Kong Gateway on GKE offloading to Cloud Run
Introduction
This blueprint deploys the Kong API Gateway on GKE with a workload running on Cloud Run. Workloads usually run on GKE together with the gateway, but some use cases may benefit from running on Cloud Run, such as handling spiky workloads or optimizing costs.
Requirements
This blueprint assumes the GKE cluster already exists. We recommend using the accompanying Autopilot Cluster Pattern to deploy a cluster according to Google's best practices. Once you have the cluster up and running, you can use this blueprint to deploy Kong on it.
Kong Gateway Configuration
This blueprint deploys Kong following the instructions in the official documentation. These instructions configure Kong Gateway to use separate control plane and data plane deployments. You can adjust this configuration by directly modifying the YAML manifests under the manifest-templates directory.
The Cloud Run service is exposed behind an Internal Application Load Balancer to provide a custom domain and an HTTPS certificate to Kong. The LB certificate is managed through Google Cloud Certificate Authority Service. CA Service lets you integrate Kong more closely with Google Cloud while managing your own private PKI.
To ease deployment and use of this blueprint, a Kubernetes Job is created to automatically configure Kong HTTP routing via its Admin API so that it points to Cloud Run. Once deployed, you can use the following command to get the public IP of the Kong gateway, which is the IP of a LoadBalancer service. Simply point your browser to that IP to visit the web page offered by Cloud Run. For a production-ready installation, please refer to the official Kong Gateway documentation.
```bash
$ kubectl get service --namespace kong kong-dp-kong-proxy
```
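Because the gateway is published on a public LoadBalancer IP while the configuration Job relies on the Admin API, it is worth confirming that only the proxy Service is reachable from outside the cluster. The script below is an added example, not part of the blueprint: it assumes Kong's default Admin API ports (8001 and 8444), and every Service name in the sample other than `kong-dp-kong-proxy` is constructed.

```python
"""Flag Kong Services that are reachable from outside the cluster.

Usage: kubectl get service --namespace kong -o json | python3 audit_kong_services.py
"""
import json
import sys

# Kong's default Admin API listeners (HTTP 8001, HTTPS 8444); adjust if overridden.
ADMIN_PORTS = {8001, 8444}
# The only Service this README describes as public.
EXPECTED_PUBLIC = {"kong-dp-kong-proxy"}
EXTERNAL_TYPES = ("LoadBalancer", "NodePort")

# Constructed sample, not output from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"name": "kong-dp-kong-proxy"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"port": 80, "targetPort": 8000}, {"port": 443, "targetPort": 8443}]}},
    {"metadata": {"name": "kong-cp-kong-admin"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8001, "targetPort": 8001}]}},
    {"metadata": {"name": "kong-cp-kong-cluster"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8005, "targetPort": "cluster"}]}},
]}


def audit_services(service_list):
    """Return (service name, finding) tuples for externally exposed Services."""
    findings = []
    for svc in service_list.get("items", []):
        name = svc.get("metadata", {}).get("name", "<unnamed>")
        spec = svc.get("spec", {})
        if spec.get("type") not in EXTERNAL_TYPES:
            continue  # ClusterIP and similar stay inside the cluster
        ports = set()
        for p in spec.get("ports", []):
            # targetPort may be a named port (string); only compare numbers
            ports.update(v for v in (p.get("port"), p.get("targetPort")) if isinstance(v, int))
        admin = sorted(ports & ADMIN_PORTS)
        if admin:
            findings.append((name, f"Admin API port(s) {admin} exposed via {spec['type']}"))
        elif name not in EXPECTED_PUBLIC:
            findings.append((name, f"unexpected {spec['type']} Service"))
    return findings


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_services(data)
    for name, finding in results:
        print(f"{name}: {finding}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it reports a finding, so it can gate a deployment pipeline.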
Sample Configuration
Use the following template as a starting point for your terraform.tfvars:
```hcl
created_resources = {
  vpc_id    = "projects/prj-host/global/networks/cluster-vpc"
  subnet_id = "projects/prj-host/regions/europe-west1/subnetworks/cluster-default"
}
credentials_config = {
  kubeconfig = {
    path = "~/.kube/config"
  }
}
prefix = "prj"
service_project = {
  project_id = "kong-hello"
}
```
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| created_resources | IDs of the resources created by autopilot cluster to be consumed here. | object({…}) | ✓ | |
| credentials_config | Configure how Terraform authenticates to the cluster. | object({…}) | ✓ | |
| prefix | Prefix used for project names. | string | ✓ | |
| project_id | Host project with autopilot cluster. | string | ✓ | |
| service_project | Service project for Cloud Run service. | object({…}) | ✓ | |
| cloudrun_svcname | Name of the Cloud Run service. | string | | "hello-kong" |
| custom_domain | Custom domain for the Load Balancer. | string | | "acme.org" |
| image | Container image for Cloud Run services. | string | | "us-docker.pkg.dev/cloudrun/container/hello" |
| namespace | Namespace used for Kong cluster resources. | string | | "kong" |
| region | Cloud region where resources will be deployed. | string | | "europe-west1" |
| templates_path | Path where manifest templates will be read from. Set to null to use the default manifests. | string | | null |