How to: Support multiple authentication methods

Prerequisites

Kong Konnect

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Set the personal access token as an environment variable:
```
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
```
Copied to clipboard!

Enable the Gateway API

Install the Gateway API CRDs before installing Kong Ingress Controller.

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml

Copied to clipboard!

Create a Gateway and GatewayClass instance to use.

echo "
apiVersion: v1
kind: Namespace
metadata:
  name: kong
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: kong
  annotations:
    konghq.com/gatewayclass-unmanaged: 'true'
spec:
  controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
         from: All
" | kubectl apply -n kong -f -

      
        
      
    
Copied to clipboard!

Create a KIC Control Plane

Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:

CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "My KIC CP",
       "cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
     }')

Copied to clipboard!

We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:

CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')

Copied to clipboard!

Create mTLS certificates

Kong Ingress Controller talks to Konnect over a connected secured with TLS certificates.

Generate a new certificate using openssl:

openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt

Copied to clipboard!

The certificate needs to be a single line string to send it to the Konnect API with curl. Use awk to format the certificate:

export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);

Copied to clipboard!

Next, upload the certificate to Konnect:

curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "cert": "'$CERT'"
     }'

Copied to clipboard!

Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:

kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key

Copied to clipboard!

Kong Ingress Controller running (attached to Konnect)

Add the Kong Helm charts:

helm repo add kong https://charts.konghq.com
helm repo update

Copied to clipboard!

Create a values.yaml file:

cat <<EOF > values.yaml
controller:
  ingressController:
    image:
      tag: "3.4"
    env:
      feature_gates: "FillIDs=true"
    konnect:
      license:
        enabled: true
      enabled: true
      controlPlaneID: "$CONTROL_PLANE_ID"
      tlsClientCertSecretName: konnect-client-tls
      apiHostname: "us.kic.api.konghq.com"
gateway:
  image:
    repository: kong/kong-gateway
  env:
    konnect_mode: 'on'
    vitals: "off"
    cluster_mtls: pki
    cluster_telemetry_endpoint: "$CONTROL_PLANE_TELEMETRY:443"
    cluster_telemetry_server_name: "$CONTROL_PLANE_TELEMETRY"
    cluster_cert: /etc/secrets/konnect-client-tls/tls.crt
    cluster_cert_key: /etc/secrets/konnect-client-tls/tls.key
    lua_ssl_trusted_certificate: system
    proxy_access_log: "off"
    dns_stale_ttl: "3600"
  secretVolumes:
     - konnect-client-tls
EOF

      
        
      
    
Copied to clipboard!

Install Kong Ingress Controller using Helm:

helm install kong kong/ingress -n kong --create-namespace --values ./values.yaml

Copied to clipboard!

Set $PROXY_IP as an environment variable for future commands:

export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}')
echo $PROXY_IP

Copied to clipboard!

Kong Ingress Controller running

Add the Kong Helm charts:

helm repo add kong https://charts.konghq.com
helm repo update

Copied to clipboard!

Install Kong Ingress Controller using Helm:

helm install kong kong/ingress -n kong --create-namespace

Copied to clipboard!

Set $PROXY_IP as an environment variable for future commands:

export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{range .status.loadBalancer.ingress[0]}{@.ip}{@.hostname}{end}')
echo $PROXY_IP

Copied to clipboard!

Required Kubernetes resources

This how-to requires some Kubernetes services to be available in your cluster. These services will be used by the resources created in this how-to.

kubectl apply -f https://developer.konghq.com/manifests/kic/echo-service.yaml -n kong

Copied to clipboard!

Allowing multiple authentication methods

The default behavior for Kong Gateway authentication plugins is to require credentials for all requests even if a request has been authenticated through another plugin. Configure an anonymous Consumer on your authentication plugins to set authentication options.

Create Consumers

Create two Consumers that use different authentication methods:

consumer-1 uses basic-auth
consumer-2 uses key-auth

Create a secret to add a basic-auth credential for consumer-1:

 echo '
 apiVersion: v1
 kind: Secret
 metadata:
   name: consumer-1-basic-auth
   namespace: kong
   labels:
     konghq.com/credential: basic-auth
 stringData:
     username: consumer-1
     password: consumer-1-password
 ' | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Create a secret to add a key-auth credential for consumer-2:

 echo '
 apiVersion: v1
 kind: Secret
 metadata:
   name: consumer-2-key-auth
   namespace: kong
   labels:
     konghq.com/credential: key-auth
 stringData:
   key: consumer-2-password
 ' | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Create a Consumer named consumer-1:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: consumer-1
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
username: consumer-1
credentials:
- consumer-1-basic-auth
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Create a Consumer named consumer-2:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: consumer-2
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
username: consumer-2
credentials:
- consumer-2-key-auth
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Secure the service

Once the Consumers and credentials are created, you can add authentication plugins to your Service.

First, create a key-auth plugin. Notice the anonymous configuration option, which means that if no credentials match, the consumer named anonymous is assigned to the request:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: key-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  anonymous: anonymous
plugin: key-auth
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

As Consumer 2 is using basic-auth, we also need to create a basic-auth plugin:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: basic-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  anonymous: anonymous
plugin: basic-auth
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service echo konghq.com/plugins=key-auth,basic-auth --overwrite

Copied to clipboard!

Create an anonymous Consumer

Your endpoints are now secure, but neither Consumer can access the endpoint when providing valid credentials. This is because each plugin will verify the Consumer using it’s own authentication method.

To allow multiple authentication methods, create an anonymous Consumer which is the default user if no valid credentials are provided:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: anonymous
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
username: anonymous
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

All requests to the API will now succeed as the anonymous Consumer is being used as a default.

To secure the API once again, add a request termination plugin to the anonymous Consumer that returns HTTP 401:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: request-termination
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  message: Authentication required
  status_code: 401
plugin: request-termination
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Next, apply the KongPlugin resource by annotating the KongConsumer resource:

kubectl annotate -n kong  anonymous konghq.com/plugins=request-termination

Copied to clipboard!

Create an HTTPRoute

To route HTTP traffic, you need to create an HTTPRoute or an Ingress resource pointing at your Kubernetes Service.

echo "
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: echo
  namespace: kong
  annotations:
    konghq.com/strip-path: 'true'
spec:
  parentRefs:
  - name: kong
    namespace: kong
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - name: echo
      kind: Service
      port: 1027
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo
  namespace: kong
  annotations:
    konghq.com/strip-path: 'true'
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /echo
        pathType: ImplementationSpecific
        backend:
          service:
            name: echo
            port:
              number: 1027
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Validate your configuration

Once the resource has been reconciled, you’ll be able to call the /echo endpoint and Kong Gateway will route the request to the echo service.

Let’s check that authentication works.

Try to access the Gateway Service via the /anything Route using a nonsense API key:

curl "$PROXY_IP/echo" \
     -H "apikey:nonsense"

Copied to clipboard!

The request should now fail with a 401 response and your configured error message, as this Consumer is considered anonymous.

You should get the same result if you try to access the Route without any API key:

curl "$PROXY_IP/echo"

Copied to clipboard!

Finally, try accessing the Route with the configured basic auth credentials:

curl "$PROXY_IP/echo" \
     -u consumer-1:consumer-1-password

Copied to clipboard!

This time, authentication should succeed with a 200.

Cleanup

Delete created Kubernetes resources

kubectl delete -n kong -f https://developer.konghq.com/manifests/kic/echo-service.yaml

Copied to clipboard!

Support multiple authentication methods