feat(compose): introduce hybrid mode

Signed-off-by: Joshua Schmid <[email protected]>

compose/Makefile

@@ -1,9 +1,19 @@
+# Determine whether to use 'docker-compose' or 'docker compose'
+DOCKER_COMPOSE := $(shell command -v docker-compose || echo docker compose)
+
 kong-postgres:
-	COMPOSE_PROFILES=database KONG_DATABASE=postgres docker-compose up -d
+	@COMPOSE_PROFILES=database,traditional KONG_DATABASE=postgres $(DOCKER_COMPOSE) up -d
+
+# Alias for kong-postgres
+kong-traditional: kong-postgres
 
 kong-dbless:
-	docker-compose up -d
+	@COMPOSE_PROFILES=traditional $(DOCKER_COMPOSE) up -d
+
+kong-hybrid:
+	@COMPOSE_PROFILES=hybrid,database KONG_DATABASE=postgres $(DOCKER_COMPOSE) up -d
+
 
 clean:
-	docker-compose kill
-	docker-compose rm -f
+	@$(DOCKER_COMPOSE) kill
+	@$(DOCKER_COMPOSE) rm -f

compose/README.md

@@ -8,20 +8,26 @@ The official Docker Compose template for Kong Gateway.
 
 ## What is Kong?
 
-Kong or Kong API Gateway is a cloud-native, platform-agnostic, scalable API 
+Kong or Kong API Gateway is a cloud-native, platform-agnostic, scalable API
 Gateway distinguished for its high performance and extensibility via plugins.
 
 - Kong's Official documentation can be found at [docs.konghq.com][kong-docs-url].
 - You can find the official Docker distribution for Kong on [Docker Hub][kong-docker-url].
 
 ## How to use this Compose file
 
-Kong Gateway can be deployed in different ways. This Docker Compose file provides 
-support for running Kong in [db-less][kong-docs-dbless] mode, in which only a Kong 
+Kong Gateway can be deployed in different ways. This Docker Compose file provides
+support for running Kong in [db-less][kong-docs-dbless] mode, in which only a Kong
 container is spun up, or with a backing database. The default is db-less mode:
 
 ```shell
-$ docker compose up -d
+make kong-dbless
+```
+
+or
+
+```shell
+COMPOSE_PROFILES=traditional docker-compose up -d
 ```
 
 This command will result in a single Kong Docker container:
@@ -36,11 +42,16 @@ $ docker ps
 Kong entities can be configured through the `config/kong.yaml` declarative config
 file. Its format is further described [here][kong-docs-dbless-file].
 
-You can also run Kong with a backing Postgres database:
+You can also run Kong with a backing Postgres database, also known as "traditional mode".
 
-```shell
-$ KONG_DATABASE=postgres docker compose --profile database up -d
+``` shell
+make kong-postgres
+```
+
+or
 
+```shell
+COMPOSE_PROFILES=traditional KONG_DATABASE=postgres docker compose --profile database up -d
 ```
 
 Which will result in two Docker containers running -- one for Kong itself, and
@@ -53,24 +64,46 @@ compose-db-1        postgres:9.5        "docker-entrypoint.s…"   db
 compose-kong-1      kong:latest         "/docker-entrypoint.…"   kong                About a minute ago   Up About a minute (healthy)   0.0.0.0:8000->8000/tcp, 127.0.0.1:8001->8001/tcp, 0.0.0.0:8443->8443/tcp, 127.0.0.1:8444->8444/tcp
 ```
 
-Kong will be available on port `8000` and `8001`. You can customize the template 
+Kong can also be run in [hybrid mode](https://docs.konghq.com/gateway/latest/production/deployment-topologies/hybrid-mode/) which also uses "postgres" as the database but spawns two distinct containers.
+
+``` shell
+make kong-hybrid
+```
+
+or
+
+``` shell
+COMPOSE_PROFILES=hybrid,database KONG_DATABASE=postgres docker compose up -d
+```
+
+Which will result in three Docker containers running -- two for Kong itself, and
+another for the Postgres instance it uses to store its configuration entities:
+
+``` shell
+NAME                IMAGE          COMMAND                  SERVICE   CREATED          STATUS                            PORTS
+compose-db-1        postgres:9.5   "docker-entrypoint.s…"   db        41 seconds ago   Up 4 seconds (health: starting)   5432/tcp
+compose-kong-cp-1   kong:latest    "/docker-entrypoint.…"   kong-cp   41 seconds ago   Up 3 seconds (health: starting)   127.0.0.1:8001-8002->8001-8002/tcp, 8000/tcp, 127.0.0.1:8005-8006->8005-8006/tcp, 8443/tcp, 127.0.0.1:8444->8444/tcp
+compose-kong-dp-1   kong:latest    "/docker-entrypoint.…"   kong-dp   41 seconds ago   Up 2 seconds (health: starting)   0.0.0.0:8000->8000/tcp, 8001/tcp, 0.0.0.0:8443->8443/tcp, 8444/tcp
+```
+
+Kong will be available on port `8000` and `8001`. You can customize the template
 with your own environment variables or datastore configuration.
 
