Install Kong Gateway in Konnect with Helm

Uses: Kong Gateway

Deployment Platform

konnect

on-prem

Konnect setup

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Set the personal access token as an environment variable:
```
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
```
Copied!

Helm setup

helm repo add kong https://charts.konghq.com
helm repo update

Copied!

Create certificates

Create a certificate and key:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout ./tls.key -out ./tls.crt -days 1095 -subj "/CN=kong_clustering"

Copied!

Create a Secret containing the certificate:

kubectl create namespace kong
kubectl create secret tls kong-cluster-cert --cert=./tls.crt --key=./tls.key -n kong

Copied!

Create a Control Plane

Konnect allows you to create a Control Plane in a single API request.

Create a Control Plane and capture the details for later:

CONTROL_PLANE_DETAILS=$( curl -X POST "https://us.api.konghq.com/v2/control-planes" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "demo-control-plane"
     }')

Copied!

Upload the certificates to this Control Plane:

CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);

Copied!

 curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "cert": "'$CERT'"
     }'

Copied!

Deploy a Data Plane

Export the Control Plane ID and telemetry endpoint for later:

CONTROL_PLANE_ENDPOINT=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.control_plane_endpoint | sub("https://";"")')
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')

Copied!

Create a values-dp.yaml file with the following content:

echo '
ingressController:
 enabled: false
  
image:
 repository: kong/kong-gateway
 tag: ""
  
# Mount the secret created earlier
secretVolumes:
 - kong-cluster-cert
  
env:
  # data_plane nodes do not have a database
  role: data_plane
  database: "off"
  konnect_mode: 'on'
  vitals: "off"
  cluster_mtls: pki

  cluster_control_plane: "'$CONTROL_PLANE_ENDPOINT'"
  cluster_telemetry_endpoint: "'$CONTROL_PLANE_ENDPOINT':443"
  cluster_telemetry_server_name: "'$CONTROL_PLANE_ENDPOINT'"
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key

  lua_ssl_trusted_certificate: system
  proxy_access_log: "off"
  dns_stale_ttl: "3600"
resources:
  requests:
    cpu: 1
    memory: "2Gi"
secretVolumes:
  - kong-cluster-cert
  
# The data plane handles proxy traffic only
proxy:
 enabled: true
  
admin:
 enabled: false
  
manager:
 enabled: false
' > values-dp.yaml

Copied!

Deploy the Data Plane using the values-dp.yaml:

helm install kong kong/kong --values ./values-dp.yaml -n kong --create-namespace

Copied!

FAQs

Can I install Kong Gateway via Helm without cluster permissions?

Yes. Using the kong chart, set ingressController.rbac.enableClusterRoles to false.

Warning: Some resources require a ClusterRole for reconciliation because the controllers need to watch cluster scoped resources. Disabling ClusterRoles causes them fail, so you need to disable the controllers when setting it to false. These resources include:

All Gateway API resources

IngressClass

KNative/Ingress (KIC 2.x only)

KongClusterPlugin

KongVault, KongLicense (KIC 3.1 and above)

Next Steps

Rate limit a Gateway Service

Enable key authentication on a Gateway Service

Install Kong Gateway in Konnect with Helm

Konnect setup

Helm setup

Create certificates

Create a Control Plane

Deploy a Data Plane

FAQs

Next Steps

Help us make these docs great!

Still need help