Provisioning Consumers and Credentials
This guide walks through how to use the KongConsumer custom resource and Secret resources to associate credentials with consumers.
Installation
Please follow the deployment documentation to install the Kubernetes Ingress Controller onto your Kubernetes cluster.
Installing the Gateway APIs
If you wish to use the Gateway APIs examples, follow the supplemental Gateway APIs installation instructions.
Testing connectivity to Kong Gateway
This guide assumes that the PROXY_IP environment variable is set to contain the IP address or URL pointing to Kong Gateway. If you've not done so, follow one of the deployment guides to configure this environment variable.
If everything is set up correctly, making a request to Kong Gateway should return an HTTP 404 Not Found status code:
curl -i $PROXY_IP
Response:
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
X-Kong-Response-Latency: 0
Server: kong/3.0.0
{"message":"no Route matched with those values"}
This is expected since Kong Gateway doesn’t know how to proxy the request yet.
Deploy an upstream HTTP application
To proxy requests, you need an upstream application to proxy to. Deploying this echo server provides a simple application that returns information about the Pod it’s running in:
echo "
apiVersion: v1
kind: Service
metadata:
  labels:
    app: echo
  name: echo
spec:
  ports:
  - port: 1025
    name: tcp
    protocol: TCP
    targetPort: 1025
  - port: 1026
    name: udp
    protocol: TCP
    targetPort: 1026
  - port: 1027
    name: http
    protocol: TCP
    targetPort: 1027
  selector:
    app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo
  name: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: echo
    spec:
      containers:
      - image: kong/go-echo:latest
        name: echo
        ports:
        - containerPort: 1027
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        resources: {}
" | kubectl apply -f -
Response:
service/echo created
deployment.apps/echo created
Create a configuration group
Ingress and Gateway APIs controllers need a configuration that indicates which set of routing configuration they should recognize. This allows multiple controllers to coexist in the same cluster. Before creating individual routes, you need to create a class configuration to associate routes with:
Kubernetes Ingress Controller recognizes the kong IngressClass and konghq.com/kic-gateway-controller GatewayClass by default. Setting the CONTROLLER_INGRESS_CLASS or CONTROLLER_GATEWAY_API_CONTROLLER_NAME environment variable to another value overrides these defaults.
Add routing configuration
Create routing configuration to proxy /echo requests to the echo server:
Test the routing rule:
curl -i http://kong.example/echo --resolve kong.example:80:$PROXY_IP
Response:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 140
Connection: keep-alive
Date: Fri, 21 Apr 2023 12:24:55 GMT
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.2.2
Welcome, you are connected to node docker-desktop.
Running on Pod echo-7f87468b8c-tzzv6.
In namespace default.
With IP address 10.1.0.237.
...
If everything is deployed correctly, you should see the above response. This verifies that Kong Gateway can correctly route traffic to an application running inside Kubernetes.
Add authentication to the service
With Kong, adding authentication in front of an API is as simple as enabling a plugin. To enforce authentication requirements on the route you've created, create a KongPlugin resource with an authentication plugin, such as key-auth:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: example-auth
plugin: key-auth
" | kubectl apply -f -
Response:
kongplugin.configuration.konghq.com/example-auth created
Now, associate this plugin with the previous Ingress rule we created using the konghq.com/plugins annotation:
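The /echo routing rule and the plugin association described above, written as a single Ingress manifest. This is an added example, not a manifest from the original page: the Ingress name echo and the Prefix path type are assumptions, while the host, path, Service, port, class and plugin name are the ones used in this guide. Apply it with kubectl apply -f.

```yaml
# Added example; the resource name and pathType are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo                      # assumed name for the routing rule
  annotations:
    # Comma-separated list of KongPlugin names. A KongPlugin is namespaced,
    # so example-auth must exist in the same namespace as this Ingress.
    konghq.com/plugins: example-auth
spec:
  # Class the controller recognizes by default (see "Create a configuration group").
  ingressClassName: kong
  rules:
  - host: kong.example            # host used by the curl commands in this guide
    http:
      paths:
      - path: /echo
        pathType: Prefix          # assumed path type
        backend:
          service:
            name: echo            # the echo Service deployed earlier
            port:
              number: 1027        # its http port
```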
Any request matching the proxying rules defined in the echo routing configuration will now require a valid API key:
curl -si http://kong.example/echo --resolve kong.example:80:$PROXY_IP
Response:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Connection: keep-alive
WWW-Authenticate: Key realm="kong"
Content-Length: 41
Server: kong/3.0.1
{"message":"No API key found in request"}
Requests that do not include a key receive a 401 Unauthorized response.
Provision a consumer and credential
First, create a credential Secret:
kubectl create secret generic kotenok-key-auth \
--from-literal=kongCredType=key-auth \
--from-literal=key=gav
Response:
secret/kotenok-key-auth created
Second, create a KongConsumer resource that uses the Secret:
echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: kotenok
  annotations:
    kubernetes.io/ingress.class: kong
username: kotenok
credentials:
- kotenok-key-auth
" | kubectl apply -f -
Response:
kongconsumer.configuration.konghq.com/kotenok created
Credential Secrets include a kongCredType key, whose value indicates what authentication plugin the credential is for, and keys corresponding to the fields necessary to configure that credential type (key for key-auth credentials).
Use the credential
Now, send a request including the credential (key-auth expects an apikey header with the key by default):
curl -si http://kong.example/echo --resolve kong.example:80:$PROXY_IP -H "apikey: gav"
Response:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Fri, 09 Dec 2022 22:16:24 GMT
Server: echoserver
x-added-service: demo
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.1.1
Hostname: echo-fc6fd95b5-8tn52
...
In this guide, you learned how to leverage an authentication plugin in Kong and provision credentials. This enables you to offload authentication into your Ingress layer and keeps the application logic simple.
All other authentication plugins bundled with Kong work in this way and can be used to quickly add an authentication layer on top of your microservices.