Skip to content

Instantly share code, notes, and snippets.

@ewinds

ewinds/kong-all-in-one-postgres.yaml

Last active December 24, 2019 03:54
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save ewinds/37d9c96266fea5083064637b85a1eeee to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save ewinds/37d9c96266fea5083064637b85a1eeee to your computer and use it in GitHub Desktop.
Download ZIP
Raw
kong-all-in-one-postgres.yaml
apiVersion: v1
kind: Namespace
metadata:
name: kong
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongconsumers.configuration.konghq.com
spec:
additionalPrinterColumns:
- JSONPath: .username
description: Username of a Kong Consumer
name: Username
type: string
- JSONPath: .metadata.creationTimestamp
description: Age
name: Age
type: date
group: configuration.konghq.com
names:
kind: KongConsumer
plural: kongconsumers
shortNames:
- kc
scope: Namespaced
validation:
openAPIV3Schema:
properties:
credentials:
items:
type: string
type: array
custom_id:
type: string
username:
type: string
version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongcredentials.configuration.konghq.com
spec:
additionalPrinterColumns:
- JSONPath: .type
description: Type of credential
name: Credential-type
type: string
- JSONPath: .metadata.creationTimestamp
description: Age
name: Age
type: date
- JSONPath: .consumerRef
description: Owner of the credential
name: Consumer-Ref
type: string
group: configuration.konghq.com
names:
kind: KongCredential
plural: kongcredentials
scope: Namespaced
validation:
openAPIV3Schema:
properties:
consumerRef:
type: string
type:
type: string
required:
- consumerRef
- type
version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongingresses.configuration.konghq.com
spec:
group: configuration.konghq.com
names:
kind: KongIngress
plural: kongingresses
shortNames:
- ki
scope: Namespaced
validation:
openAPIV3Schema:
properties:
proxy:
properties:
connect_timeout:
minimum: 0
type: integer
path:
pattern: ^/.*$
type: string
protocol:
enum:
- http
- https
- grpc
- grpcs
type: string
read_timeout:
minimum: 0
type: integer
retries:
minimum: 0
type: integer
write_timeout:
minimum: 0
type: integer
type: object
route:
properties:
headers:
additionalProperties:
items:
type: string
type: array
type: object
https_redirect_status_code:
type: integer
methods:
items:
type: string
type: array
preserve_host:
type: boolean
protocols:
items:
enum:
- http
- https
- grpc
- grpcs
type: string
type: array
regex_priority:
type: integer
strip_path:
type: boolean
upstream:
properties:
algorithm:
enum:
- round-robin
- consistent-hashing
- least-connections
type: string
hash_fallback:
type: string
hash_fallback_header:
type: string
hash_on:
type: string
hash_on_cookie:
type: string
hash_on_cookie_path:
type: string
hash_on_header:
type: string
healthchecks:
properties:
active:
properties:
concurrency:
minimum: 1
type: integer
healthy:
properties:
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
successes:
minimum: 0
type: integer
type: object
http_path:
pattern: ^/.*$
type: string
timeout:
minimum: 0
type: integer
unhealthy:
properties:
http_failures:
minimum: 0
type: integer
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
tcp_failures:
minimum: 0
type: integer
timeout:
minimum: 0
type: integer
type: object
type: object
passive:
properties:
healthy:
properties:
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
successes:
minimum: 0
type: integer
type: object
unhealthy:
properties:
http_failures:
minimum: 0
type: integer
http_statuses:
items:
type: integer
type: array
interval:
minimum: 0
type: integer
tcp_failures:
minimum: 0
type: integer
timeout:
minimum: 0
type: integer
type: object
type: object
type: object
host_header:
type: string
slots:
minimum: 10
type: integer
type: object
version: v1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: kongplugins.configuration.konghq.com
