Kong proxy ELB SSL terminate OAuth2 plugin

I have Kong + kong-ingress-controller behind an AWS ELB that has an ACM certificate in AWS.
kong-admin and kong-proxy work quite well with HTTPS, BUT I can't request a token … I always get "access denied" as the response.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: kong-proxy
  namespace: kong
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443,8443"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:xxxxxxxxxxxxx
spec:
  externalTrafficPolicy: Local
  type: LoadBalancer
  ports:
  - name: kong-proxy
    port: 80
    targetPort: 8000
    protocol: TCP
  - name: kong-proxy-ssl
    port: 443
    targetPort: 8000
    protocol: TCP
  selector:
    app: kong
```

```yaml
apiVersion: v1
kind: Service
metadata:
  name: kong-ingress-controller
  namespace: kong
spec:
  type: ClusterIP
  ports:
  - name: kong-admin
    port: 80
    targetPort: 8001
    protocol: TCP
  - name: kong-admin-ssl
    port: 443
    targetPort: 8001
    protocol: TCP
  selector:
    app: ingress-kong
```

My ingress:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kong-ingress-1
  namespace: kong
  annotations:
    ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: "kong"
spec:
  rules:
  - http:
      paths:
      - path: /admin
        backend:
          serviceName: kong-ingress-controller
          servicePort: 443
      - path: /proxy
        backend:
          serviceName: kong-proxy
          servicePort: 443
```

curl for adding OAuth2:

```bash
curl -X POST \
  --url http://dev.cert.scadip.com/admin/services/football-service/plugins/ \
  --data "name=oauth2" \
  --data "config.mandatory_scope=true" \
  --data "config.scopes=read" \
  --data "config.enable_password_grant=true" \
  --data "config.global_credentials=true" \
  --data "config.accept_http_if_already_terminated=true"
```

And I have added trusted IPs too, in both (Kong and the Kong ingress controller):

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kong
  namespace: kong
spec:
  template:
    metadata:
      labels:
        name: kong
        app: kong
    spec:
      containers:
      - name: kong-proxy
        image: kong:1.2
        env:
        - name: KONG_DATABASE
          value: cassandra
        - name: KONG_CASSANDRA_KEYSPACE
          value: kong
        - name: KONG_CASSANDRA_CONTACT_POINTS
          value: cassandra.default.svc.cluster.local
        - name: KONG_PROXY_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_PROXY_ERROR_LOG
          value: "/dev/stderr"
        - name: KONG_ADMIN_LISTEN
          value: 'off'
        - name: KONG_TRUSTED_IPS
          value: 0.0.0.0/0,::/0
        ports:
        - name: proxy
          containerPort: 8000
          protocol: TCP
        - name: proxy-ssl
          containerPort: 8443
          protocol: TCP
        lifecycle:
          preStop:
            exec:
              command: [ "/bin/sh", "-c", "kong quit" ]
```

My request-token curl:

```bash
curl -v -i -X POST \
  --url https://dev.xxxx.com/proxy/apirest/premier/oauth2/token \
  --data "grant_type=password" \
  --data "client_id=fg9mcyewJ15cgxxxxxxxxxx" \
  --data "client_secret=zANetM0xxxxxxxR3ZQDqIC8EvUL" \
  --data "provision_key=hB3eH5MTuneFixxxxxxxxxxq8oG8auR" \
  --data "scope=read" \
  --data "authenticated_userid=myusrid"
```

Any idea why I always get access denied as the response, please?
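The check that `config.accept_http_if_already_terminated` switches on, modelled in Python as an added example (this is not Kong's code, only a model of the documented behaviour): Kong honours `X-Forwarded-Proto` only from a peer listed in `trusted_ips`, so the `KONG_TRUSTED_IPS` value from the Deployment above decides which peers may claim that TLS was already terminated. The peer addresses, the header set and the VPC range are constructed.

```python
import ipaddress
from typing import Dict, Iterable


def _in_trusted(peer_ip: str, trusted_ips: Iterable[str]) -> bool:
    """True if the immediate peer address falls inside one of the trusted CIDRs."""
    addr = ipaddress.ip_address(peer_ip)
    for cidr in trusted_ips:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def effective_scheme(scheme: str, headers: Dict[str, str], peer_ip: str,
                     trusted_ips: Iterable[str]) -> str:
    """Scheme Kong reports for a request: the X-Forwarded-Proto header is used
    only when the peer is trusted; otherwise the on-the-wire scheme wins."""
    if _in_trusted(peer_ip, trusted_ips):
        fwd = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-proto")
        if fwd:
            return fwd.lower()
    return scheme.lower()


def token_endpoint_allowed(scheme: str, headers: Dict[str, str], peer_ip: str,
                           trusted_ips: Iterable[str], accept_terminated: bool) -> bool:
    """OAuth2 token endpoint: HTTPS on the wire, or (flag on) a trusted peer
    that terminated TLS already and says so via X-Forwarded-Proto."""
    if scheme.lower() == "https":
        return True
    if not accept_terminated:
        return False
    return effective_scheme(scheme, headers, peer_ip, trusted_ips) == "https"


# Constructed sample: the ELB terminates TLS with the ACM cert and forwards plain HTTP to 8000.
ELB_HEADERS = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.10"}
ELB_PEER = "10.0.1.25"            # constructed private address of the ELB node
EVERYONE = ["0.0.0.0/0", "::/0"]  # KONG_TRUSTED_IPS as set in the question
VPC_ONLY = ["10.0.0.0/16"]        # constructed narrower alternative


def scenarios() -> Dict[str, bool]:
    return {
        "elb_terminated_flag_on": token_endpoint_allowed("http", ELB_HEADERS, ELB_PEER, EVERYONE, True),
        "elb_terminated_flag_off": token_endpoint_allowed("http", ELB_HEADERS, ELB_PEER, EVERYONE, False),
        # Same header arriving from a peer outside the VPC: trusting 0.0.0.0/0 honours it ...
        "outside_peer_trust_all": token_endpoint_allowed("http", ELB_HEADERS, "198.51.100.7", EVERYONE, True),
        # ... while a trusted_ips list limited to the VPC range does not.
        "outside_peer_vpc_only": token_endpoint_allowed("http", ELB_HEADERS, "198.51.100.7", VPC_ONLY, True),
    }
```

The first two scenarios show why the flag is needed at all when the ELB speaks plain HTTP to port 8000; the last two show why `trusted_ips` should cover only the load balancer's address range rather than `0.0.0.0/0`.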

I solved the problem … I am going to prepare a link with the whole implementation on GitHub as soon as I can, because there are many people with the same problem …