Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

admin: disabled but manager tries to access services via 8444 #11995

Closed
1 task done
tirelibirefe opened this issue Nov 10, 2023 · 13 comments
Closed
1 task done

admin: disabled but manager tries to access services via 8444 #11995

tirelibirefe opened this issue Nov 10, 2023 · 13 comments
Assignees
@sumimakito
Labels
area/ingress-controller Issues where Kong is running as a Kubernetes Ingress Controller area/kubernetes Issues where Kong is running on top of Kubernetes pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc...

Comments

@tirelibirefe
Copy link

tirelibirefe commented Nov 10, 2023
edited by Leopoldthecoder
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

3.4

Current Behavior

I have EKS 1.27 and trying to install Kong via Helm Chart 2.31.0.
I need to gateway and manager, no need to anything else.
External Postgres enabled.
Manager ingress and proxy ingress is enabled.
SSL offloading ALB level; so "certificates:" are not enabled.

helm upgrade --install kong -n kong . \
  --set env.database="postgres" \
  --set env.pg_host="****" \
  --set env.pg_port="5432" \
  --set env.pg_user="****" \
  --set env.pg_password="****" \
  --set env.pg_database="****" \
  --set env.pg_ssl="on" \
  --set env.pg_ssl_verify="off"

After the installation I see that kong pod is running and migrations had been completed successfully.
Only default page (overciew) can be accessible on Manager UI; the problem is that /services /routes /consumers etc. cannot be accessed.
image

When I inspect the page, I see that Manager is trying to access /services by using 8444.

image

Expected Behavior

My values.yml file is below:

# Default values for Kong's Helm Chart.
# Declare variables to be passed into your templates.
#
# Sections:
# - Deployment parameters
# - Kong parameters
# - Ingress Controller parameters
# - Postgres sub-chart parameters
# - Miscellaneous parameters
# - Kong Enterprise parameters

# -----------------------------------------------------------------------------
# Deployment parameters
# -----------------------------------------------------------------------------

deployment:
  kong:
    # Enable or disable Kong itself
    # Setting this to false with ingressController.enabled=true will create a
    # controller-only release.
    enabled: true
  ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing,
  ## for it to be considered available.
  # minReadySeconds: 60
  ## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations
  serviceAccount:
    create: true
    # Automount the service account token. By default, this is disabled, and the token is only mounted on the controller
    # container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong
    # Lua code, increasing potential attack surface.
    automountServiceAccountToken: false
  ## Optionally specify the name of the service account to create and the annotations to add.
  #  name:
  #  annotations: {}

  ## Optionally specify any extra sidecar containers to be included in the deployment
  ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
  # sidecarContainers:
  #   - name: sidecar
  #     image: sidecar:latest
  # initContainers:
  # - name: initcon
  #   image: initcon:latest
  # hostAliases:
  # - ip: "127.0.0.1"
  #   hostnames:
  #   - "foo.local"
  #   - "bar.local"

  ## Define any volumes and mounts you want present in the Kong proxy container
  # userDefinedVolumes:
  # - name: "volumeName"
  #   emptyDir: {}
  # userDefinedVolumeMounts:
  # - name: "volumeName"
  #   mountPath: "/opt/user/dir/mount"
  test:
    # Enable creation of test resources for use with "helm test"
    enabled: false
  # Use a DaemonSet controller instead of a Deployment controller
  daemonset: false
  hostNetwork: false
  # kong_prefix empty dir size
  prefixDir:
    sizeLimit: 256Mi
  # tmp empty dir size
  tmpDir:
    sizeLimit: 1Gi
# Override namepsace for Kong chart resources. By default, the chart creates resources in the release namespace.
# This may not be desirable when using this chart as a dependency.
# namespace: "example"

# -----------------------------------------------------------------------------
# Kong parameters
# -----------------------------------------------------------------------------

# Specify Kong configuration
# This chart takes all entries defined under `.env` and transforms them into into `KONG_*`
# environment variables for Kong containers.
# Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default
# See https://docs.konghq.com/latest/configuration also for additional details
# Values here take precedence over values from other sections of values.yaml,
# e.g. setting pg_user here will override the value normally set when postgresql.enabled
# is set below. In general, you should not set values here if they are set elsewhere.
env:
  database: "off"
  # the chart uses the traditional router (for Kong 3.x+) because the ingress
  # controller generates traditional routes. if you do not use the controller,
  # you may set this to "traditional_compatible" or "expressions" to use the new
  # DSL-based router
  router_flavor: "expressions"
  nginx_worker_processes: "2"
  proxy_access_log: /dev/stdout
  admin_access_log: /dev/stdout
  admin_gui_access_log: /dev/stdout
  portal_api_access_log: /dev/stdout
  proxy_error_log: /dev/stderr
  admin_error_log: /dev/stderr
  admin_gui_error_log: /dev/stderr
  portal_api_error_log: /dev/stderr
  prefix: /kong_prefix/

# This section is any customer specific environments variables that doesn't require KONG_ prefix.
# These custom environment variables are typicall used in custom plugins or serverless plugins to
# access environment specific credentials or tokens.
# Example as below, uncomment if required and add additional attributes as required.
# Note that these environment variables will only apply to the proxy and init container. The ingress-controller
# container has its own customEnv section.

# customEnv:
#   api_token:
#     valueFrom:
#       secretKeyRef:
#         key: token
#         name: api_key
#   client_name: testClient

# This section can be used to configure some extra labels that will be added to each Kubernetes object generated.
extraLabels: {}

# Specify Kong's Docker image and repository details here
image:
  repository: kong
  tag: "3.4"
  # Kong Enterprise
  # repository: kong/kong-gateway
  # tag: "3.4"

  # Specify a semver version if your image tag is not one (e.g. "nightly")
  effectiveSemver:
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  # pullSecrets:
  #   - myRegistrKeySecretName

# Specify Kong admin API service and listener configuration
admin:
  # Enable creating a Kubernetes service for the admin API
  # Disabling this is recommended for most ingress controller configurations
  # Enterprise users that wish to use Kong Manager with the controller should enable this
  enabled: false
  type: ClusterIP
  loadBalancerClass:
  # To specify annotations or labels for the admin service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels: {}

  http:
    # Enable plaintext HTTP listen for the admin API
    # Disabling this and using a TLS listen only is recommended for most configuration
    enabled: false
    servicePort: 8001
    containerPort: 8001
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32080
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters: []

  tls:
    # Enable HTTPS listen for the admin API
    enabled: true
    servicePort: 8444
    containerPort: 8444
    # Set a target port for the TLS port in the admin API service, useful when using TLS
    # termination on an ELB.
    # overrideServiceTargetPort: 8000
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32443
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters:
    - http2

