I have Kong 2.0.2 and Kong ingress controller 0.7.1 deployed in DB-less mode, and I’m trying to figure out how to provision a consumer using the new secret-based methods. The documentation is sparse on this topic, and with it being new in v0.7 of the ingress controller, there’s not a whole lot of working examples out there.
I have the following k8s resources (along with 2 other sets following the same pattern) created:
However, the kong ingress controller seems to choke on this config:
E0326 19:27:56.322072 1 controller.go:119] unexpected failure updating Kong configuration:
posting new config to /config: 400 Bad Request {"fields":{"consumers":[{"basicauth_credentials":[{"@entity":["all or none of these fields must be set: 'password', 'consumer.id'"]}]},{"basicauth_credentials":[{"@entity":["all or none of these fields must be set: 'password', 'consumer.id'"]}]},{"basicauth_credentials":[{"@entity":["all or none of these fields must be set: 'password', 'consumer.id'"]}]}]},"name":"invalid declarative configuration","code":14,"message":"declarative config is invalid: {consumers={{basicauth_credentials={{[\"@entity\"]={\"all or none of these fields must be set: 'password', 'consumer.id'\"}}}},{basicauth_credentials={{[\"@entity\"]={\"all or none of these fields must be set: 'password', 'consumer.id'\"}}}},{basicauth_credentials={{[\"@entity\"]={\"all or none of these fields must be set: 'password', 'consumer.id'\"}}}}}}"}
That is the result of running “kubectl get secret” after creating it using the “stringData” field. It does not matter how it was initially created. The API only ever returns “data”.
From the docs you linked:
The stringData field is a write-only convenience field. It is never output when retrieving Secrets.
There seems to be more going on here. I tried reproducing the issue locally (in k3d) with only the consumer/credential config, and it works fine. My production config also contains a lot of other config for services/routes. Could I potentially be running into a bug here?
I deleted all of the “Ingress” and “KongPlugin” resources that weren’t directly associated with what I was trying to do here, and now it’s generating the config properly. However, this is not an actual solution, as I need those other configs.
I seem to have narrowed this down to a problem with some of the unrelated “Ingress” resources for kong that use the “basic-auth” (and apparently “key-auth”) plugins. If I delete them, the kong config is suddenly fixed. Those “Ingress” resources do not break the config when my KongConsumer is not defined, so there’s some weird interaction here.
I managed to narrow down the circumstances under which this happens and created a small reproducing test case. I created the following GitHub issue with the details: