Configure externalTrafficPolicy: Local in your GatewayConfiguration.
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com
helm repo update
Install Kong Operator using Helm:
helm upgrade --install kong-operator kong/kong-operator -n kong-system \
--create-namespace \
--set image.tag=2.1.0 \
--set env.ENABLE_CONTROLLER_KONNECT=true
helm upgrade --install kong-operator kong/kong-operator -n kong-system \
--create-namespace \
--set image.tag=2.1.0
If you want cert-manager to issue and rotate the admission and conversion webhook certificates, install cert-manager to your cluster and enable cert-manager integration by passing the following argument while installing, in the next step:
--set global.webhooks.options.certManager.enabled=true
If you do not enable this, the chart will generate and inject self-signed certificates automatically. We recommend enabling cert-manager to manage the lifecycle of these certificates.
Kong Operator needs a certificate authority to sign the certificate for mTLS communication between the control plane and the data plane.
This is handled automatically by the Helm chart. If you need to provide a custom CA certificate, refer to the certificateAuthority section
in the values.yaml of the Helm chart to learn how to create and reference your own CA certificate.
This tutorial doesn’t require a license, but you can add one using KongLicense. This assumes that your license is available in ./license.json.
echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongLicense
metadata:
name: kong-license
rawLicenseString: '$(cat ./license.json)'
" | kubectl apply -f -
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com
helm repo update
Install Kong Operator using Helm:
helm upgrade --install kong-operator kong/kong-operator -n kong-system \
--create-namespace \
--set image.tag=2.1.0 \
--set env.ENABLE_CONTROLLER_KONNECT=true
helm upgrade --install kong-operator kong/kong-operator -n kong-system \
--create-namespace \
--set image.tag=2.1.0
If you want cert-manager to issue and rotate the admission and conversion webhook certificates, install cert-manager to your cluster and enable cert-manager integration by passing the following argument while installing, in the next step:
--set global.webhooks.options.certManager.enabled=true
If you do not enable this, the chart will generate and inject self-signed certificates automatically. We recommend enabling cert-manager to manage the lifecycle of these certificates.
Kong Operator needs a certificate authority to sign the certificate for mTLS communication between the control plane and the data plane.
This is handled automatically by the Helm chart. If you need to provide a custom CA certificate, refer to the certificateAuthority section
in the values.yaml of the Helm chart to learn how to create and reference your own CA certificate.
This tutorial doesn’t require a license, but you can add one using KongLicense. This assumes that your license is available in ./license.json.
echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongLicense
metadata:
name: kong-license
rawLicenseString: '$(cat ./license.json)'
" | kubectl apply -f -
kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
name: konnect-api-auth
namespace: kong
spec:
type: token
token: "'$KONNECT_TOKEN'"
serverURL: us.api.konghq.com
' | kubectl apply -f -
echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha2
metadata:
name: gateway-control-plane
namespace: kong
spec:
createControlPlaneRequest:
name: gateway-control-plane
konnect:
authRef:
name: konnect-api-auth
' | kubectl apply -f -
By default, when traffic enters a Kubernetes cluster through a Service of type LoadBalancer, the source IP is often replaced with the IP of the node (SNAT). This means your applications and access logs see the node’s IP instead of the client’s IP.
To preserve the client IP, you can configure the underlying Service to use externalTrafficPolicy: Local.
kong namespaceCreate the kong namespace in your Kubernetes cluster, which is where the demo will run:
kubectl create namespace kong
Create a GatewayConfiguration that sets the externalTrafficPolicy to Local in the dataPlaneOptions:
echo '
apiVersion: gateway-operator.konghq.com/v2beta1
kind: GatewayConfiguration
metadata:
name: preserve-client-ip
namespace: kong
spec:
dataPlaneOptions:
network:
services:
ingress:
externalTrafficPolicy: Local
type: LoadBalancer' | kubectl apply -f -
Create a GatewayClass resource that references the GatewayConfiguration, and a Gateway that references the GatewayClass:
echo '
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: kong-external-traffic
spec:
controllerName: konghq.com/gateway-operator
parametersRef:
group: gateway-operator.konghq.com
kind: GatewayConfiguration
name: preserve-client-ip
namespace: kong
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: kong-external-traffic
namespace: kong
spec:
gatewayClassName: kong-external-traffic
listeners:
- name: http
protocol: HTTP
port: 80' | kubectl apply -f -
Check the generated Service for the externalTrafficPolicy setting:
kubectl get service -n kong -l gateway-operator.konghq.com/dataplane-service-type=ingress -o jsonpath='{.items[0].spec.externalTrafficPolicy}'
The output should be Local.