Route traffic with a Kubernetes Ingress resource
Set the spec.ingressClass field in the ControlPlane resource to match your Ingress resource’s spec.ingressClassName.
Prerequisites
Kong Operator running
- Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com
helm repo update
- Install Kong Operator using Helm:
helm upgrade --install kong-operator kong/kong-operator -n kong-system \
  --create-namespace \
  --set image.tag=2.1
If you want cert-manager to issue and rotate the admission and conversion webhook certificates, install cert-manager to your cluster and enable cert-manager integration by adding the following argument to the install command above:
--set global.webhooks.options.certManager.enabled=true
If you do not enable this, the chart will generate and inject self-signed certificates automatically. We recommend enabling cert-manager to manage the lifecycle of these certificates.
Kong Operator needs a certificate authority to sign the certificate for mTLS communication between the control plane and the data plane. This is handled automatically by the Helm chart. If you need to provide a custom CA certificate, refer to the certificateAuthority section in the values.yaml of the Helm chart to learn how to create and reference your own CA certificate.
This tutorial doesn’t require a license, but you can add one using KongLicense. This assumes that your license is available in ./license.json.
echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongLicense
metadata:
  name: kong-license
rawLicenseString: '$(cat ./license.json)'
" | kubectl apply -f -
While the Kubernetes Gateway API is the preferred mechanism for configuring inbound routing, Kong Operator also supports the Kubernetes Ingress resource.
Create the kong namespace
Create the kong namespace in your Kubernetes cluster, which is where the demo will run:
kubectl create namespace kong
Create the GatewayConfiguration
Create a GatewayConfiguration resource to customize the deployment options for your data plane and control plane:
echo '
apiVersion: gateway-operator.konghq.com/v2beta1
kind: GatewayConfiguration
metadata:
  name: kong-ingress-config
  namespace: kong
spec:
  dataPlaneOptions:
    deployment:
      replicas: 1
' | kubectl apply -f -
Create the DataPlane
Create a DataPlane resource to define the Kong Gateway deployment:
echo '
apiVersion: gateway-operator.konghq.com/v1beta1
kind: DataPlane
metadata:
  name: kong-ingress-dp
  namespace: kong
spec:
  deployment:
    podTemplateSpec:
      spec:
        containers:
        - name: proxy
          image: kong/kong-gateway:3.13
' | kubectl apply -f -
Create the ControlPlane
Create a ControlPlane resource to define the controller that will manage the DataPlane.
To enable Ingress support, you must specify the spec.ingressClass field:
echo '
apiVersion: gateway-operator.konghq.com/v2beta1
kind: ControlPlane
metadata:
  name: kong-ingress-cp
  namespace: kong
spec:
  dataplane:
    type: ref
    ref:
      name: kong-ingress-dp
  ingressClass: kong
' | kubectl apply -f -
Create the echo Service
Run the following command to create a sample echo Service:
kubectl apply -f https://developer.konghq.com/manifests/kic/echo-service.yaml -n kong
Create the Ingress
Create an Ingress resource that points to the echo Service, and set its spec.ingressClassName field to the spec.ingressClass value configured in the ControlPlane resource:
echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo-ingress
  namespace: kong
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: echo
            port:
              number: 1027
' | kubectl apply -f -
Validate
- Check that the resources have been created:
kubectl get controlplane,dataplane,ingress -n kong
- Get the external IP of the DataPlane service:
export PROXY_IP=$(kubectl get svc -n kong -l app=kong-ingress-dp,gateway-operator.konghq.com/dataplane-service-type=ingress -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
- Send a request to the Ingress:
curl -i http://$PROXY_IP/
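A check for the class match this page depends on, added here as an example and not taken from the Kong documentation: it reads spec.ingressClass from the ControlPlane and spec.ingressClassName from the Ingress and reports whether they agree. The function names, return codes and script name are assumptions; the resource names are the ones created above.

```shell
#!/bin/sh
# Added example (not Kong's own code): confirm that an Ingress names the
# class the ControlPlane is configured with. Function names and return
# codes are assumptions made for illustration.

# get_field KIND NAME NAMESPACE JSONPATH -> prints the field (may be empty)
get_field() {
  kubectl get "$1" "$2" -n "$3" -o "jsonpath=$4"
}

# check_ingress_class NAMESPACE CONTROLPLANE INGRESS
# Returns: 0 match, 1 mismatch, 2 ControlPlane has no spec.ingressClass,
#          3 Ingress has no spec.ingressClassName, 4 kubectl lookup failed.
check_ingress_class() {
  ns=$1 cp_name=$2 ing_name=$3
  cp_class=$(get_field controlplane "$cp_name" "$ns" '{.spec.ingressClass}') || return 4
  ing_class=$(get_field ingress "$ing_name" "$ns" '{.spec.ingressClassName}') || return 4

  if [ -z "$cp_class" ]; then
    # The page requires this field to be set for Ingress support.
    echo "ControlPlane $ns/$cp_name: spec.ingressClass is not set" >&2
    return 2
  fi
  if [ -z "$ing_class" ]; then
    # Treated as a failure here: the page sets the class explicitly.
    echo "Ingress $ns/$ing_name: spec.ingressClassName is not set" >&2
    return 3
  fi
  if [ "$cp_class" != "$ing_class" ]; then
    echo "Mismatch: ControlPlane has '$cp_class', Ingress has '$ing_class'" >&2
    return 1
  fi
  echo "OK: $ns/$ing_name and $ns/$cp_name both use class '$cp_class'"
}

# Runs only when called with three arguments, for example:
#   sh check-class.sh kong kong-ingress-cp echo-ingress
if [ "$#" -eq 3 ]; then
  check_ingress_class "$@"
fi
```

Running it before the curl step separates a class mismatch from a load balancer that has not yet been assigned an IP.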