Hello,
I am trying to declaratively create a KongConsumer and accompanying KongCredential based on the documentation here: https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/references/custom-resources.md
It works fine, but I would like Kong to create the apikey for me in the config of the KongCredential (instead of me typing in a random password). Is there a best way to do this?
hbagdi
August 5, 2019, 7:37pm
Please have a look at the example:
# Custom Resource Definitions
The Ingress Controller can configure Kong specific features
using several [Custom Resource Definitions(CRDs)][k8s-crd].
Following CRDs enables users to declaratively configure all aspects of Kong:
- [**KongPlugin**](#kongplugin): These resources correspond to [Plugin][kong-plugin]
entities in Kong.
- [**KongIngress**](#kongingress): These resources can control routing, load-balancing,
health checking properties in Kong.
It works with the Ingress resources in Kubernetes.
- [**KongConsumer**](#kongconsumer):
These resources map to [Consumer][kong-consumer] entities in Kong.
- [**KongCredential**](#kongcredential): These resources map to
credentials (key-auth, basic-auth, etc) that belong to consumers.
## KongPlugin
This resource allows the configuration of
This file has been truncated.
You can define your API key using the key parameter.
@hbagdi thanks for the quick response. Yup - is there a way to make this a secret/hashed? It seems like a security risk to be able to just create keys when something like this is doable:
Hello @jmtoball ,
Thank you for the detailed explanation.
Is this expected? Is this a bug? Is there a better way to do this, apart from creating a namespace per endpoint?
This is not a bug but an expected behavior.
The Ingress Controller doesn’t enforce any k8s namespace level scopes in Kong.
Any consumer with a valid credential will be authenticated by Kong, no matter which namespace it belongs to.
There are a couple of ways to solve this problem:
Run an Ingress Controller in each namesp…
hbagdi
August 5, 2019, 9:59pm
@Bosterito95
I totally get your fear but there is no way to do this as of now using a secret.
This is something that we are aware is very important to address and we have this as a high priority item on the roadmap.
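
For the question that opens this thread (not typing the key by hand), the following is an added example, not code from the thread or from the Kong project: a shell script that draws the key from the kernel CSPRNG and writes it into a KongCredential manifest. The field layout (`consumerRef`, `type: key-auth`, `config.key`) is assumed from the custom-resources document linked in the first post, and the function names, file name and resource names are hypothetical.

```shell
#!/bin/sh
# Added example: CSPRNG-generated key-auth key wrapped in a KongCredential manifest.
# Resource and consumer names passed in are constructed placeholders.
LC_ALL=C; export LC_ALL

# 32 bytes from the kernel CSPRNG, hex-encoded: 64 characters, 256 bits.
gen_api_key() {
    od -An -v -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# render_credential NAME CONSUMER KEY -> manifest on stdout.
# Field layout is assumed from the custom-resources document linked in the thread.
render_credential() {
    name=$1 consumer=$2 key=$3
    # Only DNS-style names, so a value cannot inject extra YAML.
    for v in "$name" "$consumer"; do
        case $v in
            ''|*[!a-z0-9.-]*) echo "invalid name: $v" >&2; return 1 ;;
        esac
    done
    # Reject hand-typed or truncated keys: exactly 64 lowercase hex characters.
    case $key in
        ''|*[!0-9a-f]*) echo "key is not lowercase hex" >&2; return 1 ;;
    esac
    [ "${#key}" -eq 64 ] || { echo "key must be 64 hex chars" >&2; return 1; }
    cat <<EOF
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: $name
consumerRef: $consumer
type: key-auth
config:
  key: $key
EOF
}

# write_credential OUTFILE NAME CONSUMER
# The key sits in cleartext in the manifest, so the file is created mode 0600.
write_credential() {
    out=$1
    manifest=$(render_credential "$2" "$3" "$(gen_api_key)") || return 1
    rm -f "$out"
    ( umask 077 && printf '%s\n' "$manifest" > "$out" )
}

# Usage: ./gen-credential.sh credential.yaml my-credential my-consumer
if [ "$#" -eq 3 ]; then
    write_credential "$@"
fi
```

Because the key is stored in cleartext in the resource, as the last reply confirms, keep the generated file out of version control and restrict who can read KongCredential objects in the cluster.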