Configure the Admin API

Kong Gateway is now running on Kubernetes. The Admin API is a NodePort service, which means it’s not publicly available. The proxy service is a LoadBalancer which provides a public address.

To make the Admin API accessible without using kubectl port-forward, you can create an internal load balancer on your chosen cloud. This is required to use Kong Manager to view or edit your configuration.

Update your values-cp.yaml file with the following Ingress configuration.

  1. Configure your Ingress Controller:

    EKS

    You need the aws-load-balancer-controller installed in your cluster to configure Ingress resources on EKS.

    After installing, check that your cluster is running the aws-load-balancer-controller.

        kubectl get deployments.apps -n kube-system aws-load-balancer-controller

    AKS

    You need application-gateway-kubernetes-ingress installed in your cluster to configure Ingress resources on AKS.

    After installing, check that your cluster is running the ingress-appgw-deployment.

        kubectl get deployments.apps -n kube-system ingress-appgw-deployment

    GKE

    Clusters running GKE versions 1.18 and later automatically provision load balancers in response to Ingress resources being created.

    GKE requires a BackendConfig resource to be created for Kong deployments to be marked as healthy.

    1. Create a BackendConfig resource to configure health checks.

        echo "apiVersion: cloud.google.com/v1
        kind: BackendConfig
        metadata:
          name: kong-hc
          namespace: kong
        spec:
          healthCheck:
            checkIntervalSec: 15
            port: 8100
            type: HTTP
            requestPath: /status" | kubectl apply -f -

    2. This BackendConfig is attached to the admin service using the annotations key in values-cp.yaml.

    GKE provisions one load balancer per Ingress definition. Following this guide will result in multiple load balancers being created.

    KIC

    Set ingressController.enabled to true in your values-cp.yaml file to enable Kong Ingress Controller. When enabling the ingress controller, set env.publish_service to ensure that Kong Ingress Controller populates the address field in the managed Ingress resources.

    You must also set ingressController.env.kong_admin_token to the value stored in env.password to enable communication between Kong Ingress Controller and the Kong Gateway Admin API.

        ingressController:
          enabled: true
          env:
            publish_service: kong/kong-dp-kong-proxy
            kong_admin_token: kong_admin_password

  2. Configure the admin section in values-cp.yaml. Replace example.com with your custom domain name.

    EKS

    If you are testing and do not have a VPN set up for your VPC, you may change the alb.ingress.kubernetes.io/scheme annotation to internet-facing to add a public IP address. This is not recommended for long-running deployments.

        admin:
          enabled: true
          http:
            enabled: true
          tls:
            enabled: false
          ingress:
            enabled: true
            hostname: admin.example.com
            path: /
            pathType: Prefix
            ingressClassName: alb
            annotations:
              alb.ingress.kubernetes.io/load-balancer-name: kong-alb-private
              alb.ingress.kubernetes.io/group.name: demo.kong-alb-private
              alb.ingress.kubernetes.io/target-type: instance
              alb.ingress.kubernetes.io/scheme: internal
              alb.ingress.kubernetes.io/healthcheck-path: /
              alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'

    AKS

    If you are testing and do not have a VPN set up, you may change the appgw.ingress.kubernetes.io/use-private-ip annotation to false to add a public IP address. This is not recommended for long-running deployments.

        admin:
          enabled: true
          http:
            enabled: true
          tls:
            enabled: false
          ingress:
            enabled: true
            hostname: admin.example.com
            path: /
            pathType: Prefix
            ingressClassName: azure-application-gateway
            annotations:
              appgw.ingress.kubernetes.io/use-private-ip: "true"

    GKE

    If you are testing and do not have a VPN set up, you may change the kubernetes.io/ingress.class annotation to gce to add a public IP address. This is not recommended for long-running deployments.

        admin:
          enabled: true
          http:
            enabled: true
          tls:
            enabled: false
          annotations:
            beta.cloud.google.com/backend-config: '{"default":"kong-hc"}'
          ingress:
            enabled: true
            hostname: admin.example.com
            path: /
            pathType: Prefix
            annotations:
              kubernetes.io/ingress.class: gce-internal

    KIC

    All endpoints proxied by Kong Ingress Controller will be publicly accessible. Use an authentication plugin to secure your API.

        admin:
          enabled: true
          http:
            enabled: true
          tls:
            enabled: false
          ingress:
            enabled: true
            hostname: admin.example.com
            path: /
            pathType: Prefix
            ingressClassName: kong

  3. Run helm upgrade to update the release.

        helm upgrade kong-cp kong/kong -n kong --values ./values-cp.yaml

  4. Fetch the Ingress IP address and update your DNS records to point at the Ingress address. You can configure DNS manually, or use a tool like external-dns to automate DNS configuration.

        kubectl get ingress -n kong kong-cp-kong-admin -o jsonpath='{.spec.rules[0].host}{": "}{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}'
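
A check to run on values-cp.yaml before the helm upgrade in step 3, reporting whether the admin section from step 2 keeps the Admin API on an internal load balancer or uses one of the public settings described above. This is an added example, not part of the Kong documentation; the function names are hypothetical, and it assumes block-style YAML with admin: as a top-level key and matches lines rather than parsing YAML.

```shell
#!/bin/sh
# Added example (not from the Kong docs): classify Admin API exposure in a values file.

# Print the body of the top-level "admin:" section only, so that ingress
# settings belonging to other sections of the file are ignored.
admin_block() {
  awk '/^admin:/ {on=1; next} /^[^ \t#]/ {on=0} on' "$1"
}

# Read YAML on stdin; print the scalar of the first line whose key is exactly $1.
value_of() {
  awk -v k="$1" '{ sub(/^[ \t]+/, ""); sub(/[ \t]+#.*$/, "") }
    index($0, k ":") == 1 { print substr($0, length(k) + 2); exit }' |
    tr -d "\"' \t"
}

# admin_exposure FILE -> prints public | internal | unknown
admin_exposure() {
  blk=$(admin_block "$1")
  class=$(printf '%s\n' "$blk" | value_of "ingressClassName")
  scheme=$(printf '%s\n' "$blk" | value_of "alb.ingress.kubernetes.io/scheme")
  priv=$(printf '%s\n' "$blk" | value_of "appgw.ingress.kubernetes.io/use-private-ip")
  gce=$(printf '%s\n' "$blk" | value_of "kubernetes.io/ingress.class")
  if [ "$class" = kong ]; then
    echo public      # KIC: endpoints it proxies are publicly accessible
  elif [ "$scheme" = internet-facing ] || [ "$priv" = false ] || [ "$gce" = gce ]; then
    echo public      # the testing-only settings from step 2
  elif [ "$scheme" = internal ] || [ "$priv" = true ] || [ "$gce" = gce-internal ]; then
    echo internal
  else
    echo unknown     # no recognised setting: review by hand
  fi
}

# Constructed sample: the EKS admin section with the testing-only scheme left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:
  enabled: true
  ingress:
    enabled: true
    hostname: admin.example.com
    ingressClassName: alb
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
EOF
echo "Admin API exposure: $(admin_exposure "$sample")"
rm -f "$sample"
```

A result of public or unknown is the signal to stop and review the admin section before running helm upgrade.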
