在 Kubernetes 中部署 Kong + Kong Manager (3.7.x)

部署说明

Kong 3.7 以混合模式 (hybrid mode) 部署为两个节点：
1 个 Control Plane (CP，Admin 端，负责管理配置并下发给 Data Plane)
1 个 Data Plane (DP，API 端，负责转发流量)

依赖

  1. 一个 PostgreSQL 数据库（只有 Control Plane 需要连接数据库，Data Plane 不使用数据库）
  2. 一个 Kubernetes 集群

命名空间

创建命名空间 kong，后续所有资源都会创建到这个命名空间下：

# Everything that follows is created inside this namespace.
kubectl create ns kong

证书管理

在 k8s 中创建两个 secret：

kong-enterprise-license: 企业版许可证 (license)，免费模式下内容为 '{}'
kong-cluster-cert: Control Plane 与 Data Plane 之间集群通信和认证使用的 TLS 证书及私钥

# Enterprise license secret. The literal '{}' enables Kong Enterprise "free mode";
# replace it with the real license payload for a licensed deployment.
kubectl create secret generic kong-enterprise-license --from-literal=license="'{}'" -n kong

# Self-signed EC P-384 certificate for control plane <-> data plane clustering.
# Both Helm releases below mount this one secret ("shared" certificate mode), so the
# private key ends up on every data plane as well. -days 10950 is a 30-year lifetime,
# i.e. no rotation is planned; keep tls.key out of version control and delete the local
# copies once the secret exists.
# NOTE(review): for production Kong documents a PKI mode with per-node certificates issued
# by a CA — confirm against the hybrid-mode docs for your Kong version.
openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout ./tls.key -out ./tls.crt -days 10950 -subj "/CN=kong_clustering"
kubectl create secret tls kong-cluster-cert --cert=./tls.crt --key=./tls.key -n kong


CP 配置

需要注意:
admin_gui_api_url 必须与 admin 暴露的 ingress host 一致（浏览器中的 Kong Manager 通过这个地址调用 Admin API，不一致时可能出现跨域或登录失败）
admin_gui_url 与 admin_gui_api_url 的协议必须保持一致（同为 https 或同为 http）；使用 https 时 admin_gui_session_conf 中的 cookie_secure 应为 true，且 admin 的 ingress 需要配置 TLS 证书

PG 连接参数请按实际环境修改；数据库密码、管理员密码、会话密钥等敏感信息建议放到 Kubernetes Secret 中引用，而不要明文写在 values 文件里。

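# Kong Gateway 3.7.x — hybrid-mode CONTROL PLANE (Helm values for the kong/kong chart).
# This release owns the database, the Admin API and Kong Manager; it does not proxy traffic.
#
# Secrets this file expects in the `kong` namespace (create them before `helm install`):
#   kubectl create secret generic kong-pg-credentials -n kong \
#     --from-literal=password='<db password>'
#   kubectl create secret generic kong-admin-credentials -n kong \
#     --from-literal=password='<super-admin password>' \
#     --from-literal=admin_gui_session_conf="{\"secret\":\"$(openssl rand -base64 32)\",\"storage\":\"kong\",\"cookie_secure\":true}"

# Do not use Kong Ingress Controller; routes are managed through the Admin API / Manager.
ingressController:
  enabled: false

image:
  repository: registry.cn-hongkong.aliyuncs.com/jansora/kong-gateway
  # Quoted so YAML keeps the version as a string.
  tag: "3.7.1.2"

# Mount the kong-cluster-cert secret at /etc/secrets/kong-cluster-cert/.
secretVolumes:
  - kong-cluster-cert

env:
  # This node is the control plane of the hybrid deployment.
  role: control_plane
  # Certificate/key used to authenticate control plane <-> data plane traffic
  # (shared mode: the data-plane release mounts the very same secret).
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key

  # Database connection — CHANGE THESE VALUES.
  database: postgres
  pg_database: pve_kong_3712
  # Prefer a dedicated, least-privileged role over the PostgreSQL superuser.
  pg_user: root
  # The chart's `env` accepts a Kubernetes `valueFrom` map, so the password is read from a
  # Secret instead of being committed with this file.
  pg_password:
    valueFrom:
      secretKeyRef:
        name: kong-pg-credentials
        key: password
  pg_host: 192.168.88.11
  pg_port: 55432
  # Quoted on purpose: a bare `off` is the boolean false to YAML 1.1 parsers.
  # "off" means credentials and configuration cross the network in clear text; switch to
  # "on" (and consider pg_ssl_verify) if the PostgreSQL server supports TLS.
  pg_ssl: "off"

  # Kong Manager / RBAC super-admin password (KONG_PASSWORD), read from a Secret.
  password:
    valueFrom:
      secretKeyRef:
        name: kong-admin-credentials
        key: password

  # Public URLs: the browser loads Kong Manager from admin_gui_url and calls the Admin API
  # at admin_gui_api_url, so both must match the ingress hostnames below and share a scheme.
  admin_gui_url: https://kong.fabric.jansora.com
  admin_gui_api_url: https://kong-admin.fabric.jansora.com
  # Session cookie settings. The "secret" field signs the session cookie, so it must be a
  # long random value (never a dictionary word such as "secret"); cookie_secure must stay
  # true because the endpoints above are HTTPS.
  admin_gui_session_conf:
    valueFrom:
      secretKeyRef:
        name: kong-admin-credentials
        key: admin_gui_session_conf

# Enterprise functionality (free mode: the license secret holds the literal '{}').
enterprise:
  enabled: true
  license_secret: kong-enterprise-license
  rbac:
    enabled: true
    admin_gui_auth: basic-auth

# The control plane serves the Admin API. The pod listener is plain HTTP and TLS is
# terminated at the ingress, so the ingress must carry a TLS secret for the https
# admin_gui_api_url above — otherwise Admin API credentials travel in clear text.
admin:
  enabled: true
  http:
    enabled: true
  tls:
    enabled: false
  ingress:
    enabled: true
    hostname: kong-admin.fabric.jansora.com
    path: /
    pathType: Prefix
    ingressClassName: nginx
    # Same wildcard TLS secret the data-plane release uses; it must exist in the kong namespace.
    tls: wildcard.jansora.com
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      # CORS is needed because Manager (kong.fabric...) and the Admin API
      # (kong-admin.fabric...) are different origins. Never combine a wildcard origin with
      # allow-credentials: browsers only honour credentialed CORS for an explicitly echoed
      # origin, which is what a wildcard tends to produce at the ingress, so any site the
      # operator visits could then drive the Admin API with the Manager session cookie.
      # Pin the origin to admin_gui_url.
      # NOTE(review): Kong's Admin API also emits CORS headers for admin_gui_url itself, so
      # ingress-level CORS may be redundant — confirm before dropping it.
      nginx.ingress.kubernetes.io/enable-cors: "true"
      nginx.ingress.kubernetes.io/cors-allow-methods: "put,get,post,delete,patch,options"
      nginx.ingress.kubernetes.io/cors-allow-origin: "https://kong.fabric.jansora.com"
      nginx.ingress.kubernetes.io/cors-allow-credentials: "true"

# Clustering (config push) and telemetry endpoints the data planes connect to, both
# protected with the cluster cert above. Hybrid mode requires them on the control plane.
cluster:
  enabled: true
  tls:
    enabled: true

clustertelemetry:
  enabled: true
  tls:
    enabled: true

# Kong Manager UI. As with the Admin API, TLS terminates at the ingress.
manager:
  enabled: true
  http:
    enabled: true
  tls:
    enabled: false
  ingress:
    enabled: true
    hostname: kong.fabric.jansora.com
    path: /
    pathType: Prefix
    ingressClassName: nginx
    tls: wildcard.jansora.com

# The proxy role is served by the separate data-plane Helm release.
proxy:
  enabled: false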

DP 配置

注意 ingress 配置: api.kubernetes.jansora.com，此为 API 代理 (proxy) 对外暴露的入口域名。

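# Kong Gateway 3.7.x — hybrid-mode DATA PLANE (Helm values for the kong/kong chart).
# This release only proxies traffic; it has no database and receives its configuration
# from the control-plane release over the clustering endpoint.

# Do not use Kong Ingress Controller
ingressController:
  enabled: false

image:
  repository: registry.cn-hongkong.aliyuncs.com/jansora/kong-gateway
  # Quoted so YAML keeps the version as a string.
  tag: "3.7.1.2"

# Mount the same kong-cluster-cert secret the control plane uses (shared-mode clustering).
secretVolumes:
  - kong-cluster-cert

env:
  role: data_plane
  # Quoted on purpose: a bare `off` is a YAML 1.1 boolean. Data planes have no database.
  database: "off"

  # Control-plane endpoints. These service names assume the control plane was installed as
  # a Helm release named `kong-cp` in the `kong` namespace; adjust if yours differs.
  cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
  cluster_telemetry_endpoint: kong-cp-kong-clustertelemetry.kong.svc.cluster.local:8006

  # Control plane / data plane authentication: the data plane presents the shared cert and
  # trusts only that same self-signed cert when verifying the control plane.
  lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key

# Enterprise functionality (same free-mode license secret as the control plane)
enterprise:
  enabled: true
  license_secret: kong-enterprise-license

# The data plane handles proxy traffic only.
proxy:
  enabled: true
  http:
    # Plain-text HTTP listener on the pod; client TLS is terminated at the ingress below.
    enabled: true
    # Only takes effect if the proxy Service is of type NodePort.
    nodePort: 32080
  tls:
    enabled: false
  ingress:
    enabled: true
    hostname: api.kubernetes.jansora.com
    path: /
    pathType: Prefix
    ingressClassName: nginx
    # TLS secret for the public API hostname; must exist in the kong namespace.
    tls: wildcard.jansora.com

# Pin the data plane to a specific worker node.
nodeSelector:
  worker: worker2

# Admin API and Kong Manager are served by the control-plane (kong-cp) release; a data
# plane must never expose them.
admin:
  enabled: false

manager:
  enabled: false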
