4

I was trying to create an alb-ingress-controller and point to kong-proxy. Since kong controller supports only classic loadbalancer and network loadbalancer

I followed all the mentioned steps from [https://discuss.konghq.com/t/kong-with-aws-application-load-balancer/6568] and created an alb ingress which points to the kong-proxy service.

Suppose i want to create an ingress resource for some application, previously i was creating using the kong ingress for example like this

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  namespace: default
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: foo-service
            port:
              number: 5000

Now since we have an alb infront of the kong proxy, i am creating the ingress like this

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: "certificate arn here"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/target-type: ip 
spec:
  rules:
  - http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: foo-service
            port:
              number: 5000

My doubt is how will this go through the kong gateway? Because it just seems like an another alb ingress resource.

I am new to this, so please enlighten me ,if i made any mistakes here

VINAY KUMAR RT
  • 43
  • 3

1 Answers1

2

Your alb ingress should point to the kong proxy. The request will go through your alb -> kong-proxy -> foo-service.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: "certificate arn here"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/target-type: ip 
spec:
  rules:
  - http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: kong-proxy 
            port:
              number: 80

The above ingress will mean that the ingress controller configures the alb with the following:

  • two listeners: HTTP : 80 and HTTPS : 443
  • HTTP : 80 rules that will forward traffic to the kong-target-group
  • the HTTPS : 443 will have the specified SSL certificate set
  • HTTPS : 443 rules that will forward traffic to the kong-target-group
  • the kong-target-group will use the NodePort of the kong-proxy service and will have your k8s cluster nodes as the registered targets
Cristian Pupazan
  • 36
  • 2
  • Hi Cristian, Thanks for the quick response. I have one doubt what if my ingress resource for the sample application is in different namespace. How will that ingress resource gets access to the kong-proxy service – VINAY KUMAR RT Jun 23 '22 at 10:14
  • 1
    And how will the kong-proxy get to know to point to that foo.service – VINAY KUMAR RT Jun 23 '22 at 10:14
  • 2
    You can configure kong-proxy via the kong-admin API or using an ingress. That is how you tell kong to route the requests to the foo.service. See kong ingress example [here](https://github.com/Kong/kubernetes-ingress-controller/blob/main/examples/ingress.yaml) and the admin API documentation [here](https://docs.konghq.com/gateway/latest/admin-api/) – Cristian Pupazan Jun 23 '22 at 20:20
  • Suppose I want to have two ALBs directing traffic to the same Kong service, should I provision two different Ingresses? Or is it better to provision a unique NLB declaring the Service type as LoadBalancer and then provision the two ALBs via Terraform, and direct them to the NLB? – manuelnucci Sep 07 '22 at 20:16