Closed bstaylor12 closed 6 months ago
KONG_PASSWORD
(aka env.password
in the chart is only honored during initial migrations, not after. If you've already initialized your database, you'll need to either destroy it and perform a fresh install with the variable set (if you're using the ingress controller, it will restore most other configuration, but not any workspace, Portal, or RBAC configuration) or create an admin from the API before enabling RBAC.
Good Morning,
This issue should not be closed. I followed this guide the Kong Gateway installation guide here: https://docs.konghq.com/gateway/3.6.x/install/kubernetes/proxy/
I tried setting the password in the .env section of the values-cp.yaml with the following variations: password kong_password PASSWORD
The password has been set the same as the database password during initial deployment under the .env "password" variable. When attempting to login through the manager portal with the kong_admin user and password, received an "invalid user/password" error. We are not using the ingress controller, but instead are using our own nginx controller within our kubernetes cluster.
I attempted the following:
Attempted to add a new user and password to the public.admins table. Result: Did not receive a successful login when trying to use it at the Kong Manager portal.
Attempted to update the basicauth_credentials table by modifying the password of the “kong_admin user, as it is referenced in the following link: https://support.konghq.com/support/s/article/How-to-change-Kong-manager-password-from-database Result: Received an “UPDATE 0” message instead of an “UPDATE 1” message
Tried to deactivate the following variables in the values-cp.yaml file:
enforce_rbac
admin_gui_session_conf
admin_gui_auth Result: Accessed the Kong Manager portal without authenticating. Not able to create a user under the admins or teams tab due to limited access within the portal.
Entered the shell of the Kong docker containers. Located the .kong.env and kong.conf.default files, which listed variables for the deployment. Discovered no variables of an admin username or password being set nor how to set the variables.
Can someone please provide feedback? My initial post was created 5 days ago, and I am just now getting a response. Along with the ticket being closed without me providing a response.
My initial post was created 5 days ago, and I am just now getting a response.
Can you create a support ticket? We don't generally use GitHub issues as a support channel and they're not monitored as frequently as https://support.konghq.com/support/s/. We can provide an initial response here for simpler issues, but if it's something more complex than the basic gotcha around needing to set the password during the initial install, a support ticket will be a better option.
While we do accept bug reports through them, they're specific to the individual repo rather than the product suite as a whole. The team that monitors this repo works primarily with the chart and other Kubernetes tooling, and is less familiar with Kong Manager and the RBAC/Admin system.
In a local test environment, I can confirm at least that the chart component of setting the environment variable (it is set there, i.e. in the container output of env
, not anything on the filesystem), that this creates the initial super admin during installation, and that I can log in after enabling RBAC. I used https://gist.github.com/rainest/fe85796e6f37e11c7a2c969dc3750d00 as a simplified localhost-only configuration (via port-forwards to the admin API and Manager) that mostly avoids CORS/session issues to check user creation only.
Logging in may still fail even with the user in place due to other reasons, however, and may incorrectly report other problems as being unable to find the requested user. Manager needs to be able to talk to the admin API to authenticate, and configuration of the surrounding environment may break that. You likely need to adjust either your CORS headers or session configuration to allow the login system to work properly: the chart attempts to configure some of those automatically, but if you're using your own ingress controller and configurations, the chart's assumptions about how to configure those are likely incorrect.
@rainest Good Morning,
I am not able to access that support page. It seems you have to have a login to be able to access that page and there is no way to create a login on that page.