spec:
additionalPrinterColumns:
- JSONPath: .plugin
description: Name of the plugin
name: Plugin-Type
type: string
- JSONPath: .metadata.creationTimestamp
description: Age
name: Age
type: date
- JSONPath: .disabled
description: Indicates if the plugin is disabled
name: Disabled
priority: 1
type: boolean
- JSONPath: .config
description: Configuration of the plugin
name: Config
priority: 1
type: string
group: configuration.konghq.com
names:
kind: KongPlugin
plural: kongplugins
shortNames:
- kp
scope: Namespaced
validation:
openAPIV3Schema:
properties:
config:
type: object
disabled:
type: boolean
plugin:
type: string
protocols:
items:
enum:
- http
- https
- tcp
- tls
type: string
type: array
run_on:
enum:
- first
- second
- all
type: string
required:
- plugin
version: v1
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kong-serviceaccount
namespace: kong
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kong-ingress-clusterrole
rules:
- apiGroups:
- ""
resources:
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
- kongcredentials
- kongconsumers
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kong-ingress-clusterrole-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kong-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: kong-serviceaccount
namespace: kong
---
apiVersion: batch/v1
kind: Job
metadata:
name: kong-migrations
namespace: kong
spec:
template:
metadata:
name: kong-migrations
spec:
initContainers:
- name: wait-for-postgres
image: busybox
env:
- name: KONG_PG_HOST
value: "postgresql.postgresql.svc.cluster.local"
- name: KONG_PG_PORT
value: "5432"
command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
containers:
- name: kong-migrations
image: kong:1.3
env:
- name: KONG_PG_HOST
value: "postgresql.postgresql.svc.cluster.local"
- name: KONG_PG_PORT
value: "5432"
- name: KONG_PG_DATABASE
value: "kong"
- name: KONG_PG_USER
value: "kong"
- name: KONG_PG_PASSWORD
value: "kong"
command: [ "/bin/sh", "-c", "kong migrations bootstrap" ]
restartPolicy: OnFailure
---
apiVersion: v1
kind: Service
metadata:
name: kong-ingress-proxy
namespace: kong
spec:
type: ClusterIP
ports:
- name: kong-proxy
port: 80
targetPort: 80
protocol: TCP
- name: kong-proxy-ssl
port: 443
targetPort: 443
protocol: TCP
selector:
app: kong-ingres-proxy
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kong-ingress-proxy
namespace: kong
labels:
app: kong-ingress-proxy
spec:
selector:
matchLabels:
name: kong-ingress-proxy
template:
metadata:
labels:
name: kong-ingress-proxy
app: kong-ingress-proxy
spec:
# 共享宿主机网络栈
hostNetwork: true
# 选择节点标签为node-role=kong的节点
nodeSelector:
node-role: kong
# 容忍node-role=kong的污点
tolerations:
- effect: NoSchedule
key: "node-role"
operator: "Equal"
value: "kong"
dnsPolicy: ClusterFirstWithHostNet
initContainers:
# hack to verify that the DB is up to date or not
# TODO remove this for Kong >= 0.15.0
- name: wait-for-migrations
image: kong:1.3
command: [ "/bin/sh", "-c", "kong migrations list" ]
env:
- name: KONG_ADMIN_LISTEN
value: 'off'
- name: KONG_PROXY_LISTEN
value: 'off'
- name: KONG_PROXY_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_ADMIN_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_PROXY_ERROR_LOG
value: "/dev/stderr"
- name: KONG_ADMIN_ERROR_LOG
value: "/dev/stderr"
- name: KONG_PG_HOST
value: "postgresql.postgresql.svc.cluster.local"
- name: KONG_PG_PORT
value: "5432"
- name: KONG_PG_DATABASE
value: "kong"
- name: KONG_PG_USER
value: "kong"
- name: KONG_PG_PASSWORD
value: "kong"
containers:
- name: kong-proxy
image: kong:1.3
env:
- name: KONG_NGINX_DAEMON
value: "off"
- name: KONG_PG_HOST
value: "postgresql.postgresql.svc.cluster.local"
- name: KONG_PG_PORT
value: "5432"
- name: KONG_PG_DATABASE
value: "kong"
- name: KONG_PG_USER
value: "kong"
- name: KONG_PG_PASSWORD