    # Specify the CA certificate to use for TLS verification of the Admin API client by:
    # - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
    # - caBundle (PEM-encoded certificate string).
    # If both are set, caBundle takes precedence.
    client:
      caBundle: ""
      secretName: ""

  # Kong admin ingress settings. Useful if you want to expose the Admin
  # API of Kong outside the k8s cluster.
  ingress:
    # Enable/disable exposure using ingress.
    enabled: false
    ingressClassName:
    # TLS secret name.
    # tls: kong-admin.example.com-tls
    # Ingress hostname
    hostname:
    # Map of ingress annotations.
    annotations: {}
    # Ingress path.
    path: /
    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific

# Specify Kong status listener configuration
# This listen is internal-only. It cannot be exposed through a service or ingress.
status:
  enabled: true
  http:
    # Enable plaintext HTTP listen for the status listen
    enabled: true
    containerPort: 8100
    parameters: []

  tls:
    # Enable HTTPS listen for the status listen
    # Kong versions prior to 2.1 do not support TLS status listens.
    # This setting must remain false on those versions
    enabled: false
    containerPort: 8543
    parameters: []

# Name the kong hybrid cluster CA certificate secret
clusterCaSecretName: ""

# Specify Kong cluster service and listener configuration
#
# The cluster service *must* use TLS. It does not support the "http" block
# available on other services.
#
# The cluster service cannot be exposed through an Ingress, as it must perform
# TLS client validation directly and is not compatible with TLS-terminating
# proxies. If you need to expose it externally, you must use "type:
# LoadBalancer" and use a TCP-only load balancer (check your Kubernetes
# provider's documentation, as the configuration required for this varies).
cluster:
  enabled: false
  # To specify annotations or labels for the cluster service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels: {}

  tls:
    enabled: false
    servicePort: 8005
    containerPort: 8005
    parameters: []

  type: ClusterIP
  loadBalancerClass:

  # Kong cluster ingress settings. Useful if you want to split CP and DP
  # in different clusters.
  ingress:
    # Enable/disable exposure using ingress.
    enabled: false
    ingressClassName:
    # TLS secret name.
    # tls: kong-cluster.example.com-tls
    # Ingress hostname
    hostname:
    # Map of ingress annotations.
    annotations: {}
    # Ingress path.
    path: /
    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific

# Specify Kong proxy service configuration
proxy:
  # Enable creating a Kubernetes service for the proxy
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  # Override proxy Service name
  nameOverride: ""
  # To specify annotations or labels for the proxy service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  # If terminating TLS at the ELB, the following annotations can be used
  # "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "*",
  # "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "true",
  # "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX",
  # "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "kong-proxy-tls",
  # "service.beta.kubernetes.io/aws-load-balancer-type": "elb"
  labels:
    enable-metrics: "true"

  http:
    # Enable plaintext HTTP listen for the proxy
    enabled: true
    servicePort: 80
    containerPort: 8000
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32080
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters: []

  tls:
    # Enable HTTPS listen for the proxy
    enabled: true
    servicePort: 443
    containerPort: 8443
    # Set a target port for the TLS port in proxy service
    # overrideServiceTargetPort: 8000
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32443
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters:
    - http2

  # Define stream (TCP) listen
  # To enable, remove "[]", uncomment the section below, and select your desired
  # ports and parameters. Listens are dynamically named after their containerPort,
  # e.g. "stream-9000" for the below.
  # Note: although you can select the protocol here, you cannot set UDP if you
  # use a LoadBalancer Service due to limitations in current Kubernetes versions.
  # To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
  # in the next section and place all UDP stream listen configuration under it.
  stream: []
    #   # Set the container (internal) and service (external) ports for this listen.
    #   # These values should normally be the same. If your environment requires they
    #   # differ, note that Kong will match routes based on the containerPort only.
    # - containerPort: 9000
    #   servicePort: 9000
    #   protocol: TCP
    #   # Optionally set a static nodePort if the service type is NodePort
    #   # nodePort: 32080
    #   # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
    #   # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
    #   parameters: []

  # Kong proxy ingress settings.
  # Note: You need this only if you are using another Ingress Controller
  # to expose Kong outside the k8s cluster.
  ingress:
    # Enable/disable exposure using ingress.
    enabled: true
    ingressClassName: nginx
    # To specify annotations or labels for the ingress, add them to the respective
    # "annotations" or "labels" dictionaries below.
    annotations: {}
    labels: {}
    # Ingress hostname
    hostname: newerapi.dev-hub.myawesomecompany.com
    # Ingress path (when used with hostname above).
    path: /
    # Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific
    # Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations
    hosts: []
    # - host: kong-proxy.example.com
    #   paths:
    #   # Ingress path.
    #   - path: /*
    #   # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    #     pathType: ImplementationSpecific
    # - host: kong-proxy-other.example.com
    #   paths:
    #   # Ingress path.
    #   - path: /other
    #   # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    #     pathType: ImplementationSpecific
    #     backend:
    #       service:
    #         name: kong-other-proxy
    #         port:
    #           number: 80
    #
    # TLS secret(s)
    # tls: kong-proxy.example.com-tls
    # Or if multiple hosts/secrets needs to be configured:
    # tls:
    # - secretName: kong-proxy.example.com-tls
    #   hosts:
    #   - kong-proxy.example.com
    # - secretName: kong-proxy-other.example.com-tls
    #   hosts:
    #   - kong-proxy-other.example.com

  # Optionally specify a static load balancer IP.
  # loadBalancerIP:

# Specify Kong UDP proxy service configuration
# Currently, LoadBalancer type Services are generally limited to a single transport protocol
# Multi-protocol Services are an alpha feature as of Kubernetes 1.20:
# https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types
# You should enable this Service if you proxy UDP traffic, and configure UDP stream listens under it
udpProxy:
  # Enable creating a Kubernetes service for UDP proxying
  enabled: false
  type: ClusterIP
  loadBalancerClass:
  # To specify annotations or labels for the proxy service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels: {}
  # Optionally specify a static load balancer IP.
  # loadBalancerIP:

  # Define stream (UDP) listen
  # To enable, remove "[]", uncomment the section below, and select your desired
  # ports and parameters. Listens are dynamically named after their servicePort,
  # e.g. "stream-9000" for the below.
  stream: []
    #   # Set the container (internal) and service (external) ports for this listen.
    #   # These values should normally be the same. If your environment requires they
    #   # differ, note that Kong will match routes based on the containerPort only.
    # - containerPort: 9000
    #   servicePort: 9000
    #   protocol: UDP
    #   # Optionally set a static nodePort if the service type is NodePort
    #   # nodePort: 32080
    #   # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
    #   # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
    #   parameters: []

