nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Kong bypassing kong-oidc on kubernetes #140

Closed paichinger closed 4 years ago

paichinger commented 4 years ago

Hello!

First of all: I'm not sure if this is an issue of kong itself or of the kong-oidc plugin. That's why I put the issue here, but also at kongnation.

What I want to do: Use kong as an API gateway for some services I'm running on kubernetes. Further I want to use the kong-oidc plugin to protect those services, backed by keycloak as an IDP. Before I started I tested the concept by setting everything up with docker-compose and it worked.

The Problem: Now I started introducing kong on my kubernetes cluster. The basic routing works fine, but kong ignores the kong-oidc plugin, so everything is unprotected. Let me elaborate how I set things up.

Reproduction/Setup: The kong-oidc plugin is not in the list of bundled images. That's why I created my own Dockerfile including the plugin based on kong:1.4.0-alpine:

FROM kong:1.4.0-alpine
LABEL description="Alpine + Kong 1.4.0 + kong-oidc plugin"
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc

Then I used this deployment yaml (from the official minikube-guide). Because I have my own kong-image I replaced image: kong:1.3 with image: corphub/kong-oidc:1.4.0-centos in the ingress-kong deployment. Note that I used this opportunity to go from kong-1.3 to kong-1.4.

After that I set up an Ingress for kong and the configuration for the kong-oidc plugin:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-kong
  annotations:
    plugins.konghq.com: kong-oidc
spec:
  rules:
  - http:
      paths:
      - path: /graphql
        backend:
          serviceName: corphub-graphql-service
          servicePort: 8082
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-oidc
  labels:
    global: "true"
config:
  client_id: kong
  client_secret: XXX
  discovery: http://keycloak:8180/auth/realms/master/.well-known/openid-configuration
plugin: kong-oidc

I also added the env variable KONG_CUSTOM_PLUGINS=kong-oidc to the earlier mentioned ingress-kong deployment because I read that somewhere, but I'm not sure if that is needed.

Now I would expect that every request going through kong would be validated by leveraging the kong-oidc plugin and keycloak. But that's just not happening. All the requests just go through as if the plugin is not there at all. I also can't find any logs which could point me in any direction.

I would love this setup to work, because I find it very elegant and robust. I hope I provided enough information; if not, please ask. Thanks in advance, Peter
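A silent no-op like the one described above (KongPlugin objects accepted by the cluster, gateway enforcing nothing) is cheap to catch by comparing what Kubernetes declares with what the gateway actually reports. The check below is an added example, not code from the issue or from the kong-oidc project: it reads the `plugins.available_on_server` and `plugins.enabled_in_cluster` lists that Kong's admin API returns on `GET /`, and flags every KongPlugin whose `plugin:` value the gateway never loaded, plus any `plugins.konghq.com` annotation entry that names no KongPlugin object. All inputs are constructed samples; the admin-API sample lists the plugin under the name `oidc`, which is the name the kong-oidc plugin registers in its README (`KONG_PLUGINS=bundled,oidc`).

```python
import json

# Constructed sample of the Kong admin API root (GET /), trimmed to the two
# plugin lists this check reads; a real response carries many more keys.
ADMIN_ROOT = json.loads("""{
  "version": "1.4.0",
  "plugins": {
    "available_on_server": {"oidc": true, "key-auth": true, "rate-limiting": true},
    "enabled_in_cluster": ["rate-limiting"]
  }
}""")

# Constructed sample: the fields of the applied KongPlugin objects that matter here.
KONG_PLUGINS = [
    {"metadata": {"name": "kong-oidc", "labels": {"global": "true"}}, "plugin": "kong-oidc"},
    {"metadata": {"name": "ratelimit", "labels": {}}, "plugin": "rate-limiting"},
]

# Constructed sample: the value of an Ingress's plugins.konghq.com annotation.
INGRESS_ANNOTATION = "kong-oidc, ratelimit, ip-restrict"


def audit_kong_plugins(admin_root, kong_plugins, annotation):
    """Map each KongPlugin name to a status ('not-loaded', 'not-enabled', 'ok'),
    plus 'dangling' for annotation entries that name no KongPlugin object."""
    available = set(admin_root["plugins"]["available_on_server"])
    enabled = set(admin_root["plugins"]["enabled_in_cluster"])
    status = {}
    for obj in kong_plugins:
        name, plugin = obj["metadata"]["name"], obj.get("plugin")
        if plugin not in available:
            # The gateway never loaded a plugin by this name: the CRD object is
            # accepted by Kubernetes, but no request is ever touched by it.
            status[name] = "not-loaded"
        elif plugin not in enabled:
            # Loaded, but not attached to any route, service or global scope yet.
            status[name] = "not-enabled"
        else:
            status[name] = "ok"
    for ref in (r.strip() for r in annotation.split(",") if r.strip()):
        if ref not in status:
            status[ref] = "dangling"
    return status


if __name__ == "__main__":
    for name, state in audit_kong_plugins(ADMIN_ROOT, KONG_PLUGINS, INGRESS_ANNOTATION).items():
        print(f"{name}: {state}")
```

Anything other than `ok` for the plugin that is supposed to protect a route means the route is currently unauthenticated, so treat the check as a deploy-time gate rather than a debugging aid.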

paichinger commented 4 years ago

Has been solved, see the linked issue on kongnation.