Add external-oauth plugin in Kong image fails with permission issue

I was trying to have the external-oauth plugin (mogui/kong-external-oauth: a Kong plugin that lets you use an external OAuth 2.0 provider to protect your API) available in my Kong image. Hence, I tried to customize the image by adding “luarocks install external-oauth”. The image got built successfully, but when I tried running it in my K8s cluster, the proxy container failed with the following error.

kubectl logs -n kong ingress-kong-65588778f5-mcgnt proxy -f

Error: could not prepare Kong prefix at /usr/local/kong: Permission denied

Run with --v (verbose) or --vv (debug) for more details

I checked the file location and could see that the permissions are given correctly.

I hit this yesterday too but haven’t dug into it yet.
Remove the securityContext stanza from your deployment and then it will work correctly.

SecurityContext was not present there in my script. Now, I added the following and the error is gone.

securityContext:
  runAsUser: 0
  runAsGroup: 0

My Kong installation is now up with the external-oauth plugin activated. But now I faced a different error when I configured an ingress to use the same plugin.

My KongPlugin configuration

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: external-oauth
labels:
  global: "false"
  enabled: true
config:
  authorize_url: "https://login.microsoftonline.com/xxxxxx-xxxxxxx-xxxxxx/oauth2/authorize"
  token_url: "https://login.microsoftonline.com/xxxxxx-xxxxxxx-xxxxxx/oauth2/token"
  user_url: "https://login.microsoftonline.com/xxxxxx-xxxxxxx-xxxxxx/oauth2/userinfo"
  client_id: "yyyyyy-yyyyyy-yyyyyyy"
  client_secret: "zzzzzzzzzzzzzzzzzzzz"
  hosted_domain: "my-org-name.onmicrosoft.com"
  user_keys: "email,name,sub,my-custom-claim"
  scopes: "openid+profile+email"
  email_key: "email"
plugin: external-oauth

And, the Ingress configuration as…

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-example-com
  annotations:
    plugins.konghq.com: external-oauth
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /bar
        backend:
          serviceName: echo
          servicePort: 80

I got the response as…

{"message":"An unexpected error occurred"}

Then, when I checked the error log inside the container/pod, I found the following.

2019/12/06 03:47:28 [error] 25#0: *557489 [kong] init.lua:701 …cal/share/lua/5.1/kong/plugins/external-oauth/access.lua:28: attempt to index field ‘api’ (a nil value), client: 10.244.0.0, server: kong, request: “GET /bar/sample HTTP/2.0”, host: “api.example.com:37443
2019/12/06 03:48:20 [error] 25#0: *557489 lua coroutine: runtime error: …cal/share/lua/5.1/kong/plugins/external-oauth/access.lua:28: attempt to index field ‘api’ (a nil value)
stack traceback:
coroutine 0:
…cal/share/lua/5.1/kong/plugins/external-oauth/access.lua: in function ‘run’
…al/share/lua/5.1/kong/plugins/external-oauth/handler.lua:27: in function <…al/share/lua/5.1/kong/plugins/external-oauth/handler.lua:25>
coroutine 1:
[C]: in function ‘resume’
coroutine.wrap:21: in function coroutine.wrap:21
/usr/local/share/lua/5.1/kong/init.lua:694: in function ‘access’
access_by_lua(nginx-kong.conf:93):2: in main chunk, client: 10.244.0.0, server: kong, request: “GET /bar/sample HTTP/2.0”, host: “api.example.com:37443
2019/12/06 03:48:20 [error] 25#0: *557489 [kong] init.lua:701 …cal/share/lua/5.1/kong/plugins/external-oauth/access.lua:28: attempt to index field ‘api’ (a nil value), client: 10.244.0.0, server: kong, request: “GET /bar/sample HTTP/2.0”, host: “api.example.com:37443

What is missing here? Can anyone help, please?

It seems like the plugin is written for Kong versions before 0.14.

You will need to update the plugin’s code to be compatible with 1.x (which comes with a forward compatibility promise).
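
A build-time check for the failure in the log above, added here as an example and not part of the original thread or the plugin's code: it scans a plugin's Lua sources for reads of `ngx.ctx.api`, the field the 1.x error log reports as nil, so an incompatible plugin is caught before it is baked into a custom image. The function names and the sample Lua text are constructed for illustration.

```python
import re
from pathlib import Path

# Field the error log above reports as nil; match dot and bracket access,
# but not longer identifiers such as ngx.ctx.api_key.
LEGACY_API = re.compile(r"""\bngx\.ctx(?:\.api\b|\[\s*["']api["']\s*\])""")

def strip_comments(source):
    """Blank out Lua comments while keeping line numbers stable."""
    # Block comments --[[ ... ]] first, preserving the newlines they span.
    source = re.sub(r"--\[\[.*?\]\]",
                    lambda m: "\n" * m.group(0).count("\n"),
                    source, flags=re.S)
    # Then line comments (naive: ignores "--" inside string literals).
    return re.sub(r"--[^\n]*", "", source)

def find_legacy_refs(source, name="<source>"):
    """Return (name, line_no, text) for each code line reading ngx.ctx.api."""
    original = source.splitlines()
    hits = []
    for no, line in enumerate(strip_comments(source).splitlines(), start=1):
        if LEGACY_API.search(line):
            hits.append((name, no, original[no - 1].strip()))
    return hits

def scan_plugin_dir(root):
    """Scan every .lua file under root, e.g. an unpacked rock."""
    hits = []
    for path in sorted(Path(root).rglob("*.lua")):
        hits += find_legacy_refs(path.read_text(errors="replace"), str(path))
    return hits

# Constructed sample, not the real plugin source.
SAMPLE = '''local _M = {}
--[[ old note:
     ngx.ctx.api was set by the core ]]
function _M.run(conf)
  -- ngx.ctx.api.name is only mentioned in this comment
  local name = ngx.ctx.api.name
  local id = ngx.ctx["api"].id
  return name, id
end
return _M
'''

if __name__ == "__main__":
    for name, no, text in find_legacy_refs(SAMPLE, "access.lua"):
        print(f"{name}:{no}: {text}")
```

A non-empty result from `scan_plugin_dir` is a reason to fail the image build rather than discover the error on the first proxied request.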