Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
|
search
Kong Ingress Controller
2.6.x
github-edit-pageEdit this page
report-issueReport an issue
You are browsing documentation for an outdated version. See the latest documentation here.

Exposing a TCP Service

Overview

Create TCP routing configuration for Kong Gateway in Kubernetes using either the TCPIngress custom resource or TCPRoute and TLSRoute Gateway APIs resource.

TCP-based Ingress means that Kong Gateway simply forwards the TCP stream to a Pod of a Service that’s running inside Kubernetes. Kong Gateway does not perform any sort of transformations.

There are two modes available:

  • Port based routing: Kong Gateway simply proxies all traffic it receives on a specific port to the Kubernetes Service. TCP connections are load balanced across all the available Pods of the Service.
  • SNI based routing: {site.base_gateway}} accepts a TLS-encrypted stream at the specified port and can route traffic to different services based on the SNI present in the TLS handshake. Kong Gateway also terminates the TLS handshake and forward the TCP stream to the Kubernetes Service.

Before you begin ensure that you have Installed Kong Ingress Controller in your Kubernetes cluster and are able to connect to Kong.

Prerequisites

Install Kong

You can install Kong in your Kubernetes cluster using Helm.

  1. Add the Kong Helm charts:

     helm repo add kong https://charts.konghq.com
 helm repo update

  2. Install Kong Ingress Controller and Kong Gateway with Helm:

     helm install kong kong/ingress -n kong --create-namespace

Test connectivity to Kong

Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:

  1. Populate $PROXY_IP for future commands:

     export PROXY_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" service -n kong kong-gateway-proxy)
    
 echo "Proxy IP: $PROXY_IP"

  2. Ensure that you can call the proxy IP:

     curl -i $PROXY_IP

    The results should look like this:

     HTTP/1.1 404 Not Found
 Content-Type: application/json; charset=utf-8
 Connection: keep-alive
 Content-Length: 48
 X-Kong-Response-Latency: 0
 Server: kong/3.0.0
  
 {"message":"no Route matched with those values"}

    If you are not able to connect to Kong, read the deployment guide.

Expose additional ports

Kong Gateway does not include any TCP listen configuration by default. To expose TCP listens, update the Deployment’s environment variables and port configuration.

  1. Update the Deployment. 
     kubectl patch deploy -n kong kong-gateway --patch '{
   "spec": {
     "template": {
       "spec": {
         "containers": [
           {
             "name": "proxy",
             "env": [
               {
                 "name": "KONG_STREAM_LISTEN",
                 "value": "0.0.0.0:9000, 0.0.0.0:9443 ssl"
               }
             ],
             "ports": [
               {
                 "containerPort": 9000,
                 "name": "stream9000",
                 "protocol": "TCP"
               },
               {
                 "containerPort": 9443,
                 "name": "stream9443",
                 "protocol": "TCP"
               }
             ]
           }
         ]
       }
     }
   }
 }'

    The results should look like this:

     deployment.apps/kong-gateway patched

    The ssl parameter after the 9443 listen instructs Kong Gateway to expect TLS-encrypted TCP traffic on that port. The 9000 listen has no parameters, and expects plain TCP traffic.

  2. Update the proxy Service to indicate the new ports.

    kubectl patch service -n kong kong-gateway-proxy --patch '{
  "spec": {
    "ports": [
      {
        "name": "stream9000",
        "port": 9000,
        "protocol": "TCP",
        "targetPort": 9000
      },
      {
        "name": "stream9443",
        "port": 9443,
        "protocol": "TCP",
        "targetPort": 9443
      }
    ]
  }
}'

    The results should look like this:

    service/kong-gateway-proxy patched

  3. Configure TCPRoute (Gateway API Only)

    If you are using the Gateway APIs (TCPRoute), your Gateway needs additional configuration under listeners.

    kubectl patch --type=json gateway kong -p='[
    {
        "op":"add",
        "path":"/spec/listeners/-",
        "value":{
            "name":"stream9000",
            "port":9000,
            "protocol":"TCP"
        }
    },
    {
        "op":"add",
        "path":"/spec/listeners/-",
        "value":{
            "name":"stream9443",
            "port":9443,
            "protocol":"TLS",
            "hostname":"tls9443.kong.example",
            "tls": {
                "certificateRefs":[{
                    "group":"",
                    "kind":"Secret",
                    "name":"tls9443.kong.example"
                 }]
            }
        }
    }
]'

    The results should look like this:

    gateway.gateway.networking.k8s.io/kong patched

Install TCP echo service

Install an example TCP service:

kubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/echo-service.yaml

The results should look like this:

service/echo created
deployment.apps/echo created

Route based on ports

To expose the service to the outside world, create a TCPIngress resource.

echo "apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: echo-plaintext
  annotations:
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - port: 9000
    backend:
      serviceName: echo
      servicePort: 1025
" | kubectl apply -f -

The results should look like this:

tcpingress.configuration.konghq.com/echo-plaintext created

echo "apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: echo-plaintext
spec:
  parentRefs:
  - name: kong
  rules:
  - backendRefs:
    - name: echo
      port: 1025
" | kubectl apply -f -

v1alpha2 TCPRoutes do not support separate proxy and upstream ports. Traffic is redirected to 1025 upstream via Service configuration.

