How to use KongIngress with HTTPS?

Hi there.
I’m a new user of Kong API Gateway.

[K8s Version]
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.6", GitCommit:"d32e40e20d167e103faf894261614c5b45c44198", GitTreeState:"clean", BuildDate:"2020-05-20T13:16:24Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

[Kong Version]
2.1.1

So, I’ve installed Kong on K8s with this URL


As we can see, the above documents say DB-less mode is recommended with K8s. So, I’ve configured Kong in DB-less mode.

I have 2 questions about Kong configuration.

Q1) Declarative mode is required in DB-less mode with K8s.
But Kong’s declarative configuration format is different from K8s’s general “YAML” file. So, I don’t know how to use Kong’s declarative configuration such as kong.yml. Could you please let me know in detail?

Q2) As far as I understand, a K8s Service matches a Kong Service and an Ingress matches Kong’s routes. So, I’ve configured it like this to use HTTPS for the Service.
The backend pods (containers) are installed in another namespace.
The backend can accept https only. So, I’m trying to connect with the https protocol.
But I can’t see the https protocol on Kong’s Service and can’t connect with the https protocol.
Please let me know how to connect with the https protocol.

[Kong Admin API]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   418  100   418    0     0   290k      0 --:--:-- --:--:-- --:--:--  408k
{
  "next": null,
  "data": [
    {
      "host": "console-np.console-system.80.svc",
      "id": "3926a8f9-c0b8-545f-bcbe-9bafe9f3c348",
      "protocol": "http",
      "read_timeout": 60000,
      "tls_verify_depth": null,
      "port": 80,
      "updated_at": 1597306618,
      "ca_certificates": null,
      "created_at": 1597306618,
      "connect_timeout": 60000,
      "write_timeout": 60000,
      "name": "console-system.console-np.80",
      "retries": 5,
      "path": "/",
      "tls_verify": null,
      "client_certificate": null,
      "tags": null
    }
  ]
}

[Service]

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    konghq.com/override: "console-kong"
    konghq.com/protocols: "https"
  name: kong-proxy
  namespace: kong
spec:
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
    nodePort: 30012
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 30013
  selector:
    app: ingress-kong
  type: NodePort

[DaemonSet]

apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: ingress-kong
  name: ingress-kong
  namespace: kong
spec:
  selector:
    matchLabels:
      app: ingress-kong
  template:
    metadata:
      annotations:
        kuma.io/gateway: enabled
        prometheus.io/port: "8100"
        prometheus.io/scrape: "true"
        traffic.sidecar.istio.io/includeInboundPorts: ""
      labels:
        app: ingress-kong
    spec:
      containers:
      - env:
        - name: KONG_PROXY_LISTEN
          value: 0.0.0.0:8000, 0.0.0.0:8443 http2 ssl
        - name: KONG_ADMIN_LISTEN
          value: 0.0.0.0:8001, 0.0.0.0:8444 http2 ssl
        - name: KONG_STATUS_LISTEN
          value: 0.0.0.0:8100
        - name: KONG_DATABASE
          value: "off"
        - name: KONG_NGINX_WORKER_PROCESSES
          value: "1"
        - name: KONG_ADMIN_ACCESS_LOG
          value: /dev/stdout
        - name: KONG_ADMIN_ERROR_LOG
          value: /dev/stderr
        - name: KONG_PROXY_ERROR_LOG
          value: /dev/stderr

[KongIngress]

apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: console-kong
  namespace: console-system
  annotations:
    konghq.com/protocols: "https"
route:
  https_redirect_status_code: 302
  strip_path: false
  protocols:
  - https
proxy:
  protocols:
  - https
  path: /
  port: 80

[Ingress]

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: console-kong
  namespace: console-system
  annotations:
    kubernetes.io/ingress.class: "kong"
    konghq.com/override: "console-kong"
    konghq.com/protocols: "https"
spec:
  tls:

[Backend Service]
[root@pstest01 kong]# kubectl get svc -n console-system
NAME         TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
console-np   NodePort   10.96.192.212   <none>        80:30003/TCP   35d

Kong’s declarative configuration format is different from K8s’s general “YAML” file. So, I don’t know how to use Kong’s declarative configuration such as kong.yml. Could you please let me know in detail?

The ingress controller container running alongside the Kong proxy/admin API container handles translation between Kubernetes manifests and Kong configuration automatically. Under the hood it’s generating a kong.yml and providing it to Kong.

I can’t see the https protocol on Kong’s Service and can’t connect with the https protocol.
Please let me know how to connect with the https protocol.

You want to use https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/references/annotations.md#konghqcomprotocol on the Kubernetes Service. https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/references/annotations.md#konghqcomprotocols is a similarly-named annotation for Ingress objects. The Service annotation is singular since Kong always uses only HTTP or only HTTPS to communicate with the upstream service, while the Ingress annotation is plural because it can accept multiple protocols. The naming there is unfortunately a bit confusing since they’re similar concepts:

apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: "https"
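
An added example, not part of the thread and not Kong's code: a Python check over data shaped like `kubectl get svc,ingress -A -o json` that reports where the two similarly named annotations sit. The controller builds the Kong Service from the Kubernetes Service an Ingress routes to (the Admin API name console-system.console-np.80 points at console-np), so that is the object that needs konghq.com/protocol. The Ingress backend in the sample is an assumption, since the Ingress in the question is cut off before its rules.

```python
import json

SINGULAR = "konghq.com/protocol"   # Service annotation: protocol Kong speaks to the upstream
PLURAL = "konghq.com/protocols"    # Ingress annotation: protocols Kong accepts from clients

# Constructed sample mirroring the question's objects; the Ingress rule is assumed.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Service", "metadata": {"name": "kong-proxy", "namespace": "kong",
   "annotations": {"konghq.com/protocols": "https"}}},
 {"kind": "Service", "metadata": {"name": "console-np", "namespace": "console-system"}},
 {"kind": "Ingress", "metadata": {"name": "console-kong", "namespace": "console-system",
   "annotations": {"konghq.com/protocols": "https"}},
  "spec": {"rules": [{"http": {"paths": [
    {"path": "/", "backend": {"serviceName": "console-np", "servicePort": 80}}]}}]}}
]}
""")

def audit(objs):
    """Return sorted findings about annotation placement."""
    items = objs["items"]
    key = lambda o: (o["metadata"]["namespace"], o["metadata"]["name"])
    ann = lambda o: o["metadata"].get("annotations") or {}
    # Services that an Ingress actually routes to (extensions/v1beta1 backend shape).
    backends = set()
    for ing in (o for o in items if o["kind"] == "Ingress"):
        for rule in ing["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                backends.add((ing["metadata"]["namespace"], p["backend"]["serviceName"]))
    findings = []
    for o in items:
        name = "/".join(key(o))
        if o["kind"] == "Service":
            if PLURAL in ann(o):
                findings.append(f"{name}: {PLURAL} belongs on an Ingress, not a Service")
            if key(o) in backends and SINGULAR not in ann(o):
                findings.append(f"{name}: Ingress backend has no {SINGULAR}; Kong defaults to http")
            if key(o) not in backends and SINGULAR in ann(o):
                findings.append(f"{name}: {SINGULAR} set, but no Ingress routes to this Service")
        elif o["kind"] == "Ingress" and SINGULAR in ann(o):
            findings.append(f"{name}: {SINGULAR} belongs on a Service, not an Ingress")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample it flags console-np as an un-annotated backend and kong-proxy as carrying the Ingress-side annotation; it reports nothing once konghq.com/protocol sits on console-np.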

Thank you for the answer.
Unfortunately, as a new user I had limitations when I wrote the question, so some information was missing.
I’ve already checked and configured the “konghq.com/protocol” annotation you posted.

apiVersion: v1
kind: Service
metadata:
  labels:
    app: ingress-kong
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    konghq.com/override: "https-only"
    konghq.com/protocol: "https"
  name: kong-proxy
  namespace: kong
spec:
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
    nodePort: 30012
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 30013
  selector:
    app: ingress-kong
  type: NodePort

But I’m facing the same problem.
This is the output of Kong’s proxy when I called the backend service.

upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 192.168.208.77, server: kong, request: "GET / HTTP/2.0", upstream: "http://10.244.127.211:6443/

This is the output of the backend pod’s log.

http: TLS handshake error from 10.244.56.235:46942: tls: first record does not look like a TLS handshake

I think Kong used the “http” protocol, so the backend could not accept it.

So, is this the correct config when I run curl against services? (The protocol is fixed to http.)

{
  "next": null,
  "data": [
    {
      "host": "console-np.hypercloud4-console.80.svc",
      "id": "3fdbebdc-0568-5093-bd0a-c7c6daa76465",
      "protocol": "http",
      "read_timeout": 60000,
      "tls_verify_depth": null,
      "port": 80,
      "updated_at": 1598320762,
      "ca_certificates": null,
      "created_at": 1598320762,
      "connect_timeout": 60000,
      "write_timeout": 60000,
      "name": "hypercloud4-console.console-np.80",
      "retries": 5,
      "path": "/",
      "tls_verify": null,
      "client_certificate": null,
      "tags": null
    }
  ]
}

Please let me know if I’m wrong… I want to resolve it…
Thank you!

Any change if you remove the konghq.com/override annotation? If you check the controller logs, does it indicate the configuration is syncing correctly?

Not sure if override will interfere with that, since it has some overlap with the other annotations. It looks like you were attempting to use it for the same purpose, so it should be okay to go ahead and remove it.

Minor note, but if you can use code blocks (see the example at the bottom of https://commonmark.org/help/) and below for manifests, admin API output, and the like, they’ll be easier for us to read, as the forum messes up their formatting otherwise.

Thank you for the answer.
I’ve removed the “konghq.com/override” annotation you mentioned.
But the same problem is occurring.

BTW, even though I changed the settings, it doesn’t seem to sync.
This is the output of the ingress controller logs after removing the annotation and applying the “YAML”.

"no configuration change, skipping sync to Kong"
I don’t understand it…

I have one more question…
The doc indicates that I need to add the “konghq.com/override” annotation if I use KongIngress for HTTPS redirection.
https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/configuring-https-redirect.md

Please let me know if something is wrong…