Key-auth credentials not working in db-less mode

#1

Hi.
I am trying Kong DB-Less on Kubernets and It doesn’t recognizes the key configured with key-auth plugin.

After create the credentials with:

kubectl create secret generic harry-apikey \
--from-literal=kongCredType=key-auth \
--from-literal=key=my-sooper-secret-key \
-n test

and deploy the configuration below:

kind: Namespace
apiVersion: v1
metadata:
  name: teste
  labels:
    name: teste
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: teste
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: teste
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-auth
  namespace: teste
plugin: key-auth
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: teste
  annotations:
    kubernetes.io/ingress.class: kong-api-controller
    configuration.konghq.com: demo
    plugins.konghq.com: httpbin-auth
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: httpbin
          servicePort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  namespace: teste
username: harry
credentials:
- harry-apikey
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: demo
  namespace: teste
route:
  strip_path: true

I get:

$ curl -i -H 'apikey: my-sooper-secret-key' $PROXY_IP/foo/status/200
HTTP/1.1 401 Unauthorized
Date: Tue, 07 Jan 2020 14:31:03 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
Server: kong/1.3.0

{"message":"Invalid authentication credentials"}

Versions:
Kong 1.4 DB-Less mode.
kong-ingress-controller:0.6.2

Thanks,
Souto

#2

Secret based credentials are not available in Controller 0.6.2.
Please upgrade to 0.7.0.

#3

Hi Harry.

Updated to 0.7.0 with same results.

#4

Only creating credentials is not enough.
You have to associate them with a consumer.
Please see: https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md

#5

Pleas help me with an example of how to do it.

My configuration above follows the exact same consumer and credential setup configuration of https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md.

As a matter of fact my configuration is the one from the URL slightly tweaked because the tutorial doesn’t work out of the box: if I create the Ingress with the config from the URL the creation fails with error while evaluating the ingress spec: service "default/httpbin" is type "ClusterIP", expected "NodePort" or "LoadBalancer".
In order to make it work I added:

 annotations:
    kubernetes.io/ingress.class: kong-api-controller
    configuration.konghq.com: demo

and:

---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: demo
  namespace: teste
route:
  strip_path: true

Any other thoughts?
Regards,
Souto

#6

I have just tried the configuration below which yields the same results.

---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  namespace: teste
username: harry
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: httpbin-apikey
  namespace: teste
consumerRef: harry
type: key-auth
config:
  key: my-sooper-secret-key
---
#7

It seems like you are using a different ingress class.
Please use the kubernetes.io/ingress.class: kong-api-controller annotation on KongConsumer and KongCredential resources as well.

#8

It worked \o/
Great! Thank you.

“It seems like you are using a different ingress class.”
Is there another way?
As I sad before, without doing that and using the plain configuration from the URL I get the error
error while evaluating the ingress spec: service "default/httpbin" is type "ClusterIP", expected "NodePort" or "LoadBalancer".

Below is the full configuration that worked for me:

kind: Namespace
apiVersion: v1
metadata:
  name: teste
  labels:
    name: teste
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: teste
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: teste
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-auth
  namespace: teste
plugin: key-auth
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: teste
  annotations:
    kubernetes.io/ingress.class: kong-api-controller
    configuration.konghq.com: demo
    plugins.konghq.com: httpbin-auth
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: httpbin
          servicePort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  namespace: teste
  annotations:
    kubernetes.io/ingress.class: kong-api-controller
username: harry
credentials:
- harry-apikey
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: demo
  namespace: teste
route:
  strip_path: true

Thank you and regards.

© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