value: "kong"
- name: KONG_PROXY_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_PROXY_ERROR_LOG
value: "/dev/stderr"
- name: KONG_ADMIN_LISTEN
value: 'off'
- name: KONG_PROXY_LISTEN
value: '0.0.0.0:80, 0.0.0.0:443 ssl'
- name: KONG_SSL_CIPHER_SUITE
value: "modern"
# - name: KONG_SSL_CERT
# value: "/opt/tls/tls.crt"
# - name: KONG_SSL_CERT_KEY
# value: "/opt/tls/tls.key"
- name: KONG_CLIENT_MAX_BODY_SIZE
value: "0"
- name: KONG_CLIENT_BODY_BUFFER_SIZE
value: "16k"
- name: KONG_UPSTREAM_KEEPALIVE
value: "60"
- name: KONG_REAL_IP_HEADER
value: "X-Real-IP"
- name: KONG_DB_UPDATE_FREQUENCY
value: "5"
#- name: KONG_MEM_CACHE_SIZE
# value: "128m"
command:
- /usr/local/bin/kong
- start
#securityContext:
# capabilities:
# add:
# - NET_BIND_SERVICE
ports:
- name: proxy
containerPort: 8000
protocol: TCP
- name: proxy-ssl
containerPort: 8443
protocol: TCP
lifecycle:
preStop:
exec:
command: [ "/bin/sh", "-c", "kong quit" ]
volumeMounts:
- name: timezone-volume
mountPath: /etc/localtime
readOnly: true
volumes:
- name: timezone-volume
hostPath:
path: /usr/share/zoneinfo/Asia/Tokyo
---
apiVersion: v1
kind: Service
metadata:
name: kong-ingress-controller
namespace: kong
spec:
type: ClusterIP
ports:
- name: kong-admin
port: 8001
targetPort: 8001
protocol: TCP
selector:
app: ingress-kong
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ingress-kong
name: kong-ingress-controller
namespace: kong
spec:
selector:
matchLabels:
app: ingress-kong
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
annotations:
# the returned metrics are related to the kong ingress controller not kong itself
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
labels:
app: ingress-kong
spec:
serviceAccountName: kong-serviceaccount
initContainers:
- name: wait-for-migrations
image: kong:1.3
command: [ "/bin/sh", "-c", "kong migrations list" ]
env:
- name: KONG_ADMIN_LISTEN
value: 'off'
- name: KONG_PROXY_LISTEN
value: 'off'
- name: KONG_PROXY_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_ADMIN_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_PROXY_ERROR_LOG
value: "/dev/stderr"
- name: KONG_ADMIN_ERROR_LOG
value: "/dev/stderr"
- name: KONG_PG_HOST
value: "postgresql.postgresql.svc.cluster.local"
- name: KONG_PG_PORT
value: "5432"
- name: KONG_PG_DATABASE
value: "kong"
- name: KONG_PG_USER
value: "kong"
- name: KONG_PG_PASSWORD
value: "kong"
containers:
- name: admin-api
image: kong:1.3
env:
- name: KONG_NGINX_DAEMON
value: "off"
- name: KONG_PG_HOST
value: "postgresql.postgresql.svc.cluster.local"
- name: KONG_PG_PORT
value: "5432"
- name: KONG_PG_DATABASE
value: "kong"
- name: KONG_PG_USER
value: "kong"
- name: KONG_PG_PASSWORD
value: "kong"
- name: KONG_ADMIN_ACCESS_LOG
value: "/dev/stdout"
- name: KONG_ADMIN_ERROR_LOG
value: "/dev/stderr"
- name: KONG_ADMIN_LISTEN
value: "0.0.0.0:8001, 0.0.0.0:8444 ssl"
- name: KONG_PROXY_LISTEN
value: 'off'
ports:
- name: kong-admin
containerPort: 8001
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8001
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8001
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
volumeMounts:
- name: timezone-volume
mountPath: /etc/localtime
readOnly: true
- name: ingress-controller
args:
- /kong-ingress-controller
# the kong URL points to the kong admin api server
- --kong-url=https://localhost:8444
- --admin-tls-skip-verify
# Service from were we extract the IP address/es to use in Ingress status
- --publish-service=kong/kong-ingress-proxy
- --sync-period=10m0s
- --v=2
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.6.2
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
volumeMounts:
- name: timezone-volume
mountPath: /etc/localtime
readOnly: true
volumes:
- name: timezone-volume
hostPath:
path: /usr/share/zoneinfo/Asia/Tokyo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment