How to configure Kong Ingress Controller helm chart so that it generates TLS certificates using cert-manager?

Hi,

I’m evaluating Kong and want to install Kong Enterprise in Free mode + Kong Ingress Controller using the kong helm chart. I already managed to set up Kong without the Kong Ingress Controller before (using NGINX for that), but now I want to switch to the Kong Ingress Controller.

My goal would be the following:

  • all services in my k8s do not have a public IP and no ingress set “hardcoded” in their deployment
  • Internal communication to the services can be in http, so TLS can be terminated at ingress-level
  • I configure routes using the Kong Manager UI, and for those routes, Kong generates Let’s Encrypt certificates automatically using cert-manager.
  • (For those services that do explicitly have an ingress set in the YAML deployment, Kong Ingress Controller should configure a service and gateway for those and also generate certificates.)
  • Get it working with multiple subdomains and route to different APIs depending on the subdomain.

If I read the docs correctly, the setting proxy.ingress should be set to false since I use Kong Ingress Controller. I was then able to access my APIs without a valid certificate:

ingressController:
  enabled: true

proxy:
  enabled: true
  type: LoadBalancer
  loadBalancerIP: '${public_ip}'
  ingress:
    enabled: false

I then tried setting certificates.enabled to true and expected Kong to generate valid SSL certificates. However, this doesn’t work. I also tried setting certificates.proxy.enabled to true, but then my deployment does not even start anymore: the pod kong-pre-upgrade-migrations is stuck in ContainerCreating because secret "kong-proxy-cert" not found is logged. If I were to create the secret for the cert manually beforehand, the cert data would already be needed. How should the workflow of creating certificates be? Does certificates.proxy.enabled need to be true for my setup?

certificates:
  enabled: true
  clusterIssuer: letsencrypt-production
  proxy:
    enabled: true
    commonName: '${fqdn}'
    dnsNames:
      - '${fqdn}'
      - '*.${fqdn}'
  admin:
    enabled: false
  portal:
    enabled: false
  cluster:
    enabled: false

Below is my current setup, using Terraform to deploy the Helm chart. It works in principle, but since I have proxy.ingress set to true (which is wrong per the docs) and the TLS hosts hardcoded, I think Kong will not generate certificates automatically for routes matching other hostnames. I think that is not really the point of using KIC+Gateway this way:

image:
  repository: kong/kong-gateway
  tag: '3.3'

env:
  database: postgres
  pg_host: ...
  pg_port: ...
  pg_user: ...
  pg_password: ...
  pg_database: ...
admin:
  enabled: true
  http:
    enabled: true
    servicePort: 8001
    containerPort: 8001

enterprise:
  enabled: true
  vitals:
    enabled: false

manager:
  # Enable creating a Kubernetes service for Kong Manager
  enabled: true
  http:
    # Enable plaintext HTTP listen for Kong Manager
    enabled: true
    servicePort: 8002
    containerPort: 8002

postgresql:
  enabled: false

ingressController:
  enabled: true

proxy:
  enabled: true
  type: LoadBalancer
  loadBalancerIP: '${public_ip}'
  ingress:
    enabled: true
    hostname: '${fqdn}'
    annotations:
      ingress.kubernetes.io/rewrite-target: /
      kubernetes.io/ingress.class: kong
      cert-manager.io/cluster-issuer: letsencrypt-production
    path: /
    tls:
      - secretName: '${fqdn}'
        hosts:
          - '${fqdn}'

My cert-manager is installed like this (Terraform):

module "cert-manager" {
  source = "terraform-iaac/cert-manager/kubernetes"

  namespace_name                         = "cert-manager"
  create_namespace                       = true
  cluster_issuer_server                  = "https://acme-v02.api.letsencrypt.org/directory"
  cluster_issuer_email                   = "email.address@example.com"
  cluster_issuer_name                    = "letsencrypt-production"
  cluster_issuer_private_key_secret_name = "issuer-letsencrypt-production"
  solvers = [
    {
      http01 = {
        ingress = {
          class = "kong"
        }
      }
    }
  ]
}

Is there any example of how to use the Kong Helm chart for Kong + Kong Ingress Controller + cert-manager/Let’s Encrypt? I’d appreciate any help, thanks a lot!
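As an added example (not part of the original post, and not from the Kong or cert-manager projects), this is the per-service Ingress shape that the post's own proxy.ingress block already uses, applied to two subdomains so cert-manager issues one certificate through Kong Ingress Controller and Kong routes each host to a different backend. The hostnames, Service names and namespace are placeholders; the ClusterIssuer name is the one from the post.

```yaml
# Added example: one Ingress, two subdomains, TLS terminated at Kong.
# cert-manager's ingress-shim watches the cert-manager.io/cluster-issuer
# annotation, creates a Certificate for the hosts listed under spec.tls,
# and writes the signed chain into the referenced Secret. Kong serves
# that Secret for the matching SNI, so the Secret must not exist up front.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-apis                  # placeholder
  namespace: default                 # placeholder
  annotations:
    kubernetes.io/ingress.class: kong
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  tls:
    - hosts:
        - api-a.example.com          # placeholder hostnames
        - api-b.example.com
      secretName: public-apis-tls    # created and renewed by cert-manager
  rules:
    # Route by subdomain: each host goes to its own in-cluster Service.
    # Backends stay plain HTTP; only the Kong proxy listener is TLS.
    - host: api-a.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-a          # placeholder Service
                port:
                  number: 80
    - host: api-b.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-b          # placeholder Service
                port:
                  number: 80
# The http01 solver with class "kong" (as in the post's cert-manager module)
# answers the ACME challenge through a temporary Ingress on the same class,
# so the Kong proxy must be reachable from the internet on port 80 for
# /.well-known/acme-challenge/ while the order is pending.
```

Issuance progress is visible with `kubectl describe certificate public-apis-tls -n default` (Ready=True once the Secret is populated) and, while pending, in the matching `order` and `challenge` resources.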