# Custom Kong plugins can be loaded into Kong by mounting the plugin code
# into the file-system of Kong container.
# The plugin code should be present in ConfigMap or Secret inside the same
# namespace as Kong is being installed.
# The `name` property refers to the name of the ConfigMap or Secret
# itself, while the pluginName refers to the name of the plugin as it appears
# in Kong.
# Subdirectories (which are optional) require separate ConfigMaps/Secrets.
# "path" indicates their directory under the main plugin directory: the example
# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
plugins: {}
  # configMaps:
  # - pluginName: rewriter
  #   name: kong-plugin-rewriter
  #   subdirectories:
  #   - name: kong-plugin-rewriter-migrations
  #     path: migrations
  # secrets:
  # - pluginName: rewriter
  #   name: kong-plugin-rewriter
# Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/
# This can be used to override default SSL certificates.
# Be aware that the secret name will be used verbatim, and that certain types
# of punctuation (e.g. `.`) can cause issues.
# Example configuration
# secretVolumes:
# - kong-proxy-tls
# - kong-admin-tls
secretVolumes: []

# Enable/disable migration jobs, and set annotations for them
migrations:
  # Enable pre-upgrade migrations (run "kong migrations up")
  preUpgrade: true
  # Enable post-upgrade migrations (run "kong migrations finish")
  postUpgrade: true
  # Annotations to apply to migrations job pods
  # By default, these disable service mesh sidecar injection for Istio and Kuma,
  # as the sidecar containers do not terminate and prevent the jobs from completing
  annotations:
    sidecar.istio.io/inject: false
  # Additional annotations to apply to migration jobs
  # This is helpful in certain non-Helm installation situations such as GitOps
  # where additional control is required around this job creation.
  jobAnnotations: {}
  # Optionally set a backoffLimit. If none is set, Jobs will use the cluster default
  backoffLimit:
  resources: {}
  # Example reasonable setting for "resources":
  # resources:
  #   limits:
  #     cpu: 100m
  #     memory: 256Mi
  #   requests:
  #     cpu: 50m
  #     memory: 128Mi
  ## Optionally specify any extra sidecar containers to be included in the deployment
  ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
  ## Keep in mind these containers should be terminated along with the main
  ## migration containers
  # sidecarContainers:
  #   - name: sidecar
  #     image: sidecar:latest

# Kong's configuration for DB-less mode
# Note: Use this section only if you are deploying Kong in DB-less mode
# and not as an Ingress Controller.
dblessConfig:
  # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
  configMap: ""
  # Or Kong's configuration is managed from an existing Secret (with Key: kong.yml)
  secret: ""
  # Or the configuration is passed in full-text below
  config: |
  # # _format_version: "1.1"
  # # services:
  # #   # Example configuration
  # #   # - name: example.com
  # #   #   url: http://example.com
  # #   #   routes:
  # #   #   - name: example
  # #   #     paths:
  # #   #     - "/example"
  ## Optionally specify any extra sidecar containers to be included in the
  ## migration jobs
  ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
  # sidecarContainers:
  #   - name: sidecar
  #     image: sidecar:latest

# -----------------------------------------------------------------------------
# Ingress Controller parameters
# -----------------------------------------------------------------------------

# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
# created in k8s. It uses CRDs for more fine grained control over routing and
# for Kong specific configuration.
ingressController:
  enabled: false
  image:
    repository: kong/kubernetes-ingress-controller
    tag: "3.0"
    # Optionally set a semantic version for version-gated features. This can normally
    # be left unset. You only need to set this if your tag is not a semver string,
    # such as when you are using a "next" tag. Set this to the effective semantic
    # version of your tag: for example if using a "next" image for an unreleased 3.1.0
    # version, set this to "3.1.0".
    effectiveSemver:
  args: []

  gatewayDiscovery:
    enabled: false
    generateAdminApiService: false
    adminApiService:
      namespace: ""
      name: ""

  # Specify individual namespaces to watch for ingress configuration. By default,
  # when no namespaces are set, the controller watches all namespaces and uses a
  # ClusterRole to grant access to Kubernetes resources. When you list specific
  # namespaces, the controller will watch those namespaces only and will create
  # namespaced-scoped Roles for each of them. The controller will still use a
  # ClusterRole for cluster-scoped resources.
  # Requires controller 2.0.0 or newer.
  watchNamespaces: []

  # Specify Kong Ingress Controller configuration via environment variables
  env:
    # The controller disables TLS verification by default because Kong
    # generates self-signed certificates by default. Set this to false once you
    # have installed CA-signed certificates.
    kong_admin_tls_skip_verify: true
    # If using Kong Enterprise with RBAC enabled, uncomment the section below
    # and specify the secret/key containing your admin token.
    # kong_admin_token:
    #   valueFrom:
    #     secretKeyRef:
    #        name: CHANGEME-admin-token-secret
    #        key: CHANGEME-admin-token-key

  # This section is any customer specific environments variables that doesn't require CONTROLLER_ prefix.
  # Example as below, uncomment if required and add additional attributes as required.
  # customEnv:
  #   TZ: "Europe/Berlin"

  admissionWebhook:
    enabled: true
    failurePolicy: Ignore
    port: 8080
    certificate:
      provided: false
    namespaceSelector: {}
    # Specifiy the secretName when the certificate is provided via a TLS secret
    # secretName: ""
    # Specifiy the CA bundle of the provided certificate.
    # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
    # caBundle:
    #   | Add the CA bundle content here.
    service:
      # Specify custom labels for the validation webhook service.
      labels: {}
    # Tune the default Kubernetes timeoutSeconds of 10 seconds
    # timeoutSeconds: 10

  ingressClass: kong
  # annotations for IngressClass resource (Kubernetes 1.18+)
  ingressClassAnnotations: {}

  ## Define any volumes and mounts you want present in the ingress controller container
  ## Volumes are defined above in deployment.userDefinedVolumes
  # userDefinedVolumeMounts:
  # - name: "volumeName"
  #   mountPath: "/opt/user/dir/mount"

  rbac:
    # Specifies whether RBAC resources should be created
    create: true

  # general properties
  livenessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  readinessProbe:
    httpGet:
      path: "/readyz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  resources: {}
  # Example reasonable setting for "resources":
  # resources:
  #   limits:
  #     cpu: 100m
  #     memory: 256Mi
  #   requests:
  #     cpu: 50m
  #     memory: 128Mi

  konnect:
    enabled: false

    # Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
    runtimeGroupID: ""

    # Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
    # By default, this is set to US region's production API hostname.
    # If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
    apiHostname: "us.kic.api.konghq.com"

    # Specifies a secret that contains a client TLS certificate that the controller
    # will use to authenticate against Konnect APIs.
    tlsClientCertSecretName: "konnect-client-tls"

    license:
      # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
      enabled: false

  adminApi:
    tls:
      client:
        # Enable TLS client authentication for the Admin API.
        enabled: false

        # If set to false, Helm will generate certificates for you.
        # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
        certProvided: false

        # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
        # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
        # a specific secret name).
        secretName: ""

        # CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
        # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
        # a specific secret name).
        caSecretName: ""


# -----------------------------------------------------------------------------
# Postgres sub-chart parameters
# -----------------------------------------------------------------------------

# Kong can run without a database or use either Postgres or Cassandra
# as a backend datatstore for it's configuration.
# By default, this chart installs Kong without a database.

# If you would like to use a database, there are two options:
# - (recommended) Deploy and maintain a database and pass the connection
#   details to Kong via the `env` section.
# - You can use the below `postgresql` sub-chart to deploy a database
#   along-with Kong as part of a single Helm release. Running a database
#   independently is recommended for production, but the built-in Postgres is
#   useful for quickly creating test instances.

# PostgreSQL chart documentation:
# https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
#
# WARNING: by default, the Postgres chart generates a random password each
# time it upgrades, which breaks access to existing volumes. You should set a
# password explicitly:
# https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#kong-fails-to-start-after-helm-upgrade-when-postgres-is-used-what-do-i-do

postgresql:
  enabled: false
  auth:
    username: kong
    database: kong
  image:
    # use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released
    # enterprise (kong-gateway) supports postgres 14
    tag: 13.11.0-debian-11-r20
  service:
    ports:
      postgresql: "5432"

# -----------------------------------------------------------------------------
# Configure cert-manager integration
# -----------------------------------------------------------------------------

certificates:
  enabled: false

  # Set either `issuer` or `clusterIssuer` to the name of the desired cert manager issuer
  # If left blank a built in self-signed issuer will be created and utilized
  issuer: ""
  clusterIssuer: ""

  # Set proxy.enabled to true to issue default kong-proxy certificate with cert-manager
  proxy:
    enabled: true
    # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
    # self-signed issuer.
    issuer: ""
    clusterIssuer: ""
    # Use commonName and dnsNames to set the common name and dns alt names which this
    # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
    commonName: "app.example"
    # Remove the "[]" and uncomment/change the examples to add SANs
    dnsNames: []
    # - "app.example"
    # - "*.apps.example"
    # - "*.kong.example"

  # Set admin.enabled true to issue kong admin api and manager certificate with cert-manager
  admin:
    enabled: true
    # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
    # self-signed issuer.
    issuer: ""
    clusterIssuer: ""
    # Use commonName and dnsNames to set the common name and dns alt names which this
    # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
    commonName: "kong.example"
    # Remove the "[]" and uncomment/change the examples to add SANs
    dnsNames: []
    # - "manager.kong.example"

  # Set portal.enabled to true to issue a developer portal certificate with cert-manager
  portal:
    enabled: true
    # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
    # self-signed issuer.
    issuer: ""
    clusterIssuer: ""
    # Use commonName and dnsNames to set the common name and dns alt names which this
    # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
    commonName: "developer.example"
    # Remove the "{}" and uncomment/change the examples to add SANs
    dnsNames: []
    # - "manager.kong.example"

  # Set cluster.enabled true to issue kong hybrid mtls certificate with cert-manager
  cluster:
    enabled: true
    # Issuers used by the control and data plane releases must match for this certificate.
    issuer: ""
    clusterIssuer: ""
    commonName: "kong_clustering"
    dnsNames: []

# -----------------------------------------------------------------------------
# Miscellaneous parameters
# -----------------------------------------------------------------------------

waitImage:
  # Wait for the database to come online before starting Kong or running migrations
  # If Kong is to access the database through a service mesh that injects a sidecar to
  # Kong's container, this must be disabled. Otherwise there'll be a deadlock:
  # InitContainer waiting for DB access that requires the sidecar, and the sidecar
  # waiting for InitContainers to finish.
  enabled: true
  # Optionally specify an image that provides bash for pre-migration database
  # checks. If none is specified, the chart uses the Kong image. The official
  # Kong images provide bash
  # repository: bash
  # tag: 5
  pullPolicy: IfNotPresent

# update strategy
updateStrategy: {}
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: "100%"
  #   maxUnavailable: "0%"

# If you want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
resources: {}
  # limits:
  #  cpu: 1
  #  memory: 2G
  # requests:
  #  cpu: 1
  #  memory: 2G

# readinessProbe for Kong pods
readinessProbe:
  httpGet:
    path: "/status/ready"
    port: status
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3

# livenessProbe for Kong pods
livenessProbe:
  httpGet:
    path: "/status"
    port: status
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3

# startupProbe for Kong pods
# startupProbe:
#   httpGet:
#     path: "/status"
#     port: status
#     scheme: HTTP
#   initialDelaySeconds: 5
#   timeoutSeconds: 5
#   periodSeconds: 2
#   successThreshold: 1
#   failureThreshold: 40

# Proxy container lifecycle hooks
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
lifecycle:
  preStop:
    exec:
      # kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds.
      # Note: together they should be less than the terminationGracePeriodSeconds setting below.
      command:
        - kong
        - quit
        - '--wait=15'

# Sets the termination grace period for pods spawned by the Kubernetes Deployment.
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
terminationGracePeriodSeconds: 30

# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}

# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19)
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# topologySpreadConstraints: []

# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []

# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}

# Annotation to be added to Kong pods
podAnnotations:
  kuma.io/gateway: enabled
  traffic.sidecar.istio.io/includeInboundPorts: ""

# Labels to be added to Kong pods
podLabels: {}

# Kong pod count.
# It has no effect when autoscaling.enabled is set to true
replicaCount: 1

# Annotations to be added to Kong deployment
deploymentAnnotations: {}

# Enable autoscaling using HorizontalPodAutoscaler
# When configuring an HPA, you must set resource requests on all containers via
# "resources" and, if using the controller, "ingressController.resources" in values.yaml
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 5
  behavior: {}
  ## targetCPUUtilizationPercentage only used if the cluster doesn't support autoscaling/v2 or autoscaling/v2beta
  targetCPUUtilizationPercentage:
  ## Otherwise for clusters that do support autoscaling/v2 or autoscaling/v2beta, use metrics
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80

