Apply custom plugin via KongIngress


Is there a way to setup a custom plugin for kong (I’m trying to use the nokia-oidc plugin, when an ingress is created for the Kong-Ingress-Controller? Currently my ingress yml file looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
  name: echochamber-ingress
  annotations: /
  - http:
      - path: /echochamber
          serviceName: echochamber-service
          servicePort: 8080

I have a script that will set up the pluing on the service using curl commands like so:

curl -s -X POST --url "http://$KONG_HOSTNAME:$KONG_PORT/services/$SERVICE_NAME/plugins" \
 -d "name=oidc" \
 -d "config.discovery=$WELL_KNOWN_URL" \
 -d "config.introspection_endpoint=$INTROSPECTION_URL" \
 -d "config.client_id=$CLIENT_NAME" \
 -d "config.client_secret=$CLIENT_SECRET" \
 -d "config.realm=$REALM" &> /dev/null

After a little while though the plugin is removed from the service that is created in kong. Is there a way to setup the same plugin using something like this so it stays applied:

kind: KongPlugin
  name: oidc


Custom plugins can be added to the ingress controller via volume mounts and environment variable configuration. Note that these need to be added to both the kong Deployment and the ingress-kong Deployment, as the ingress controller uses a split deployment with separate Kong nodes for the admin API and proxy.

You’ll need to first create a configMap to hold your plugin source with something like kubectl create configmap custom-plugins --from-file=/path/to/kong-plugin-hello/ --namespace kong .

After, the volume configuration in the Kong deployment will look something like:

        image: kong:1.0.2-centos
          - name: custom-plugin-vol
            mountPath: /kong-plugins/kong/plugins/
          - name: KONG_LUA_PACKAGE_PATH
            value: "/kong-plugins/?.lua;;"
          - name: KONG_CUSTOM_PLUGINS
            value: hello-world

        - name: custom-plugin-vol
            name: custom-plugins
              - key: handler.lua
                path: hello-world/handler.lua
              - key: schema.lua
                path: hello-world/schema.lua

With that deployed, you can add Ingress objects normally, with annotations to load the plugin and specify configuration as you would with any standard plugin.

Note that there are some caveats to updating ConfigMaps that you’ll need to take into account pending Kubernetes feature requests:

You can alternately build a custom Docker image, starting from one of the standard Kong images and copying the plugin files over. The environment variables should still be added, but the volumeMounts/configMaps can be removed.


Also a side node that when you applying a plugin resource in Ingress Controller, you will need to specify the plugin field as well. The field is used to attach the plugin resource to a service/route/consumer resource, and it doesn’t equal to name in Kong Admin API. The plugin field specifies the actual plugin you want to create, in your case it will be oidc.

So the CRUD will be:

kind: KongPlugin
  name: oidc-for-echochamber
plugin: oidc

Then patch your service/route you want to apply that plugin to:

kubectl patch svc echochamber-service \
  -p '{"metadata":{"annotations":{"": "oidc-for-echochamber\n"}}}'


I had already went down the path of building a custom docker image with the oidc plugin built in.

FROM kong:0.14.1
RUN luarocks install kong-oidc
RUN sh -c “echo ‘plugins = bundled,oidc’ >> /etc/kong/kong.conf”

It looks like the main thing I was missing is the environment variables in the yaml file. Would I need the KONG_LUA_PACKAGE_PATH value or is KONG_CUSTOM_PLUGINS sufficient?