Install Kong Gateway in Konnect with Helm

Uses: Kong Gateway
TL;DR

Create a Control Plane in Konnect, populate a values.yaml file with the Control Plane details, and run helm install kong kong/kong --values ./values.yaml -n kong --create-namespace.

Konnect setup

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'
    

Helm setup

helm repo add kong https://charts.konghq.com
helm repo update

Create certificates

Create a certificate and key:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout ./tls.key -out ./tls.crt -days 1095 -subj "/CN=kong_clustering"

Create a Secret containing the certificate:

kubectl create namespace kong
kubectl create secret tls kong-cluster-cert --cert=./tls.crt --key=./tls.key -n kong

Create a Control Plane

Konnect allows you to create a Control Plane in a single API request.

Create a Control Plane and capture the details for later:

CONTROL_PLANE_DETAILS=$( curl -X POST "https://us.api.konghq.com/v2/control-planes" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "demo-control-plane"
     }')

Upload the certificates to this Control Plane:

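CONTROL_PLANE_ID=$(echo "$CONTROL_PLANE_DETAILS" | jq -r .id)
# Flatten the PEM file into one line with literal \n sequences so it is a valid JSON string
CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt)
# "$CERT" is double-quoted so the space in the PEM header is not word-split by the shell
curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "cert": "'"$CERT"'"
     }'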

Deploy a Data Plane

Export the Control Plane endpoint and telemetry endpoint for later:

CONTROL_PLANE_ENDPOINT=$(echo "$CONTROL_PLANE_DETAILS" | jq -r '.config.control_plane_endpoint | sub("https://";"")')
CONTROL_PLANE_TELEMETRY=$(echo "$CONTROL_PLANE_DETAILS" | jq -r '.config.telemetry_endpoint | sub("https://";"")')
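
If the Konnect API request failed (for example because the token was rejected), jq -r prints null for the missing fields and that string would be written into the Helm values and the certificate upload. The following pre-flight check is an added example, not part of the Kong documentation; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before values-dp.yaml is written.
# Function names are hypothetical and not part of Kong's tooling.

# Same awk as the upload step: PEM file -> one line with literal \n sequences.
escape_pem() {
  awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' "$1"
}

# After the jq sub() step an endpoint must be a bare hostname: no scheme,
# path or port, and not the "null" that jq -r prints for a missing field.
valid_endpoint() {
  case "$1" in
    ""|null|*://*|*/*|*:*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# The escaped certificate must contain no real newline and keep both PEM markers.
valid_escaped_cert() {
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
  case "$1" in
    "-----BEGIN CERTIFICATE-----\\n"*"-----END CERTIFICATE-----\\n") return 0 ;;
  esac
  return 1
}

# usage: preflight "$CONTROL_PLANE_ID" "$CONTROL_PLANE_ENDPOINT" \
#                  "$CONTROL_PLANE_TELEMETRY" "$CERT"
preflight() {
  rc=0
  case "$1" in
    ""|null) echo "CONTROL_PLANE_ID is empty or null" >&2; rc=1 ;;
  esac
  valid_endpoint "$2" || { echo "bad control plane endpoint: $2" >&2; rc=1; }
  valid_endpoint "$3" || { echo "bad telemetry endpoint: $3" >&2; rc=1; }
  valid_escaped_cert "$4" || { echo "cert is not a one-line escaped PEM" >&2; rc=1; }
  return "$rc"
}
```

Call preflight with the four variables after this step and continue only if it returns 0.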

Create a values-dp.yaml file with the following content:

echo '
ingressController:
  enabled: false

image:
  repository: kong/kong-gateway
  tag: ""

# Mount the secret created earlier
secretVolumes:
  - kong-cluster-cert

env:
  # data_plane nodes do not have a database
  role: data_plane
  database: "off"
  konnect_mode: "on"
  vitals: "off"
  cluster_mtls: pki

  # Endpoints captured from the Control Plane response, in host:port form
  cluster_control_plane: "'$CONTROL_PLANE_ENDPOINT':443"
  cluster_telemetry_endpoint: "'$CONTROL_PLANE_TELEMETRY':443"
  cluster_telemetry_server_name: "'$CONTROL_PLANE_TELEMETRY'"
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key

  lua_ssl_trusted_certificate: system
  proxy_access_log: "off"
  dns_stale_ttl: "3600"

resources:
  requests:
    cpu: 1
    memory: "2Gi"

# The data plane handles proxy traffic only
proxy:
  enabled: true

admin:
  enabled: false

manager:
  enabled: false
' > values-dp.yaml

Deploy the Data Plane using the values-dp.yaml:

helm install kong kong/kong --values ./values-dp.yaml -n kong --create-namespace

FAQs

Yes. Using the kong chart, set ingressController.rbac.enableClusterRoles to false.

Warning: Some resources require a ClusterRole for reconciliation because the controllers need to watch cluster-scoped resources. Disabling ClusterRoles causes them to fail, so you need to disable the controllers when setting it to false. These resources include:

  • All Gateway API resources
  • IngressClass
  • KNative/Ingress (KIC 2.x only)
  • KongClusterPlugin
  • KongVault, KongLicense (KIC 3.1 and above)