I have the following paths:
/ - unauthenticated
/_healthcheck - unauthenticated
/.* - authenticated
Unfortunately I can’t seem to make Kong work with this. I’ve tried 2 Ingress
resources, but they seem to compete. I’ve tried the following configurations:
new k8s.networking.v1beta1.Ingress(`${config.projectName}-unauthenticated`, {
  metadata: {
    namespace: namespace.metadata.name,
    annotations: {
      'kubernetes.io/tls-acme': 'true',
      'cert-manager.io/cluster-issuer': 'letsencrypt-http01',
      'acme.cert-manager.io/http01-ingress-class': 'kong-external',
      'kubernetes.io/ingress.class': 'kong-internal',
      'configuration.konghq.com': 'https-only'
    }
  },
  spec: {
    tls: [
      {
        secretName: `${config.projectName}-certificate`,
        hosts: [config.app.hostname]
      }
    ],
    rules: [
      {
        http: {
          paths: [
            {
              path: '/',
              backend: {
                serviceName: service.metadata.name,
                servicePort: service.spec.ports[0].port
              }
            }
          ]
        }
      }
    ]
  }
});

new k8s.networking.v1beta1.Ingress(`${config.projectName}-authenticated`, {
  metadata: {
    namespace: namespace.metadata.name,
    annotations: {
      'kubernetes.io/tls-acme': 'true',
      'cert-manager.io/cluster-issuer': 'letsencrypt-http01',
      'acme.cert-manager.io/http01-ingress-class': 'kong-external',
      'kubernetes.io/ingress.class': 'kong-internal',
      'configuration.konghq.com': 'https-only',
      'plugins.konghq.com': 'auth'
    }
  },
  spec: {
    tls: [
      {
        secretName: `${config.projectName}-certificate`,
        hosts: [config.app.hostname]
      }
    ],
    rules: [
      {
        http: {
          paths: [
            {
              path: '/',
              backend: {
                serviceName: service.metadata.name,
                servicePort: service.spec.ports[0].port
              }
            }
          ]
        }
      }
    ]
  }
});

new k8s.networking.v1beta1.Ingress(`${config.projectName}-unauthenticated`, {
  metadata: {
    namespace: namespace.metadata.name,
    annotations: {
      'kubernetes.io/tls-acme': 'true',
      'cert-manager.io/cluster-issuer': 'letsencrypt-http01',
      'acme.cert-manager.io/http01-ingress-class': 'kong-external',
      'kubernetes.io/ingress.class': 'kong-internal',
      'configuration.konghq.com': 'https-only'
    }
  },
  spec: {
    tls: [
      {
        secretName: `${config.projectName}-certificate`,
        hosts: [config.app.hostname]
      }
    ],
    rules: [
      {
        http: {
          paths: [
            {
              path: '/',
              backend: {
                serviceName: service.metadata.name,
                servicePort: service.spec.ports[0].port
              }
            },
            {
              path: '/_healthcheck',
              backend: {
                serviceName: service.metadata.name,
                servicePort: service.spec.ports[0].port
              }
            }
          ]
        }
      }
    ]
  }
});

new k8s.networking.v1beta1.Ingress(`${config.projectName}-authenticated`, {
  metadata: {
    namespace: namespace.metadata.name,
    annotations: {
      'kubernetes.io/tls-acme': 'true',
      'cert-manager.io/cluster-issuer': 'letsencrypt-http01',
      'acme.cert-manager.io/http01-ingress-class': 'kong-external',
      'kubernetes.io/ingress.class': 'kong-internal',
      'configuration.konghq.com': 'https-only',
      'plugins.konghq.com': 'auth'
    }
  },
  spec: {
    tls: [
      {
        secretName: `${config.projectName}-certificate`,
        hosts: [config.app.hostname]
      }
    ],
    rules: [
      {
        http: {
          paths: [
            {
              path: '/',
              backend: {
                serviceName: service.metadata.name,
                servicePort: service.spec.ports[0].port
              }
            }
          ]
        }
      }
    ]
  }
});

and a few more, but nothing seems to work.
I’ve only seen the ability to apply plugins via annotations (referencing a KongPlugin), but not vice versa. Ideally annotations would not be used at all, and instead Kong would read all resources of its CRDs. I’m actually not quite sure why it doesn’t work this way, as I think it would simplify configuration a ton.
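
An added example, not part of the original post and not Kong's code: a small audit that checks a route table against the intended policy, so a path that must be authenticated is never served by the unauthenticated Ingress. It assumes a simplified matching model (regex paths before prefix paths, longer paths before shorter ones); the `anchored` table, the `/account` and `/_healthcheckz` probes, and all helper names are hypothetical.

```typescript
// Simplified model of Kong path matching (an assumption, not Kong's code):
// regex paths beat prefix paths, and a longer path beats a shorter one.
type Route = { ingress: string; path: string; regex: boolean; auth: boolean };
type Probe = { path: string; auth: boolean };

const byPriority = (a: Route, b: Route): number =>
  a.regex !== b.regex ? (a.regex ? -1 : 1) : b.path.length - a.path.length;

const matches = (r: Route, p: string): boolean =>
  r.regex ? new RegExp('^' + r.path).test(p) : p.indexOf(r.path) === 0;

// Lists every probe whose outcome is ambiguous or differs from the policy.
function audit(routes: Route[], policy: Probe[]): string[] {
  const findings: string[] = [];
  for (const probe of policy) {
    const hits = routes.filter(r => matches(r, probe.path)).sort(byPriority);
    const [best] = hits;
    if (!best) { findings.push(`${probe.path}: no route`); continue; }
    // A route that ties with the best match but disagrees on auth "competes".
    const [rival] = hits.filter(r => byPriority(r, best) === 0 && r.auth !== best.auth);
    if (rival) {
      findings.push(`${probe.path}: ${best.ingress} and ${rival.ingress} tie`);
    } else if (best.auth !== probe.auth) {
      findings.push(`${probe.path}: auth=${best.auth}, wanted ${probe.auth}`);
    }
  }
  return findings;
}

// The post's path classes; /account and /_healthcheckz are constructed probes.
const policy: Probe[] = [
  { path: '/', auth: false }, { path: '/_healthcheck', auth: false },
  { path: '/account', auth: true }, { path: '/_healthcheckz', auth: true },
];
const un = (path: string, regex = false): Route =>
  ({ ingress: 'unauthenticated', path, regex, auth: false });
const au = (path: string, regex = false): Route =>
  ({ ingress: 'authenticated', path, regex, auth: true });

const attempt1 = [un('/'), au('/')];                      // first configuration in the post
const attempt2 = [un('/'), un('/_healthcheck'), au('/')]; // second configuration in the post
// Hypothetical alternative: anchored regex paths for the two open endpoints.
const anchored = [un('/$', true), un('/_healthcheck$', true), au('/')];
```

Under this model both posted configurations leave `/account` tied between the two Ingresses, and the second also serves `/_healthcheckz` without the plugin because `/_healthcheck` is a prefix; `audit(anchored, policy)` returns no findings.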