Kong is a highly available, easily extensible API gateway written on top of OpenResty (Nginx plus Lua modules) and open-sourced by Mashape. It runs on NGINX and uses Apache Cassandra or PostgreSQL as its datastore.
Creating the Kong gateway inside the k8s cluster
ingress-kong.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: kong
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: kongclusterplugins.configuration.konghq.com
spec:
  additionalPrinterColumns:
  - JSONPath: .plugin
    description: Name of the plugin
    name: Plugin-Type
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: Age
    name: Age
    type: date
  - JSONPath: .disabled
    description: Indicates if the plugin is disabled
    name: Disabled
    priority: 1
    type: boolean
  - JSONPath: .config
    description: Configuration of the plugin
    name: Config
    priority: 1
    type: string
  group: configuration.konghq.com
  names:
    kind: KongClusterPlugin
    plural: kongclusterplugins
    shortNames:
    - kcp
  scope: Cluster
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        config:
          type: object
        configFrom:
          properties:
            secretKeyRef:
              properties:
                key:
                  type: string
                name:
                  type: string
                namespace:
                  type: string
              required:
              - name
              - namespace
              - key
              type: object
          type: object
        disabled:
          type: boolean
        plugin:
          type: string
        protocols:
          items:
            enum:
            - http
            - https
            - grpc
            - grpcs
            - tcp
            - tls
            type: string
          type: array
        run_on:
          enum:
          - first
          - second
          - all
          type: string
      required:
      - plugin
  version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: kongconsumers.configuration.konghq.com
spec:
  additionalPrinterColumns:
  - JSONPath: .username
    description: Username of a Kong Consumer
    name: Username
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: Age
    name: Age
    type: date
  group: configuration.konghq.com
  names:
    kind: KongConsumer
    plural: kongconsumers
    shortNames:
    - kc
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        credentials:
          items:
            type: string
          type: array
        custom_id:
          type: string
        username:
          type: string
  version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: kongingresses.configuration.konghq.com
spec:
  group: configuration.konghq.com
  names:
    kind: KongIngress
    plural: kongingresses
    shortNames:
    - ki
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        proxy:
          properties:
            connect_timeout:
              minimum: 0
              type: integer
            path:
              pattern: ^/.*$
              type: string
            protocol:
              enum:
              - http
              - https
              - grpc
              - grpcs
              - tcp
              - tls
              type: string
            read_timeout:
              minimum: 0
              type: integer
            retries:
              minimum: 0
              type: integer
            write_timeout:
              minimum: 0
              type: integer
          type: object
        route:
          properties:
            headers:
              additionalProperties:
                items:
                  type: string
                type: array
              type: object
            https_redirect_status_code:
              type: integer
            methods:
              items:
                type: string
              type: array
            path_handling:
              enum:
              - v0
              - v1
              type: string
            preserve_host:
              type: boolean
            protocols:
              items:
                enum:
                - http
                - https
                - grpc
                - grpcs
                - tcp
                - tls
                type: string
              type: array
            regex_priority:
              type: integer
            request_buffering:
              type: boolean
            response_buffering:
              type: boolean
            snis:
              items:
                type: string
              type: array
            strip_path:
              type: boolean
        upstream:
          properties:
            algorithm:
              enum:
              - round-robin
              - consistent-hashing
              - least-connections
              type: string
            hash_fallback:
              type: string
            hash_fallback_header:
              type: string
            hash_on:
              type: string
            hash_on_cookie:
              type: string
            hash_on_cookie_path:
              type: string
            hash_on_header:
              type: string
            healthchecks:
              properties:
                active:
                  properties:
                    concurrency:
                      minimum: 1
                      type: integer
                    healthy:
                      properties:
                        http_statuses:
                          items:
                            type: integer
                          type: array
                        interval:
                          minimum: 0
                          type: integer
                        successes:
                          minimum: 0
                          type: integer
                      type: object
                    http_path:
                      pattern: ^/.*$
                      type: string
                    timeout:
                      minimum: 0
                      type: integer
                    unhealthy:
                      properties:
                        http_failures:
                          minimum: 0
                          type: integer
                        http_statuses:
                          items:
                            type: integer
                          type: array
                        interval:
                          minimum: 0
                          type: integer
                        tcp_failures:
                          minimum: 0
                          type: integer
                        timeout:
                          minimum: 0
                          type: integer
                      type: object
                  type: object
                passive:
                  properties:
                    healthy:
                      properties:
                        http_statuses:
                          items:
                            type: integer
                          type: array
                        interval:
                          minimum: 0
                          type: integer
                        successes:
                          minimum: 0
                          type: integer
                      type: object
                    unhealthy:
                      properties:
                        http_failures:
                          minimum: 0
                          type: integer
                        http_statuses:
                          items:
                            type: integer
                          type: array
                        interval:
                          minimum: 0
                          type: integer
                        tcp_failures:
                          minimum: 0
                          type: integer
                        timeout:
                          minimum: 0
                          type: integer
                      type: object
                  type: object
                threshold:
                  type: integer
              type: object
            host_header:
              type: string
            slots:
              minimum: 10
              type: integer
          type: object
  version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: kongplugins.configuration.konghq.com
spec:
  additionalPrinterColumns:
  - JSONPath: .plugin
    description: Name of the plugin
    name: Plugin-Type
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: Age
    name: Age
    type: date
  - JSONPath: .disabled
    description: Indicates if the plugin is disabled
    name: Disabled
    priority: 1
    type: boolean
  - JSONPath: .config
    description: Configuration of the plugin
    name: Config
    priority: 1
    type: string
  group: configuration.konghq.com
  names:
    kind: KongPlugin
    plural: kongplugins
    shortNames:
    - kp
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        config:
          type: object
        configFrom:
          properties:
            secretKeyRef:
              properties:
                key:
                  type: string
                name:
                  type: string
              required:
              - name
              - key
              type: object
          type: object
        disabled:
          type: boolean
        plugin:
          type: string
        protocols:
          items:
            enum:
            - http
            - https
            - grpc
            - grpcs
            - tcp
            - tls
            type: string
          type: array
        run_on:
          enum:
          - first
          - second
          - all
          type: string
      required:
      - plugin
  version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tcpingresses.configuration.konghq.com
spec:
  additionalPrinterColumns:
  - JSONPath: .status.loadBalancer.ingress[*].ip
    description: Address of the load balancer
    name: Address
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: Age
    name: Age
    type: date
  group: configuration.konghq.com
  names:
    kind: TCPIngress
    plural: tcpingresses
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          type: string
        kind:
          type: string
        metadata:
          type: object
        spec:
          properties:
            rules:
              items:
                properties:
                  backend:
                    properties:
                      serviceName:
                        type: string
                      servicePort:
                        format: int32
                        type: integer
                    type: object
                  host:
                    type: string
                  port:
                    format: int32
                    type: integer
                type: object
              type: array
            tls:
              items:
                properties:
                  hosts:
                    items:
                      type: string
                    type: array
                  secretName:
                    type: string
                type: object
              type: array
          type: object
        status:
          type: object
  version: v1beta1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kong-serviceaccount
  namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kong-ingress-clusterrole
rules:
# Cluster-wide read of Secrets is needed because TLS certificates and Kong
# credentials referenced from Ingress / KongConsumer objects live in Secrets.
- apiGroups:
  - ""
  resources:
  - endpoints
  - nodes
  - pods
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  - extensions
  - networking.internal.knative.dev
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  - extensions
  - networking.internal.knative.dev
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - tcpingresses/status
  verbs:
  - update
- apiGroups:
  - configuration.konghq.com
  resources:
  - kongplugins
  - kongclusterplugins
  - kongcredentials
  - kongconsumers
  - kongingresses
  - tcpingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kong-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kong-ingress-clusterrole
subjects:
- kind: ServiceAccount
  name: kong-serviceaccount
  namespace: kong
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  name: kong-proxy
  namespace: kong
spec:
  type: NodePort
  # nodePort 80 and 443 lie outside the default NodePort range (30000-32767);
  # the apply is rejected unless kube-apiserver runs with
  # --service-node-port-range widened to include them.
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
    nodePort: 80
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 443
  selector:
    app: ingress-kong
---
apiVersion: v1
kind: Service
# This Service publishes the Kong Admin API, which has no authentication of
# its own, to every pod in the cluster. The ingress controller reaches the
# Admin API over 127.0.0.1 inside the same pod, so it does not need this
# Service; drop it (or restrict it with a NetworkPolicy) outside a lab.
metadata:
  name: kong-admin
  namespace: kong
  labels:
    k8s-app: kong
spec:
  ports:
  - name: admin
    port: 8001
    protocol: TCP
    targetPort: 8001
  - name: admin-ssl
    port: 8444
    protocol: TCP
    targetPort: 8444
  selector:
    app: ingress-kong
---
apiVersion: v1
kind: Service
metadata:
  name: kong-validation-webhook
  namespace: kong
spec:
  ports:
  - name: webhook
    port: 443
    protocol: TCP
    targetPort: 8080
  selector:
    app: ingress-kong
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ingress-kong
  name: ingress-kong
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-kong
  template:
    metadata:
      annotations:
        kuma.io/gateway: enabled
        prometheus.io/port: "8100"
        prometheus.io/scrape: "true"
        traffic.sidecar.istio.io/includeInboundPorts: ""
      labels:
        app: ingress-kong
    spec:
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      containers:
      # Container 1: the Kong proxy itself.
      - env:
        - name: KONG_DATABASE
          value: postgres
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PASSWORD
          value: kong   # plaintext literal; prefer valueFrom.secretKeyRef
        - name: KONG_PROXY_LISTEN
          value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
        - name: KONG_PORT_MAPS
          value: 80:8000, 443:8443
        - name: KONG_ADMIN_LISTEN
          # Binds the unauthenticated Admin API on all interfaces; the
          # controller below only needs 127.0.0.1:8001.
          value: 0.0.0.0:8001, 0.0.0.0:8444 ssl
        - name: KONG_STATUS_LISTEN
          value: 0.0.0.0:8100
        - name: KONG_NGINX_WORKER_PROCESSES
          value: "2"
        - name: KONG_ADMIN_ACCESS_LOG
          value: /dev/stdout
        - name: KONG_ADMIN_ERROR_LOG
          value: /dev/stderr
        - name: KONG_PROXY_ERROR_LOG
          value: /dev/stderr
        image: kong:2.3
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - kong quit
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: proxy
        ports:
        - containerPort: 8000
          name: proxy
          protocol: TCP
        - containerPort: 8443
          name: proxy-ssl
          protocol: TCP
        - containerPort: 8100
          name: metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      # Container 2: the Kubernetes ingress controller that translates
      # Ingress / Kong CRDs into Admin API calls over loopback.
      - env:
        - name: CONTROLLER_KONG_ADMIN_URL
          value: http://127.0.0.1:8001
        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
          value: "false"
        - name: CONTROLLER_PUBLISH_SERVICE
          value: kong/kong-proxy
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: kong/kubernetes-ingress-controller:1.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: ingress-controller
        ports:
        - containerPort: 8080
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      # Blocks pod start until the kong-migrations Job has bootstrapped the schema.
      initContainers:
      - command:
        - /bin/sh
        - -c
        - while true; do kong migrations list; if [[ 0 -eq $? ]]; then exit 0; fi; sleep 2; done;
        env:
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PASSWORD
          value: kong
        image: kong:2.3
        name: wait-for-migrations
      serviceAccountName: kong-serviceaccount
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  serviceName: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - env:
        - name: POSTGRES_USER
          value: kong
        - name: POSTGRES_PASSWORD
          value: kong   # plaintext literal; prefer valueFrom.secretKeyRef
        - name: POSTGRES_DB
          value: kong
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata
        image: postgres:11.5
        name: postgres
        ports:
        - containerPort: 5432
        volumeMounts:
        - mountPath: /var/lib/postgresql/data
          name: kong-pg
          subPath: pgdata
      terminationGracePeriodSeconds: 60
  volumeClaimTemplates:
  - metadata:
      name: kong-pg
    spec:
      accessModes:
      - ReadWriteOnce
      storageClassName: "nfs-storage"
      resources:
        requests:
          storage: 3Gi
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: kong
spec:
  ports:
  - name: pgql
    port: 5432
    protocol: TCP
    targetPort: 5432
  selector:
    app: postgres
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migrations
  namespace: kong
spec:
  template:
    metadata:
      name: kong-migrations
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - kong migrations bootstrap
        env:
        - name: KONG_PG_PASSWORD
          value: kong
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PORT
          value: "5432"
        image: kong:2.3
        name: kong-migrations
      # Waits for the postgres port to answer before running the bootstrap.
      initContainers:
      - command:
        - /bin/sh
        - -c
        - until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done
        env:
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PORT
          value: "5432"
        image: busybox
        name: wait-for-postgres
      restartPolicy: OnFailure
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: konga
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: konga
  template:
    metadata:
      labels:
        app: konga
    spec:
      containers:
      - name: konga
        image: pantsel/konga
        env:
        - name: DB_ADAPTER
          value: postgres
        - name: DB_HOST
          value: postgres
        - name: DB_PORT
          value: '5432'
        - name: DB_PASSWORD
          value: kong
        - name: DB_USER
          value: kong
        - name: DB_DATABASE
          value: konga
        ports:
        - containerPort: 1337
          name: web
      initContainers:
      - command:
        - /bin/sh
        - -c
        - while true; do kong migrations list; if [[ 0 -eq $? ]]; then exit 0; fi; sleep 2; done;
        env:
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PASSWORD
          value: kong
        image: kong:2.3
        name: wait-for-migrations
---
apiVersion: v1
kind: Service
metadata:
  name: konga
  namespace: kong
spec:
  ports:
  - port: 1337
    protocol: TCP
    targetPort: 1337
  selector:
    app: konga
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: "kong"
spec:
  rules:
  - host: konga.test.lan
    http:
      paths:
      - path: /
        backend:
          serviceName: konga
          servicePort: 1337
First download the file above and get familiar with the main pieces of the architecture inside it.
The parts of the Kong gateway worth paying attention to:
- ingress-kong: the Kubernetes ingress controller built on the Kong gateway (one pod running the Kong proxy container and the kubernetes-ingress-controller container side by side)
- konga: the gateway management UI
- postgres: the gateway's data store
- job: initialises the database schema (kong migrations bootstrap)
Normally, when you bring up the Kong gateway in a fresh cluster, you first create the postgres database; once it is running you run the Job that initialises the schema; only then do you create ingress-kong and konga. Here I have merged all of these resources into a single ingress-kong.yaml, so the whole stack comes up with one command. The ordering is enforced inside the manifest by init containers: the Job's wait-for-postgres container polls the database port with nc before kong migrations bootstrap runs, and the ingress-kong and konga pods sit in wait-for-migrations until kong migrations list succeeds.
A few things in this manifest to be aware of before using it anywhere other than a lab:
- KONG_ADMIN_LISTEN binds the Admin API on 0.0.0.0:8001 and 0.0.0.0:8444, and the kong-admin Service publishes it to every pod in the cluster. The Admin API has no authentication of its own, and the ingress controller only needs it over loopback (CONTROLLER_KONG_ADMIN_URL is http://127.0.0.1:8001), so bind it to 127.0.0.1 and drop the kong-admin Service, or at least put a NetworkPolicy in front of it.
- The database password is the literal kong in the StatefulSet, the Deployment, the Job and the Konga Deployment. Move it into a Secret referenced with valueFrom.secretKeyRef.
- The kong-proxy Service asks for nodePort 80 and 443, which is outside the default 30000-32767 range; the apply is rejected unless kube-apiserver runs with --service-node-port-range widened to include them.
- The CRDs, ClusterRole/ClusterRoleBinding and Ingress use apiextensions.k8s.io/v1beta1, rbac.authorization.k8s.io/v1beta1 and extensions/v1beta1, all of which were removed in Kubernetes 1.22; on 1.22 or newer you need the v1 API versions (and a Kong/KIC release that ships them).
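To make these review points concrete, here is an added example (my own code, not part of the original post or of the Kong / kubernetes-ingress-controller projects) that statically audits a manifest like the one above: deprecated API versions, nodePorts outside the default range, plaintext credentials in env, and, as a cross-resource check, any Service whose selector matches a pod that binds the Admin API on 0.0.0.0. The manifest excerpts are constructed inline as JSON (kubectl accepts JSON as well as YAML, and kubectl get -o json returns the same documents), so it runs on the standard library alone. A hardened variant sits beside the weak one; the Secret name kong-pg, its key password and the nodePorts 30080/30443 in it are my assumptions, not values from the page.

```python
"""Static audit of a Kong-on-Kubernetes manifest (added example, not project code).
Manifest excerpts are embedded as JSON so no YAML library is needed."""
import json

# group/version pairs removed in Kubernetes 1.22 and their replacements
DEPRECATED_API_VERSIONS = {
    "apiextensions.k8s.io/v1beta1": "apiextensions.k8s.io/v1",
    "rbac.authorization.k8s.io/v1beta1": "rbac.authorization.k8s.io/v1",
    "extensions/v1beta1": "networking.k8s.io/v1",
}
SECRET_ENV_NAMES = {"KONG_PG_PASSWORD", "POSTGRES_PASSWORD", "DB_PASSWORD"}
DEFAULT_NODEPORT_RANGE = (30000, 32767)  # kube-apiserver default


def parse_listen(value):
    """'0.0.0.0:8001, 0.0.0.0:8444 ssl' -> [(host, port), ...]; flags such as
    ssl/http2 are dropped and the special value 'off' yields no listeners."""
    listeners = []
    for item in value.split(","):
        addr = item.strip().split()[0]
        if addr == "off":
            continue
        host, _, port = addr.rpartition(":")
        listeners.append((host, int(port)))
    return listeners


def pod_template(doc):
    """(pod labels, initContainers + containers) of a Deployment/StatefulSet/Job."""
    tmpl = doc.get("spec", {}).get("template")
    if not tmpl:
        return {}, []
    spec = tmpl.get("spec", {})
    return (tmpl.get("metadata", {}).get("labels", {}),
            spec.get("initContainers", []) + spec.get("containers", []))


def audit(docs):
    """Return a list of finding strings for a list of manifest documents."""
    findings, admin_pods = [], []  # admin_pods: (pod labels, ports bound on 0.0.0.0)
    for doc in docs:
        kind, api = doc.get("kind"), doc.get("apiVersion")
        name = doc.get("metadata", {}).get("name")
        if api in DEPRECATED_API_VERSIONS:
            findings.append(f"{kind}/{name}: apiVersion {api} was removed in Kubernetes 1.22, "
                            f"use {DEPRECATED_API_VERSIONS[api]}")
        if kind == "Service":
            for p in doc.get("spec", {}).get("ports", []):
                np = p.get("nodePort")
                if np is not None and not DEFAULT_NODEPORT_RANGE[0] <= np <= DEFAULT_NODEPORT_RANGE[1]:
                    findings.append(f"Service/{name}: nodePort {np} is outside the default 30000-32767 "
                                    "range; apply fails unless --service-node-port-range is widened")
        labels, containers = pod_template(doc)
        for c in containers:
            for env in c.get("env", []):
                if env["name"] in SECRET_ENV_NAMES and "value" in env:
                    findings.append(f"{kind}/{name}: container {c['name']} sets {env['name']} as a "
                                    "plaintext literal; use valueFrom.secretKeyRef")
                if env["name"] == "KONG_ADMIN_LISTEN":
                    open_ports = {port for host, port in parse_listen(env.get("value", "off"))
                                  if host == "0.0.0.0"}
                    if open_ports:
                        admin_pods.append((labels, open_ports))
    # cross-resource check: a Service selecting such a pod publishes the Admin API cluster-wide
    for doc in docs:
        if doc.get("kind") != "Service":
            continue
        sel = doc.get("spec", {}).get("selector", {})
        for labels, open_ports in admin_pods:
            if sel and all(labels.get(k) == v for k, v in sel.items()):
                exposed = sorted({p.get("targetPort") for p in doc["spec"].get("ports", [])
                                  if p.get("targetPort") in open_ports})
                if exposed:
                    findings.append(f"Service/{doc['metadata']['name']}: exposes the Kong Admin API "
                                    f"(ports {exposed}) cluster-wide with no authentication; bind "
                                    "KONG_ADMIN_LISTEN to 127.0.0.1 and drop the Service")
    return findings


# Constructed excerpt of the manifest above (only the fields the audit reads).
WEAK = json.loads("""[
 {"apiVersion": "extensions/v1beta1", "kind": "Ingress", "metadata": {"name": "web-ingress"}},
 {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "kong-proxy"},
  "spec": {"type": "NodePort", "selector": {"app": "ingress-kong"}, "ports": [
    {"port": 80, "targetPort": 8000, "nodePort": 80}, {"port": 443, "targetPort": 8443, "nodePort": 443}]}},
 {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "kong-admin"},
  "spec": {"selector": {"app": "ingress-kong"}, "ports": [
    {"port": 8001, "targetPort": 8001}, {"port": 8444, "targetPort": 8444}]}},
 {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "ingress-kong"},
  "spec": {"template": {"metadata": {"labels": {"app": "ingress-kong"}}, "spec": {"containers": [
    {"name": "proxy", "env": [{"name": "KONG_PG_PASSWORD", "value": "kong"},
                              {"name": "KONG_ADMIN_LISTEN", "value": "0.0.0.0:8001, 0.0.0.0:8444 ssl"}]},
    {"name": "ingress-controller", "env": [{"name": "CONTROLLER_KONG_ADMIN_URL", "value": "http://127.0.0.1:8001"}]}]}}}}
]""")

# Hardened variant (assumed values): Admin API on loopback only and no kong-admin Service,
# password from a Secret, nodePorts inside the default range, networking.k8s.io/v1 Ingress.
HARDENED = json.loads("""[
 {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress", "metadata": {"name": "web-ingress"}},
 {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "kong-proxy"},
  "spec": {"type": "NodePort", "selector": {"app": "ingress-kong"}, "ports": [
    {"port": 80, "targetPort": 8000, "nodePort": 30080}, {"port": 443, "targetPort": 8443, "nodePort": 30443}]}},
 {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "ingress-kong"},
  "spec": {"template": {"metadata": {"labels": {"app": "ingress-kong"}}, "spec": {"containers": [
    {"name": "proxy", "env": [{"name": "KONG_PG_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "kong-pg", "key": "password"}}},
                              {"name": "KONG_ADMIN_LISTEN", "value": "127.0.0.1:8001"}]},
    {"name": "ingress-controller", "env": [{"name": "CONTROLLER_KONG_ADMIN_URL", "value": "http://127.0.0.1:8001"}]}]}}}}
]""")

if __name__ == "__main__":
    for f in audit(WEAK):
        print("-", f)
    print("hardened manifest findings:", audit(HARDENED))
```

Run against the weak excerpt it reports five findings (the deprecated Ingress version, both out-of-range nodePorts, the literal KONG_PG_PASSWORD, and the kong-admin Service exposing ports 8001 and 8444); the hardened excerpt produces none. To run it against a live cluster, feed it the items array of kubectl get all,ingress -n kong -o json instead of the constructed excerpt.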
$ kubectl apply -f ingress-kong.yaml
Wait about three minutes, then check what has been created:
$ kubectl get po -n kong
NAME                          READY   STATUS      RESTARTS   AGE
ingress-kong-f7bd9f9f-bb6rg   2/2     Running     9          126d
kong-migrations-w2v4b         0/1     Completed   0          168d
konga-85fd66dcff-jw8gn        1/1     Running     0          97d
postgres-0                    1/1     Running     1          168d
Configure hosts on the machine you browse from, pointing the Ingress host name at a node that runs ingress-kong (kong-proxy is a NodePort Service on 80/443):
<IP of the ingress-kong node> konga.test.lan
Then open the Konga management UI at http://konga.test.lan (the host must match the rule in the web-ingress Ingress). Note that this exposes Konga over plain HTTP with only the Host header as a filter: anyone who can reach the node port can request it by sending Host: konga.test.lan, so do not leave it reachable from untrusted networks.