Minimal Kong deployment on GKE

lafonte · August 13, 2020, 3:22pm

Hi,
I’m trying out Kong on an existing cluster on GKE, using the all-in-one-dbless yaml: https://github.com/Kong/kubernetes-ingress-controller/blob/main/deploy/single/all-in-one-dbless.yaml

What I’m doing is just route traffic to my internal Services with some Ingress resources, have them rate limited using KongPlugin and make each endpoint ask for a token at the Authorization header with OIDC plugin config with Keycloak (after modifying the base Kong image with ENV KONG_PLUGINS oidc).

Everything is working fine so far. But after scanning through the all-in-one-dbless yaml file, I was wondering is this the most minimal yaml to get Kong up and running? Is there anything that I can shave off?

Firstly, I am seeing 6 CRDs in the yaml file:

KongClusterPlugin
KongConsumer
KongCredential
KongIngress
KongPlugin
TCPIngress
After reading the docs on the github repo, I think I would only make use of KongPlugin and maybe KongIngress, not all of them. I did go and try removing some of the CRDs, but most of the time the ingress-controller fails to start and the logs read that it could not find the CRDs defined.
Is there anyway to maybe remove some of the CRDs and add it when I need it in the future?

Secondly, in the yaml file also defines a ServiceAccount. If I already have a ServiceAccount defined for my cluster, can I just add the necessary apiGroups, reousrces to the existing ServiceAccount and refer it to the Deployment of kong-ingress-controller?

Third one is that the Kong-proxy service is using these 2 annotations:

service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-type: nlb
Would this have any effect if I’m on GKE? I tried removing it and traffic is still being route correctly with rate limiting enabled.

Lastly, there is a Service, kong-validation-webhook, what purpose does it serve and do I need this for a normal installation?
I did try removing it and everything still runs fine. Is this the yaml file behind it?
I’m not very familiar with admissionregistration.k8s.io/v1beta1 and have a vague understanding that an admission webhook prevents some similar Resources from conflicting with each other (?)

I did my best to look through the docs to see if these are all mandatory but still not sure.

Best regards,
lafonte

hbagdi · August 14, 2020, 7:53pm

Not yet. The controller requires all the CRDs as of now. This is something we would like to change in future. A Github issue for this feature request would be helpful.

Yes.

No. You can safely remove those.

This:

github.com

Kong/kubernetes-ingress-controller/blob/main/docs/deployment/admission-webhook.md

# Validating Admission Controller

Kong Ingress Controller ships with an Admission Controller for KongPlugin
and KongConsumer resources in the `configuration.konghq.com` API group.

The Admission Controller needs a TLS certificate and key pair which
you need to generate as part of the deployment.

Following guide walks through a setup of how to create the required key-pair
and enable the admission controller.

Please note that this requires Kong Ingress Controller >= 0.6 to be
already installed in the cluster.

## tldr;

If you are using the stock YAML manifests to install and setup Kong for
Kubernetes, then you can setup the admission webhook using a single command:

```bash

This file has been truncated. show original

lafonte · August 15, 2020, 1:21pm

Thanks for the quick response, @hbagdi, it helped me clear things up.