feat(kong): add additionalProxies support for multiple proxy services#1493
Add support for defining multiple proxy Kubernetes Services from a single Helm values configuration via the new additionalProxies map in values.yaml. Each entry in additionalProxies creates a separate Kubernetes Service that routes to the same Kong proxy container, enabling use cases such as exposing Kong through both an external LoadBalancer (with proxy_protocol for AWS NLB) and an internal ClusterIP service (without proxy_protocol) simultaneously.

Changes:
- values.yaml: add additionalProxies configuration section
- templates/service-kong-proxy-additional.yaml: new template that renders additional proxy services with optional ingress support
- templates/_helpers.tpl: include additional proxy listeners in KONG_PROXY_LISTEN and KONG_PORT_MAPS environment variables
- templates/deployment.yaml: expose additional proxy container ports
- README.md: document additionalProxies usage and configuration
- ci/additional-proxy-services-values.yaml: CI test values

Fix Kong#1492
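The external-plus-internal layout the description mentions, written out as a values fragment. This is an added example, not a file from the PR or the chart; it assumes that each additionalProxies entry accepts the same keys as the chart's existing proxy block (type, annotations, http/tls with parameters) and that the listeners for the internal service are given their own container ports, since a listener configured with proxy_protocol rejects plain connections.

```yaml
# Constructed values.yaml fragment (assumed key layout, see lead-in).
# Default proxy: AWS NLB in front, PROXY protocol on, so Kong sees real client IPs.
proxy:
  enabled: true
  type: LoadBalancer
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  http:
    enabled: true
    servicePort: 80
    containerPort: 8000
    parameters:
      - proxy_protocol
  tls:
    enabled: true
    servicePort: 443
    containerPort: 8443
    parameters:
      - http2
      - proxy_protocol

# Internal service: plain ClusterIP, no proxy_protocol. Leaving proxy_protocol
# off here matters: a PROXY-protocol listener trusts the client-supplied header,
# so any in-cluster caller could forge its source address for logs, rate limits
# and IP-restriction plugins. Separate container ports keep the two listener
# sets independent (the chart adds these ports to KONG_PROXY_LISTEN).
additionalProxies:
  internal:
    enabled: true
    type: ClusterIP
    http:
      enabled: true
      servicePort: 80
      containerPort: 8100
      parameters: []
    tls:
      enabled: true
      servicePort: 443
      containerPort: 8543
      parameters:
        - http2

# Only honour PROXY headers that arrive from the load balancer's address range
# (placeholder CIDR; replace with the NLB's actual subnets).
env:
  real_ip_header: proxy_protocol
  trusted_ips: "10.0.0.0/8"
```

The rendered Service names become `<release>-kong-proxy-internal` style names, so keep release names and map keys short enough to stay within the 63-character Service name limit discussed in the review below.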
Kubernetes limits container port names to 15 characters. Shorten the additional proxy port name prefix from "aprx-" to "px-" and apply trunc to ensure names never exceed the limit. Fix Kong#1492
| {{- $_ := set $serviceConfig "namespace" (include "kong.namespace" $) -}} | ||
| {{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" $) -}} | ||
| {{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" $) -}} | ||
| {{- $_ := set $serviceConfig "serviceName" (printf "proxy-%s" $name) }} |
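Review bot: `$name` is a user-controlled map key (from `range $name, $svcConfig := .Values.additionalProxies`) and is interpolated directly into `printf "proxy-%s" $name` with no validation, so a key such as `Internal_API` or `internal.v2` renders a Service name the API server rejects (Service names must be DNS-1035 labels: lowercase alphanumerics and hyphens, starting with a letter), and the error only appears at apply time rather than at `helm template`. Suggest failing early in the template, e.g. `{{- if not (regexMatch "^[a-z][-a-z0-9]*$" $name) }}{{ fail (printf "additionalProxies key %q is not a valid DNS label" $name) }}{{ end }}`, alongside the `trunc 63 | trimSuffix "-"` the chart applies to other generated names.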
I'm concerned about the length here; let me double-check the details.
The final Service name rendered by kong.service is shown in charts/charts/kong/templates/_helpers.tpl, lines 172 to 176 in f0dfb5f, where .fullName itself is already {{ .Release.Name }}-{{ .Chart.Name }}. Kubernetes limits Service names to 63 characters, so a long release name combined with a long $name key could exceed this limit.
The chart already applies trunc 63 | trimSuffix "-" in similar places, for example charts/charts/kong/templates/_helpers.tpl, line 21 in f0dfb5f.
I think we should do the same here. Something like:
{{- $_ := set $serviceConfig "serviceName" (printf "proxy-%s" $name | trunc 63 | trimSuffix "-") }}
| {{- $portMapStrings := list -}} | ||
| {{- $portMapStrings = append $portMapStrings (include "kong.port_maps" .Values.proxy) -}} | ||
| {{- range $name, $svcConfig := .Values.additionalProxies -}} | ||
| {{- if $svcConfig.enabled -}} | ||
| {{- $additionalPortMaps := (include "kong.port_maps" $svcConfig) -}} | ||
| {{- if (ne (len $additionalPortMaps) 0) -}} | ||
| {{- $portMapStrings = append $portMapStrings $additionalPortMaps -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- $_ := set $autoEnv "KONG_PORT_MAPS" ($portMapStrings | join ", ") -}} |
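Review bot: nothing in this hunk guards against an additional proxy (or the default `proxy`) mapping a different published port onto a container port that another entry already uses; because every Service selects the same pod, `KONG_PORT_MAPS` would then contain two `published:listening` pairs for one listening port, and Kong's port-map lookup (used to derive `X-Forwarded-Port`) becomes ambiguous. Suggest accumulating the container ports seen across `.Values.proxy` and `.Values.additionalProxies` and calling `fail` on a duplicate, or at least documenting that additional proxies must use distinct container ports. Minor: `{{- if (ne (len $additionalPortMaps) 0) -}}` can be written `{{- if $additionalPortMaps -}}`, since an empty string is falsy in Go templates.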
additionalProxies streams are added to the deployment container ports, but are not included in KONG_STREAM_LISTEN here. This means Kong won't actually listen on those stream ports even though the container exposes them.
Should add something similar to what was done for KONG_PROXY_LISTEN above:
{{- range $name, $svcConfig := .Values.additionalProxies -}}
{{- if $svcConfig.enabled -}}
{{- $additionalStream := (include "kong.streamListen" $svcConfig) -}}
{{- if (not (eq $additionalStream "")) -}}
{{- $streamStrings = (append $streamStrings $additionalStream) -}}
{{- end -}}
{{- end -}}
{{- end -}}
…ong#1490) Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases) - [Commits](zgosalvez/github-actions-ensure-sha-pinned-actions@d5d20e1...70c4af2) --- updated-dependencies: - dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ong#1488) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.2 to 2.15.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@5ef0c07...a90bcbc) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.15.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [jdx/mise-action](https://github.com/jdx/mise-action) from 3.6.1 to 3.6.2. - [Release notes](https://github.com/jdx/mise-action/releases) - [Changelog](https://github.com/jdx/mise-action/blob/main/CHANGELOG.md) - [Commits](jdx/mise-action@6d1e696...e79ddf6) --- updated-dependencies: - dependency-name: jdx/mise-action dependency-version: 3.6.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ong#1495) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.15.0 to 2.15.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@a90bcbc...58077d3) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.15.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [jdx/mise-action](https://github.com/jdx/mise-action) from 3.6.2 to 3.6.3. - [Release notes](https://github.com/jdx/mise-action/releases) - [Changelog](https://github.com/jdx/mise-action/blob/main/CHANGELOG.md) - [Commits](jdx/mise-action@e79ddf6...5228313) --- updated-dependencies: - dependency-name: jdx/mise-action dependency-version: 3.6.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat(kong): apply objectSelector to all admission webhooks Previously, admissionWebhook.objectSelector only applied to webhook 2 (CRD validation). Webhooks 0 (credentials) and 1 (plugins) had hardcoded objectSelectors that ignored user configuration, causing conflicts in multi-instance clusters where each instance's webhooks intercept all matching secrets cluster-wide. Now objectSelector applies to all 3 webhooks. For secrets webhooks, user-provided matchLabels and matchExpressions are merged with chart-required functional expressions (credential filtering, konnect exclusion). A shared helper in _helpers.tpl reduces duplication. * chore(kong): bump to 3.1.0, add CHANGELOG, regenerate snapshots Bump chart version to 3.1.0 for the objectSelector admission webhook feature. Add CHANGELOG entry and regenerate golden test snapshots with Helm 3.19.2 to fix CI drift.
Bumps [jdx/mise-action](https://github.com/jdx/mise-action) from 3.6.3 to 4.0.0. - [Release notes](https://github.com/jdx/mise-action/releases) - [Changelog](https://github.com/jdx/mise-action/blob/main/CHANGELOG.md) - [Commits](jdx/mise-action@5228313...c1ecc8f) --- updated-dependencies: - dependency-name: jdx/mise-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Include additional proxy stream listeners in KONG_STREAM_LISTEN, truncate additional proxy service names to fit Kubernetes limits, and handle missing tls.parameters when generating TLS listens.
What this PR does / why we need it:
Support multiple proxy services when, in addition to the default proxy service, users want to deploy an extra service with a different config.
Which issue this PR fixes
Add support for defining multiple proxy services from a single Helm values configuration via the new 'additionalProxies' map in values.yaml.
Each entry in additionalProxies creates a separate Kubernetes Service that routes to the same Kong proxy container, enabling use cases like: