See what makes Kong the fastest, most-adopted API gateway
Check out the latest Kong feature releases and updates
Single platform for SaaS end-to-end connectivity
Enterprise service mesh based on Kuma and Envoy
Collaborative API design platform
API and Microservices Security for Gateways, Service Mesh, and Beyond
Call for speakers & sponsors, Kong API Summit 2023!
6 MIN READ
Hello, everyone! Viktor Gamov, a developer advocate with Kong here. In this article, I would like to show you how to set up service connectivity using Kong Konnect and Kubernetes. I will deploy an application in Kubernetes, configure a runtime through Konnect and demonstrate some management capabilities like enabling plugins.
Let’s dive right in!
As a prerequisite, I have created an account set up in Konnect. If you don’t already have one, you can sign up for free and follow our getting started documentation, blog post or video.
Also, I have prepared my three-node Kubernetes cluster in GCP.
Kubectl get nodes
I also have Helm 3 installed on my computer.
Kong provides you with Helm Charts for Kong Gateway and Ingress Controller.
Follow this documentation to add the Kong repository to your computer.
Next, we’ll securely establish a connection between our control plane and our data plane. To do this, click Generate Certificate in the Runtimes section of Konnect.
You need to copy the certificate, root certificate and server private key to your files system.
We will deploy those to Kubernetes in a few steps.
Next, we should connect the runtime to our data plane. Then, we need to create secrets inside our Kubernetes cluster. One secret for the Kong cluster certificate and the other for the Kong cluster certificate code. There’s more detail on this in the Kong Konnect documentation.
Note: Make sure you’ve created the namespace.
$ kubectl create secret tls kong-cluster-cert -n kong \ --cert=/<path-to-file>/tls.crt \ --key=/<path-to-file>/tls.key
$ kubectl create secret generic kong-cluster-ca -n kong \ --from-file=ca.crt=/<path-to-file>/ca.crt
The next thing we’ll need is the values.yaml file.
We can put all our customizations for Kong Helm Charts.
In case you are interested in customizing this installation, take a look at a repository of examples. In your case, it might contain different links because you might be using different URLs.
image: repository: kong/kong-gateway tag: "2.4.1.1-alpine" secretVolumes: - kong-cluster-cert - kong-cluster-ca admin: enabled: false env: role: data_plane database: "off" anonymous_reports: off vitals_ttl_days: 732 cluster_mtls: pki cluster_control_plane: <example.cp.konnect.foo>:443 cluster_server_name: <kong-cpoutlet-example.service> cluster_telemetry_endpoint: <example.tp.konnect.foo>:443 cluster_telemetry_server_name: <kong-telemetry-example.service> cluster_ca_cert: /etc/secrets/kong-cluster-ca/ca.crt cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-ca/ca.crt ingressController: enabled: false installCRDs: false
Apply the values.yaml file.
$ helm install my-kong kong/kong -n kong \ --values ./values.yaml
To get Helm access to Kong, we need to get the external IP address. For example, when creating a service with a load balancer in Google Cloud, Google Cloud will provide us with an external address. So to communicate with our application service, we need this address.
$ kubectl get service my-kong-kong-proxy -n kong
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kong-proxy LoadBalancer 10.63.254.78 35.233.198.16 80:32697/TCP,443:32365/TCP 22h
Next, let’s make sure we have a connection to this runtime in Konnect and K9s.
It’s connected in my Konnect Runtime Manager.
Here’s my pod in K9s. It’s connected to my control plane.
Now we have our data plane, our applications are running and our API gateway is running. Next, we need to manage this API gateway from the outside world.
We’ll create a new service in Konnect ServiceHub called mock service. I’m creating a service that will proxy the request to this Mockbin through my Kong Gateway.
To create a new implementation, we’ll go into our current version for the mock service and click Add New Implementation.
From Mockbin, we can try testing with foo and bar (http://mockbin.com/request?foo=bar&foo=baz), and I get the following response.
{ "startedDateTime": "2021-06-28T21:26:17.519Z", "clientIPAddress": "69.119.63.202", "method": "GET", "url": "http://mockbin.com/request?foo=bar&foo=baz", "httpVersion": "HTTP/1.1", "cookies": {}, "headers": { "host": "mockbin.com", "connection": "close", "accept-encoding": "gzip", "x-forwarded-for": "69.119.63.202, 172.70.110.190", "cf-ray": "6669fe174b5317ad-EWR", "x-forwarded-proto": "http", "cf-visitor": "{\"scheme\":\"http\"}", "upgrade-insecure-requests": "1", "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36", "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "accept-language": "en-US,en;q=0.9", "cf-connecting-ip": "69.119.63.202", "cdn-loop": "cloudflare", "cf-request-id": "0af61d228a000017ad618f1000000001", "x-request-id": "b665811b-5c7e-433a-9648-532aca7f22d1", "x-forwarded-port": "80", "via": "1.1 vegur", "connect-time": "0", "x-request-start": "1624915577517", "total-route-time": "0" }, "queryString": { "foo": [ "bar", "baz" ] }, "postData": { "mimeType": "application/octet-stream", "text": "", "params": [] }, "headersSize": 859, "bodySize": 0 }
If we try to hit the same URL through Kong, we’ll see some extra headers.
We should also be able to see this traffic in our Konnect Vitals data. I just hit once, so there’s one spike.
So far, in the Konnect UI, we configured a mock service. That configuration propagated into our data plane that deployed in Kubernetes. We didn’t configure anything in Kubernetes, but suddenly our Kong Gateway service running inside Kubernetes started understanding the mock URL.
I wrote a small application called Quote Service that shows random quotes from Back to the Future. Once the application deploys, we’ll create the port forwarding. Then, once port forwarding is enabled, we’ll get responses from the service.
We’ll hit this Kubernetes service through service discovery. So this Quote Service is now available on port 8080.
We’ll go back to Konnect and create a new service and implementation again.
We’ll add the route.
When we hit this now, it immediately goes through our Kong Ingress Controller. That’s because the communication between the Konnect control plane and the data plane in Kubernetes is super fast.
If we continue hitting this with requests on repeat, we should see that in the Konnect Vitals graph.
What should we do in real life to prevent this type of situation? That’s where rate limiting policies come in.
We can quickly enable Kong’s rate limiting plugin. Let’s allow one request per second.
If we start getting too many requests, our mock service will push back with a 429.
And in Kong Vitals, we should be able to see errors in red.
Another thing we could do is enable Kong’s request validator plugin.
When our application starts getting bad requests, we’ll get a Bad Request that says, “request body doesn’t conform to the schema.”
However, when I enter the magic_word, the application works as it should.
All of these plugins are on the runtime and don’t require changing the application service. I think that’s pretty powerful.
Start a free trial, or contact us if you have any questions as you’re getting set up.
Once you’ve set up Kong Konnect and Kubernetes, you may find these other tutorials helpful:
Share Post