How to deploy Kong Gateway as Ingress Controller using Helm
Kong Ingress Controller is a native way of deploying Kong Gateway in K8s cluster. Here you can learn how to deploy this using Helm charts.
Terminologies
Let's clear out some terminologies before we start diving into the topic. Assuming you have some knowledge of containerized applications.
Service: A service is an object in Kubernetes which is used to expose the pods deployed in the cluster.
Ingress: An Ingress is an object that is used to provide external access to services deployed in the cluster. It does this by providing HTTP/HTTPS routes.
Ingress Controller: An Ingress controller is a specialized load balancer for a containerized (K8s) environment. It helps to monitor the pods running in Kubernetes and automatically update the load‑balancing rules when pods are added or removed from service.
Kong Ingress Controller
As mentioned earlier, Ingress Controller is the kubernetes way of exposing services deployed. These services are nothing but APIs that are being deployed by your enterprise to receive or provide data.
Since these APIs need to be protected with some security mechanism, Kong helps perform this additional functionality by deploying a gateway in the path of this. For example, if you need to secure your API with an api-key, then Kong provides a plugin (list of plugins) where you can configure the API key that is allowed for accessing the services.
Kong does this with two components,
kong proxy — handles the user API invocations
kong controller — manages the configurations and pushes them to kong proxy as and when changes are happening in the k8s cluster
With this prelude let's dive in on how to deploy Kong Ingress Controller.
Pre-requisites
minikube or any k8s cluster
k9s (optional)
konnect account (optional)
KIC - Standalone
Start your minikube or k8s cluster and make sure you can run commands and verify connection to cluster
kubectl get pods -A
Create a namespace so that you can have all kong related objects grouped.
kubectl create namespace kong
Let's start installing kong components. Follow the steps below,
Add the kong helm chart,
helm repo add kong https://charts.konghq.com
Charts come with default values based on the published ones. You can also configure/customize the values for charts using values.yaml file. For this installation, I am using a values file kic.yaml
Install the chart with a release name kic
under a namespace kong
with customized values file.
helm install kic kong/kong -n kong -f kic.yaml
You will see below pods have been created. The screenshot is from k9s which helps you to visualize the cluster and navigate quickly instead of running kubectl commands.
You can also check the status using,
kubectl get pods -n kong
To test that the kong gateway is up and running you need to expose the port outside the cluster. I will be using port-forward. You can replace the pod name from the output of the above command.
kubectl port-forward kic-kong-75955b98cf-6t4bg -n kong 8000:8000
Open a new shell prompt and run the curl command,
curl -i http://localhost:8000
Output
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 52
X-Kong-Response-Latency: 0
Server: kong/3.4.0
{
"message":"no Route matched with those values"
}
If you get 404 no route matched then the gateway is configured successfully. This is because you have not deployed any services or ingress.
KIC - Konnect
You need an account with Kong Konnect to deploy KIC in a managed way. This option provides a read-only Kong Manager which would help you to view, and monitor the Ingress Controller which is connected to your runtime running on your platform. It also manages all your configurations using a DB which is managed by Kong.
Create a runtime group to manage the ingress controller nodes. During the creation, you can generate the certs and helm script that can be run on your cluster to perform the installation.
On the runtime group creation page, you will get the option to generate the certificate. Copy and store the cert and key locally to files and generate secrets using the below command,
kubectl create secret tls konnect-client-tls -n kong --cert=konnect-cluster.crt --key=konnect-cluster.key
You can now copy the helm values and store in your values.yaml
Run the helm command to install the ingress controller,
helm install kong kong/ingress -n kong -f kic-konnect.yaml
Once your cluster gets connected to Konnect you will see the dashboard showing the KIC operational and details of the ingress controller. From here you can view the services, routes and other objects that are being deployed in your K8s.
To test that the kong gateway is up and running you need to expose the port outside the cluster. I will be using port-forward. You can replace the pod name from the output of the above command.
kubectl port-forward kong-gateway-cf949fcf5-7ss96 -n kong 8000:8000
Open a new shell prompt and run the curl command,
curl -i http://localhost:8000
Now you can start deploying your services and routes to cluster and can view their analytics on the read-only Kong Manager.
Proxying services via Kong
Now that you have kong gateway up and running, you need to start deploying services in the K8s cluster and expose them via Kong Ingress.
service.yaml is a predefined echo service that we can use to deploy and test the services running inside the k8s cluster.
To deploy the service run the below command,
kubectl apply -f service.yaml
This would create a pod in the default namespace running on port 1027 (http). Check if the pod is running using the command,
kubectl get pods
Now comes the part where you need to define a route/ingress for this service to be exposed outside.
ingress.yaml is the specification that contains the definition of how to expose the service via kong gateway.
kubectl apply -f ingress.yaml
Below is the mapping of service to ingress,
With the service exposed on ingress, you can test the API using the below command,
curl -i http://kong.example:8000/echo --resolve kong.example:8000:127.0.0.1
Output
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 133
Connection: keep-alive
X-Kong-Upstream-Latency: 5
X-Kong-Proxy-Latency: 1
Via: kong/3.4.0
Welcome, you are connected to node minikube.
Running on Pod echo-7c8dd7d64-k9w22.
In namespace default.
With IP address 172.17.0.2
For you to proxy any external services running outside of your cluster, you can use the files ext-service and ext-ingress
Create these objects in your cluster using the below commands,
kubectl apply -f ext-service.yaml
kubectl apply -f ext-ingress.yaml
Test the URL and you should see the response from httpbin service,
curl -i http://kong.example:8000/httpbin/anything --resolve kong.example:8000:127.0.0.1
Output
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 482
Connection: keep-alive
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Kong-Upstream-Latency: 510
X-Kong-Proxy-Latency: 2
Via: kong/3.4.0
{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Host": "kong.example",
"User-Agent": "curl/7.86.0",
"X-Amzn-Trace-Id": "Root=1-6503f82b-6412279a702c96dd301ea656",
"X-Forwarded-Host": "kong.example",
"X-Forwarded-Path": "/httpbin/anything",
"X-Forwarded-Prefix": "/httpbin"
},
"json": null,
"method": "GET",
"origin": "127.0.0.1, 49.207.192.144",
"url": "http://kong.example/anything"
}
The power of Kong Gateway can be seen in the latency experienced when it passes through Ingress. Note the X-Kong-Proxy-Latency
values in the output.
Switching to Enterprise
To use the enterprise capabilities of Kong like advanced plugins and others, you need to add the license as secret and add the secret name to values.yaml
kubectl create secret generic kong-enterprise-license --from-file=license=./license.json
This values.yaml has the complete setup including kong manager, dev portal, and Postgres DB with enterprise license which is typical deployment for your enterprise.
You can refer to the Kong Charts for a complete list of values that can be used with charts.
Quickstart Guide
The repo also contains a full-fledged implementation of Kong Ingress Controller with enterprise features like Kong Manager, Vitals and Dev Portal.
quickstart file has the commands needed to bring up the deployments. It's good practice to follow along by running each command separately. You can also run the shell script to get you started quickly.
cleanup file has commands to delete the resources created
preinstall file has commands that are required for enterprise full capabilities.