# Kong Pod Disruption Budget
podDisruptionBudget:
  enabled: false
  # Uncomment only one of the following when enabled is set to true
  # maxUnavailable: "50%"
  # minAvailable: "50%"

podSecurityPolicy:
  enabled: false
  labels: {}
  annotations: {}
  spec:
    privileged: false
    fsGroup:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    runAsGroup:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
      - 'configMap'
      - 'secret'
      - 'emptyDir'
      - 'projected'
    allowPrivilegeEscalation: false
    hostNetwork: false
    hostIPC: false
    hostPID: false
    # Make the root filesystem read-only. This is not compatible with Kong Enterprise <1.5.
    # If you use Kong Enterprise <1.5, this must be set to false.
    readOnlyRootFilesystem: true


priorityClassName: ""

# securityContext for Kong pods.
securityContext: {}

# securityContext for containers.
containerSecurityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsUser: 1000
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
    - ALL

## Optional DNS configuration for Kong pods
# dnsPolicy: ClusterFirst
# dnsConfig:
#   nameservers:
#   - "10.100.0.10"
#   options:
#   - name: ndots
#     value: "5"
#   searches:
#   - default.svc.cluster.local
#   - svc.cluster.local
#   - cluster.local
#   - us-east-1.compute.internal

serviceMonitor:
  # Specifies whether ServiceMonitor for Prometheus operator should be created
  # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
  # https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
  enabled: false
  # interval: 10s
  # Specifies namespace, where ServiceMonitor should be installed
  # namespace: monitoring
  # labels:
  #   foo: bar
  # targetLabels:
  #   - foo

  # honorLabels: false
  # metricRelabelings: []

# -----------------------------------------------------------------------------
# Kong Enterprise parameters
# -----------------------------------------------------------------------------

# Toggle Kong Enterprise features on or off
# RBAC and SMTP configuration have additional options that must all be set together
# Other settings should be added to the "env" settings below
enterprise:
  enabled: false
  # Kong Enterprise license secret name
  # This secret must contain a single 'license' key, containing your base64-encoded license data
  # The license secret is required to unlock all Enterprise features. If you omit it,
  # Kong will run in free mode, with some Enterprise features disabled.
  # license_secret: kong-enterprise-license
  vitals:
    enabled: true
  portal:
    enabled: false
  rbac:
    enabled: false
    admin_gui_auth: basic-auth
    # If RBAC is enabled, this Secret must contain an admin_gui_session_conf key
    # The key value must be a secret configuration, following the example at
    # https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions
    session_conf_secret: kong-session-config
    # If admin_gui_auth is not set to basic-auth, provide a secret name which
    # has an admin_gui_auth_conf key containing the plugin config JSON
    admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
  # For configuring emails and SMTP, please read through:
  # https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp
  # https://docs.konghq.com/enterprise/latest/kong-manager/networking/email
  smtp:
    enabled: false
    portal_emails_from: none@example.com
    portal_emails_reply_to: none@example.com
    admin_emails_from: none@example.com
    admin_emails_reply_to: none@example.com
    smtp_admin_emails: none@example.com
    smtp_host: smtp.example.com
    smtp_port: 587
    smtp_auth_type: ''
    smtp_ssl: nil
    smtp_starttls: true
    auth:
      # If your SMTP server does not require authentication, this section can
      # be left as-is. If smtp_username is set to anything other than an empty
      # string, you must create a Secret with an smtp_password key containing
      # your SMTP password and specify its name here.
      smtp_username: ''  # e.g. postmaster@example.com
      smtp_password_secret: CHANGEME-smtp-password

manager:
  # Enable creating a Kubernetes service for Kong Manager
  enabled: true
  type: ClusterIP
  loadBalancerClass: 
  # To specify annotations or labels for the Manager service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels: {}

  http:
    # Enable plaintext HTTP listen for Kong Manager
    enabled: true
    servicePort: 8002
    containerPort: 8002
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32080
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters: []

  tls:
    # Enable HTTPS listen for Kong Manager
    enabled: true
    servicePort: 8445
    containerPort: 8445
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32443
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters:
    - http2

  ingress:
    # Enable/disable exposure using ingress.
    enabled: true
    ingressClassName: nginx
    # TLS secret name.
    # tls: kong-manager.example.com-tls
    # Ingress hostname
    hostname: kong.dev-hub.myawesomecompany.com
    # Map of ingress annotations.
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Ingress path.
    path: /
    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific

portal:
  # Enable creating a Kubernetes service for the Developer Portal
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  # To specify annotations or labels for the Portal service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels: {}

  http:
    # Enable plaintext HTTP listen for the Developer Portal
    enabled: true
    servicePort: 8003
    containerPort: 8003
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32080
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters: []

  tls:
    # Enable HTTPS listen for the Developer Portal
    enabled: true
    servicePort: 8446
    containerPort: 8446
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32443
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters:
    - http2

  ingress:
    # Enable/disable exposure using ingress.
    enabled: true
    ingressClassName: nginx
    # TLS secret name.
    # tls: kong-portal.example.com-tls
    # Ingress hostname
    hostname: kongportal.dev-hub.myawesomecompany.com
    # Map of ingress annotations.
    annotations: {}
    # Ingress path.
    path: /
    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific

portalapi:
  # Enable creating a Kubernetes service for the Developer Portal API
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  # To specify annotations or labels for the Portal API service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels: {}

  http:
    # Enable plaintext HTTP listen for the Developer Portal API
    enabled: true
    servicePort: 8004
    containerPort: 8004
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32080
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters: []

  tls:
    # Enable HTTPS listen for the Developer Portal API
    enabled: true
    servicePort: 8447
    containerPort: 8447
    # Set a nodePort which is available if service type is NodePort
    # nodePort: 32443
    # Additional listen parameters, e.g. "reuseport", "backlog=16384"
    parameters:
    - http2

  ingress:
    # Enable/disable exposure using ingress.
    enabled: false
    ingressClassName:
    # TLS secret name.
    # tls: kong-portalapi.example.com-tls
    # Ingress hostname
    hostname:
    # Map of ingress annotations.
    annotations: {}
    # Ingress path.
    path: /
    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific

clustertelemetry:
  enabled: false
  # To specify annotations or labels for the cluster telemetry service, add them to the respective
  # "annotations" or "labels" dictionaries below.
  annotations: {}
  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels: {}

  tls:
    enabled: false
    servicePort: 8006
    containerPort: 8006
    parameters: []

  type: ClusterIP
  loadBalancerClass:

