Hello!
First of all: This might be a duplicate of Nokia/kong-oidc and Auth0 on Kubernetes help
Unfortunately it looks like this has never been resolved, so let’s try it again!
What I want to do:
Use kong as an API gateway for some services I’m running on kubernetes. Further I want to use the kong-oidc plugin to protect those services, backed by keycloak as an IDP. Before I started I tested the concept by setting everything up with docker-compose and it worked.
The Problem:
Now I started introducing kong on my kubernetes cluster. The basic routing works fine, but kong ignores the kong-oidc plugin, so everything is unprotected.
Let me elaborate how I set things up.
Reproduction/Setup:
The kong-oidc plugin is not in the list of bundled images. That’s why I created my own Dockerfile including the plugin based on kong:1.4.0-alpine:
# Start from the official Kong 1.4.0 Alpine image
FROM kong:1.4.0-alpine
LABEL description="Alpine + Kong 1.4.0 + kong-oidc plugin"
# luarocks needs git and unzip to fetch and unpack the rock
RUN apk update && apk add git unzip luarocks
# Install the kong-oidc plugin from LuaRocks
RUN luarocks install kong-oidc
Then I used this deployment yaml (from the official minikube-guide). Because I have my own kong image I replaced image: kong:1.3 with image: corphub/kong-oidc:1.4.0-centos in the ingress-kong deployment. Note that I used this opportunity to go from kong-1.3 to kong-1.4.
After that I set up an Ingress for kong and the configuration for the kong-oidc plugin:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-kong
  annotations:
    plugins.konghq.com: kong-oidc
spec:
  rules:
  - http:
      paths:
      - path: /graphql
        backend:
          serviceName: corphub-graphql-service
          servicePort: 8082
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-oidc
  labels:
    global: "true"
config:
  client_id: kong
  client_secret: XXX
  discovery: http://keycloak:8180/auth/realms/master/.well-known/openid-configuration
plugin: kong-oidc
I also added the env variable KONG_CUSTOM_PLUGINS=kong-oidc to the earlier mentioned ingress-kong deployment because I read that somewhere, but I’m not sure if that is needed.
Now I would expect that every request going through kong would be validated by leveraging the kong-oidc plugin and keycloak. But that’s just not happening. All the requests just go through as if the plugin is not there at all. I also can’t find any logs which could point me in any direction.
I would love this setup to work, because I find it very elegant and robust. I hope I provided enough information, if not please ask.
Thanks in advance,
Peter
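A check worth running before anything else in a setup like the one above: when a KongPlugin names a plugin that the Kong node never loaded, Kong applies nothing and the route fails open, which is exactly the silent "everything goes through" symptom described. Kong's Admin API root (GET / on port 8001) reports which plugins the node has loaded (plugins.available_on_server) and which have a plugin entity configured (plugins.enabled_in_cluster), so the KongPlugin's plugin field can be compared against that. The script below is an added example, not code from the post or from the kong-oidc project: the KongPlugin is the post's manifest reduced to a dict, the Admin API response is a constructed sample in the shape I expect from a Kong 1.x node (verify against your node's real output), and the plugin name "oidc" in the sample reflects my understanding of the name the kong-oidc rock registers under, which the post itself does not establish.

```python
"""Audit whether the plugin named by a KongPlugin resource is actually
loaded on the Kong node. An unloaded plugin means no enforcement at all:
the gateway fails open and every request reaches the backend.

Added example, not code from the post or the kong-oidc project. The
Admin API response below is a constructed sample (assumed shape of
GET / on Kong 1.x); compare it with a real node before relying on it.
"""
import json

# The post's KongPlugin, reduced to the fields this check needs.
KONGPLUGIN_FROM_POST = {
    "metadata": {"name": "kong-oidc", "labels": {"global": "true"}},
    "plugin": "kong-oidc",
}

# Constructed sample of GET http://<node>:8001/ for a node started with
# KONG_PLUGINS=bundled,oidc. Only the keys used by the audit are kept;
# "oidc" as the registered plugin name is an assumption, not from the post.
ADMIN_ROOT_SAMPLE = json.dumps({
    "version": "1.4.0",
    "configuration": {"plugins": ["bundled", "oidc"]},
    "plugins": {
        "available_on_server": {"key-auth": True, "jwt": True, "oidc": True},
        "enabled_in_cluster": ["oidc"],
    },
})


def parse_plugins_env(value):
    """Split a KONG_PLUGINS value such as 'bundled,oidc' into its names."""
    return {p.strip() for p in value.split(",") if p.strip()}


def audit_kongplugin(kongplugin, admin_root_json, ingress_annotation=None):
    """Return a list of findings; an empty list means the plugin should fire.

    ingress_annotation is the value of plugins.konghq.com on the Ingress,
    used when the KongPlugin is not marked global.
    """
    root = json.loads(admin_root_json)
    available = root["plugins"]["available_on_server"]
    enabled = root["plugins"]["enabled_in_cluster"]
    resource = kongplugin["metadata"]["name"]
    name = kongplugin.get("plugin")
    findings = []

    if not name:
        findings.append("KongPlugin %s has no 'plugin' field" % resource)
        return findings

    # The name in the manifest must match a plugin the node loaded.
    if name not in available:
        findings.append(
            "plugin %r is not loaded on the node; loaded plugins: %s. "
            "Check the KONG_PLUGINS env var (Kong 1.x reads 'plugins', the "
            "pre-1.0 'custom_plugins' name is gone) and the name the rock "
            "registers under" % (name, sorted(available)))
    elif name not in enabled:
        # Loaded, but the ingress controller never created a plugin entity.
        findings.append(
            "plugin %r is loaded but has no configured instance in the cluster; "
            "check the ingress-controller logs for a rejected KongPlugin" % name)

    # A non-global KongPlugin only fires if an Ingress references it.
    is_global = kongplugin["metadata"].get("labels", {}).get("global") == "true"
    if not is_global:
        attached = parse_plugins_env(ingress_annotation or "")
        if resource not in attached:
            findings.append(
                "KongPlugin %s is neither global nor referenced by a "
                "plugins.konghq.com annotation" % resource)
    return findings


if __name__ == "__main__":
    for finding in audit_kongplugin(KONGPLUGIN_FROM_POST, ADMIN_ROOT_SAMPLE, "kong-oidc"):
        print("FINDING:", finding)
```

Run it against the real Admin API by replacing ADMIN_ROOT_SAMPLE with the body of a curl to port 8001; the same comparison can be done by hand, but the point is that "no error in the logs" is not evidence of enforcement, so the loaded-plugin list is the thing to inspect.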