Key-auth credentials not working in db-less mode

Hi.
I am trying Kong DB-Less on Kubernetes and it doesn’t recognize the key configured with the key-auth plugin.

After creating the credentials with:

kubectl create secret generic harry-apikey \
--from-literal=kongCredType=key-auth \
--from-literal=key=my-sooper-secret-key \
-n test

and deploying the configuration below:

kind: Namespace
apiVersion: v1
metadata:
  name: teste
  labels:
    name: teste
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: teste
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: teste
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-auth
  namespace: teste
plugin: key-auth
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: teste
  annotations:
    kubernetes.io/ingress.class: kong-api-controller
    configuration.konghq.com: demo
    plugins.konghq.com: httpbin-auth
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: httpbin
          servicePort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  namespace: teste
username: harry
credentials:
- harry-apikey
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: demo
  namespace: teste
route:
  strip_path: true

I get:

$ curl -i -H 'apikey: my-sooper-secret-key' $PROXY_IP/foo/status/200
HTTP/1.1 401 Unauthorized
Date: Tue, 07 Jan 2020 14:31:03 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
Server: kong/1.3.0

{"message":"Invalid authentication credentials"}

Versions:
Kong 1.4 DB-Less mode.
kong-ingress-controller:0.6.2

Thanks,
Souto

Secret based credentials are not available in Controller 0.6.2.
Please upgrade to 0.7.0.

Hi Harry.

Updated to 0.7.0 with same results.

Only creating credentials is not enough.
You have to associate them with a consumer.
Please see: https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md

Please help me with an example of how to do it.

My configuration above follows the exact same consumer and credential setup configuration of https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md.

As a matter of fact, my configuration is the one from the URL, slightly tweaked because the tutorial doesn’t work out of the box: if I create the Ingress with the config from the URL, the creation fails with: error while evaluating the ingress spec: service "default/httpbin" is type "ClusterIP", expected "NodePort" or "LoadBalancer".
In order to make it work I added:

  annotations:
    kubernetes.io/ingress.class: kong-api-controller
    configuration.konghq.com: demo

and:

---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: demo
  namespace: teste
route:
  strip_path: true

Any other thoughts?
Regards,
Souto

I have just tried the configuration below which yields the same results.

---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  namespace: teste
username: harry
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: httpbin-apikey
  namespace: teste
consumerRef: harry
type: key-auth
config:
  key: my-sooper-secret-key
---

It seems like you are using a different ingress class.
Please use the kubernetes.io/ingress.class: kong-api-controller annotation on KongConsumer and KongCredential resources as well.
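
The mismatch described in this reply can be caught before the manifests are applied. The following is an added example, not part of the thread or of Kong's own code: it scans a multi-document manifest for KongConsumer and KongCredential resources whose kubernetes.io/ingress.class annotation is missing or differs from the controller's class. The function names, the line-based parsing and the sample manifests are assumptions of this example, and it assumes a controller that only picks up resources annotated with its own class.

```python
import re

ANNOTATION = "kubernetes.io/ingress.class"
# Kinds named in the reply above; checking only these is an assumption of this example.
CHECKED_KINDS = {"KongConsumer", "KongCredential"}

def parse_docs(manifest):
    """Line-oriented scan of a multi-document manifest (not a full YAML parser)."""
    docs = []
    for raw in re.split(r"(?m)^---[ \t]*$", manifest):
        kind = re.search(r"(?m)^kind:[ \t]*(\S+)", raw)
        if not kind:
            continue
        meta = re.search(r"(?m)^metadata:[ \t]*\n((?:[ \t]+.*\n?)*)", raw)
        block = meta.group(1) if meta else ""
        name = re.search(r"(?m)^  name:[ \t]*(\S+)", block)
        cls = re.search(r"(?m)^[ \t]+" + re.escape(ANNOTATION)
                        + r":[ \t]*[\"']?([^\"'\s]+)", block)
        docs.append((kind.group(1), name.group(1) if name else "?",
                     cls.group(1) if cls else None))
    return docs

def unclaimed(manifest, controller_class):
    """(kind, name, class found) for resources that lack the controller's class."""
    return [d for d in parse_docs(manifest)
            if d[0] in CHECKED_KINDS and d[2] != controller_class]

# Constructed sample: the consumer and credential as first posted in the thread.
BROKEN = """\
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  namespace: teste
username: harry
---
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: httpbin-apikey
  namespace: teste
consumerRef: harry
type: key-auth
"""
# Constructed sample: the same resources with the class annotation added.
FIXED = BROKEN.replace("  namespace: teste\n", "  namespace: teste\n  annotations:\n"
                       "    " + ANNOTATION + ": kong-api-controller\n")

if __name__ == "__main__":
    print(unclaimed(BROKEN, "kong-api-controller"))
```

An empty list means every checked resource carries the class passed as `controller_class`; each tuple in a non-empty result names a resource the 401 above could be traced to.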

It worked \o/
Great! Thank you.

“It seems like you are using a different ingress class.”
Is there another way?
As I said before, without doing that and using the plain configuration from the URL, I get the error:
error while evaluating the ingress spec: service "default/httpbin" is type "ClusterIP", expected "NodePort" or "LoadBalancer".

Below is the full configuration that worked for me:

kind: Namespace
apiVersion: v1
metadata:
  name: teste
  labels:
    name: teste
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: teste
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: teste
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-auth
  namespace: teste
plugin: key-auth
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: teste
  annotations:
    kubernetes.io/ingress.class: kong-api-controller
    configuration.konghq.com: demo
    plugins.konghq.com: httpbin-auth
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: httpbin
          servicePort: 80
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
  namespace: teste
  annotations:
    kubernetes.io/ingress.class: kong-api-controller
username: harry
credentials:
- harry-apikey
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: demo
  namespace: teste
route:
  strip_path: true

Thank you and regards.

I’m using ingress controller 0.6.0. I don’t want to upgrade to 0.7.0 yet. So should I use KongCredential instead of secret based credentials even though KongCredential is deprecated?

Yes–you won’t be able to use Secret-based credentials until you upgrade to 0.7.0 or later.