Skip to content
|
search
Kong Ingress Controller
2.6.x
github-edit-pageEdit this page
report-issueReport an issue
You are browsing documentation for an outdated version. See the latest documentation here.

Using OIDC plugin

Kong Enterprise’s OIDC plugin can authenticate requests using OpenID Connect protocol. Learn to setup the OIDC plugin using the Ingress Controller. It is important that create a domain name to use OIDC plugin in a production environment.

Before you begin ensure that you have Installed Kong Ingress Controller with Gateway API support in your Kubernetes cluster and are able to connect to Kong. This guide requires Kong Gateway Enterprise.

Prerequisites

Install the Gateway APIs

  1. Install the Gateway API CRDs before installing Kong Ingress Controller.

     kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml

  2. Create a Gateway and GatewayClass instance to use.

    echo "
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: kong
  annotations:
    konghq.com/gatewayclass-unmanaged: 'true'

spec:
  controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
" | kubectl apply -f -

    The results should look like this:

    gatewayclass.gateway.networking.k8s.io/kong created
gateway.gateway.networking.k8s.io/kong created

Install Kong

You can install Kong in your Kubernetes cluster using Helm.

  1. Add the Kong Helm charts:

     helm repo add kong https://charts.konghq.com
 helm repo update

  2. Create a file named license.json containing your Kong Gateway Enterprise license and store it in a Kubernetes secret:

     kubectl create namespace kong
 kubectl create secret generic kong-enterprise-license --from-file=license=./license.json -n kong

  3. Create a values.yaml file:

     gateway:
   image:
     repository: kong/kong-gateway
   env:
     LICENSE_DATA:
       valueFrom:
         secretKeyRef:
           name: kong-enterprise-license
           key: license

  4. Install Kong Ingress Controller and Kong Gateway with Helm:

     helm install kong kong/ingress -n kong --create-namespace --values ./values.yaml

Test connectivity to Kong

Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:

  1. Populate $PROXY_IP for future commands:

     export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo $PROXY_IP

  2. Ensure that you can call the proxy IP:

     curl -i $PROXY_IP

    The results should look like this:

     HTTP/1.1 404 Not Found
 Content-Type: application/json; charset=utf-8
 Connection: keep-alive
 Content-Length: 48
 X-Kong-Response-Latency: 0
 Server: kong/3.0.0
  
 {"message":"no Route matched with those values"}

Deploy an echo service

To proxy requests, you need an upstream application to send a request to. Deploying this echo server provides a simple application that returns information about the Pod it’s running in:

kubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/echo-service.yaml

The results should look like this:

service/echo created
deployment.apps/echo created

Add routing configuration

Create routing configuration to proxy /echo requests to the echo server:

echo "
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: echo
  annotations:
    konghq.com/strip-path: 'true'
spec:
  parentRefs:
  - name: kong
  hostnames:
  - '127.0.0.1.nip.io'
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - name: echo
      kind: Service
      port: 1027
" | kubectl apply -f -

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo
  annotations:
    konghq.com/strip-path: 'true'
spec:
  ingressClassName: kong
  rules:
  - host: 127.0.0.1.nip.io
    http:
      paths:
      - path: /echo
        pathType: ImplementationSpecific
        backend:
          service:
            name: echo
            port:
              number: 1027
" | kubectl apply -f -

The results should look like this:

httproute.gateway.networking.k8s.io/echo created

ingress.networking.k8s.io/echo created

Test the routing rule:

curl -i -H 'Host:127.0.0.1.nip.io' $PROXY_IP/echo

The results should look like this:

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 140
Connection: keep-alive
Date: Fri, 21 Apr 2023 12:24:55 GMT
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.2.2

Welcome, you are connected to node docker-desktop.
Running on Pod echo-7f87468b8c-tzzv6.
In namespace default.
With IP address 10.1.0.237.
...

If everything is deployed correctly, you should see the above response. This verifies that Kong Gateway can correctly route traffic to an application running inside Kubernetes.

This example uses 127.0.0.1.nip.io as the host, you can use any domain name of your choice. For demo purpose, you can nip.io service to avoid setting up a DNS record.

Test the Ingress rule:

$ curl -i 127.0.0.1.nip.io/echo
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 137
Connection: keep-alive
Date: Tue, 31 Oct 2023 21:26:56 GMT
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.4.1.0-enterprise-edition

Welcome, you are connected to node orbstack.
Running on Pod echo-74d47cc5d9-cqnh6.
In namespace default.
With IP address 192.168.194.7.

Setup OIDC plugin

Now we are going to protect our dummy service with OpenID Connect protocol using Google as our identity provider.

  1. Setup an OAuth 2.0 application in Google. And set the redirect_uri to http://127.0.0.1.nip.io/echo.

    Your OAuth 2.0 application must have the openid scope.

  2. After you have setup your application in Google, use the client ID and client secret and create a KongPlugin resource in Kubernetes.

     $ echo "
 apiVersion: configuration.konghq.com/v1
 kind: KongPlugin
 metadata:
   name: oidc-auth
 config:
   issuer: https://accounts.google.com/.well-known/openid-configuration
   client_id:
   - <client-id>
   client_secret:
   - <client-secret>
   redirect_uri:
   - http://127.0.0.1.nip.io/echo
 plugin: openid-connect
 " | kubectl apply -f -

    The results should look like this:

     kongplugin.configuration.konghq.com/oidc-auth created

    The redirect_uri parameter must be a URI that matches the Ingress rule that you created. You must also add it to your Google OIDC configuration.

  3. Enable the plugin on ingress.

     $ kubectl patch ingress echo -p '{"metadata":{"annotations":{"konghq.com/plugins":"oidc-auth"}}}'
 ingress.extensions/demo patched

Test the configuration

Now, if you visit http://127.0.0.1.nip.io/echo in your web browser Kong should redirect you to Google to verify your identity. After you identify yourself, you should be able to browse our dummy service once again.

This basic configuration permits any user with a valid Google account to access the dummy service. For setting up more complicated authentication and authorization flows, see the plugin docs.