Do Kong authentication plugins support TCPIngress?

I would like to ask: do Kong authentication plugins support only Ingress, or both Ingress and TCPIngress?
Does it work: kubectl annotate tcpingress my-tcp-ingress
Many thanks.

Kong/kong · Discussions · GitHub would maybe be better able to comment, as on the Kubernetes integration side TCPIngress is just a means of creating a Kong route with the TCP protocol.

Whether a plugin (or other functionality) is available for tcp protocol routes depends on the gateway’s internals, so that team is better able to answer those questions in more detail.

On the controller side, I think we’ll try to attach a plugin if you request one via the annotation, but the controller doesn’t know whether that configuration will be accepted or work in practice.

From initial testing, it looks like you cannot add authentication plugins to TCP routes. Most of the authentication plugins rely on application-layer information (HTTP headers and such) that is not available in plain TCP.

I thought that mutual TLS may be an option for TLS-wrapped generic TCP, but it looks like that’s not the case: if I attempt to create an mTLS plugin, the only protocols I can choose are HTTPS and GRPCS (oddly, it actually does let me select plaintext HTTP and GRPC also, which shouldn’t actually work), not TCP or TLS.

So if I have a TCPIngress to route and route based on SNI, → I can use the mutual TLS authentication plugin with that TCPIngress to authenticate my HTTPS requests