[kong] Refactor listener templates #72

Merged
merged 12 commits into from
Mar 20, 2020
87 changes: 33 additions & 54 deletions charts/kong/README.md
Expand Up @@ -203,50 +203,45 @@ Kong can be configured via two methods:

### Kong parameters

The various `SVC.*` parameters below are common to the various Kong services
(the admin API, proxy, Kong Manger, the Developer Portal, and the Developer
Portal API) and define their listener configuration, K8S Service properties,
and K8S Ingress properties. Defaults are listed only if consistent across the
individual services: see values.yaml for their individual default values.

rainest marked this conversation as resolved.
| Parameter | Description | Default |
| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
| image.repository | Kong image | `kong` |
| image.tag | Kong image version | `1.3` |
| image.pullPolicy | Image pull policy | `IfNotPresent` |
| image.pullSecrets | Image pull secrets | `null` |
| replicaCount | Kong instance count | `1` |
| admin.enabled | Create Admin Service | `false` |
| admin.useTLS | Secure Admin traffic | `true` |
| admin.servicePort | TCP port on which the Kong admin service is exposed | `8444` |
| admin.containerPort | TCP port on which Kong app listens for admin traffic | `8444` |
| admin.nodePort | Node port when service type is `NodePort` | |
| admin.hostPort | Host port to use for admin traffic | |
| admin.type | k8s service type, Options: NodePort, ClusterIP, LoadBalancer | `NodePort` |
| admin.loadBalancerIP | Will reuse an existing ingress static IP for the admin service | `null` |
| admin.loadBalancerSourceRanges | Limit admin access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| admin.ingress.enabled | Enable ingress resource creation (works with proxy.type=ClusterIP) | `false` |
| admin.ingress.tls | Name of secret resource, containing TLS secret | |
| admin.ingress.hosts | List of ingress hosts. | `[]` |
| admin.ingress.path | Ingress path. | `/` |
| admin.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| proxy.http.enabled | Enables http on the proxy | true |
| proxy.http.servicePort | Service port to use for http | 80 |
| proxy.http.containerPort | Container port to use for http | 8000 |
| proxy.http.nodePort | Node port to use for http | 32080 |
| proxy.http.hostPort | Host port to use for http | |
| proxy.tls.enabled | Enables TLS on the proxy | true |
| proxy.tls.containerPort | Container port to use for TLS | 8443 |
| proxy.tls.servicePort | Service port to use for TLS | 8443 |
| proxy.tls.nodePort | Node port to use for TLS | 32443 |
| proxy.tls.hostPort | Host port to use for TLS | |
| proxy.tls.overrideServiceTargetPort| Override service port to use for TLS without touching Kong containerPort | |
| proxy.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | `LoadBalancer` |
| proxy.clusterIP | k8s service clusterIP | |
| proxy.loadBalancerSourceRanges | Limit proxy access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| proxy.loadBalancerIP | To reuse an existing ingress static IP for the admin service | |
| proxy.externalIPs | IPs for which nodes in the cluster will also accept traffic for the proxy | `[]` |
| proxy.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| proxy.ingress.enabled | Enable ingress resource creation (works with proxy.type=ClusterIP) | `false` |
| proxy.ingress.tls | Name of secret resource, containing TLS secret | |
| proxy.ingress.hosts | List of ingress hosts. | `[]` |
| proxy.ingress.path | Ingress path. | `/` |
| proxy.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| proxy.annotations | Service annotations | `{}` |
| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | |
| SVC.http.enabled | Enables http on the service | |
| SVC.http.servicePort | Service port to use for http | |
| SVC.http.containerPort | Container port to use for http | |
| SVC.http.nodePort | Node port to use for http | |
| SVC.http.hostPort | Host port to use for http | |
| SVC.http.parameters | Array of additional listen parameters | `[]` |
| SVC.tls.enabled | Enables TLS on the service | |
| SVC.tls.containerPort | Container port to use for TLS | |
| SVC.tls.servicePort | Service port to use for TLS | |
| SVC.tls.nodePort | Node port to use for TLS | |
| SVC.tls.hostPort | Host port to use for TLS | |
| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | |
| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
| SVC.clusterIP | k8s service clusterIP | |
| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` |
| SVC.ingress.tls | Name of secret resource, containing TLS secret | |
| SVC.ingress.hosts | List of ingress hosts. | `[]` |
| SVC.ingress.path | Ingress path. | `/` |
| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| SVC.annotations | Service annotations | `{}` |
| plugins | Install custom plugins into Kong via ConfigMaps or Secrets | `{}` |
| env | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/) | |
| runMigrations | Run Kong migrations job | `true` |
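Review bot: In the parameter table, collapsing the `admin.*` and `proxy.*` rows into `SVC.*` rows with empty defaults drops the per-service defaults that matter most for exposure: the old rows stated `admin.enabled` as `false`, `admin.useTLS` as `true` and `admin.type` as `NodePort`, while the new table sends the reader to values.yaml for all of them. Consider keeping a short per-service defaults table, or at least a sentence stating whether the admin API Service is created and TLS-only by default, so nobody has to open values.yaml to learn whether the admin API is reachable. Two typos in the new text: "Kong Manger" in the introductory paragraph and "servic" in the `SVC.externalIPs` description.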
Expand Down Expand Up @@ -322,7 +317,7 @@ and upper-cased before setting the environment variable.
Furthermore, all `kong.env` parameters can also accept a mapping instead of a
value to ensure the parameters can be set through configmaps and secrets.

An example :
An example:

```yaml
kong:
Expand All @@ -341,22 +336,6 @@ For complete list of Kong configurations please check the

> **Tip**: You can use the default [values.yaml](values.yaml)

##### Admin/Proxy listener override

If you specify `env.admin_listen` or `env.proxy_listen`, this chart will use
the value provided by you as opposed to constructing a listen variable
from fields like `proxy.http.containerPort` and `proxy.http.enabled`.
This allows you to be more prescriptive when defining listen directives.

**Note:** Overriding `env.proxy_listen` and `env.admin_listen` will
potentially cause `admin.containerPort`, `proxy.http.containerPort` and
`proxy.tls.containerPort` to become out of sync,
and therefore must be updated accordingly.

For example, updating to `env.proxy_listen: 0.0.0.0:4444, 0.0.0.0:4443 ssl`
will need `proxy.http.containerPort: 4444` and `proxy.tls.containerPort: 4443`
to be set in order for the service definition to work properly.
Member

Is override not possible at all? From the current read, it seems it should be possible.
There will be use-cases that will demand override, and for those, we should mention this.

Thoughts?

Contributor Author

What cases are you thinking of in particular? The simplest I can think of (restricting the listen IP) doesn't seem like it'd be of use in containerized deployments.

While it's still possible, I couldn't think of obvious cases for overriding and figured it would be best left unmentioned.

Member

OSS users can get very creative sometimes.
We don't need a dedicated section but let's mention this in the env section itself maybe?

Contributor Author

They can be, but it's easier to support them if they aren't. I don't want to document this even though it does work, since IMO it shouldn't appear that it's a standard way of configuring things.

If there are cases where the standard listen config doesn't work, I'd want those to come in via issues for us to try and see if there's a way we can support it without overrides.


## Kong Enterprise Parameters

### Overview
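
Review bot: The removed "Admin/Proxy listener override" section carried the only statement that an `env.admin_listen` or `env.proxy_listen` override takes precedence over the generated listen value and leaves the containerPort settings out of sync with the Service. If the override is still honoured by the templates, as the thread above says, a one-sentence caveat in the `env` section would keep users who already rely on it from ending up with a Service that targets a port Kong no longer listens on; if it is meant to be unsupported, say so explicitly rather than dropping the text.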
36 changes: 36 additions & 0 deletions charts/kong/ci/test4-values.yaml
@@ -0,0 +1,36 @@
# CI test for testing dbless deployment without ingress controllers using legacy admin listen
# TODO: remove legacy admin listen behavior at a future date
# - disable ingress controller
ingressController:
enabled: false
# - use legacy admin listen config
admin:
enabled: true
useTLS: true
servicePort: 8444
containerPort: 8444

# - disable DB for kong
env:
database: "off"
postgresql:
enabled: false
# - supply DBless config for kong
dblessConfig:
# Or the configuration is passed in full-text below
config:
_format_version: "1.1"
services:
- name: test-svc
url: http://example.com
routes:
- name: test
paths:
- /test
plugins:
- name: request-termination
config:
status_code: 200
message: "dbless-config"
proxy:
type: NodePort
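
Review bot: The legacy `admin` block in this values file only exercises `useTLS: true`, so the plain-HTTP branch of the legacy admin listen handling has no CI coverage; a second case with `useTLS: false`, or a comment saying why it is not needed, would close that gap. The `# TODO: remove legacy admin listen behavior at a future date` line would be easier to act on with a target chart version, and in `# Or the configuration is passed in full-text below` no alternative precedes the comment in this file, so the leading "Or" can go.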
21 changes: 16 additions & 5 deletions charts/kong/templates/NOTES.txt
Expand Up @@ -10,12 +10,23 @@ PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fu
export PROXY_IP=${HOST}:${PORT}
curl $PROXY_IP

Once installed, please follow along the getting started guide to start using Kong:
https://bit.ly/k4k8s-get-started
Once installed, please follow along the getting started guide to start using
Kong: https://bit.ly/k4k8s-get-started

{{ if and (.Values.enterprise.portal.enabled) (or (.Values.enterprise.portal.portal_auth) (.Values.enterprise.portal.session_conf_secret)) -}} {{/* Legacy Portal auth handling */}}
/!\ WARNING: You are currently using legacy Portal authentication configuration in values.yaml (https://github.com/Kong/charts/blob/kong-1.2.0/charts/kong/values.yaml#L384-L392). Support for this will be removed in a future release.
/!\ WARNING: You are currently using legacy Portal authentication configuration
in values.yaml. Support for this will be removed in a future release:
https://github.com/Kong/charts/blob/kong-1.2.0/charts/kong/values.yaml#L384-L392

You should move these settings to "portal_session_conf" (using a secretKeyRef) and "portal_auth" under your "env" block.
{{- end -}}
You should move these settings to "portal_session_conf" (using a secretKeyRef)
and "portal_auth" under your "env" block.
{{- end }}

{{ if .Values.admin.containerPort -}} {{/* Legacy admin API listen */}}
/!\ WARNING: You are currently using legacy admin API configuration in
values.yaml. Support for this will be removed in a future release:
https://github.com/Kong/charts/blob/kong-1.3.0/charts/kong/values.yaml#L58-L66

You should rework your admin listen configuration to match the current format
(https://github.com/Kong/charts/blob/master/charts/kong/values.yaml).
{{- end -}}
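
Review bot: The new legacy admin warning is gated on `{{ if .Values.admin.containerPort -}}` alone, so a values file that sets other legacy keys such as `admin.useTLS` or `admin.servicePort` without `containerPort` prints no deprecation notice; gating on any of the legacy keys would be more reliable. The remediation link points at `blob/master`, which will drift as values.yaml changes, unlike the tag-pinned `kong-1.3.0` link in the same block; pinning it to a release tag keeps the reference stable.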