KongIngress Proxy Path Not working

I’m trying to create two KongIngress resources for a single service so that I can specify a different proxy path for a path that requires another form of authentication.

proxy path: /
ingress path: /api/wallet/

proxy path: /openapi
ingress path: /api/wallet/openapi

When I access the url api.foo/api/wallet/openapi I get served from path: / instead of path: /openapi indicating that the kong-wallet-open-ingress KongIngress is not being configured right but I fail to see any misconfigurations with the Ingress definitions

Kong Ingress Controller v 0.3.0
Kong v 1.1.0

Ingress Definitions

I tried this myself and it’s not possible to have one backend service with different proxy path overrides.

When setup by Ingress controller, they will share the same backend configuration.

We had to start using a URL rewrite plugin / rule on the service level to accomodate this.

My scenario is that I’ve got a service that I’d want to use key-auth on the service level and then on a route I want another form of authentication (anonymous in this specific case).

If I move back to only one KongIngress and one Ingress for the service, how can I apply key-auth and acl plugins for only one route?

If I put the plugins annotation on the Ingress resource it will be applied for all routes, but in this case I only want it applied to /api/wallet/openapi and not /api/wallet/

Can I maybe use one KongIngress and multiple Ingress resources to achieve this?

What I would propose is to keep your two ingresses with the one service.

Then on one ingress rewrite the url path to /api/wallet/openapi
On the other rewrite the backend url to /api/wallet

If you use the proxy path, like said, that applies to a backend service, since you only have one backend service you can only rewrite its backend path to either “/api/wallet/openapi” or “/api/wallet” you can’t have it both ways configuring it that way.

You can look at the following plugins to apply to your kong ingress to accomplish this:

Stone payments Kong URL rewrite plugin

Kong request transformer advanced (requires Kong Enterprise)

Pearson URL rewrite plugin (this is not up to date with Kong 1.0.0 though - We are using this with custom modifications at the moment)

There might be other solutions but this is the one I am personally familiar with getting around this particular problem.

Well it seems that the Stone payments URL rewrite plugin deals with absolute paths when rewriting so that when rewriting /api/wallet/openapi/foo to /wallet, /foo is not passed along with the request to the upstream.

Any chance you have the modifications of the Pearsons URL rewrite plugin publicly available ?

The changes made to it are when we migrated from Kong 0.14.x to Kong 1.0 in a “hack it to get it to work” kind of fashion.

These are not changes that are scheduled to be made public in the short term, maybe if I get time alotted to work on it further and submit a pull request, but I could probably tell you that rates very low on the priorty radar right now.

The thing with Pearson’s plugin is they have many other functionality besides rewrite URL like header overwrite, JSON parsing etc. Things we do not use, but would require review in upgrading to Kong 1.0 so for us its not really that useful. You might consider upvoting my thread in their forum to make it compatible with Kong 1.0 out of the box.

If you are interested in the rewrite URL part only you can see the method they have called and use it for inspiration to make a very simple plugin that just calls that method. But that would involve writing your own plugin. Or get Kong Enterprise that is also the alternative.

Please upgrade your ingress controller to 0.4.0 to solve this issue. Thanks!

@hbagdi can you elaborate on how 0.4.0 fixes this issue and is there any change log available for the 0.4.0 version?

The changelog for 0.4.0 is available here.

We did some major changes in 0.4.0 and a lot of such bugs have been squashed in that release.

I tried creating two KongIngress resources with

proxy path: /
ingress path: /api/wallet/

proxy path: /openapi
ingress path: /api/wallet/openapi

But the incoming request to the pod is still “/” but not “/openapi” when accessing foo.bar/api/wallet/openapi

Ingress & KongIngress