Proxy GRPC Traffic over HTTP
Create a GRPCRoute resource, which will then be converted in to a Kong Gateway Service and Route.
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Enable the Gateway API
-
Install the Gateway API CRDs before installing Kong Ingress Controller.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml -
Create a
GatewayandGatewayClassinstance to use.
echo "
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: kong
annotations:
konghq.com/gatewayclass-unmanaged: 'true'
spec:
controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: kong
spec:
gatewayClassName: kong
listeners:
- name: proxy
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: All
" | kubectl apply -n kong -f -
Create a KIC Control Plane
Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:
CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "My KIC CP",
"cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
}')
We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:
CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')
Create mTLS certificates
Kong Ingress Controller talks to Konnect over a connected secured with TLS certificates.
Generate a new certificate using openssl:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
The certificate needs to be a single line string to send it to the Konnect API with curl. Use awk to format the certificate:
export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);
Next, upload the certificate to Konnect:
curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"cert": "'$CERT'"
}'
Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:
kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key
Kong Ingress Controller running
-
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com helm repo update -
Install Kong Ingress Controller using Helm:
helm install kong kong/ingress -n kong --create-namespace -
Set
$PROXY_IPas an environment variable for future commands:export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}') echo $PROXY_IP
Required Kubernetes resources
This how-to requires some Kubernetes services to be available in your cluster. These services will be used by the resources created in this how-to.
kubectl apply -f https://developer.konghq.com/manifests/kic/grpcbin-service.yaml -n kong
gRPCurl installed
Install gRPCurl, which is a CLI that lets you interact with gRPC servers. This tutorial requires gRPCurl for validation.
gRPC over HTTP
All Gateway Services are assumed to be either HTTP or HTTPS by default. We need to update the Service to specify gRPC as the protocol by adding a konghq.com/protocol annotation.
Annotate the grpcbin Service you installed in the prerequisites with grpc to inform Kong Gateway that this service is a gRPC (with TLS) service and not an HTTP service:
kubectl annotate service -n kong grpcbin 'konghq.com/protocol=grpc'
Kong Gateway accepts HTTP/2 traffic with TLS on port 443, and HTTP/1.1 traffic on port 80 by default. To accept HTTP/2 traffic (which is required by the gRPC standard) over HTTP (plaintext without TLS) on port 80 the configuration has to be adjusted.
kubectl set env deployment/kong-gateway -n kong 'KONG_PROXY_LISTEN=0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl'
Caveat: Kong Gateway 3.6.x and earlier do not offer simultaneous support of HTTP/1.1 and HTTP/2 without TLS on a single TCP socket. You may configure an alternative HTTP/2 port (e.g.
8080) if you require HTTP/1.1 traffic on port 80.Kong Gateway 3.6.x and later supports listening HTTP/2 without TLS and HTTP/1.1 on the same port, allowing use of port 80 for both HTTP/1.1 and HTTP/2 without TLS.
Route gRPC traffic
Now that the test application is running, you can create a GRPC routing configuration that proxies traffic to the application.
Test the configuration
Use grpcurl to send a gRPC request through the proxy:
grpcurl -d '{"greeting": "Kong"}' -plaintext -authority example.com $PROXY_IP:80 hello.HelloService.SayHello
You should see the following response:
{
"reply": "hello Kong"
}
Use grpcurl to send a gRPC request through the proxy:
grpcurl -d '{"greeting": "Kong"}' -plaintext -authority example.com $PROXY_IP:80 hello.HelloService.SayHello
You should see the following response:
{
"reply": "hello Kong"
}
Cleanup
Delete created Kubernetes resources
kubectl delete -n kong -f https://developer.konghq.com/manifests/kic/grpcbin-service.yaml
Uninstall KIC from your cluster
helm uninstall kong -n kong