feat: add service discovery for kong admin service

Kong · Jan 31, 2023 · fe5bd66 · fe5bd66
1 parent 3ce7c14
commit fe5bd66
Show file tree

Hide file tree

Showing 45 changed files with 838 additions and 79 deletions.
diff --git a/Makefile b/Makefile
@@ -463,9 +463,12 @@ _ensure-namespace:
 
 .PHONY: debug
 debug: install _ensure-namespace
-	$(DLV) debug ./internal/cmd/main.go -- \
+	$(DLV) debug \
+		--headless --listen 127.0.0.1:40000 --continue --accept-multiclient \
+		./internal/cmd/main.go -- \
 		--anonymous-reports=false \
 		--kong-admin-url $(KONG_ADMIN_URL) \
+		--kong-admin-svc $(KONG_NAMESPACE)/$(KONG_ADMIN_SERVICE) \
 		--publish-service $(KONG_NAMESPACE)/$(KONG_PROXY_SERVICE) \
 		--publish-service-udp $(KONG_NAMESPACE)/$(KONG_PROXY_UDP_SERVICE) \
 		--kubeconfig $(KUBECONFIG) \
@@ -490,9 +493,10 @@ SKAFFOLD_DEBUG_PROFILE ?= debug
 # This will port-forward 40000 from KIC's debugger to localhost. Connect to that
 # port with debugger/IDE of your choice
 .PHONY: debug.skaffold
-debug.skaffold: skaffold
+debug.skaffold:
 	TAG=$(TAG)-debug REPO_INFO=$(REPO_INFO) COMMIT=$(COMMIT) \
-		CMD=debug SKAFFOLD_PROFILE=$(SKAFFOLD_DEBUG_PROFILE) \
+		CMD=debug \
+		SKAFFOLD_PROFILE=$(SKAFFOLD_DEBUG_PROFILE) \
 		$(MAKE) _skaffold
 
 # This will port-forward 40000 from KIC's debugger to localhost. Connect to that
@@ -504,18 +508,22 @@ debug.skaffold: skaffold
 #   * `tls.crt` and `tls.key` with TLS client cerificate and its key (generated by Konnect).
 .PHONY: debug.skaffold.konnect
 debug.skaffold.konnect: skaffold
-	SKAFFOLD_DEBUG_PROFILE=debug-konnect $(MAKE) debug.skaffold
+	SKAFFOLD_DEBUG_PROFILE=debug-konnect \
+		$(MAKE) debug.skaffold
 
 # This will port-forward 40000 from KIC's debugger to localhost. Connect to that
 # port with debugger/IDE of your choice
 .PHONY: debug.skaffold.sync
-debug.skaffold.sync: skaffold
-	@$(MAKE) debug.skaffold SKAFFOLD_FLAGS="--auto-build --auto-deploy --auto-sync"
+debug.skaffold.sync:
+	$(MAKE) debug.skaffold SKAFFOLD_FLAGS="--auto-build --auto-deploy --auto-sync"
+
+SKAFFOLD_RUN_PROFILE ?= dev
 
 .PHONY: run.skaffold
 run.skaffold:
 	TAG=$(TAG) REPO_INFO=$(REPO_INFO) COMMIT=$(COMMIT) \
-		CMD=dev SKAFFOLD_PROFILE=$(SKAFFOLD_RUN_PROFILE) \
+		CMD=dev \
+		SKAFFOLD_PROFILE=$(SKAFFOLD_RUN_PROFILE) \
 		$(MAKE) _skaffold
 
 .PHONY: _skaffold
@@ -533,7 +541,8 @@ run: install _ensure-namespace
 _run:
 	go run ./internal/cmd/main.go \
 		--anonymous-reports=false \
-		--kong-admin-url $(KONG_ADMIN_URL) \
+		--kong-admin-url $(KONG_NAMESPACE)/$(KONG_ADMIN_URL) \
+		--kong-admin-svc $(KONG_NAMESPACE)/$(KONG_ADMIN_SERVICE) \
 		--publish-service $(KONG_NAMESPACE)/$(KONG_PROXY_SERVICE) \
 		--publish-service-udp $(KONG_NAMESPACE)/$(KONG_PROXY_UDP_SERVICE) \
 		--kubeconfig $(KUBECONFIG) \

