DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations

Trending

  • How to Load Cypress Chrome Extension
  • AI Technology Is Drastically Disrupting the Background Screening Industry
  • WireMock: The Ridiculously Easy Way (For Spring Microservices)
  • Simplifying SAP Data Integration With Google Cloud
  1. DZone
  2. Software Design and Architecture
  3. Cloud Architecture
  4. Full Stack Kubernetes with Kong Ingress Controller

Full Stack Kubernetes with Kong Ingress Controller

The key to handling modern dynamic, scalable workloads in Kubernetes is a networking stack that can deliver API management, a service mesh and an ingress controller.

Michael Bogan user avatar by
Michael Bogan
CORE ·
Jun. 28, 21 · Tutorial
Like (6)
Save
Tweet
Share
24.18K Views

Join the DZone community and get the full member experience.

Join For Free

Kubernetes has become the name of the game when it comes to container orchestration. It allows teams to deploy and scale applications to meet changes in demand while providing a great developer experience.

The key to handling modern dynamic, scalable workloads in Kubernetes is a networking stack that can deliver API management, a service mesh and an ingress controller. Kong Ingress Controller allows users to manage the routing rules that control external user access to the service in a Kubernetes cluster from the same platform.

This article will look at how you can use Kong for full-stack application deployments with Kubernetes. By full-stack, we mean Kong can handle:

  • Containers
  • Container networking
  • Pod networking
  • Service networking
  • Host networking
  • Load balancing
  • Rate limiting
  • HTTPS redirects

Let's get started by creating our cluster.

Installing Kind Kubernetes

With Kind, you can run local Kubernetes clusters using Docker. It was designed for testing Kubernetes but is perfect for local K8 development like we will do in this example. There are quite a few ways to install Kind, depending on your operating system. If you have a Mac, you can install it quickly with Homebrew:

brew install kind

If you are on a Windows machine and have Chocolatey installed, the command is just as simple:

choco install kind

If you have Go and Docker installed, you can run the following command to install kind:

GO111MODULE="on" go get sigs.k8s.io/kind@v0.10.0

For more installation options, see the Kind quickstart.

Once Kind is installed, you need to create a cluster::

kind create cluster

After making the cluster, you can interact with it using kubectl. To list your clusters, run:

kind get clusters

It should return kind, the default cluster context name.

Now run the following to point kubectl to the kind cluster:

kind export kubeconfig

If you set up Kind correctly, running the following command will give you details about your cluster:

kubectl cluster-info

Installing Kong Ingress Controller

Now that we have a cluster running, we can install Kong quickly by applying the manifest directly with the following command:

kubectl create -f https://bit.ly/k4k8s

Now run the following command to get details on kong-proxy:

kubectl -n kong get service kong-proxy

You will notice that the external IP is still pending. Kind only exposes the Kubernetes API endpoint, and so the service is not accessible outside of the cluster.

Since we are using Kind, we will have to run a port forward to do this. This command does not get daemonized, so you will have to open another console window to run other commands.

kubectl -n kong port-forward --address localhost,0.0.0.0 svc/kong-proxy 8080:80

Next, we need to set an environment variable with the IP address from where we want to access Kong. This will be localhost since we are using a port forward.

export PROXY_IP=localhost:8080

You can curl the IP now or visit in a browser and should see:

{"message":"no Route matched with those values"}

Deploying an Example App

Now let's deploy something that will return some results. Kubernetes has multiple example applications available in a Github repo. We are going to deploy the Guestbook App with these commands:

Plain Text
 
kubectl apply -f https://k8s.io/examples/application/guestbook/mongo-deployment.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/mongo-service.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/frontend-deployment.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/frontend-service.yaml


Now, if we run kubectl get services, we will see two new services:

We can also query the pods to make sure their status is ‘Running’:

Plain Text
 
kubectl get pods -l app.kubernetes.io/name=guestbook -l app.kubernetes.io/component=frontend


To test it, you can run another port forward really quick with:

kubectl port-forward svc/frontend 8000:80

You will find the guestbook running at http://localhost:8000/. We will now set up the Kong Ingress Controller.

