Apply custom plugin via KongIngress

Is there a way to setup a custom plugin for kong (I’m trying to use the nokia-oidc plugin, https://github.com/nokia/kong-oidc) when an ingress is created for the Kong-Ingress-Controller? Currently my ingress yml file looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echochamber-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /echochamber
        backend:
          serviceName: echochamber-service
          servicePort: 8080

I have a script that will set up the plugin on the service using curl commands like so:

curl -s -X POST --url "http://$KONG_HOSTNAME:$KONG_PORT/services/$SERVICE_NAME/plugins" \
 -d "name=oidc" \
 -d "config.discovery=$WELL_KNOWN_URL" \
 -d "config.introspection_endpoint=$INTROSPECTION_URL" \
 -d "config.client_id=$CLIENT_NAME" \
 -d "config.client_secret=$CLIENT_SECRET" \
 -d "config.realm=$REALM" &> /dev/null

After a little while, though, the plugin is removed from the service that is created in Kong. Is there a way to set up the same plugin using something like this so it stays applied:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
config:
  ???

Custom plugins can be added to the ingress controller via volume mounts and environment variable configuration. Note that these need to be added to both the kong Deployment and the ingress-kong Deployment, as the ingress controller uses a split deployment with separate Kong nodes for the admin API and proxy.

You’ll need to first create a ConfigMap to hold your plugin source with something like kubectl create configmap custom-plugins --from-file=/path/to/kong-plugin-hello/ --namespace kong

After, the volume configuration in the Kong deployment will look something like:

        image: kong:1.0.2-centos
        volumeMounts:
          - name: custom-plugin-vol
            mountPath: /kong-plugins/kong/plugins/
        env:
          - name: KONG_LUA_PACKAGE_PATH
            value: "/kong-plugins/?.lua;;"
          - name: KONG_CUSTOM_PLUGINS
            value: hello-world

      volumes:
        - name: custom-plugin-vol
          configMap:
            name: custom-plugins
            items:
              - key: handler.lua
                path: hello-world/handler.lua
              - key: schema.lua
                path: hello-world/schema.lua

With that deployed, you can add Ingress objects normally, with annotations to load the plugin and specify configuration as you would with any standard plugin.

Note that there are some caveats to updating ConfigMaps that you’ll need to take into account pending Kubernetes feature requests:


You can alternately build a custom Docker image, starting from one of the standard Kong images and copying the plugin files over. The environment variables should still be added, but the volumeMounts/configMaps can be removed.

Also, a side note: when you are applying a plugin resource in the Ingress Controller, you will need to specify the plugin field as well. The metadata.name field is used to attach the plugin resource to a service/route/consumer resource, and it isn’t the same as name in the Kong Admin API. The plugin field specifies the actual plugin you want to create; in your case it will be oidc.

So the CRD will be:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc-for-echochamber
config:
  ???
plugin: oidc

Then patch your service/route you want to apply that plugin to:

kubectl patch svc echochamber-service \
  -p '{"metadata":{"annotations":{"plugins.konghq.com": "oidc-for-echochamber\n"}}}'
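Added example (not from the thread or from Kong): a pre-deploy check that the container sets an image, the plugin is enabled, and the ConfigMap files land where KONG_LUA_PACKAGE_PATH will look for kong.plugins.<name>.handler and schema. The manifest data is constructed from the hello-world snippet above; the function names are hypothetical, and only ConfigMap volumes with explicit items are handled.

```python
# Constructed manifest fragment mirroring the hello-world example in the thread.
CONTAINER = {
    "image": "kong:1.0.2-centos",
    "volumeMounts": [{"name": "custom-plugin-vol",
                      "mountPath": "/kong-plugins/kong/plugins/"}],
    "env": [{"name": "KONG_LUA_PACKAGE_PATH", "value": "/kong-plugins/?.lua;;"},
            {"name": "KONG_CUSTOM_PLUGINS", "value": "hello-world"}],
}
VOLUMES = [{"name": "custom-plugin-vol", "configMap": {"name": "custom-plugins", "items": [
    {"key": "handler.lua", "path": "hello-world/handler.lua"},
    {"key": "schema.lua", "path": "hello-world/schema.lua"}]}}]


def mounted_files(container, volumes):
    """Absolute paths at which the ConfigMap items appear inside the container."""
    by_name = {v["name"]: v for v in volumes}
    files = set()
    for mount in container.get("volumeMounts", []):
        vol = by_name.get(mount["name"], {})
        for item in vol.get("configMap", {}).get("items", []):
            files.add(mount["mountPath"].rstrip("/") + "/" + item["path"])
    return files


def check_plugin(container, volumes, plugin):
    """Return the problems that would stop Kong from loading `plugin`."""
    problems = []
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    if not container.get("image"):
        problems.append("container has no image")
    enabled = env.get("KONG_PLUGINS", "") + "," + env.get("KONG_CUSTOM_PLUGINS", "")
    if plugin not in [p.strip() for p in enabled.split(",")]:
        problems.append(f"{plugin} not listed in KONG_PLUGINS/KONG_CUSTOM_PLUGINS")
    files = mounted_files(container, volumes)
    templates = [t for t in env.get("KONG_LUA_PACKAGE_PATH", "").split(";") if t]
    for part in ("handler", "schema"):
        # Lua replaces "?" with the module name, dots turned into "/".
        module = f"kong/plugins/{plugin}/{part}"
        if not any(t.replace("?", module) in files for t in templates):
            problems.append(f"kong.plugins.{plugin}.{part} not found on package path")
    return problems


if __name__ == "__main__":
    print(check_plugin(CONTAINER, VOLUMES, "hello-world") or "ok")
```

A plugin installed into the image with luarocks is found through the default path (the trailing ";;"), so this check applies only to plugins delivered by ConfigMap.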

I had already gone down the path of building a custom Docker image with the oidc plugin built in.

FROM kong:0.14.1
RUN luarocks install kong-oidc
RUN sh -c "echo 'plugins = bundled,oidc' >> /etc/kong/kong.conf"

It looks like the main thing I was missing is the environment variables in the yaml file. Would I need the KONG_LUA_PACKAGE_PATH value or is KONG_CUSTOM_PLUGINS sufficient?

Any update on your progress? I’m trying to do exactly this and still not quite there. I have a custom docker image but when trying to start the image it is looking for DB config and I want to run in db-less mode.

Any help will be greatly appreciated.

Sadly no, we ended up switching to Istio for ingress control, so this issue became moot.

Thanks for the reply, I guess I’ll have to look for alternatives.

You can easily set up custom plugins with Kong Ingress Controller.
Here is a handy guide to set up plugins via ConfigMaps:

Kong and the Ingress Controller do not differentiate between a plugin that is bundled with Kong and a plugin that is installed by a user. They are exactly the same. The only challenge is to ensure that the plugin is installed in the file system and that the plugins property is configured.

I have created the custom plugin using this reference, https://medium.com/swlh/creating-and-installing-custom-lua-plugins-in-kong-ce7fd64d33bf, and we are successfully able to build and deploy the plugin in Kong 2.0 using a Docker image.

Now we are trying to deploy the same plugin in Kong as an ingress controller (we are using AKS), but I am facing an issue.

What we have done so far:

  • Created the ConfigMap and are successfully able to describe it by following the above steps

  • Now we are trying to deploy the same plugin but are facing an issue if we follow the above steps. The deployment file looks like:

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-ingress-custom-plugin
  namespace: konga-test
spec:
  selector:
    matchLabels:
      app: konga-test
  template:
    metadata:
      name: kong-ingress-custom-plugin
      labels:
        app: kong-ingress-custom-plugin
    spec:
      containers:
      - name: proxy
        env:
        - name: KONG_PLUGINS
          value: 'bundled,cutom-auth'
        - name: KONG_LUA_PACKAGE_PATH
          value: /opt/?.lua;;
        volumeMounts:
        - name: kong-plugin-cutom-auth
          mountPath: /opt/kong/plugins/cutom-auth
      volumes:
      - name: kong-plugin-cutom-auth
        configMap:
          name: kong-plugin-cutom-auth
          defaultMode: 755

We are executing the command below to apply the change:

kubectl apply -f miniorange-auth-deployment.yaml --validate=false

And the error we got:

The Deployment “kong-plugin-miniorange-auth” is invalid: spec.template.spec.containers[0].image: Required value

Here I don’t understand: if we created the ConfigMap for the same plugin, then why is it asking for a Docker image?

Kindly assist.

Thanks & Regards
Jaiswar Vipin Kumar R.

After updating the YAML, the custom plugin finally got installed, but after that we got the next issue. Now the same Pod, Deployment and ReplicaSet are throwing "CrashLoopBackOff". After checking the log of the pod we got the following error.

init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:389: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: connection refused stack traceback:

The updated YAML is:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-ingress-custom-plugin
  namespace: konga-test
spec:
  selector:
    matchLabels:
      app: konga-test
  replicas: 1
  template:
    metadata:
      name: kong-ingress-custom-plugin
      labels:
        app: kong-ingress-custom-plugin
    spec:
      containers:
      - name: proxy
        image: 'kong:2.0'
        volumeMounts:
        - name: kong-plugin-custom-auth
          mountPath: /opt/kong/plugins/kong-plugin-custom-auth
        env:
        - name: KONG_PG_DATABASE
          value: kong
        - name: KONG_PG_HOST
          value: postgres
        - name: KONG_PG_PORT
          value: '5432'
        - name: KONG_PG_PASSWORD
          value: kong
        - name: KONG_PG_USER
          value: kong
        - name: KONG_LOG_LEVEL
          value: info
        - name: KONG_PLUGINS
          value: 'bundled,kong-plugin-custom-auth'
        - name: KONG_LUA_PACKAGE_PATH
          value: /etc/?./opt/?.lua;;
      volumes:
      - name: kong-plugin-custom-auth
        configMap:
          name: kong-plugin-custom-auth
          defaultMode: 755

Thanks & Regards
Jaiswar Vipin Kumar R.