Kong Ingress Controller: Kong reload

Hi,
We are using Kong in DB-less mode along with the Kong Ingress Controller. We use custom config templates for both Kong and nginx. To keep the connection secure, we also provide our SSL certificates to the following configuration fields in the respective files:

kong.conf

    ssl_cert = /etc/secret-volume/ssh-publickey
    ssl_cert_key = /etc/secret-volume/ssh-privatekey

nginx.conf

    ssl_certificate /etc/secret-volume/ssh-cluster-publickey;
    ssl_certificate_key /etc/secret-volume/ssh-cluster-privatekey;

We have a use case to upload new certificates while the system is online. If we do a soft reload of Kong using “kong reload”, it loses the routes/services info from the Kong instance until the Kong Ingress Controller container is restarted.

Is there a better approach to do a soft restart so that the new certificates get used?

Thanks for your help!

Regards,
Srinivas

Which server block are you configuring using the ssl_cert and ssl_cert_key nginx directives?

@hbagdi, thanks for the response. This is my server block:

SSL uses customer specified certificate/privatekey

    server {
        server_name _;
        resolver %%DNS_SERVICE_IP%%;

        listen $(proxy_listeners[2].listener);

        if proxy_ssl_enabled then
        ssl_ciphers %%SSL_CIPHERS%%;
        ssl_certificate {{SSL_CERT}};
        ssl_certificate_key {{SSL_CERT_KEY}};
        ssl_protocols TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE-2014-3566)
        end
        include /etc/kong/ssl_common.conf;
    }

You can use * as the SNI and configure the certificate using Kong’s Admin API:

@hbagdi, thanks a lot. Will read it up and explore the same. Can I still use custom nginx templates along with this option?

No. The whole purpose of Kong is to make your configuration dynamic and define as few settings as possible in a static file.

@hbagdi, thanks for the response. Will give it a try.

