Closed
2 changes: 1 addition & 1 deletion stable/kong/Chart.yaml
Expand Up @@ -10,5 +10,5 @@ maintainers:
name: kong
sources:
- https://github.com/Kong/kong
version: 0.4.0
version: 0.5.0
appVersion: 0.14.0
152 changes: 100 additions & 52 deletions stable/kong/README.md

Large diffs are not rendered by default.

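--- a/stable/kong/templates/controller-cluster-role.yaml
+++ b/stable/kong/templates/controller-cluster-role.yaml
@@ -0,0 +1,63 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+name: kong-ingress-clusterrole
+rules:
+- apiGroups:
+- ""
+resources:
+- endpoints
+- nodes
+- pods
+- secrets
+verbs:
+- list
+- watch
+- apiGroups:
+- ""
+resources:
+- nodes
+verbs:
+- get
+- apiGroups:
+- ""
+resources:
+- services
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- "extensions"
+resources:
+- ingresses
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- patch
+- apiGroups:
+- "extensions"
+resources:
+- ingresses/status
+verbs:
+- update
+- apiGroups:
+- "configuration.konghq.com"
+resources:
+- kongplugins
+- kongcredentials
+- kongconsumers
+- kongingresses
+verbs:
+- get
+- list
+- watch
+{{- end -}}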
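Review bot: The first rule grants `list` and `watch` on `secrets` in a ClusterRole, so the controller's service account can read every Secret in every namespace, not only the ones referenced by Ingress resources. Nothing in the template says why cluster-wide access is needed, and the README diff is not rendered here, so I cannot tell whether users are told about it. I would add a comment above that rule such as `# cluster-wide read of secrets: the controller resolves secrets referenced by Ingresses in any namespace` (the reason is my inference, please confirm) and state in the README that `ingressController.enabled` installs this grant. The `nodes` resource also appears in two rules (`list`/`watch` here, `get` in the next one), which could be merged.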
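--- a/stable/kong/templates/controller-deployment.yaml
+++ b/stable/kong/templates/controller-deployment.yaml
@@ -0,0 +1,95 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+name: "{{ template "kong.fullname" . }}-controller"
+labels:
+app: "{{ template "kong.name" . }}"
+chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+release: "{{ .Release.Name }}"
+heritage: "{{ .Release.Service }}"
+namespace: {{ .Release.Namespace }}
+spec:
+replicas: {{ .Values.ingressController.replicaCount }}
+selector:
+matchLabels:
+app: {{ template "kong.name" . }}
+release: {{ .Release.Name }}
+template:
+metadata:
+{{- if .Values.podAnnotations }}
+annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+labels:
+app: {{ template "kong.name" . }}
+release: {{ .Release.Name }}
+spec:
+serviceAccountName: kong-serviceaccount
+{{- if .Values.image.imagePullSecrets }}
+imagePullSecrets:
+- name: {{ .Values.image.imagePullSecrets }}
+{{- end }}
+containers:
+- name: admin-api
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+env:
+- name: KONG_PROXY_LISTEN
+value: 'off'
+- name: KONG_ADMIN_ACCESS_LOG
+value: "/dev/stdout"
+- name: KONG_ADMIN_ERROR_LOG
+value: "/dev/stderr"
+{{- if .Values.postgresql.enabled }}
+- name: KONG_PG_HOST
+value: {{ template "kong.postgresql.fullname" . }}
+- name: KONG_PG_PASSWORD
+valueFrom:
+secretKeyRef:
+name: {{ template "kong.postgresql.fullname" . }}
+key: postgres-password
+{{- end }}
+{{- if .Values.cassandra.enabled }}
+- name: KONG_CASSANDRA_CONTACT_POINTS
+value: {{ template "kong.cassandra.fullname" . }}
+{{- end }}
+ports:
+- name: admin
+containerPort: {{ .Values.admin.containerPort }}
+protocol: TCP
+readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 10 }}
+livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 10 }}
+resources:
+{{ toYaml .Values.resources | indent 10 }}
+- name: ingress-controller
+args:
+- /kong-ingress-controller
+# the kong URL points to the kong admin api server
+- --kong-url=http://localhost:{{ .Values.admin.containerPort }}
+# the default service is the kong proxy service
+- --default-backend-service={{ .Release.Namespace }}/{{ template "kong.fullname" . }}-proxy
+# Service from were we extract the IP address/es to use in Ingress status
+- --publish-service={{ .Release.Namespace }}/{{ template "kong.fullname" . }}-proxy
+env:
+- name: POD_NAME
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: metadata.name
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: metadata.namespace
+image: "{{ .Values.ingressController.image.repository }}:{{ .Values.ingressController.image.tag }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+readinessProbe:
+{{ toYaml .Values.ingressController.readinessProbe | indent 10 }}
+livenessProbe:
+{{ toYaml .Values.ingressController.livenessProbe | indent 10 }}
+resources:
+{{ toYaml .Values.ingressController.resources | indent 10 }}
+{{- end -}}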
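Review bot: The `admin-api` container never sets `KONG_ADMIN_LISTEN`, so the address the Admin API binds to is left to the image default, while the only consumer visible in this file is the controller at `http://localhost:{{ .Values.admin.containerPort }}`. The Admin API has no authentication of its own by default, so if it ends up listening on the pod IP, any workload that can reach the pod can reconfigure the gateway. I would set the listener explicitly in the `env` list, `- name: KONG_ADMIN_LISTEN` with `value: "127.0.0.1:{{ .Values.admin.containerPort }}"`. The probes taken from `.Values.readinessProbe` and `.Values.livenessProbe` are defined outside this diff; if they are `httpGet` probes against the admin port they would need adjusting, or access should be limited with a NetworkPolicy instead.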
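--- a/stable/kong/templates/controller-rbac-cluster-role-binding.yaml
+++ b/stable/kong/templates/controller-rbac-cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+name: kong-ingress-clusterrole-nisa-binding
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: kong-ingress-clusterrole
+subjects:
+- kind: ServiceAccount
+name: kong-serviceaccount
+namespace: {{ .Release.Namespace }}
+{{- end -}}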
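Review bot: The names `kong-ingress-clusterrole-nisa-binding` and `kong-ingress-clusterrole` are hard-coded on cluster-scoped objects, so a second release of this chart in another namespace would collide with the first: either the install fails or the two releases end up sharing one binding and one set of grants. The same hard-coding applies to `kong-ingress-clusterrole` in controller-cluster-role.yaml and, within a namespace, to `kong-ingress-role`, `kong-ingress-role-nisa-binding` and `kong-serviceaccount` in the other RBAC templates and the controller Deployment. Deriving the names from the release, for example `name: {{ template "kong.fullname" . }}-ingress-clusterrole`, would keep each release's permissions separate and let them be removed cleanly with the release.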
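--- a/stable/kong/templates/controller-rbac-role-binding.yaml
+++ b/stable/kong/templates/controller-rbac-role-binding.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+name: kong-ingress-role-nisa-binding
+namespace: {{ .Release.Namespace }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: kong-ingress-role
+subjects:
+- kind: ServiceAccount
+name: kong-serviceaccount
+namespace: {{ .Release.Namespace }}
+{{- end -}}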
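--- a/stable/kong/templates/controller-rbac-role.yaml
+++ b/stable/kong/templates/controller-rbac-role.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+name: kong-ingress-role
+namespace: {{ .Release.namespace }}
+rules:
+- apiGroups:
+- ""
+resources:
+- configmaps
+- pods
+- secrets
+- namespaces
+verbs:
+- get
+- apiGroups:
+- ""
+resources:
+- configmaps
+resourceNames:
+# Defaults to "<election-id>-<ingress-class>"
+# Here: "<ingress-controller-leader>-<nginx>"
+# This has to be adapted if you change either parameter
+# when launching the nginx-ingress-controller.
+- "ingress-controller-leader-nginx"
+verbs:
+- get
+- update
+- apiGroups:
+- ""
+resources:
+- configmaps
+verbs:
+- create
+- apiGroups:
+- ""
+resources:
+- endpoints
+verbs:
+- get
+{{- end -}}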
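Review bot: `namespace: {{ .Release.namespace }}` in `metadata` uses a lowercase field, whereas every other template in this commit uses `.Release.Namespace`; the lowercase form most likely renders empty, leaving the Role's namespace to whatever the install defaults to. It should read `namespace: {{ .Release.Namespace }}` so the Role is created where the RoleBinding and ServiceAccount are. Separately, the `resourceNames` entry `ingress-controller-leader-nginx` and the comment above it look carried over from the nginx ingress controller. If the Kong controller uses a different election id or ingress class, the `get`/`update` rule will not match its leader-election ConfigMap, so the name should be checked against the controller's flags and the comment reworded for Kong.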
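--- a/stable/kong/templates/controller-service-account.yaml
+++ b/stable/kong/templates/controller-service-account.yaml
@@ -0,0 +1,7 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: kong-serviceaccount
+namespace: {{ .Release.Namespace }}
+{{- end -}}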
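--- a/stable/kong/templates/crd-kongconsumer.yaml
+++ b/stable/kong/templates/crd-kongconsumer.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: kongconsumers.configuration.konghq.com
+spec:
+group: configuration.konghq.com
+version: v1
+scope: Namespaced
+names:
+kind: KongConsumer
+plural: kongconsumers
+{{- end -}}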
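Review bot: This CustomResourceDefinition and the three that follow (crd-kongcredential.yaml, crd-kongingress.yaml, crd-kongplugins.yaml) are ordinary release templates behind the `ingressController.enabled` switch, so deleting the release, or upgrading with the switch turned off, would also delete the CRDs and with them every KongConsumer, KongCredential, KongIngress and KongPlugin object in the cluster. If that is not intended, a `"helm.sh/hook": crd-install` annotation under `metadata` plus a short comment would make the lifecycle explicit. None of the four specs carries a `validation` schema either, so malformed objects are accepted by the API server and can only be rejected later by the controller.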
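--- a/stable/kong/templates/crd-kongcredential.yaml
+++ b/stable/kong/templates/crd-kongcredential.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: kongcredentials.configuration.konghq.com
+spec:
+group: configuration.konghq.com
+version: v1
+scope: Namespaced
+names:
+kind: KongCredential
+plural: kongcredentials
+{{- end -}}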
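--- a/stable/kong/templates/crd-kongingress.yaml
+++ b/stable/kong/templates/crd-kongingress.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: kongingresses.configuration.konghq.com
+spec:
+group: configuration.konghq.com
+version: v1
+scope: Namespaced
+names:
+kind: KongIngress
+plural: kongingresses
+{{- end -}}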
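--- a/stable/kong/templates/crd-kongplugins.yaml
+++ b/stable/kong/templates/crd-kongplugins.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.ingressController.enabled -}}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: kongplugins.configuration.konghq.com
+spec:
+group: configuration.konghq.com
+version: v1
+scope: Namespaced
+names:
+kind: KongPlugin
+plural: kongplugins
+{{- end -}}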
4 changes: 4 additions & 0 deletions stable/kong/templates/deployment.yaml
Expand Up @@ -28,6 +28,10 @@ spec:
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
{{- if .Values.ingressController.enabled }}

Collaborator


Should there be an option to override this setting? What if there is a use case where Kong should be deployed with Admin API enabled along with Ingress controller?

Contributor Author


I agree, any suggestions on how to handle that ? Maybe:
values.yml

ingressController:
  admin:
     enabled: true   # <--- Enable admin in the controller deployment
     unique: true     # <--- Enable the admin in the controller deployment only

Collaborator


Actually this is a bug.
If ingressController.enabled is true and admin.useTLS is set to true, the behavior will be weird.

Contributor Author


Any suggestions on how we should manage this from a Helm user's perspective? For me, documenting the incompatibility seems the way to go for now, but I'm open to any solution you might have in mind.

Collaborator


My recommendation would be to remove this if clause and let the Admin API be configured using the existing settings. We can recommend that the user disable the Admin API when running in Ingress controller mode, but if need be, it should be possible to enable it.

Let's not clobber Ingress Controller logic inside here. Ingress Controller really should ideally be a drop-in in addition to an existing Kong setup.

Thoughts?

Contributor Author


I removed this, so we should warn people in the docs .

- name: KONG_ADMIN_LISTEN
value: 'off'
{{- end }}
{{- if .Values.admin.useTLS }}
- name: KONG_ADMIN_LISTEN
value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl"
30 changes: 30 additions & 0 deletions stable/kong/values.yaml
Expand Up @@ -142,3 +142,33 @@ postgresql:
postgresDatabase: kong
persistence:
enabled: false

# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
# created in k8s. It uses CRDs for more fine grained control over routing and
# for Kong specific configuration.
ingressController:
enabled: false
image:
repository: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller
tag: 0.1.0
replicaCount: 1
livenessProbe:
failureThreshold: 3
httpGet:
path: "/healthz"
port: 10254
scheme: HTTP
initialDelaySeconds: 180

Collaborator


@shashiranjan84 Thoughts on these delays?

Collaborator


I don't think it needs to be that high. Also, I would increase timeoutSeconds to 5 or 10.

periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:

Collaborator


Can we add an initialDelaySeconds of 120 for readinessProbe, as set for Kong pods?

Contributor Author


Done, it was missing here, modified to 102, thanks

failureThreshold: 3
httpGet:
path: "/healthz"
port: 10254
scheme: HTTP
initialDelaySeconds: 120
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
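Review bot: `ingressController.image` defines `repository` and `tag` but no `pullPolicy`, and the `ingress-controller` container in controller-deployment.yaml falls back to `.Values.image.pullPolicy`, so the pull behaviour of the controller image cannot be set independently of the Kong image. Adding `pullPolicy: IfNotPresent` under `ingressController.image` and reading `.Values.ingressController.image.pullPolicy` in the template would fix that. The image is also referenced only as `repository:tag` from an external registry, which leaves no way to pin it by digest; a comment above `tag: 0.1.0` noting that the tag is mutable would help users who need reproducible pulls.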