Skip to content

Commit

Permalink
docs: add KongServiceFacade docs and examples
Browse files Browse the repository at this point in the history
  • Loading branch information
@czeslavo
czeslavo committed Dec 7, 2023
1 parent 6470f94 commit 506c2cf
Show file tree
Hide file tree
Showing 16 changed files with 617 additions and 71 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ Adding a new version? You'll need three changes:
[#5234](https://github.com/Kong/kubernetes-ingress-controller/pull/5234)
[#5290](https://github.com/Kong/kubernetes-ingress-controller/pull/5290)
[#5282](https://github.com/Kong/kubernetes-ingress-controller/pull/5282)
[#5298](https://github.com/Kong/kubernetes-ingress-controller/pull/5298)
[#5302](https://github.com/Kong/kubernetes-ingress-controller/pull/5302)
- Added support for GRPC over HTTP (without TLS) in Gateway API.
[#5128](https://github.com/Kong/kubernetes-ingress-controller/pull/5128)
Expand Down
86 changes: 86 additions & 0 deletions FEATURE_GATES.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -168,3 +168,89 @@ services: if two HTTPRoute rules use both serviceA and serviceB in their
backendRefs, KIC will generate a single Kong service with endpoints from both
serviceA and serviceB, named for the first rule and match indices with that
combination of Services.

## Using KongServiceFacade

In KIC 3.1.0 we introduced a new feature called `KongServiceFacade`. Currently, we only
support `KongServiceFacade` to be used as a backend for `netv1.Ingress`es.
If you find this might be useful to you in other contexts (e.g. Gateway API's `HTTPRoute`s),
please let us know in the [#5216](https://github.com/Kong/kubernetes-ingress-controller/issues/5216)
issue tracking this effort.

### Installation

`KongServiceFacade` feature is currently in `Alpha` maturity and is disabled by default.
To start using it, you must not only enable the feature gate (`KongServiceFacade=true`),
but also install the `KongServiceFacade` CRD which is distributed in a separate
package we named `incubator`. You can install it by running:

```shell
kubectl apply -k github.com/Kong/kubernetes-ingress-controller/main/config/crd/incubator?ref=main
```

### Usage

Once the CRD is installed and the feature gate is set to `true`, you can start using it by creating
`KongServiceFacade` objects and use them as your `netv1.Ingress` backends. For example, to create
a `KongServiceFacade` that points to a service named `my-service` in the `default` namespace and uses
its port number `80`, you can run:

```shell
kubectl apply -f - <<EOF
apiVersion: incubator.ingress-controller.konghq.com/v1alpha1
kind: KongServiceFacade
metadata:
name: my-service-facade
namespace: default
annotations:
kubernetes.io/ingress.class: kong
spec:
backendRef:
name: my-service
port: 80
EOF
```

For a complete CRD reference please see the [incubator-crd-reference] document.

To use the `KongServiceFacade` as a backend for your `netv1.Ingress`, you can create an `Ingress`
like the following:

```shell
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
namespace: default
annotations:
konghq.com/strip-path: "true"
spec:
ingressClassName: kong
rules:
- http:
paths:
- path: /my-service
pathType: Prefix
backend:
resource:
apiGroup: incubator.ingress-controller.konghq.com
kind: KongServiceFacade
name: my-service-facade
EOF
```

Please note the `KongServiceFacade` must be in the same namespace as the `Ingress` that uses it.

An advantage of using `KongServiceFacade` over plain `corev1.Service`s is that you can create multiple
`KongServiceFacade`s that point to the same `Service` and KIC will always generate one Kong Service per each
`KongServiceFacade`. That enables you to, e.g., use different `KongPlugin`s for each `KongServiceFacade`
while still pointing to the same Kubernetes `Service`. A single `KongServiceFacade` may be used in multiple
`Ingress`es and customization done through the `KongServiceFacade`'s annotations will be honored in all of them
on a single Kong Service level (no need to duplicate annotations in multiple `Ingress`es).

For a complete example of using `KongServiceFacade` for customizing `Service` authentication methods, please
refer to the [kong-service-facade.yaml] manifest in our examples.

