind: Service
metadata:
name: kong-ingress-controller
namespace: kong
spec:
type: NodePort
ports:
- name: kong-admin
port: 8001
targetPort: 8001
nodePort: 30001
protocol: TCP
selector:
app: ingress-kong
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ingress-kong
name: ingress-kong
namespace: kong
spec:
replicas: 1
selector:
matchLabels:
app: ingress-kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
traffic.sidecar.istio.io/includeInboundPorts: ""
labels:
app: ingress-kong
spec:
dnsPolicy: ClusterFirstWithHostNet ## dns对应调整为主机网络
hostNetwork: true ## 占用本机80端口和443端口,所以使用主机网络
containers:
- env:
- name: KONG_DATABASE
value: postgres
- name: KONG_PG_HOST
value: postgres
- name: KONG_PG_PASSWORD
value: kong
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:80, 0.0.0.0:443 ssl http2
- name: KONG_PORT_MAPS
value: 80:80, 443:443
- name: KONG_ADMIN_LISTEN
value: 0.0.0.0:8001,0.0.0.0:8444 ssl
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100
- name: KONG_NGINX_WORKER_PROCESSES
value: "2"
- name: KONG_KIC
value: "on"
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
image: kong:2.8
securityContext:
runAsUser: 0
capabilities:
add:
- NET_ADMIN
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- kong quit
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8100
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-ssl
protocol: TCP
- containerPort: 8100
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8100
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
- env:
- name: CONTROLLER_KONG_ADMIN_URL
value: https://127.0.0.1:8444
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: "true"
- name: CONTROLLER_PUBLISH_SERVICE
value: kong/kong-proxy
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: kong/kubernetes-ingress-controller:2.3.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
initContainers:
- command:
- /bin/sh
- -c
- while true; do kong migrations list; if [[ 0 -eq $? ]]; then exit 0; fi;
sleep 2; done;
env:
- name: KONG_PG_HOST
value: postgres
- name: KONG_PG_PASSWORD
value: kong
image: kong:2.8
name: wait-for-migrations
serviceAccountName: kong-serviceaccount
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres
namespace: kong
spec:
replicas: 1
selector:
matchLabels:
app: postgres
serviceName: postgres
template:
metadata:
labels:
app: postgres
spec:
containers:
- env:
- name: POSTGRES_USER
value: kong
- name: POSTGRES_PASSWORD
value: kong
- name: POSTGRES_DB
value: kong
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
image: postgres:9.5
name: postgres
ports:
- containerPort: 5432
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: datadir
subPath: pgdata
terminationGracePeriodSeconds: 60
volumes:
- name: datadir
persistentVolumeClaim:
claimName: pvc
---
apiVersion: batch/v1
kind: Job
metadata:
name: kong-migrations
namespace: kong
spec:
template:
metadata:
name: kong-migrations
spec:
containers:
- command:
- /bin/sh
- -c
- kong migrations bootstrap
env:
- name: KONG_PG_PASSWORD
value: kong
- name: KONG_PG_HOST
value: postgres
- name: KONG_PG_PORT
value: "5432"
image: kong:2.8
name: kong-migrations
initContainers:
- command:
- /bin/sh
- -c
- until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db';
sleep 1; done
env:
- name: KONG_PG_HOST
value: postgres
- name: KONG_PG_PORT
value: "5432"
image: busybox
name: wait-for-postgres
restartPolicy: OnFailure
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: kong
spec:
controller: ingress-controllers.konghq.com/kong
由于在安装pg的时候会做一个数据挂载,因此需要提前创建好nfs的存储类和pvc
执行后,等相关pod都在running的时候就可以了,如下:
注:postgresql其实只有一个pod,此处为2个,是因为打了istio的标签会自动注入一个边车容器。ingress-kong本身为2个容器,因为修改了相关配置,使用了hostNetwork把相关端口改成了80和443,直接占用了主机的端口,导致不会注入边车容器。istio官网也给出了相关说明:
konga安装
1.先导入数据库
docker run --rm pantsel/konga:latest -c prepare -a postgres -u postgresql://kong:kong@10.244.209.217:5432/konga
10.244.179.5为pg容器的ip地址
2.在编写相关的资源清单,具体如下:
apiVersion: apps/v1
kind: Deployment
metadata:
name: kong-konga
namespace: kong
spec:
selector:
matchLabels:
app: kong-konga
replicas: 1
template:
metadata:
labels:
app: kong-konga
spec:
containers:
- name: kong-konga
image: pantsel/konga:latest
imagePullPolicy: IfNotPresent
env:
- name: DB_ADAPTER
value: postgres
- name: DB_HOST
value: postgres
- name: DB_PORT
value: "5432"
- name: DB_USER
value: kong
- name: DB_DATABASE
value: konga
- name: DB_PASSWORD
value: kong
- name: NODE_ENV
value: production
- name: TZ
value: Asia/Shanghai
ports:
- containerPort: 1337
---
#service
apiVersion: v1
kind: Service
metadata:
name: kong-konga
namespace: kong
spec:
ports:
- port: 80
protocol: TCP
targetPort: 1337
nodePort: 31337
type: NodePort
selector:
app: kong-konga
3.应用后,就能打开相关的页面了,然后与kong进行链接,填kong的svc地址。
kong-ingress
http访问
前面都安装好后,就可以配置相关ingress,通过域名来访问相关应用。
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: konga
namespace: kong
spec:
ingressClassName: kong
rules:
- host: konga-wgr.com
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: kong-konga
port:
number: 80
" | kubectl apply -f -
进行访问:
在界面也能看到相关的路由
https访问(http 强制转https)
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: avatar-https
namespace: spacex-avatar
annotations:
konghq.com/https-redirect-status-code: \"308\"
konghq.com/protocols: https
spec:
ingressClassName: kong
tls:
- hosts:
- avatar.3dlink.cn
secretName: uino-tls
rules:
- host: avatar.3dlink.cn
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: avatar-svc
port:
number: 80
" | kubectl apply -f -
如果不想强制跳转,就不要加下面的注解。
annotations:
konghq.com/https-redirect-status-code: \"308\"
konghq.com/protocols: https
kong插件
官方提供了几十种插件,地址:https://docs.konghq.com/hub,下面就举几个常见的插件,插件可以有多种形式,根据svc,根据路由,根据消费者,最后就是全局,全局是可以跨namespace的。
Correlation ID
为会请求头中添加一个唯一的id。
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: test-id
annotations:
kubernetes.io/ingress.class: kong
labels:
global: "true"
config:
header_name: kong-request-id
generator: uuid#counter
echo_downstream: false
plugin: correlation-id
部署一个测试的应用:
kubectl apply -f https://bit.ly/echo-service
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo
spec:
ingressClassName: kong
rules:
- http:
paths:
- path: /foo
pathType: ImplementationSpecific
backend:
service:
name: echo
port:
number: 80
" | kubectl apply -f -
限流
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rl-by-ip
config:
minute: 5
limit_by: ip
policy: local
plugin: rate-limiting
" | kubectl apply -f -
再给之前测试的应用添加限流标签:
kubectl patch svc echo \
-p '{"metadata":{"annotations":{"konghq.com/plugins": "rl-by-ip\n"}}}'
下面几个插件用konga管理页面创建展示,注意:konga创建的插件不会在k8s的KongPlugin资源清单中找到,但是在K8s中创建的清单,可以在konga找到
身份验证
前提要创建好相关的凭证,访问前就会有弹窗提示
在添加basic auth插件
黑白名单
请求大小限制
当小于10bytes时,就能通过