How to automatically generate API key?

mloskot · March 15, 2023, 5:08pm

Hi,

First, I have experience with configuring Kong using PostgreSQL database.

I’m now learning about Kong Ingress Controller (KIC) on Kubernetes, I’ve got Kong deployed on my cluster, services and routes configured, key-auth plugin added, it’s all working - so far so good.

Although this Provisioning Consumers and Credentials - v2.8.x | Kong Docs explains how to configure the key-auth plugin for KIC, it creates API key from a dummy literal stored in Kubernetes secret:

kubectl create secret generic kotenok-key-auth \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=gav

This is all clear and good for learning, but I assume this is not how it’s done at larger scale or in production, is it? What is the proper way to manage API keys at scale?

The Key Authentication plugin | Kong Docs makes this recommendation:

Does this apply to DB-only installation of Kong or does it also apply to DB-less and Kong Ingress Controller?

Is there any way to request KIC to automatically generate API key and perhaps even store it in Kubernetes secret?

JohnWilliams · March 21, 2023, 7:03am

@mloskot - There is an auto generated option in Kong Manager for Consumer credentials,

May be for KIC, its meant to be using some external providers. Hope this helps.

mloskot · March 22, 2023, 11:14am

@JohnWilliams Yes, running Kong with traditional mode (i.e. with database) does indeed support auto-generating of API keys, and it works fine with Kong Manager as well as curl-ed requests to the Admin API. Although it is useful for testing and learning Kong, it does not answer my need for KIC.

As you suggested, I currently use Kubernetes secrets importing API keys managed and stored in external vault, but I’m interested in what are best practices used in production.