Full Stack Kubernetes with Kong Ingress Controller

Kubernetes has become the name of the game when it comes to container orchestration. It allows teams to deploy and scale applications to meet changes in demand while providing a great developer experience.

The key to handling modern dynamic, scalable workloads in Kubernetes is a networking stack that can deliver API management, a service mesh and an ingress controller. Kong Ingress Controller allows users to manage the routing rules that control external user access to the service in a Kubernetes cluster from the same platform.

This article will look at how you can use Kong for full-stack application deployments with Kubernetes. By full-stack, we mean Kong can handle:

• Containers
• Container networking
• Pod networking
• Service networking
• Host networking
• Load balancing
• Rate limiting
• HTTPS redirects

Let's get started by creating our cluster.

Installing Kind Kubernetes

With Kind, you can run local Kubernetes clusters using Docker. It was designed for testing Kubernetes but is perfect for local K8 development like we will do in this example. There are quite a few ways to install Kind, depending on your operating system. If you have a Mac, you can install it quickly with Homebrew:

brew install kind

If you are on a Windows machine and have Chocolatey installed, the command is just as simple:

choco install kind

If you have Go and Docker installed, you can run the following command to install kind:

GO111MODULE="on" go get sigs.k8s.io/kind@v0.10.0

For more installation options, see the Kind quickstart.

Once Kind is installed, you need to create a cluster::

kind create cluster

After making the cluster, you can interact with it using kubectl. To list your clusters, run:

kind get clusters

It should return kind, the default cluster context name.

Now run the following to point kubectl to the kind cluster:

kind export kubeconfig

If you set up Kind correctly, running the following command will give you details about your cluster:

kubectl cluster-info

Installing Kong Ingress Controller

Now that we have a cluster running, we can install Kong quickly by applying the manifest directly with the following command:

kubectl create -f https://bit.ly/k4k8s

Now run the following command to get details on kong-proxy:

kubectl -n kong get service kong-proxy

You will notice that the external IP is still pending. Kind only exposes the Kubernetes API endpoint, and so the service is not accessible outside of the cluster.

Since we are using Kind, we will have to run a port forward to do this. This command does not get daemonized, so you will have to open another console window to run other commands.

kubectl -n kong port-forward --address localhost,0.0.0.0 svc/kong-proxy 8080:80

Next, we need to set an environment variable with the IP address from where we want to access Kong. This will be localhost since we are using a port forward.

export PROXY_IP=localhost:8080

You can curl the IP now or visit in a browser and should see:

{"message":"no Route matched with those values"}

Deploying an Example App

Now let's deploy something that will return some results. Kubernetes has multiple example applications available in a Github repo. We are going to deploy the Guestbook App with these commands:

kubectl apply -f https://k8s.io/examples/application/guestbook/mongo-deployment.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/mongo-service.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/frontend-deployment.yaml
kubectl apply -f https://k8s.io/examples/application/guestbook/frontend-service.yaml

Now, if we run kubectl get services, we will see two new services:

We can also query the pods to make sure their status is ‘Running’:

kubectl get pods -l app.kubernetes.io/name=guestbook -l app.kubernetes.io/component=frontend

To test it, you can run another port forward really quick with:

kubectl port-forward svc/frontend 8000:80

You will find the guestbook running at http://localhost:8000/. We will now set up the Kong Ingress Controller.

Expose the App to the Internet

Now we can use the Kong Ingress Controller, so we need to set up a resource to serve traffic. We can create a proxy for our application with the following command:

echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    konghq.com/strip-path: "true"
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - http:
  	paths:
  	- path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80
' | kubectl apply -f -

Now you will see the guestbook app at http://localhost:8080/.

Using Plugins as Services in Kong

With Kong Ingress, we can execute plugins on the service level. That way, Kong will execute a plugin whenever a request is sent to a specific service, no matter which ingress path from where it came. If we want to add rate limits to our app, we can add the rate limiting plugin to our Kubernetes installation with the following command:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rl-by-ip
config:
  minute: 5
  limit_by: ip
  policy: local
plugin: rate-limiting
" | kubectl apply -f -
kongplugin.configuration.konghq.com/rl-by-ip created

kubectl patch svc frontend \
  -p '{"metadata":{"annotations":{"konghq.com/plugins": "rl-by-ip\n"}}}'

If you curl the guestbook app, you will see that rate limiting has been set up.

If you plan on testing the Guestbook frequently during this example, you may want to set the limit higher, or you will run into a Kong error that says the rate limit has been exceeded.

Configuring an HTTPS Redirect

So far, the app is running on HTTP, and we want it to run on HTTPS. If we want to tell Kong to redirect all the HTTP requests, we can update its annotations to HTTPS and issue a 301 redirect with this command to patch the ingress entry:

kubectl patch ingress guestbook -p 
'{"metadata":{"annotations":{"konghq.com/protocols":"https","konghq.com/https-redirect-status-code":"301"}}}'

To test this using kind, set up another port-forward with the following command:

kubectl -n kong port-forward --address localhost,0.0.0.0 svc/kong-proxy 8443:443

You can now access a "secure" version of the guestbook at https://localhost:8443. It will not have a certificate, so you will run into warnings in your browser. Let's look at how we can add certificates.

Adding the Cert-Manager

You can install the cert-manager with the following command:

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml

Once the images pull down, you can verify that it is running with this command:

kubectl get all -n cert-manager

You should see something like this:

Since we have Kubernetes running locally with a port-forward, the IP address for the Kong proxy is 127.0.0.1. If you weren’t using a port forward, you could run the following command to find the IP address:

kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong kong-proxy

But since we are using a port forward, this command will return nothing. If this were in production, you would then set up DNS records to resolve your domain to the IP address you just retrieved. Once that is done, you can request a certificate from Let's Encrypt by running the following, making sure to change the email:

echo "apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: user@example.com #change this email
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
      ingress:
        class: kong" | kubectl apply -f -

Next, you will have to update your ingress resource to provide a certificate with the following command, changing the domain to your own:

echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook-example-com
  annotations:
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: kong
spec:
  tls:
  - secretName: guestbook-example-com
    hosts:
    - demo.example.com #change this domain/subdomain
  rules:
  - host: demo.example.com #change this domain/subdomain
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook
            port:
              number: 80
' | kubectl apply -f -

Once that is updated, the cert-manager will start to provision the certificate and the certificate will be ready soon.

Missing a Tool in Your K8s Stack?

Kong may be the missing tool in your Kubernetes stack. Kong Ingress Controller can implement authentication, HTTPS redirects, security certificates, and more across all your Kubernetes clusters. Using Kong, you can control your containers, networking, load balancing, rate limiting and more from one platform. It truly is the choice for full-stack ingress deployments.