Issues with kong.yml
githugt opened this issue · 3 comments
Hi, I tried using the docker file from here - Dockerfile:2.5.0
The only changes I've made are:
- copying the kong.yml file.
- adding a value for `x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\` (this is base64 for some_base64_string)
kong.yml:

```yaml
_format_version: "1.1"
services:
- connect_timeout: 10000
  host: echoserver
  name: echoserver
  port: 80
  protocol: http
  read_timeout: 5000
  retries: 2
  write_timeout: 5000
  routes:
  - hosts:
    - echoserver:80
    # id: 9c5c298c-1452-4c65-8d65-dcb1a4b4ea68
    # path_handling: v0
    # preserve_host: false
    protocols:
    - http
    - https
    # regex_priority: 0
    # strip_path: true
    # https_redirect_status_code: 426
  plugins:
  - name: oidc
    config:
      access_token_header_as_bearer: "no"
      access_token_header_name: X-Access-Token
      bearer_only: "yes"
      client_id: someconsumer
      client_secret: somesecret
      disable_access_token_header: "no"
      disable_id_token_header: "no"
      disable_userinfo_header: "no"
      discovery: http://hydra-service:9000/.well-known/openid-configuration
      filters: null
      groups_claim: groups
      id_token_header_name: X-ID-Token
      ignore_auth_filters: ""
      introspection_endpoint: http://hydra-service:9001/oauth2/introspect
      introspection_endpoint_auth_method: null
      logout_path: /logout
      realm: kong
      recovery_page_path: null
      redirect_after_logout_uri: /
      redirect_uri: http://example.com
      response_type: token
      revoke_tokens_on_logout: "no"
      scope: openid
      session_secret: null
      ssl_verify: "no"
      timeout: null
      token_endpoint_auth_method: client_secret_post
      unauth_action: auth
      userinfo_header_name: X-USERINFO
    enabled: true
    protocols:
    # - grpc
    # - grpcs
    - http
    - https
```
The only changes I've made to the docker file from master for 2.5.0 are:
- copying the kong.yml file.
- adding a value for `x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\` (this is base64 for some_base64_string)
Dockerfile:

```dockerfile
FROM kong/kong:2.5.0
USER root

LABEL authors="Rami Abusereya <rami.abusereya@revomatico.com>,Cristian Chiru <cristian.chiru@revomatico.com>"

ENV PACKAGES="openssl-devel kernel-headers gcc git openssh" \
    LUA_BASE_DIR="/usr/local/share/lua/5.1" \
    KONG_OIDC_VER="1.2.3-1" \
    LUA_RESTY_OIDC_VER="1.7.4-1" \
    KONG_PLUGIN_SESSION_VER="2.4.5" \
    NGX_DISTRIBUTED_SHM_VER="1.0.2"

COPY kong.yml /

RUN set -ex \
    && apk --no-cache add \
        libssl1.1 \
        openssl \
        curl \
        unzip \
        git \
    && apk --no-cache add --virtual .build-dependencies \
        make \
        gcc \
        openssl-dev \
    \
    ## Install plugins
    # Download ngx-distributed-shm dshm library
    && curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > ${LUA_BASE_DIR}/resty/dshm.lua \
    # Remove old lua-resty-session and dependent kong-plugin-session
    && luarocks remove --force kong-plugin-session \
    && luarocks remove --force lua-resty-session \
    # Add Pluggable Compressors dependencies
    && luarocks install lua-ffi-zlib \
    && luarocks install penlight \
    # Build kong-plugin-session
    && curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/${KONG_PLUGIN_SESSION_VER}/kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec | tee kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
    && luarocks build kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
    # Build kong-oidc from the forked repo because the original is not keeping up with lua-resty-openidc
    && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc-${KONG_OIDC_VER}.rockspec | \
        sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_OIDC_VER}.rockspec \
    && luarocks build kong-oidc-${KONG_OIDC_VER}.rockspec \
    # Patch nginx_kong.lua for kong-oidc session_secret
    && TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua \
    # May cause side effects when using another nginx under this kong, unless set to the same value
    && sed -i "/server_name kong;/a\ \n\
        set_decode_base64 \$session_secret \${{X_SESSION_SECRET}};\n" "$TPL" \
    # Patch nginx_kong.lua to set dictionaries
    && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \n\
        variables_hash_max_size 2048;\n\
        lua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\n\
        lua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\n\
        lua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n\
        > if x_session_storage == "shm" then\n\
        lua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n\
        > end\n\
    ' "$TPL" \
    # Patch nginx_kong.lua to add for memcached sessions
    # (every line of the inserted text must end in \n\ so that sed reads one continuous a\ block)
    && sed -i "/server_name kong;/a\ \n\
        ## Session:\n\
        set \$session_storage \${{X_SESSION_STORAGE}};\n\
        set \$session_name \${{X_SESSION_NAME}};\n\
        set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
        ## Session: Memcached specific\n\
        set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
        set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
        set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
        set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
        set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
        set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
        set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
        set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
        set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
        set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
        set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
        ## Session: DHSM specific\n\
        set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
        set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
        set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
        set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
        set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
        set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
        set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
        set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
        set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
        set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
        ## Session: SHM Specific\n\
        set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
        set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
        set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
        set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
        set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
        set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
        set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
    " "$TPL" \
    # Patch kong_defaults.lua to add custom variables that are replaced dynamically in the template above when kong is started
    # x_session_secret value = some_base64_string
    && TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua \
    && sed -i "/\]\]/i\ \n\
        x_session_storage = cookie\n\
        x_session_name = oidc_session\n\
        x_session_compressor = 'none'\n\
        x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\
        \n\
        x_session_memcache_prefix = oidc_sessions\n\
        x_session_memcache_connect_timeout = '1000'\n\
        x_session_memcache_send_timeout = '1000'\n\
        x_session_memcache_read_timeout = '1000'\n\
        x_session_memcache_host = memcached\n\
        x_session_memcache_port = '11211'\n\
        x_session_memcache_uselocking = 'off'\n\
        x_session_memcache_spinlockwait = '150'\n\
        x_session_memcache_maxlockwait = '30'\n\
        x_session_memcache_pool_timeout = '1000'\n\
        x_session_memcache_pool_size = '10'\n\
        \n\
        x_session_dshm_region = oidc_sessions\n\
        x_session_dshm_connect_timeout = '1000'\n\
        x_session_dshm_send_timeout = '1000'\n\
        x_session_dshm_read_timeout = '1000'\n\
        x_session_dshm_host = hazelcast\n\
        x_session_dshm_port = '4321'\n\
        x_session_dshm_pool_name = oidc_sessions\n\
        x_session_dshm_pool_timeout = '1000'\n\
        x_session_dshm_pool_size = '10'\n\
        x_session_dshm_pool_backlog = '10'\n\
        \n\
        x_session_shm_store_size = 5m\n\
        x_session_shm_store = oidc_sessions\n\
        x_session_shm_uselocking = off\n\
        x_session_shm_lock_exptime = '30'\n\
        x_session_shm_lock_timeout = '5'\n\
        x_session_shm_lock_step = '0.001'\n\
        x_session_shm_lock_ratio = '2'\n\
        x_session_shm_lock_max_step = '0.5'\n\
        \n\
        x_oidc_cache_discovery_size = 128k\n\
        x_oidc_cache_jwks_size = 128k\n\
        x_oidc_cache_introspection_size = 128k\n\
        \n\
    " "$TPL" \
    ## Cleanup
    && rm -fr *.rock* \
    && apk del .build-dependencies 2>/dev/null \
    ## Create kong and working directory (https://github.com/Kong/kong/issues/2690)
    && mkdir -p /usr/local/kong \
    && chown -R kong:`id -gn kong` /usr/local/kong

USER kong
```
Build this image via `docker build -t kong-dbless .`

Now I run this with a simple yml for Kubernetes:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong
  labels:
    app: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kong
  template:
    metadata:
      labels:
        app: kong
    spec:
      containers:
      - name: kong
        image: kong-dbless:latest
        imagePullPolicy: Never
        ports:
        - containerPort: 8000
        - containerPort: 8001
        - containerPort: 8443
        - containerPort: 8444
        env:
        - name: KONG_DATABASE
          value: "off"
        - name: KONG_DECLARATIVE_CONFIG
          value: kong.yml
        - name: KONG_PLUGINS
          value: "bundled,oidc"
        - name: KONG_X_SESSION_SECRET
          value: c29tZV9iYXNlNjRfc3RyaW5n
        - name: KONG_X_SESSION_NAME
          value: oidc_session
---
# Service
apiVersion: v1
kind: Service
metadata:
  name: kong-service
spec:
  selector:
    app: kong
  ports:
  - protocol: TCP
    port: 8000
    targetPort: 8000
    name: publicapi
  - protocol: TCP
    port: 8001
    targetPort: 8001
    name: adminapi
  - protocol: TCP
    port: 8443
    targetPort: 8443
    name: securepublicapi
  - protocol: TCP
    port: 8444
    targetPort: 8444
    name: secureadminapi
```
Logs give me:

```text
2021/08/18 15:02:56 [warn] 1#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/kong/nginx.conf:6
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/kong/nginx.conf:6
2021/08/18 15:02:57 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:525: error parsing declarative config file kong.yml:
in 'services':
  - in entry 1 of 'services':
    in 'plugins':
      - in entry 1 of 'plugins':
        in 'config':
          in 'access_token_header_as_bearer': unknown field
stack traceback:
        [C]: in function 'error'
        /usr/local/share/lua/5.1/kong/init.lua:525: in function 'init'
        init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:525: error parsing declarative config file kong.yml:
in 'services':
  - in entry 1 of 'services':
    in 'plugins':
      - in entry 1 of 'plugins':
        in 'config':
          in 'access_token_header_as_bearer': unknown field
stack traceback:
        [C]: in function 'error'
        /usr/local/share/lua/5.1/kong/init.lua:525: in function 'init'
        init_by_lua:3: in main chunk
```

Which, based on this, seems to me to indicate that the plugin is not installed.
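The `x_session_secret` baked into kong_defaults.lua by the Dockerfile above is base64 for the literal text some_base64_string, so the bytes that `set_decode_base64` hands to the session layer are short, low-entropy and human-readable, and the same value is then repeated in clear in the Deployment's `KONG_X_SESSION_SECRET`. The following is an added example, written for this page and not code from the issue, from kong-oidc or from lua-resty-session: it checks a base64 session secret before it is put into `KONG_X_SESSION_SECRET` (strict base64, at least 32 decoded bytes, not printable text) and shows how to mint a replacement from the OS CSPRNG. The 32-byte floor and the printable-text heuristic are this example's own assumptions, not requirements stated by the project.

```python
import base64
import binascii
import secrets
import string

# Minimum number of raw (decoded) bytes accepted for a session-signing secret.
# 32 bytes (256 bits) is a common floor for HMAC-style keys; the threshold is
# this example's choice, not a value taken from kong-oidc or lua-resty-session.
MIN_SECRET_BYTES = 32

# Constructed sample: the value hard-coded into kong_defaults.lua in the issue's
# Dockerfile. It is base64 for the ASCII text "some_base64_string".
ISSUE_SECRET_B64 = "c29tZV9iYXNlNjRfc3RyaW5n"


def decode_session_secret(b64_value):
    """Decode the secret the way set_decode_base64 would, but strictly.

    Returns the raw bytes, or None if the value is not valid base64 (a value
    with stray characters would silently yield unintended key bytes).
    """
    try:
        return base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError):
        return None


def assess_session_secret(b64_value, min_bytes=MIN_SECRET_BYTES):
    """Return (ok, reasons) for a base64-encoded session secret.

    A healthy secret decodes cleanly, is at least min_bytes long, and does not
    look like human-readable text: random key material is almost never made
    up entirely of printable ASCII, so an all-printable value is a strong hint
    that someone base64-encoded a placeholder or passphrase.
    """
    reasons = []
    raw = decode_session_secret(b64_value)
    if raw is None:
        return False, ["value is not valid base64; set_decode_base64 would not yield the intended bytes"]
    if len(raw) < min_bytes:
        reasons.append(f"decoded secret is {len(raw)} bytes, need at least {min_bytes}")
    printable = set(string.printable.encode("ascii"))
    if all(b in printable for b in raw):
        reasons.append("decoded secret is printable text; looks like a placeholder or passphrase, not random key material")
    return (not reasons), reasons


def generate_session_secret(nbytes=MIN_SECRET_BYTES):
    """Produce a fresh base64 secret from the OS CSPRNG, ready for KONG_X_SESSION_SECRET."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    ok, reasons = assess_session_secret(ISSUE_SECRET_B64)
    print("issue value ok:", ok)
    for reason in reasons:
        print("  -", reason)
    fresh = generate_session_secret()
    print("generated:", fresh, "ok:", assess_session_secret(fresh)[0])
```

Run against the issue's value this reports two findings (18 decoded bytes, all printable); a generated value passes. Whatever value is chosen, it belongs in a Kubernetes Secret referenced by the Deployment rather than in the Dockerfile's `kong_defaults.lua` patch, where it ends up in every image layer and build log.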
Try removing this field, `access_token_header_as_bearer`, from the oidc plugin config; it should work with the default value.
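Kong reports a declarative-config schema failure as the nested `in '...'` trace shown in the log above, and the innermost field it names is the one to remove or to compare against the plugin version actually installed in the image. The following added example (written for this page, not code from the issue or from Kong) parses that trace into a dotted path with 0-based indices and looks the path up in a dict standing in for the parsed kong.yml, so the offending value can be located without reading the YAML by hand. The log text and the config dict are constructed samples mirroring the issue's data; the line format is the one visible in the trace, not a documented Kong interface.

```python
import re

# Constructed sample: the error Kong 2.5 writes when a DB-less declarative
# config fails schema validation, with the same nesting as the trace in the issue.
SAMPLE_LOG = """\
2021/08/18 15:02:57 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:525: error parsing declarative config file kong.yml:
in 'services':
  - in entry 1 of 'services':
    in 'plugins':
      - in entry 1 of 'plugins':
        in 'config':
          in 'access_token_header_as_bearer': unknown field
stack traceback:
        [C]: in function 'error'
"""

# Constructed dict mirroring the relevant part of the issue's kong.yml
# (what a YAML loader would return for it).
SAMPLE_CONFIG = {
    "_format_version": "1.1",
    "services": [
        {
            "name": "echoserver",
            "plugins": [
                {
                    "name": "oidc",
                    "config": {
                        "access_token_header_as_bearer": "no",
                        "bearer_only": "yes",
                        "ssl_verify": "no",
                    },
                }
            ],
        }
    ],
}

HEADER_RE = re.compile(r"error parsing declarative config file (\S+):")
KEY_RE = re.compile(r"^\s*in '([^']+)':\s*(.*)$")
ENTRY_RE = re.compile(r"^\s*- in entry (\d+) of '([^']+)':\s*$")


def parse_declarative_error(log_text):
    """Turn Kong's nested 'in ...' trace into (file_name, path, message).

    path is a list of (key, index) pairs; index is 0-based (Kong prints
    1-based entry numbers) or None when the key is not an array element.
    message is the text after the innermost field, e.g. 'unknown field'.
    """
    file_name, path, message = None, [], None
    in_trace = False
    for line in log_text.splitlines():
        if not in_trace:
            m = HEADER_RE.search(line)
            if m:
                file_name, in_trace = m.group(1), True
            continue
        if line.startswith("stack traceback"):
            break
        m = ENTRY_RE.match(line)
        if m and path and path[-1][0] == m.group(2):
            # "- in entry N of 'key'" refines the key pushed on the previous line.
            path[-1] = (m.group(2), int(m.group(1)) - 1)
            continue
        m = KEY_RE.match(line)
        if m:
            path.append((m.group(1), None))
            if m.group(2):
                message = m.group(2)
    return file_name, path, message


def path_to_string(path):
    """Render [('services', 0), ('config', None)] as services[0].config."""
    return ".".join(key if idx is None else f"{key}[{idx}]" for key, idx in path)


def resolve(config, path):
    """Walk the parsed config along path; returns (found, value)."""
    node = config
    for key, index in path:
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
        if index is not None:
            if not isinstance(node, list) or index >= len(node):
                return False, None
            node = node[index]
    return True, node


if __name__ == "__main__":
    file_name, path, message = parse_declarative_error(SAMPLE_LOG)
    found, value = resolve(SAMPLE_CONFIG, path)
    print(f"{file_name}: {path_to_string(path)} -> {message} (value in file: {value!r})")
```

For the sample trace this yields `kong.yml: services[0].plugins[0].config.access_token_header_as_bearer -> unknown field (value in file: 'no')`. An "unknown field" at a path that does exist in the file means the file is fine syntactically and the installed plugin's schema simply has no such option, which points at a version mismatch between the config and the plugin rather than at the YAML itself.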
I just added `COPY kong.yml /` after the environment packages section, i.e.

```dockerfile
ENV PACKAGES="openssl-devel kernel-headers gcc git openssh" \
    LUA_BASE_DIR="/usr/local/share/lua/5.1" \
    KONG_OIDC_VER="1.2.3-2" \
    LUA_RESTY_OIDC_VER="1.7.4-1" \
    KONG_PLUGIN_SESSION_VER="2.4.5" \
    NGX_DISTRIBUTED_SHM_VER="1.0.2"

COPY kong.yml /
```
Glad you sorted it out. Normally there is no need (I think) to copy the file; rather, either mount it at container runtime or, better yet, load it via the Admin API.