 ## Issues
 
-If you have any problems with or questions about this image, please contact us 
+If you have any problems with or questions about this image, please contact us
 through a [GitHub issue][github-new-issue].
 
 ## Contributing
 
-You are invited to contribute new features, fixes, or updates, large or small; 
-we are always thrilled to receive pull requests, and do our best to process them 
+You are invited to contribute new features, fixes, or updates, large or small;
+we are always thrilled to receive pull requests, and do our best to process them
 as fast as we can.
 
-Before you start to code, we recommend discussing your plans through a [GitHub 
-issue][github-new-issue], especially for more ambitious contributions. This 
-gives other contributors a chance to point you in the right direction, give you 
-feedback on your design, and help you find out if someone else is working on the 
+Before you start to code, we recommend discussing your plans through a [GitHub
+issue][github-new-issue], especially for more ambitious contributions. This
+gives other contributors a chance to point you in the right direction, give you
+feedback on your design, and help you find out if someone else is working on the
 same thing.
 
 [kong-docs-url]: https://docs.konghq.com/

compose/certs/cluster.crt

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBVzCB3wIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA9rb25nX2NsdXN0ZXJp
+bmcwHhcNMjQwNDI5MDg1MzAwWhcNMjcwNDI5MDg1MzAwWjAaMRgwFgYDVQQDDA9r
+b25nX2NsdXN0ZXJpbmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASKasXr38/wTQHU
+o9ksCY6OVsQ0WnkyftA8moYRbjxshpDHMYeC2vZWktc0W6ZOblIBoBpq1G53Aocj
+/wI2aMzUerTHwnZZPvzvr3WuATylEXtLz3oH+XT1JRnai9HP3l4wCgYIKoZIzj0E
+AwIDZwAwZAIwH8OHm5S10GkxwJ8aUy4ojxrI5Xuq4M5H7b0qsu0b2YjHnfK6nIC2
+BptoQrtkZdBJAjBCJTOVmob4vUQ4/hzg4NIXmPZ9q5dnFtaDtdkwKQ7XE+xnhzhY
+S/7lFNVai7VSfIQ=
+-----END CERTIFICATE-----

compose/certs/cluster.key

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCZetgpP2raNWdy1CPU
+k6G7t0b7mpf+IRkSNvjLo1sbEqnex5MRlFr81/qicvopAAWhZANiAASKasXr38/w
+TQHUo9ksCY6OVsQ0WnkyftA8moYRbjxshpDHMYeC2vZWktc0W6ZOblIBoBpq1G53
+Aocj/wI2aMzUerTHwnZZPvzvr3WuATylEXtLz3oH+XT1JRnai9HP3l4=
+-----END PRIVATE KEY-----

compose/docker-compose.yml

@@ -1,4 +1,3 @@
-version: '3.9'
 
 x-kong-config:
   &kong-env
@@ -27,7 +26,7 @@ services:
   kong-migrations:
     image: "${KONG_DOCKER_TAG:-kong:latest}"
     command: kong migrations bootstrap
-    profiles: [ "database" ]
+    profiles: [ "database", "hybrid" ]
     depends_on:
       - db
     environment:
@@ -41,7 +40,7 @@ services:
   kong-migrations-up:
     image: "${KONG_DOCKER_TAG:-kong:latest}"
     command: kong migrations up && kong migrations finish
-    profiles: [ "database" ]
+    profiles: [ "database", "hybrid" ]
     depends_on:
       - db
     environment:
@@ -52,9 +51,116 @@ services:
       - kong-net
     restart: on-failure
 
