Kong custom plugin accessing kongCredential in db-less mode

Hi there,

I have a custom plugin that is based on the JWT plugin that ships with Kong, however the difference is that there is an additional step to retrieve an access token from an OIDC discovery endpoint. The problem I’m experiencing is that my plugin can’t find any credentials for my issuer. I have followed this guide to set up my plugin as a ConfigMap.

https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/setting-up-custom-plugins.md

I have a KongConsumer and a KongCredential CRD with a type of jwt, which I assumed would work (as they do with the JWT plugin), but I am getting the following error message.

"message": "No credentials found for given key 'http://xx.xx.xx.xx/auth/realms/Api'"

How can I reference the KongCredential from my plugin in db-less mode?

Do you have a new type of credential or are you reusing JWT credential type that ships with Kong?

You can’t reference a credential in a plugin, that doesn’t make much sense because they are not related at all.

Using the JWT credential type that ships with Kong. How does the JWT plugin use the KongCredential?

In source code for the JWT plugin there is this code -

kong.db.jwt_secrets:select_by_key(jwt_secret_key)

Does the in-memory db for kong get loaded with KongCredentials, consumers etc?

Yes.

You can use KongCredential (deprecated) or k8s Secret resources to provision JWT credentials inside Kong.
Here is the flow:

  1. Create a k8s secret and associate it with a KongConsumer resource in k8s
  2. Kong dynamically gets this info loaded into its memory.
  3. Now you can use the credential to authenticate against your APIs.

Follow the existing guide on using key-auth credential, but substitute the fields with corresponding JWT credential fields.
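A worked manifest for the flow above, added here as an illustration (not taken from the thread or from the ingress controller's docs); the resource names, the namespace and the public key are placeholders, and `key` is set to the issuer URL that appeared in the error earlier in the thread, since the JWT plugin looks the credential up by the token's `iss` claim by default.

```yaml
# Added example; names, namespace and key material are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: api-user-jwt            # placeholder
  namespace: default            # assumption: same namespace as the KongConsumer
type: Opaque
stringData:
  kongCredType: jwt             # tells the controller which credential table this feeds
  # Looked up by the JWT plugin using the token's "iss" claim (config.key_claim_name);
  # this is the value reported in "No credentials found for given key ...".
  key: http://xx.xx.xx.xx/auth/realms/Api
  algorithm: RS256
  # Verification key of the realm in PEM form (placeholder content).
  rsa_public_key: |
    -----BEGIN PUBLIC KEY-----
    REPLACE_WITH_REALM_PUBLIC_KEY
    -----END PUBLIC KEY-----
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: api-user                # placeholder
  namespace: default
  annotations:
    kubernetes.io/ingress.class: kong
username: api-user
credentials:
  - api-user-jwt                # the Secret above
```

Once applied, the controller pushes the consumer and its jwt_secrets row into Kong's in-memory store, which is what `kong.db.jwt_secrets:select_by_key()` reads in db-less mode.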

Thanks @hbagdi, I have another question related to consumers / credentials or secrets when configuring a custom plugin.

I want to create a new database table to hold secrets about a consumer which I have done in the daos.lua file. I assume I wouldn’t need migrations as I’m using db-less mode, is my assumption correct?

daos.lua

-- typedefs provides the uuid / auto_timestamp_s field types used below
local typedefs = require "kong.db.schema.typedefs"

return {
  jwt_oidc_secrets = {
    name = "jwt_oidc_secrets",
    primary_key = { "id" },
    -- cache_key and endpoint_key must name a declared field; the plugin looks
    -- rows up with select_by_key(), so that field is called "key"
    cache_key = { "key" },
    endpoint_key = "key",
    fields = {
      { id = typedefs.uuid },
      { created_at = typedefs.auto_timestamp_s },
      -- owning consumer; rows are removed when the consumer is deleted
      { consumer = { type = "foreign", reference = "consumers", default = ngx.null, on_delete = "cascade", }, },
      -- renamed from the placeholder field1 so select_by_key() resolves
      { key = { type = "string", required = true, unique = true, auto = true }, },
      { field2 = { type = "string", required = true }, },
    },
  },
}

How do I configure a credential or secret to be inserted (loaded) into my new jwt_oidc_secrets table?

How does the secret / credential know which table to insert the data into?

I’m wanting to retrieve these details in my custom plugin like:

local result, err = kong.db.jwt_oidc_secrets:select_by_key(key)

Custom DAOs for credentials are not yet supported by the Ingress Controller.
You can use Kong in DB mode and populate credentials via the Admin API and configure all the routing in Kong via Ingress and CRDs.

Yeah I suspected this might be the case, thanks @hbagdi

Is this on the roadmap for Ingress Controller?