First pass at kong config system to allow hybrid mode deployments as …

…well as embedded (#19)
dwp · Mar 1, 2021 · 4b50662 · 4b50662
1 parent 8c8db7e
commit 4b50662
Show file tree

Hide file tree

Showing 14 changed files with 843 additions and 304 deletions.
diff --git a/examples/hybrid/lb.tf b/examples/hybrid/lb.tf
@@ -87,8 +87,13 @@ resource "aws_lb_target_group" "external-admin-api" {
 }
 
 locals {
-  target_groups = [
+  target_group_cp = [
     aws_lb_target_group.external-admin-api.arn,
+    aws_lb_target_group.internal-cluster.arn,
+    aws_lb_target_group.internal-telemetry.arn,
+    aws_lb_target_group.internal-admin-api.arn
+  ]
+  target_group_dp = [
     aws_lb_target_group.external-proxy.arn
   ]
 }
@@ -115,3 +120,91 @@ resource "aws_lb_listener" "admin" {
   }
 }
 
+resource "aws_lb" "internal" {
+
+  name               = "kong-internal-lb"
+  internal           = true
+  subnets            = module.create_kong_dp.private_subnet_ids
+  load_balancer_type = "network"
+  idle_timeout       = 60
+  tags               = var.tags
+}
+
+resource "aws_lb_target_group" "internal-cluster" {
+  name     = "internal-cluster-8005"
+  port     = 8005
+  protocol = "TCP"
+  vpc_id   = aws_vpc.vpc.id
+
+  health_check {
+    healthy_threshold   = 5
+    interval            = 30
+    port                = 8005
+    protocol            = "TCP"
+    unhealthy_threshold = 5
+  }
+}
+
+resource "aws_lb_target_group" "internal-telemetry" {
+  name     = "internal-telemetry-8006"
+  port     = 8006
+  protocol = "TCP"
+  vpc_id   = aws_vpc.vpc.id
+  health_check {
+    healthy_threshold   = 5
+    interval            = 30
+    port                = 8006
+    protocol            = "TCP"
+    unhealthy_threshold = 5
+  }
+}
+
+resource "aws_lb_target_group" "internal-admin-api" {
+  name     = "internal-admin-api-8001" # FIX
+  port     = 8001
+  protocol = "TCP"
+  vpc_id   = aws_vpc.vpc.id
+  health_check {
+    healthy_threshold   = 5
+    interval            = 30
+    port                = 8001
+    protocol            = "TCP"
+    unhealthy_threshold = 5
+  }
+}
+
+resource "aws_lb_listener" "cluster" {
+
+  load_balancer_arn = aws_lb.internal.arn
+  port              = 8005
+  protocol          = "TCP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.internal-cluster.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "telemetry" {
+
+  load_balancer_arn = aws_lb.internal.arn
+  port              = 8006
+  protocol          = "TCP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.internal-telemetry.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "internal-admin" {
+
+  load_balancer_arn = aws_lb.internal.arn
+  port              = 8001
+  protocol          = "TCP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.internal-admin-api.arn
+    type             = "forward"
+  }
+}
diff --git a/examples/hybrid/main.tf b/examples/hybrid/main.tf
@@ -32,11 +32,42 @@ resource "aws_eip" "nat_eip" {
   depends_on = [aws_internet_gateway.ig]
 }
 
+resource "aws_security_group" "allow_postgres" {
+  name        = "allow_postgres"
+  description = "Allow postgres inbound traffic"
+  vpc_id      = aws_vpc.vpc.id
+
+  ingress {
+    description = "postgresql from VPC"
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "TCP"
+    cidr_blocks = [aws_vpc.vpc.cidr_block]
+  }
+
+  ingress {
+    description = "postgresql from VPC"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "TCP"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = var.tags
+}
+
 resource "aws_subnet" "public_subnets" {
-  count                   = length(module.create_kong_asg.private_subnet_azs)
+  count                   = length(module.create_kong_cp.private_subnet_azs)
   vpc_id                  = aws_vpc.vpc.id
   cidr_block              = "10.0.${4 + count.index}.0/24"
-  availability_zone       = module.create_kong_asg.private_subnet_azs[count.index]
+  availability_zone       = module.create_kong_cp.private_subnet_azs[count.index]
   map_public_ip_on_launch = true
 }
 
@@ -66,18 +97,46 @@ resource "aws_route_table_association" "public" {
   route_table_id = aws_route_table.public.id
 }
 
