
Comments (11)

jaskiratr avatar jaskiratr commented on May 24, 2024 15

I was able to edit yaml to create kong-admin service.

---
apiVersion: v1
kind: Service
metadata:
  name: kong-admin
  namespace: kong
spec:
  type: NodePort
  ports:
  - name: admin
    port: 8001
    protocol: TCP
    targetPort: 8001
  - name: admin-ssl
    port: 8444
    targetPort: 8444
    protocol: TCP
  selector:
    app: ingress-kong
# type: ClusterIP
---

Additionally, I modified the ingress-kong deployment

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: ingress-kong
  name: ingress-kong
  namespace: kong
spec:
  ...
  template:
    ...
    spec:
      containers:
        - env:
            ...
            - name: KONG_ADMIN_LISTEN
              value: 0.0.0.0:8001,0.0.0.0:8444 ssl
            - name: KONG_PROXY_LISTEN
              value: 0.0.0.0:8000,0.0.0.0:8443 ssl
          image: kong:1.3
          name: proxy
          ports:
            - containerPort: 8001
              name: admin
              protocol: TCP
            - containerPort: 8444
              name: admin-ssl
              protocol: TCP
            - containerPort: 8000
              name: proxy
              protocol: TCP
            - containerPort: 8443
              name: proxy-ssl
              protocol: TCP
            - containerPort: 9542
              name: metrics
              protocol: TCP
...

Once the Admin-API is created, I'm able to port forward it to my local machine by issuing the following command:

# Port forward Admin API service to localhost:8080
kubectl port-forward -n kong svc/kong-admin 8080:8001

From there, I can set up the Admin API Loopback by creating a consumer and key credentials associated with that. Finally, remove the Admin-API service and just access the loopback endpoint via the proxy service LoadBalancer.

Is there a better strategy?

from kubernetes-ingress-controller.

jaskiratr avatar jaskiratr commented on May 24, 2024 2

Side note: I commented out type: ClusterIP in favor of type: NodePort
@WoodyFleurant

Also could you provide the request you used to create the consumer?
I am puzzled which service you will consume

Once the loopback is set up, you can stop the port-forward on your local machine. You can then access the Kong admin API via proxy. Your question pertains to my comment:

From there, I can set up the Admin API Loopback by creating a consumer and key credentials associated with that. Finally, remove the Admin-API service and just access the loopback endpoint via the proxy service LoadBalancer.

1. Temporary access for Admin API

We can now expose the Admin API through Kubernetes Port Forwarding

Issue the following command in a separate terminal to expose the Admin API on :8080

kubectl port-forward -n kong svc/kong-control-plane 8080:8001
# OR
kubectl port-forward -n kong svc/kong-admin 8080:8001

Verify if the Admin API endpoint is available locally on :8080

curl -X GET http://localhost:8080

Expected Response:

{
    "hostname": "",
    "node_id": "6a72192c-a3a1-4c8d-95c6-efabae9fb969",
    "lua_version": "LuaJIT 2.1.0-beta3",
    "plugins": {
        "available_on_server": [
            ...
        ],
        "enabled_in_cluster": [
            ...
        ]
    },
    "configuration" : {
        ...
    },
    "tagline": "Welcome to Kong",
    "version": "0.14.0"
}

2. Create Admin API Service

curl -X POST http://localhost:8080/services \
  --data name=admin-api \
  --data host=kong-admin \
  --data port=8001

3. Add a route for Admin API Service

curl -X POST http://localhost:8080/services/admin-api/routes \
  --data 'paths[]=/admin-api'

3. Access Admin-API through Proxy

Get the Proxy API endpoint

kubectl get svc -n kong

NAME                      TYPE           CLUSTER-IP       EXTERNAL-IP         PORT(S)
kong-admin                ClusterIP      100.69.176.127   <none>              8001/TCP,8444/TCP
kong-proxy                LoadBalancer   100.70.121.18    <LoadBalancer-URL>  80:30594/TCP,443:30325/TCP
kong-validation-webhook   ClusterIP      100.65.113.99    <none>              443/TCP
konga-svc                 LoadBalancer   100.70.69.48     <LoadBalancer-URL>  1337:30337/TCP
postgres                  ClusterIP      100.69.25.163    <none>              5432/TCP

We can now transparently reach the Admin API through the proxy server

export PROXY_API=$(kubectl get svc --namespace kong kong-proxy -o jsonpath='{.status.loadBalancer.ingress[*].hostname}')

# or 
export PROXY_API=$(kubectl get svc --namespace kong kong-ingress-data-plane -o jsonpath='{.status.loadBalancer.ingress[*].hostname}')

curl $PROXY_API/admin-api/

4. Enable ACL Plugin on Admin-API Service

Reference: https://docs.konghq.com/hub/kong-inc/acl/

We will create two consumer groups, admin-group & dev-group. Later, we will configure only the users in admin-group to access the Admin API endpoint via proxy.

curl -X POST \
  --url http://localhost:8080/services/admin-api/plugins/ \
    --data "name=acl"  \
    --data "config.whitelist=admin-group" \
    --data "config.hide_groups_header=true"

5. Create Admin consumer

curl -i -X POST \
  --url http://localhost:8080/consumers/ \
  --data "username=admin"

5. Create key credentials for Admin consumer

curl -i -X POST \
  --url http://localhost:8080/consumers/admin/key-auth/ \
  --data 'key=ENTER_ADMIN_KEY'

6. Add Admin consumer to Admin group

curl -i -X POST \
  --url http://localhost:8080/consumers/admin/acls \
  --data "group=admin-group"

7. Verify ACLS configuration for Admin

curl -X GET http://localhost:8080/consumers/admin/acls

Expected response:

{
    "total": 1,
    "data": [
        {
            "group": "admin-group",
            "created_at": 1568944581,
            "consumer": {
                "id": "e827e641-409c-4543-8059-13403e9da44f"
            },
            "id": "27f827b1-542d-4221-96b2-b95f08808af1"
        }
    ]
}

8. Enable Key Auth Plugin on Admin-API Service

curl -i -X POST \
  --url http://localhost:8080/services/admin-api/plugins/ \
  --data 'name=key-auth'

9. Access Admin-API through Proxy API as Admin

As expected, access to the endpoint without Admin key credentials should now be blocked.

curl -X GET $PROXY_API/admin-api

Expected response:

{"message":"No API key found in request"}

Now provide the Admin key credentials to access the Admin API endpoint via the Proxy API.

curl -X GET $PROXY_API/admin-api \
--header "apikey: ENTER_ADMIN_KEY"

Expected Response:

{
    "hostname": "",
    "node_id": "6a72192c-a3a1-4c8d-95c6-efabae9fb969",
    "lua_version": "LuaJIT 2.1.0-beta3",
    "plugins": {
        "available_on_server": [
            ...
        ],
        "enabled_in_cluster": [
            ...
        ]
    },
    "configuration" : {
        ...
    },
    "tagline": "Welcome to Kong",
    "version": "0.14.0"
}

Finally, you may now stop the port forwarding for Admin API to localhost:8080.

from kubernetes-ingress-controller.
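A check for the end state of the walkthrough above, added here as an example and not part of the original comment or of the Kong project: it flags Services that still publish the Admin API ports (8001/8444) as NodePort or LoadBalancer, and reports which of the two plugins from the steps (key-auth, acl) are missing on the admin-api service. The function names and sample data are hypothetical; the inputs are assumed to be the parsed JSON of `kubectl get svc -n kong -o json` and of `GET /services/admin-api/plugins`.

```python
# Added example: names and sample data are constructed for illustration.
ADMIN_PORTS = {8001, 8444}                     # Admin API ports used in this thread
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}  # reachable from outside the cluster
REQUIRED_PLUGINS = {"key-auth", "acl"}         # both are enabled in the walkthrough

def exposed_admin_services(svc_list):
    """Services that publish an Admin API port outside the cluster.
    svc_list: parsed output of `kubectl get svc -n kong -o json`."""
    findings = []
    for svc in svc_list.get("items", []):
        spec = svc.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")
        if svc_type not in EXTERNAL_TYPES:
            continue
        for p in spec.get("ports", []):
            # targetPort defaults to port and may be a named container port
            target = p.get("targetPort", p.get("port"))
            if target in ADMIN_PORTS or str(target).startswith("admin"):
                findings.append((svc["metadata"]["name"], svc_type, p.get("port")))
    return findings

def missing_loopback_plugins(plugin_list):
    """Required plugins absent or disabled on the admin-api service.
    plugin_list: parsed body of GET /services/admin-api/plugins."""
    active = set()
    for plugin in plugin_list.get("data", []):
        if not plugin.get("enabled", True):
            continue
        # the thread's ACL relies on config.whitelist; require it to be non-empty
        if plugin.get("name") == "acl" and not plugin.get("config", {}).get("whitelist"):
            continue
        active.add(plugin.get("name"))
    return sorted(REQUIRED_PLUGINS - active)

# Constructed sample: the NodePort kong-admin Service from the first comment.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"name": "kong-admin"}, "spec": {"type": "NodePort", "ports": [
        {"name": "admin", "port": 8001, "targetPort": 8001},
        {"name": "admin-ssl", "port": 8444, "targetPort": 8444}]}},
    {"metadata": {"name": "kong-proxy"}, "spec": {"type": "LoadBalancer", "ports": [
        {"name": "proxy", "port": 80, "targetPort": 8000},
        {"name": "proxy-ssl", "port": 443, "targetPort": 8443}]}},
]}
# Constructed sample: plugin listing with only the ACL plugin enabled so far.
PLUGINS_ACL_ONLY = {"data": [
    {"name": "acl", "enabled": True, "config": {"whitelist": ["admin-group"]}}]}

if __name__ == "__main__":
    print(exposed_admin_services(SAMPLE_SERVICES))
    print(missing_loopback_plugins(PLUGINS_ACL_ONLY))
```

An empty result from both functions corresponds to the state the comment ends on: no externally published admin Service, and both plugins active on the loopback service.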

Ngob avatar Ngob commented on May 24, 2024 1

Did you try to change the type of the service kong-proxy to LoadBalancer? The type NodePort means the service will be exposed on the node so it probably does not create any loadbalancer in AWS ELB. Can you try something like:

kubectl delete svc kong-proxy -n kong
echo "
apiVersion: v1
kind: Service
metadata:
  name: kong-proxy
  namespace: kong
spec:
  type: LoadBalancer
  ports:
  - name: kong-proxy
    port: 80
    targetPort: 8000
    protocol: TCP
  - name: kong-proxy-ssl
    port: 443
    targetPort: 8443
    protocol: TCP
  selector:
    app: kong
" | kubectl apply -f -

from kubernetes-ingress-controller.

arunk16 avatar arunk16 commented on May 24, 2024

@Ngob thanks for that, I have used the type: LoadBalancer to solve this already.

from kubernetes-ingress-controller.

Ngob avatar Ngob commented on May 24, 2024

@arunk16 You are welcome
@gerred I can help to improve the deployment documentation on GKE / AWS Kubernetes, feel free to assign me

from kubernetes-ingress-controller.

engmsaleh avatar engmsaleh commented on May 24, 2024

I'm using the same setup but I have configured it on a subdomain on Route53
I have the same issue, I couldn't connect to the Kong proxy or Admin API also, I have done as suggested by @Ngob

Could you please advise?

from kubernetes-ingress-controller.

Ngob avatar Ngob commented on May 24, 2024

@engmsaleh I do not know about AWS deployment or Route53, but I will try to help:
I think this is an AWS specific problem (and the kubernetes deployment), so this is probably not a kong issue. From what I know, if you configure a subdomain you will need something like the route53 mapper
Let me know if this helps.
I think your question should be posted on Kong Nation.

from kubernetes-ingress-controller.

jaskiratr avatar jaskiratr commented on May 24, 2024

Hi,
I'm able to access the Proxy API via the LoadBalancer. Which Pod or Service needs to be exposed to access the Admin API?
I'm trying to set up the Admin API Loopback, but I'm not sure how to access it.
Thank you

kubectl apply -f https://bit.ly/kong-ingress

kubectl get all -n kong

NAME                                READY   STATUS      RESTARTS   AGE
pod/ingress-kong-74f469bbb6-hlxkf   2/2     Running     1          13m
pod/kong-migrations-qztcl           0/1     Completed   0          13m
pod/postgres-0                      1/1     Running     0          13m

NAME                              TYPE           CLUSTER-IP       EXTERNAL-IP                                                                     PORT(S)                      AGE
service/kong-proxy                LoadBalancer   100.71.102.112   xxxxxx.elb.us-west-2.amazonaws.com   80:32500/TCP,443:30156/TCP   13m
service/kong-validation-webhook   ClusterIP      100.65.114.214   <none>                                                                          443/TCP                      13m
service/postgres                  ClusterIP      100.67.213.155   <none>                                                                          5432/TCP                     13m

NAME                           DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ingress-kong   1         1         1            1           13m

NAME                                      DESIRED   CURRENT   READY   AGE
replicaset.apps/ingress-kong-74f469bbb6   1         1         1       13m

NAME                        DESIRED   CURRENT   AGE
statefulset.apps/postgres   1         1         13m

NAME                        COMPLETIONS   DURATION   AGE
job.batch/kong-migrations   1/1           17s        13m

from kubernetes-ingress-controller.

marcospassos avatar marcospassos commented on May 24, 2024

I'm also able to access the admin using the instructions @jaskiratr described.

Could you guys please confirm if this is the best way of enabling the admin using the ingress controller?

from kubernetes-ingress-controller.

WoodyFleurant avatar WoodyFleurant commented on May 24, 2024

@jaskiratr Could you please describe what address you provided in the loopback?
Also could you provide the request you used to create the consumer?
I am puzzled which service you will consume
Thanks in advance

from kubernetes-ingress-controller.

axelsean avatar axelsean commented on May 24, 2024

Is there a way to do this that does not involve setting the KONG_ADMIN_LISTEN to 0.0.0.0:8001?

Given there's a service (kong-admin above) I would expect kong-admin:8001 to work - but it doesn't seem to

from kubernetes-ingress-controller.