  # Kong clustertelemetry ingress settings. Useful if you want to split
  # CP and DP in different clusters.
  ingress:
    # Enable/disable exposure using ingress.
    enabled: false
    ingressClassName:
    # TLS secret name.
    # tls: kong-clustertelemetry.example.com-tls
    # Ingress hostname
    hostname:
    # Map of ingress annotations.
    annotations: {}
    # Ingress path.
    path: /
    # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific

extraConfigMaps: []
# extraConfigMaps:
# - name: my-config-map
#   mountPath: /mount/to/my/location
#   subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap

extraSecrets: []
# extraSecrets:
# - name: my-secret
#   mountPath: /mount/to/my/location
#   subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap

extraObjects: []
# extraObjects:
# - apiVersion: configuration.konghq.com/v1
#   kind: KongClusterPlugin
#   metadata:
#     name: prometheus
#   config:
#     per_consumer: false
#   plugin: prometheus

Steps To Reproduce

No response

Anything else?

Could you please advise me where does 8444 come from although admin api is disabled? Why does manager try to access /services by using 8444?

...any help will be very appreciated.

Thakns & Regards
@jschmid1 jschmid1 added area/kubernetes Issues where Kong is running on top of Kubernetes area/ingress-controller Issues where Kong is running as a Kubernetes Ingress Controller labels Nov 12, 2023
@sumimakito
Copy link
Member

Hello @tirelibirefe, thanks for reporting this. Kong Manager relies on the Admin API to work, and :8444 is the default TLS port for the Admin API. You can enable the Admin API via the following change:

admin:
-  enabled: false
+  enabled: true

@guanlan guanlan added the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label Nov 13, 2023
@tirelibirefe
Copy link
Author

Hello @sumimakito
Thanks for the feedback.
The problem is not the existence of admin-api; the problem is that Kong-Manager Ingress is trying to access backend 8444.

The relevant ingress something like below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: kong
    meta.helm.sh/release-namespace: kong
  generation: 1
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kong
    app.kubernetes.io/version: "3.4"
    helm.sh/chart: kong-2.31.0
  name: kong-kong-manager
  namespace: kong
spec:
  ingressClassName: nginx
  rules:
  - host: kong.myawesomedomain.com
    http:
      paths:
      - backend:
          service:
            name: kong-kong-manager
            port:
              number: 8002
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer:
    ingress:
    - ip: 172.54.54.54

Browser redirects https://kong.myawesomedomain.com requests to https://kong.myawesomedomain.com:8444 for an element. Even admin-api is installed at backend, it cannot be accessed as https://kong.myawesomedomain.com:8444. (I tried).

Thanks & Regards

@tirelibirefe
Copy link
Author

tirelibirefe commented Nov 13, 2023
edited
Loading

here...
I enabled admin.

k get svc -n kong
NAME                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
kong-kong-admin     ClusterIP   172.11.79.39    <none>        8001/TCP,8444/TCP   55m
kong-kong-manager   ClusterIP   172.11.38.71    <none>        8002/TCP            55m
kong-kong-proxy     ClusterIP   172.11.170.80   <none>        80/TCP,443/TCP      55m

..same result normally. Port 8444 is not open publicly.

This was referenced Nov 13, 2023
Closed
Closed
@sumimakito
Copy link
Member

@tirelibirefe Could you provide the values.yml that you are currently using so that I can try to reproduce your issue?

Browser redirects https://kong.myawesomedomain.com requests to https://kong.myawesomedomain.com:8444 for an element.

Do you mean that accessing https://kong.myawesomedomain.com (is this URL intended for Kong Manager?) in the browser directly brings you to https://kong.myawesomedomain.com:8444?

Even admin-api is installed at backend, it cannot be accessed as https://kong.myawesomedomain.com:8444. (I tried).

From the ingress you shared, it seems that you are hosting Kong Manager (front-end) on kong.myawesomedomain.com:80 (HTTP). Do you have a similar ingress for kong-kong-admin?

By the way, could you also verify that the kong-kong-admin is up and accessible via kubectl -n kong port-forward service/kong-kong-admin 8444:8444 or something else?

@tirelibirefe
Copy link
Author

Hello @sumimakito

My values.yaml file is above.

https://kong.myawesomedomain.com (I mean something like that) is my domain, browser doesn't redirect the all URL, just the "/select" element/query/piece(or whatever its name) redirects to https://kong.myawesomedomain.com:8444/services?sort_desc=1&size=30

image

From the ingress I shared, yes I host Kong Manager (front-end) on kong.myawesomedomain.com:80 (HTTP).
I tried, enabling or not-enabling kong-kong-admin doesn't change anything. Because when I enable it, Its ingress is exposed only port 443 naturally, not port 8444.

I do not use port-forward, I use ClusterIP&Ingress. If admin-api is enabled, It can be accessed from a pod which is inside of Kubernetes by using its service endpoint.

It looks like the problem is in Kong Manager itself. Browser redirects /services to /:8444/services?sort_desc=1&size=30 . It doesn't work even if admin-api is installed at backend. Because 8444 is not an enabled port on kong manager ingress.

Thanks & Regards

@tirelibirefe
Copy link
Author

image

@sumimakito
Copy link
Member

sumimakito commented Nov 15, 2023
edited
Loading

Hello @tirelibirefe - Thank you for providing these details.

I noticed that the admin.ingress.hostname is empty in the YAML you provided. For example, if your Admin API is accessible from https://admin-api.yourdomain.com:8444, you can update your values by:

# ...
admin:
  # ...
  ingress:
    enabled: true
    hostname: admin-api.yourdomain.com
    path: /
    # ...
# ...

And here's why…

First, Kong Manager will request for https://kong-manager.yourdomain.com/kconfig.js and use the ADMIN_API_URL inside as the base URL for subsequent Admin API requests. If admin.ingress.hostname is left empty, ADMIN_API_URL in the kconfig.js will also be empty.

In your scenario, Kong Manager will try to send Admin API requests using the current hostname kong-manager.yourdomain.com (because ADMIN_API_URL is empty) and ADMIN_API_PORT: 8444–which is https://kong-manager.yourdomain.com:8444 (it should be https://admin-api.yourdomain.com:8444 or something else).

