nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Plugin does not work with Kong V1.0.3 Docker #105

Closed ofg closed 5 years ago

ofg commented 5 years ago

After installing the plugin on top of kong:1.0.3 docker container I get the following error during startup:

nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:344: kong-oidc plugin is enabled but not installed;
module 'kong.plugins.kong-oidc.handler' not found:No LuaRocks module found for kong.plugins.kong-oidc.handler
    no field package.preload['kong.plugins.kong-oidc.handler']
    no file './kong/plugins/kong-oidc/handler.lua'
    no file './kong/plugins/kong-oidc/handler/init.lua'
    no file '/usr/local/openresty/site/lualib/kong/plugins/kong-oidc/handler.ljbc'
    no file '/usr/local/openresty/site/lualib/kong/plugins/kong-oidc/handler/init.ljbc'
    no file '/usr/local/openresty/lualib/kong/plugins/kong-oidc/handler.ljbc'
    no file '/usr/local/openresty/lualib/kong/plugins/kong-oidc/handler/init.ljbc'
    no file '/usr/local/openresty/site/lualib/kong/plugins/kong-oidc/handler.lua'
    no file '/usr/local/openresty/site/lualib/kong/plugins/kong-oidc/handler/init.lua'
    no file '/usr/local/openresty/lualib/kong/plugins/kong-oidc/handler.lua'
    no file '/usr/local/openresty/lualib/kong/plugins/kong-oidc/handler/init.lua'
    no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/kong/plugins/kong-oidc/handler.lua'
    no file '/usr/local/share/lua/5.1/kong/plugins/kong-oidc/handler.lua'
    no file '/usr/local/share/lua/5.1/kong/plugins/kong-oidc/handler/init.lua'
    no file '/usr/local/openresty/luajit/share/lua/5.1/kong/plugins/kong-oidc/handler.lua'
    no file '/usr/local/openresty/luajit/share/lua/5.1/kong/plugins/kong-oidc/handler/init.lua'
    no file '/home/kong/.luarocks/share/lua/5.1/kong/plugins/kong-oidc/handler.lua'
    no file '/home/kong/.luarocks/share/lua/5.1/kong/plugins/kong-oidc/handler/init.lua'
    no file '/usr/local/openresty/site/lualib/kong/plugins/kong-oidc/handler.so'
    no file '/usr/local/openresty/lualib/kong/plugins/kong-oidc/handler.so'
    no file './kong/plugins/kong-oidc/handler.so'
    no file '/usr/local/lib/lua/5.1/kong/plugins/kong-oidc/handler.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/kong/plugins/kong-oidc/handler.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file '/home/kong/.luarocks/lib/lua/5.1/kong/plugins/kong-oidc/handler.so'
    no file '/usr/local/openresty/site/lualib/kong.so'
    no file '/usr/local/openresty/lualib/kong.so'
    no file './kong.so'
    no file '/usr/local/lib/lua/5.1/kong.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/kong.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file '/home/kong/.luarocks/lib/lua/5.1/kong.so'
stack traceback:
    [C]: in function 'assert'
    /usr/local/share/lua/5.1/kong/init.lua:344: in function 'init'
    init_by_lua:3: in main chunk

The plugin kong-spec-expose is working normally and can be configured / used.

I have installed the kong-oidc plugin in the kong:1.0.3 docker container with the following Dockerfile:

FROM kong:1.0.3

ENV KONG_PLUGINS=bundled,kong-spec-expose,kong-oidc

# install Kong's Spec Expose plugin
RUN luarocks install kong-spec-expose

# install kong-oidc plugin from https://github.com/nokia/kong-oidc/
RUN luarocks install kong-oidc

docker build -t kong:oidc-test . gives the following build output:

Sending build context to Docker daemon  97.79kB
Step 1/5 : FROM kong:1.0.3
 ---> e5d28df8a3c5
Step 2/5 : LABEL maintainer="Oliver Graebner <oliver.graebner@siemens.com>"
 ---> Using cache
 ---> 8e5796298574
Step 3/5 : ENV KONG_PLUGINS=bundled,kong-spec-expose,kong-oidc
 ---> Running in 8a1ee903ae73
Removing intermediate container 8a1ee903ae73
 ---> 0f2c570af7a1
Step 4/5 : RUN luarocks install kong-spec-expose
 ---> Running in b50233ee399d
Warning: The directory '/root/.cache/luarocks' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing /usr/local/bin/luarocks with sudo, you may want sudo's -H flag.
Warning: falling back to curl - install luasec to get native HTTPS support
Installing https://luarocks.org/kong-spec-expose-0.2-1.src.rock
kong-spec-expose 0.2-1 is now installed in /usr/local (license: Apache 2.0)

Removing intermediate container b50233ee399d
 ---> cf0530e52b60
Step 5/5 : RUN luarocks install kong-oidc
 ---> Running in a4e70c8c85c6
Warning: The directory '/root/.cache/luarocks' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing /usr/local/bin/luarocks with sudo, you may want sudo's -H flag.
Warning: falling back to curl - install luasec to get native HTTPS support
Installing https://luarocks.org/kong-oidc-1.1.0-0.src.rock
Missing dependencies for kong-oidc 1.1.0-0:
   lua-resty-openidc ~> 1.6.0 (not installed)

kong-oidc 1.1.0-0 depends on lua-resty-openidc ~> 1.6.0 (not installed)
Installing https://luarocks.org/lua-resty-openidc-1.6.0-1.src.rock
Missing dependencies for lua-resty-openidc 1.6.0-1:
   lua-resty-session >= 2.8 (not installed)
   lua-resty-jwt >= 0.2.0 (not installed)

lua-resty-openidc 1.6.0-1 depends on lua-resty-session >= 2.8 (not installed)
Installing https://luarocks.org/lua-resty-session-2.23-1.src.rock
lua-resty-session 2.23-1 is now installed in /usr/local (license: BSD)

lua-resty-openidc 1.6.0-1 depends on lua-resty-jwt >= 0.2.0 (not installed)
Installing https://luarocks.org/lua-resty-jwt-0.2.0-0.src.rock
lua-resty-jwt 0.2.0-0 is now installed in /usr/local (license: Apache License Version 2)

lua-resty-openidc 1.6.0-1 is now installed in /usr/local (license: Apache 2.0)

kong-oidc 1.1.0-0 is now installed in /usr/local (license: Apache 2.0)

Removing intermediate container a4e70c8c85c6
 ---> 6f0ee4e7e3f1
Successfully built 6f0ee4e7e3f1
Successfully tagged kong:oidc-test

Any hints?

satishmane commented 5 years ago

Follow the steps here. Use the CentOS 1.0.3 Kong image:

https://www.jerney.io/secure-apis-kong-keycloak-1/

bsakweson commented 5 years ago

I am running into some issues with this myself. It looks like something may have changed on the CE version side. This https://www.jerney.io/secure-apis-kong-keycloak-1/ does not really work for me as expected either. In my case, when I introduce the KONG-PLUGINS=oidc environment variable, all other plugins in my Kong cluster disappear, leaving only the oidc plugin in the custom plugin tab section of the plugins tab (Konga UI). If I remove this KONG-PLUGINS=oidc, all other plugins come up. I have even tried KONG-PLUGINS=bundled,oidc as advised by some other folks in the websphere, to no avail. This time around my pods just hang.

bsakweson commented 5 years ago

So I gave it a shot again a few minutes after I wrote my notes, by looking at this documentation closely:

plugins
Comma-separated list of names of plugins this node should load. By default, only plugins bundled in official distributions are loaded via the bundled keyword.

Loading a plugin does not enable it by default, but only instructs Kong to load its source code, and allows to configure the plugin via the various related Admin API endpoints.

The specified name(s) will be substituted as such in the Lua namespace: kong.plugins.{name}.*.

When the off keyword is specified as the only value, no plugins will be loaded.

bundled and plugin names can be mixed together, as the following examples suggest:

plugins=bundled,custom-auth,custom-log will include the bundled plugins plus two custom ones
plugins=custom-auth,custom-log will only include the custom-auth and custom-log plugins.
plugins=off will not include any plugins
Note: Kong will not start if some plugins were previously configured (i.e. have rows in the database) and are not specified in this list. Before disabling a plugin, ensure all instances of it are removed before restarting Kong.

Note: Limiting the amount of available plugins can improve P99 latency when experiencing LRU churning in the database cache (i.e. when the configured mem_cache_size is full).

Default: bundled

and got everything working.

cristichiru commented 5 years ago

I am setting KONG_PLUGINS=bundled,oidc and it works as expected, since 0.14. KONGunderscorePLUGINS, not dash.

satishmane commented 5 years ago

This is also a good plugin which is based on oidc and resty: https://bitbucket.org/gt_tech/jwks_aware_oauth_jwt_access_token_validator/src/master/

ofg commented 5 years ago

I solved the issue: while installing, the plugin name is kong-oidc; for activation at startup, the plugin name is oidc. It works with this Dockerfile:

FROM kong:1.0.3

ENV KONG_PLUGINS=bundled,kong-spec-expose,oidc

# install Kong's Spec Expose plugin
RUN luarocks install kong-spec-expose

# install kong-oidc plugin from https://github.com/nokia/kong-oidc/
RUN luarocks install kong-oidc
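
The plugins documentation quoted in this thread says each listed name is substituted into kong.plugins.{name}.*, which is why the rock name kong-oidc fails at startup while the plugin name oidc loads. As an added example (not from the thread or from the kong-oidc project), the shell check below performs that lookup before Kong starts; the helper name missing_plugins, the LUA_ROOTS variable and the demo directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that each name in KONG_PLUGINS resolves to a handler
# module, the lookup whose failure produces the init_by_lua error in this issue.

# Default module roots, taken from search paths listed in the error trace.
LUA_ROOTS="${LUA_ROOTS:-/usr/local/share/lua/5.1 /usr/local/openresty/site/lualib /usr/local/openresty/lualib}"

# missing_plugins <plugins-value> [root ...]   (hypothetical helper name)
# Prints each plugin name that has no kong/plugins/<name>/handler module under
# any root. "bundled" and "off" are keywords of the setting, not plugin names.
missing_plugins() {
    plugins=$1
    shift
    # No roots passed: fall back to the space-separated LUA_ROOTS list.
    [ "$#" -gt 0 ] || set -- $LUA_ROOTS
    for name in $(printf '%s' "$plugins" | tr ',' ' '); do
        case "$name" in bundled|off) continue ;; esac
        found=no
        for root in "$@"; do
            dir="$root/kong/plugins/$name"
            if [ -f "$dir/handler.lua" ] || [ -f "$dir/handler/init.lua" ]; then
                found=yes
                break
            fi
        done
        [ "$found" = yes ] || printf '%s\n' "$name"
    done
}

# Constructed demo tree standing in for the image after both luarocks installs:
# the kong-oidc rock provides the plugin directory "oidc", not "kong-oidc".
demo_root=$(mktemp -d)
mkdir -p "$demo_root/kong/plugins/oidc" "$demo_root/kong/plugins/kong-spec-expose"
: > "$demo_root/kong/plugins/oidc/handler.lua"
: > "$demo_root/kong/plugins/kong-spec-expose/handler.lua"

echo "rock name in list:   [$(missing_plugins 'bundled,kong-spec-expose,kong-oidc' "$demo_root")]"
echo "plugin name in list: [$(missing_plugins 'bundled,kong-spec-expose,oidc' "$demo_root")]"
```

In a Dockerfile, a RUN step that calls the function against $KONG_PLUGINS and exits non-zero on any output turns the startup failure into a build failure.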