Hi.
I am trying Kong DB-Less on Kubernets and It doesn’t recognizes the key configured with key-auth plugin.
After create the credentials with:
kubectl create secret generic harry-apikey \
--from-literal=kongCredType=key-auth \
--from-literal=key=my-sooper-secret-key \
-n test
and deploy the configuration below:
kind: Namespace
apiVersion: v1
metadata:
name: teste
labels:
name: teste
---
apiVersion: v1
kind: Service
metadata:
name: httpbin
namespace: teste
labels:
app: httpbin
spec:
ports:
- name: http
port: 80
targetPort: 80
selector:
app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin
namespace: teste
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
template:
metadata:
labels:
app: httpbin
spec:
containers:
- image: docker.io/kennethreitz/httpbin
name: httpbin
ports:
- containerPort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: httpbin-auth
namespace: teste
plugin: key-auth
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo
namespace: teste
annotations:
kubernetes.io/ingress.class: kong-api-controller
configuration.konghq.com: demo
plugins.konghq.com: httpbin-auth
spec:
rules:
- http:
paths:
- path: /foo
backend:
serviceName: httpbin
servicePort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: harry
namespace: teste
username: harry
credentials:
- harry-apikey
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
name: demo
namespace: teste
route:
strip_path: true
I get:
$ curl -i -H 'apikey: my-sooper-secret-key' $PROXY_IP/foo/status/200
HTTP/1.1 401 Unauthorized
Date: Tue, 07 Jan 2020 14:31:03 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
Server: kong/1.3.0
{"message":"Invalid authentication credentials"}
Versions:
Kong 1.4 DB-Less mode.
kong-ingress-controller:0.6.2
Thanks,
Souto
hbagdi
January 8, 2020, 3:44pm
2
Secret based credentials are not available in Controller 0.6.2.
Please upgrade to 0.7.0.
Hi Harry.
Updated to 0.7.0 with same results.
hbagdi
January 8, 2020, 7:23pm
4
Pleas help me with an example of how to do it.
My configuration above follows the exact same consumer and credential setup configuration of https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md .
As a matter of fact my configuration is the one from the URL slightly tweaked because the tutorial doesn’t work out of the box: if I create the Ingress with the config from the URL the creation fails with error while evaluating the ingress spec: service "default/httpbin" is type "ClusterIP", expected "NodePort" or "LoadBalancer"
.
In order to make it work I added:
annotations:
kubernetes.io/ingress.class: kong-api-controller
configuration.konghq.com: demo
and:
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
name: demo
namespace: teste
route:
strip_path: true
Any other thoughts?
Regards,
Souto
I have just tried the configuration below which yields the same results.
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: harry
namespace: teste
username: harry
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
name: httpbin-apikey
namespace: teste
consumerRef: harry
type: key-auth
config:
key: my-sooper-secret-key
---
hbagdi
January 8, 2020, 8:03pm
7
It seems like you are using a different ingress class.
Please use the kubernetes.io/ingress.class: kong-api-controller
annotation on KongConsumer and KongCredential resources as well.
It worked \o/
Great! Thank you.
“It seems like you are using a different ingress class.”
Is there another way?
As I sad before, without doing that and using the plain configuration from the URL I get the error
error while evaluating the ingress spec: service "default/httpbin" is type "ClusterIP", expected "NodePort" or "LoadBalancer"
.
Below is the full configuration that worked for me:
kind: Namespace
apiVersion: v1
metadata:
name: teste
labels:
name: teste
---
apiVersion: v1
kind: Service
metadata:
name: httpbin
namespace: teste
labels:
app: httpbin
spec:
ports:
- name: http
port: 80
targetPort: 80
selector:
app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin
namespace: teste
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
template:
metadata:
labels:
app: httpbin
spec:
containers:
- image: docker.io/kennethreitz/httpbin
name: httpbin
ports:
- containerPort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: httpbin-auth
namespace: teste
plugin: key-auth
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo
namespace: teste
annotations:
kubernetes.io/ingress.class: kong-api-controller
configuration.konghq.com: demo
plugins.konghq.com: httpbin-auth
spec:
rules:
- http:
paths:
- path: /foo
backend:
serviceName: httpbin
servicePort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: harry
namespace: teste
annotations:
kubernetes.io/ingress.class: kong-api-controller
username: harry
credentials:
- harry-apikey
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
name: demo
namespace: teste
route:
strip_path: true
Thank you and regards.
I’m using ingress controller 0.6.0. I don’t want to upgrade to 0.7.0 yet. So should I use KongCredential instead of secret based credentials even though KongCredential is deprecated?
Yes–you won’t be able to use Secret-based credentials until you upgrade to 0.7.0 or later.