@tirelibirefe
Copy link
Author

Thanks for advises dear @sumimakito
Optionally I didn't enabled enabled admin-api ingress, because I didn't want to expose its port outside of Kubernetes.
After your message I enabled admin-api ingress.
Things changed a bit.
image
and
image

@tirelibirefe
Copy link
Author

tirelibirefe commented Nov 15, 2023
edited
Loading

(pls ignore my previous message above)
well...
1)
I enabled tls and http for both manager and admin. Also I enabled "certificates" and set cert-manager integration.
2)
I added following annotation to both admin and manager ingress configs:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

I added 2 example services to Kong by using admin api cli.

...the problem is that:
image

if I try to access http://myawesomedomain.com/services?sort_desc=1&size=30 by using browser, browser redirects http to https and traffic is transferred properly.

image

Also, when I send curl request to admin api via httpS, it works too.

curl https://kongadminapi.myawesomedomain.com/ |jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14165  100 14165    0     0  35012      0 --:--:-- --:--:-- --:--:-- 35236
{
  "pids": {
    "master": 1,
    "workers": [
      1262,
      1263
    ]
  },
  "plugins": {
    "available_on_server": {
      "azure-functions": {
...
...

and

curl http://kongadminapi.myawesomedomain.com/services
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
</body>
</html>

It looks like we are very close to the solution.

I use nginx ingress controller and AWS ALB .

How can I force "manager" redirect to HTTPS instead of HTTP ?

...and here my udpated values.yaml file below:

deployment:
  kong:
    enabled: true
  serviceAccount:
    create: true
    automountServiceAccountToken: false
  test:
    enabled: false
  daemonset: false
  hostNetwork: false
  prefixDir:
    sizeLimit: 256Mi
  tmpDir:
    sizeLimit: 1Gi
env:
  database: "off"
  router_flavor: "expressions"
  nginx_worker_processes: "2"
  proxy_access_log: /dev/stdout
  admin_access_log: /dev/stdout
  admin_gui_access_log: /dev/stdout
  portal_api_access_log: /dev/stdout
  proxy_error_log: /dev/stderr
  admin_error_log: /dev/stderr
  admin_gui_error_log: /dev/stderr
  portal_api_error_log: /dev/stderr
  prefix: /kong_prefix/

extraLabels: {}
image:
  repository: kong
  tag: "3.4"
  effectiveSemver:
  pullPolicy: IfNotPresent
admin:
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  http:
    enabled: true
    servicePort: 8001
    containerPort: 8001
    parameters: []
  tls:
    enabled: true
    servicePort: 8444
    containerPort: 8444
    parameters:
    - http2
    client:
      caBundle: ""
      secretName: ""
  ingress:
    enabled: true
    ingressClassName: nginx
    hostname: kongadminapi.myawesomedomain.com
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    path: /
    pathType: ImplementationSpecific
status:
  enabled: true
  http:
    enabled: true
    containerPort: 8100
    parameters: []
  tls:
    enabled: true
    containerPort: 8543
    parameters: []
clusterCaSecretName: ""
cluster:
  enabled: false
  annotations: {}
  labels: {}
  tls:
    enabled: false
    servicePort: 8005
    containerPort: 8005
    parameters: []
  type: ClusterIP
  loadBalancerClass:
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
proxy:
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  nameOverride: ""
  annotations: {}
  labels:
    enable-metrics: "true"
  http:
    enabled: true
    servicePort: 80
    containerPort: 8000
    parameters: []
  tls:
    enabled: false
    servicePort: 443
    containerPort: 8443
    parameters:
    - http2
  stream: []
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations: {}
    labels: {}
    hostname: newerapi.myawesomedomain.com
    path: /
    pathType: ImplementationSpecific
    hosts: []
udpProxy:
  enabled: false
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  stream: []
plugins: {}
secretVolumes: []
migrations:
  preUpgrade: true
  postUpgrade: true
  annotations:
    sidecar.istio.io/inject: false
  jobAnnotations: {}
  backoffLimit:
  resources: {}
dblessConfig:
  configMap: ""
  secret: ""
  config: |
ingressController:
  enabled: false
  image:
    repository: kong/kubernetes-ingress-controller
    tag: "3.0"
    effectiveSemver:
  args: []
  gatewayDiscovery:
    enabled: false
    generateAdminApiService: false
    adminApiService:
      namespace: ""
      name: ""
  watchNamespaces: []
  env:
    kong_admin_tls_skip_verify: true
  admissionWebhook:
    enabled: true
    failurePolicy: Ignore
    port: 8080
    certificate:
      provided: false
    namespaceSelector: {}
    service:
      labels: {}
  ingressClass: kong
  ingressClassAnnotations: {}
  rbac:
    create: true
  livenessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  readinessProbe:
    httpGet:
      path: "/readyz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  resources: {}
  konnect:
    enabled: false
    runtimeGroupID: ""
    apiHostname: "us.kic.api.konghq.com"
    tlsClientCertSecretName: "konnect-client-tls"
    license:
      enabled: false
  adminApi:
    tls:
      client:
        enabled: false
        certProvided: false
        secretName: ""
        caSecretName: ""
postgresql:
  enabled: false
  auth:
    username: kong
    database: kong
  image:
    tag: 13.11.0-debian-11-r20
  service:
    ports:
      postgresql: "5432"
certificates:
  enabled: true
  issuer: ""
  clusterIssuer: "cluster-issuer"
  proxy:
    enabled: false
    issuer: ""
    clusterIssuer: ""
    commonName: "app.example"
    dnsNames: []
  admin:
    enabled: true
    issuer: ""
    clusterIssuer: ""
    commonName: "myawesomedomain.com"
    dnsNames:
    - "kong.kongadminapi.myawesomedomain.com"
    - "kongadminapi.myawesomedomain.com"
    - "kong.myawesomedomain.com"
    - "kong-kong-admin.myawesomedomain.com"
    - "kong-kong-manager.myawesomedomain.com"
  portal:
    enabled: false
    issuer: ""
    clusterIssuer: ""
    commonName: "developer.example"
    dnsNames: []
  cluster:
    enabled: false
    issuer: ""
    clusterIssuer: ""
    commonName: "kong_clustering"
    dnsNames: []
waitImage:
  enabled: false
  pullPolicy: IfNotPresent
updateStrategy: {}
resources: {}
readinessProbe:
  httpGet:
    path: "/status/ready"
    port: status
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
livenessProbe:
  httpGet:
    path: "/status"
    port: status
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
lifecycle:
  preStop:
    exec:
      command:
        - kong
        - quit
        - '--wait=15'
terminationGracePeriodSeconds: 30
tolerations: []
nodeSelector: {}
podAnnotations:
  kuma.io/gateway: enabled
  traffic.sidecar.istio.io/includeInboundPorts: ""
podLabels: {}
replicaCount: 1
deploymentAnnotations: {}
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 5
  behavior: {}
  targetCPUUtilizationPercentage:
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
podDisruptionBudget:
  enabled: false
podSecurityPolicy:
  enabled: false
  labels: {}
  annotations: {}
  spec:
    privileged: false
    fsGroup:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    runAsGroup:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
      - 'configMap'
      - 'secret'
      - 'emptyDir'
      - 'projected'
    allowPrivilegeEscalation: false
    hostNetwork: false
    hostIPC: false
    hostPID: false
    readOnlyRootFilesystem: true
priorityClassName: ""
securityContext: {}
containerSecurityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsUser: 1000
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
    - ALL
serviceMonitor:
  enabled: false
enterprise:
  enabled: false
  vitals:
    enabled: true
  portal:
    enabled: false
  rbac:
    enabled: false
    admin_gui_auth: basic-auth
    session_conf_secret: kong-session-config
    admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
  smtp:
    enabled: false
    portal_emails_from: none@example.com
    portal_emails_reply_to: none@example.com
    admin_emails_from: none@example.com
    admin_emails_reply_to: none@example.com
    smtp_admin_emails: none@example.com
    smtp_host: smtp.example.com
    smtp_port: 587
    smtp_auth_type: ''
    smtp_ssl: nil
    smtp_starttls: true
    auth:
      smtp_password_secret: CHANGEME-smtp-password
manager:
  enabled: true
  type: ClusterIP
  loadBalancerClass: 
  annotations: {}
  labels: {}
  http:
    enabled: false
    servicePort: 8002
    containerPort: 8002
    parameters: []
  tls:
    enabled: true
    servicePort: 8445
    containerPort: 8445
    parameters:
    - http2
  ingress:
    enabled: true
    ingressClassName: nginx
    hostname: kong.myawesomedomain.com
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    path: /
    pathType: ImplementationSpecific
portal:
  enabled: false
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  http:
    enabled: true
    servicePort: 8003
    containerPort: 8003
    parameters: []
  tls:
    enabled: true
    servicePort: 8446
    containerPort: 8446
    parameters:
    - http2
  ingress:
    enabled: true
    ingressClassName: nginx
    hostname: kongportal.myawesomedomain.com
    annotations: {}
    path: /
    pathType: ImplementationSpecific
portalapi:
  enabled: false
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  http:
    enabled: true
    servicePort: 8004
    containerPort: 8004
    parameters: []
  tls:
    enabled: true
    servicePort: 8447
    containerPort: 8447
    parameters:
    - http2
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
clustertelemetry:
  enabled: false
  annotations: {}
  labels: {}
  tls:
    enabled: false
    servicePort: 8006
    containerPort: 8006
    parameters: []
  type: ClusterIP
  loadBalancerClass:
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
extraConfigMaps: []
extraSecrets: []
extraObjects: []

