I’m trying to set up Kong Ingress Controller with KeyCloak. I have both up and running fine in a local Kubernetes cluster but I can’t configure Kong to forward auth requests to KeyCloak via the OIDC plugin.
KeyCloak has the following IP address - 172.17.0.5 (internal to cluster) and I can curl the discovery address from another pod so KeyCloak seems to be up and running correctly.
When trying to apply the plugin YAML I’m getting the following error:
E0205 00:51:39.514093 1 kong.go:254] error filling in defaults for plugin: oidc
Any ideas of what I’m doing wrong?
Does anyone have an example of KongIngress and KeyCloak working together?
I have found this thread (Nokia/kong-oidc and Auth0 on Kubernetes help) that creates a docker image from kong and installs a plugin from luarocks, which meets my use case; however, this is the full kong image and I need to do this with the ingress image. Is there an example of this anywhere that I can follow?
I’ve got the following which is getting close (I hope) but still not managing to get the docker image to run.
Output when trying to run the docker image:
-------------------------------------------------------------------------------
Kong Ingress controller
Release: f10c76e
Build: f10c76e
Repository: https://github.com/Kong/kubernetes-ingress-controller
Go: go1.13.7
-------------------------------------------------------------------------------
F0206 05:20:16.779928 1 main.go:100] either --publish-service or --publish-status-address must be specified
Am I missing some configuration?
Docker Image
FROM kong-docker-kubernetes-ingress-controller.bintray.io/master:latest
USER root
RUN apk update && apk add wget && rm -rf /var/cache/apk/*
ENV LUA_VERSION 5.3
ENV LUA_PACKAGE lua${LUA_VERSION}
ENV LUAROCKS_VERSION 3.0.3
# Install packages necessary for Lua, Luarocks.
RUN apk add ${LUA_PACKAGE}
RUN apk add ${LUA_PACKAGE}-dev
RUN apk add luajit
RUN apk add luarocks
RUN apk add build-base git bash zip unzip curl
RUN ln -s /usr/bin/luarocks-$LUA_VERSION /usr/bin/luarocks
RUN luarocks install kong-oidc
I’ve also tried to customize Kong with https://github.com/Kong/docker-kong/tree/master/customize but when starting the image it looks for a database, so it’s either that the Ingress controller image is different or that there is config missing to set up DB-less mode.
I have done that and the docker image is created successfully but I want to use the ingress controller with the nokia/oidc plugin so I can auth with Keycloak. Is there a way to do this?
Thanks Harry. Okay so if I build a new Kong image with the plugins installed and then change the ingress deployment to use that image, will that work? Do I need to configure anything else in the YAML?
Yes that will work. Please make sure to replace the right image. Don’t replace the controller’s image with Kong’s image. Replace the existing Kong image with the one you have built.
Thanks, that has worked to some degree. I’m now facing an issue where I’m getting 302 redirects in Kong Proxy which eventually time out. My assumption is that these requests are being forwarded to Keycloak for authentication but I’m unable to trace these, so I’m not 100% sure where the redirects are trying to go to. In the proxy is there a way to trace these requests? Is there a way to change the logging level?
BTW the redirects only happen on routes / services that have the nokia/oidc plugin enabled. All other requests work as expected.
UPDATE:
I forgot to mention that I can get a successful token from Keycloak using Postman, so I believe I have everything set up correctly.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
config:
  client_id: kong
  client_secret: cdb8a008-f126-4d0c-9340-d73f065315c4
  scope: openid
  realm: API
  # I've also tried the pod IP here and get the same 302 redirect
  discovery: http://keycloak.auth:8080/auth/realms/API/.well-known/openid-configuration
plugin: oidc
Customer ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: customer-api-ingress
  annotations:
    # OIDC only set for customer ingress
    plugins.konghq.com: oidc
spec:
  rules:
  - http:
      paths:
      - path: /customers
        backend:
          serviceName: customer-api-svc
          servicePort: 80
You also need to expose Keycloak itself outside the Kubernetes cluster via an Ingress rule. When the plugin wants the user to authenticate with Keycloak, it sends back a redirect to the user, but if the redirect URL is wrong or inaccessible outside the k8s cluster, then you will be stuck.
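An added diagnostic for the redirect loop discussed above (this is not code from the thread or from Kong/Keycloak): it pulls the Location out of the 302 the oidc plugin returns and checks the browser-facing endpoints of the discovery document against the hostname Keycloak is actually exposed on. It assumes Keycloak fills the discovery document with URLs derived from the Host header it was queried through, so fetching discovery via keycloak.auth:8080 yields an authorization_endpoint on that same in-cluster name; sso.example.test is a placeholder for the public hostname, and the sample document and response are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Endpoints the *browser* must reach; token/jwks/userinfo are fetched by Kong
# from inside the cluster, so an in-cluster URL is fine for those.
BROWSER_FACING = ("authorization_endpoint", "end_session_endpoint")

def is_private_address(host: str) -> bool:
    """True for RFC 1918 / loopback literals such as the pod IP 172.17.0.5."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback

def browser_unreachable(url: str, public_host: str) -> bool:
    """A redirect only works if it names the host Keycloak is exposed on."""
    host = (urlparse(url).hostname or "").lower()
    return is_private_address(host) or host != public_host.lower()

def redirect_target(raw_response: str):
    """Return the Location header of a raw HTTP 3xx response, else None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *headers = head.split("\r\n")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].startswith("3"):
        return None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def audit_discovery(doc: dict, public_host: str) -> dict:
    """Browser-facing endpoints a client outside the cluster cannot reach."""
    return {k: doc[k] for k in BROWSER_FACING
            if k in doc and browser_unreachable(doc[k], public_host)}

# Constructed samples (not captured output): the discovery document Keycloak
# returns when queried via its in-cluster name, and the 302 Kong built from it.
INTERNAL = "http://keycloak.auth:8080/auth/realms/API"
SAMPLE_DISCOVERY = {
    "issuer": INTERNAL,
    "authorization_endpoint": INTERNAL + "/protocol/openid-connect/auth",
    "token_endpoint": INTERNAL + "/protocol/openid-connect/token",
    "end_session_endpoint": INTERNAL + "/protocol/openid-connect/logout",
}
SAMPLE_302 = ("HTTP/1.1 302 Moved Temporarily\r\n"
              "Location: " + SAMPLE_DISCOVERY["authorization_endpoint"]
              + "?response_type=code&client_id=kong&scope=openid\r\n\r\n")
```

Run `audit_discovery(SAMPLE_DISCOVERY, "sso.example.test")` against the document your Kong pod actually fetches; any endpoint it lists is one the browser will be sent to but cannot resolve, which is exactly the stuck redirect described above.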