[kong] refactor listener templates (#72)
Unify listener templates and make them more expressive:
* Listener strings are now generated by passing the listener/service
  configuration block (e.g. "proxy") to the "kong.listen" helper, rather
  than templating each listen string individually.
* The admin listen now uses the same configuration format as other
  listeners, with default values expressing the standard configuration
  (no service creation, TLS-only listen). Legacy configuration is still
  supported, but displays a deprecation warning in NOTES.txt.
* Listener configuration now allows specifying listen parameters, rather
  than hard-coding them into the template (though "ssl" is still
  hard-coded for TLS listens). To avoid too complicated a configuration
  change, users are still limited to two listens, HTTP and TLS, rather
  than being able to freely define listens.
* CI tests and README.md now account for the above.
* NOTES.txt spacing now tries to more closely adhere to 80-char columns.
* Add a "kong.adminLocalURL" helper to generate the local URL for the
  admin API, for use with the ingress controller.
rainest committed Mar 20, 2020
1 parent b90823a commit cc63bf2
Showing 12 changed files with 361 additions and 184 deletions.
100 changes: 46 additions & 54 deletions charts/kong/README.md
@@ -30,6 +30,7 @@ $ helm install kong/kong
- [Configuration method](#configuration-method)
- [Configuration](#configuration)
- [Kong Parameters](#kong-parameters)
- [Kong Service Parameters](#kong-service-parameters)
- [Ingress Controller Parameters](#ingress-controller-parameters)
- [General Parameters](#general-parameters)
- [The `env` section](#the-env-section)
@@ -211,43 +212,6 @@ Kong can be configured via two methods:
| image.pullPolicy | Image pull policy | `IfNotPresent` |
| image.pullSecrets | Image pull secrets | `null` |
| replicaCount | Kong instance count | `1` |
| admin.enabled | Create Admin Service | `false` |
| admin.useTLS | Secure Admin traffic | `true` |
| admin.servicePort | TCP port on which the Kong admin service is exposed | `8444` |
| admin.containerPort | TCP port on which Kong app listens for admin traffic | `8444` |
| admin.nodePort | Node port when service type is `NodePort` | |
| admin.hostPort | Host port to use for admin traffic | |
| admin.type | k8s service type, Options: NodePort, ClusterIP, LoadBalancer | `NodePort` |
| admin.loadBalancerIP | Will reuse an existing ingress static IP for the admin service | `null` |
| admin.loadBalancerSourceRanges | Limit admin access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| admin.ingress.enabled | Enable ingress resource creation (works with proxy.type=ClusterIP) | `false` |
| admin.ingress.tls | Name of secret resource, containing TLS secret | |
| admin.ingress.hosts | List of ingress hosts. | `[]` |
| admin.ingress.path | Ingress path. | `/` |
| admin.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| proxy.http.enabled | Enables http on the proxy | true |
| proxy.http.servicePort | Service port to use for http | 80 |
| proxy.http.containerPort | Container port to use for http | 8000 |
| proxy.http.nodePort | Node port to use for http | 32080 |
| proxy.http.hostPort | Host port to use for http | |
| proxy.tls.enabled | Enables TLS on the proxy | true |
| proxy.tls.containerPort | Container port to use for TLS | 8443 |
| proxy.tls.servicePort | Service port to use for TLS | 8443 |
| proxy.tls.nodePort | Node port to use for TLS | 32443 |
| proxy.tls.hostPort | Host port to use for TLS | |
| proxy.tls.overrideServiceTargetPort| Override service port to use for TLS without touching Kong containerPort | |
| proxy.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | `LoadBalancer` |
| proxy.clusterIP | k8s service clusterIP | |
| proxy.loadBalancerSourceRanges | Limit proxy access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| proxy.loadBalancerIP | To reuse an existing ingress static IP for the admin service | |
| proxy.externalIPs | IPs for which nodes in the cluster will also accept traffic for the proxy | `[]` |
| proxy.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| proxy.ingress.enabled | Enable ingress resource creation (works with proxy.type=ClusterIP) | `false` |
| proxy.ingress.tls | Name of secret resource, containing TLS secret | |
| proxy.ingress.hosts | List of ingress hosts. | `[]` |
| proxy.ingress.path | Ingress path. | `/` |
| proxy.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| proxy.annotations | Service annotations | `{}` |
| plugins | Install custom plugins into Kong via ConfigMaps or Secrets | `{}` |
| env | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/) | |
| runMigrations | Run Kong migrations job | `true` |
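Review bot: the rows dropped here for `admin.useTLS`, `admin.containerPort` and `admin.servicePort` are exactly the legacy keys the commit message says are still supported (and that NOTES.txt now warns about), so after this hunk a user who sees the deprecation warning has no README description of what those keys meant or how they map onto the new `admin.tls.*` / `admin.http.*` format. Suggest keeping a short "Legacy admin listen configuration" paragraph, or at least a one-line pointer from the deprecation warning to the new per-service table, until the legacy path is actually removed.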
@@ -258,6 +222,50 @@ Kong can be configured via two methods:
| dblessConfig.configMap | Name of an existing ConfigMap containing the `kong.yml` file. This must have the key `kong.yml`.| `` |
| dblessConfig.config | Yaml configuration file for the dbless (declarative) configuration of Kong | see in `values.yaml` |

#### Kong Service Parameters

The various `SVC.*` parameters below are common to the various Kong services
(the admin API, proxy, Kong Manger, the Developer Portal, and the Developer
Portal API) and define their listener configuration, K8S Service properties,
and K8S Ingress properties. Defaults are listed only if consistent across the
individual services: see values.yaml for their individual default values.

`SVC` below can be substituted with each of:
* `proxy`
* `admin`
* `manager`
* `portal`
* `portalapi`

| Parameter | Description | Default |
| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | |
| SVC.http.enabled | Enables http on the service | |
| SVC.http.servicePort | Service port to use for http | |
| SVC.http.containerPort | Container port to use for http | |
| SVC.http.nodePort | Node port to use for http | |
| SVC.http.hostPort | Host port to use for http | |
| SVC.http.parameters | Array of additional listen parameters | `[]` |
| SVC.tls.enabled | Enables TLS on the service | |
| SVC.tls.containerPort | Container port to use for TLS | |
| SVC.tls.servicePort | Service port to use for TLS | |
| SVC.tls.nodePort | Node port to use for TLS | |
| SVC.tls.hostPort | Host port to use for TLS | |
| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | |
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` |
| SVC.ingress.tls | Name of secret resource, containing TLS secret | |
| SVC.ingress.hosts | List of ingress hosts. | `[]` |
| SVC.ingress.path | Ingress path. | `/` |
| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| SVC.annotations | Service annotations | `{}` |

### Ingress Controller Parameters

All of the following properties are nested under the `ingressController`
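Review bot: two typos in the added text: "Kong Manger" should read "Kong Manager", and "traffic for the servic" should read "traffic for the service". More substantively, the table lists no defaults for `SVC.enabled`, `SVC.http.enabled` or `SVC.tls.enabled`, so the security-relevant admin defaults the commit message describes (no Service created, TLS-only listen) are now documented only in values.yaml; a sentence under the `SVC` list stating the admin defaults would let a reviewer confirm from the README alone that the admin API is not exposed unless explicitly enabled. Finally, `SVC.http.parameters` and `SVC.tls.parameters` are rendered into the listen string by the `kong.listen` helper, so their description should say they are appended to the listen directive verbatim (as `["http2"]` is) and are not validated by the chart.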
@@ -323,7 +331,7 @@ and upper-cased before setting the environment variable.
Furthermore, all `kong.env` parameters can also accept a mapping instead of a
value to ensure the parameters can be set through configmaps and secrets.

An example :
An example:

```yaml
kong:
@@ -342,22 +350,6 @@ For complete list of Kong configurations please check the

> **Tip**: You can use the default [values.yaml](values.yaml)
##### Admin/Proxy listener override

If you specify `env.admin_listen` or `env.proxy_listen`, this chart will use
the value provided by you as opposed to constructing a listen variable
from fields like `proxy.http.containerPort` and `proxy.http.enabled`.
This allows you to be more prescriptive when defining listen directives.

**Note:** Overriding `env.proxy_listen` and `env.admin_listen` will
potentially cause `admin.containerPort`, `proxy.http.containerPort` and
`proxy.tls.containerPort` to become out of sync,
and therefore must be updated accordingly.

For example, updating to `env.proxy_listen: 0.0.0.0:4444, 0.0.0.0:4443 ssl`
will need `proxy.http.containerPort: 4444` and `proxy.tls.containerPort: 4443`
to be set in order for the service definition to work properly.

## Kong Enterprise Parameters

### Overview
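Review bot: deleting this section removes the only documentation of the `env.admin_listen` / `env.proxy_listen` override and of the requirement to keep the `*.containerPort` values in sync with it, but nothing in this diff says whether the new `kong.listen` helper still honours those env keys. If the override survives, the note about `containerPort` drift should stay (or move into the new Kong Service Parameters section); if it does not, the README should state explicitly that `env.proxy_listen` / `env.admin_listen` are now generated and a user-supplied value is ignored, since a silently dropped admin listen override changes what the deployment exposes.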
36 changes: 36 additions & 0 deletions charts/kong/ci/test4-values.yaml
@@ -0,0 +1,36 @@
# CI test for testing dbless deployment without ingress controllers using legacy admin listen
# TODO: remove legacy admin listen behavior at a future date
# - disable ingress controller
ingressController:
enabled: false
# - use legacy admin listen config
admin:
enabled: true
useTLS: true
servicePort: 8444
containerPort: 8444

# - disable DB for kong
env:
database: "off"
postgresql:
enabled: false
# - supply DBless config for kong
dblessConfig:
# Or the configuration is passed in full-text below
config:
_format_version: "1.1"
services:
- name: test-svc
url: http://example.com
routes:
- name: test
paths:
- /test
plugins:
- name: request-termination
config:
status_code: 200
message: "dbless-config"
proxy:
type: NodePort
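Review bot: this values file exercises the legacy `admin.useTLS` / `admin.containerPort` path, but nothing here (or elsewhere in the visible diff) asserts that the rendered admin listen still comes out as the TLS-only `8444` listen or that the new NOTES.txt deprecation warning fires for it. A `helm template` step that checks the rendered Deployment for the expected `KONG_ADMIN_LISTEN` value and the warning text would make the TODO on line 2 safer to act on later. Also, `admin.enabled: true` is set without a Service `type`, so the test depends on whatever the new per-service default in values.yaml is; stating it here, as is done for `proxy`, keeps the test self-describing.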
21 changes: 16 additions & 5 deletions charts/kong/templates/NOTES.txt
@@ -10,12 +10,23 @@ PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fu
export PROXY_IP=${HOST}:${PORT}
curl $PROXY_IP

Once installed, please follow along the getting started guide to start using Kong:
https://bit.ly/k4k8s-get-started
Once installed, please follow along the getting started guide to start using
Kong: https://bit.ly/k4k8s-get-started

{{ if and (.Values.enterprise.portal.enabled) (or (.Values.enterprise.portal.portal_auth) (.Values.enterprise.portal.session_conf_secret)) -}} {{/* Legacy Portal auth handling */}}
/!\ WARNING: You are currently using legacy Portal authentication configuration in values.yaml (https://github.com/Kong/charts/blob/kong-1.2.0/charts/kong/values.yaml#L384-L392). Support for this will be removed in a future release.
/!\ WARNING: You are currently using legacy Portal authentication configuration
in values.yaml. Support for this will be removed in a future release:
https://github.com/Kong/charts/blob/kong-1.2.0/charts/kong/values.yaml#L384-L392

You should move these settings to "portal_session_conf" (using a secretKeyRef) and "portal_auth" under your "env" block.
{{- end -}}
You should move these settings to "portal_session_conf" (using a secretKeyRef)
and "portal_auth" under your "env" block.
{{- end }}

{{ if .Values.admin.containerPort -}} {{/* Legacy admin API listen */}}
/!\ WARNING: You are currently using legacy admin API configuration in
values.yaml. Support for this will be removed in a future release:
https://github.com/Kong/charts/blob/kong-1.3.0/charts/kong/values.yaml#L58-L66

You should rework your admin listen configuration to match the current format
(https://github.com/Kong/charts/blob/master/charts/kong/values.yaml).
{{- end -}}
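Review bot: the legacy detection `{{ if .Values.admin.containerPort -}}` keys on a single field, so a user who kept `admin.useTLS: false` or `admin.servicePort` from the old format but dropped `containerPort` gets no warning, and `useTLS: false` is the case where a silent mismatch matters most for the admin API; consider `or`-ing the legacy keys the way the Portal block above does. Two smaller points: the Portal block's closing `{{- end -}}` became `{{- end }}`, which changes whitespace trimming after that block and looks unintended inside an otherwise spacing-only reflow, and the new warning links to a `kong-1.3.0` tag with `#L58-L66` line anchors, which will only be accurate if that tag is cut with values.yaml in exactly that shape.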