The results should look like this:

tcproute.gateway.networking.k8s.io/echo-plaintext created

This configuration instructs Kong Gateway to forward all traffic it receives on port 9000 to echo service on port 1025.

Test the configuration

  1. Check if the Service is ready on the route.

    kubectl get tcpingress
    kubectl get tcproute echo-plaintext -ojsonpath='{.status.parents[0].conditions[?(@.reason=="Accepted")]}'

    The results should look like this:

    NAME             ADDRESS        AGE
echo-plaintext   <PROXY_IP>   3m18s

    {"lastTransitionTime":"2022-11-14T19:48:51Z","message":"","observedGeneration":2,"reason":"Accepted","status":"True","type":"Accepted"}

  2. Connect to this service using telnet.

     $ telnet $PROXY_IP 9000

    After you connect, type some text that you want as a response from the echo Service. To exit, press ctrl+] then ctrl+d.

     Trying 35.247.39.83...
 Connected to 35.247.39.83.
 Escape character is '^]'.
 Welcome, you are connected to node gke-harry-k8s-dev-pool-1-e9ebab5e-c4gw.
 Running on Pod echo-844545646c-gvmkd.
 In namespace default.
 With IP address 10.60.1.17.
 This text will be echoed back.
 This text will be echoed back.
 ^]
 telnet> Connection closed.

    The echo Service is now available outside the Kubernetes cluster through Kong Gateway.

Route based on SNI

The routing configuration can include a certificate to present when clients connect over HTTPS. This is not required, as Kong Gateway will serve a default certificate if it cannot find another, but including TLS configuration along with routing configuration is typical.

  1. Create a test certificate for the tls9443.kong.example hostname.

    openssl req -subj '/CN=tls9443.kong.example' -new -newkey rsa:2048 -sha256 \
  -days 365 -nodes -x509 -keyout server.key -out server.crt \
  -addext "subjectAltName = DNS:tls9443.kong.example" \
  -addext "keyUsage = digitalSignature" \
  -addext "extendedKeyUsage = serverAuth" 2> /dev/null;
  openssl x509 -in server.crt -subject -noout
    openssl req -subj '/CN=tls9443.kong.example' -new -newkey rsa:2048 -sha256 \
  -days 365 -nodes -x509 -keyout server.key -out server.crt \
  -extensions EXT -config <( \
   printf "[dn]\nCN=tls9443.kong.example\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:tls9443.kong.example\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") 2>/dev/null;
  openssl x509 -in server.crt -subject -noout

    The results should look like this:

    subject=CN = tls9443.kong.example
    subject=CN = tls9443.kong.example

    Older OpenSSL versions, including the version provided with OS X Monterey, require using the alternative version of this command.

  2. Create a Secret containing the certificate. 
     kubectl create secret tls tls9443.kong.example --cert=./server.crt --key=./server.key

    The results should look like this:

     secret/tls9443.kong.example created

  3. Create the TCPIngress resource to route TLS-encrypted traffic to the echo service.

    echo "apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: echo-tls
  annotations:
    kubernetes.io/ingress.class: kong
spec:
  tls:
  - hosts:
    - tls9443.kong.example
    secretName: tls9443.kong.example
  rules:
  - host: tls9443.kong.example
    port: 9443
    backend:
      serviceName: echo
      servicePort: 1025
" | kubectl apply -f -
    echo "apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: echo-tls
spec:
  parentRefs:
  - name: kong
  hostnames:
  - tls9443.kong.example
  rules:
  - backendRefs:
    - name: echo
      port: 9443
" | kubectl apply -f -

    The results should look like this:

    tcpingress.configuration.konghq.com/echo-tls created
    tcproute.gateway.networking.k8s.io/echo-tls created

Test the configuration

You can now access the echo service on port 9443 with SNI tls9443.kong.example.

In real-world usage, you would create a DNS record for tls9443.kong.examplepointing to your proxy Service’s public IP address, which causes TLS clients to add SNI automatically. For this demo, add it manually using the OpenSSL CLI.

echo "hello" | openssl s_client -connect $PROXY_IP:9443 -servername tls9443.kong.example -quiet 2>/dev/null

Press Ctrl+C to exit.

The results should look like this:

Welcome, you are connected to node kind-control-plane.
Running on Pod echo-5f44d4c6f9-krnhk.
In namespace default.
With IP address 10.244.0.26.
hello