Kong / charts

Helm chart for Kong
Apache License 2.0

Unable to login to Kong Manager with DB-less Kubernetes deployment #1044

Closed cnukwas closed 6 months ago

cnukwas commented 6 months ago

Tried with most of the default configuration, with DB-less and without the Ingress Controller component. The pod comes up fine, but when I log in to the Kong Manager UI with the kong-admin password that's set in the secret, I get a "Username/Password is invalid" error. Any clues on what we're missing here, or is this a known limitation of the DB-less approach?

I could see that the `curl http://localhost:8001` and `http://localhost:8001/routes` calls are successful when run from the same or a different pod.

Applied the Helm chart with the values.yaml below after creating the necessary secrets and configmaps.

Secrets: kong-session-config, kong-ee-pass, and kong-enterprise-license

kong-session-config secret data:

admin_gui_session_conf

```json
{"cookie_name":"admin_session","cookie_samesite":"off","secret":"dummy-dfsdfsgdsfsdg","cookie_secure":true,"storage":"cookie"}
```

portal_session_conf

```json
{"cookie_name":"portal_session","cookie_samesite":"off","secret":"portal-dummy-dfsdfsgdsfsdg","cookie_secure":true,"storage":"cookie"}
```

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: kong-ee-pass
  namespace: kong-ns
data:
  password: dummy_pass_1
type: Opaque
```

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: kong-dbless-config
  namespace: kong-ns
data:
  kong.yml: |-
    _format_version: "3.0"
    _transform: true
    services:
    - name: my-service
      url: https://example.com
```

```yaml
# Basic values.yaml for Kong for Kubernetes with Kong Enterprise (DB-less)
# Several settings (search for the string "CHANGEME") require user-provided
# Secrets. These Secrets must be created before installation.

image:
  repository: kong/kong-gateway
  tag: "3.5"

enterprise:
  enabled: true
  # See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
  license_secret: kong-enterprise-license
  vitals:
    enabled: false
  portal:
    enabled: false
  rbac:
    enabled: true
    admin_gui_auth: basic-auth
manager:
  enabled: true

portal:
  enabled: false

portalapi:
  enabled: false

env:
  database: "off"
  admin_listen: "0.0.0.0:8001, 0.0.0.0:8444 ssl"
  password:
    valueFrom:
      secretKeyRef:
        name: kong-ee-pass
        key: password

admin:
  enabled: true
  http:
    enabled: true
    servicePort: 8001
    containerPort: 8001

ingressController:
  enabled: false

proxy:
  # Enable creating a Kubernetes service for the proxy
  enabled: true
  type: NodePort
dblessConfig:
  # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
  configMap: kong-dbless-config
```

rainest commented 6 months ago

As far as I know there is no support for RBAC (and by extension, Manager authentication) in DB-less mode. If you want additional authentication options in DB-less mode, you'll want to file a support ticket with a feature request for it.

Setting env.password does not define the super admin password per se. It's not a typical kong.conf setting like most env settings, but instead directs initial database migrations to create a super admin with that password.

I'm checking around to see why we don't actually disallow enabling RBAC when using DB-less mode. I'm not sure why the documentation for RBAC doesn't mention anything about it one way or the other either.

Note that if you do switch to using a database, you'll need to delete and re-create the Helm release, as the initial install is the only time it runs initial migrations. Once you've done so, you can remove the env.password setting. It has no effect after initial migrations; all admin management is handled via the database and admin API after.

I'll reopen this if I find further information of interest, but don't expect I will.
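
A pre-install check based on the maintainer's reply above, as an added example that is not part of the original thread or of the Kong chart: it flags values that depend on a database while `env.database` is off. The function names and the sample dictionaries (constructed from the values posted in the issue) are assumptions for illustration.

```python
"""Flag Kong chart values that need a database but are set alongside DB-less mode."""

def _get(values, path, default=None):
    """Walk a dotted path through nested dicts (already-parsed values.yaml)."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def is_dbless(values):
    # YAML 1.1 parsers read an unquoted `off` as boolean False, so accept both forms.
    db = _get(values, "env.database")
    return db is False or (isinstance(db, str) and db.strip().lower() == "off")

def check_dbless_values(values):
    """Return (path, reason) findings; an empty list means no conflict was found."""
    if not is_dbless(values):
        return []
    findings = []
    if _get(values, "enterprise.rbac.enabled") is True:
        findings.append(("enterprise.rbac.enabled",
                         "per the maintainer's reply, RBAC (and Manager login) is not supported in DB-less mode"))
    if _get(values, "enterprise.rbac.admin_gui_auth"):
        findings.append(("enterprise.rbac.admin_gui_auth",
                         "Manager authentication depends on RBAC, which DB-less mode lacks"))
    if _get(values, "env.password") is not None:
        findings.append(("env.password",
                         "only read by initial database migrations to create the super admin"))
    return findings

# Constructed sample: the relevant keys from the values.yaml posted in the issue.
ISSUE_VALUES = {
    "enterprise": {"enabled": True,
                   "rbac": {"enabled": True, "admin_gui_auth": "basic-auth"}},
    "env": {"database": "off",
            "password": {"valueFrom": {"secretKeyRef": {"name": "kong-ee-pass",
                                                         "key": "password"}}}},
}
# Constructed sample: the same settings with a database-backed install.
DB_VALUES = {"enterprise": ISSUE_VALUES["enterprise"],
             "env": dict(ISSUE_VALUES["env"], database="postgres")}

if __name__ == "__main__":
    for path, reason in check_dbless_values(ISSUE_VALUES):
        print(f"{path}: {reason}")
```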