Kong / charts

Helm chart for Kong
Apache License 2.0

dbless config doesn't work, no documentation for details #933

Closed tirelibirefe closed 10 months ago

tirelibirefe commented 10 months ago

Hello, I would like to install Kong with DB-less config within a POC evaluation. When I attempt to install Kong Helm Chart 2.31.0 on EKS 1.28, I get the following error message:

helm upgrade --install kong -n kong . \
  --set dblessConfig.config=kong.yml \
  --create-namespace

k logs -n kong kong-kong-698cb54cb-qjjw4
Defaulted container "proxy" out of: proxy, clear-stale-pid (init)
2023/11/08 11:33:55 [warn] 1#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /kong_prefix/nginx.conf:7
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /kong_prefix/nginx.conf:7
2023/11/08 11:33:55 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:652: error parsing declarative config file /kong_dbless/kong.yml:
failed parsing declarative configuration: expected an object
stack traceback:
    [C]: in function 'error'
    /usr/local/share/lua/5.1/kong/init.lua:652: in function 'init'
    init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:652: error parsing declarative config file /kong_dbless/kong.yml:
failed parsing declarative configuration: expected an object
stack traceback:
    [C]: in function 'error'
    /usr/local/share/lua/5.1/kong/init.lua:652: in function 'init'
    init_by_lua:3: in main chunk

I see there are many complaints about DB-less configuration since 2019, but all workarounds are for Docker or Linux installations. Unfortunately I couldn't find any workaround or solid solution.

There are mentions of kong.yml, but it is not something configurable in the Helm Chart. If it must be prepared manually, all fields (url, path) are blurry and not defined properly in any documentation.

  # # _format_version: "1.1"
  # # services:
  # #   # Example configuration
  # #   # - name: example.com
  # #   #   url: http://example.com
  # #   #   routes:
  # #   #   - name: example
  # #   #     paths:
  # #   #     - "/example"

Could you please suggest a workaround and indicate something I missed?

Thanks & Regards

pmalek commented 10 months ago

Hi @tirelibirefe

Do you mind attaching the config file that you're trying to use in this configuration so that we can assess what might be wrong with it?

You can always refer to https://docs.konghq.com/gateway/3.4.x/production/deployment-topologies/db-less-and-declarative-config/ for more information on the declarative config schema and how to manage it.

As mentioned in the docs, you can also use deck yourself to check via deck gateway validate what's wrong with your config.

tirelibirefe commented 10 months ago

Hello @pmalek Thanks for your response and feedback. Here is my values.yaml file:

deployment:
  kong:
    enabled: true
  serviceAccount:
    create: true
    automountServiceAccountToken: false
  test:
    enabled: false
  daemonset: false
  hostNetwork: false
  prefixDir:
    sizeLimit: 256Mi
  tmpDir:
    sizeLimit: 1Gi
env:
  database: "off"
  router_flavor: "traditional"
  nginx_worker_processes: "2"
  proxy_access_log: /dev/stdout
  admin_access_log: /dev/stdout
  admin_gui_access_log: /dev/stdout
  portal_api_access_log: /dev/stdout
  proxy_error_log: /dev/stderr
  admin_error_log: /dev/stderr
  admin_gui_error_log: /dev/stderr
  portal_api_error_log: /dev/stderr
  prefix: /kong_prefix/
  plugins: "bundled,oidc"
extraLabels: {}
image:
  repository: kong
  tag: "3.4"
  effectiveSemver:
  pullPolicy: IfNotPresent
admin:
  enabled: false
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  http:
    enabled: false
    servicePort: 8001
    containerPort: 8001
    parameters: []
  tls:
    enabled: true
    servicePort: 8444
    containerPort: 8444
    parameters:
    - http2
    client:
      caBundle: ""
      secretName: ""
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
status:
  enabled: true
  http:
    enabled: true
    containerPort: 8100
    parameters: []
  tls:
    enabled: false
    containerPort: 8543
    parameters: []
clusterCaSecretName: ""
cluster:
  enabled: false
  annotations: {}
  labels: {}
  tls:
    enabled: false
    servicePort: 8005
    containerPort: 8005
    parameters: []
  type: ClusterIP
  loadBalancerClass:
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
proxy:
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  nameOverride: ""
  annotations: {}
  labels:
    enable-metrics: "true"
  http:
    enabled: true
    servicePort: 80
    containerPort: 8000
    parameters: []
  tls:
    enabled: true
    servicePort: 443
    containerPort: 8443
    parameters:
    - http2
  stream: []
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations: {}
    labels: {}
    hostname: newerapi.dev-hub.myawesomecompany.com
    path: /
    pathType: ImplementationSpecific
    hosts: []
udpProxy:
  enabled: false
  type: LoadBalancer
  loadBalancerClass:
  annotations: {}
  labels: {}
  stream: []
plugins: {}
secretVolumes: []
migrations:
  preUpgrade: true
  postUpgrade: true
  annotations:
    sidecar.istio.io/inject: false
  jobAnnotations: {}
  backoffLimit:
  resources: {}
dblessConfig:
  configMap: ""
  secret: ""
  config: |
  _format_version: "1.1"
  services:
    # Example configuration
    - name: noidea.com
      url: http://noidea.com
      routes:
      - name: whatroute
        paths:
        - "/whatpath"
  # Optionally specify any extra sidecar containers to be included in the
  # migration jobs
  # See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
  sidecarContainers:
    - name: sidecar
      image: sidecar:latest
ingressController:
  enabled: false
  image:
    repository: kong/kubernetes-ingress-controller
    tag: "3.0"
    effectiveSemver:
  args: []
  gatewayDiscovery:
    enabled: false
    generateAdminApiService: false
    adminApiService:
      namespace: ""
      name: ""
  watchNamespaces: []
  env:
    kong_admin_tls_skip_verify: true
  admissionWebhook:
    enabled: true
    failurePolicy: Ignore
    port: 8080
    certificate:
      provided: false
    namespaceSelector: {}
    service:
      labels: {}
  ingressClass: kong
  ingressClassAnnotations: {}
  rbac:
    create: true
  livenessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  readinessProbe:
    httpGet:
      path: "/readyz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  resources: {}
  konnect:
    enabled: false
    runtimeGroupID: ""
    apiHostname: "us.kic.api.konghq.com"
    tlsClientCertSecretName: "konnect-client-tls"
    license:
      enabled: false
  adminApi:
    tls:
      client:
        enabled: false
        certProvided: false
        secretName: ""
        caSecretName: ""
postgresql:
  enabled: false
  auth:
    username: kong
    database: kong
  image:
    tag: 13.11.0-debian-11-r20
  service:
    ports:
      postgresql: "5432"
certificates:
  enabled: false
  issuer: ""
  clusterIssuer: ""
  proxy:
    enabled: false
    issuer: ""
    clusterIssuer: ""
    commonName: "app.example"
    dnsNames: []
  admin:
    enabled: true
    issuer: ""
    clusterIssuer: ""
    commonName: "kong.example"
    dnsNames: []
  portal:
    enabled: true
    issuer: ""
    clusterIssuer: ""
    commonName: "developer.example"
    dnsNames: []
  cluster:
    enabled: true
    issuer: ""
    clusterIssuer: ""
    commonName: "kong_clustering"
    dnsNames: []
waitImage:
  enabled: true
  pullPolicy: IfNotPresent
updateStrategy: {}
resources: {}
readinessProbe:
  httpGet:
    path: "/status/ready"
    port: status
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
livenessProbe:
  httpGet:
    path: "/status"
    port: status
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
lifecycle:
  preStop:
    exec:
      command:
        - kong
        - quit
        - '--wait=15'
terminationGracePeriodSeconds: 30
tolerations: []
nodeSelector: {}
podAnnotations:
  kuma.io/gateway: enabled
  traffic.sidecar.istio.io/includeInboundPorts: ""
podLabels: {}
replicaCount: 1
deploymentAnnotations: {}
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 5
  behavior: {}
  targetCPUUtilizationPercentage:
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
podDisruptionBudget:
  enabled: false
podSecurityPolicy:
  enabled: false
  labels: {}
  annotations: {}
  spec:
    privileged: false
    fsGroup:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    runAsGroup:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
      - 'configMap'
      - 'secret'
      - 'emptyDir'
      - 'projected'
    allowPrivilegeEscalation: false
    hostNetwork: false
    hostIPC: false
    hostPID: false
    readOnlyRootFilesystem: true
priorityClassName: ""
securityContext: {}
containerSecurityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsUser: 1000
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
    - ALL
serviceMonitor:
  enabled: false
enterprise:
  enabled: false
  vitals:
    enabled: true
  portal:
    enabled: false
  rbac:
    enabled: false
    admin_gui_auth: basic-auth
    session_conf_secret: kong-session-config
    admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
  smtp:
    enabled: false
    portal_emails_from: none@example.com
    portal_emails_reply_to: none@example.com
    admin_emails_from: none@example.com
    admin_emails_reply_to: none@example.com
    smtp_admin_emails: none@example.com
    smtp_host: smtp.example.com
    smtp_port: 587
    smtp_auth_type: ''
    smtp_ssl: nil
    smtp_starttls: true
    auth:
      smtp_username: ''  # e.g. postmaster@example.com
      smtp_password_secret: CHANGEME-smtp-password
manager:
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  http:
    enabled: true
    servicePort: 8002
    containerPort: 8002
    parameters: []
  tls:
    enabled: false
    servicePort: 8445
    containerPort: 8445
    parameters:
    - http2
  ingress:
    enabled: true
    ingressClassName: nginx
    hostname: kong.dev-hub.myawesomecompany.com
    annotations: {}
    path: /
    pathType: ImplementationSpecific
portal:
  enabled: false
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  http:
    enabled: true
    servicePort: 8003
    containerPort: 8003
    parameters: []
  tls:
    enabled: true
    servicePort: 8446
    containerPort: 8446
    parameters:
    - http2
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
portalapi:
  enabled: true
  type: ClusterIP
  loadBalancerClass:
  annotations: {}
  labels: {}
  http:
    enabled: true
    servicePort: 8004
    containerPort: 8004
    parameters: []
  tls:
    enabled: true
    servicePort: 8447
    containerPort: 8447
    parameters:
    - http2
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
clustertelemetry:
  enabled: false
  annotations: {}
  labels: {}
  tls:
    enabled: false
    servicePort: 8006
    containerPort: 8006
    parameters: []
  type: ClusterIP
  loadBalancerClass:
  ingress:
    enabled: false
    ingressClassName:
    hostname:
    annotations: {}
    path: /
    pathType: ImplementationSpecific
extraConfigMaps: []
extraSecrets: []
extraObjects: []

pmalek commented 10 months ago

Thanks for sending that over. I'll just comment that helm's values provided by the user are meant to just specify the fields that you want to override. As I can see from the file that you've sent, that seems to be the full (or at least a big portion of it) values.yaml that we provide, with some customizations.

That's not following the best practices of using helm because you may e.g. easily drift with your values and defaults provided by chart maintainers.

So e.g. the last 3 values (and most of the rest as well) don't need to be specified because they are already set to the same values in the chart:

https://github.com/Kong/charts/blob/136deb54ee395e1f29d306419949c599f6dbd49f/charts/kong/values.yaml#L1216-L1236

This way it's also hard to figure out what are the actual user provided values and which are "copy pasted".

tirelibirefe commented 10 months ago

Hello @pmalek Currently I don't need to add anything under extraSecrets, extraConfigMaps, extraObjects etc.

Pods are stuck in the initial state and the installation cannot be completed.

The point I would like to access is just to have a working "db-less Kong installation"; "running" pods. I don't want to define any routing, any forwarding, any authentication, any fancy stuff, I don't want to configure anything else at beginning.

Regarding my minimal expectation, could you please advise a minimal configuration sample? I would be very appreciative.

Thanks

pmalek commented 10 months ago

If you want "nothing fancy" and "just make it work" then the ingress chart is the way to go:

helm upgrade --install --create-namespace -n kong kong kong/ingress

Should work out of the box. This will install KIC + Kong Gateway in a dbless setting.

pmalek commented 10 months ago

If you'd like to explore example values for either of our charts you can find those in

tirelibirefe commented 10 months ago

Hello @pmalek, thanks again for your kind feedback even if you were mad at me.

This chart enables the ingress controller. I don't want to enable the ingress controller.

I think I was misunderstood. I would like to evaluate the "API gateway / API management" features of Kong. My purpose is not to have an ingress controller. As I assumed "proxy" is Kong itself, I don't want to exclude it from my installation.

...anyway, I found the problem.

Indentation is wrong in the example config, I fixed it and it works now.

Thanks & Regards
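The indentation defect found above, as an added check that is not part of the chart or of anyone's post in this thread: a small linter that flags a `key: |` block scalar whose following lines are not indented deeper than the key. With that layout YAML yields an empty string for `config` and the intended content becomes sibling keys, so Kong reads an empty declarative file and reports "expected an object". The two sample values snippets are constructed from the issue.

```python
"""Lint Helm values for a block scalar (key: |) whose body is mis-indented."""
import re

# Constructed sample: the layout from the issue, where the body sits at the
# same indentation as `config` and therefore is NOT part of the scalar.
BROKEN_VALUES = """\
dblessConfig:
  configMap: ""
  config: |
  _format_version: "1.1"
  services:
    - name: noidea.com
      url: http://noidea.com
"""

# Constructed sample: the same block with the body indented past the key,
# which is what makes `config` a non-empty declarative config.
FIXED_VALUES = """\
dblessConfig:
  configMap: ""
  config: |
    _format_version: "1.1"
    services:
      - name: noidea.com
        url: http://noidea.com
"""

# Matches `  key: |`, `key: >-`, `key: |2` etc. (block scalar indicators).
BLOCK_KEY = re.compile(r"^( *)([A-Za-z_][\w.-]*):[ \t]*[|>][+\-0-9]*[ \t]*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_empty_block_scalars(text: str) -> list[tuple[int, str]]:
    """Return (line_number, key) for every block scalar whose first non-blank
    following line is not indented deeper than the key itself."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = BLOCK_KEY.match(line)
        if not m:
            continue
        key_indent = len(m.group(1))
        body = next((l for l in lines[i + 1:] if l.strip()), None)
        if body is None or _indent(body) <= key_indent:
            findings.append((i + 1, m.group(2)))
    return findings
```

Running `find_empty_block_scalars` over the full values.yaml from the thread would report line 207's `config` key, which is the line to re-indent.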

pmalek commented 10 months ago

A simple values file like so should get you going:

image:
  repository: kong/kong-gateway
  tag: "3.4"

admin:
  # Enable creating a Kubernetes service for the admin API
  # Enterprise users that wish to use Kong Manager with the controller should enable this
  enabled: true
  type: NodePort

readinessProbe:
  httpGet:
    # Configure this to get Kong Gateway immediately ready. By default /status/ready is used
    # ref: https://docs.konghq.com/gateway/latest/production/monitoring/readiness-check
    path: "/status"
    port: status
    scheme: HTTP

env:
  database: "off"

ingressController:
  enabled: false

Please note that you have to decide what's your preferred way of configuring the Gateway. This way you can configure it through the Admin API (which in this values.yaml file is configured to be exposed as a NodePort Service).

I hope that helps. Let us know if you have any other questions.

tirelibirefe commented 10 months ago

Thank you @pmalek DBless works and now I am working on "...with external Postgres" option. I have a problem here which I am looking for help.

pmalek commented 10 months ago

👍

Can we close this one then?

tirelibirefe commented 10 months ago

sure

rsouzabossabox commented 1 month ago

Thank you, DBless works and now I am working on the "...with external Postgres" option. I have a problem here which I am looking for help with.

@tirelibirefe Could you leave an example of the error, I'm having the same problem. What example worked?