diff --git a/kong/templates/certs.yaml b/kong/templates/certs.yaml
new file mode 100644
index 0000000..0951ce0
--- /dev/null
+++ b/kong/templates/certs.yaml
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: quickstart-kong-selfsigned-issuer-root
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: quickstart-kong-selfsigned-issuer-ca
+spec:
+ commonName: quickstart-kong-selfsigned-issuer-ca
+ duration: 2160h0m0s
+ isCA: true
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: quickstart-kong-selfsigned-issuer-root
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ renewBefore: 360h0m0s
+ secretName: quickstart-kong-selfsigned-issuer-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: quickstart-kong-selfsigned-issuer
+spec:
+ ca:
+ secretName: quickstart-kong-selfsigned-issuer-ca
diff --git a/kong/templates/secrets.yaml b/kong/templates/secrets.yaml
index 6039c00..03fe609 100644
--- a/kong/templates/secrets.yaml
+++ b/kong/templates/secrets.yaml
@@ -45,3 +45,37 @@ spec:
 kubernetes:
 mountPath: "kubernetes"
 role: "external-secrets"
+
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: kong-config-secret
+spec:
+ secretStoreRef:
+ name: vault-kong
+ kind: SecretStore
+ target:
+ name: kong-config-secret
+ data:
+ - secretKey: admin_gui_session_conf
+ remoteRef:
+ key: secrets/kong/config
+ property: admin_gui_session_conf
+ - secretKey: kong_admin_password
+ remoteRef:
+ key: secrets/kong/config
+ property: kong_admin_password
+ - secretKey: password
+ remoteRef:
+ key: secrets/kong/config
+ property: password
+ - secretKey: pg_host
+ remoteRef:
+ key: secrets/kong/config
+ property: pg_host
+ - secretKey: portal_session_conf
+ remoteRef:
+ key: secrets/kong/config
+ property: portal_session_conf
diff --git a/kong/values.yaml b/kong/values.yaml
index 5f3b768..942de08 100644
--- a/kong/values.yaml
+++ b/kong/values.yaml
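Review bot: The three resources in this new template carry fixed names (`quickstart-kong-selfsigned-issuer-root`, `-ca`, `-issuer`) with no `{{ .Release.Name }}` templating, so a second release of the chart in the same namespace would collide on them, and `values.yaml` has to hard-code `issuer: quickstart-kong-selfsigned-issuer` to match. The CA `Certificate` gets `duration: 2160h0m0s` (90 days) with `renewBefore: 360h0m0s`, which is short for a CA and means the `ca.crt` in `quickstart-kong-selfsigned-issuer-ca` that anything pins is replaced every 75 days; consider a longer CA lifetime, or document that dependency where the CA is consumed. A header comment would help the next reader, e.g. `# Bootstrap chain: self-signed root Issuer -> CA Certificate (secret quickstart-kong-selfsigned-issuer-ca) -> CA Issuer referenced by kong.certificates.issuer`. The file also starts without a `---` document marker while the later documents use one.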
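Review bot: The new `ExternalSecret` `kong-config-secret` exposes only the keys `admin_gui_session_conf`, `kong_admin_password`, `password`, `pg_host` and `portal_session_conf`, yet the `values.yaml` hunk in this commit points both `session_conf_secret` and `admin_gui_auth_conf_secret` at this secret; verify that the key the chart reads for the auth conf is among these, since a missing key surfaces as a pod start failure on the `secretKeyRef` rather than as a config error. No `refreshInterval` is set, so a rotation of `kong_admin_password` or `password` in Vault is picked up only on the operator's default schedule; set one explicitly if credential rotation is expected. The five `remoteRef` entries all repeat `key: secrets/kong/config`, which is fine but worth a comment above the resource naming its consumers (`env.password`, `env.pg_host`, `env.portal_session_conf`, `ingressController.env.kong_admin_token`) so the coupling to the values file is visible.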
@@ -1,28 +1,309 @@
 kong:
+ admin:
+ annotations:
+ konghq.com/protocol: https
+ enabled: true
+ http:
+ enabled: false
+ ingress:
+ annotations:
+ konghq.com/https-redirect-status-code: "301"
+ konghq.com/protocols: https
+ konghq.com/strip-path: "true"
+ kubernetes.io/ingress.class: default
+ nginx.ingress.kubernetes.io/app-root: /
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
+ enabled: true
+ hostname: kong.durp.info
+ path: /api
+ tls: quickstart-kong-admin-cert
+ tls:
+ containerPort: 8444
+ enabled: true
+ parameters:
+ - http2
+ servicePort: 8444
+ type: ClusterIP
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - dataplane
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ certificates:
+ enabled: true
+ issuer: quickstart-kong-selfsigned-issuer
+ cluster:
+ enabled: true
+ admin:
+ enabled: true
+ commonName: kong.durp.info
+ portal:
+ enabled: true
+ commonName: developer.durp.info
+ proxy:
+ enabled: true
+ commonName: durp.info
+ dnsNames:
+ - '*.durp.info'
+ cluster:
+ enabled: true
+ labels:
+ konghq.com/service: cluster
+ tls:
+ containerPort: 8005
+ enabled: true
+ servicePort: 8005
+ type: ClusterIP
+ clustertelemetry:
+ enabled: true
+ tls:
+ containerPort: 8006
+ enabled: true
+ servicePort: 8006
+ type: ClusterIP
+ deployment:
+ kong:
+ daemonset: false
+ enabled: true
+ enterprise:
+ enabled: true
+ license_secret: kong-enterprise-license
+ portal:
+ enabled: true
+ rbac:
+ admin_api_auth: basic-auth
+ admin_gui_auth_conf_secret: kong-config-secret
+ enabled: true
+ session_conf_secret: kong-config-secret
+ smtp:
+ enabled: false
+ vitals:
+ enabled: true
+ env:
+ admin_access_log: /dev/stdout
+ admin_api_uri: https://kong.durp.info/api
+ admin_error_log: /dev/stdout
+ admin_gui_access_log: /dev/stdout
+ admin_gui_error_log: /dev/stdout
+ admin_gui_host: kong.durp.info
+ admin_gui_protocol: https
+ admin_gui_url: https://kong.durp.info/
+ cluster_data_plane_purge_delay: 60
+ cluster_listen: 0.0.0.0:8005
+ cluster_telemetry_listen: 0.0.0.0:8006
+ database: postgres
+ log_level: debug
+ lua_package_path: /opt/?.lua;;
+ nginx_worker_processes: "2"
+ password:
+ valueFrom:
+ secretKeyRef:
+ key: kong_admin_password
+ name: kong-config-secret
+ pg_database: kong
+ pg_host:
+ valueFrom:
+ secretKeyRef:
+ key: pg_host
+ name: kong-config-secret
+ pg_ssl: "off"
+ pg_ssl_verify: "off"
+ pg_user: kong
+ plugins: bundled,openid-connect
+ portal: true
+ portal_api_access_log: /dev/stdout
+ portal_api_error_log: /dev/stdout
+ portal_api_url: https://developer.durp.info/api
+ portal_auth: basic-auth
+ portal_cors_origins: '*'
+ portal_gui_access_log: /dev/stdout
+ portal_gui_error_log: /dev/stdout
+ portal_gui_host: developer.durp.info
+ portal_gui_protocol: https
+ portal_gui_url: https://developer.durp.info/
+ portal_session_conf:
+ valueFrom:
+ secretKeyRef:
+ key: portal_session_conf
+ name: kong-config-secret
+ prefix: /kong_prefix/
+ proxy_access_log: /dev/stdout
+ proxy_error_log: /dev/stdout
+ proxy_stream_access_log: /dev/stdout
+ proxy_stream_error_log: /dev/stdout
+ smtp_mock: "on"
+ status_listen: 0.0.0.0:8100
+ trusted_ips: 0.0.0.0/0,::/0
+ vitals: true
+ extraLabels:
+ konghq.com/component: quickstart
 image:
 repository: kong/kong-gateway
 tag: "3.3"
-
- secretVolumes:
- - kong-cluster-cert
-
- admin:
- enabled: false
-
- env:
- role: data_plane
- database: "off"
- cluster_mtls: pki
- cluster_control_plane: a0791ed975.us.cp0.konghq.com:443
- cluster_server_name: a0791ed975.us.cp0.konghq.com
- cluster_telemetry_endpoint: a0791ed975.us.tp0.konghq.com:443
- cluster_telemetry_server_name: a0791ed975.us.tp0.konghq.com
- cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
- cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
- lua_ssl_trusted_certificate: system
- konnect_mode: "on"
- vitals: "off"
-
 ingressController:
- enabled: false
+ enabled: true
+ env:
+ kong_admin_filter_tag: ingress_controller_default
+ kong_admin_tls_skip_verify: true
+ kong_admin_token:
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: kong-config-secret
+ kong_admin_url: https://localhost:8444
+ kong_workspace: default
+ publish_service: kong/quickstart-kong-proxy
+ image:
+ repository: docker.io/kong/kubernetes-ingress-controller
+ tag: "2.10"
+ ingressClass: default
 installCRDs: false
+ manager:
+ annotations:
+ konghq.com/protocol: https
+ enabled: true
+ http:
+ containerPort: 8002
+ enabled: false
+ servicePort: 8002
+ ingress:
+ annotations:
+ konghq.com/https-redirect-status-code: "301"
+ kubernetes.io/ingress.class: default
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ enabled: true
+ hostname: kong.durp.info
+ path: /
+ tls: quickstart-kong-admin-cert
+ tls:
+ containerPort: 8445
+ enabled: true
+ parameters:
+ - http2
+ servicePort: 8445
+ type: ClusterIP
+ migrations:
+ enabled: true
+ postUpgrade: true
+ preUpgrade: true
+ namespace: kong
+ podAnnotations:
+ kuma.io/gateway: enabled
+ portal:
+ annotations:
+ konghq.com/protocol: https
+ enabled: true
+ http:
+ containerPort: 8003
+ enabled: false
+ servicePort: 8003
+ ingress:
+ annotations:
+ konghq.com/https-redirect-status-code: "301"
+ konghq.com/protocols: https
+ konghq.com/strip-path: "false"
+ kubernetes.io/ingress.class: default
+ enabled: true
+ hostname: developer.durp.info
+ path: /
+ tls: quickstart-kong-portal-cert
+ tls:
+ containerPort: 8446
+ enabled: true
+ parameters:
+ - http2
+ servicePort: 8446
+ type: ClusterIP
+ portalapi:
+ annotations:
+ konghq.com/protocol: https
+ enabled: true
+ http:
+ enabled: false
+ ingress:
+ annotations:
+ konghq.com/https-redirect-status-code: "301"
+ konghq.com/protocols: https
+ konghq.com/strip-path: "true"
+ kubernetes.io/ingress.class: default
+ nginx.ingress.kubernetes.io/app-root: /
+ enabled: true
+ hostname: developer.durp.info
+ path: /api
+ tls: quickstart-kong-portal-cert
+ tls:
+ containerPort: 8447
+ enabled: true
+ parameters:
+ - http2
+ servicePort: 8447
+ type: ClusterIP
+ postgresql:
+ enabled: true
+ auth:
+ database: kong
+ username: kong
+ proxy:
+ annotations:
+ prometheus.io/port: "9542"
+ prometheus.io/scrape: "true"
+ enabled: true
+ http:
+ containerPort: 8080
+ enabled: true
+ hostPort: 80
+ ingress:
+ enabled: false
+ labels:
+ enable-metrics: true
+ tls:
+ containerPort: 8443
+ enabled: true
+ hostPort: 443
+ type: LoadBalancer
+ replicaCount: 1
+ secretVolumes: []
+ status:
+ enabled: true
+ http:
+ containerPort: 8100
+ enabled: true
+ tls:
+ containerPort: 8543
+ enabled: false
+
+ #image:
+ # repository: kong/kong-gateway
+ # tag: "3.3"
+
+ #secretVolumes:
+ #- kong-cluster-cert
+
+ #admin:
+ # enabled: false
+
+ #env:
+ # role: data_plane
+ # database: "off"
+ # cluster_mtls: pki
+ # cluster_control_plane: a0791ed975.us.cp0.konghq.com:443
+ # cluster_server_name: a0791ed975.us.cp0.konghq.com
+ # cluster_telemetry_endpoint: a0791ed975.us.tp0.konghq.com:443
+ # cluster_telemetry_server_name: a0791ed975.us.tp0.konghq.com
+ # cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
+ # cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
+ # lua_ssl_trusted_certificate: system
+ # konnect_mode: "on"
+ # vitals: "off"
+
+ #ingressController:
+ # enabled: false
+ # installCRDs: false
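Review bot: `trusted_ips: 0.0.0.0/0,::/0` in the `env` block makes Kong honour `X-Forwarded-*` headers from every client, and because `proxy` is reachable directly via `hostPort: 80`/`443` and `type: LoadBalancer`, any caller can set the client IP and scheme that logging, rate-limiting and IP-based plugins see; narrow it to the load-balancer or ingress ranges, e.g. `trusted_ips: "<LB_CIDR_PLACEHOLDER>"`. `pg_ssl: "off"` with `pg_ssl_verify: "off"` sends the database credentials in the clear to whatever `pg_host` the secret resolves to, so unless Postgres is pod-local both should be `"on"`. `env.password` reads key `kong_admin_password` while `ingressController.env.kong_admin_token` reads key `password` from the same `kong-config-secret`; if these are meant to be the same RBAC credential, point both at one key, otherwise a comment saying which is which would save the next reader a trip to Vault. `proxy.labels.enable-metrics: true` is a YAML boolean but Kubernetes label values must be strings, so quote it as `enable-metrics: "true"` the way the neighbouring annotations already quote `"9542"` and `"true"`. `log_level: debug` on a gateway that fronts `durp.info` will log request detail at volume and is worth dropping to `notice` outside troubleshooting, and the roughly thirty commented-out lines at the end of the hunk mirror exactly what the hunk removes, so they can go since git history keeps them.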