部署说明
kong 3.7 部署为两个节点。
1 个 Control Plane（Admin 端，负责管理数据）
1 个 Data Plane（API 端，负责转发数据）
依赖
- 一个 PG数据库
- kubernetes 集群主机
命名空间
创建命名空间 kong
后续所有的资源都会创建到这个 ns 下
kubectl create namespace kong
证书管理
在 k8s 创建两个 secret
kong-enterprise-license
: 企业版许可证（license）
kong-cluster-cert
: tls 证书
# Create the enterprise license secret in "free mode" (an empty JSON license);
# the quoting produces the literal value '{}' inside the secret.
kubectl create secret generic kong-enterprise-license --from-literal=license="'{}'" --namespace=kong

# Create the certificate/key pair used for control plane <-> data plane mutual TLS.
# Requires bash (process substitution); -days 10950 is roughly 30 years.
# The private key is written to the local working directory and remains there
# after the secret is created, so remove it once it is no longer needed.
openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout ./tls.key -out ./tls.crt -days 10950 -subj "/CN=kong_clustering"
kubectl create secret tls kong-cluster-cert --key=./tls.key --cert=./tls.crt --namespace=kong
CP 配置
需要注意:
admin_gui_api_url 和 admin 暴露的 ingress host 最好保持一致
admin_gui_url 和 admin_gui_api_url 协议最好保持一致,https 或 http
PG 配置根据自己需求进行配置
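# Helm values for the control_plane node (hybrid mode).
# The Admin API and Kong Manager are served from this release; proxy traffic is not.

# Do not use Kong Ingress Controller
ingressController:
  enabled: false

image:
  repository: registry.cn-hongkong.aliyuncs.com/jansora/kong-gateway
  tag: "3.7.1.2"

# Mount the secret created earlier
secretVolumes:
  - kong-cluster-cert

env:
  # This is a control_plane node
  role: control_plane
  # These certificates are used for control plane / data plane communication
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
  # Database
  # CHANGE THESE VALUES
  database: postgres
  pg_database: pve_kong_3712
  pg_user: root
  # NOTE(review): plaintext credential in a values file that is meant to be
  # checked in; the chart accepts a valueFrom/secretKeyRef object for env
  # entries, so consider sourcing pg_password (and password below) from a Secret.
  pg_password: password
  pg_host: 192.168.88.11
  pg_port: 55432
  # Database traffic is unencrypted; only acceptable on a trusted network segment.
  pg_ssl: "off"
  # Kong Manager password (initial admin user); see the credential note above
  password: kong_admin_password
  # Keep the scheme (https) consistent between these two URLs; the Manager
  # ingress host must match admin_gui_url and the Admin ingress host must
  # match admin_gui_api_url.
  admin_gui_url: https://kong.fabric.jansora.com
  admin_gui_api_url: https://kong-admin.fabric.jansora.com
  # Replace the session secret placeholder with a long random value before
  # deploying; cookie_secure=true matches the https admin_gui_url above.
  admin_gui_session_conf: '{"secret":"CHANGE_ME_random_session_secret","storage":"kong","cookie_secure":true}'

# Enterprise functionality
enterprise:
  enabled: true
  license_secret: kong-enterprise-license
  rbac:
    enabled: true
    admin_gui_auth: basic-auth

# The control plane serves the Admin API.
# TLS is disabled on the pod listener; the https scheme in admin_gui_api_url
# therefore relies on the ingress controller terminating TLS. No `tls` entry is
# declared on this ingress (the data-plane proxy ingress does declare one) —
# TODO confirm the ingress controller serves a default certificate for this host.
admin:
  enabled: true
  http:
    enabled: true
  tls:
    enabled: false
  ingress:
    enabled: true
    hostname: kong-admin.fabric.jansora.com
    path: /
    pathType: Prefix
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      nginx.ingress.kubernetes.io/enable-cors: "true"
      nginx.ingress.kubernetes.io/cors-allow-methods: "put,get,post,delete,patch,options"
      # Restricted to the Kong Manager origin (admin_gui_url). The previous
      # value "*" together with allow-credentials "true" would let a browser on
      # any site send the Manager's session cookie to the Admin API.
      nginx.ingress.kubernetes.io/cors-allow-origin: "https://kong.fabric.jansora.com"
      nginx.ingress.kubernetes.io/cors-allow-credentials: "true"

# Clustering endpoints are required in hybrid mode
cluster:
  enabled: true
  tls:
    enabled: true

clustertelemetry:
  enabled: true
  tls:
    enabled: true

# Optional features
# Same TLS remark as the admin ingress above: no `tls` entry is declared here.
manager:
  enabled: true
  http:
    enabled: true
  tls:
    enabled: false
  ingress:
    enabled: true
    hostname: kong.fabric.jansora.com
    path: /
    pathType: Prefix
    ingressClassName: nginx

# These roles will be served by different Helm releases
proxy:
  enabled: false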
DP 配置
注意 ingress 配置：api.kubernetes.jansora.com，此为 api proxy 的配置
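# Helm values for the data_plane node (hybrid mode).
# This release only proxies API traffic; it has no database and no Admin API.

# Do not use Kong Ingress Controller
ingressController:
  enabled: false

image:
  repository: registry.cn-hongkong.aliyuncs.com/jansora/kong-gateway
  tag: "3.7.1.2"

# Mount the secret created earlier
secretVolumes:
  - kong-cluster-cert

env:
  # data_plane nodes do not have a database
  role: data_plane
  database: "off"
  # Tell the data plane how to connect to the control plane.
  # The service names assume the control-plane release is named `kong-cp` and
  # lives in namespace `kong` — TODO confirm against the CP release name.
  cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
  cluster_telemetry_endpoint: kong-cp-kong-clustertelemetry.kong.svc.cluster.local:8006
  # Configure control plane / data plane authentication.
  # The same cert/key pair is used on both sides; the data plane also trusts it
  # as the CA for the clustering connection.
  lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key

# Enterprise functionality
enterprise:
  enabled: true
  license_secret: kong-enterprise-license

# The data plane handles proxy traffic only.
# TLS is disabled on the pod listener; the ingress terminates TLS with the
# wildcard.jansora.com secret, so traffic between ingress and pod is plaintext
# inside the cluster.
proxy:
  enabled: true
  http:
    # Enable plaintext HTTP listen for the proxy
    enabled: true
    # Set a nodePort which is available if service type is NodePort
    nodePort: 32080
  tls:
    enabled: false
  ingress:
    enabled: true
    hostname: api.kubernetes.jansora.com
    path: /
    pathType: Prefix
    ingressClassName: nginx
    tls: wildcard.jansora.com

# Pin the data plane to a specific worker node
nodeSelector:
  worker: worker2

# These roles are served by the kong-cp deployment
admin:
  enabled: false

manager:
  enabled: false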