[incubator-crd-reference]: ./docs/incubator-api-reference.md
[kong-service-facade.yaml]: ./examples/kong-service-facade.yaml
10 changes: 6 additions & 4 deletions config/crd/incubator/incubator.ingress-controller.konghq.com_kongservicefacades.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,14 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
description: KongServiceFacade allows creating separate Kong Services for
description: "KongServiceFacade allows creating separate Kong Services for
a single Kubernetes Service. It can be used as Kubernetes Ingress' backend
(via its path's `backend.resource` field). It's designed to enable creating
two "virtual" Services in Kong that will point to the same Kubernetes Service,
but will have different configuration (e.g. different set of plugins, different
load balancing algorithm, etc.).
two \"virtual\" Services in Kong that will point to the same Kubernetes
Service, but will have different configuration (e.g. different set of plugins,
different load balancing algorithm, etc.). \n KongServiceFacade requires
`kubernetes.io/ingress.class` annotation with a value matching the ingressClass
of the Kong Ingress Controller (`kong` by default) to be reconciled."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
Expand Down
62 changes: 62 additions & 0 deletions docs/incubator-api-reference.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
<!-- This document is generated by KIC's 'generate.docs' make target, DO NOT EDIT -->

## Packages
- [incubator.ingress-controller.konghq.com/v1alpha1](#incubatoringress-controllerkonghqcomv1alpha1)


## incubator.ingress-controller.konghq.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the incubator.ingress-controller.konghq.com v1alpha1 API group.

- [KongServiceFacade](#kongservicefacade)

### KongServiceFacade



KongServiceFacade allows creating separate Kong Services for a single Kubernetes Service. It can be used as Kubernetes Ingress' backend (via its path's `backend.resource` field). It's designed to enable creating two "virtual" Services in Kong that will point to the same Kubernetes Service, but will have different configuration (e.g. different set of plugins, different load balancing algorithm, etc.). <br /><br /> KongServiceFacade requires `kubernetes.io/ingress.class` annotation with a value matching the ingressClass of the Kong Ingress Controller (`kong` by default) to be reconciled.

<!-- kong_service_facade description placeholder -->

| Field | Description |
| --- | --- |
| `apiVersion` _string_ | `incubator.ingress-controller.konghq.com/v1alpha1`
| `kind` _string_ | `KongServiceFacade`
| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. |
| `spec` _[KongServiceFacadeSpec](#kongservicefacadespec)_ | |




### KongServiceFacadeBackend



KongServiceFacadeBackend is a reference to a Kubernetes Service that is used as a backend for a Kong Service Facade.



| Field | Description |
| --- | --- |
| `name` _string_ | Name is the name of the referenced Kubernetes Service. |
| `port` _integer_ | Port is the port of the referenced Kubernetes Service. |


_Appears in:_
- [KongServiceFacadeSpec](#kongservicefacadespec)

### KongServiceFacadeSpec



KongServiceFacadeSpec defines the desired state of KongServiceFacade.



| Field | Description |
| --- | --- |
| `backendRef` _[KongServiceFacadeBackend](#kongservicefacadebackend)_ | Backend is a reference to a Kubernetes Service that is used as a backend for this Kong Service Facade. |


