Kong Gateway: Helm Deployment in Kubernetes (Hybrid Mode)

Ambidextrous
4 min read · Feb 9, 2023

The last decade of the tech industry has been dominated by the move towards microservices, i.e., small, loosely coupled applications with a single purpose. Their main advantages are faster development cycles, easier maintenance, and scalability. So rather than having one big monolithic application for online banking, we should opt for individual services such as Fund Transfers, Notifications, Statements, etc. The UI interacts with these services as required, and the separate applications can be scaled and updated independently as needed. However, we soon realize that the move to microservices brings a new set of challenges. As our applications are separated out, the cross-cutting concerns get duplicated in each application. That’s where an API gateway like Kong comes into the picture. Kong consolidates the common functionality in the middleware so that the dev teams have less overhead and can focus on the business logic of their apps.

Kong can be deployed in four different modes:

  • DB-Less
  • Hybrid
  • Konnect (Kong Cloud)
  • Traditional

In this article, we will go into detail about how to install Kong in a Kubernetes cluster in Hybrid mode.

In Hybrid mode, Kong Gateway is divided into two parts: the control plane (CP) and the data plane (DP). CP nodes manage the Kong configuration and the Admin API, while DP nodes carry out the actual work of serving requests to the API consumers. This way we can scale only the data plane as needed, and the data plane can be deployed into different geographical regions as per business needs.

Pre-requisites:

  • Kubernetes Cluster
  • Postgres Database (9.6+)
  • Linux VM with Kubectl and Helm 3 installed

Installation Steps:

1. Generate a certificate/key pair using OpenSSL. This pair will be shared by both CP and DP nodes for mTLS:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) \
-keyout cluster.key \
-out cluster.crt -days 1095 -subj "/CN=kong_clustering"

2. Create a namespace in the Kubernetes cluster to deploy Kong:

kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -

3. Create a Kubernetes secret to store the certificate/key pair for mTLS created earlier in step 1:

kubectl create secret tls kong-cluster-cert --cert=cluster.crt \
--key=cluster.key --namespace kong --dry-run=client -o yaml | kubectl apply -f -

4. Create a Kubernetes secret for the super admin password, which will later be used to log in to Kong Manager and the Admin API:

kubectl create secret generic kong-enterprise-superuser-password \
--namespace kong --from-literal=password=HardToGuessPwd

5. (Optional, only if you want to install Kong Enterprise) Create a Kubernetes secret to store the Kong enterprise license:

kubectl create secret generic kong-enterprise-license \
--from-file=license.json --namespace kong

6. Create a ‘dbsecret’ YAML file with the database credentials encoded in Base64 format. Then, create a Kubernetes secret for storing the database credentials:

# dbsecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: postgres-db-secrets
  namespace: kong
type: Opaque
data:
  user: "dXNlcm5hbWU="
  password: "SGFyZFRvR3Vlc3NQYXNzd29yZA=="

kubectl apply -f dbsecret.yaml -n kong

7. Login sessions for Kong Manager and the Developer Portal make use of the Kong Sessions plugin. When configured via ‘values.yaml’, their configuration must be stored in a Kubernetes secret, as it contains an HMAC key. Create two YAML files, one for the admin GUI session and one for the portal session, and then create a Kubernetes secret to store these configurations:

admin_gui_session_conf.yaml:

{
  "cookie_name": "admin_session",
  "cookie_samesite": "off",
  "secret": "HardToGuessPasswordGoesHere",
  "cookie_secure": true,
  "cookie_lifetime": 3600,
  "cookie_renew": 600,
  "storage": "kong"
}

portal_session_conf.yaml:

{
  "cookie_name": "portal_session",
  "cookie_samesite": "off",
  "secret": "HardToGuessPasswordGoesHere",
  "cookie_secure": true,
  "cookie_lifetime": 3600,
  "cookie_renew": 600,
  "storage": "kong",
  "cookie_domain": "mycompany.com"
}

kubectl create secret generic kong-session-config \
--from-file=admin_gui_session_conf=admin_gui_session_conf.yaml \
--from-file=portal_session_conf=portal_session_conf.yaml --namespace kong

8. Make sure to add Kong Helm charts:

helm repo add kong https://charts.konghq.com
helm repo update

9. Create YAML files for the control plane and data plane specific configurations (Sample files). Then use helm to install the control plane and the data plane nodes, and utilize these files to override the default configurations:

helm install kong-cp kong/kong --namespace kong --values=controlplane-values.yaml
helm install kong-dp kong/kong --namespace kong --values=dataplane-values.yaml

10. (Optional) Create a Kubernetes secret named ‘kong-tls’ if you would like to secure the ingress via TLS:

kubectl create secret tls kong-tls --cert=wildcard-company.crt \
--key=wildcard-company.key --namespace kong

Note: Referencing this secret in the ingress tells the ingress controller to secure the communication between the client and the load balancer using TLS.

11. Create an ingress YAML file and use it to create a Kubernetes ingress to expose Kong outside your cluster:

kubectl apply -f ingress.yaml --namespace kong

That’s it! This is how we can deploy Kong to a Kubernetes cluster in hybrid mode. As usual, all of the code samples for this exercise are available on GitHub.
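Steps 4, 6 and 7 type placeholder strings for the superuser password and the session HMAC keys, and step 6 stores the database credentials as Base64, which is an encoding and not protection. The script below is an added example, not part of the original article or the Kong chart; its function names, the `password.txt` file and the `OUT_DIR`, `DB_USER`, `DB_PASSWORD` and `COOKIE_DOMAIN` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): secret inputs for steps 4, 6 and 7.
set -eu

# 32 bytes from the kernel CSPRNG as 43 URL-safe characters, no trailing newline.
gen_secret() { head -c 32 /dev/urandom | base64 | tr -d '=\n' | tr '+/' '-_'; }

# Base64 for a Secret's data: field. printf '%s' adds no newline, whereas
# `echo value | base64` encodes "value\n" and the stored credential is wrong.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Step 6: $1=user $2=password -> dbsecret.yaml on stdout.
render_db_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: postgres-db-secrets
  namespace: kong
type: Opaque
data:
  user: "$(b64 "$1")"
  password: "$(b64 "$2")"
EOF
}

# Step 7: $1=cookie_name $2=HMAC secret $3=optional cookie_domain (other fields as in the article).
render_session_conf() {
  printf '{\n  "cookie_name": "%s",\n  "cookie_samesite": "off",\n' "$1"
  printf '  "secret": "%s",\n  "cookie_secure": true,\n' "$2"
  printf '  "cookie_lifetime": 3600,\n  "cookie_renew": 600,\n  "storage": "kong"'
  if [ -n "${3:-}" ]; then printf ',\n  "cookie_domain": "%s"' "$3"; fi
  printf '\n}\n'
}

# Read one data: field back from a manifest on stdin. No key is needed, so
# dbsecret.yaml must be handled like the plaintext password.
decode_field() { sed -n "s/^ *$1: *\"\(.*\)\"\$/\1/p" | base64 -d; }

# $1=dir $2=db user $3=db password $4=portal cookie domain; files are mode 0600.
write_kong_inputs() (
  umask 077; mkdir -p "$1"; cd "$1"
  gen_secret > password.txt   # step 4: --from-file=password=password.txt
  render_db_secret "$2" "$3" > dbsecret.yaml
  render_session_conf admin_session "$(gen_secret)" > admin_gui_session_conf.yaml
  render_session_conf portal_session "$(gen_secret)" "$4" > portal_session_conf.yaml
)
# Hypothetical environment variables keep the database password out of argv.
if [ -n "${OUT_DIR:-}" ]; then write_kong_inputs "$OUT_DIR" "$DB_USER" "$DB_PASSWORD" "${COOKIE_DOMAIN:-}"; fi
```

With `password.txt` in place, step 4 can read the value with `--from-file=password=password.txt` instead of `--from-literal`, which keeps the password out of shell history.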

Extra Considerations:

1. What if you are not using Kong Enterprise?

If you are not using Kong Enterprise, your deployment will have a few changes:

  • Set enterprise.enabled to false in the controlplane-values.yaml and dataplane-values.yaml files
  • Update the controlplane-values.yaml file to use the open-source Kong image, kong, instead of kong/kong-gateway
  • Skip the step which creates the enterprise license secret in Kubernetes

2. Automation Pipeline

I also created a Bamboo pipeline that automates this entire process. We put all the steps in a script file and execute that step through Bamboo. More details on this can be found here.

Hope this helps!
