Hi,
I’m trying out Kong on an existing cluster on GKE, using the all-in-one-dbless yaml: https://github.com/Kong/kubernetes-ingress-controller/blob/main/deploy/single/all-in-one-dbless.yaml
What I’m doing is just route traffic to my internal Services with some Ingress resources, have them rate limited using KongPlugin and make each endpoint ask for a token at the Authorization header with OIDC plugin config with Keycloak (after modifying the base Kong image with ENV KONG_PLUGINS oidc).
Everything is working fine so far. But after scanning through the all-in-one-dbless yaml file, I was wondering is this the most minimal yaml to get Kong up and running? Is there anything that I can shave off?
Firstly, I am seeing 6 CRDs in the yaml file:
- KongClusterPlugin
- KongConsumer
- KongCredential
- KongIngress
- KongPlugin
- TCPIngress
After reading the docs on the github repo, I think I would only make use of KongPlugin and maybe KongIngress, not all of them. I did go and try removing some of the CRDs, but most of the time the ingress-controller fails to start and the logs read that it could not find the CRDs defined.
Is there anyway to maybe remove some of the CRDs and add it when I need it in the future?
Secondly, in the yaml file also defines a ServiceAccount. If I already have a ServiceAccount defined for my cluster, can I just add the necessary apiGroups, reousrces to the existing ServiceAccount and refer it to the Deployment of kong-ingress-controller?
Third one is that the Kong-proxy service is using these 2 annotations:
- service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
-
service.beta.kubernetes.io/aws-load-balancer-type: nlb
Would this have any effect if I’m on GKE? I tried removing it and traffic is still being route correctly with rate limiting enabled.
Lastly, there is a Service, kong-validation-webhook, what purpose does it serve and do I need this for a normal installation?
I did try removing it and everything still runs fine. Is this the yaml file behind it?
I’m not very familiar with admissionregistration.k8s.io/v1beta1 and have a vague understanding that an admission webhook prevents some similar Resources from conflicting with each other (?)
I did my best to look through the docs to see if these are all mandatory but still not sure.
Best regards,
lafonte