@hbagdi the KongCredential CRD type acl doesn’t work properly. The group is never associated to the consumer.
ingress annotations:

plugins.konghq.com: tokenizer-auth,tokenizer-prometheus,tokenizer-ratelimit,tokenizer-acl

tokenizer-acl plugin:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: tokenizer-acl
  namespace: dev
plugin: acl
config:
  whitelist: tokenizer-group
  hide_groups_header: "true"

consumer and one api-key credential:

apiVersion: v1
items:
- apiVersion: configuration.konghq.com/v1
  kind: KongConsumer
  metadata:
    name: tokenizer
  username: tokenizer
kind: List
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: tokenizer
consumerRef: tokenizer
type: key-auth
config:
  key: REDACTED

Finally acl credential of type acl:

apiVersion: configuration.konghq.com/v1
kind: KongCredential
group: "tokenizer-group"
metadata:
  name: tokenizer-group4
  namespace: dev
consumerRef: tokenizer
type: acl
config:
  group: "tokenizer-group"
I also tried different ways to define the credential:

apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: tokenizer-group4
  namespace: dev
consumerRef: tokenizer
type: acl
config:
  group: "tokenizer-group"

Was tried and doesn’t work either.
Response from kong:
/ # curl http://localhost:8001/consumers/tokenizer/acls
{"total":0,"data":[]}
Nothing of note in the logs except entity 'acl' not registered, but I think this is because the acl plugin didn’t get added to the ingress before the credential got applied.