Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

Kong Manager fails to work due to Admin API CORS protection #13339

Closed xiaopanggege closed 4 months ago

xiaopanggege commented 4 months ago

Is there an existing issue for this?

Kong version ($ kong version)

3.7

Current Behavior

I installed it following the official Docker method:

docker run -d --name kong-gateway \
--network=kong-net \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-database" \
-e "KONG_PG_USER=kong" \
-e "KONG_PG_PASSWORD=kongpass" \
-e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
-e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
-e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
-e "KONG_ADMIN_GUI_URL=http://localhost:8002" \
-e KONG_LICENSE_DATA \
-p 8000:8000 \
-p 8443:8443 \
-p 8001:8001 \
-p 8444:8444 \
-p 8002:8002 \
-p 8445:8445 \
-p 8003:8003 \
-p 8004:8004 \
kong/kong-gateway:3.7.1.1

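There were no errors and it started successfully, but there is a problem with Kong Manager that prevents me from doing anything. This happens when I access http://10.97.2.100:8002/workspaces from another PC.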

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response

hanshuebner commented 4 months ago

Hello @xiaopanggege,

you are running the Enterprise version of Kong Gateway. Please head to the Kong Enterprise Support page to get support for the commercial offering.

Kind regards, Hans

xiaopanggege commented 4 months ago

@hanshuebner I installed the OSS version and it has the problem too. To enable Kong Manager:

docker exec -i kong-gateway /bin/sh -c "export KONG_ADMIN_GUI_PATH='/'; export KONG_ADMIN_GUI_URL='http://0.0.0.0:8002/manager'; kong reload; exit"

This is the install command I used for the open-source version:

docker run --rm --network=kong-net \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-database" \
-e "KONG_PG_PASSWORD=kongpass" \
kong:3.7.0 kong migrations bootstrap

docker run -d --name kong-gateway \
--network=kong-net \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-database" \
-e "KONG_PG_USER=kong" \
-e "KONG_PG_PASSWORD=kongpass" \
-e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
-e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
-e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
-e "KONG_ADMIN_GUI_URL=http://0.0.0.08002" \
-p 8000:8000 \
-p 8443:8443 \
-p 0.0.0.0:8001:8001 \
-p 0.0.0.0:8002:8002 \
-p 0.0.0.0:8444:8444 \
kong:3.7.0

hanshuebner commented 4 months ago

Your problem is that you've got KONG_ADMIN_GUI_URL incorrectly set, causing Kong Manager's Admin API requests to be rejected due to CORS protection. In your setup, you want to set KONG_ADMIN_GUI_URL=http://10.97.2.100.

hanshuebner commented 4 months ago

@sumimakito This really is - I'd say - a bug in Kong Manager, which fails to produce a useful error message if it cannot communicate with the backend due to CORS misconfiguration. I would suggest trapping CORS errors and displaying a helpful message, which probably should also mention ADMIN_GUI_URL and/or a pointer to the relevant documentation.

xiaopanggege commented 4 months ago

@hanshuebner Thank you very much, that's why I mistakenly thought 0.0.0.0 could be used externally

sumimakito commented 4 months ago

Thanks @xiaopanggege for reporting this issue.

@hanshuebner Thanks for your help. It's true that it would be better if we could show messages/warnings to users to allow them to find out which configuration is causing the issue. Moreover, we should improve the documentation for setting up Kong Manager.

I've created two tickets KM-293 and KM-294 to track this.

ramuyk commented 4 months ago

I've installed kong (not the enterprise) on Ubuntu 24.04 without docker and I'm facing a similar issue...

After modifying the /etc/kong/kong.conf file and restarting kong I'm still facing the CORS issue

Is the kong manager only available for the enterprise version?

hanshuebner commented 4 months ago

@ramuyk Kong Manager is available for the open source and enterprise versions of Kong Gateway, although the two versions have different feature sets. The source code for the open source version is hosted on GitHub as well.

I have just verified that the open source version works in a locally deployed version of Kong Gateway. Are you sure that you have restarted the Gateway and that the configuration file is correctly picked up?

ramuyk commented 4 months ago

I've installed kong from the package manager following the documentation page (https://docs.konghq.com/gateway/latest/install/linux/ubuntu/). It says we can install kong with this script https://get.konghq.com/install on Ubuntu.

Actually, the script provided in the documentation fails on Ubuntu 24.04 due to its outdated GPG key handling approach.

However, I've fixed this issue by substituting the lines

echo "deb [trusted=yes] https://download.konghq.com/gateway-3.x-ubuntu-$(lsb_release -sc)/ \
default all" | sudo tee /etc/apt/sources.list.d/kong.list > /dev/null

to

curl -1sLf "https://packages.konghq.com/public/gateway-37/gpg.C05D9BEAEB9E8E18.key" | gpg --dearmor | sudo tee /usr/share/keyrings/kong-gateway-37-archive-keyring.gpg > /dev/null
curl -1sLf "https://packages.konghq.com/public/gateway-37/config.deb.txt?distro=ubuntu&codename=jammy" | sudo tee /etc/apt/sources.list.d/kong-gateway-37.list > /dev/null

And changed the variable KONG_PACKAGE_NAME to kong instead of enterprise... Kong gets up and running if I do it. Even though other changes in my kong.conf seem to be working fine, this admin_gui_url doesn't seem to control the CORS. Am I missing any other configuration?

zailaib commented 2 months ago

> @hanshuebner Thank you very much, that's why I mistakenly thought 0.0.0.0 could be used externally

May I ask how this was finally solved?

xiaopanggege commented 2 months ago

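@zailaib Change it to the server's real IP, 10.97.2.100, then open http://10.97.2.100:8002 in the browser. In other words, configure whatever address your browser is going to access; using a domain name should work too.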

zailaib commented 2 months ago

> @zailaib Change it to the server's real IP, 10.97.2.100, then open http://10.97.2.100:8002 in the browser. In other words, configure whatever address your browser is going to access; using a domain name should work too.

Yes, I used your method and it works now 🙏

docker run -d --name kong-gateway \
--network="host" \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=127.0.0.1" \
-e "KONG_PG_USER=kong" \
-e "KONG_PG_PASSWORD=kongpass" \
-e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
-e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
-e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
-e "KONG_ADMIN_GUI_URL=http://10.10.60.47:8002" \
-p 8000:8000 \
-p 8443:8443 \
-p 0.0.0.0:8001:8001 \
-p 0.0.0.0:8002:8002 \
-p 0.0.0.0:8444:8444 \
kong:3.7.1
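
The fix this thread arrives at is that KONG_ADMIN_GUI_URL has to match the origin the browser actually uses. The check below is an added example (not part of the thread and not Kong's code) that compares the two the way a browser compares origins; it assumes the Admin API allows only the origin derived from that setting, and the function names are hypothetical.

```javascript
// Added example. Addresses are the ones quoted in the thread.
// Assumption: the Admin API allows exactly one origin, derived from admin_gui_url.

// Serialize a URL to the origin a browser sends in the Origin header:
// scheme://host[:port], lower-cased host, default port dropped, no path.
function originOf(url) {
  const u = new URL(url); // throws TypeError on malformed input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new TypeError(`not an http(s) URL: ${url}`);
  }
  return u.origin;
}

// Compare the configured admin_gui_url with the URL typed into the browser.
function checkAdminGuiUrl(adminGuiUrl, browserUrl) {
  const pageOrigin = originOf(browserUrl);
  let allowedOrigin;
  try {
    allowedOrigin = originOf(adminGuiUrl);
  } catch (err) {
    return { ok: false, pageOrigin, allowedOrigin: null,
             reason: `admin_gui_url does not parse as a URL: ${adminGuiUrl}` };
  }
  if (allowedOrigin === pageOrigin) {
    return { ok: true, pageOrigin, allowedOrigin, reason: 'origins match' };
  }
  const host = new URL(adminGuiUrl).hostname;
  const reason = (host === '0.0.0.0' || host === '[::]')
    ? `${host} is a bind address, not the host the browser connected to`
    : `browser sends Origin ${pageOrigin}, Admin API allows ${allowedOrigin}`;
  return { ok: false, pageOrigin, allowedOrigin, reason };
}

// The thread's configurations, checked against the URL the reporter opened.
const BROWSER_URL = 'http://10.97.2.100:8002/workspaces';
for (const cfg of ['http://localhost:8002', 'http://0.0.0.0:8002/manager',
                   'http://0.0.0.08002', 'http://10.97.2.100:8002']) {
  const r = checkAdminGuiUrl(cfg, BROWSER_URL);
  console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${cfg} -> ${r.reason}`);
}
```

Only the last value passes: scheme, host and port all have to match, while the path (`/workspaces`, `/manager`) plays no part in the comparison.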