Kubernetes has become the name of the game when it comes to container orchestration. It allows teams to deploy and scale applications to meet changes in demand while providing a great developer experience.
The key to handling modern dynamic, scalable workloads in Kubernetes is a networking stack that can deliver API management, a service mesh and an ingress controller. Kong Ingress Controller allows users to manage the routing rules that control external user access to the service in a Kubernetes cluster from the same platform.
This article will look at how you can use Kong for full-stack application deployments with Kubernetes. By full-stack, we mean Kong can handle:
Let's get started by creating our cluster.
With Kind, you can run local Kubernetes clusters using Docker. It was designed for testing Kubernetes but is perfect for local K8 development like we will do in this example. There are quite a few ways to install Kind, depending on your operating system. If you have a Mac, you can install it quickly with Homebrew:
brew install kind
If you are on a Windows machine and have Chocolatey installed, the command is just as simple:
choco install kind
If you have Go and Docker installed, you can run the following command to install kind:
GO111MODULE="on" go get sigs.k8s.io/kind@v0.10.0
For more installation options, see the Kind quickstart.
Once Kind is installed, you need to create a cluster::
kind create cluster
After making the cluster, you can interact with it using kubectl. To list your clusters, run:
kind get clusters
It should return kind, the default cluster context name.
Now run the following to point kubectl to the kind cluster:
kind export kubeconfig
If you set up Kind correctly, running the following command will give you details about your cluster:
kubectl cluster-info
Now that we have a cluster running, we can install Kong quickly by applying the manifest directly with the following command:
kubectl create -f https://bit.ly/k4k8s
Now run the following command to get details on kong-proxy:
kubectl -n kong get service kong-proxy
You will notice that the external IP is still pending. Kind only exposes the Kubernetes API endpoint, and so the service is not accessible outside of the cluster.
Since we are using Kind, we will have to run a port forward to do this. This command does not get daemonized, so you will have to open another console window to run other commands.
kubectl -n kong port-forward --address localhost,0.0.0.0 svc/kong-proxy 8080:80
Next, we need to set an environment variable with the IP address from where we want to access Kong. This will be localhost since we are using a port forward.
export PROXY_IP=localhost:8080
You can curl the IP now or visit in a browser and should see:
{"message":"no Route matched with those values"}
Now let's deploy something that will return some results. Kubernetes has multiple example applications available in a Github repo. We are going to deploy the Guestbook App with these commands:
kubectl apply -f https://k8s.io/examples/application/guestbook/mongo-deployment.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/mongo-service.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/frontend-deployment.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/frontend-service.yaml
Now, if we run kubectl get services, we will see two new services:
We can also query the pods to make sure their status is ‘Running’:
kubectl get pods -l app.kubernetes.io/name=guestbook -l app.kubernetes.io/component=frontend
To test it, you can run another port forward really quick with:
kubectl port-forward svc/frontend 8000:80
You will find the guestbook running at http://localhost:8000/. We will now set up the Kong Ingress Controller.
Now we can use the Kong Ingress Controller, so we need to set up a resource to serve traffic. We can create a proxy for our application with the following command:
echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: guestbook
annotations:
konghq.com/strip-path: "true"
kubernetes.io/ingress.class: kong
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend
port:
number: 80
' | kubectl apply -f -
Now you will see the guestbook app at http://localhost:8080/.
With Kong Ingress, we can execute plugins on the service level. That way, Kong will execute a plugin whenever a request is sent to a specific service, no matter which ingress path from where it came. If we want to add rate limits to our app, we can add the rate limiting plugin to our Kubernetes installation with the following command:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rl-by-ip
config:
minute: 5
limit_by: ip
policy: local
plugin: rate-limiting
" | kubectl apply -f -
kongplugin.configuration.konghq.com/rl-by-ip created
Once you install the plugin, you can apply the konghq.com/plugins annotation on our Guestbook with the following command:
kubectl patch svc frontend \
-p '{"metadata":{"annotations":{"konghq.com/plugins": "rl-by-ip\n"}}}'
If you curl the guestbook app, you will see that rate limiting has been set up.
If you plan on testing the Guestbook frequently during this example, you may want to set the limit higher, or you will run into a Kong error that says the rate limit has been exceeded.
So far, the app is running on HTTP, and we want it to run on HTTPS. If we want to tell Kong to redirect all the HTTP requests, we can update its annotations to HTTPS and issue a 301 redirect with this command to patch the ingress entry:
kubectl patch ingress guestbook -p '{"metadata":{"annotations":{"konghq.com/protocols":"https","konghq.com/https-redirect-status-code":"301"}}}'
To test this using kind, set up another port-forward with the following command:
kubectl -n kong port-forward --address localhost,0.0.0.0 svc/kong-proxy 8443:443
You can now access a "secure" version of the guestbook at https://localhost:8443. It will not have a certificate, so you will run into warnings in your browser. Let's look at how we can add certificates.
You can install the cert-manager with the following command:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
Once the images pull down, you can verify that it is running with this command:
kubectl get all -n cert-manager
You should see something like this:
Since we have Kubernetes running locally with a port-forward, the IP address for the Kong proxy is 127.0.0.1. If you weren’t using a port forward, you could run the following command to find the IP address:
kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong kong-proxy
But since we are using a port forward, this command will return nothing. If this were in production, you would then set up DNS records to resolve your domain to the IP address you just retrieved. Once that is done, you can request a certificate from Let's Encrypt by running the following, making sure to change the email:
echo "apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
namespace: cert-manager
spec:
acme:
email: [email protected] #change this email
privateKeySecretRef:
name: letsencrypt-prod
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: kong" | kubectl apply -f -
Next, you will have to update your ingress resource to provide a certificate with the following command, changing the domain to your own:
echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: guestbook-example-com
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: kong
spec:
tls:
- secretName: guestbook-example-com
hosts:
- demo.example.com #change this domain/subdomain
rules:
- host: demo.example.com #change this domain/subdomain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: guestbook
port:
number: 80
' | kubectl apply -f -
Once that is updated, the cert-manager will start to provision the certificate and the certificate will be ready soon.
Kong may be the missing tool in your Kubernetes stack. Kong Ingress Controller can implement authentication, HTTPS redirects, security certificates, and more across all your Kubernetes clusters. Using Kong, you can control your containers, networking, load balancing, rate limiting and more from one platform. It truly is the choice for full-stack ingress deployments.
Also published on: https://dzone.com/articles/kubernetes-full-stack-example-with-kong-ingress-co