Kong DB-less mode and dynamic Consumers

I’m studying a little bit more about service mesh (istio) and found out Kong has awesome features to work with, so I decided to integrate it in my service mesh.

I’m trying to achieve End-User Authentication feature in my service mesh, and reading a little bit more I got stuck in Consumers part. It says a Consumer is a human trying to access a Service, and since Kong in k8s is recommended without DB (due to delcarative configs) how will I implement authentication feature for my microservices for each user?

In database mode, it seems fine to keep Kong db in sync with my ‘users’ microservice db, then it’s just a matter of using a plugin. Although it seems a bad practice to create a Consumer yaml for each user that signs up in my system

How do I approach this?

Depending upon the scale of consumers, you’ve three options:

  • If there are not going to be a lot of consumers, then you can create KongConsumer resource for each user that signs up. A lot mean, less than a thousand (no data to back this up).
  • If you have a lot of consumers, then you should deploy Kong with a database and then configure the consumers in Kong’s database. Please note that only the consumers are configured via your sync script/app. Rest of the configuration will be taken care of by Kong.
  • If you can, you should rather integrate an IdP with Kong, meaning, you don’t need a consumer resource for each of your user and also get to run Kong in DB-less mode.

Thanks for replying! Can you please explain a little more about the third option? How do I integrate with as IdP? Is there a famous one well used by community? How does that work?

Thanks in advance

You can use Nokia’s OIDC plugin and integrate any IdP that supports the OIDC protocol.

Kong then doesn’t store any identity information and relies on a third party to do that.

OIDC is supported by most IdP providers like Okta, Google, Ping etc.