Kong Manager on Kubernetes: Access admin API as a Cluster IP Service

I’m using Kong Enterprise on Kubernetes and trying to set up Kong Manager using the Kubernetes Ingress Controller. The only way I have been able to get Kong Manager to successfully connect to the Admin API is by either setting up the Admin API service as a load balancer with an external IP or exposing it through ingress. However, I’d prefer to not expose the Admin API service publicly. I’ve tried setting up basic auth on the admin API but that does not work. Is there a way I could connect to the Admin API using the cluster IP? Setting up the service as a cluster IP service and setting KONG_ADMIN_API_URI to the cluster IP or service host name does not work:

- name: KONG_ADMIN_API_URI
  value: "http://kong-admin-api:8001"

You can create a ClusterIP Service, but I’m not sure it’d be that useful, since your client is presumably outside the cluster. That’d be more to provide a means for other Pods to interact with the admin API.

The closest equivalent for an outside-cluster client is to use kubectl port-forward to tunnel from your machine into the container network. Accessing the GUI and admin API using a port forward should work fine–it’s a bit clunky, but will do in a pinch.

With full Enterprise, RBAC is the recommended option. The service will be public, but will require authentication.

With free mode, you’d want one of the non-RBAC options. For the option where you connect through the proxy, configuring a shared session plugin for both the GUI and API should work well. Exposing the API via a path (note that you need to set admin_gui_url and admin_api_uri), e.g. the GUI at example.com/ and the API at example.com/api should work best, since it avoids needing to deal with cookie domains and cross-origin concerns.
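The port-forward approach from the answer above, sketched as an added example (not part of the original thread and not Kong's own manifests). Kong Manager runs in the browser, so KONG_ADMIN_API_URI has to be an address the browser can reach, which is why a cluster-internal host name fails. The namespace, the `app: kong` selector, the `kong-manager` Service name and GUI port 8002 are assumptions.

```yaml
# Constructed example. Namespace "kong", label "app: kong", the Service name
# "kong-manager" and GUI port 8002 are assumptions; adjust to your install.
apiVersion: v1
kind: Service
metadata:
  name: kong-admin-api
  namespace: kong
spec:
  type: ClusterIP          # instead of LoadBalancer: no external IP is allocated
  selector:
    app: kong
  ports:
    - name: admin
      port: 8001
      targetPort: 8001
---
apiVersion: v1
kind: Service
metadata:
  name: kong-manager
  namespace: kong
spec:
  type: ClusterIP
  selector:
    app: kong
  ports:
    - name: manager
      port: 8002
      targetPort: 8002
---
# Fragment of the Kong container spec in the Deployment (not a full object).
# Both values are addresses as seen from the operator's browser, which
# reaches the Services through the local tunnels listed below.
env:
  - name: KONG_ADMIN_API_URI
    value: "http://localhost:8001"
  - name: KONG_ADMIN_GUI_URL
    value: "http://localhost:8002"

# On the operator's machine, one tunnel per Service:
#   kubectl -n kong port-forward svc/kong-admin-api 8001:8001
#   kubectl -n kong port-forward svc/kong-manager   8002:8002
# Then open http://localhost:8002 in the browser.
```

Access to the Admin API is then limited to users who hold Kubernetes credentials with permission to port-forward in that namespace.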

Thanks for the help! I’ll give this a shot.