tjtjtj's notes

Notes for myself.

Kong 2.0 hybrid mode

Kong 2.0 has come out. The key points are the following three.

Hybrid mode

https://docs.konghq.com/2.0.x/hybrid-mode/

  • Control plane / data plane separation
  • Control plane (cp) Kong
    • has DB access
    • KONG_ROLE=control_plane
  • Data plane (dp) Kong
    • no DB access
    • runs in db-less mode and, it seems, pulls its configuration from the cp?
    • KONG_ROLE=data_plane
  • cp/dp security
    • a certificate/key pair is required

Generate the certificate/key pair

I've forgotten most of this... Let's just try it roughly...

Start Kong in db-less mode

$ docker run -d --name kong-less \
     -v "kong-vol:/usr/local/kong" \
     -e "KONG_DATABASE=off" \
     -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
     -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
     -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
     -p 8000:8000 \
     -p 8443:8443 \
     -p 8001:8001 \
     -p 8444:8444 \
     kong:2.0.0

Generate the certificate/key pair

$ docker exec -it kong-less sh
/ $ cd /usr/local/kong/
/usr/local/kong $ mkdir cert
/usr/local/kong $ cd cert
/usr/local/kong/cert $ kong hybrid gen_cert
Successfully generated certificate/key pairs, they have been written to: '/usr/local/kong/cert/cluster.crt' and '/usr/local/kong/cert/cluster.key'.
/usr/local/kong/cert $ ls -al
total 16
drwxr-xr-x    2 kong     nogroup       4096 Jan 23 11:31 .
drwxrwxr-x   14 kong     root          4096 Jan 23 11:31 ..
-rw-r--r--    1 kong     nogroup        526 Jan 23 11:31 cluster.crt
-rw-------    1 kong     nogroup        306 Jan 23 11:31 cluster.key
/usr/local/kong/cert $ exit

$ docker stop kong-less
$ docker rm kong-less

Start the control plane Kong

Create the network, bring up Cassandra, run the migrations, and start Kong. kong-vol already contains the certificate generated above.

$ docker network create kong-net
$ docker run -d --name kong-database \
               --network=kong-net \
               -p 9042:9042 \
               cassandra:3

$ docker run --rm \
     --network=kong-net \
     -e "KONG_DATABASE=cassandra" \
     -e "KONG_PG_HOST=kong-database" \
     -e "KONG_CASSANDRA_CONTACT_POINTS=kong-database" \
     kong:2.0.0 kong migrations bootstrap
:
23 migrations processed
23 executed
Database is up-to-date

$ docker run -d --name kong-cp \
     --network=kong-net \
     -v "kong-vol:/usr/local/kong" \
     -e "KONG_ROLE=control_plane" \
     -e "KONG_CLUSTER_CERT=/usr/local/kong/cert/cluster.crt" \
     -e "KONG_CLUSTER_CERT_KEY=/usr/local/kong/cert/cluster.key" \
     -e "KONG_DATABASE=cassandra" \
     -e "KONG_CASSANDRA_CONTACT_POINTS=kong-database" \
     -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
     -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
     -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
     -p 8000:8000 \
     -p 8443:8443 \
     -p 8001:8001 \
     -p 8444:8444 \
     -p 8005:8005 \
     kong:2.0.0

Data plane Kong

$ docker run -d --name kong-dp \
     --network=kong-net \
     -v "kong-vol:/usr/local/kong" \
     -e "KONG_ROLE=data_plane" \
     -e "KONG_CLUSTER_CONTROL_PLANE=kong-cp:8005" \
     -e "KONG_CLUSTER_CERT=/usr/local/kong/cert/cluster.crt" \
     -e "KONG_CLUSTER_CERT_KEY=/usr/local/kong/cert/cluster.key" \
     -e "KONG_LUA_SSL_TRUSTED_CERTIFICATE=/usr/local/kong/cert/cluster.crt" \
     -e "KONG_DATABASE=off" \
     -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
     -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
     -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
     -p 9000:8000 \
     -p 9443:8443 \
     -p 9001:8001 \
     -p 9444:8444 \
     kong:2.0.0

Check the cluster status

Check the containers

# docker ps
CONTAINER ID  IMAGE        COMMAND                  NAMES
2ff26508e7a2  kong:2.0.0   "/docker-entrypoint.…"  kong-dp
5b597f17cb3a  kong:2.0.0   "/docker-entrypoint.…"  kong-cp
028369c521c1  cassandra:3  "docker-entrypoint.s…"  kong-database

Check the cluster from the control plane. kong-dp is there.

curl http://localhost:8001/clustering/status | jq
{
  "cf749b5e-0463-4142-8f26-86bd8343c915": {
    "config_hash": "f8adac67f709388993f9c8b52fe5f6ca",
    "last_seen": 1580380612,
    "ip": "172.19.0.4",
    "hostname": "2ff26508e7a2"
  }
}
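
An added example, not from the original post or from Kong itself: a small Python check that reads the /clustering/status body shown above and flags data planes that have stopped checking in (last_seen too old) or are serving a config_hash other than the one the control plane currently has. The second node in the sample and the Admin API URL in fetch_status are constructed assumptions.

```python
import json
import urllib.request

# Constructed sample: the /clustering/status body shown above, plus a
# hypothetical second data plane that stopped checking in on an old config.
SAMPLE_STATUS = json.loads("""{
  "cf749b5e-0463-4142-8f26-86bd8343c915": {
    "config_hash": "f8adac67f709388993f9c8b52fe5f6ca",
    "last_seen": 1580380612, "ip": "172.19.0.4", "hostname": "2ff26508e7a2"},
  "00000000-0000-4000-8000-000000000002": {
    "config_hash": "00000000000000000000000000000000",
    "last_seen": 1580380000, "ip": "172.19.0.9", "hostname": "dp-placeholder"}
}""")


def audit_data_planes(status, expected_hash, now, max_age_s=60):
    """One finding per data plane that is stale or not on expected_hash.

    status is the parsed /clustering/status body; expected_hash is the
    config_hash the control plane currently serves; now is epoch seconds,
    passed in so the check is deterministic.
    """
    findings = []
    for node_id, node in status.items():
        age = now - int(node["last_seen"])
        problems = []
        if age > max_age_s:
            problems.append("stale: last seen %ds ago" % age)
        if node.get("config_hash") != expected_hash:
            problems.append("config_hash %s != expected %s"
                            % (node.get("config_hash"), expected_hash))
        if problems:
            findings.append({"id": node_id, "hostname": node.get("hostname"),
                             "ip": node.get("ip"), "problems": problems})
    return findings


def fetch_status(admin_url="http://localhost:8001"):
    """Fetch the live body from the control plane Admin API (URL assumed)."""
    with urllib.request.urlopen(admin_url + "/clustering/status", timeout=5) as r:
        return json.load(r)


if __name__ == "__main__":
    # Run against the constructed sample; swap in fetch_status() for a live cp.
    for f in audit_data_planes(SAMPLE_STATUS, "f8adac67f709388993f9c8b52fe5f6ca",
                               now=1580380612 + 30):
        print(f["hostname"], f["ip"], "; ".join(f["problems"]))
```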

Try "Configuring a Service"

https://docs.konghq.com/2.0.x/getting-started/configuring-a-service/

1. Add your Service using the Admin API

Add a service

$ curl -i -X POST \
  --url http://localhost:8001/services/ \
  --data 'name=example-service' \
  --data 'url=http://mockbin.org'

HTTP/1.1 201 Created
Date: Thu, 30 Jan 2020 10:45:27 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.0
Content-Length: 296
X-Kong-Admin-Latency: 127

{"host":"mockbin.org",
"created_at":1580381127,
"connect_timeout":60000,
"id":"779925da-191c-487a-9666-5982f00b3fec",
"protocol":"http",
"name":"example-service",
"read_timeout":60000,
"port":80,
"path":null,
"updated_at":1580381127,
"retries":5,
"write_timeout":60000,
"tags":null,
"client_certificate":null}

Check the service

$ curl -s http://localhost:8001/services | jq .
{
  "next": null,
  "data": [
    {
      "host": "mockbin.org",
      "created_at": 1580381127,
      "connect_timeout": 60000,
      "id": "779925da-191c-487a-9666-5982f00b3fec",
      "protocol": "http",
      "name": "example-service",
      "read_timeout": 60000,
      "port": 80,
      "path": null,
      "updated_at": 1580381127,
      "retries": 5,
      "write_timeout": 60000,
      "tags": null,
      "client_certificate": null
    }
  ]
}

2. Add a Route for the Service

Add a route

$ curl -i -X POST \
  --url http://localhost:8001/services/example-service/routes \
  --data 'hosts[]=example.com'

HTTP/1.1 201 Created
Date: Thu, 30 Jan 2020 10:46:43 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.0
Content-Length: 429
X-Kong-Admin-Latency: 67

{"id":"59d80700-d503-4b1a-bafe-d5bdaa92cb0f",
"path_handling":"v0",
"paths":null,
"destinations":null,
"headers":null,
"protocols":["http","https"],
"methods":null,
"snis":null,
"service":{"id":"779925da-191c-487a-9666-5982f00b3fec"},
"name":null,
"strip_path":true,
"preserve_host":false,
"regex_priority":0,
"updated_at":1580381203,
"sources":null,
"hosts":["example.com"],
"https_redirect_status_code":426,
"tags":null,
"created_at":1580381203}

Check the route

$ curl -s http://localhost:8001/services | jq .
{
  "next": null,
  "data": [
    {
      "host": "mockbin.org",
      "created_at": 1580381127,
      "connect_timeout": 60000,
      "id": "779925da-191c-487a-9666-5982f00b3fec",
      "protocol": "http",
      "name": "example-service",
      "read_timeout": 60000,
      "port": 80,
      "path": null,
      "updated_at": 1580381127,
      "retries": 5,
      "write_timeout": 60000,
      "tags": null,
      "client_certificate": null
    }
  ]
}

3. Forward your requests through Kong

curl -i -X GET \
  --url http://localhost:9000/ \
  --header 'Host: example.com'

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 10695
Connection: keep-alive
Server: Cowboy
Etag: W/"29c7-XG+PICJmz/J+UYWt5gkKqqAUXjc"
Vary: Accept-Encoding
Date: Thu, 30 Jan 2020 10:47:58 GMT
Via: kong/2.0.0
X-Kong-Upstream-Status: 200
X-Kong-Upstream-Latency: 367
X-Kong-Proxy-Latency: 70
Kong-Cloud-Request-ID: 782983cc8a4bdd4fb240efcfcf3546f1

<!DOCTYPE html><html><head><meta charset="utf-8"><title>Mockbin by Kong</title>...

It worked so easily that it makes me uneasy. How are plugins and consumers used?