Install Kong Gateway in Konnect with Helm
Create a Control Plane in Konnect, populate a values.yaml file with the Control Plane details, and run helm install kong kong/kong --values ./values.yaml -n kong --create-namespace.
Konnect setup
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Helm setup
helm repo add kong https://charts.konghq.com
helm repo update
Create certificates
Create a certificate and key:
openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout ./tls.key -out ./tls.crt -days 1095 -subj "/CN=kong_clustering"
Create a Secret containing the certificate:
kubectl create namespace kong
kubectl create secret tls kong-cluster-cert --cert=./tls.crt --key=./tls.key -n kong
Create a Control Plane
Konnect allows you to create a Control Plane in a single API request.
Create a Control Plane and capture the details for later:
CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
  --no-progress-meter --fail-with-body \
  -H "Authorization: Bearer $KONNECT_TOKEN" \
  --json '{
    "name": "demo-control-plane"
  }'
)
Upload the certificates to this Control Plane:
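CONTROL_PLANE_ID=$(echo "$CONTROL_PLANE_DETAILS" | jq -r .id)
# Drop blank lines and carriage returns, and join the PEM lines with a literal \n for JSON
CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt)
# "$CERT" is double-quoted so the space in "BEGIN CERTIFICATE" does not split the argument
curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
  --no-progress-meter --fail-with-body \
  -H "Authorization: Bearer $KONNECT_TOKEN" \
  --json '{
    "cert": "'"$CERT"'"
  }'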
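The upload step above splices the contents of tls.crt into a JSON string, while tls.key sits in the same directory, so it is worth checking that the file holds exactly one certificate, no key material, and nothing that needs JSON escaping before it is sent. A pre-flight helper for that, as an added example that is not part of Kong's documentation or tooling (the function name pem_cert_json and its return codes are this example's own):

```bash
# Added example (not Kong tooling): build the dp-client-certificates request
# body from a PEM file. pem_cert_json and its return codes are this example's own.
pem_cert_json() {
  local file=$1 begins ends
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

  # Only the public certificate is uploaded; refuse a file that carries key
  # material (for example tls.key, or a combined cert+key PEM).
  if grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$file"; then
    echo "refusing: $file contains a private key" >&2
    return 3
  fi

  # The page uploads one certificate per request, so expect exactly one block.
  begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -- '^-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
    echo "refusing: expected exactly one CERTIFICATE block in $file" >&2
    return 4
  fi

  # Same transformation as the awk one-liner above (drop CRs and blank lines,
  # join with a literal \n), but every remaining line must be a PEM boundary
  # or plain base64, so nothing in the output can break out of the JSON string.
  awk '
    { sub(/\r$/, "") }
    !NF { next }
    /^-----(BEGIN|END) CERTIFICATE-----$/ { out = out $0 "\\n"; next }
    $0 ~ "^[A-Za-z0-9+/=]+$" { out = out $0 "\\n"; next }
    { bad = 1; exit }
    END {
      if (bad) exit 5
      printf "{\"cert\":\"%s\"}\n", out
    }
  ' "$file"
}

# Usage: the body goes to curl on stdin, so it is never word-split by the shell:
#   pem_cert_json tls.crt | curl -X POST "<dp-client-certificates URL>" \
#     --no-progress-meter --fail-with-body \
#     -H "Authorization: Bearer $KONNECT_TOKEN" --json @-
```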
Deploy a Data Plane
Export the Control Plane endpoint and telemetry endpoint for later:
CONTROL_PLANE_ENDPOINT=$(echo "$CONTROL_PLANE_DETAILS" | jq -r '.config.control_plane_endpoint | sub("https://";"")')
CONTROL_PLANE_TELEMETRY=$(echo "$CONTROL_PLANE_DETAILS" | jq -r '.config.telemetry_endpoint | sub("https://";"")')
Create a values-dp.yaml file with the following content:
echo '
ingressController:
  enabled: false

image:
  repository: kong/kong-gateway
  # Set this to the Kong Gateway version to deploy
  tag: ""

# Mount the secret created earlier
secretVolumes:
  - kong-cluster-cert

env:
  # data_plane nodes do not have a database
  role: data_plane
  database: "off"
  # Double-quoted so the value stays the string "on" inside this single-quoted echo
  konnect_mode: "on"
  vitals: "off"
  cluster_mtls: pki
  # Control Plane endpoint in host:port form
  cluster_control_plane: "'$CONTROL_PLANE_ENDPOINT':443"
  # Telemetry uses the telemetry endpoint exported above
  cluster_telemetry_endpoint: "'$CONTROL_PLANE_TELEMETRY':443"
  cluster_telemetry_server_name: "'$CONTROL_PLANE_TELEMETRY'"
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
  lua_ssl_trusted_certificate: system
  proxy_access_log: "off"
  dns_stale_ttl: "3600"

resources:
  requests:
    cpu: 1
    memory: "2Gi"

# The data plane handles proxy traffic only
proxy:
  enabled: true

admin:
  enabled: false

manager:
  enabled: false
' > values-dp.yaml
Deploy the Data Plane using the values-dp.yaml:
helm install kong kong/kong --values ./values-dp.yaml -n kong --create-namespace
FAQs
Can I install Kong Gateway via Helm without cluster permissions?
Yes. Using the kong chart, set ingressController.rbac.enableClusterRoles to false.
Warning: Some resources require a ClusterRole for reconciliation because the controllers need to watch cluster scoped resources. Disabling ClusterRoles causes them to fail, so you need to disable the controllers when setting it to false. These resources include:
- All Gateway API resources
- IngressClass
- KNative/Ingress (KIC 2.x only)
- KongClusterPlugin
- KongVault, KongLicense (KIC 3.1 and above)