I am looking for a Kong plugin for the Ingress Controller where, for every user request, it will first authenticate against an API endpoint and, if the response is OK, redirect to the actual user request.
We have recently moved from Traefik to Kong and there is a similar feature in Traefik.
Any pointers would be greatly appreciated.
The authentication scheme that the Traefik doc covers doesn’t provide specifics, but it sounds similar to what Open Policy Agent provides.
There are a few community plugins that integrate with OPA:
Thanks for your reply.
In Traefik, we were doing it like below:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ngnpb-ingress
  namespace: ngnpb
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/protocol: h2c
    ingress.kubernetes.io/auth-type: forward
    ingress.kubernetes.io/auth-url: http://mgmt-security.ngnpb.svc.cluster.local:29091/validateToken
    ingress.kubernetes.io/auth-response-headers: Authorization, Role, User
spec:
  rules:
  - http:
      paths:
      - path: /api
        backend:
          serviceName: mgmt-security
          servicePort: 29092
As you can see above, in the annotations we are providing auth-url, so every request to /api will first go to auth-url, and only if the user is authenticated will it redirect to /api.
Hope this is clear now.
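The forward-auth flow described in the post above, as an added example that is not part of the original thread and is neither Traefik's nor Kong's code: a Python model of the decision the proxy makes for each request. The function name `forward_auth`, failing closed with 503, and dropping client-supplied copies of the listed headers are assumptions of this example.

```python
from typing import Dict, Mapping, Optional, Tuple

# Headers copied from the auth response (the auth-response-headers list above).
TRUSTED_HEADERS = ("Authorization", "Role", "User")


def forward_auth(
    client_headers: Mapping[str, str],
    auth_response: Optional[Tuple[int, Mapping[str, str]]],
    trusted: Tuple[str, ...] = TRUSTED_HEADERS,
) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for one request.

    Status 200 means "proxy to the upstream with these request headers".
    Any other status is returned to the client and the upstream is never
    called. auth_response is (status, headers) from the auth URL, or None
    when the call itself failed (timeout, connection refused).
    """
    if auth_response is None:
        # Fail closed: an unreachable auth service must not open the route.
        return 503, {}

    auth_status, auth_headers = auth_response
    if not 200 <= auth_status < 300:
        # Relay the auth service's verdict (401, 403, ...) to the client.
        return auth_status, {}

    trusted_lc = {name.lower() for name in trusted}
    # Drop client-supplied copies of trusted headers so a caller cannot
    # pass its own "Role: admin" through the proxy (assumed hardening).
    upstream = {
        k: v for k, v in client_headers.items() if k.lower() not in trusted_lc
    }
    # Copy only the allow-listed headers from the auth response.
    for k, v in auth_headers.items():
        if k.lower() in trusted_lc:
            upstream[k] = v
    return 200, upstream
```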
Any updates on this?
I’ve been happily using Kong for a long time now and with the recent introduction of Authentik in my cluster, I’d like to leverage forward auth with it, rather than having another proxy to handle this.
Right now I use a Caddy proxy after Kong to handle the forward auth with the implementation described here.
Has anyone been able to develop a plugin to handle this in Kong or has any tips on how this could be implemented with it?