k8s 部署
kong-k8s.yaml
注意修改 pg_password 的信息
这里使用了 host 模式+ ClusterFirstWithHostNet 的配置 (因为 host 模式速度最快,性能也是最好的,可以兼顾 docker 部署 + k8s 部署)
数据库依旧是本机 127.0.0.1
因为 UI 界面没有账号密码,所以需要使用 nginx 进行反代处理;除了 8000 端口,其余端口全部只在 127.0.0.1 上监听。
# --- Part 1: Secret holding the PostgreSQL password ---
# `stringData` takes the plaintext value (no manual base64 needed);
# replace "password" with the real credential before applying.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: kong-db-secret
stringData:
  pg_password: "password"
---
# --- Part 2: one-off Kong database initialisation (Job) ---
# Runs `kong migrations bootstrap` against the node-local PostgreSQL and
# reads the password from the kong-db-secret Secret.
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migration
spec:
  template:
    spec:
      # Host networking: 127.0.0.1 below is the node's own PostgreSQL.
      hostNetwork: true
      restartPolicy: OnFailure
      containers:
        - name: kong-migration
          image: kong:latest
          command:
            - "/bin/sh"
            - "-c"
            - "kong migrations bootstrap"
          env:
            - name: KONG_DATABASE
              value: "postgres"
            - name: KONG_PG_HOST
              value: "127.0.0.1"
            - name: KONG_PG_PORT
              value: "5432"
            - name: KONG_PG_USER
              value: "super_postgres"
            - name: KONG_PG_DATABASE
              value: "kong"
            - name: KONG_PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: kong-db-secret
                  key: pg_password
---
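# --- Part 3: the Kong gateway itself ---
# Single replica on the host network: the proxy listener is public on :8000,
# the Admin API (:8001) and Kong Manager (:1337) are loopback-only and are
# reached through the nginx reverse proxy that adds TLS and basic auth.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-gateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kong
  template:
    metadata:
      labels:
        app: kong
    spec:
      # Host networking: listen addresses below are node addresses and
      # PostgreSQL is reached on 127.0.0.1.
      hostNetwork: true
      # Keep cluster DNS resolution working while on the host network.
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: kong
          # Pin the same explicit tag here and in the kong-migration Job
          # (e.g. kong:<version>) so the schema and the gateway cannot drift
          # apart between two pulls of "latest".
          image: kong:latest
          env:
            - name: KONG_DATABASE
              value: "postgres"
            - name: KONG_PG_HOST
              value: "127.0.0.1"
            # Explicit port, matching the migration Job.
            - name: KONG_PG_PORT
              value: "5432"
            - name: KONG_PG_USER
              value: "super_postgres"
            - name: KONG_PG_DATABASE
              value: "kong"
            - name: KONG_PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: kong-db-secret
                  key: pg_password
            # --- Hardening: Admin API and Manager GUI bind to loopback only ---
            # Neither IP:1337 nor IP:8001 is reachable from outside the node.
            - name: KONG_ADMIN_GUI_LISTEN
              value: "127.0.0.1:1337"
            - name: KONG_ADMIN_LISTEN
              value: "127.0.0.1:8001"
            # --- GUI / API URLs as exposed by the nginx reverse proxy ---
            - name: KONG_ADMIN_GUI_URL
              value: "https://kong-ui.jacin.me/manager-api"
            - name: KONG_ADMIN_GUI_API_URL
              value: "https://kong-ui.jacin.me/manager-api"
            - name: KONG_ADMIN_GUI_SSL
              value: "false"
            # NOTE(review): GUI and API share one origin, so this could likely be
            # narrowed to https://kong-ui.jacin.me — confirm against the Kong
            # version in use.
            - name: KONG_ADMIN_GUI_CORS_ALLOWED_ORIGINS
              value: "*"
            # --- Proxy traffic: plain :8000 only, TLS is terminated by nginx ---
            - name: KONG_PROXY_LISTEN
              value: "0.0.0.0:8000"
            # --- Client IP handling ---
            # Only the node-local nginx (proxy_pass to localhost:8000) may set
            # X-Forwarded-For. Trusting 0.0.0.0/0 let any client reaching :8000
            # directly spoof the address Kong's plugins and logs see. Add the
            # address of any further upstream proxy here if one is introduced.
            - name: KONG_TRUSTED_IPS
              value: "127.0.0.1, ::1"
            - name: KONG_REAL_IP_FROM
              value: "127.0.0.1, ::1"
            - name: KONG_REAL_IP_HEADER
              value: "X-Forwarded-For"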
kong-ui 的 nginx 配置
注意设置密码,否则都能查看了,因为默认是没有账号系统的。
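# Reverse proxy for Kong Manager (127.0.0.1:1337) and the Kong Admin API
# (127.0.0.1:8001). Kong has no user accounts of its own, so every request
# must pass HTTP basic auth here; credentials live in /etc/nginx/.htpasswd.
server {
    listen 80;
    listen 443 ssl;
    http2 on;
    server_name kong-ui.jacin.me;

    ssl_certificate /root/fast-proxy/ssl/origin.crt;
    ssl_certificate_key /root/fast-proxy/ssl/origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Basic-auth credentials must not travel in clear text: send plain-HTTP
    # clients to HTTPS before any auth challenge is issued. (If a
    # TLS-terminating proxy in front connects over port 80, replace this with
    # a check on its forwarded-scheme header instead.)
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Admin API. The trailing slash on proxy_pass strips the /manager-api/
    # prefix before the request reaches Kong — keep it.
    location /manager-api/ {
        proxy_pass http://localhost:8001/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Kong Manager GUI.
    location / {
        proxy_pass http://localhost:1337;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket pass-through. "Connection: Upgrade" is forced on every
        # request; a `map $http_upgrade` at http level would be cleaner.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # Stream responses instead of buffering them.
        proxy_buffering off;
        # Cap request bodies at 50M. The original had 0 (unlimited), which
        # contradicted its own comment and left the admin UI open to
        # oversized uploads.
        client_max_body_size 50M;
    }
}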
kong-api 的 nginx 配置
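# Public entry point: TLS termination in front of Kong's proxy listener on
# localhost:8000. Plain HTTP on :80 is kept as in the original; the forwarded
# headers below are what Kong's real-IP handling reads.
server {
    listen 80;
    listen 443 ssl;
    http2 on;
    server_name api.jacin.me;

    ssl_certificate /root/fast-proxy/ssl/origin.crt;
    ssl_certificate_key /root/fast-proxy/ssl/origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Report the scheme the client actually used. The original hard-coded
        # "https", which mislabelled requests arriving on :80.
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket pass-through. "Connection: Upgrade" is forced on every
        # request; a `map $http_upgrade` at http level would be cleaner.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # Stream responses instead of buffering them.
        proxy_buffering off;
        # Allow uploads up to 50M.
        client_max_body_size 50M;
    }
}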