Unable to login to Kong Manager with DB-less Kubernetes deployment
cnukwas opened this issue · 1 comments
Tried with most of the default configuration with DB-less and without the Ingress Controller component.
The pod comes up fine, but when I log in to the Kong Manager UI with the kong-admin password that's set in the secret, I get a "Username/Password is invalid" error. Any clues on what we're missing here, or is this a known limitation of the DB-less approach?
I could see that `curl http://localhost:8001` and `http://localhost:8001/routes` calls are successful when run from the same or a different pod.
Applied Helm chart with below values.yaml after creating necessary secrets and configmaps.
Secrets: kong-session-config, kong-ee-pass, and kong-enterprise-license
kong-session-config secret data:
admin_gui_session_conf
```json
{"cookie_name":"admin_session","cookie_samesite":"off","secret":"dummy-dfsdfsgdsfsdg","cookie_secure":true,"storage":"cookie"}
```
portal_session_conf
```json
{"cookie_name":"portal_session","cookie_samesite":"off","secret":"portal-dummy-dfsdfsgdsfsdg","cookie_secure":true,"storage":"cookie"}
```
```yaml
kind: Secret
apiVersion: v1
metadata:
  name: kong-ee-pass
  namespace: kong-ns
data:
  password: dummy_pass_1
type: Opaque
```
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: kong-dbless-config
  namespace: kong-ns
data:
  kong.yml: |-
    _format_version: "3.0"
    _transform: true
    services:
    - name: my-service
      url: https://example.com
```
```yaml
# Basic values.yaml for Kong for Kubernetes with Kong Enterprise (DB-less)
# Several settings (search for the string "CHANGEME") require user-provided
# Secrets. These Secrets must be created before installation.
image:
  repository: kong/kong-gateway
  tag: "3.5"
enterprise:
  enabled: true
  # See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
  license_secret: kong-enterprise-license
  vitals:
    enabled: false
  portal:
    enabled: false
  rbac:
    enabled: true
    admin_gui_auth: basic-auth
manager:
  enabled: true
portal:
  enabled: false
portalapi:
  enabled: false
env:
  database: "off"
  admin_listen: "0.0.0.0:8001, 0.0.0.0:8444 ssl"
  password:
    valueFrom:
      secretKeyRef:
        name: kong-ee-pass
        key: password
admin:
  enabled: true
  http:
    enabled: true
    servicePort: 8001
    containerPort: 8001
ingressController:
  enabled: false
proxy:
  # Enable creating a Kubernetes service for the proxy
  enabled: true
  type: NodePort
dblessConfig:
  # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
  configMap: kong-dbless-config
```
As far as I know there is no support for RBAC (and by extension, Manager authentication) in DB-less mode. If you want additional authentication options in DB-less mode, you'll want to file a support ticket with a feature request for it.
Setting `env.password` does not define the super admin password per se. It's not a typical kong.conf setting like most `env` settings, but instead directs initial database migrations to create a super admin with that password.
I'm checking around to see why we don't actually disallow enabling RBAC when using DB-less mode. I'm not sure why the documentation for RBAC doesn't mention anything about it one way or the other either.
Note that if you do switch to using a database, you'll need to delete and re-create the Helm release, as the initial install is the only time it runs initial migrations. Once you've done so, you can remove the `env.password` setting. It has no effect after initial migrations; all admin management is handled via the database and admin API after.
I'll reopen this if I find further information of interest, but don't expect I will.
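
Added example, not part of the issue thread and not code from the Kong chart: a pre-install lint that flags the combination discussed above (RBAC and `env.password` set while `env.database` is `"off"`, with the Admin API listening on all interfaces). The function names and `SAMPLE_VALUES` are assumptions for illustration; the dict is a constructed copy of the relevant keys from the issue's values.yaml, as `yaml.safe_load()` would return them.

```python
# Added example. SAMPLE_VALUES is constructed from the values.yaml in this issue;
# only explicitly set keys are checked (chart defaults are not merged in).
SAMPLE_VALUES = {
    "enterprise": {"enabled": True,
                   "rbac": {"enabled": True, "admin_gui_auth": "basic-auth"}},
    "env": {
        "database": "off",
        "admin_listen": "0.0.0.0:8001, 0.0.0.0:8444 ssl",
        "password": {"valueFrom": {"secretKeyRef": {"name": "kong-ee-pass",
                                                    "key": "password"}}},
    },
}


def get_path(values, dotted, default=None):
    """Walk a dotted key path through nested dicts; return default if a key is absent."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_dbless_values(values):
    """Return (key, message) findings for settings that depend on a database in DB-less mode."""
    if str(get_path(values, "env.database", "")).lower() != "off":
        return []  # a database is configured, so the findings below do not apply
    findings = []
    if get_path(values, "enterprise.rbac.enabled") is True:
        findings.append(("enterprise.rbac.enabled",
                         "RBAC is enabled, but per the reply it is not supported in DB-less mode"))
    if get_path(values, "env.password") is not None:
        findings.append(("env.password",
                         "only used by initial database migrations; no super admin is created"))
    listeners = [item.strip() for item in str(get_path(values, "env.admin_listen", "")).split(",")]
    wide = [item for item in listeners if item.startswith("0.0.0.0:")]
    if wide:
        findings.append(("env.admin_listen",
                         "Admin API bound to all interfaces without working RBAC: " + ", ".join(wide)))
    return findings


if __name__ == "__main__":
    for key, message in lint_dbless_values(SAMPLE_VALUES):
        print(f"{key}: {message}")
```

Running it against the values from this issue reports all three keys; with `env.database` set to a database backend it reports nothing.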