Keycloak Openid Connect with kong-oidc plugin

Hi
I’m having problems configuring authentication with Keycloak.
I’ve made a setup that works with Okta, but when I switch to Keycloak it fails.
I’ve compared logs, and in the case of successful authentication with Okta there are some extra steps that happen after the Authorization Code Flow finishes and redirects to the original URI.

From the Keycloak log it looks like the access handler of the oidc plugin doesn’t get executed. What would be the reason for this?

Okta conf

{
    "data": [
        {
            "config": {
                "bearer_only": "no",
                "client_id": "xxxxxxxxx",
                "client_secret": "xxxxxxxxxxxxxxxxxx",
                "discovery": "https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration",
                "logout_path": "/logout",
                "realm": "kong",
                "redirect_after_logout_uri": "/",
                "response_type": "code",
                "scope": "openid",
                "session_secret": "0oaez9z9tu95rEI5d356",
                "ssl_verify": "no",
                "token_endpoint_auth_method": "client_secret_post"
            },
            "created_at": 1558042384000,
            "enabled": true,
            "id": "f709d1cc-2f51-4c5a-adf1-5137a1bda70a",
            "name": "oidc",
            "route_id": "84dd2622-db06-428a-a100-7e5d48638122"
        }
    ],
    "total": 1
}

Keycloak configuration

{
    "data": [
        {
            "config": {
                "bearer_only": "no",
                "client_id": "console",
                "client_secret": "bf16df7a-c44e-4c5b-86d3-410b357fcf7e",
                "discovery": "https://auth.server.tk/auth/realms/kapua/.well-known/openid-configuration",
                "logout_path": "/logout",
                "realm": "kapua",
                "redirect_after_logout_uri": "/",
                "response_type": "code",
                "scope": "openid",
                "session_secret": "zA7_VEz2SWQ5VwPYuqrgRjIupKkAeYqxL3QYZfbE",
                "ssl_verify": "no",
                "token_endpoint_auth_method": "client_secret_post"
            },
            "created_at": 1558040826000,
            "enabled": true,
            "id": "4d46f4ad-039d-4200-a495-1ef22e5a9f57",
            "name": "oidc",
            "route_id": "84dd2622-db06-428a-a100-7e5d48638122"
        }
    ],
    "total": 1
}

Kong log okta

2019/05/17 14:29:10 [debug] 31#0: *539 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:29:10 [debug] 31#0: *539 [lua] http.lua:633: send_request(): 
GET /oauth2/default/v1/userinfo HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Authorization: Bearer eyJraWQiOiI0SmJJZ3prMHRpbnZYakIyYWhHYjZqei16MUlnZ2NiN282VVl3VkxJMnlZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkRRZDA4aUJfc2EwRG5adHlYNU15N2lKejZwQWo0eDFuTlNYSmlTVm9pQzAiLCJpc3MiOiJodHRwczovL2Rldi04OTA2NDUub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTU4MTAzMzQ5LCJleHAiOjE1NTgxMDY5NDksImNpZCI6IjBvYWV6OXo5dHU5NXJFSTVkMzU2IiwidWlkIjoiMDB1ZHF3azc2dnpUSDhHZU4zNTYiLCJzY3AiOlsib3BlbmlkIl0sInN1YiI6Im1pcmtvdEBtaXJrb3QuY29tIn0.RRm_ERwe-90p33D2sYdm-Jh7mvF3UpmKRonCh_o-ZP6RBe2knNap5sw-t8Az28rZR-V8FKvK6LiidAy27CNB32E1OMaOiNTmOupbZvC0Fr7yBhPDT6qHfBwuYxfpr08gqimVzTanb9xfv10B2Us4Ca5aw28tkzGRdOBeTTQktvqVELvNdv17FhUtpJ5tqHXvwuWRQ3htaUMHFn701_tcZIFmppgNq_3XS5AI_GGZHmDJOmsFO_NKedxA-KImZ2RDZ5y_Vw0i88k8sin87OybPqcCbL_MdDbAROup2KEvpf8rDgLtjDrLz1zj-8mqhTJEodYKbvwFtxOuiXu4jTSitw
Host: dev-890645.okta.com


2019/05/17 14:29:11 [debug] 31#0: *539 [lua] openidc.lua:439: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"00udqwk76vzTH8GeN356","user.fullName":"mirko mirko","user.email":"mirkot@mirkot.com"}
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] openidc.lua:978: authenticate(): OIDC Authorization Code Flow completed -> Redirecting to original URL (/api/management/v1/useradm/auth/ssologin)
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] handler.lua:46: make_oidc(): OidcHandler calling authenticate, requested path: /api/management/v1/useradm/auth/ssologin
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:467: openidc_discover(): openidc_discover: URL is: https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:473: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] http.lua:633: send_request(): 
GET /oauth2/default/.well-known/openid-configuration HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Host: dev-890645.okta.com


2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:485: openidc_discover(): response data: {"issuer":"https://dev-890645.okta.com/oauth2/default","authorization_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/authorize","token_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/token","userinfo_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/userinfo","registration_endpoint":"https://dev-890645.okta.com/oauth2/v1/clients","jwks_uri":"https://dev-890645.okta.com/oauth2/default/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","profile","email","address","phone","offline_access"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/logout","request_parameter_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]}
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 1 => client_secret_basic
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 2 => client_secret_post
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1038: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1066: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1203: authenticate(): session.present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1244: authenticate(): id_token={"ver":1,"user.fullName":"mirko mirko","iat":1558103349,"iss":"https:\/\/dev-890645.okta.com\/oauth2\/default","aud":"0oaez9z9tu95rEI5d356","idp":"00odqmy78hrj72VvL356","amr":["pwd"],"user.email":"mirkot@mirkot.com","exp":1558106949,"sub":"00udqwk76vzTH8GeN356","jti":"ID.xeeZplWT0xBO8E5W6QEiIb0e-FMb0lMXj7oeNg326U8","auth_time":1558103346,"nonce":"0e25d502f0d4ff42e9ba96af807e68a1","at_hash":"O_APuNM4_LQzOsPyJHizfQ"}
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] handler.lua:25: OidcHandler done
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] init.lua:411: balancer(): setting address (try 1): 10.126.22.36:8080
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:29:14 [debug] 30#0: *618 [lua] cluster_events.lua:222: [cluster_events] polling events f

Kong keycloak log

2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:425: openidc_call_userinfo_endpoint(): authorization header 'Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFWFRpeVBIWXRaRnV0N1JwOWJLZTl0R2ktSnFXMF9MR1hUR2ctZURDR2o0In0....TpMzGDny3LwsKlAVVQx215JQY3TPA1QswEMTM4VuE2PX83tsvmynQcXYW9UV2OxZErBouWIxXaySIrysU3FbAFHDIETHmYniFEHzeHvaLcy6vK6wxQQXEuEmm5x-WUpojAU_69FX_YaKB2_wIzZm0CpdoN-yAUjUfz1fHpaW31Y65RLtZ6GwdffWSO4eh9_nh8PdzqvX1H4_l0AiUhJoAm0LA3yf5PZPKrwyuZmCfGxLolbEiJvZ1-OvjDFyKNLntZRQOrkOKoM5UNg2cz87rak-GTCfvsi1DHk2KFHnyVOhvlsMygYrn8OhW77DJRRKMpCiUf4iOXCD8SZcNQKEnA'
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] http.lua:633: send_request(): 
GET /auth/realms/kapua/protocol/openid-connect/userinfo HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFWFRpeVBIWXRaRnV0N1JwOWJLZTl0R2ktSnFXMF9MR1hUR2ctZURDR2o0In0.eyJqdGkiOiIxYzZhYmMzNy00NmUwLTQyNzYtOWIwNC04Nzc3ZmI1ZjAwMzgiLCJleHAiOjE1NTgxMDMyNzUsIm5iZiI6MCwiaWF0IjoxNTU4MTAyOTc1LCJpc3MiOiJodHRwOi8vYXV0aC5zb2xpZHNlbnNlLnRrOjkwODAvYXV0aC9yZWFsbXMva2FwdWEiLCJhdWQiOiJjb25zb2xlIiwic3ViIjoiZWJjMTQ5NmQtNWZhNi00MTk4LTk5ZGYtMzBjNzI5NjM0ZThjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY29uc29sZSIsIm5vbmNlIjoiZTM1ZjUxMWYyMTQ5ODE0Y2ViNDI3MTI3Mjc5MjZiMjIiLCJhdXRoX3RpbWUiOjE1NTgxMDI5NzUsInNlc3Npb25fc3RhdGUiOiI1MWYxYTQyZi0xYTE2LTQ2YTgtYmFlMS01OGI0MjgwMjgxOTMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9wb3J0YWwuc29saWRzZW5zZS50ayIsImh0dHA6Ly9rYXB1YS5zb2xpZHNlbnNlLnRrIiwiaHR0cDovL3VpLm1lbmRlci5jb20iLCJodHRwOi8vbWVuZGVyLnNvbGlkc2Vuc2UudGsiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6IkRyYXNrbyBEcmFza292aWMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkcmFza28iLCJnaXZlbl9uYW1lIjoiRHJhc2tvIiwiZmFtaWx5X25hbWUiOiJEcmFza292aWMiLCJlbWFpbCI6ImRyYXNrb0BtYWluZmx1eC5jb20ifQ.TpMzGDny3LwsKlAVVQx215JQY3TPA1QswEMTM4VuE2PX83tsvmynQcXYW9UV2OxZErBouWIxXaySIrysU3FbAFHDIETHmYniFEHzeHvaLcy6vK6wxQQXEuEmm5x-WUpojAU_69FX_YaKB2_wIzZm0CpdoN-yAUjUfz1fHpaW31Y65RLtZ6GwdffWSO4eh9_nh8PdzqvX1H4_l0AiUhJoAm0LA3yf5PZPKrwyuZmCfGxLolbEiJvZ1-OvjDFyKNLntZRQOrkOKoM5UNg2cz87rak-GTCfvsi1DHk2KFHnyVOhvlsMygYrn8OhW77DJRRKMpCiUf4iOXCD8SZcNQKEnA
Host: auth.server.tk:9080


2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:439: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"ebc1496d-5fa6-4198-99df-30c729634e8c","namexxxxxxxxxxxxxxxxxxxxxxxxx}
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:978: authenticate(): OIDC Authorization Code Flow completed -> Redirecting to original URL (/api/management/v1/useradm/auth/ssologin)
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:22:56 [debug] 26#0: *1629 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102976.755
2019/05/17 14:23:01 [debug] 31#0: *1678 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102981.756
2019/05/17 14:23:06 [debug] 33#0: *1724 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102986.756

This was resolved by increasing the buffer size in the configuration of the nginx that is in front of the Kong server.

The problem was with

2019/05/20 08:24:47 [debug] 2719#2719: *23 http proxy header: "Connection: close"
2019/05/20 08:24:47 [error] 2719#2719: *23 upstream sent too big header while reading response header from upstream, client: 127.0.0.1, server: ui.mender.com, request: "GET /api/management/v1/useradm/auth/ssologin/?state=35cba490b014c7e3a7e47f018c7d7cea&session_state=eff639c5-e8ba-40bc-8233-586c75c9d86e&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ant4aB9f8lCzE3_Eep6xkg.q6DftLsfXY8ISWLUVKNAMkWW-EWn4d6bWQHblsohLxJPtumRGW0hqaw-wP5lU0ztAJo1rBJXSipF2h3ViaE-UEBEnk0ubxm0jmdduB8lOVCHnHy-gPT0o1UHU-znDRcCnVwBWDhc-I2rk0Oo0_ZWmJi405bqq-XC_EEWqhj6OmRENODFVQwo19GHMO7DKoSXZbsW9EY88dB3kAxtGNC6DBZM54GLLgjijQ_vhndN-Hgrci71ORfImodQp1LWZrRB.ni0y9i0nh8IeUaHECf9KUA HTTP/1.1", upstream: "http://127.0.0.1:8000/api/management/v1/useradm/auth/ssologin/?state=35cba490b014c7e3a7e47f018c7d7cea&session_state=eff639c5-e8ba-40bc-8233-586c75c9d86e&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ant4aB9f8lCzE3_Eep6xkg.q6DftLsfXY8ISWLUVKNAMkWW-EWn4d6bWQHblsohLxJPtumRGW0hqaw-wP5lU0ztAJo1rBJXSipF2h3ViaE-UEBEnk0ubxm0jmdduB8lOVCHnHy-gPT0o1UHU-znDRcCnVwBWDhc-I2rk0Oo0_ZWmJi405bqq-XC_EEWqhj6OmRENODFVQwo19GHMO7DKoSXZbsW9EY88dB3kAxtGNC6DBZM54GLLgjijQ_vhndN-Hgrci71ORfImodQp1LWZrRB.ni0y9i0nh8IeUaHECf9KUA", host: "ui.mender.com", referrer: "http://auth.solidsense.tk:9080/auth/realms/kapua/protocol/openid-connect/auth?response_type=code&client_id=console&state=35cba490b014c7e3a7e47f018c7d7cea&redirect_uri=http%3A%2F%2Fui.mender.com%2Fapi%2Fmanagement%2Fv1%2Fuseradm%2Fauth%2Fssologin%2F&nonce=2dbc200bd280f1944526779970c930d4&scope=openid"
2019/05/20 08:24:47 [debug] 2719#2719: *23 http next upstream, 8

resolved with

        location / {
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             # CORS response headers: any origin, method and header is allowed
             add_header Access-Control-Allow-Origin '*';
             add_header Access-Control-Allow-Methods '*';
             add_header Access-Control-Allow-Headers '*';
             proxy_set_header Cookie $http_cookie;
             proxy_pass http://localhost:8000;

             # Larger buffers for reading the response header from the upstream (Kong)
             proxy_buffer_size          128k;
             proxy_buffers              4 256k;
             proxy_busy_buffers_size    256k;
        }

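A way to spot this failure in the front nginx's error log without copying the authorization code and state into a ticket or chat, as an added example that is not part of the original posts. The sample log lines, host names and the `find_too_big_header` / `redact_url` helpers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in nginx error-log format (hosts and values are made up).
SAMPLE_LOG = '''\
2019/05/20 08:24:47 [error] 2719#2719: *23 upstream sent too big header while reading response header from upstream, client: 127.0.0.1, server: app.example.test, request: "GET /sso/login/?state=abc123&session_state=s-1&code=SAMPLECODE HTTP/1.1", upstream: "http://127.0.0.1:8000/sso/login/?state=abc123&session_state=s-1&code=SAMPLECODE", host: "app.example.test"
2019/05/20 08:24:48 [error] 2719#2719: *24 connect() failed (111: Connection refused) while connecting to upstream, client: 127.0.0.1, server: app.example.test, request: "GET /health HTTP/1.1", upstream: "http://127.0.0.1:8000/health", host: "app.example.test"
'''

TOO_BIG = "upstream sent too big header while reading response header from upstream"
# Query parameters of an OIDC redirect that should not leave the log file.
SENSITIVE = {"code", "state", "session_state", "id_token", "access_token"}
# Quoted key/value fields of an nginx error line: request, upstream, host, referrer.
FIELD = re.compile(r'(\w+): "([^"]*)"')


def redact_url(url):
    """Replace the values of OIDC redirect parameters with a fixed marker."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def find_too_big_header(log_text):
    """Return one dict per 'too big header' error, with request and upstream redacted."""
    hits = []
    for line in log_text.splitlines():
        if TOO_BIG not in line:
            continue
        fields = dict(FIELD.findall(line))
        method, _, rest = fields.get("request", "").partition(" ")
        target = rest.rsplit(" ", 1)[0]  # drop the trailing "HTTP/1.1"
        hits.append({
            "time": line[:19],
            "method": method,
            "request": redact_url(target),
            "upstream": redact_url(fields.get("upstream", "")),
            # True when the failing request is the redirect back from the identity provider
            "is_oidc_callback": "code=" in target and "state=" in target,
        })
    return hits
```

A hit with `is_oidc_callback` set matches the situation in this thread: the response to the redirect from the identity provider is the one whose header does not fit the proxy buffer.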

I have the same problem. I’m using the Kong Helm Chart https://hub.kubeapps.com/charts/stable/kong
Where do I add that configuration? I have this error: “upstream sent too big header while reading response header from upstream”
Thanks!!!

All the nginx config can be set as environment variables following the rules described here:

  • Entries prefixed with nginx_http_ will be injected to the overall http block directive.
  • Entries prefixed with nginx_proxy_ will be injected to the server block directive handling Kong’s proxy ports.
  • Entries prefixed with nginx_admin_ will be injected to the server block directive handling Kong’s Admin API ports.

So, in the values.yaml, the “env” property.

Thanks for your answer. I am using the following in values.yaml:
env:
  database: postgres
  proxy_access_log: /dev/stdout
  admin_access_log: /dev/stdout
  admin_gui_access_log: /dev/stdout
  portal_api_access_log: /dev/stdout
  proxy_error_log: /dev/stderr
  admin_error_log: /dev/stderr
  admin_gui_error_log: /dev/stderr
  portal_api_error_log: /dev/stderr
  admin_listen: 127.0.0.1:8444 ssl
  client_body_buffer_size: 512k
  client_header_buffer_size: 512k
  http2_max_field_size: 512k
  http2_max_header_size: 512k
  ssl_buffer_size: 512k

Do I have to use the nginx_http_ prefix in the env section?

For example, if I want to add: proxy_buffer_size
I should use in the env section: nginx_proxy_proxy_buffer_size
Is that correct?
Thank you very much

Hi!

Following the documentation (version 1.4), it should work that way; however, comparing the env variables I defined with the nginx directives set in the pod (/usr/local/kong/nginx-kong.conf), it seems that the “nginx_” prefix is not necessary.

So, the nginx_proxy_proxy_buffer_size env property should be a KONG_NGINX_PROXY_PROXY_BUFFER_SIZE environment variable in the pod, and the “proxy_buffer_size” directive should be set in the nginx server block.

I solved the problem by adding these values to the env section of values.yaml:
env:
  nginx_proxy_proxy_buffer_size: 128k
  nginx_proxy_proxy_buffers: 4 256k
  nginx_proxy_proxy_busy_buffers_size: 256k
Thank you very much for your help.
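A pre-deployment check for the `env` values above, as an added example that is not part of the original posts or of the Kong chart. It follows the three prefix rules quoted in the thread to show which pod variable and nginx directive each key becomes, and applies the consistency rules nginx enforces between the three proxy buffer directives. The function names and `LOPSIDED_ENV` are constructed for illustration, and the check assumes all three directives are set.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
# Prefix -> nginx block that receives the directive (the three rules quoted in the thread).
BLOCKS = {
    "nginx_http_": "http",
    "nginx_proxy_": "proxy server",
    "nginx_admin_": "admin server",
}


def size(text):
    """Parse an nginx size such as '128k' into bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text.strip())
    if m is None:
        raise ValueError(f"not an nginx size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def injected(env):
    """Map chart env keys to (pod environment variable, block, directive line)."""
    out = []
    for key, value in env.items():
        for prefix, block in BLOCKS.items():
            if key.startswith(prefix):
                directive = key[len(prefix):]
                out.append(("KONG_" + key.upper(), block, f"{directive} {value};"))
    return out


def check_proxy_buffers(env, prefix="nginx_proxy_"):
    """Return the buffer-size inconsistencies nginx rejects (empty list = consistent)."""
    header_buf = size(env[prefix + "proxy_buffer_size"])
    count, each = env[prefix + "proxy_buffers"].split()
    count, each = int(count), size(each)
    busy = size(env[prefix + "proxy_busy_buffers_size"])
    problems = []
    if count < 2:
        problems.append("there must be at least 2 proxy_buffers")
    if busy < max(header_buf, each):
        problems.append("proxy_busy_buffers_size is below max(proxy_buffer_size, one buffer)")
    if busy > (count - 1) * each:
        problems.append("proxy_busy_buffers_size exceeds all proxy_buffers minus one buffer")
    return problems


# Values from the thread's working values.yaml.
THREAD_ENV = {
    "nginx_proxy_proxy_buffer_size": "128k",
    "nginx_proxy_proxy_buffers": "4 256k",
    "nginx_proxy_proxy_busy_buffers_size": "256k",
}
# Constructed variant: only the header buffer raised, the other two left as they were.
LOPSIDED_ENV = dict(THREAD_ENV, nginx_proxy_proxy_buffer_size="512k")
```

`check_proxy_buffers(THREAD_ENV)` returns an empty list, while `LOPSIDED_ENV` is flagged because the busy-buffer size no longer covers the enlarged header buffer.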

Hi there, I am trying to integrate Keycloak with Kong; both of them are in the same namespace on a Kubernetes cluster. This article is quite useful for a local-machine dockerized solution. If anyone has experienced this implementation on a K8s cluster with Istio mesh: my Kong proxy and ingress are working fine for a basic service-route, yet I need to install the OIDC plugin, configure it, and do other configuration for Keycloak to let it use Postgres, perhaps the same Kong DB. Can anyone help? Thanks