First of all: This might be a duplicate of Nokia/kong-oidc and Auth0 on Kubernetes help
Unfortunately it looks like this has never been resolved, so let’s try it again!
What I want to do:
Use kong as an API gateway for some services I’m running on kubernetes. Further I want to use the kong-oidc plugin to protect those services, backed by keycloak as an IDP. Before I started I tested the concept by setting everything up with docker-compose and it worked.
Now I started introducing kong on my kubernetes cluster. The basic routing works fine, but kong ignores the kong-oidc plugin, so everything is unprotected.
Let me elaborate how I set things up.
The kong-oidc plugin is not in the list of bundled images. That’s why I created my own Dockerfile including the plugin based on
```dockerfile
FROM kong:1.4.0-alpine
LABEL description="Alpine + Kong 1.4.0 + kong-oidc plugin"
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc
```
Then I used this deployment yaml (from the official minikube-guide).
Because I have my own kong-image I replaced `image: kong:1.3` with `image: corphub/kong-oidc:1.4.0-centos` in the ingress-kong deployment. Note that I used this opportunity to go from
After that I set up an Ingress for kong and the configuration for the kong-oidc plugin:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-kong
  annotations:
    plugins.konghq.com: kong-oidc
spec:
  rules:
  - http:
      paths:
      - path: /graphql
        backend:
          serviceName: corphub-graphql-service
          servicePort: 8082
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-oidc
  labels:
    global: "true"
config:
  client_id: kong
  client_secret: XXX
  discovery: http://keycloak:8180/auth/realms/master/.well-known/openid-configuration
plugin: kong-oidc
```
I also added the env variable `KONG_CUSTOM_PLUGINS=kong-oidc` to the earlier mentioned ingress-kong deployment because I read that somewhere, but I’m not sure if that is needed.
Now I would expect that every request going through kong would be validated by leveraging the kong-oidc plugin and keycloak. But that’s just not happening. All the requests just go through as if the plugin is not there at all. I also can’t find any logs which could point me in any direction.
I would love this setup to work, because I find it very elegant and robust. I hope I provided enough information, if not please ask.
Thanks in advance,
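
A check for the symptom described in this post, where requests pass through the gateway without any login: the Python below is an added example, not part of the original post, that sends one request with no cookie or token and classifies the answer. It assumes the plugin responds to unauthenticated requests either with a redirect to the Keycloak realm named in the post's discovery URL or with a 401/403; the gateway URL is supplied by the caller, and the function names are hypothetical.

```python
"""Added example: detect a gateway route that fails open (no OIDC enforcement)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Discovery URL taken from the post's KongPlugin config.
DISCOVERY = "http://keycloak:8180/auth/realms/master/.well-known/openid-configuration"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it


def classify(status, headers, discovery=DISCOVERY):
    """Return 'UNPROTECTED', 'redirect-to-idp', 'rejected' or 'inconclusive'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    idp = urlsplit(discovery)
    # Assumption: the login endpoint lives under the same realm path as discovery.
    realm = idp.path.split("/.well-known/")[0]
    if 200 <= status < 300:
        return "UNPROTECTED"  # upstream answered a request that carried no credentials
    if status in (401, 403):
        return "rejected"
    if status in (301, 302, 303, 307):
        loc = urlsplit(hdrs.get("location", ""))
        if loc.netloc == idp.netloc and loc.path.startswith(realm + "/"):
            return "redirect-to-idp"
    return "inconclusive"  # other redirects, 404, 5xx: says nothing about auth


def probe(url, timeout=5):
    """Send one request without cookie or token and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return classify(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return classify(err.code, dict(err.headers.items()))


if __name__ == "__main__":
    # Usage: python check_route.py <gateway URL of the protected path>
    result = probe(sys.argv[1])
    print(result)
    sys.exit(1 if result == "UNPROTECTED" else 0)
```

Run against the `/graphql` route through the gateway, an `UNPROTECTED` result reproduces the behaviour reported here; wiring the script into a deployment check catches the plugin silently not being applied.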