From f019779afe821e3ef7a0b3505df2de0efbdad99f Mon Sep 17 00:00:00 2001
From: Joshua Schmid
Date: Thu, 2 May 2024 16:09:34 +0200
Subject: [PATCH] feat(compose): introduce hybrid mode

Signed-off-by: Joshua Schmid
---
 compose/Makefile | 18 ++++-
 compose/README.md | 63 +++++++++++++++-----
 compose/certs/cluster.crt | 10 ++++
 compose/certs/cluster.key | 6 ++
 compose/docker-compose.yml | 118 +++++++++++++++++++++++++++++++++++--
 5 files changed, 192 insertions(+), 23 deletions(-)
 create mode 100644 compose/certs/cluster.crt
 create mode 100644 compose/certs/cluster.key

diff --git a/compose/Makefile b/compose/Makefile
index b9a63983..b67782f3 100644
--- a/compose/Makefile
+++ b/compose/Makefile
@@ -1,9 +1,19 @@
+# Determine whether to use 'docker-compose' or 'docker compose'
+DOCKER_COMPOSE := $(shell command -v docker-compose || echo docker compose)
+
 kong-postgres:
- COMPOSE_PROFILES=database KONG_DATABASE=postgres docker-compose up -d
+ @COMPOSE_PROFILES=database,traditional KONG_DATABASE=postgres $(DOCKER_COMPOSE) up -d
+
+# Alias for kong-postgres
+kong-traditional: kong-postgres
 kong-dbless:
- docker-compose up -d
+ @COMPOSE_PROFILES=traditional $(DOCKER_COMPOSE) up -d
+
+kong-hybrid:
+ @COMPOSE_PROFILES=hybrid,database KONG_DATABASE=postgres $(DOCKER_COMPOSE) up -d
+
 clean:
- docker-compose kill
- docker-compose rm -f
+ @$(DOCKER_COMPOSE) kill
+ @$(DOCKER_COMPOSE) rm -f
diff --git a/compose/README.md b/compose/README.md
index 5799c89d..7a538e1b 100644
--- a/compose/README.md
+++ b/compose/README.md
@@ -8,7 +8,7 @@ The official Docker Compose template for Kong Gateway.
 ## What is Kong?
-Kong or Kong API Gateway is a cloud-native, platform-agnostic, scalable API
+Kong or Kong API Gateway is a cloud-native, platform-agnostic, scalable API
 Gateway distinguished for its high performance and extensibility via plugins.
 - Kong's Official documentation can be found at [docs.konghq.com][kong-docs-url].
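Review bot: None of the targets in this hunk are declared `.PHONY`, so a file or directory named `clean`, `kong-hybrid` or `kong-postgres` inside compose/ would make `make` report the target as up to date and silently skip the recipe; add `.PHONY: kong-postgres kong-traditional kong-dbless kong-hybrid clean` above the first target. The `DOCKER_COMPOSE` detection on the second added line prefers any `docker-compose` binary on PATH over the compose plugin, while the docker-compose.yml hunk later in this patch drops `version: '3.9'`; if that binary is an older v1 client it may not accept a versionless file, so either keep the key or state in the comment that the plugin or a v2 standalone binary is expected. The `@` prefixes also hide the exact command being run, which makes it harder to see which profiles were activated when a target misbehaves; consider leaving them off.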
@@ -16,12 +16,18 @@ Gateway distinguished for its high performance and extensibility via plugins.
 ## How to use this Compose file
-Kong Gateway can be deployed in different ways. This Docker Compose file provides
-support for running Kong in [db-less][kong-docs-dbless] mode, in which only a Kong
+Kong Gateway can be deployed in different ways. This Docker Compose file provides
+support for running Kong in [db-less][kong-docs-dbless] mode, in which only a Kong
 container is spun up, or with a backing database. The default is db-less mode:
 ```shell
-$ docker compose up -d
+make kong-dbless
+```
+
+or
+
+```shell
+COMPOSE_PROFILES=traditional docker-compose up -d
 ```
 This command will result in a single Kong Docker container:
@@ -36,11 +42,16 @@ $ docker ps
 Kong entities can be configured through the `config/kong.yaml` declarative config
 file. Its format is further described [here][kong-docs-dbless-file].
-You can also run Kong with a backing Postgres database:
+You can also run Kong with a backing Postgres database, also known as "traditional mode".
-```shell
-$ KONG_DATABASE=postgres docker compose --profile database up -d
+``` shell
+make kong-postgres
+```
+
+or
+```shell
+COMPOSE_PROFILES=traditional KONG_DATABASE=postgres docker compose --profile database up -d
 ```
 Which will result in two Docker containers running -- one for Kong itself, and
@@ -53,24 +64,46 @@ compose-db-1 postgres:9.5 "docker-entrypoint.s…" db
 compose-kong-1 kong:latest "/docker-entrypoint.…" kong About a minute ago Up About a minute (healthy) 0.0.0.0:8000->8000/tcp, 127.0.0.1:8001->8001/tcp, 0.0.0.0:8443->8443/tcp, 127.0.0.1:8444->8444/tcp
 ```
-Kong will be available on port `8000` and `8001`. You can customize the template
+Kong can also be run in [hybrid mode](https://docs.konghq.com/gateway/latest/production/deployment-topologies/hybrid-mode/) which also uses "postgres" as the database but spawns two distinct containers.
+
+``` shell
+make kong-hybrid
+```
+
+or
+
+``` shell
+COMPOSE_PROFILES=hybrid,database KONG_DATABASE=postgres docker compose up -d
+```
+
+Which will result in three Docker containers running -- two for Kong itself, and
+another for the Postgres instance it uses to store its configuration entities:
+
+``` shell
+NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
+compose-db-1 postgres:9.5 "docker-entrypoint.s…" db 41 seconds ago Up 4 seconds (health: starting) 5432/tcp
+compose-kong-cp-1 kong:latest "/docker-entrypoint.…" kong-cp 41 seconds ago Up 3 seconds (health: starting) 127.0.0.1:8001-8002->8001-8002/tcp, 8000/tcp, 127.0.0.1:8005-8006->8005-8006/tcp, 8443/tcp, 127.0.0.1:8444->8444/tcp
+compose-kong-dp-1 kong:latest "/docker-entrypoint.…" kong-dp 41 seconds ago Up 2 seconds (health: starting) 0.0.0.0:8000->8000/tcp, 8001/tcp, 0.0.0.0:8443->8443/tcp, 8444/tcp
+```
+
+Kong will be available on port `8000` and `8001`. You can customize the template
 with your own environment variables or datastore configuration.
 ## Issues
-If you have any problems with or questions about this image, please contact us
+If you have any problems with or questions about this image, please contact us
 through a [GitHub issue][github-new-issue].
## Contributing
-You are invited to contribute new features, fixes, or updates, large or small;
-we are always thrilled to receive pull requests, and do our best to process them
+You are invited to contribute new features, fixes, or updates, large or small;
+we are always thrilled to receive pull requests, and do our best to process them
 as fast as we can.
-Before you start to code, we recommend discussing your plans through a [GitHub
-issue][github-new-issue], especially for more ambitious contributions. This
-gives other contributors a chance to point you in the right direction, give you
-feedback on your design, and help you find out if someone else is working on the
+Before you start to code, we recommend discussing your plans through a [GitHub
+issue][github-new-issue], especially for more ambitious contributions. This
+gives other contributors a chance to point you in the right direction, give you
+feedback on your design, and help you find out if someone else is working on the
 same thing.
 [kong-docs-url]: https://docs.konghq.com/
diff --git a/compose/certs/cluster.crt b/compose/certs/cluster.crt
new file mode 100644
index 00000000..7ce220ba
--- /dev/null
+++ b/compose/certs/cluster.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBVzCB3wIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA9rb25nX2NsdXN0ZXJp
+bmcwHhcNMjQwNDI5MDg1MzAwWhcNMjcwNDI5MDg1MzAwWjAaMRgwFgYDVQQDDA9r
+b25nX2NsdXN0ZXJpbmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASKasXr38/wTQHU
+o9ksCY6OVsQ0WnkyftA8moYRbjxshpDHMYeC2vZWktc0W6ZOblIBoBpq1G53Aocj
+/wI2aMzUerTHwnZZPvzvr3WuATylEXtLz3oH+XT1JRnai9HP3l4wCgYIKoZIzj0E
+AwIDZwAwZAIwH8OHm5S10GkxwJ8aUy4ojxrI5Xuq4M5H7b0qsu0b2YjHnfK6nIC2
+BptoQrtkZdBJAjBCJTOVmob4vUQ4/hzg4NIXmPZ9q5dnFtaDtdkwKQ7XE+xnhzhY
+S/7lFNVai7VSfIQ=
+-----END CERTIFICATE-----
diff --git a/compose/certs/cluster.key b/compose/certs/cluster.key
new file mode 100644
index 00000000..37bccb1f
--- /dev/null
+++ b/compose/certs/cluster.key
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCZetgpP2raNWdy1CPU
+k6G7t0b7mpf+IRkSNvjLo1sbEqnex5MRlFr81/qicvopAAWhZANiAASKasXr38/w
+TQHUo9ksCY6OVsQ0WnkyftA8moYRbjxshpDHMYeC2vZWktc0W6ZOblIBoBpq1G53
+Aocj/wI2aMzUerTHwnZZPvzvr3WuATylEXtLz3oH+XT1JRnai9HP3l4=
+-----END PRIVATE KEY-----
diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml
index 3493237a..10a10b4f 100644
--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.9'
 x-kong-config: &kong-env
@@ -27,7 +26,7 @@ services:
 kong-migrations:
 image: "${KONG_DOCKER_TAG:-kong:latest}"
 command: kong migrations bootstrap
- profiles: [ "database" ]
+ profiles: [ "database", "hybrid" ]
 depends_on:
 - db
 environment:
@@ -41,7 +40,7 @@ services:
 kong-migrations-up:
 image: "${KONG_DOCKER_TAG:-kong:latest}"
 command: kong migrations up && kong migrations finish
- profiles: [ "database" ]
+ profiles: [ "database", "hybrid" ]
 depends_on:
 - db
 environment:
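Review bot: compose/certs/cluster.key commits a private key to the repository, and the secrets hunk at the end of docker-compose.yml hands that same key to both kong-cp and kong-dp as the cluster mTLS identity; in Kong's default shared mTLS mode the one certificate authenticates both sides, so every deployment built from this template unchanged trusts a key that is public, and any peer on `kong-net` that presents it is accepted by the control plane as a data plane and receives the configuration it pushes (the host publishes 8005/8006 only on 127.0.0.1, but that does not cover other containers on the network). Generate the pair per deployment instead of shipping it — for example document `kong hybrid gen_cert certs/cluster.crt certs/cluster.key` as a setup step in the README, exclude `certs/*.key` from version control, and let the `kong-hybrid` target fail early when the files are missing. From the validity dates encoded in cluster.crt the certificate also appears to expire in April 2027, so a committed pair would eventually break the hybrid profile without any change to the repository.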
@@ -52,9 +51,116 @@ services:
 - kong-net
 restart: on-failure
+ kong-cp:
+ image: "${KONG_DOCKER_TAG:-kong:latest}"
+ user: "${KONG_USER:-kong}"
+ profiles: [ "hybrid" ]
+ depends_on:
+ - kong-migrations
+ - kong-migrations-up
+ environment:
+ <<: *kong-env
+ KONG_DATABASE: "postgres"
+ KONG_ADMIN_ACCESS_LOG: /dev/stdout
+ KONG_ADMIN_ERROR_LOG: /dev/stderr
+ KONG_ROLE: "control_plane"
+ KONG_ADMIN_LISTEN: "${KONG_ADMIN_LISTEN:-0.0.0.0:8001}"
+ KONG_ADMIN_GUI_LISTEN: "${KONG_ADMIN_GUI_LISTEN:-0.0.0.0:8002}"
+ KONG_PREFIX: ${KONG_PREFIX:-/var/run/kong-cp}
+ KONG_CLUSTER_CERT: /run/secrets/kong_cluster_cert
+ KONG_CLUSTER_CERT_KEY: /run/secrets/kong_cluster_cert_key
+ secrets:
+ - kong_postgres_password
+ - kong_cluster_cert
+ - kong_cluster_cert_key
+ networks:
+ - kong-net
+ ports:
+ # The following two environment variables default to an insecure value (0.0.0.0)
+ # according to the CIS Security test.
+ # - "${KONG_INBOUND_PROXY_LISTEN:-0.0.0.0}:8000:8000/tcp"
+ # - "${KONG_INBOUND_SSL_PROXY_LISTEN:-0.0.0.0}:8443:8443/tcp"
+ # Making them mandatory but undefined, like so would be backwards-breaking:
+ # - "${KONG_INBOUND_PROXY_LISTEN?Missing inbound proxy host}:8000:8000/tcp"
+ # - "${KONG_INBOUND_SSL_PROXY_LISTEN?Missing inbound proxy ssl host}:8443:8443/tcp"
+ # Alternative is deactivating check 5.13 in the security bench, if we consider Kong's own config to be enough security here
+
+ - "127.0.0.1:8001:8001/tcp"
+ - "127.0.0.1:8444:8444/tcp"
+ - "127.0.0.1:8002:8002/tcp"
+ # Cluster communication
+ - "127.0.0.1:8005:8005/tcp"
+ # Telemetry
+ - "127.0.0.1:8006:8006/tcp"
+
+ healthcheck:
+ test: [ "CMD", "kong", "health" ]
+ interval: 10s
+ timeout: 10s
+ retries: 10
+ restart: on-failure:5
+ read_only: true
+ volumes:
+ - kong_prefix_vol:${KONG_PREFIX:-/var/run/kong-cp}
+ - kong_tmp_vol:/tmp
+ - ./config:/opt/kong
+ security_opt:
+ - no-new-privileges
+
+ kong-dp:
+ image: "${KONG_DOCKER_TAG:-kong:latest}"
+ user: "${KONG_USER:-kong}"
+ profiles:
+ - hybrid
+ depends_on:
+ - kong-cp
+ environment:
+ KONG_DATABASE: "off"
+ KONG_ROLE: "data_plane"
+ KONG_ADMIN_ACCESS_LOG: /dev/stdout
+ KONG_ADMIN_ERROR_LOG: /dev/stderr
+ KONG_CLUSTER_CONTROL_PLANE: kong-cp:8005
+ KONG_CLUSTER_TELEMETRY_ENDPOINT: kong-cp:8006
+ KONG_PROXY_LISTEN: "${KONG_PROXY_LISTEN:-0.0.0.0:8000}"
+ KONG_PREFIX: ${KONG_PREFIX:-/var/run/kong-dp}
+ KONG_CLUSTER_CERT: /run/secrets/kong_cluster_cert
+ KONG_CLUSTER_CERT_KEY: /run/secrets/kong_cluster_cert_key
+ secrets:
+ - kong_cluster_cert
+ - kong_cluster_cert_key
+ networks:
+ - kong-net
+ ports:
+ # The following two environment variables default to an insecure value (0.0.0.0)
+ # according to the CIS Security test.
+ - "${KONG_INBOUND_PROXY_LISTEN:-0.0.0.0}:8000:8000/tcp"
+ - "${KONG_INBOUND_SSL_PROXY_LISTEN:-0.0.0.0}:8443:8443/tcp"
+ # Making them mandatory but undefined, like so would be backwards-breaking:
+ # - "${KONG_INBOUND_PROXY_LISTEN?Missing inbound proxy host}:8000:8000/tcp"
+ # - "${KONG_INBOUND_SSL_PROXY_LISTEN?Missing inbound proxy ssl host}:8443:8443/tcp"
+ # Alternative is deactivating check 5.13 in the security bench, if we consider Kong's own config to be enough security here
+ # - "127.0.0.1:8001:8001/tcp"
+ # - "127.0.0.1:8444:8444/tcp"
+ # - "127.0.0.1:8002:8002/tcp"
+ healthcheck:
+ test: [ "CMD", "kong", "health" ]
+ interval: 10s
+ timeout: 10s
+ retries: 10
+ restart: on-failure:5
+ read_only: true
+ volumes:
+ - kong_prefix_vol:${KONG_PREFIX:-/var/run/kong-dp}
+ - kong_tmp_vol:/tmp
+ - ./config:/opt/kong
+ security_opt:
+ - no-new-privileges
+
 kong:
 image: "${KONG_DOCKER_TAG:-kong:latest}"
 user: "${KONG_USER:-kong}"
+ profiles:
+ - traditional
 environment:
 <<: *kong-env
 KONG_ADMIN_ACCESS_LOG: /dev/stdout
@@ -99,7 +205,7 @@ services:
 db:
 image: postgres:9.5
- profiles: [ "database" ]
+ profiles: [ "database", "hybrid" ]
 environment:
 POSTGRES_DB: ${KONG_PG_DATABASE:-kong}
 POSTGRES_USER: ${KONG_PG_USER:-kong}
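Review bot: kong-cp and kong-dp mount the same named volumes — `kong_prefix_vol` at /var/run/kong-cp and /var/run/kong-dp, and `kong_tmp_vol` at /tmp — so the two Kong instances write their generated nginx configuration, `nginx.pid` and the runtime sockets Kong keeps under its prefix into one shared directory and overwrite each other; the `kong health` healthcheck in each container then reads whichever pid file was written last. Give each role its own volume, e.g. `- kong_cp_prefix_vol:${KONG_PREFIX:-/var/run/kong-cp}` in kong-cp and `- kong_dp_prefix_vol:${KONG_PREFIX:-/var/run/kong-dp}` in kong-dp, with the corresponding entries under the top-level `volumes:` key, which lies outside this hunk. A single `KONG_PREFIX` set in the host environment also sends both services to the same path, so separate override variables for the two roles would avoid the same collision from the other direction. Minor: the comment block above the kong-cp `ports:` list was copied from the kong service and describes the two proxy mappings that are commented out for the control plane, so it should instead say that the control plane deliberately publishes no proxy ports. The kong service touched at the tail of the hunk continues past it.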
@@ -130,3 +236,7 @@ services:
 secrets:
 kong_postgres_password:
 file: ./POSTGRES_PASSWORD
+ kong_cluster_cert:
+ file: ./certs/cluster.crt
+ kong_cluster_cert_key:
+ file: ./certs/cluster.key