I have a setup with 1-node locally running kong proxy in minikube and Kong Konnect as the control plane. I am trying to enable there a custom plugin, which I developed with help of Pongo.
In Pongo’s version of Kong, the plugin works just fine. However, I am struggling to deploy it to the minikube:
deck konnect sync -s v1/konnect.yaml \
--konnect-email "<redacted>" --konnect-password-file secrets/konnect_pwd.txt
creating plugin tls-cert-extract (global)
Summary:
Created: 0
Updated: 0
Deleted: 0
Error: 1 errors occurred:
while processing event: {Create} plugin tls-cert-extract (global) failed: HTTP status 400 (message: "schema violation (name: plugin 'tls-cert-extract' not enabled; add it to the 'plugins' configuration property)")
I’ve tried to do everything according to the doc, i.e. uploaded the sources to the configMap and enabled the plugin in the plugins section of the Helm chart. However, I still see the same error. I tried to manually define volumes and volume mounts, and tried to mount it directly under /usr/local/share/lua/5.1/kong/plugins/ - nothing works.
When I SSH to the proxy pod I can see that plugin files are mounted at the correct locations and all the needed vars are set:
kubectl exec --stdin --tty \
$(kubectl get pod -l app.kubernetes.io/name=kong -n kong -o jsonpath="{.items[0].metadata.name}") \
-c proxy -n kong \
-- /bin/bash
bash-5.0$ echo $KONG_PLUGINS
bundled,tls-cert-extract
bash-5.0$ echo $KONG_LUA_PACKAGE_PATH
/opt/?.lua;/opt/?/init.lua;;
bash-5.0$ ls -al /usr/local/share/lua/5.1/kong/plugins/tls-cert-extract/
total 12
drwxrwxrwx 3 root root 4096 Aug 11 08:46 .
drwxr-xr-x 1 root root 4096 Aug 11 08:46 ..
drwxr-xr-x 2 root root 4096 Aug 11 08:46 ..2021_08_11_08_46_14.342433247
lrwxrwxrwx 1 root root 31 Aug 11 08:46 ..data -> ..2021_08_11_08_46_14.342433247
lrwxrwxrwx 1 root root 18 Aug 11 08:46 handler.lua -> ..data/handler.lua
lrwxrwxrwx 1 root root 17 Aug 11 08:46 schema.lua -> ..data/schema.lua
bash-5.0$ ls -al /opt/kong/plugins/tls-cert-extract/
total 12
drwxrwxrwx 3 root root 4096 Aug 11 08:46 .
drwxr-xr-x 3 root root 4096 Aug 11 08:46 ..
drwxr-xr-x 2 root root 4096 Aug 11 08:46 ..2021_08_11_08_46_14.342433247
lrwxrwxrwx 1 root root 31 Aug 11 08:46 ..data -> ..2021_08_11_08_46_14.342433247
lrwxrwxrwx 1 root root 18 Aug 11 08:46 handler.lua -> ..data/handler.lua
lrwxrwxrwx 1 root root 17 Aug 11 08:46 schema.lua -> ..data/schema.lua
Here is my plugin schema.lua:
local typedefs = require "kong.db.schema.typedefs"

local schema = {
  name = "tls-cert-extract",
  fields = {
    -- the 'fields' array is the top-level entry with fields defined by Kong
    { consumer = typedefs.no_consumer }, -- this plugin cannot be configured on a consumer (typical for auth plugins)
    { protocols = typedefs.protocols_http },
    { config = {
        -- The 'config' record is the custom part of the plugin schema
        type = "record",
        fields = {
          -- a standard defined field (typedef), with some customizations
          { host = typedefs.wildcard_host {
              required = true,
              default = "*" } },
          { request_client_cert = {
              type = "boolean",
              required = true,
              default = false } },
          { device_id = typedefs.header_name {
              required = false,
              default = "X-Lenovo-Device-ID" } },
        },
        entity_checks = {
          -- add some validation rules across fields
          -- the following is silly because it is always true, since they are both required
          { at_least_one_of = { "host" } }
        },
      },
    },
  },
}

return schema
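The post shows schema.lua but not the handler that consumes it, so here is an illustrative handler.lua for the three config fields above. This is an added example, not the poster's file and not code from Kong; it assumes the "device id" is the subject CN of the leaf client certificate, that lua-resty-openssl (shipped with Kong Gateway 2.x) is available for parsing the PEM chain, that `ngx.ssl.server_name()` is used to read the SNI in the certificate phase, and that the PRIORITY value is arbitrary.

```lua
-- handler.lua for the tls-cert-extract schema (hypothetical example).
-- Assumed behaviour: for requests matching conf.host, ask the client for a
-- certificate during the TLS handshake and forward the leaf certificate's
-- subject CN upstream in the header named by conf.device_id.
local ssl  = require "ngx.ssl"               -- SNI helper from lua-resty-core
local x509 = require "resty.openssl.x509"    -- assumed available in the Kong image

local TlsCertExtract = {
  PRIORITY = 1000,   -- assumed value; ordering relative to other plugins
  VERSION  = "0.1.0",
}

-- Match a host/SNI against conf.host. typedefs.wildcard_host permits "*",
-- a leading "*." or a trailing ".*"; everything else is an exact match.
local function host_matches(pattern, host)
  if pattern == "*" then
    return true
  end
  if not host then
    return false
  end
  if pattern:sub(1, 2) == "*." then
    return host:sub(-(#pattern - 1)) == pattern:sub(2)
  end
  if pattern:sub(-2) == ".*" then
    return host:sub(1, #pattern - 1) == pattern:sub(1, -2)
  end
  return host == pattern
end

-- certificate phase: runs inside the TLS handshake, before any route is
-- matched, so only the SNI is available to decide whether to ask for a cert.
function TlsCertExtract:certificate(conf)
  if not conf.request_client_cert then
    return
  end
  local sni = ssl.server_name()
  if not host_matches(conf.host, sni) then
    return
  end
  -- This only *requests* a certificate; the handshake proceeds even if the
  -- client sends none, so the access phase must check what actually arrived.
  local ok, err = kong.client.tls.request_client_certificate()
  if not ok then
    kong.log.err("could not request client certificate: ", err)
  end
end

-- access phase: the route is known and the full chain (if any) can be read.
function TlsCertExtract:access(conf)
  if not host_matches(conf.host, kong.request.get_host()) then
    return
  end

  -- Never trust a client-supplied copy of the header: drop it so a caller
  -- cannot inject a device id on a request that presented no certificate.
  kong.service.request.clear_header(conf.device_id)

  local chain, err = kong.client.tls.get_full_client_certificate_chain()
  if not chain then
    if err then
      kong.log.err("could not read client certificate chain: ", err)
    end
    if conf.request_client_cert then
      return kong.response.exit(401, { message = "client certificate required" })
    end
    return
  end

  -- x509.new() parses the first PEM block, i.e. the leaf certificate.
  local cert, perr = x509.new(chain)
  local subject = cert and cert:get_subject_name()
  local cn = subject and subject:find("CN")
  if not cn then
    kong.log.warn("client certificate has no subject CN: ", perr)
    return kong.response.exit(401, { message = "client certificate not accepted" })
  end

  kong.service.request.set_header(conf.device_id, cn.blob)
end

return TlsCertExtract
```

Two design points worth keeping in any real handler: the header is cleared before it is set, so an upstream that trusts the header cannot be fooled by a request that carried it from outside, and a missing certificate is rejected in the access phase rather than in the certificate phase, because `request_client_certificate()` cannot by itself enforce that a certificate was sent.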
My values.yaml:
image:
  repository: kong/kong-gateway
  tag: "2.4.1.1-alpine"
deployment:
  userDefinedVolumes:
    - name: kong-plugin-tls-cert-extract
      configMap:
        name: kong-plugin-tls-cert-extract
  userDefinedVolumeMounts:
    - name: kong-plugin-tls-cert-extract
      mountPath: "/usr/local/share/lua/5.1/kong/plugins/tls-cert-extract"
secretVolumes:
  - kong-cluster-cert
  - kong-cluster-ca
env:
  role: data_plane
  database: "off"
  anonymous_reports: off
  vitals_ttl_days: 732
  cluster_mtls: pki
  cluster_control_plane: <redacted>
  cluster_server_name: <redacted>
  cluster_telemetry_endpoint: <redacted>
  cluster_telemetry_server_name: <redacted>
  cluster_ca_cert: /etc/secrets/kong-cluster-ca/ca.crt
  cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
  cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
  lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-ca/ca.crt
  kong_plugins: bundled,tls-cert-extract
  kong_lua_package_path: /opt/?.lua;/opt/?/init.lua;;
plugins:
  configMaps:
    - name: kong-plugin-tls-cert-extract
      pluginName: tls-cert-extract
ingressController:
  enabled: false
  installCRDs: false
And konnect.yaml:
_format_version: "0.1"
service_packages:
  - name: Echo
    versions:
      - implementation:
          kong:
            service:
              connect_timeout: 60000
              host: echo.mtls-poc
              id: b939ce96-94e7-4337-82a9-3bbe8119ce90
              path: /
              port: 80
              protocol: http
              read_timeout: 60000
              retries: 5
              routes:
                - hosts:
                    - mtls.auth.local
                  https_redirect_status_code: 426
                  id: 5a290e5f-4bf1-4023-b6c1-bde5679af14a
                  methods:
                    - GET
                  path_handling: v0
                  paths:
                    - /echo
                  preserve_host: false
                  protocols:
                    - https
                  regex_priority: 0
                  request_buffering: true
                  response_buffering: true
                  strip_path: true
              write_timeout: 60000
          type: kong-gateway
        version: v1
certificates:
  - cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
    id: 18cee516-6268-11eb-ae93-0242ac130012
    snis:
      - name: mtls.auth.local
    tags: [ "mtls.key" ]
plugins:
  - id: 0e5aa468-fa7a-11eb-adf8-975743bfa9fc
    name: tls-cert-extract
    config:
      host: mtls.auth.local
      request_client_cert: true
    protocols: [ "https" ]
    enabled: true
    tags: [ "tls-cert-extract" ]
I have a strong suspicion it has something to do with the Konnect control plane not knowing about my custom plugin and refusing to sync the decK’s YAML.
What should I do?