I set up Kong locally (Docker) with Nokia’s oidc plugin and used Auth0 as the OIDC authority – it worked wonderfully well!
I’ve since moved an identical service into Kubernetes using dist-kubernetes. I exposed the ingress-data-plane via Load Balancer and set an A record for the LB’s IP. The kong service’s route points to a deployment’s ClusterIP service and the host is the A record.
For some reason, Kong is bypassing the OIDC plugin and is routing straight to the deployment without authentication. Any ideas how I’d go about debugging?
How have you installed the plugin? git://kong-dist-kubernetes will always run the latest official Kong image which comes with our bundled plugins but won’t include the Nokia OIDC plugin.
Either make your own Dockerfile that additionally installs Nokia’s plugin, or use https://github.com/Kong/docker-kong/tree/master/customize. You’ll also need to update the kong-dist-kubernetes YAML files to reference your Kong image instead of `image: kong`.
I’ve written a Docker container which adds the plugin onto the latest Kong image. From there I’ve dropped the container into a registry and have adjusted the deployment yaml accordingly.
I’ve also enabled the plugin (verified with Konga) and entered the same application info from my working local system (user access key, secret key, callback url, and discovery url). I don’t believe plugin installation is the problem…
Have you found a solution for your problem? I’ve been running into the same problem. I wrote my own Dockerfile which installs the plugin:
# Base image: official Kong 1.4 on CentOS 7
FROM kong:1.4-centos
LABEL description="Centos 7 + Kong 1.4 + kong-oidc plugin"
# DB-less mode: routes, services and plugins come from the declarative file below
ENV KONG_DATABASE=off
ENV KONG_DECLARATIVE_CONFIG=/config/kong.yml
# Plugins this node is allowed to load (only these three, not the bundled set)
ENV KONG_PLUGINS=oidc,cors,prometheus
RUN cp /etc/kong/kong.conf.default /etc/kong/kong.conf
# git and unzip are needed by luarocks to fetch and unpack the rock
RUN yum install -y git unzip && yum clean all
RUN luarocks install kong-oidc
Everything seems to work great locally. Kong added my routes, plugins, services with my self declared kong.yml and each request gets checked by kong for a valid token.
Unfortunately it ignores the authorization and routes the request to the upstream service when deployed on OpenShift (Container Platform).
My guess is that my kong container did not enable the declared plugins (oidc, cors, prometheus).
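Both the original question ("how would I go about debugging?") and the guess above come down to the same check: is the plugin actually loaded by the node that serves the route, and is an enabled plugin object attached to that route? If the answer to either is no, Kong does not fail closed; the route simply proxies unauthenticated. The following is an added diagnostic, not code from the thread or from Kong, that performs that check on the JSON bodies returned by the Admin API (`GET /` for node info and `GET /plugins` for the plugin list). The sample responses embedded in it are constructed to mirror the situation described in the thread (a local image with oidc loaded versus a stock image without it); the service and plugin ids are made up.

```python
"""Diagnose why a Kong plugin (e.g. kong-oidc) is not enforced on a route.

Inputs are the parsed JSON bodies of two Kong 1.x Admin API calls:
  GET http://<admin-host>:8001/         -> node_info   (its "plugins" block)
  GET http://<admin-host>:8001/plugins  -> plugin_list (its "data" array)
Both calls also work in DB-less mode, where the Admin API is read-only.
"""
from typing import Optional


def _scope_id(ref) -> Optional[str]:
    """Plugin scope fields are {"id": "..."} when set, or null when unscoped."""
    return ref.get("id") if isinstance(ref, dict) else None


def diagnose(node_info: dict, plugin_list: dict, plugin_name: str,
             service_id: Optional[str] = None,
             route_id: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means the plugin should run on the route."""
    findings = []

    # 1. Is the plugin loaded on this node at all? A stock image (as used by
    #    kong-dist-kubernetes) does not carry third-party plugins, and a plugin
    #    that is absent or missing from KONG_PLUGINS is never executed.
    available = node_info.get("plugins", {}).get("available_on_server", {})
    if not available.get(plugin_name):
        findings.append(f"'{plugin_name}' is not loaded on this node "
                        "(missing from the image or from KONG_PLUGINS)")

    # 2. Does a plugin object with that name exist in this node's configuration?
    entries = [p for p in plugin_list.get("data", []) if p.get("name") == plugin_name]
    if not entries:
        findings.append(f"no '{plugin_name}' plugin object exists in this node's config")
        return findings

    # 3. Does at least one *enabled* entry apply to the route under test, either
    #    globally (no service and no route) or via a matching service/route id?
    applies = False
    for p in entries:
        pid = p.get("id", "?")
        if not p.get("enabled", True):
            findings.append(f"'{plugin_name}' plugin {pid} is disabled (enabled=false)")
            continue
        svc, rt = _scope_id(p.get("service")), _scope_id(p.get("route"))
        is_global = svc is None and rt is None
        if is_global or (service_id and svc == service_id) or (route_id and rt == route_id):
            applies = True
        else:
            findings.append(f"'{plugin_name}' plugin {pid} is scoped to service={svc} "
                            f"route={rt}, not to the route being tested")
    if not applies:
        findings.append(f"no enabled '{plugin_name}' plugin applies to "
                        f"service={service_id} route={route_id}")
    return findings


# Constructed sample responses (assumed shapes of Kong 1.x Admin API output,
# not captured from the deployments discussed in the thread).
LOCAL_NODE = {"plugins": {"available_on_server": {"oidc": True, "cors": True,
                                                  "prometheus": True}}}
STOCK_NODE = {"plugins": {"available_on_server": {"cors": True, "prometheus": True,
                                                  "key-auth": True}}}
PLUGINS = {"data": [{"id": "plugin-1", "name": "oidc", "enabled": True,
                     "service": {"id": "svc-1"}, "route": None, "consumer": None}]}


def run_demo() -> dict:
    """Compare the working local node with a node running the stock image."""
    return {"local": diagnose(LOCAL_NODE, PLUGINS, "oidc", service_id="svc-1"),
            "stock": diagnose(STOCK_NODE, PLUGINS, "oidc", service_id="svc-1")}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or ['OK: plugin loaded and attached']}")
```

Run it against a live node by feeding `json.loads()` of the two `curl` responses into `diagnose()`, with the id of the service or route that is being reached without a token. An empty result means the node believes the plugin is active, so the next place to look is the plugin's own log lines; any finding means the request never reached the plugin in the first place.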