Thanks & Regards

@tirelibirefe
Copy link
Author

tirelibirefe commented Nov 15, 2023
edited
Loading

Also,
If I set admin.http.enabled=false and admin.tls.enabled=true , nothing changes. Manager still tries to access http instead of https .

@sumimakito
Copy link
Member

sumimakito commented Nov 16, 2023
edited
Loading

@tirelibirefe tl;dr It looks like the HTTPS Admin API and the HTTP to HTTPS redirection are working fine. I think the issue should be caused by the missing tls under admin.ingress. You can update your values like the example shown below:

admin:
  enabled: true
  # ...
  ingress:
    enabled: true
+   tls: true
    ingressClassName: nginx
    hostname: kongadminapi.myawesomedomain.com
    # ...

With the above change, Kong Manager should try to request the Admin API from the HTTPS endpoint instead this time.

From Kong charts files, it seems that the protocol in the Admin API base is determined by admin.ingress.tls:

https://github.com/Kong/charts/blob/663deb07cba098f736a37c69021ae0c8e2917854/charts/kong/templates/_helpers.tpl#L1017-L1020

{{- if .Values.admin.ingress.enabled }}
  {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
  {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
{{- end -}}

https://github.com/Kong/charts/blob/663deb07cba098f736a37c69021ae0c8e2917854/charts/kong/templates/_helpers.tpl#L434-L440

{{- define "kong.ingress.serviceUrl" -}}
{{- if .tls -}}
    https://{{ .hostname }}{{ .path | trimSuffix "/" }}
{{- else -}}
    http://{{ .hostname }}{{ .path | trimSuffix "/" }}
{{- end -}}
{{- end -}}

Meanwhile, I think we should also add more examples for setting up Kong Manager with Helm charts as the mechanism shown above is not very easy to be discovered for normal users. Thanks again for bringing this up.

@tirelibirefe
Copy link
Author

Hello @sumimakito
I spent hours yesterday because of the tls problem you indicated.

In the original Helm Chart, there is no "admin.ingress.tls:"
image

Apparently there are relevant codes in _helpers.tpl but I didn't notice/check it before.

When I just saw your message, I added admin.ingress.tls: true .
image

...and the problem is fixed.
I am very appreciated, thank you very much for your help.

@sumimakito
Copy link
Member

You're welcome @tirelibirefe. I'm glad that it is working normally now.

@sumimakito sumimakito self-assigned this Nov 17, 2023
@nekolab nekolab mentioned this issue Nov 20, 2023
Merged
3 tasks
@nekolab nekolab mentioned this issue Nov 21, 2023
Merged
3 tasks
nekolab added a commit that referenced this issue Nov 27, 2023
@nekolab
chore: display a warning message when Kong Manager is enabled but the…
005a993 
… Admin API is not enabled

Feedback from issue #11995 highlighted potential user confusion
due to the internal connection between Kong Manager and the Admin API.

To address this, a warning message will now be displayed to notify users
that the current configuration combination will not function as expected.

This resolves KAG-3158
windmgc pushed a commit that referenced this issue Nov 27, 2023
@nekolab
feat(configuration): display a warning message when Kong Manager is e…
f920f1f 
…nabled but the Admin API is not enabled (#12071)

Feedback from issue #11995 highlighted potential user confusion
due to the internal connection between Kong Manager and the Admin API.

To address this, a warning message will now be displayed to notify users
that the current configuration combination will not function as expected.

This resolves KAG-3158
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sumimakito sumimakito

Labels
area/ingress-controller Issues where Kong is running as a Kubernetes Ingress Controller area/kubernetes Issues where Kong is running on top of Kubernetes pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc...
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@guanlan @sumimakito @jschmid1 @tirelibirefe