[WIP]: Kong ingress controller #7350
Changes from 1 commit
96389c2
65a9e85
1dd5022
debc7c1
f64400b
66648a2
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: kong-ingress-clusterrole | ||
| rules: | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - endpoints | ||
| - nodes | ||
| - pods | ||
| - secrets | ||
| verbs: | ||
| - list | ||
| - watch | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - nodes | ||
| verbs: | ||
| - get | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - services | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch | ||
| - apiGroups: | ||
| - "extensions" | ||
| resources: | ||
| - ingresses | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - events | ||
| verbs: | ||
| - create | ||
| - patch | ||
| - apiGroups: | ||
| - "extensions" | ||
| resources: | ||
| - ingresses/status | ||
| verbs: | ||
| - update | ||
| - apiGroups: | ||
| - "configuration.konghq.com" | ||
| resources: | ||
| - kongplugins | ||
| - kongcredentials | ||
| - kongconsumers | ||
| - kongingresses | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch | ||
| {{- end -}} |
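Review bot: The first rule grants `list` and `watch` on `secrets` in a ClusterRole, so the controller's service account can read every Secret in every namespace; a list response carries the secret data, so this amounts to cluster-wide secret read. If the controller only needs TLS material referenced by Ingress objects, move `secrets` into its own rule with a comment stating that, e.g. `# secrets: TLS material referenced by Ingress objects; cluster-wide because Ingresses may live in any namespace`. The chart documentation should also say that setting `ingressController.enabled` creates this grant, since the rule is gated on that value alone.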
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: apps/v1beta2 | ||
| kind: Deployment | ||
| metadata: | ||
| name: "{{ template "kong.fullname" . }}-controller" | ||
| labels: | ||
| app: "{{ template "kong.name" . }}" | ||
| chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
| release: "{{ .Release.Name }}" | ||
| heritage: "{{ .Release.Service }}" | ||
| namespace: {{ .Release.Namespace }} | ||
| spec: | ||
| replicas: {{ .Values.ingressController.replicaCount }} | ||
| selector: | ||
| matchLabels: | ||
| app: {{ template "kong.name" . }} | ||
| release: {{ .Release.Name }} | ||
| template: | ||
| metadata: | ||
| {{- if .Values.podAnnotations }} | ||
| annotations: | ||
| {{ toYaml .Values.podAnnotations | indent 8 }} | ||
| {{- end }} | ||
| labels: | ||
| app: {{ template "kong.name" . }} | ||
| release: {{ .Release.Name }} | ||
| spec: | ||
| serviceAccountName: kong-serviceaccount | ||
| {{- if .Values.image.imagePullSecrets }} | ||
| imagePullSecrets: | ||
| - name: {{ .Values.image.imagePullSecrets }} | ||
| {{- end }} | ||
| containers: | ||
| - name: admin-api | ||
| image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
| imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
| env: | ||
| - name: KONG_PROXY_LISTEN | ||
| value: 'off' | ||
| - name: KONG_ADMIN_ACCESS_LOG | ||
| value: "/dev/stdout" | ||
| - name: KONG_ADMIN_ERROR_LOG | ||
| value: "/dev/stderr" | ||
| {{- if .Values.postgresql.enabled }} | ||
| - name: KONG_PG_HOST | ||
| value: {{ template "kong.postgresql.fullname" . }} | ||
| - name: KONG_PG_PASSWORD | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: {{ template "kong.postgresql.fullname" . }} | ||
| key: postgres-password | ||
| {{- end }} | ||
| {{- if .Values.cassandra.enabled }} | ||
| - name: KONG_CASSANDRA_CONTACT_POINTS | ||
| value: {{ template "kong.cassandra.fullname" . }} | ||
| {{- end }} | ||
| ports: | ||
| - name: admin | ||
| containerPort: {{ .Values.admin.containerPort }} | ||
| protocol: TCP | ||
| readinessProbe: | ||
| {{ toYaml .Values.readinessProbe | indent 10 }} | ||
| livenessProbe: | ||
| {{ toYaml .Values.livenessProbe | indent 10 }} | ||
| resources: | ||
| {{ toYaml .Values.resources | indent 10 }} | ||
| - name: ingress-controller | ||
| args: | ||
| - /kong-ingress-controller | ||
| # the kong URL points to the kong admin api server | ||
| - --kong-url=http://localhost:{{ .Values.admin.containerPort }} | ||
| # the default service is the kong proxy service | ||
| - --default-backend-service={{ .Release.Namespace }}/{{ template "kong.fullname" . }}-proxy | ||
| # Service from were we extract the IP address/es to use in Ingress status | ||
| - --publish-service={{ .Release.Namespace }}/{{ template "kong.fullname" . }}-proxy | ||
| env: | ||
| - name: POD_NAME | ||
| valueFrom: | ||
| fieldRef: | ||
| apiVersion: v1 | ||
| fieldPath: metadata.name | ||
| - name: POD_NAMESPACE | ||
| valueFrom: | ||
| fieldRef: | ||
| apiVersion: v1 | ||
| fieldPath: metadata.namespace | ||
| image: "{{ .Values.ingressController.image.repository }}:{{ .Values.ingressController.image.tag }}" | ||
| imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
| readinessProbe: | ||
| {{ toYaml .Values.ingressController.readinessProbe | indent 10 }} | ||
| livenessProbe: | ||
| {{ toYaml .Values.ingressController.livenessProbe | indent 10 }} | ||
| resources: | ||
| {{ toYaml .Values.ingressController.resources | indent 10 }} | ||
| {{- end -}} |
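Review bot: The `admin-api` container publishes the Admin API port and the controller reaches it over plain `http://localhost`, but nothing in this section sets the address the Admin API listens on, so whether other pods can reach it depends on the image default. The Admin API is unauthenticated by default, so if only the sidecar needs it, set the listener explicitly, e.g. `- name: KONG_ADMIN_LISTEN` with `value: "127.0.0.1:{{ .Values.admin.containerPort }}"`. The probes taken from `.Values.readinessProbe` and `.Values.livenessProbe` would then need adjusting if they are `httpGet` checks against that port, which is not visible here. Separately, the `app`/`release` selector labels look like the ones the main Kong Deployment would use, so existing Services may also select this pod; that is inferred, since the other templates are outside this diff.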
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| kind: ClusterRoleBinding | ||
| metadata: | ||
| name: kong-ingress-clusterrole-nisa-binding | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: kong-ingress-clusterrole | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: kong-serviceaccount | ||
| namespace: {{ .Release.Namespace }} | ||
| {{- end -}} |
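Review bot: The names here are fixed strings (`kong-ingress-clusterrole-nisa-binding`, `kong-ingress-clusterrole`, `kong-serviceaccount`) rather than derived from the release, and ClusterRole and ClusterRoleBinding are cluster-scoped, so a second release of the chart would collide with the first or silently share its grant. The same applies to the ClusterRole, Role, RoleBinding and ServiceAccount sections and to the Deployment's `serviceAccountName`. Deriving the names from the helper the Deployment already uses, e.g. `name: {{ template "kong.fullname" . }}-controller`, keeps each release's identity and permissions separate.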
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| kind: RoleBinding | ||
| metadata: | ||
| name: kong-ingress-role-nisa-binding | ||
| namespace: {{ .Release.Namespace }} | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: kong-ingress-role | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: kong-serviceaccount | ||
| namespace: {{ .Release.Namespace }} | ||
| {{- end -}} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| kind: Role | ||
| metadata: | ||
| name: kong-ingress-role | ||
| namespace: {{ .Release.namespace }} | ||
| rules: | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - configmaps | ||
| - pods | ||
| - secrets | ||
| - namespaces | ||
| verbs: | ||
| - get | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - configmaps | ||
| resourceNames: | ||
| # Defaults to "<election-id>-<ingress-class>" | ||
| # Here: "<ingress-controller-leader>-<nginx>" | ||
| # This has to be adapted if you change either parameter | ||
| # when launching the nginx-ingress-controller. | ||
| - "ingress-controller-leader-nginx" | ||
| verbs: | ||
| - get | ||
| - update | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - configmaps | ||
| verbs: | ||
| - create | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - endpoints | ||
| verbs: | ||
| - get | ||
| {{- end -}} |
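Review bot: `namespace: {{ .Release.namespace }}` uses a lower-case key while every other template in this change uses `.Release.Namespace`; the lower-case lookup is unlikely to resolve, which would leave the Role without its intended namespace while the RoleBinding that references it is pinned to `.Release.Namespace`. It should read `namespace: {{ .Release.Namespace }}`. The `resourceNames` entry `ingress-controller-leader-nginx` and the comment above it still describe the nginx controller. The controller args in the Deployment set neither an election id nor an ingress class, so the name of the ConfigMap the Kong controller actually uses should be confirmed and the comment updated; otherwise the `get`/`update` rule may never match.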
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: kong-serviceaccount | ||
| namespace: {{ .Release.Namespace }} | ||
| {{- end -}} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: kongconsumers.configuration.konghq.com | ||
| spec: | ||
| group: configuration.konghq.com | ||
| version: v1 | ||
| scope: Namespaced | ||
| names: | ||
| kind: KongConsumer | ||
| plural: kongconsumers | ||
| {{- end -}} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: kongcredentials.configuration.konghq.com | ||
| spec: | ||
| group: configuration.konghq.com | ||
| version: v1 | ||
| scope: Namespaced | ||
| names: | ||
| kind: KongCredential | ||
| plural: kongcredentials | ||
| {{- end -}} |
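Review bot: Objects of this kind presumably carry consumer credentials in their spec, and as custom resources they are readable by anyone with `get` or `list` on `kongcredentials` and are not covered by policies written for `secrets`. A template comment such as `# KongCredential objects may contain credential material; restrict read access as for Secrets` would help, along with the same note in the chart documentation. This is inferred from the kind name, since the CRD here declares no schema.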
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: kongingresses.configuration.konghq.com | ||
| spec: | ||
| group: configuration.konghq.com | ||
| version: v1 | ||
| scope: Namespaced | ||
| names: | ||
| kind: KongIngress | ||
| plural: kongingresses | ||
| {{- end -}} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| {{- if .Values.ingressController.enabled -}} | ||
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: kongplugins.configuration.konghq.com | ||
| spec: | ||
| group: configuration.konghq.com | ||
| version: v1 | ||
| scope: Namespaced | ||
| names: | ||
| kind: KongPlugin | ||
| plural: kongplugins | ||
| {{- end -}} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -142,3 +142,33 @@ postgresql: | |
| postgresDatabase: kong | ||
| persistence: | ||
| enabled: false | ||
|
|
||
| # Kong Ingress Controller's primary purpose is to satisfy Ingress resources | ||
| # created in k8s. It uses CRDs for more fine grained control over routing and | ||
| # for Kong specific configuration. | ||
| ingressController: | ||
| enabled: false | ||
| image: | ||
| repository: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller | ||
| tag: 0.1.0 | ||
| replicaCount: 1 | ||
| livenessProbe: | ||
| failureThreshold: 3 | ||
| httpGet: | ||
| path: "/healthz" | ||
| port: 10254 | ||
| scheme: HTTP | ||
| initialDelaySeconds: 180 | ||
|
Collaborator
@shashiranjan84 Thoughts on these delays?
Collaborator
I don't think its needs to be that high. Also I would increase timeoutSeconds to 5 or 10 |
||
| periodSeconds: 10 | ||
| successThreshold: 1 | ||
| timeoutSeconds: 1 | ||
| readinessProbe: | ||
|
Collaborator
Can we add a
Contributor
Author
Done, it was missing here, modified to 102, thanks |
||
| failureThreshold: 3 | ||
| httpGet: | ||
| path: "/healthz" | ||
| port: 10254 | ||
| scheme: HTTP | ||
| initialDelaySeconds: 120 | ||
| periodSeconds: 10 | ||
| successThreshold: 1 | ||
| timeoutSeconds: 1 | ||
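Review bot: The controller image is referenced by tag only (`tag: 0.1.0`) from a third-party registry, and the Deployment builds the reference as `repository:tag`, so these values give no way to pin it by digest. A comment above `image:` would make that visible to operators, e.g. `# tags can be re-pushed; mirror the image or pin by digest for production`. Quoting the value as `tag: "0.1.0"` would also keep a later two-part version such as `0.10` from being read as a float. The hunk header announces 33 added lines, so part of this block may lie outside what is shown.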
Should there be an option to override this setting? What if there is a use case where Kong should be deployed with Admin API enabled along with Ingress controller?
I agree, any suggestions on how to handle that ? Maybe:
values.yml
Actually this is a bug.
If `ingressController.enabled` is true and `admin.useTLS` is set to true, the behavior will be weird.
Any suggestions on how we should manage this from a Helm user's perspective? For me, documenting the incompatibility seems the way to go for now, but I'm open to any solution you might have in mind.
My recommendation would be to remove this if clause and let the Admin API be configured using the existing settings. We can recommend that the user disable the Admin API when running in Ingress controller mode, but if need be, it should be possible to enable it.
Let's not clobber Ingress Controller logic inside here. Ingress Controller really should ideally be a drop-in in addition to an existing Kong setup.
Thoughts?
I removed this, so we should warn people in the docs.