Create a Gateway
Creating GatewayClass and Gateway resources in Kubernetes causes Kong Gateway Operator to create a Kong Ingress Controller and Kong Gateway deployment.
GatewayConfiguration
You can customize your Kong Ingress Controller and Kong Gateway deployments using the GatewayConfiguration CRD. This allows you to control the image being used, and set any required environment variables.
If you are creating a KIC in Konnect deployment, you need to customize the deployment to contain your control plane ID and authentication certificate.
To get the endpoint and the authentication details of the data plane:
- Log in to Konnect.
- Navigate to Gateway Manager, click New Control Plane and select Kong Ingress Controller.
- Enter a name for your new control plane.
- In the Connect to KIC section, click Generate Script.
- Click Generate Certificate in step 3.
- Save the contents of Cluster Certificate in a file named tls.crt. Save the contents of Cluster Key in a file named tls.key.
- Create a Kubernetes secret containing the cluster certificate:
  kubectl create secret tls konnect-client-tls --cert=./tls.crt --key=./tls.key
- In the Install the KIC step 4, find the value of runtimeGroupID. Replace YOUR_CP_ID with the control plane ID in the following manifest.
- In the Install the KIC step 4, find the value of cluster_telemetry_endpoint. The first segment of that value is the control plane endpoint for your cluster. For example, if the value of cluster_telemetry_endpoint is 36fc5d01be.us.cp0.konghq.com, then the control plane endpoint of the cluster is 36fc5d01be. Replace YOUR_CP_ENDPOINT with the control plane endpoint in the following manifest.
- Deploy the data plane with kubectl apply:
echo 'kind: GatewayConfiguration
apiVersion: gateway-operator.konghq.com/v1beta1
metadata:
  name: kong
  namespace: default
spec:
  controlPlaneOptions:
    deployment:
      podTemplateSpec:
        spec:
          containers:
          - name: controller
            image: kong/kubernetes-ingress-controller:3.3.1
            env:
            - name: CONTROLLER_KONNECT_ADDRESS
              value: https://us.kic.api.konghq.com
            - name: CONTROLLER_KONNECT_LICENSING_ENABLED
              value: "true"
            - name: CONTROLLER_KONNECT_RUNTIME_GROUP_ID
              value: YOUR_CP_ID
            - name: CONTROLLER_KONNECT_SYNC_ENABLED
              value: "true"
            # Client certificate and key are read from the konnect-client-tls secret
            - name: CONTROLLER_KONNECT_TLS_CLIENT_CERT
              valueFrom:
                secretKeyRef:
                  key: tls.crt
                  name: konnect-client-tls
            - name: CONTROLLER_KONNECT_TLS_CLIENT_KEY
              valueFrom:
                secretKeyRef:
                  key: tls.key
                  name: konnect-client-tls
            volumeMounts:
            - name: cluster-certificate
              mountPath: /var/cluster-certificate
          volumes:
          - name: cluster-certificate
  dataPlaneOptions:
    deployment:
      podTemplateSpec:
        spec:
          containers:
          - name: proxy
            image: kong/kong-gateway:3.8.1.0
            readinessProbe:
              initialDelaySeconds: 1
              periodSeconds: 1
            env:
            - name: KONG_DATABASE
              value: "off"
            - name: KONG_CLUSTER_CONTROL_PLANE
              value: YOUR_CP_ENDPOINT.us.cp0.konghq.com:443
            - name: KONG_CLUSTER_SERVER_NAME
              value: YOUR_CP_ENDPOINT.us.cp0.konghq.com
            - name: KONG_CLUSTER_TELEMETRY_ENDPOINT
              value: YOUR_CP_ENDPOINT.us.tp0.konghq.com:443
            - name: KONG_CLUSTER_TELEMETRY_SERVER_NAME
              value: YOUR_CP_ENDPOINT.us.tp0.konghq.com
            - name: KONG_CLUSTER_MTLS
              value: pki
            # Paths below point into the konnect-client-tls volume mounted further down
            - name: KONG_CLUSTER_CERT
              value: /etc/secrets/konnect-client-tls/tls.crt
            - name: KONG_CLUSTER_CERT_KEY
              value: /etc/secrets/konnect-client-tls/tls.key
            - name: KONG_LUA_SSL_TRUSTED_CERTIFICATE
              value: system
            - name: KONG_KONNECT_MODE
              value: "on"
            - name: KONG_VITALS
              value: "off"
            volumeMounts:
              - name: cluster-certificate
                mountPath: /var/cluster-certificate
              - name: konnect-client-tls
                mountPath: /etc/secrets/konnect-client-tls/
                readOnly: true
          volumes:
            - name: cluster-certificate
            - name: konnect-client-tls
              secret:
                secretName: konnect-client-tls
                # 420 decimal is file mode 0644
                defaultMode: 420' | kubectl apply -f -
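The two placeholder substitutions in the steps above can be scripted so that a malformed value or a leftover placeholder stops the apply. This is an added example, not part of the Kong documentation; the function names, the sample template, the file name in the usage comment and the character checks on the inputs are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the Kong docs): render the GatewayConfiguration
# template and stop if an input is malformed or a placeholder survives.

# The control plane endpoint is the first dot-separated segment of
# cluster_telemetry_endpoint; an optional scheme or port is ignored.
cp_endpoint() {
  host=${1#*://}
  host=${host%%[:/]*}
  seg=${host%%.*}
  case $seg in
    ''|*[!a-z0-9]*) echo "unexpected endpoint: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$seg"
}

# usage: render_manifest CP_ID CLUSTER_TELEMETRY_ENDPOINT < template
render_manifest() {
  cp_id=$1
  # Assumption: IDs contain only letters, digits and hyphens. Rejecting
  # anything else keeps the value from changing the YAML structure.
  case $cp_id in
    ''|*[!A-Za-z0-9-]*) echo "unexpected control plane ID" >&2; return 1 ;;
  esac
  ep=$(cp_endpoint "$2") || return 1
  out=$(sed -e "s/YOUR_CP_ID/$cp_id/g" -e "s/YOUR_CP_ENDPOINT/$ep/g") || return 1
  case $out in
    *YOUR_*) echo "placeholder left in manifest" >&2; return 1 ;;
  esac
  printf '%s\n' "$out"
}

# Constructed sample: two env entries taken from the manifest on this page.
sample_template='- name: CONTROLLER_KONNECT_RUNTIME_GROUP_ID
  value: YOUR_CP_ID
- name: KONG_CLUSTER_CONTROL_PLANE
  value: YOUR_CP_ENDPOINT.us.cp0.konghq.com:443'

# Real use (gatewayconfiguration.yaml is a hypothetical file holding the manifest):
#   render_manifest "$CP_ID" "$TELEMETRY" < gatewayconfiguration.yaml | kubectl apply -f -
```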
Use the following example to customize the log level of Kong Ingress Controller:
echo 'kind: GatewayConfiguration
apiVersion: gateway-operator.konghq.com/v1beta1
metadata:
  name: kong
  namespace: default
spec:
  dataPlaneOptions:
    deployment:
      podTemplateSpec:
        spec:
          containers:
          - name: proxy
            image: kong:3.8.1
            readinessProbe:
              initialDelaySeconds: 1
              periodSeconds: 1
  controlPlaneOptions:
    deployment:
      podTemplateSpec:
        spec:
          containers:
          - name: controller
            image: kong/kubernetes-ingress-controller:3.3.1
            env:
            - name: CONTROLLER_LOG_LEVEL
              value: debug' | kubectl apply -f -
The results should look like this:
gatewayconfiguration.gateway-operator.konghq.com/kong created
GatewayClass
To use the Gateway API resources to configure your routes, you need to create a GatewayClass instance and create a Gateway resource that listens on the ports that you need.
echo '
kind: GatewayClass
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: kong
spec:
  controllerName: konghq.com/gateway-operator
  parametersRef:
    group: gateway-operator.konghq.com
    kind: GatewayConfiguration
    name: kong
    namespace: default
---
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: kong
  namespace: default
spec:
  gatewayClassName: kong
  listeners:
  - name: http
    protocol: HTTP
    port: 80' | kubectl apply -f -
The results should look like this:
gatewayclass.gateway.networking.k8s.io/kong created
gateway.gateway.networking.k8s.io/kong created
You can verify that everything works by checking the Gateway resource via kubectl:
kubectl get gateway kong -o wide
You should see the following output:
NAME   CLASS   ADDRESS        PROGRAMMED   AGE
kong   kong    172.18.0.102   True         9m5s
If the Gateway has Programmed condition set to True then you can visit Konnect and see your configuration being synced by Kong Ingress Controller.