feat: add offline package workflow for kong gateway

2025-09-13 15:14:25 +08:00 · 2025-09-13 15:14:25 +08:00 · 1c2f62f10c
commit 1c2f62f10c
parent 7e2c8112c7
2 changed files with 267 additions and 0 deletions
--- a/.github/workflows/offline-package-kong-gateway.yaml
+++ b/.github/workflows/offline-package-kong-gateway.yaml
@ -0,0 +1,104 @@
+name: Build Offline Kong Gateway Installer
+
+on:
+  push:
+    paths:
+      - 'gitops/scripts/kong-gateway/deploy-kong-gateway.sh'
+      - '.github/workflows/offline-package-kong-gateway.yaml'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag to use/sync (e.g., v0.1.0). Leave empty to use offline-kong-gateway-<run_number>"
+        required: false
+        type: string
+      gateway_tag:
+        description: "Kong Gateway image tag. Default: 3.7"
+        required: false
+        type: string
+      kic_tag:
+        description: "Kubernetes Ingress Controller image tag. Default: 3.2"
+        required: false
+        type: string
+      chart_version:
+        description: "Override helm chart version for kong/ingress"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+
+concurrency:
+  group: build-offline-kong-gateway
+  cancel-in-progress: false
+
+jobs:
+  build-offline-installer:
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+    runs-on: ubuntu-latest
+    env:
+      GATEWAY_TAG: ${{ github.event.inputs.gateway_tag || '3.7' }}
+      KIC_TAG: ${{ github.event.inputs.kic_tag || '3.2' }}
+      CHART_VERSION: ${{ github.event.inputs.chart_version }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install deps (curl, helm)
+        run: |
+          set -euo pipefail
+          sudo apt-get update -y
+          sudo apt-get install -y curl
+          curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+          helm version
+
+      - name: Add helm repo
+        run: |
+          set -euo pipefail
+          helm repo add kong https://charts.konghq.com
+          helm repo update
+
+      - name: Prepare directories
+        run: |
+          set -euo pipefail
+          mkdir -p offline-installer/{images,charts,scripts,bin}
+
+      - name: Stage deploy script
+        run: |
+          set -euo pipefail
+          cp gitops/scripts/kong-gateway/deploy-kong-gateway.sh offline-installer/scripts/
+          chmod +x offline-installer/scripts/deploy-kong-gateway.sh
+
+      - name: Download nerdctl binary for ${{ matrix.arch }}
+        run: |
+          set -euo pipefail
+          wget https://github.com/containerd/nerdctl/releases/download/v2.0.3/nerdctl-2.0.3-linux-${{ matrix.arch }}.tar.gz -O offline-installer/nerdctl.tar.gz
+
+      - name: Pull & export required images
+        run: |
+          set -euo pipefail
+          docker pull "kong/kong-gateway:${GATEWAY_TAG}"
+          docker pull "kong/kubernetes-ingress-controller:${KIC_TAG}"
+
+          docker save "kong/kong-gateway:${GATEWAY_TAG}" -o offline-installer/images/kong-gateway.tar
+          docker save "kong/kubernetes-ingress-controller:${KIC_TAG}" -o offline-installer/images/kic.tar
+
+      - name: Download Helm Chart (kong/ingress)
+        run: |
+          set -euo pipefail
+          if [ -n "${CHART_VERSION}" ]; then
+            helm pull kong/ingress --version="${CHART_VERSION}" --untar --untardir offline-installer/charts
+          else
+            helm pull kong/ingress --untar --untardir offline-installer/charts
+          fi
+
+      - name: Create offline package
+        run: |
+          set -euo pipefail
+          tar -C offline-installer -czf offline-setup-kong-gateway-${{ matrix.arch }}.tar.gz .
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: offline-setup-kong-gateway-${{ matrix.arch }}
+          path: offline-setup-kong-gateway-${{ matrix.arch }}.tar.gz
--- a/gitops/scripts/kong-gateway/deploy-kong-gateway.sh
+++ b/gitops/scripts/kong-gateway/deploy-kong-gateway.sh
@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Install Gateway API CRDs
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
+
+# Setup Helm repository and values
+helm repo add kong https://charts.konghq.com
+helm repo update
+cat > kong-values.yaml <<'VEOF'
+kong:
+  secretVolumes:
+    - onwalk-tls
+  env:
+    ssl_cert: /etc/secrets/onwalk-tls/tls.crt
+    ssl_cert_key: /etc/secrets/onwalk-tls/tls.key
+VEOF
+
+kubectl create ns kong || true
+kubectl create secret tls onwalk-tls --cert=/etc/ssl/onwalk.net.pem --key=/etc/ssl/onwalk.net.key -n kong
+helm upgrade --install kong kong/ingress -n kong --create-namespace -f kong-values.yaml
+
+# Expose Kong proxy via NodePort and external IP
+kubectl patch svc kong-gateway-proxy -n kong \
+  --type='merge' \
+  -p '{
+    "spec": {
+      "type": "NodePort",
+      "ports": [
+        {
+          "port": 80,
+          "targetPort": 8000,
+          "protocol": "TCP",
+          "name": "http",
+          "nodePort": 80
+        },
+        {
+          "port": 443,
+          "targetPort": 8443,
+          "protocol": "TCP",
+          "name": "https",
+          "nodePort": 443
+        }
+      ]
+    }
+  }'
+
+kubectl patch svc kong-gateway-proxy -n kong \
+  --type='merge' \
+  -p '{
+    "spec": {
+      "externalIPs": [
+        "47.120.61.35"
+      ]
+    }
+  }'
+
+kubectl patch deployment kong-gateway -n kong \
+  --type='merge' \
+  -p '{
+    "spec": {
+      "template": {
+        "spec": {
+          "nodeName": "icp-aliyun.svc.plus"
+        }
+      }
+    }
+  }'
+
+# Configure GatewayClass and example application
+cat <<'YEOF' | kubectl apply -f -
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: kong
+ annotations:
+   konghq.com/gatewayclass-unmanaged: 'true'
+
+spec:
+ controllerName: konghq.com/kic-gateway-controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:latest
+          ports:
+            - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-svc
+  namespace: default
+spec:
+  selector:
+    app: nginx
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  type: ClusterIP
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: demo-gateway
+  namespace: default
+  annotations:
+    konghq.com/publish-service: kong/kong-gateway-proxy
+spec:
+  gatewayClassName: kong
+  listeners:
+    - name: https
+      port: 443
+      protocol: HTTPS
+      hostname: "demo.onwalk.net"
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: onwalk-tls
+      allowedRoutes:
+        namespaces:
+          from: All
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: demo-route
+  namespace: default
+spec:
+  parentRefs:
+    - name: demo-gateway
+      namespace: default
+  hostnames:
+    - demo.onwalk.net
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: nginx-svc
+          port: 80
+YEOF
+
+kubectl label nodes icp-aliyun.svc.plus ingress-node=true
+
+curl -ksv https://demo.onwalk.net/ --resolve demo.onwalk.net:443:172.30.0.10