-module "create_kong_asg" {
-  source                    = "../../"
+locals {
+
+  kong_control_plane_config = {
+    "KONG_ROLE"              = "control_plane"
+    "KONG_PROXY_LISTEN"      = "off"
+    "KONG_ANONYMOUS_REPORTS" = "off"
+    "KONG_PORTAL"            = "on"
+    "KONG_VITALS"            = "on"
+    "KONG_AUDIT_LOG"         = "on"
+    "KONG_LOG_LEVEL"         = "debug"
+  }
+
+  kong_data_plane_config = {
+    "KONG_ROLE"              = "data_plane"
+    "KONG_DATABASE"          = "off"
+    "KONG_LOG_LEVEL"         = "debug"
+    "KONG_ANONYMOUS_REPORTS" = "off"
+  }
+
+  kong_hybrid_conf = {
+    cluster_cert = tls_locally_signed_cert.cert.cert_pem
+    cluster_key  = tls_private_key.cert.private_key_pem
+    endpoint     = aws_lb.internal.dns_name
+  }
+}
+
+module "create_kong_cp" {
+  source = "../../"
+
+  instance_type             = var.instance_type
   vpc_id                    = aws_vpc.vpc.id
   ami_id                    = data.aws_ami.ubuntu.id
   key_name                  = var.key_name
   region                    = var.region
   vpc_cidr_block            = aws_vpc.vpc.cidr_block
-  environment               = var.environment
-  service                   = var.service
-  description               = var.description
   iam_instance_profile_name = aws_iam_instance_profile.kong.name
-  asg_desired_capacity      = var.asg_desired_capacity
+
+  asg_desired_capacity = var.asg_desired_capacity
+  asg_max_size         = var.asg_max_size
+  asg_min_size         = var.asg_min_size
 
   postgres_config = {
     master_user     = var.postgres_master_user
@@ -90,9 +149,47 @@ module "create_kong_asg" {
     password = var.kong_database_password
   }
 
-  target_group_arns = local.target_groups
+  target_group_arns = local.target_group_cp
 
-  tags = var.tags
+  kong_config      = local.kong_control_plane_config
+  kong_hybrid_conf = local.kong_hybrid_conf
+
+  environment = var.environment
+  service     = var.service
+  description = var.description
+  tags        = var.tags
+}
+
+module "create_kong_dp" {
+  source = "../../"
+
+  instance_type  = var.instance_type
+  vpc_id         = aws_vpc.vpc.id
+  ami_id         = data.aws_ami.ubuntu.id
+  key_name       = var.key_name
+  region         = var.region
+  vpc_cidr_block = aws_vpc.vpc.cidr_block
+
+  iam_instance_profile_name = aws_iam_instance_profile.kong.name
+
+
+  asg_desired_capacity = var.asg_desired_capacity
+  asg_max_size         = var.asg_max_size
+  asg_min_size         = var.asg_min_size
+
+  target_group_arns = local.target_group_dp
+
+  skip_rds_creation = true
+  kong_config       = local.kong_data_plane_config
+  kong_hybrid_conf  = local.kong_hybrid_conf
+
+  private_subnets    = module.create_kong_cp.private_subnet_ids
+  availability_zones = module.create_kong_cp.private_subnet_azs
+
+  environment = var.environment
+  service     = var.service
+  description = var.description
+  tags        = var.tags
 }
 
 resource "aws_route_table" "private" {
@@ -106,7 +203,7 @@ resource "aws_route" "private_nat_gateway" {
 }
 
 resource "aws_route_table_association" "private" {
-  count          = length(module.create_kong_asg.private_subnet_ids)
-  subnet_id      = element(module.create_kong_asg.private_subnet_ids, count.index)
+  count          = length(module.create_kong_cp.private_subnet_ids)
+  subnet_id      = element(module.create_kong_cp.private_subnet_ids, count.index)
   route_table_id = aws_route_table.private.id
 }
diff --git a/examples/hybrid/outputs.tf b/examples/hybrid/outputs.tf
@@ -1,6 +1,8 @@
 locals {
   proxy     = "http://${aws_lb.external.dns_name}:8000"
   admin_api = "http://${aws_lb.external.dns_name}:8001"
+  cluster   = "http://${aws_lb.internal.dns_name}:8005"
+  telemetry = "http://${aws_lb.internal.dns_name}:8006"
 }
 
 output "kong-proxy-endpoint" {
@@ -10,3 +12,11 @@ output "kong-proxy-endpoint" {
 output "kong-api-endpoint" {
   value = local.admin_api
 }
+
+output "kong-cluster-endpoint" {
+  value = local.cluster
+}
+
+output "kong-telemetry-endpoint" {
+  value = local.telemetry
+}
diff --git a/examples/hybrid/tls_shared.tf b/examples/hybrid/tls_shared.tf
@@ -0,0 +1,50 @@
+# generate certificates for Kong
+resource "tls_private_key" "ca" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
+resource "tls_self_signed_cert" "ca" {
+  key_algorithm     = tls_private_key.ca.algorithm
+  private_key_pem   = tls_private_key.ca.private_key_pem
+  is_ca_certificate = true
+
+  validity_period_hours = "12"
+  allowed_uses = [
+    "cert_signing",
+    "key_encipherment",
+    "digital_signature",
+  ]
+
+  subject {
+    common_name = "kong_clustering"
+  }
+
+}
+
+resource "tls_private_key" "cert" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
+resource "tls_cert_request" "cert" {
+  key_algorithm   = tls_private_key.cert.algorithm
+  private_key_pem = tls_private_key.cert.private_key_pem
+
+  subject {
+    common_name = "kong_clustering"
+  }
+}
+
+resource "tls_locally_signed_cert" "cert" {
+  cert_request_pem = tls_cert_request.cert.cert_request_pem
+
+  ca_key_algorithm   = tls_private_key.ca.algorithm
+  ca_private_key_pem = tls_private_key.ca.private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.ca.cert_pem
+
+  validity_period_hours = "12"
+  allowed_uses = [
+  ]
+
+}