_Appears in:_
- [KongServiceFacade](#kongservicefacade)
215 changes: 215 additions & 0 deletions examples/kong-service-facade.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,215 @@
# This example demonstrates how to use the KongServiceFacade resource to
# configure Kong to route traffic to a Kubernetes Service, and secure it
# with a different plugin for each KongServiceFacade.
#
# To verify the example:
#
# 1. Install the KongServiceFacade CRD:
# $ kubectl apply -k "github.com/Kong/kubernetes-ingress-controller/config/crd/incubator?ref=main"
#
# 2. Install the Kong Ingress Controller with KongServiceFacade feature gate enabled:
# $ helm upgrade --install kong kong/ingress -n kong --create-namespace \
# --set controller.ingressController.env.feature_gates=KongServiceFacade=true \
# --set controller.ingressController.image.repository=kong/nightly-ingress-controller \
# --set controller.ingressController.image.tag=2023-12-07 \
# --set controller.ingressController.image.effectiveSemver=3.1.0
#
# 3. Apply the example manifest:
#
# $ kubectl apply -f https://raw.githubusercontent.com/Kong/kubernetes-ingress-controller/main/examples/kong-service-facade.yaml
#
# 4. Wait for KongServiceFacades to be configured in Kong:
#
# $ kubectl wait --for=condition=Programmed=True kongservicefacade/svc-facade-alpha kongservicefacade/svc-facade-beta
#
# 5. Get Proxy's Service external IP:
#
# $ export PROXY_IP=$(kubectl get service -n kong kong-gateway-proxy -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
# $ echo $PROXY_IP # To ensure that the variable is set.
# 198.19.249.2
#
# 6. Verify that paths /alpha and /beta are secured with key-auth and basic-auth respectively (we're using httpie here):
#
# $ http -h ${PROXY_IP}/alpha key:alice-password # /alpha allows valid key.
# HTTP/1.1 200 OK
# $ http -h ${PROXY_IP}/alpha key:wrong-key # /alpha doesn't allow invalid key.
# HTTP/1.1 401 Unauthorized
# $ http -h ${PROXY_IP}/alpha -a bob:bob-password # /alpha doesn't allow valid basic-auth credentials.
# HTTP/1.1 401 Unauthorized
# $ http -h ${PROXY_IP}/beta -a bob:bob-password # /beta allows valid basic-auth credentials.
# HTTP/1.1 200 OK
# $ http -h ${PROXY_IP}/beta -a bob:wrong # /beta doesn't allow invalid basic-auth credentials.
# HTTP/1.1 401 Unauthorized
# $ http -h ${PROXY_IP}/beta key:alice-password # /beta doesn't allow valid key.
# HTTP/1.1 401 Unauthorized
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin-deployment
namespace: default
labels:
app: httpbin
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
template:
metadata:
labels:
app: httpbin
spec:
containers:
- name: httpbin
image: kong/httpbin:0.1.0
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
labels:
app: httpbin
name: httpbin-deployment
namespace: default
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
app: httpbin
type: ClusterIP
---
# KongServiceFacade pointing to the httpbin-deployment,
# secured with key-auth plugin.
apiVersion: incubator.ingress-controller.konghq.com/v1alpha1
kind: KongServiceFacade
metadata:
name: svc-facade-alpha
namespace: default
annotations:
kubernetes.io/ingress.class: kong
konghq.com/plugins: key-auth
spec:
backendRef:
name: httpbin-deployment
port: 80
---
# KongServiceFacade pointing to the same httpbin-deployment,
# secured with basic-auth plugin.
apiVersion: incubator.ingress-controller.konghq.com/v1alpha1
kind: KongServiceFacade
metadata:
name: svc-facade-beta
namespace: default
annotations:
kubernetes.io/ingress.class: kong
konghq.com/plugins: basic-auth
spec:
backendRef:
name: httpbin-deployment
port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: httpbin-ingress
namespace: default
annotations:
konghq.com/strip-path: "true"
spec:
ingressClassName: kong
rules:
- http:
paths:
- path: /alpha
pathType: Prefix
backend:
# The /alpha path uses the KongServiceFacade secured with key-auth plugin.
resource:
apiGroup: incubator.ingress-controller.konghq.com
kind: KongServiceFacade
name: svc-facade-alpha
- path: /beta
pathType: Prefix
backend:
# The /beta path uses the KongServiceFacade secured with basic-auth plugin.
resource:
apiGroup: incubator.ingress-controller.konghq.com
kind: KongServiceFacade
name: svc-facade-beta
---
# The following resources are used to configure the key-auth and basic-auth plugins
# used by the KongServiceFacade resources.
#
# For key-auth it sets up a KongConsumer `alice` that can be authenticated by
# setting the `key` header to `alice-password`.
#
# For basic-auth it sets up a KongConsumer `bob` that can be authenticated by
# setting the `Authorization` header to `Basic <base64("bob:bob-password")>`.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: key-auth
namespace: default
plugin: key-auth
config:
key_names: ["key"]
---
apiVersion: v1
kind: Secret
metadata:
name: alice-credentials
namespace: default
annotations:
kubernetes.io/ingress.class: kong
labels:
konghq.com/credential: key-auth
type: Opaque
stringData:
key: "alice-password"
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: alice
namespace: default
annotations:
kubernetes.io/ingress.class: kong
username: alice
credentials:
- alice-credentials
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: basic-auth
namespace: default
plugin: basic-auth
---
apiVersion: v1
kind: Secret
metadata:
name: bob-credentials
namespace: default
annotations:
kubernetes.io/ingress.class: kong
labels:
konghq.com/credential: basic-auth
type: Opaque
stringData:
username: "bob"
password: "bob-password"
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: bob
namespace: default
annotations:
kubernetes.io/ingress.class: kong
username: bob
credentials:
- bob-credentials

0 comments on commit 506c2cf

Please sign in to comment.