Nokia/kong-oidc and Auth0 on Kubernetes help

I set up Kong locally (Docker) with Nokia’s oidc plugin and used Auth0 as the OIDC authority – it worked wonderfully well!

I’ve since moved an identical service into Kubernetes using dist-kubernetes. I exposed the ingress-data-plane via Load Balancer and set an A record for the LB’s IP. The kong service’s route points to a deployment’s ClusterIP service and the host is the A record.

For some reason, Kong is bypassing the OIDC plugin and is routing straight to the deployment without authentication. Any ideas how I’d go about debugging?

How have you installed the plugin? git://kong-dist-kubernetes will always run the latest official Kong image which comes with our bundled plugins but won’t include the Nokia OIDC plugin.

Either make your own Dockerfile that additionally installs Nokia’s plugin, or use https://github.com/Kong/docker-kong/tree/master/customize. You’ll also need to update the kong-dist-kubernetes YAML files to reference your Kong image instead of image: kong

I’ve written a Docker container which adds the plugin onto the latest Kong image. From there I’ve dropped the container into a registry and have adjusted the deployment yaml accordingly.

I’ve also enabled the plugin (verified with Konga) and entered the same application info from my working local system (user access key, secret key, callback url, and discovery url). I don’t believe plugin installation is the problem…

Hey, I am trying to install the nokia/kong-oidc on kong, could you share the Dockerfile you wrote? Thanks.

Hi, you can use this Dockerfile:

FROM kong:1.4.1-alpine

LABEL description="Alpine + Kong 1.4.1 + kong-oidc plugin"

RUN apk update && apk add git unzip luarocks && mkdir /kong-plugins

ADD plugins/* /kong-plugins

RUN luarocks install kong-oidc

Remember to set the env variable KONG_PLUGINS to oidc

You need to set the env var to bundled,oidc to also enable all the plugins bundled with Kong itself.


Thanks, both of you, it worked (and yes, bundled in the env var is important, otherwise it won’t work correctly).

Hey _rubik,

Have you found a solution for your problem? I’ve been running into the same problem. I wrote my own Dockerfile which installs the plugin:

FROM kong:1.4-centos

LABEL description="Centos 7 + Kong 1.4 + kong-oidc plugin"

ENV KONG_DATABASE=off
ENV KONG_DECLARATIVE_CONFIG=/config/kong.yml
ENV KONG_PLUGINS=oidc,cors,prometheus

RUN cp /etc/kong/kong.conf.default /etc/kong/kong.conf
RUN yum install -y git unzip && yum clean all

RUN luarocks install kong-oidc

Everything seems to work great locally. Kong added my routes, plugins, services with my self-declared kong.yml, and each request gets checked by Kong for a valid token.

Unfortunately it ignores the authorization and routes the request to the upstream service when deployed on OpenShift (Container Platform).

My guess is that my kong container did not enable the declared plugins (oidc, cors, prometheus).

Any help is appreciated!
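One way to narrow down the bypass described in this thread, as an added example that is not part of any post: it takes the JSON returned by the Kong Admin API root (`GET /`) and by `GET /plugins` and reports whether the plugin is loaded on the node and whether an enabled instance covers the route and service that actually serve the request. The sample responses are constructed and trimmed, and the route and service ids are hypothetical.

```python
import json

# Constructed samples, trimmed to the fields used below.
# Shapes follow the Admin API "GET /" (node info) and "GET /plugins" responses.
NODE_INFO = json.loads("""
{"plugins": {"available_on_server": {"cors": true, "prometheus": true, "oidc": true},
             "enabled_in_cluster": ["oidc", "cors"]}}
""")
PLUGIN_LIST = json.loads("""
{"data": [
  {"name": "oidc", "enabled": true, "route": {"id": "route-old"}, "service": null},
  {"name": "cors", "enabled": true, "route": null, "service": null}
]}
""")


def _ref(entity):
    """Return the id of a route/service reference, or None when not scoped."""
    return entity["id"] if entity else None


def diagnose(node_info, plugin_list, name, route_id, service_id):
    """Return a reason code for why plugin `name` would not run on a request
    matched to route_id/service_id, or "OK" if an enabled instance applies.
    Consumer-scoped instances are not considered here."""
    if name not in node_info["plugins"]["available_on_server"]:
        return "NOT_LOADED"       # image or KONG_PLUGINS lacks the plugin
    instances = [p for p in plugin_list["data"] if p["name"] == name]
    if not instances:
        return "NO_INSTANCE"      # loaded on the node, but never configured
    in_scope = [p for p in instances
                if _ref(p.get("route")) in (None, route_id)
                and _ref(p.get("service")) in (None, service_id)]
    if not in_scope:
        return "NOT_IN_SCOPE"     # attached to a different route or service
    if not any(p.get("enabled", True) for p in in_scope):
        return "DISABLED"         # instance exists but is switched off
    return "OK"


if __name__ == "__main__":
    # Hypothetical ids of the route and service behind the exposed host.
    print(diagnose(NODE_INFO, PLUGIN_LIST, "oidc", "route-new", "svc-app"))
```

To run it against a live node, replace the two constructed samples with the JSON saved from those two Admin API endpoints.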