I reviewed the Kong CORs documentation. I have those suggested values listed on this page set already: https://docs.konghq.com/gateway/latest/install/kubernetes/manager/
env:
admin_gui_url: http://manager-kong.example.com/ admin_gui_api_url: http://admin-kong.example.com/ admin_gui_session_conf: ‘{“secret”:”secret”,”storage”:”kong”}’ admin_gui_auth_auth: “basic-auth”
enterprise: rbac: enabled: true admin_gui_auth: “basic-auth”
The current setup is following the second option under the quick guide section on this page, where the Kong Manager and Admin API are served under two different hostnames with a shared suffix: https://docs.konghq.com/gateway/latest/production/networking/dns-considerations/#quick-guide
When I attempt to access the Manager Portal from the browser, in the developer Console tool, I see the following errors:
“Mixed Content: The page at ‘
I attempted to modify the URLS to reflect “https”:
env:
admin_gui_url: https://manager-kong.example.com/ admin_gui_api_url: https://admin-kong.example.com/
The Network tool is showing the following:
“auth?session_logout=true
Referrer policy: strict-origin-when-cross-origin Access-Control-Request-Method: Delete”
I attempted to look up the “strict-origin-when-cross-origin”, and I came across this page in Kong in reference to CORS limitations: https://docs.konghq.com/hub/kong-inc/cors/
I am not sure if the following variables should be set in addition to the ones I already have set: • proxy_listen • admin_listen • stream_listen
I am now getting the following errors when attempting to login to the manager portal:
Cross-Origin Request Blocked: The same origin policy disallows reading the remote resource at https://admin-kong.example.com Reason: CORS request did not succeed. Status code: (null)
Do you have an Enterprise contract/license? Your support account should have been set up as part of issuing that, though it may have been given to someone else in your organization; check with your account manager if you're unsure.
If you do not, as far as I know you cannot use RBAC--I don't believe there's been any change to the free mode feature set to include RBAC. We arguably shouldn't let you enable that if a license isn't available, but apparently do.
If you don't currently have a contract and want RBAC you'd either need to contact sales regarding an on-premise contract or use our SaaS self-service billing option for a hosted management platform.
In general, hosting the manager and admin API on the same hostname is the simplest option, as it doesn't require CORS. If they are cross-origin, admin_gui_url
should provide the admin API with the appropriate CORS headers (though it does need to be a full URL and include the https://
scheme). If you're getting no response for those requests you may have NGINX not configured to relay them correctly. This applies to Manager use in general and not just RBAC, but again, RBAC won't actually be available without a license.
@rainest I do have a enterprise license. We were able to login finally, but was receiving an "not secure-certificate" message. I set the following:
env: role: control_plane admin_access_log: /dev/stdout admin_error_log: /dev/stderr proxy_error_log: /dev/stderr proxy_access_log: /dev/stdout cors_enabled: "true" cors_headers: "Content-Type, Authorization, X-Requested-With, Access-Control-Allow-Origin, Origin" cors_origins: "*" cors_methods: "GET, POST, PUT" cors_max_age: "86400" cors_credentials: "true"
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key ssl_cert: /etc/secrets/kong-cluster-cert/tls.crt ssl_cert_key: /etc/secrets/kong-cluster-cert/tls.key admin_ssl_cert: /etc/secrets/kong-cluster-cert/tls.crt admin_ssl_cert_key: /etc/secrets/kong-cluster-cert/tls.key admin_gui_ssl-cert_cert: /etc/secrets/kong-cluster-cert/tls.crt admin_gui_ssl-cert_key: /etc/secrets/kong-cluster-cert/tls.key
However, I am getting this error now: Access to XMLHttpRequest at https://admin-kong.example.com/auth from origin 'https://manager-kong' has been blocked by CORS policy: No "Access-Control-Allow-Origin" header is present on the requested resource.
If the setting I have above for header does not work, what needs to be set?
Can you please tell me how to set the cors variable to remove the error: CORS policy: No "Access-Control-Allow-Origin" header
@rainest Good morning,
Can you please write back? I have tried changing the admin and manager url to be the same as you suggested, but I am running into an issue error where the "e.data.admin is undefined". When I set it back to how I originally set it, I get the "the same origin policy disallows reading the remove resource at https://admin-kong.example.com. Reason: CORs header 'Access-Control-Allow-Origin' missing.
Again, if you have an enterprise license and support contract, please, use the designated support channels. If you do not have access to them, contact your account manager. There's no indication of a bug here and we will not continue here further.
Good Evening,
I have given your suggestions a try, but it did not work. I'm not sure why you will not provide more guidance when this is a community page. This appears to be a common issue. I've come across several posts that are similar to the issue I am experiencing, but there is no clear solution. Just vague suggestions.
Thanks
How do I can I ensure I am setting the manager password when deploying kong with the helm chart? I was following the kong gateway installation page, and I have the manager password set in the env variables as mentioned in the guide. However, when I attempt to access the manager ui, I am not able to log in with the admin_user and password. Please help.