Skip to content
|
search
Kong Ingress Controller
2.8.x
github-edit-pageEdit this page
report-issueReport an issue
You are browsing documentation for an outdated version. See the latest documentation here.

Provisioning Consumers and Credentials

Learn how to use the KongConsumer custom resource and use Secret resources to associate credentials with those consumers.

Installation

Follow the deployment documentation to install the Kong Ingress Controller on the Kubernetes cluster.

Installing the Gateway APIs

If you wish to use the Gateway APIs examples, follow the supplemental Gateway APIs installation instructions.

Testing connectivity to Kong Gateway

Ensure that the PROXY_IP environment variable is set to contain the IP address or URL pointing to Kong Gateway. The deployment guide that you used to install the Kong Ingress Controller on the Kubernetes cluster provides the instructions to configure this environment variable.

If everything is set correctly, a request to Kong Gateway returns a HTTP 404 Not Found status code:

curl -i $PROXY_IP

The results should look like this:

HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
X-Kong-Response-Latency: 0
Server: kong/3.0.0

{"message":"no Route matched with those values"}

This is expected because Kong Gateway doesn’t know how to proxy the request yet.

Deploy an upstream HTTP application

To proxy requests, you need an upstream application to send a request to. Deploying this echo server provides a simple application that returns information about the Pod it’s running in:

echo "
apiVersion: v1
kind: Service
metadata:
  labels:
    app: echo
  name: echo
spec:
  ports:
  - port: 1025
    name: tcp
    protocol: TCP
    targetPort: 1025
  - port: 1026
    name: udp
    protocol: TCP
    targetPort: 1026
  - port: 1027
    name: http
    protocol: TCP
    targetPort: 1027
  selector:
    app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo
  name: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: echo
    spec:
      containers:
      - image: kong/go-echo:latest
        name: echo
        ports:
        - containerPort: 1027
        env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
        resources: {}
" | kubectl apply -f -

The results should look like this:

service/echo created
deployment.apps/echo created

Create a configuration group

Ingress and Gateway APIs controllers need a configuration that indicates which set of routing configuration they should recognize. This allows multiple controllers to coexist in the same cluster. Before creating individual routes, you need to create a class configuration to associate routes with:

Official distributions of Kong Ingress Controller come with a kong IngressClass by default. If kubectl get ingressclass kong does not return a not found error, you can skip this command.

echo "
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: kong
spec:
  controller: ingress-controllers.konghq.com/kong
" | kubectl apply -f -

The results should look like this:

ingressclass.networking.k8s.io/kong configured

echo "
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: kong
  annotations:
    konghq.com/gatewayclass-unmanaged: 'true'

spec:
  controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
" | kubectl apply -f -

The results should look like this:

gatewayclass.gateway.networking.k8s.io/kong created
gateway.gateway.networking.k8s.io/kong created

After the controller has acknowledged the Gateway, it shows the proxy IP and its status:

kubectl get gateway kong

The results should look like this:

NAME   CLASS   ADDRESS        READY   AGE
kong   kong    203.0.113.42   True    4m46s

Kong Ingress Controller recognizes the kong IngressClass and konghq.com/kic-gateway-controller GatewayClass by default. Setting the CONTROLLER_INGRESS_CLASS or CONTROLLER_GATEWAY_API_CONTROLLER_NAME environment variable to another value overrides these defaults.

Add routing configuration

Create routing configuration to proxy /echo requests to the echo server:

echo "
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: echo
     annotations:
       konghq.com/strip-path: 'true'
   spec:
     ingressClassName: kong
     rules:
     - host: kong.example
       http:
         paths:
         - path: /echo
           pathType: ImplementationSpecific
           backend:
             service:
               name: echo
               port:
                 number: 1027
   " | kubectl apply -f -
echo "
   apiVersion: gateway.networking.k8s.io/v1beta1
   kind: HTTPRoute
   metadata:
     name: echo
     annotations:
       konghq.com/strip-path: 'true'
   spec:
     parentRefs:
     - name: kong
     hostnames:
     - 'kong.example'
     rules:
     - matches:
       - path:
           type: PathPrefix
           value: /echo
       backendRefs:
       - name: echo
         kind: Service
         port: 1027
   " | kubectl apply -f -
The results should look like this:

ingress.networking.k8s.io/proxy-from-k8s-to-httpbin created
httproute.gateway.networking.k8s.io/echo created

Test the routing rule:

curl -i -H 'Host:kong.example' $PROXY_IP/echo

The results should look like this:

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 140
Connection: keep-alive
Date: Fri, 21 Apr 2023 12:24:55 GMT
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.2.2

Welcome, you are connected to node docker-desktop.
Running on Pod echo-7f87468b8c-tzzv6.
In namespace default.
With IP address 10.1.0.237.
...

If everything is deployed correctly, you should see the above response. This verifies that Kong Gateway can correctly route traffic to an application running inside Kubernetes.

Add authentication to the service

With Kong, adding authentication for an API is as simple as enabling a plugin.

  1. To enforce authentication requirements on the route you’ve created, create a KongPlugin resource with an authentication plugin, such as key-auth:

    echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: example-auth
plugin: key-auth
" | kubectl apply -f -

    The results should look like this:

     kongplugin.configuration.konghq.com/example-auth created

  2. Associate this plugin with the Ingress rule that you created using the konghq.com/plugins annotation:

    kubectl annotate ingress echo konghq.com/plugins=example-auth
    kubectl annotate httproute echo konghq.com/plugins=example-auth

    The results should look like this:

    ingress.networking.k8s.io/echo annotated
    httproute.gateway.networking.k8s.io/echo annotated

  3. Test the routing configuration by sending a request that matches the proxying rules defined in the echo routing configuration. It now requires a valid API key:

     curl -si http://kong.example/echo --resolve kong.example:80:$PROXY_IP

    The results should look like this:

     HTTP/1.1 401 Unauthorized
 Content-Type: application/json; charset=utf-8
 Connection: keep-alive
 WWW-Authenticate: Key realm="kong"
 Content-Length: 41
 Server: kong/3.0.1
    
 {"message":"No API key found in request"}

    Requests that do not include a key receive a 401 Unauthorized response.

Provision a consumer and credential

Credential Secrets include a kongCredType key, whose value indicates what authentication plugin the credential is for, and keys corresponding to the fields necessary to configure that credential type (key for key-auth credentials).

  1. Create a credential Secret:

     kubectl create secret generic kotenok-key-auth \
   --from-literal=kongCredType=key-auth  \
   --from-literal=key=gav

    The results should look like this:

     secret/kotenok-key-auth created

  2. Create a KongConsumer resource that uses the Secret:

    echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: kotenok
 annotations:
   kubernetes.io/ingress.class: kong
username: kotenok
credentials:
- kotenok-key-auth
" | kubectl apply -f -

    The results should look like this:

     kongconsumer.configuration.konghq.com/kotenok created

Use the credential

Now, send a request including the credential (key-auth expects an apikey header with the key by default):

curl -si http://kong.example/echo --resolve kong.example:80:$PROXY_IP -H "apikey: gav"

The results should look like this:

HTTP/1.1 200 OK                
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Fri, 09 Dec 2022 22:16:24 GMT
Server: echoserver
x-added-service:  demo
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.1.1

Hostname: echo-fc6fd95b5-8tn52
...

In this guide, you learned how to leverage an authentication plugin in Kong and provision credentials. This enables you to offload authentication into your Ingress layer and keeps the application logic simple.

All other authentication plugins bundled with Kong work in this way and can be used to quickly add an authentication layer on top of your microservices.