[WIP]: Kong ingress controller #7350
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
Hi @merqurio. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
|
/check-cla |
1 similar comment
|
/check-cla |
k8s-ci-robot
added
cncf-cla: yes
Yes, the ingress controller currently does not take into account any authentication applied on the Admin port of Kong. |
stable/kong/values.yaml
Outdated
|
|
||
| # Ingress Controller: | ||
| # A controller watches for kubernetes resources defined with a | ||
| # CustomResourceDefinition that represent the configuration of a deployment. |
There was a problem hiding this comment.
Kong Ingress Controller's primary purpose is to satisfy Ingress resources created in k8s.
It uses CRDs for more fine grained control over routing and for Kong specific configuration.
@merqurio Could you update the description to communicate this? Thanks!
|
ping @shashiranjan84 |
|
I will try to review it as soon as possible. |
|
I would like to list out two approaches to do this:
I currently don't have a preference, although (2) will be better in the longer term? |
stable/kong/values.yaml
Outdated
| path: "/healthz" | ||
| port: 10254 | ||
| scheme: HTTP | ||
| initialDelaySeconds: 30 |
There was a problem hiding this comment.
Can we bump this up to 180 as set for Kong Admin and proxy pods?
There was a problem hiding this comment.
Sure, I took that from here, changing to 180.
| periodSeconds: 10 | ||
| successThreshold: 1 | ||
| timeoutSeconds: 1 | ||
| readinessProbe: |
There was a problem hiding this comment.
Can we add a initialDelaySeconds of 120 for readinessProbe as set for Kong pods?
There was a problem hiding this comment.
Done, it was missing here, modified to 102, thanks
| @@ -0,0 +1,7 @@ | |||
| {{- if .Values.ingressController.enabled -}} | |||
There was a problem hiding this comment.
Can we name this file controller-service-account?
There was a problem hiding this comment.
Done, thanks for the suggestion.
| @@ -0,0 +1,15 @@ | |||
| {{- if .Values.ingressController.enabled -}} | |||
There was a problem hiding this comment.
Can we name this file controller-rbac-role-binding since kong is redundant here?
| @@ -0,0 +1,42 @@ | |||
| {{- if .Values.ingressController.enabled -}} | |||
There was a problem hiding this comment.
Can we name this file controller-rbac-role?
| @@ -0,0 +1,63 @@ | |||
| {{- if .Values.ingressController.enabled -}} | |||
There was a problem hiding this comment.
Can we name this file controller-cluster-role?
| @@ -0,0 +1,14 @@ | |||
| {{- if .Values.ingressController.enabled -}} | |||
There was a problem hiding this comment.
Can we name this file controller-rbac-cluster-role-binding?
| @@ -0,0 +1,13 @@ | |||
| {{- if .Values.ingressController.enabled -}} | |||
There was a problem hiding this comment.
Can we keep the names of the files for all CRDs singular?
Like crd-kongconsumer for this file? Thanks!
| @@ -0,0 +1,119 @@ | |||
| {{- if .Values.ingressController.enabled -}} | |||
There was a problem hiding this comment.
Can we rename this to controller-deployment?
| livenessProbe: | ||
| {{ toYaml .Values.ingressController.livenessProbe | indent 10 }} | ||
| resources: | ||
| {{ toYaml .Values.ingressController.resources | indent 10 }} |
|
@shashiranjan84
|
|
@merqurio Before I review this PR I am wondering why can't we have Kong-ingress as separate chart? |
mattfarina
added
the
Contribution Allowed
Personally I think this is the best approach, due to the templating nature of Helm, setting the ingress controller as a feature feels more natural to me.
I do like the init-container approach i saw in the kong ingress examples. I just modified that too, as I consider that as a kong maintainer you understand better the lifecycle.
