Jwt plugin change db-mode to db-less-mode

Hello

I used DB(postgesql) for the credential and consumer information of jwt plugin.
I am working on converting kong in DB mode to db-less mode.

In DB mode, I added consumer and credential through admin api and confirmed that JWT plugin works properly.

I set referring to the above page, but JWT plugin gives 401 (Unauthorized) response.
The published JWT contains “iss = aaa.com”.

Below is my configuration.

indent preformatted text by 4 spaces

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: jwt
labels:
global: “false”
enabled: true
plugin: jwt


apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: global-consumer
username: GlobalConsumer
custom_id: GlobalConsumer


apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
name: global-consumer-credentials
consumerRef: global-consumer
type: jwt
config:
key: “aaa.com
rsa_public_key: |
-----BEGIN PUBLIC KEY-----
MIIBIjA-----------
NbOIuzKa----------
kwIDAQAB-----------
-----END PUBLIC KEY-----
algorithm: RS256

Two questions:

  1. Do you see error in logs of Kong Ingress Controller upon creation of that credential?
  2. Can you exec into the Kong container and ensure that Kong has the credential correctly populated inside? (GET /jwts on the Admin API.)

1, There is no log about creation of that credential
[kong-ingress log]
Kong Ingress controller
Release: 0.6.0
Build: 273a5664
Repository: git@github.com:Kong/kubernetes-ingress-controller.git
Go: go1.13
I1111 04:26:04.113427 1 main.go:367] Creating API client for https://10.221.0.1:443
I1111 04:26:04.122191 1 main.go:411] Running in Kubernetes Cluster version v1.15 (v1.15.0) - git (clean) commit e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529 - platform linux/amd64
I1111 04:26:04.248282 1 main.go:153] kong version: 1.3.0
I1111 04:26:04.248302 1 main.go:162] Kong datastore: off
I1111 04:26:04.364622 1 controller.go:242] starting Ingress controller
E1111 04:26:04.365118 1 main.go:315] error running the admission controller server:open /admission-webhook/tls.crt: no such file or directory
I1111 04:26:04.366959 1 status.go:201] new leader elected: kong-8694569ccd-jzk7c
I1111 04:26:04.430498 1 controller.go:135] successfully synced configuration to Kong
I1111 04:26:16.346805 1 controller.go:135] successfully synced configuration to Kong
I1111 04:26:19.625474 1 controller.go:135] successfully synced configuration to Kong

[kong log]
2019/11/11 04:25:57 [notice] 1#0: using the “epoll” event method
2019/11/11 04:25:57 [notice] 1#0: openresty/1.15.8.1
2019/11/11 04:25:57 [notice] 1#0: built by gcc 8.3.0 (Alpine 8.3.0)
2019/11/11 04:25:57 [notice] 1#0: OS: Linux 3.10.0-957.12.2.el7.x86_64
2019/11/11 04:25:57 [notice] 1#0: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2019/11/11 04:25:57 [notice] 1#0: start worker processes
2019/11/11 04:25:57 [notice] 1#0: start worker process 31
2019/11/11 04:25:57 [notice] 1#0: start worker process 32
127.0.0.1 - - [11/Nov/2019:04:26:04 +0000] “GET / HTTP/1.1” 200 6553 “-” “Go-http-client/1.1”
127.0.0.1 - - [11/Nov/2019:04:26:04 +0000] “GET /tags HTTP/1.1” 200 23 “-” “Go-http-client/1.1”
2019/11/11 04:26:04 [notice] 32#0: *42 [lua] cache.lua:321: purge(): [DB cache] purging (local) cache, client: 127.0.0.1, server: kong_admin, request: “POST /config?check_hash=1 HTTP/1.1”, host: “localhost:8001”

2. I checked admin api but no message found
I also checked consumer admin api but no message found

admin api : https://xx.xx.xx.xx:8001/consumers/GlobalConsumer/jwt
https://xx.xx.xx.xx:8001/consumers
** [Result] **
there is no message
{
message: “Not found”
}

I also check DB-mode both of admin apis
That work correctly.

ref. kong-ingress-controller is different
DB mode : : 0.5.0
DB-less mode : 0.6.0

I set the plugin and package_path both of kong.conf and env in deployment and _helper files
because I already set the plugin and package_path in kong.conf file but this is not working.
so I added env in deployment and _helper files

Do I need any additional configuration in kong.conf file when I change to db-less mode?

The correct Admin API endpoint is:

curl -k https://localhost:8444/

Please use that to check the configuration of Kong.

No, all you need is database=off.

I already set “database = off” in kong.conf

I set the node port 8001
I changed admin node port 8001 to 8444 but there is no change.

[root]# kubectl get kongplugins
NAME PLUGIN-TYPE AGE
jwt jwt 2m16s
[root]# kubectl get kongconsumers
NAME USERNAME AGE
global-consumer GlobalConsumer 2m22s
[root]# kubectl get kongcredential
NAME CREDENTIAL-TYPE AGE CONSUMER-REF
global-consumer-credentials jwt 2m29s global-consumer
[root]# kubectl get services |grep kong-admin
kong-admin NodePort 10.221.2.228 8444:8444/TCP 2m59s

[root]# curl -k https://xx.xx.xx.xx:8444/consumers
{“next”:null,“data”:[]}
[root]# curl -k https://xx.xx.xx.xx:8444/consumgers/GlobalConsumer/jwt
{“message”:“Not found”}
[root]# curl -k https://xx.xx.xx.xx:8444/jwts
{“next”:null,“data”:[]}
[root]# curl -k https://xx.xx.xx.xx:8444/plugins <== There are some results
{

  • created_at: 1573535366,
  • config: {
    • claims_to_verify: [
      • “exp”,
      • “nbf”],
    • run_on_preflight: true,

  • name: “jwt”,
  • enabled: true
    }

© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