+  kong-cp:
+    image: "${KONG_DOCKER_TAG:-kong:latest}"
+    user: "${KONG_USER:-kong}"
+    profiles: [ "hybrid" ]
+    depends_on:
+      - kong-migrations
+      - kong-migrations-up
+    environment:
+      <<: *kong-env
+      KONG_DATABASE: "postgres"
+      KONG_ADMIN_ACCESS_LOG: /dev/stdout
+      KONG_ADMIN_ERROR_LOG: /dev/stderr
+      KONG_ROLE: "control_plane"
+      KONG_ADMIN_LISTEN: "${KONG_ADMIN_LISTEN:-0.0.0.0:8001}"
+      KONG_ADMIN_GUI_LISTEN: "${KONG_ADMIN_GUI_LISTEN:-0.0.0.0:8002}"
+      KONG_PREFIX: ${KONG_PREFIX:-/var/run/kong-cp}
+      KONG_CLUSTER_CERT: /run/secrets/kong_cluster_cert
+      KONG_CLUSTER_CERT_KEY: /run/secrets/kong_cluster_cert_key
+    secrets:
+      - kong_postgres_password
+      - kong_cluster_cert
+      - kong_cluster_cert_key
+    networks:
+      - kong-net
+    ports:
+      # The following two environment variables default to an insecure value (0.0.0.0)
+      # according to the CIS Security test.
+      # - "${KONG_INBOUND_PROXY_LISTEN:-0.0.0.0}:8000:8000/tcp"
+      # - "${KONG_INBOUND_SSL_PROXY_LISTEN:-0.0.0.0}:8443:8443/tcp"
+      # Making them mandatory but undefined, like so would be backwards-breaking:
+      # - "${KONG_INBOUND_PROXY_LISTEN?Missing inbound proxy host}:8000:8000/tcp"
+      # - "${KONG_INBOUND_SSL_PROXY_LISTEN?Missing inbound proxy ssl host}:8443:8443/tcp"
+      # Alternative is deactivating check 5.13 in the security bench, if we consider Kong's own config to be enough security here
+
+      - "127.0.0.1:8001:8001/tcp"
+      - "127.0.0.1:8444:8444/tcp"
+      - "127.0.0.1:8002:8002/tcp"
+      # Cluster communication
+      - "127.0.0.1:8005:8005/tcp"
+      # Telemetry
+      - "127.0.0.1:8006:8006/tcp"
+
+    healthcheck:
+      test: [ "CMD", "kong", "health" ]
+      interval: 10s
+      timeout: 10s
+      retries: 10
+    restart: on-failure:5
+    read_only: true
+    volumes:
+      - kong_prefix_vol:${KONG_PREFIX:-/var/run/kong-cp}
+      - kong_tmp_vol:/tmp
+      - ./config:/opt/kong
+    security_opt:
+      - no-new-privileges
+
+  kong-dp:
+    image: "${KONG_DOCKER_TAG:-kong:latest}"
+    user: "${KONG_USER:-kong}"
+    profiles:
+      - hybrid
+    depends_on:
+      - kong-cp
+    environment:
+      KONG_DATABASE: "off"
+      KONG_ROLE: "data_plane"
+      KONG_ADMIN_ACCESS_LOG: /dev/stdout
+      KONG_ADMIN_ERROR_LOG: /dev/stderr
+      KONG_CLUSTER_CONTROL_PLANE: kong-cp:8005
+      KONG_CLUSTER_TELEMETRY_ENDPOINT: kong-cp:8006
+      KONG_PROXY_LISTEN: "${KONG_PROXY_LISTEN:-0.0.0.0:8000}"
+      KONG_PREFIX: ${KONG_PREFIX:-/var/run/kong-dp}
+      KONG_CLUSTER_CERT: /run/secrets/kong_cluster_cert
+      KONG_CLUSTER_CERT_KEY: /run/secrets/kong_cluster_cert_key
+    secrets:
+      - kong_cluster_cert
+      - kong_cluster_cert_key
+    networks:
+      - kong-net
+    ports:
+      # The following two environment variables default to an insecure value (0.0.0.0)
+      # according to the CIS Security test.
+      - "${KONG_INBOUND_PROXY_LISTEN:-0.0.0.0}:8000:8000/tcp"
+      - "${KONG_INBOUND_SSL_PROXY_LISTEN:-0.0.0.0}:8443:8443/tcp"
+      # Making them mandatory but undefined, like so would be backwards-breaking:
+      # - "${KONG_INBOUND_PROXY_LISTEN?Missing inbound proxy host}:8000:8000/tcp"
+      # - "${KONG_INBOUND_SSL_PROXY_LISTEN?Missing inbound proxy ssl host}:8443:8443/tcp"
+      # Alternative is deactivating check 5.13 in the security bench, if we consider Kong's own config to be enough security here
+      # - "127.0.0.1:8001:8001/tcp"
+      # - "127.0.0.1:8444:8444/tcp"
+      # - "127.0.0.1:8002:8002/tcp"
+    healthcheck:
+      test: [ "CMD", "kong", "health" ]
+      interval: 10s
+      timeout: 10s
+      retries: 10
+    restart: on-failure:5
+    read_only: true
+    volumes:
+      - kong_prefix_vol:${KONG_PREFIX:-/var/run/kong-dp}
+      - kong_tmp_vol:/tmp
+      - ./config:/opt/kong
+    security_opt:
+      - no-new-privileges
+
   kong:
     image: "${KONG_DOCKER_TAG:-kong:latest}"
     user: "${KONG_USER:-kong}"
+    profiles:
+      - traditional
     environment:
       <<: *kong-env
       KONG_ADMIN_ACCESS_LOG: /dev/stdout
@@ -99,7 +205,7 @@ services:
 
   db:
     image: postgres:9.5
-    profiles: [ "database" ]
+    profiles: [ "database", "hybrid" ]
     environment:
       POSTGRES_DB: ${KONG_PG_DATABASE:-kong}
       POSTGRES_USER: ${KONG_PG_USER:-kong}
@@ -130,3 +236,7 @@ services:
 secrets:
   kong_postgres_password:
     file: ./POSTGRES_PASSWORD
+  kong_cluster_cert:
+    file: ./certs/cluster.crt
+  kong_cluster_cert_key:
+    file: ./certs/cluster.key