OpenId connect problem (no redirection to Identity Provider

jondow · June 21, 2020, 12:46pm

Hi,
I have installed Kong Enterprise k8s and Kong Ingress Controller successfully with the manifests from

Kong/kubernetes-ingress-controller/blob/master/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: kong
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: kongclusterplugins.configuration.konghq.com
spec:
  additionalPrinterColumns:
  - JSONPath: .plugin
    description: Name of the plugin
    name: Plugin-Type
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: Age
    name: Age
    type: date
  - JSONPath: .disabled

This file has been truncated. show original

I was following the OpenId Connect guide from https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-oidc-plugin.md to test the OpenId connect plugin with Google as an IdP.
However, it looks like the OpenId-Connect plugin. does not redirect the request to Google for Authentication. Hereafter is the Kong Deployment manifest that I am using.
Can you please tell me what could be the issue:
kong_deployment.yaml manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ingress-kong
name: ingress-kong
namespace: kong
spec:
replicas: 1
selector:
matchLabels:
app: ingress-kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
prometheus.io/port: “8100”
prometheus.io/scrape: “true”
traffic.sidecar.istio.io/includeInboundPorts: “”
labels:
app: ingress-kong
spec:
containers:
- env:
- name: KONG_LICENSE_DATA
valueFrom:
secretKeyRef:
key: license
name: kong-enterprise-license
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 ssl
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100
- name: KONG_DATABASE
value: “off”
- name: KONG_NGINX_WORKER_PROCESSES
value: “1”
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PLUGINS
value: “oidc”
#image: kong-docker-kong-enterprise-k8s.bintray.io/kong-enterprise-k8s:2.0.4.1-alpine
image: jondow/kong-enterprise-k8s:2.0.4.1-alpine
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- kong quit
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8100
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-ssl
protocol: TCP
- containerPort: 8100
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status
port: 8100
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
securityContext:
runAsUser: 1000
- env:
- name: CONTROLLER_KONG_ADMIN_URL
value: https://127.0.0.1:8444
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: “true”
- name: CONTROLLER_PUBLISH_SERVICE
value: kong/kong-proxy
- name: CONTROLLER_WATCH_NAMESPACE
value: kong
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller:0.9.1
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
imagePullSecrets:
- name: regcred
serviceAccountName: kong-kong

Thanks
Jon

traines · June 23, 2020, 6:20pm

Hi, it looks like you’re using Kong Enterprise, have you submitted a ticket for this issue? This forum is generally more for supporting non-Enterprise deployments.

In general, at a baseline, you’ll want to check the controller container logs (e.g. kubectl logs KONG_POD_NAME -c ingress-controller) to see if it’s unable to apply your configuration for some reason, and if not, check the admin API (GET /routes to find the route matching your Ingress and then GET /routes/ROUTE_NAME/plugins to see if the OIDC configuration is present).

Furthermore, when you say the redirect doesn’t occur, are you then allowed upstream (i.e. you get a 200 response) or are you then blocked by the plugin (you should receive a 403 or 401)?

jondow · June 25, 2020, 6:22am

Hi Travis,
Yes, I am using Kong Enterprise K8S. I was able to solve the issue. The Kong Enterprise K8S is different from the open source version as it requires Ingress Resource patch. So, there was an issue in my Ingress Resource. Anyway, now the OpenID Connect plugin works and we are going ahead with the Kong API Gateway in our company.
I will wait for the official version of Kong Enterprise K8S not relying on ClusterRoles and ClusterRoleBindings. For now, we will use the fork of the Kong Ingress Controller 0.9.1 that I have created thanks to your help.

Your support is amazing and this gives us more confidence to use Kong as an API Gateway in our organization.

Thank you
Regards
Jon

Topic		Replies	Views
OpenID Connect Plugin Okta Integration Issue Kubernetes	4	1453	June 29, 2020
Kong Ingress Controller & KeyCloak	12	4296	February 12, 2020
Kong bypassing kong-oidc plugin Questions	3	1711	December 11, 2019
OAuth Plugin Not Working - Kubernetes Ingress Kubernetes	3	783	October 12, 2021
Oauth2 proxy - Reverse proxy to provide authentication with OIDC Questions	1	1281	October 12, 2021

OpenId connect problem (no redirection to Identity Provider

Related Topics