Hello,
I’m trying to deploy Kong with plugin jwt that will work with Auth0 but when I try to test it with the token I get the error:
"message": "No credentials found for given ‘iss’"
Here is the configuration that I use:
1. I deploy Kong Ingress controller using the command
```
helm upgrade --install kong-ingress --namespace project-dev -f kong-ingress-values.yaml kong/kong
```
Where the file kong-ingress-values.yaml looks like this
```yaml
env:
  database: "off"
  nginx_worker_processes: "1"
  proxy_access_log: /dev/stdout
  admin_access_log: /dev/stdout
  admin_gui_access_log: /dev/stdout
  portal_api_access_log: /dev/stdout
  proxy_error_log: /dev/stderr
  admin_error_log: /dev/stderr
  admin_gui_error_log: /dev/stderr
  portal_api_error_log: /dev/stderr
  prefix: /kong_prefix/
  plugins: bundled, jwt, tcp-log, oidc, cors, request-transformer
  LUA_PACKAGE_PATH: /usr/local/share/lua/5.1/?.lua;;
  KONG_CLIENT_BODY_BUFFER_SIZE: 20m
  nginx_proxy_set: "$session_secret secret"
  AUTH0_PUBKEY: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxVHdcccujDNtG03fARIM
    vs4mumjQKy6/IfkK4xChrkNTMy4kf/YMA5TdmqEpftjN+MeXSzjXAUjG3+le6vqI
    O5mNP3SPB3GC2voLp0NteAOWgDqrNukJLExL5zwlnglBex+m1HcRIxfY2nzgJ1pL
    i5ufCRxC0gsJdX8+YF8CYZWvBlItmodTOFDs1CETGnsGb2nqN3odmi12gTs5yXnO
    syt5R16TWkjtP1seTjM5BouUrCxaJjIaXyFlsrq1Cs1zesC+2x1nvA7L8D/Bakxt
    /ZcjPRKmeNbrkM2mJG9CnB3rqhLm3wiffZtscNNgwLkoQdVQdk8ihV3MsyaKENYR
    nwIDAQAB
    -----END PUBLIC KEY-----
image:
  repository: registry.gitlab.com/project/kong #this image is based on kong 2.1.1
  tag: latest
  pullPolicy: Always
  pullSecrets:
    - project-bot
admin:
  enabled: false
  annotations: {}
  useTLS: true
  servicePort: 8444
  containerPort: 8444
  type: NodePort
  ingress:
    enabled: false
    hostname:
    annotations: {}
    path: /
proxy:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    ingress.kubernetes.io/force-ssl-redirect: "true"
  http:
    enabled: true
    servicePort: 80
    containerPort: 8000
  tls:
    enabled: true
    servicePort: 443
    containerPort: 8443
  type: LoadBalancer
  ingress:
    enabled: false
    hosts: []
    annotations: {}
    path: /
  externalIPs: []
plugins: {}
runMigrations: true
dblessConfig:
  configMap: ""
  config:
    _format_version: "1.1"
    services:
ingressController:
  enabled: true
  image:
    repository: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller
    tag: 0.9.1
  env:
    plugins: jwt, tcp-log, oidc, cors
  admissionWebhook:
    enabled: false
    failurePolicy: Fail
    port: 8080
  ingressClass: project-kong
  rbac:
    create: true
  serviceAccount:
    create: true
    name:
  installCRDs: false
  livenessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 1
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  readinessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 5
    timeoutSeconds: 1
    periodSeconds: 10
    successThreshold: 1
    failureThreshold: 3
  resources: {}
postgresql:
  enabled: false
waitImage:
  repository: busybox
  tag: latest
  pullPolicy: IfNotPresent
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: "100%"
    maxUnavailable: "0%"
resources:
  limits:
    cpu: 500m
    memory: 1024Mi
  requests:
    cpu: 500m
    memory: 1024Mi
readinessProbe:
  httpGet:
    path: "/status"
    port: metrics
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 1
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
livenessProbe:
  httpGet:
    path: "/status"
    port: metrics
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 1
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/instance
                operator: In
                values:
                  - kong
          topologyKey: failure-domain.beta.kubernetes.io/zone
        weight: 100
tolerations: []
nodeSelector: {}
podAnnotations: {}
replicaCount: 2
podDisruptionBudget:
  enabled: false
  maxUnavailable: "50%"
podSecurityPolicy:
  enabled: false
securityContext:
  runAsUser: 1000
serviceMonitor:
  enabled: true
  labels: { release: "prometheus" }
enterprise:
  enabled: false
  license_secret: you-must-create-a-kong-license-secret
  vitals:
    enabled: true
  portal:
    enabled: false
    portal_auth: basic-auth
    session_conf_secret: you-must-create-a-portal-session-conf-secret
  rbac:
    enabled: false
    admin_gui_auth: basic-auth
    session_conf_secret: you-must-create-an-rbac-session-conf-secret
    admin_gui_auth_conf_secret: you-must-create-an-admin-gui-auth-conf-secret
  smtp:
    enabled: false
    portal_emails_from: none@example.com
    portal_emails_reply_to: none@example.com
    admin_emails_from: none@example.com
    admin_emails_reply_to: none@example.com
    smtp_admin_emails: none@example.com
    smtp_host: smtp.example.com
    smtp_port: 587
    smtp_starttls: true
    auth:
      smtp_username: '' # e.g. postmaster@example.com
      smtp_password_secret: you-must-create-an-smtp-password
manager:
  annotations: {}
  http:
    enabled: true
    servicePort: 8002
    containerPort: 8002
  tls:
    enabled: true
    servicePort: 8445
    containerPort: 8445
  type: NodePort
  ingress:
    enabled: false
    hostname:
    annotations: {}
    path: /
  externalIPs: []
portal:
  annotations: {}
  http:
    enabled: true
    servicePort: 8003
    containerPort: 8003
  tls:
    enabled: true
    servicePort: 8446
    containerPort: 8446
  type: NodePort
  ingress:
    enabled: false
    hostname:
    annotations: {}
    path: /
  externalIPs: []
portalapi:
  annotations: {}
  http:
    enabled: true
    servicePort: 8004
    containerPort: 8004
  tls:
    enabled: true
    servicePort: 8447
    containerPort: 8447
  type: NodePort
  ingress:
    enabled: false
    hostname:
    annotations: {}
    path: /
  externalIPs: []
```
2. Here are the Kong components

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: project-jwt
  namespace: project-dev
  labels:
    global: "false"
disabled: false
config:
  claims_to_verify:
    - "exp"
plugin: jwt
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: project-kong-jwt-consumer
  namespace: project-dev
username: project
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: project-kong-jwt-credentials
  namespace: project-dev
consumerRef: project-kong-jwt-consumer
type: jwt
config:
  secret: b0970f7fc9564e65xklfn48930b5d08b1
  key: https://project.eu.auth0.com/
  rsa_public_key: |-
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1VQxKGhiAgGUheoO2f35
    bkZfq9cX6J3edJBji8dyaZQYrHTc7jETPo6ud6KBoNMM03Y9PgC7dcKyfkMPoDTd
    546e6gDD9/ldmp1ideC3blIHL3vMvPNYW8wanBnDpNjj5L2R+Fw0YmnYsscUWAmf
    k926sBEErDeyHIYSzFjpC/jiSF/LJ6UD2JSfWFmoj0SrwYPbKkvBipTL5itbobmK
    YKY+NcGdc0wyzwH4P4A69prEWHbVude7M7egRp/7PUi6zMICTtuOYuQQks0ooKkv
    AY8BbhjgbS7NnKI1Dm5zcQxNEAsksYjBvWoFavnpSwrYStZvowfC9ui7LiIjs7UF
    oQIDAQAB
    -----END PUBLIC KEY-----
  algorithm: RS256
```
3. Config for KongIngress

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: project-kongingress
  namespace: project-dev
route:
  protocols:
    - https
  https_redirect_status_code: 301
  strip_path: false
```
4. The Ingress that I deployed for the application

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: project
  namespace: project-dev
  labels:
    app: project
    component: project-ingress
    environment: project-dev
  annotations:
    kubernetes.io/ingress.class: project-kong
    acme.cert-manager.io/http01-ingress-class: project-kong
    external-dns.alpha.kubernetes.io/hostname: test.domain.com
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    configuration.konghq.com: "project-kongingress"
    plugins.konghq.com: project-jwt
spec:
  tls:
    - hosts:
        - test.domain.com
      secretName: test.domain.com
  rules:
    - host: test.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: project
              servicePort: http
```
5. Logs from the Ingress controller
a. Container 'ingress-controller'

```
I0826 09:04:02.330184 1 kong.go:66] successfully synced configuration to Kong
I0826 09:04:05.627304 1 kong.go:66] successfully synced configuration to Kong
```

b. Container 'proxy'

```
10.34.105.10 - - [26/Aug/2020:09:06:49 +0000] "GET / HTTP/1.1" 401 50 "-" "PostmanRuntime/7.26.3"
10.34.105.10 - - [26/Aug/2020:09:35:54 +0000] "GET / HTTP/1.1" 401 50 "-" "PostmanRuntime/7.26.3"
10.34.105.10 - - [26/Aug/2020:09:35:55 +0000] "GET / HTTP/1.1" 401 50 "-" "PostmanRuntime/7.26.3"
10.34.105.10 - - [26/Aug/2020:09:35:55 +0000] "GET / HTTP/1.1" 401 50 "-" "PostmanRuntime/7.26.3"
```
From what I see, the configuration looks good, but I get the error "No credentials found for given 'iss'".
If you encountered this in the past, can you please point me in the right direction?
Any help is appreciated.
Best regards,
Stefan
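
Added example (not part of the original post and not Kong's own code): the jwt plugin looks up a credential whose `key` equals the token's `iss` claim (its default `key_claim_name`), so this decodes a token without verifying it and compares that claim, and the header `alg`, with the `key` and `algorithm` from the KongCredential above. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def diagnose(token: str, credential_key: str, credential_alg: str,
             key_claim_name: str = "iss") -> str:
    """Compare a token (signature NOT verified) with one configured jwt credential."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed: expected header.payload.signature"
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    value = claims.get(key_claim_name, header.get(key_claim_name))
    if value is None:
        return f"missing: token carries no '{key_claim_name}'"
    if value != credential_key:
        # The lookup is an exact string match, so a trailing '/' matters.
        if isinstance(value, str) and value.rstrip("/") == credential_key.rstrip("/"):
            return f"mismatch: trailing slash differs ({value!r} vs {credential_key!r})"
        return f"mismatch: {value!r} is not the credential key {credential_key!r}"
    if header.get("alg") != credential_alg:
        return f"algorithm: token uses {header.get('alg')!r}, credential expects {credential_alg!r}"
    return "match"


def make_sample_token(iss: str, alg: str = "RS256") -> str:
    """Constructed sample token with a dummy signature, for offline use only."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": iss, "exp": 4102444800}).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Key and algorithm as configured in the KongCredential on this page.
CREDENTIAL_KEY = "https://project.eu.auth0.com/"
CREDENTIAL_ALG = "RS256"

if __name__ == "__main__":
    for iss in (CREDENTIAL_KEY, "https://project.eu.auth0.com", "https://other.auth0.com/"):
        print(iss, "->", diagnose(make_sample_token(iss), CREDENTIAL_KEY, CREDENTIAL_ALG))
```

If a real Auth0 token reports `match` here while Kong still returns the error, the token is not the problem; check whether the KongCredential was actually loaded into Kong's configuration.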