Basic-auth plugin credentials not working - invalid authentication credentials

Hi,

I’am having trouble getting the basic auth plugin working with the kong ingress controller. This is my current setup:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: basic-auth
config:
  hide_credentials: true
plugin: basic-auth
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: cluster-admin
  annotations:
    kubernetes.io/ingress.class: "kong"
username: cluster-admin
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: cluster-admin-credential
  annotations:
    kubernetes.io/ingress.class: "kong"
consumerRef: cluster-admin
type: basic-auth
config:
  username: cluster-admin
  password: super-secret-password
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-service-ingress
  annotations:
    plugins.konghq.com: basic-auth
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - secretName: kong-tls-secret
      hosts:
        - my-service.domain.com
  rules:
    - host: my-service.domain.com
      http:
        paths:
          - backend:
              serviceName: my-service
              servicePort: 80

Kubernetes version: 1.16.2
Kong Ingress controller version: 0.6.0
Kong version: 1.3

When I call the url my-service.domain.com I get a 401 response with the message “Invalid authentication credentials”. So the plugin is loaded correctly but the credentials are not loaded.

It looks like the ingress controller is not finding the KongConsumer and KongCredential. When I check de logs on the ingress controller there is no record of the consumer or credentials. I don’t see any records of the consumer and credentials in the kong postgres database.

I’ve tried creating the consumer and credentials with and without the kubernetes.io/ingress.class annotation as mentioned here. But that does not seem to do the trick.

Kong is in it’s own kubernetes namespace named “kong”. I’am not sure if this matters, I’ve tried creating the consumer and credentials in the kong namespace and the default namespace where the “my-service” lives.

Any suggestions on how to solve this problem?

Thanks
Tom

Please check if Kong has picked up these by execing into Kong’s container:

curl -k https://localhost:8444/consumers
curl -k https://localhost:8444/basic-auths

Hi, Thanks for you reply.

Kong picked them apparently. This is the response when I execute these requests in the kong container:

{"next":null,"data":[{"custom_id":null,"created_at":1574433992,"id":"bdf188c5-6456-5651-819d-4924b6117518","tags":null,"username":"cluster-admin"}]}
{"next":null,"data":[{"created_at":1574433992,"consumer":{"id":"bdf188c5-6456-5651-819d-4924b6117518"},"id":"449403d4-88a2-58a6-b98a-641ec8de09cf","username":"cluster-admin","password":"super-secret-password"}]}

I really having trouble wrapping my head around this problem. Any suggestions on where to look next?

Thanks Tom

You are running into https://github.com/Kong/kong/issues/4542.

Please upgrade Kong to 1.4.0, which has a fix for the problem as per the changelog.

Thanks a lot, that fixed the problem.

@hbagdi Do you have an example of using basic auth with the new kube secret instead of the old kong credential? I can’t seem to get it going.

Thanks!

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
 metadata:
  name: my-user
 username: user
 credentials:
 - user-key

 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: user-key
 stringData:
  kongCredType: basic-auth
  password: "<SOMETHING_SECURE>"

Provide username in stringData as well.