How to automatically generate API key?

mloskot · March 15, 2023, 5:08pm

Hi,

First, I have experience with configuring Kong using PostgreSQL database.

I’m now learning about Kong Ingress Controller (KIC) on Kubernetes, I’ve got Kong deployed on my cluster, services and routes configured, key-auth plugin added, it’s all working - so far so good.

Although this Provisioning Consumers and Credentials - v2.8.x | Kong Docs explains how to configure the key-auth plugin for KIC, it creates API key from a dummy literal stored in Kubernetes secret:

kubectl create secret generic kotenok-key-auth \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=gav

This is all clear and good for learning, but I assume this is not how it’s done at larger scale or in production, is it? What is the proper way to manage API keys at scale?

The Key Authentication plugin | Kong Docs makes this recommendation:

Does this apply to DB-only installation of Kong or does it also apply to DB-less and Kong Ingress Controller?

Is there any way to request KIC to automatically generate API key and perhaps even store it in Kubernetes secret?

JohnWilliams · March 21, 2023, 7:03am

@mloskot - There is an auto generated option in Kong Manager for Consumer credentials,

May be for KIC, its meant to be using some external providers. Hope this helps.

mloskot · March 22, 2023, 11:14am

@JohnWilliams Yes, running Kong with traditional mode (i.e. with database) does indeed support auto-generating of API keys, and it works fine with Kong Manager as well as curl-ed requests to the Admin API. Although it is useful for testing and learning Kong, it does not answer my need for KIC.

As you suggested, I currently use Kubernetes secrets importing API keys managed and stored in external vault, but I’m interested in what are best practices used in production.

chi_ding · November 20, 2023, 9:46pm

I am also curious if the CRDs can just create some random string and store in kubernetes secret.
For now, we are using Terraform to create random string and store on AWS secret manager, and we use externalSecret operator to move the secret from AWS to kubernetes.

mloskot · November 21, 2023, 8:26am

@chi_ding As you see, my question received no informative responses.

I used to use Terraform to generate values for secrets stored in Azure Key Vault and read by Kubernetes, but I have switched to use https://external-secrets.io for all the purposes:

generate random value (password or API key) - Password - External Secrets Operator
create Kubernetes secret - ExternalSecret - External Secrets Operator
push Kubernetes secret to Azure Key Vault for sharing/backup - PushSecret - External Secrets Operator

I hope it helps.

Topic		Replies	Views
Creating an APIkey when declaratively creating a KongCredential	3	714	August 5, 2019
Activated key-auth plugin from GUI and I locked myself out Kubernetes	1	581	March 7, 2022
How can we use custom apikey instead of auto generate by kong for consumers in key-authentication Questions	1	412	June 1, 2018
Key Authentication Plugin key publish algorithm Questions	1	539	June 2, 2021
Changing apikey header with KongConsumer/secret Kubernetes	3	542	April 9, 2020

How to automatically generate API key?

Related Topics