diff --git a/config/debug/kustomization.yaml → config/debug/base/kustomization.yaml b/config/debug/kustomization.yaml → config/debug/base/kustomization.yaml
@@ -1,8 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+# namespace: kong
+
 resources:
-- ../base
+- ../../base/
 
 patchesStrategicMerge:
 - manager_debug.yaml
diff --git a/config/debug/manager_debug.yaml → config/debug/base/manager_debug.yaml b/config/debug/manager_debug.yaml → config/debug/base/manager_debug.yaml
diff --git a/config/debug/multi_gw/gateway_admin_service.yaml b/config/debug/multi_gw/gateway_admin_service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kong-admin
+  namespace: kong
+spec:
+  clusterIP: "None"
+  selector:
+    app: proxy-kong
+  ports:
+  - name: admin
+    port: 8444
+    targetPort: 8444
+    protocol: TCP
diff --git a/config/debug/multi_gw/gateway_deployment.yaml b/config/debug/multi_gw/gateway_deployment.yaml
@@ -0,0 +1,102 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: proxy-kong
+  name: proxy-kong
+  namespace: kong
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: proxy-kong
+  template:
+    metadata:
+      annotations:
+        traffic.sidecar.istio.io/includeInboundPorts: ""
+        kuma.io/gateway: enabled
+        kuma.io/service-account-token-volume: kong-serviceaccount-token
+      labels:
+        app: proxy-kong
+    spec:
+      serviceAccountName: kong-serviceaccount
+      automountServiceAccountToken: false
+      volumes:
+      - name: kong-serviceaccount-token
+        secret:
+          secretName: kong-serviceaccount-token
+          items:
+          - key: token
+            path: token
+          - key: ca.crt
+            path: ca.crt
+          - key: namespace
+            path: namespace
+      containers:
+      - name: proxy
+        image: kong-placeholder:placeholder # This is replaced by the config/image.yaml component
+        env:
+          # servers
+        - name: KONG_PROXY_LISTEN
+          value: 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
+        - name: KONG_PORT_MAPS
+          value: "80:8000, 443:8443"
+        - name: KONG_ADMIN_LISTEN
+          value: 0.0.0.0:8444 http2 ssl reuseport backlog=16384
+        - name: KONG_STATUS_LISTEN
+          value: 0.0.0.0:8100
+          # DB
+        - name: KONG_DATABASE
+          value: "off"
+          # runtime tweaks
+        - name: KONG_NGINX_WORKER_PROCESSES
+          value: "2"
+        - name: KONG_KIC
+          value: "on"
+          # logging
+        - name: KONG_ADMIN_ACCESS_LOG
+          value: /dev/stdout
+        - name: KONG_ADMIN_ERROR_LOG
+          value: /dev/stderr
+        # - name: KONG_PROXY_ACCESS_LOG
+        # - value: /dev/stdout
+        - name: KONG_PROXY_ERROR_LOG
+          value: /dev/stderr
+        # router mode in 3.0.0. use `traditional` here for full compatibility.
+        - name: KONG_ROUTER_FLAVOR
+          value: traditional
+        lifecycle:
+          preStop:
+            exec:
+              command: [ "/bin/bash", "-c", "kong quit" ]
+        ports:
+        - name: proxy
+          containerPort: 8000
+          protocol: TCP
+        - name: proxy-ssl
+          containerPort: 8443
+          protocol: TCP
+        - name: metrics
+          containerPort: 8100
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /status
+            port: 8100
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /status
+            port: 8100
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 3
diff --git a/config/debug/multi_gw/gateway_service_patch.yaml b/config/debug/multi_gw/gateway_service_patch.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kong-proxy
+  namespace: kong
+spec:
+  selector:
+    app: proxy-kong
diff --git a/config/debug/multi_gw/kustomization.yaml b/config/debug/multi_gw/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kong
+
+resources:
+- ../base
+- gateway_deployment.yaml
+- gateway_admin_service.yaml
+
+components:
+  - ../../image/oss
+
+patchesStrategicMerge:
+- manager_multi_gateway_patch.yaml
+- gateway_service_patch.yaml
+
+patchesJson6902:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: ingress-kong
+  path: ./remove_proxy_container.yaml
diff --git a/config/debug/multi_gw/manager_multi_gateway_patch.yaml b/config/debug/multi_gw/manager_multi_gateway_patch.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ingress-kong
+  name: ingress-kong
+  namespace: kong
+spec:
+  template:
+    spec:
+      containers:
+      - name: ingress-controller
+        env:
+        - name: CONTROLLER_LOG_LEVEL
+          value: debug
+        - name: CONTROLLER_KONG_ADMIN_SVC
+          value: kong/kong-admin
+        image: kic-placeholder:placeholder
diff --git a/config/debug/multi_gw/remove_proxy_container.yaml b/config/debug/multi_gw/remove_proxy_container.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: "/spec/template/spec/containers/1"
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -177,6 +177,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - extensions
   resources:

diff --git a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml
@@ -1337,6 +1337,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - extensions
   resources:

diff --git a/deploy/single/all-in-one-dbless.yaml b/deploy/single/all-in-one-dbless.yaml
@@ -1337,6 +1337,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - extensions
   resources:

diff --git a/deploy/single/all-in-one-postgres-enterprise.yaml b/deploy/single/all-in-one-postgres-enterprise.yaml
@@ -1337,6 +1337,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - extensions
   resources:

diff --git a/deploy/single/all-in-one-postgres.yaml b/deploy/single/all-in-one-postgres.yaml
@@ -1337,6 +1337,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - extensions
   resources:

diff --git a/examples/gateway-httproute.yaml b/examples/gateway-httproute.yaml
@@ -32,6 +32,8 @@ metadata:
   labels:
     app: httpbin
   name: httpbin
+  annotations:
+    konghq.com/retries: "3"
 spec:
   ports:
   - port: 80
@@ -68,6 +70,8 @@ metadata:
   labels:
     app: nginx
   name: nginx
+  annotations:
+    konghq.com/retries: "3"
 spec:
   ports:
   - port: 8080

diff --git a/internal/adminapi/kong.go b/internal/adminapi/kong.go
@@ -8,8 +8,10 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/kong/go-kong/kong"
+	"github.com/samber/lo"
 )
 
 // NewKongClientForWorkspace returns a Kong API client for a given root API URL and workspace.
@@ -66,7 +68,7 @@ type HTTPClientOpts struct {
 }
 
 // MakeHTTPClient returns an HTTP client with the specified mTLS/headers configuration.
-func MakeHTTPClient(opts *HTTPClientOpts) (*http.Client, error) {
+func MakeHTTPClient(opts *HTTPClientOpts, kongAdminToken string) (*http.Client, error) {
 	var tlsConfig tls.Config
 
 	if opts.TLSSkipVerify {
@@ -103,6 +105,16 @@ func MakeHTTPClient(opts *HTTPClientOpts) (*http.Client, error) {
 		tlsConfig.RootCAs = certPool
 	}
 
+	if kongAdminToken != "" {
+		contains := lo.ContainsBy(opts.Headers, func(header string) bool {
+			return strings.HasPrefix(header, "kong-admin-token:")
+		})
+
+		if !contains {
+			opts.Headers = append(opts.Headers, "kong-admin-token:"+kongAdminToken)
+		}
+	}
+
 	clientCertificates, err := extractClientCertificates(opts.TLSClient)
 	if err != nil {
 		return nil, fmt.Errorf("failed to extract client certificates: %w", err)

diff --git a/internal/adminapi/kong_test.go b/internal/adminapi/kong_test.go
@@ -46,7 +46,7 @@ func TestMakeHTTPClientWithTLSOpts(t *testing.T) {
 		},
 	}
 
-	httpclient, err := MakeHTTPClient(&opts)
+	httpclient, err := MakeHTTPClient(&opts, "")
 	require.NoError(t, err)
 
 	assert.NotNil(t, httpclient)
@@ -99,7 +99,7 @@ func TestMakeHTTPClientWithTLSOptsAndFilePaths(t *testing.T) {
 		},
 	}
 
-	httpclient, err := MakeHTTPClient(&opts)
+	httpclient, err := MakeHTTPClient(&opts, "")
 	require.NoError(t, err)
 
 	assert.NotNil(t, httpclient)