I have an issue with the scoping of consumers/credentials while trying to establish the following scenario:
- We’re exposing kubeless functions (I’ll just call those endpoints from now on) via the kong-ingress-controller
- Endpoints may require no auth, basic-auth or key-auth
- The users/tokens allowed to access vary by endpoint
I tried the following approach to do this:
- Create consumers and credentials and link each credential to a consumer via consumerRef
- Create a key-auth KongPlugin for each consumer and link the consumer via consumerRef
- Add a comma-separated list of the created plugins as the value of the “plugins.konghq.com” annotation of the ingress for this endpoint
This works partially: The authentication is enforced and wrong credentials are rejected while valid credentials get access to the endpoint’s response. HOWEVER, the credentials are not scoped to the consumers linked to the plugins linked to the ingress, but ANY credentials of type “key-auth” in this namespace are considered valid.
I understand that having multiple auth-plugins on one endpoint could cause issues, but this also applies to the case where I only have one plugin linked to one consumer with one linked credential. All other unlinked credentials are still considered valid.
Is this expected? Is this a bug? Is there a better way to do this, apart from creating a namespace per endpoint?