I completely agree. I didn't want to be too destructive with the existing chart. @shashiranjan84, you're the main maintainer, thoughts on that ? I will remove them in the meantime. |
|
@merqurio thanks again for PR. I discussed it with @hbagdi and we planned to keep it separate as both Kong as application and as ingress controller behave in a different way. Matter of fact we were planning to create a new chart for ingress controller last week. So I would request you to send a separate PR with a new chart for Kong ingress controller.
init-container is not the right approach. Goal was to not start multiple kong pods running migration at once and a separate migration job handles it well. |
|
Thanks @shashiranjan84 for the feedback, I'll move things around and push back as a new chart. I prefer to keep the changes on the same PR to make it easier to follow. I will create the chart in the incubator directory. |
|
Problems that have emerged due to the split chart approach:
I really think the one chart solution is much more elegant and simpler to maintain. Please, think about complex charts where the ingress will be used. A couple of questions:
|
|
For some reason even if |
|
Thanks @shashiranjan84 and @hbagdi for the support, I really appreciate @Kong presence to make this chart reliable and focused in the long term. |
|
Hello @merqurio, @shashiranjan84 and I had a discussion on this and we've agreed on keeping the ingress controller chart as part of the Could you revert it to the original PR you had? Thank you for taking the initiative to make this possible! |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: merqurio If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hello guys! Great work with this chart, looking forward to getting this very important improvement merged. Once this PR is merged, I'd like to add support to customized ingress class name, via Do you think it would make sense? If yes, I could work on that PR. My use case is that I'll have a normal nginx-ingress serving internal stuff (like prometheus, grafana etc) and Kong serving my microservices endpoints. Thanks for your input and hard work on this PR! |
|
@RTodorov Sounds good, thank you! |
|
@merqurio Could you merge and resolve conflicts and add docs? Let's wrap this up soon to avoid staleness. |
helm-bot
added
size/L
Signed-off-by: Gabriel de Maeztu <gabriel.maeztu@gmail.com>
helm-bot
added
Contribution Allowed
Signed-off-by: Gabriel de Maeztu <gabriel.maeztu@gmail.com>
helm-bot
added
size/XL
|
@cpanato @mattfarina @davidkarlsen Could you guys /ok-to-test? |
| @@ -10,5 +10,5 @@ maintainers: | |||
| name: kong | |||
| sources: | |||
| - https://github.com/Kong/kong | |||
| version: 0.5.0 | |||
| version: 0.5.1 | |||
There was a problem hiding this comment.
Let's bump this up to 0.6.0 since there are other PRs on this charts which might cause conflicts and I want to minimize back and forth on this PR now.
| | Parameter | Description | Default | | ||
| | ------------------------------ | -------------------------------------------------------------------------------- | ------------------- | | ||
| | image.repository | Kong image | `kong` | | ||
| | image.tag | Kong image version | `0.14.0` | |
There was a problem hiding this comment.
Can we keep this to 0.14.1, I think this could came in here due to a rebase/merge from master.
| kong run the following command: | ||
|
|
||
| ```bash | ||
| helm install . \ |
There was a problem hiding this comment.
This seems like it's being used during development but end users shouldn't really need to do it.
Should it rather be helm install stable/kong?
| @@ -97,7 +97,7 @@ livenessProbe: | |||
| path: "/status" | |||
| port: admin | |||
| scheme: HTTPS | |||
| initialDelaySeconds: 30 | |||
| initialDelaySeconds: 180 | |||
There was a problem hiding this comment.
2 and 3 minutes are extremely high.
@shashiranjan84 has shown concern around this change in one of this past review.
|
@merqurio Gentle nudge for this. We're at the last mile I believe! |
|
@merqurio please rebase and also sign the DCO |
k8s-ci-robot
added
the
do-not-merge/hold
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/close |
1 similar comment
|
/close |
What this PR does / why we need it:
Adds a kong ingress controller deployment to the chart. This enables the management of kong using custom resources.
Which issue this PR fixes:
fixes Kong/kubernetes-ingress-controller/issues/36
Special notes for your reviewer:
It's a first approach, it's working for us, please, I'm open to suggestions and reviews.
It's limited to Kong CE 0.13.X, but support for 0.14.0 was merged a couple of days. @shashiranjan84, can you release a new version of the docker image ?
@hbagdi, I wasn't able to make it work when the kong-admin port is secured, is this the expeceted behaviour ? It makes sense to me, but I wanted to check first:
Thanks !