Configuring Authentication
decK assumes that it is running on the same machine as Kong Gateway and that the Admin API requires no authentication by default.
This page explains the CLI flags required to customise this behavior. If you would like to change the default behavior using environment variables or a configuration file, see the configuration options page.
The following examples use deck gateway ping
, but the flags also apply to all other deck gateway
commands.
The --kong-addr
flag configures the URL that decK calls to use the Admin API. The default value is http://localhost:8001
.
deck gateway ping --kong-addr https://my-kong-gateway.example.com:8001
If you run Kong Gateway using a self-signed TLS certificate, you should specify the --ca-cert
(raw contents) or --ca-cert-file
flag so that TLS verification can be performed:
deck gateway ping --kong-addr https://my-kong-gateway.example.com:8001 --ca-cert-file /path/to/ca.crt
If you don’t want to verify the TLS certificate (we do not recommend this), you can use the --tls-skip-verify
flag.
Token authentication
If your Admin API is secured using RBAC, you will need to send the Kong-Admin-Token
header in your requests. This is done using the --headers
flag:
deck gateway ping --headers "Kong-Admin-Token:$MY_TOKEN_HERE"
Certificate authentication
If your Admin API is secured using mutual TLS, you need to send a TLS client certificate and key:
deck gateway ping --tls-client-cert-file /path/to/tls.crt --tls-client-cert-key /path/to/tls.key
You may also specify the raw contents of these files as --tls-client-cert $CERT
and --tls-client-key $KEY
OpenID Connect authentication
If your Admin API is secured using OpenID Connect, you will need to call the Kong Manager /auth
endpoint and save the cookies to use with --kong-cookie-jar-path
.
To generate a session cookie, you can use the following script. Ensure that you change the KONG_ADMIN_URL
, KONG_ADMIN_USER
, KONG_IDP_USER
and KONG_IDP_PASS
values at the top.
#!/usr/bin/env bash
# halt on errors
set -e
# The admin URL for Kong
KONG_ADMIN_URL=https://my-kong.example.com
# The admin user for Kong
# This user should be the one associated with
# the IDP user
KONG_ADMIN_USER=jdoe
# The IDP user of the person initiating
# the pipeline job
KONG_IDP_USER=jdoe@your-idp.com
# The corresponding password for the IDP user
KONG_IDP_PASS=********
# The Kong workspace we want to use
KONG_WORKSPACE=default
# Create restrictive temp directory for session cookie
TMPDIR=$(mktemp -d -t ci-XXXXXXXXXX)
chmod 700 "${TMPDIR}"
# A temporary file used for storing the Kong
# manager session cookie
COOKIE_JAR=$(mktemp "${TMPDIR}/cookie.jar.XXXX")
# Chmod the cookie jar file path to stop access from other users
# on the same system
chmod 600 "${COOKIE_JAR}"
# Create a unique user agent name for this request
# This exact name is used when creating the session cookie
# if you try to reuse the cookie without this name or a different user-agent
# name then the signature validation will fail. And the cookie will not be
# usable.
# The UNIQUE_USER_AGENT variable is generated by uuidgen and only ever stored
# in memory.
UNIQUE_USER_AGENT=$(uuidgen)
# Function to call delete on the auth endpoint
# this will destroy the cookie in the Kong database
function auth_logout() {
curl -s -X DELETE --cookie "${COOKIE_JAR}" --cookie-jar "${COOKIE_JAR}" \
-A "${UNIQUE_USER_AGENT}" \
-H "Kong-Admin-User: ${KONG_ADMIN_USER}" \
"${KONG_ADMIN_URL}/auth?session_logout=true"
}
# Function to remove the cookie file from the filesystem
function remove_cookie() {
if [ -d "${TMPDIR}" ]; then
/usr/bin/rm -rf "${TMPDIR}"
fi
}
# On any interrupt, error or normal exit remove the cookie jar folder
# and call auth_logout
trap \
"{ auth_logout; remove_cookie ; exit 0; }" \
SIGINT SIGTERM ERR EXIT
# By hitting the /auth endpoint of Kong admin API
# we can simulate a Kong Manager login and store
# the session cookie that is returned.
# To do this we pass the Kong admin user name, the
# IDP user name and the IDP password.
curl -s -k --get --cookie "${COOKIE_JAR}" --cookie-jar "${COOKIE_JAR}" \
-A "${UNIQUE_USER_AGENT}" \
-H "Kong-Admin-User: ${KONG_ADMIN_USER}" \
-u ${KONG_IDP_USER}:${KONG_IDP_PASS} \
${KONG_ADMIN_URL}/auth
# decK now has a session cookie it can use when talking to the admin api.
# The decK command passes the kong-admin-user and user-agent headers
# without both of these headers set to the correct value the deck commands
# session cookie will fail validation
deck gateway ping \
--workspace "${KONG_WORKSPACE}" \
--kong-addr "${KONG_ADMIN_URL}" \
--kong-cookie-jar-path "${COOKIE_JAR}" \
--headers "kong-admin-user:${KONG_ADMIN_USER}" \
--headers "user-agent:${UNIQUE_USER_AGENT}" \
--yes