We currently have an architecture that results in X number of Kubernetes clusters that have the same applications deployed for resilience. We are using Kong as our ingress controller in both of these clusters without any issues. It is also important to note that currently we have two separate databases for each Kong/cluster combination. My question comes from us wanting to use Kong to also handle our authentication layer; currently our application handles that. However, if we were to move the authentication layer into Kong (we use the ingress controller deployment method) then we would have to make sure that the consumer is replicated per cluster.
Is it possible to / Do you see any issues with using the same database for both Kong instances and insert consumers into the database instead of using the KongConsumer CRD?
If not, then what would the best practice be for accomplishing the above? Do we just need to make sure every cluster is in sync with the consumer object by making the call for every cluster when adding consumers?
Is it possible to / Do you see any issues with using the same database for both Kong instances and insert consumers into the database instead of using the KongConsumer CRD?
Kong Ingress Controller configures Kong’s database, meaning if any entity is manually created in Kong (such as a consumer), and if the corresponding KongConsumer CRD doesn’t exist, the Ingress Controller will delete it. Please do not manually create any entities in Kong. If you’re using Kong Enterprise, you do not have this limitation. Having said that, what you’re trying to do is a very common use case and we are already working on adding support for this.
Sharing a database across two Ingress controllers in two separate k8s clusters means you’re effectively increasing your blast radius and it will defeat the purpose of having multiple k8s clusters, since if one cluster with a DB goes down, all remaining ones will be affected as well.
If not, then what would the best practice be for accomplishing the above? Do we just need to make sure every cluster is in sync with the consumer object by making the call for every cluster when adding consumers?
As of today, yes. You will have to make API calls for every cluster when adding a consumer. An alternative solution here will be to have a controller running in every k8s cluster, which pulls the KongConsumer CRD from an active cluster and creates those in its k8s cluster. This will introduce some latency in how consumers are created but will be much simpler to debug.
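The reconcile step of the per-cluster controller suggested in the reply above, as an added example (not code from the thread or from the Kong project). It only computes a plan from two lists shaped like the items of `kubectl get kongconsumers -o json` and makes no API calls. Assumptions: the `example.com/synced-from` label is hypothetical, and `credentials` is taken to be the list of Secret names on the KongConsumer resource.

```python
# Added example: plan a one-way KongConsumer sync between clusters (no API calls).
SYNC_LABEL = "example.com/synced-from"      # hypothetical ownership label
CLASS_ANNOTATION = "kubernetes.io/ingress.class"
SPEC_FIELDS = ("username", "custom_id", "credentials")


def _key(obj):
    return (obj["metadata"].get("namespace", "default"), obj["metadata"]["name"])


def _portable(obj, source_name):
    """Copy a KongConsumer, dropping uid/resourceVersion and other cluster-local metadata."""
    meta = obj["metadata"]
    annotations = {k: v for k, v in meta.get("annotations", {}).items() if k == CLASS_ANNOTATION}
    out = {
        "apiVersion": obj["apiVersion"],
        "kind": obj["kind"],
        "metadata": {"name": meta["name"], "namespace": _key(obj)[0],
                     "annotations": annotations,
                     "labels": {**meta.get("labels", {}), SYNC_LABEL: source_name}},
    }
    out.update({f: obj[f] for f in SPEC_FIELDS if f in obj})
    return out


def plan_sync(source_items, target_items, source_name):
    """Return the actions that make the target cluster match the source cluster."""
    target = {_key(o): o for o in target_items}
    plan = {"create": [], "update": [], "delete": [], "secrets_needed": set()}
    for obj in source_items:
        want = _portable(obj, source_name)
        # Each credential is a Secret name; the Secret must exist in the target too.
        plan["secrets_needed"].update((_key(obj)[0], s) for s in want.get("credentials", []))
        have = target.pop(_key(obj), None)
        if have is None:
            plan["create"].append(want)
        elif any(have.get(f) != want.get(f) for f in SPEC_FIELDS):
            plan["update"].append(want)
    # What is left in `target` no longer exists at the source. Delete only objects
    # this job created, so a consumer removed upstream loses access everywhere
    # while consumers defined locally are left alone.
    for key, obj in target.items():
        if obj["metadata"].get("labels", {}).get(SYNC_LABEL) == source_name:
            plan["delete"].append(key)
    return plan


if __name__ == "__main__":
    # Constructed sample object, shaped like a `kubectl get kongconsumers -o json` item.
    src = [{"apiVersion": "configuration.konghq.com/v1", "kind": "KongConsumer",
            "metadata": {"name": "alice", "namespace": "default", "uid": "constructed-uid"},
            "username": "alice", "credentials": ["alice-key"]}]
    print(plan_sync(src, [], "cluster-a"))
```

The `delete` list matters for authentication: without it, a consumer revoked in the active cluster would keep working in every replica until someone removed it by hand.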