Install Kong Gateway on-prem with Helm

Uses: Kong Gateway

These instructions configure Kong Gateway to use separate control plane and data plane deployments. This is the recommended production installation method.

Helm Setup

Kong provides a Helm chart for deploying Kong Gateway. Add the charts.konghq.com repository and run helm repo update to ensure that you have the latest version of the chart.

helm repo add kong https://charts.konghq.com
helm repo update

Create a Kong Gateway Enterprise License

First, create the kong namespace:

kubectl create namespace kong

Next, create a Kong Gateway Enterprise license secret.

Ensure you are in the directory that contains a license.json file before running this command.

kubectl create secret generic kong-enterprise-license --from-file=license=license.json -n kong

Create clustering certificates

Kong Gateway uses mTLS to secure the control plane/data plane communication when running in hybrid mode.

  1. Generate a TLS certificate using OpenSSL.

    openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) \
      -keyout ./tls.key -out ./tls.crt -days 1095 -subj "/CN=kong_clustering"
    
  2. Create a Kubernetes secret containing the certificate.

    kubectl create secret tls kong-cluster-cert --cert=./tls.crt --key=./tls.key -n kong
    

Create a Control Plane

The control plane contains all Kong Gateway configurations. The configuration is stored in a PostgreSQL database.

  1. Create a values-cp.yaml file.

    # Do not use Kong Ingress Controller
    ingressController:
      enabled: false
       
    image:
      repository: kong/kong-gateway
      tag: "3.11"
       
    # Mount the secret created earlier
    secretVolumes:
      - kong-cluster-cert
       
    env:
      # This is a control_plane node
      role: control_plane
      # These certificates are used for control plane / data plane communication
      cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
      cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
       
      # Database
      # CHANGE THESE VALUES
      database: postgres
      pg_database: kong
      pg_user: kong
      pg_password: demo123
      pg_host: kong-cp-postgresql.kong.svc.cluster.local
      pg_ssl: "on"
       
      # Kong Manager password
      password: kong_admin_password
       
    # Enterprise functionality
    enterprise:
      enabled: true
      license_secret: kong-enterprise-license
       
    # The control plane serves the Admin API
    admin:
      enabled: true
      http:
        enabled: true
       
    # Clustering endpoints are required in hybrid mode
    cluster:
      enabled: true
      tls:
        enabled: true
       
    clustertelemetry:
      enabled: true
      tls:
        enabled: true
       
    manager:
      enabled: false
       
    # These roles will be served by different Helm releases
    proxy:
      enabled: false
    
  2. (Optional) If you want to deploy a Postgres database within the cluster for testing purposes, add the following to the bottom of values-cp.yaml.

    # This is for testing purposes only
    # DO NOT DO THIS IN PRODUCTION
    # Your cluster needs a way to create PersistentVolumeClaims
    # if this option is enabled
    postgresql:
      enabled: true
      auth:
        password: demo123
    
  3. Update the database connection values in values-cp.yaml.

    • env.pg_database: The database name to use
    • env.pg_user: Your database username
    • env.pg_password: Your database password
    • env.pg_host: The hostname of your Postgres database
    • env.pg_ssl: Use SSL to connect to the database
  4. Set your Kong Manager super admin password in values-cp.yaml.

    • env.password: The Kong Manager super admin password
  5. Run helm install to create the release.

    helm install kong-cp kong/kong -n kong --values ./values-cp.yaml
    
  6. Run kubectl get pods -n kong. Ensure that the control plane is running as expected.

    NAME                                 READY   STATUS
    kong-cp-kong-7bb77dfdf9-x28xf        1/1     Running
    

Create a Data Plane

The Kong Gateway data plane is responsible for processing incoming traffic. It receives the routing configuration from the control plane using the clustering endpoint.

  1. Create a values-dp.yaml file.

    # Do not use Kong Ingress Controller
    ingressController:
      enabled: false
       
    image:
      repository: kong/kong-gateway
      tag: "3.11"
       
    # Mount the secret created earlier
    secretVolumes:
      - kong-cluster-cert
       
    env:
      # data_plane nodes do not have a database
      role: data_plane
      database: "off"
       
      # Tell the data plane how to connect to the control plane
      cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
      cluster_telemetry_endpoint: kong-cp-kong-clustertelemetry.kong.svc.cluster.local:8006
       
      # Configure control plane / data plane authentication
      lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
      cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
      cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
       
    # Enterprise functionality
    enterprise:
      enabled: true
      license_secret: kong-enterprise-license
       
    # The data plane handles proxy traffic only
    proxy:
      enabled: true
       
    # These roles are served by the kong-cp deployment
    admin:
      enabled: false
       
    manager:
      enabled: false
    
  2. Run helm install to create the release:

    helm install kong-dp kong/kong -n kong --values ./values-dp.yaml
    
  3. Run kubectl get pods -n kong to ensure that the Data Plane is running as expected:

    NAME                                 READY   STATUS
    kong-dp-kong-5dbcd9f6b9-f2w49        1/1     Running
    

Test your deployment

Kong Gateway is now running. To send some test traffic, try the following:

  1. Fetch the LoadBalancer address for the kong-dp service and store it in the PROXY_IP environment variable:

    PROXY_IP=$(kubectl get service --namespace kong kong-dp-kong-proxy \
      -o jsonpath='{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}')
    
  2. Make an HTTP request to your $PROXY_IP. This will return a HTTP 404 served by Kong Gateway:

    curl $PROXY_IP/mock/anything
    
  3. In another terminal, run kubectl port-forward to set up port forwarding and access the Admin API:

    kubectl port-forward -n kong service/kong-cp-kong-admin 8001
    
  4. Create a mock Service and Route:

    curl localhost:8001/services -d name=mock -d url="https://httpbin.konghq.com"
    curl localhost:8001/services/mock/routes -d "paths=/mock"
    
  5. Make an HTTP request to your $PROXY_IP again. This time Kong Gateway will route the request to httpbin:

    curl $PROXY_IP/mock/anything
    
Something wrong?

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!