Kong, backed by PostgreSQL
Kong can run config-only ("DB-less") or backed by a database. I chose DB-backed, against the existing PostgreSQL server, for two reasons: it exercises the database layer the lab already has, and it's the mode that supports runtime configuration and the admin workflow.
Per the lab's own rule (every app gets its own database identity — see the Data book), Kong does not use the Postgres admin account. It gets a dedicated kong database and a dedicated kong user with its own password (<REDACTED>), and connects from inside the cluster to 10.100.100.13:5432.
Kong pods --(as user 'kong')--> PostgreSQL 10.100.100.13 / db 'kong'
It's installed with Helm as an Ingress Controller, proxy exposed as a LoadBalancer (which is how it got 10.100.100.100 from MetalLB). The proxy listens on port 80 only — TLS is somebody else's job (the edge; see the next page).
One thing I locked down immediately: the Helm chart exposes Kong Manager (a web UI) as an unauthenticated NodePort by default. That's an open management surface. I disabled it, then re-introduced it deliberately and behind authentication (next page).
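To make the above concrete, here is a Helm values file for the kong/kong chart that encodes the same decisions: existing Postgres instead of the bundled subchart, the dedicated `kong` identity with its password pulled from a Kubernetes Secret, an HTTP-only LoadBalancer proxy, and Kong Manager switched off. This is an added illustration, not the lab's actual values file; the Secret name `kong-postgres`, its `password` key, and the ClusterIP Admin API setting are assumptions.

```yaml
# values.yaml for the kong/kong Helm chart (added example; the Secret name
# "kong-postgres" and its "password" key are assumptions, not the lab's files)
ingressController:
  enabled: true

# Use the lab's existing PostgreSQL server, not the chart's bundled subchart
postgresql:
  enabled: false

env:
  database: postgres
  pg_host: 10.100.100.13
  pg_port: 5432
  pg_database: kong
  pg_user: kong              # dedicated identity; never the Postgres admin account
  pg_password:
    valueFrom:
      secretKeyRef:
        name: kong-postgres  # assumed Secret, created out of band, e.g.
        key: password        # kubectl create secret generic kong-postgres --from-literal=password=...

proxy:
  type: LoadBalancer         # MetalLB assigns the external IP (10.100.100.100 in the lab)
  http:
    enabled: true
    servicePort: 80
  tls:
    enabled: false           # TLS terminates at the edge, not on the proxy

# Weak default the chart ships with: Kong Manager reachable on a NodePort with no auth.
# manager:
#   enabled: true
#   type: NodePort
# Hardened: keep the management UI off until it sits behind authentication.
manager:
  enabled: false

# Assumption: the Admin API stays cluster-internal for the runtime-config workflow
admin:
  enabled: true
  type: ClusterIP
  http:
    enabled: true
```

Install with `helm install kong kong/kong -f values.yaml`; the `kong` role and database must already exist on the Postgres side, per the Data book rule.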