Kong / kubernetes-ingress-controller

:gorilla: Kong for Kubernetes: The official Ingress Controller for Kubernetes.
https://docs.konghq.com/kubernetes-ingress-controller/
Apache License 2.0

kubernetes ingress controller basic auth #607

Closed MarsForever closed 4 years ago

MarsForever commented 4 years ago

NOTE: GitHub issues are reserved for bug reports only. For anything else, please join the conversation in Kong Nation https://discuss.konghq.com/c/kubernetes.


Summary

In Kong ingress controller version 0.7 or 0.8, how do I create a basic auth Kong plugin and keep the API key in effect? I know basic auth is deprecated. https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/references/custom-resources.md#kongcredential-deprecated

Here is the template I used: https://discuss.konghq.com/t/basic-auth-plugin-credentials-not-working-invalid-authentication-credentials/4958 https://github.com/Kong/kubernetes-ingress-controller/issues/234#issue-407475677

Kong Ingress controller version 0.8

Kubernetes version

17.0.0

Environment

rainest commented 4 years ago

https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md#provision-a-consumer shows how to create a modern secret-based credential and map it to a consumer. The example in that thread is fine--KongCredential resources are still supported; they have not been removed from the controller yet.

Secret credentials use a kongCredType key within the secret data instead of the type field on KongCredential, and use secret keys for all items underneath the KongCredential config block.

MarsForever commented 4 years ago

Thanks for your answer, @rainest. My question is: can I use basic-auth and API key at the same time?

  1. use basic-auth to access service A
  2. use api key to access service A

I created two Kong plugins (API key and basic auth) and added them to the Ingress's annotations, but I find that only one can be enabled.

I referred to the following URLs: for API key, https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/using-consumer-credential-resource.md and for basic auth, https://discuss.konghq.com/t/basic-auth-plugin-credentials-not-working-invalid-authentication-credentials/4958

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  annotations:
    konghq.com/strip-path: "true"
    konghq.com/plugins: httpbin-auth
    konghq.com/plugins: basic-auth

rainest commented 4 years ago

You can, yes, by configuring each to use an anonymous consumer (note that you'll need to create a KongConsumer for the anonymous consumer also). Kong will try each method in sequence and assign the anonymous consumer if it doesn't match any credential of any type.

From there, you can apply a request termination plugin to the anonymous consumer, such that it won't actually be allowed: https://docs.konghq.com/2.0.x/auth/#multiple-authentication

https://docs.konghq.com/enterprise/0.34-x/allowing-multiple-authentication-methods/ is an older version of that guide with some more practical examples. Although it's marked Enterprise it applies to community releases also, excepting the OIDC stuff.
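
The multiple-authentication setup described in the reply above, written out as manifests. This is an added example, not taken from the thread or from the Kong project. The anonymous-deny plugin name, the httpbin backend and the <anonymous-consumer-id> placeholder (the id Kong holds for the anonymous consumer) are assumptions.

```yaml
# Added example: anonymous-deny, httpbin and <anonymous-consumer-id> are assumptions.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-auth
plugin: key-auth
config:
  anonymous: "<anonymous-consumer-id>"   # placeholder, fall back instead of rejecting
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: basic-auth
plugin: basic-auth
config:
  anonymous: "<anonymous-consumer-id>"   # same placeholder as above
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: anonymous-deny                   # hypothetical name
plugin: request-termination              # rejects requests that matched no credential
config:
  status_code: 401
  message: "Authentication required"
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: anonymous
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: anonymous-deny   # termination applies only to this consumer
username: anonymous
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  annotations:
    konghq.com/strip-path: "true"
    # Annotations are a map: list both plugins under one key, comma-separated.
    konghq.com/plugins: httpbin-auth, basic-auth
spec:
  rules:
  - http:
      paths:
      - path: /
        backend: {serviceName: httpbin, servicePort: 80}   # hypothetical backend
```

Without the request-termination plugin on the anonymous consumer, a request carrying no valid credential of either type would still be proxied to the service as that consumer.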