Apply custom plugin via KongIngress


#1

Is there a way to set up a custom plugin for Kong (I’m trying to use the nokia-oidc plugin, https://github.com/nokia/kong-oidc) when an ingress is created for the Kong-Ingress-Controller? Currently my ingress yml file looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echochamber-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /echochamber
        backend:
          serviceName: echochamber-service
          servicePort: 8080

I have a script that will set up the plugin on the service using curl commands like so:

curl -s -X POST --url "http://$KONG_HOSTNAME:$KONG_PORT/services/$SERVICE_NAME/plugins" \
 -d "name=oidc" \
 -d "config.discovery=$WELL_KNOWN_URL" \
 -d "config.introspection_endpoint=$INTROSPECTION_URL" \
 -d "config.client_id=$CLIENT_NAME" \
 -d "config.client_secret=$CLIENT_SECRET" \
 -d "config.realm=$REALM" &> /dev/null

After a little while, though, the plugin is removed from the service that is created in Kong. Is there a way to set up the same plugin using something like this so it stays applied:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
config:
  ???

#2

Custom plugins can be added to the ingress controller via volume mounts and environment variable configuration. Note that these need to be added to both the kong Deployment and the ingress-kong Deployment, as the ingress controller uses a split deployment with separate Kong nodes for the admin API and proxy.

You’ll need to first create a configMap to hold your plugin source with something like kubectl create configmap custom-plugins --from-file=/path/to/kong-plugin-hello/ --namespace kong .

After, the volume configuration in the Kong deployment will look something like:

        image: kong:1.0.2-centos
        volumeMounts:
          - name: custom-plugin-vol
            mountPath: /kong-plugins/kong/plugins/
        env:
          - name: KONG_LUA_PACKAGE_PATH
            value: "/kong-plugins/?.lua;;"
          - name: KONG_CUSTOM_PLUGINS
            value: hello-world

      volumes:
        - name: custom-plugin-vol
          configMap:
            name: custom-plugins
            items:
              - key: handler.lua
                path: hello-world/handler.lua
              - key: schema.lua
                path: hello-world/schema.lua

With that deployed, you can add Ingress objects normally, with annotations to load the plugin and specify configuration as you would with any standard plugin.

Note that there are some caveats to updating ConfigMaps that you’ll need to take into account pending Kubernetes feature requests:


You can alternately build a custom Docker image, starting from one of the standard Kong images and copying the plugin files over. The environment variables should still be added, but the volumeMounts/configMaps can be removed.


#3

Also, a side note: when you are applying a plugin resource in the Ingress Controller, you will need to specify the plugin field as well. The metadata.name field is used to attach the plugin resource to a service/route/consumer resource, and it is not the same as the name in the Kong Admin API. The plugin field specifies the actual plugin you want to create; in your case it will be oidc.

So the CRUD will be:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc-for-echochamber
config:
  ???
plugin: oidc

Then patch your service/route you want to apply that plugin to:

kubectl patch svc echochamber-service \
  -p '{"metadata":{"annotations":{"plugins.konghq.com": "oidc-for-echochamber\n"}}}'
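
Added example, not part of the original thread: a shell function that renders the KongPlugin manifest from post #3 using the same environment variables and config keys as the curl script in post #1. The function names `yaml_quote` and `render_oidc_plugin` are hypothetical, and the mapping of the curl `config.*` fields onto the manifest's `config:` block is an assumption based on those two posts.

```sh
# Quote a value as a YAML double-quoted scalar (escapes backslash and ").
yaml_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# render_oidc_plugin NAME
# NAME becomes metadata.name, the value the plugins.konghq.com annotation
# refers to. Fails instead of emitting a manifest with an empty field.
render_oidc_plugin() (
  name="$1"
  [ -n "$name" ] || { echo "usage: render_oidc_plugin NAME" >&2; exit 2; }
  for var in WELL_KNOWN_URL INTROSPECTION_URL CLIENT_NAME CLIENT_SECRET REALM; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || { echo "render_oidc_plugin: $var is not set" >&2; exit 1; }
  done
  # client_secret is stored in clear text in the KongPlugin object, so read
  # access to KongPlugin resources in the namespace exposes it.
  cat <<EOF
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ${name}
config:
  discovery: $(yaml_quote "$WELL_KNOWN_URL")
  introspection_endpoint: $(yaml_quote "$INTROSPECTION_URL")
  client_id: $(yaml_quote "$CLIENT_NAME")
  client_secret: $(yaml_quote "$CLIENT_SECRET")
  realm: $(yaml_quote "$REALM")
plugin: oidc
EOF
)

# Usage (pipe straight to the API server so the secret is not left on disk):
#   render_oidc_plugin oidc-for-echochamber | kubectl apply -f -
```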

#4

I had already gone down the path of building a custom docker image with the oidc plugin built in.

FROM kong:0.14.1
RUN luarocks install kong-oidc
RUN sh -c "echo 'plugins = bundled,oidc' >> /etc/kong/kong.conf"

It looks like the main thing I was missing is the environment variables in the yaml file. Would I need the KONG_LUA_PACKAGE_PATH value or is KONG_CUSTOM_PLUGINS sufficient?