Expose the App to the Internet

Now we can use the Kong Ingress Controller, so we need to set up a resource to serve traffic. We can create a proxy for our application with the following command:

Plain Text
 
echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    konghq.com/strip-path: "true"
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - http:
  	paths:
  	- path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80
' | kubectl apply -f -


Now you will see the guestbook app at http://localhost:8080/.

Using Plugins as Services in Kong

With Kong Ingress, we can execute plugins on the service level. That way, Kong will execute a plugin whenever a request is sent to a specific service, no matter which ingress path from where it came. If we want to add rate limits to our app, we can add the rate limiting plugin to our Kubernetes installation with the following command:

Plain Text
 
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rl-by-ip
config:
  minute: 5
  limit_by: ip
  policy: local
plugin: rate-limiting
" | kubectl apply -f -
kongplugin.configuration.konghq.com/rl-by-ip created


Once you install the plugin, you can apply the konghq.com/plugins annotation on our Guestbook with the following command:
Java
 
kubectl patch svc frontend \
  -p '{"metadata":{"annotations":{"konghq.com/plugins": "rl-by-ip\n"}}}'


If you curl the guestbook app, you will see that rate limiting has been set up.

If you plan on testing the Guestbook frequently during this example, you may want to set the limit higher, or you will run into a Kong error that says the rate limit has been exceeded.

Configuring an HTTPS Redirect

So far, the app is running on HTTP, and we want it to run on HTTPS. If we want to tell Kong to redirect all the HTTP requests, we can update its annotations to HTTPS and issue a 301 redirect with this command to patch the ingress entry:

Plain Text
 
kubectl patch ingress guestbook -p 
'{"metadata":{"annotations":{"konghq.com/protocols":"https","konghq.com/https-redirect-status-code":"301"}}}'


To test this using kind, set up another port-forward with the following command:

Plain Text
 
kubectl -n kong port-forward --address localhost,0.0.0.0 svc/kong-proxy 8443:443


You can now access a "secure" version of the guestbook at https://localhost:8443. It will not have a certificate, so you will run into warnings in your browser. Let's look at how we can add certificates.

Adding the Cert-Manager

You can install the cert-manager with the following command:

Plain Text
 
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml


Once the images pull down, you can verify that it is running with this command:

kubectl get all -n cert-manager

You should see something like this:

Since we have Kubernetes running locally with a port-forward, the IP address for the Kong proxy is 127.0.0.1. If you weren’t using a port forward, you could run the following command to find the IP address:

Plain Text
 
kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong kong-proxy


But since we are using a port forward, this command will return nothing. If this were in production, you would then set up DNS records to resolve your domain to the IP address you just retrieved. Once that is done, you can request a certificate from Let's Encrypt by running the following, making sure to change the email:

Plain Text
 
echo "apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: user@example.com #change this email
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
      ingress:
        class: kong" | kubectl apply -f -


Next, you will have to update your ingress resource to provide a certificate with the following command, changing the domain to your own:

Plain Text
 
echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook-example-com
  annotations:
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: kong
spec:
  tls:
  - secretName: guestbook-example-com
    hosts:
    - demo.example.com #change this domain/subdomain
  rules:
  - host: demo.example.com #change this domain/subdomain
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook
            port:
              number: 80
' | kubectl apply -f -


Once that is updated, the cert-manager will start to provision the certificate and the certificate will be ready soon.

Missing a Tool in Your K8s Stack?

Kong may be the missing tool in your Kubernetes stack. Kong Ingress Controller can implement authentication, HTTPS redirects, security certificates, and more across all your Kubernetes clusters. Using Kong, you can control your containers, networking, load balancing, rate limiting and more from one platform. It truly is the choice for full-stack ingress deployments.

Kubernetes Docker (software) Plain text Command (computing) rate limit app

Opinions expressed by DZone contributors are their own.

Trending

  • How to Load Cypress Chrome Extension
  • AI Technology Is Drastically Disrupting the Background Screening Industry
  • WireMock: The Ridiculously Easy Way (For Spring Microservices)
  • Simplifying SAP Data Integration With Google Cloud

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com

Let's be friends: