Kong Ingress Controller & KeyCloak

Hi Kong Nation,

I’m trying to set up Kong Ingress Controller with KeyCloak. I have both up and running fine in a local Kubernetes cluster, but I can’t configure Kong to forward auth requests to KeyCloak via the OIDC plugin.

This is the YAML for OIDC plugin.

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
  labels:
    global: "true"
config:
  client_id: kong
  client_secret: 56d88f68-7275-4691-aa75-3d0e419e8bb2
  discovery: http://172.17.0.5:8080/auth/realms/master/.well-known/openid-configuration
plugin: oidc

KeyCloak has the following IP address - 172.17.0.5 (internal to cluster) and I can curl the discovery address from another pod so KeyCloak seems to be up and running correctly.

When trying to apply the plugin YAML I’m getting the following error.

E0205 00:51:39.514093 1 kong.go:254] error filling in defaults for plugin: oidc

Any ideas of what I’m doing wrong?

Does anyone have an example of KongIngress and KeyCloak working together?

Any other ideas?

Ok looks like I don’t have oidc plugin installed.

Any way to install via Admin API or do I have to create a docker image with the plugin installed?

Yes, you need to build a Docker image with the plugin in it.

Or you can dynamically mount it via ConfigMap:

I have found this thread (Nokia/kong-oidc and Auth0 on Kubernetes help) that creates a docker image from kong and installs a plugin from luarocks, which meets my use case; however, this is the full kong image and I need to do this with the ingress image. Is there an example of this anywhere that I can follow?

I’ve got the following which is getting close (I hope) but still not managing to get the docker image to run.

Output when trying to run the docker image.

-------------------------------------------------------------------------------
Kong Ingress controller
  Release:    f10c76e
  Build:      f10c76e
  Repository: https://github.com/Kong/kubernetes-ingress-controller
  Go:         go1.13.7
-------------------------------------------------------------------------------

F0206 05:20:16.779928       1 main.go:100] either --publish-service or --publish-status-addressmust be specified

Am I missing some configuration?

Docker Image

FROM kong-docker-kubernetes-ingress-controller.bintray.io/master:latest

USER root

RUN apk update && apk add wget && rm -rf /var/cache/apk/*

ENV LUA_VERSION 5.3
ENV LUA_PACKAGE lua${LUA_VERSION}
ENV LUAROCKS_VERSION 3.0.3

# Install packages necessary for Lua, Luarocks.
RUN apk add ${LUA_PACKAGE}
RUN apk add ${LUA_PACKAGE}-dev
RUN apk add luajit
RUN apk add luarocks
RUN apk add build-base git bash zip unzip curl
RUN ln -s /usr/bin/luarocks-$LUA_VERSION /usr/bin/luarocks

RUN luarocks install kong-oidc

I’ve also tried to customize Kong with https://github.com/Kong/docker-kong/tree/master/customize, but when starting the image it looks for a database, so either the Ingress controller image is different or there is config missing to set up DB-less mode.

Any help would be greatly appreciated.

There are two Docker images involved here:

  • Ingress Controller
  • Kong

You need to install the plugin in Kong’s Docker image and not the Ingress Controller.


I have done that and the docker image is created successfully but I want to use the ingress controller with the nokia/oidc plugin so I can auth with Keycloak. Is there a way to do this?

What you have done above in the previous comment is wrong.

FROM kong-docker-kubernetes-ingress-controller.bintray.io/master:latest

You want to do this to Kong’s Docker image and not the ingress controller.

The ingress controller doesn’t have any plugins installed in it. It dynamically figures out the plugins from Kong and configures them.

Thanks Harry. Okay so if I build a new Kong image with the plugins installed and then change the ingress deployment to use that image, will that work? Do I need to configure anything else in the YAML?

Yes that will work. Please make sure to replace the right image. Don’t replace the controller’s image with Kong’s image. Replace the existing Kong image with the one you have built.

Hi @hbagdi ,

Thanks, that has worked to some degree. I’m now facing an issue where I’m getting 302 redirects in Kong Proxy which eventually time out. My assumption is that these requests are being forwarded to Keycloak for authentication, but I’m unable to trace them, so I’m not 100% sure where the redirects are trying to go. In the proxy, is there a way to trace these requests? Is there a way to change the logging level?

BTW the redirects only happen on routes / services that have the nokia/oidc plugin enabled. All other requests work as expected.

UPDATE:
I forgot to mention that I can get a successful token from Keycloak using postman so I believe I have everything setup correctly.

Please share your Ingress and KongPlugin manifests.

Correlation Plugin

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: cdx-correlation-id
  labels:
    global: "true"
config:
  header_name: cdx-correlation-id
plugin: correlation-id

OIDC Plugin

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
config:
  client_id: kong
  client_secret: cdb8a008-f126-4d0c-9340-d73f065315c4
  scope: openid
  realm: API
  # I've also tried the pod IP here and get the same 302 redirect
  discovery: http://keycloak.auth:8080/auth/realms/API/.well-known/openid-configuration
plugin: oidc

Customer ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: customer-api-ingress
  annotations:
    # OIDC only set for customer ingress
    plugins.konghq.com: oidc
spec:
  rules:
    - http:
        paths:
          - path: /customers
            backend:
              serviceName: customer-api-svc
              servicePort: 80

Foo ingress - just an echo server

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  annotations:
    plugins.konghq.com: cdx-correlation-id
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: echo
          servicePort: 80

Proxy works for /foo ingress but not /customers

Using postman I can get a token from Keycloak using port-forwarding

Here is my kong client in Keycloak. I have specified * for valid redirect URLs.

I’ve noticed this warning in the Keycloak logs and wonder if this could be causing the issue?

You also need to expose keycloak itself outside the Kubernetes cluster via an Ingress rule. When the plugin wants the user to authenticate with keycloak, it sends back a redirect to the user, but if the redirect URL is wrong or inaccessible outside the k8s cluster, then you will be stuck.
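One way to wire this up, as an added example that is not from the thread or from the Kong project: the Kong proxy Deployment switched to the custom image with the plugin enabled, an Ingress that publishes Keycloak at an external hostname, and the OIDC plugin pointed at that hostname so the 302 lands somewhere a browser can reach. The image name, the keycloak.example.com hostname, and the Keycloak Service name and namespace are assumptions.

```yaml
# Added example, not from the thread. Assumptions: registry.example/kong-oidc:1.0
# is the official kong image plus `luarocks install kong-oidc`; Keycloak is
# Service "keycloak" in namespace "auth" (from keycloak.auth:8080);
# keycloak.example.com resolves to the Kong proxy from outside the cluster.
---
# Kong proxy Deployment (relevant fields only): custom image, plugin listed
# in KONG_PLUGINS so Kong loads it alongside the bundled ones.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong
  namespace: kong
spec:
  template:
    spec:
      containers:
      - name: proxy
        image: registry.example/kong-oidc:1.0
        env:
        - name: KONG_PLUGINS
          value: bundled,oidc
---
# Ingress for Keycloak so the browser can follow the plugin's redirect.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  namespace: auth
spec:
  rules:
  - host: keycloak.example.com
    http:
      paths:
      - path: /auth
        backend:
          serviceName: keycloak
          servicePort: 8080
---
# Discovery via the external hostname: Keycloak builds the endpoint URLs in the
# discovery document from the host it was reached on, so an internal URL yields
# an internal authorization_endpoint that the browser cannot reach.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
config:
  client_id: kong
  client_secret: <client-secret-from-keycloak>   # placeholder
  scope: openid
  realm: API
  discovery: http://keycloak.example.com/auth/realms/API/.well-known/openid-configuration
plugin: oidc
```

After applying, a request to /customers from outside the cluster should redirect to keycloak.example.com rather than to keycloak.auth:8080 or a pod IP.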
