
I am trying to use key-auth and acl plugins of kong in a db-less declarative manner.

In kong.yml I have:

_format_version: "2.1"
_transform: true

services:
  - name: gamma-live
    host: gamma
    port: 8000
    protocol: http
    path: /live
    plugins:
      - name: key-auth
        config:
          key_names:
            - kong-key-auth
          key_in_body: false
          key_in_header: true
          key_in_query: false
          hide_credentials: true
          run_on_preflight: true
      - name: acl
        config:
          allow:
            - group1

    routes:
      - name: gamma-live
        methods:
          - GET
        paths:
          - /gamma/live
        strip_path: true

consumers:
  - username: mars
    keyauth_credentials:
      - key: mars-key
  - username: zeus
    keyauth_credentials:
      - key: zeus-key

acls:
  - consumer: mars
    group: group1

As you see, I have two consumers: mars and zeus.

And their credentials are mars-key and zeus-key.

And I use git version control, so I push it to the remote repository, which I want to avoid!

How should I do this?

Note that I run the gamma service and kong each on a docker container of its own.

Amin Ba

1 Answer


There are several ways to do this:

You can use a secret manager (the best is Vault by HashiCorp).

You can use, for your case, Docker secrets (cf. https://docs.docker.com/engine/swarm/secrets/#:~:text=About%20secrets,in%20your%20application's%20source%20code. )

I recommend you begin using Kubernetes (a container orchestrator, the best, but you must know it) to deploy your containers, and you could then use Kubernetes secrets, which are unfortunately natively encoded in base64, but there are a lot of ways to connect them to Vault (to make k8s fetch the secret from Vault, cf. vault-injector) or use things like kubeseal etc.

However, every enterprise should use Vault by HashiCorp (or something equivalent, but again Vault has a very large number of implementation plugins).

Just follow this link to know how to integrate vault with Kong: https://tech.aufomm.com/how-to-use-kong-vault-authentication-plugin/

Bguess
  • I know about vault and docker secrets but how to use them in kong declarative yml file? – Amin Ba May 09 '22 at 11:49
  • https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/backends/hashicorp-vault/ ?? – Bguess May 09 '22 at 13:13
  • It is not possible to be used in declarative mode, is it? – Amin Ba May 09 '22 at 13:21
  • Oh yes sorry, check this link https://docs.konghq.com/hub/kong-inc/vault-auth/ – Bguess May 09 '22 at 13:36
  • still not relevant. The question is how to avoid storing `mars-key` and `zeus-key` in kong.yml file – Amin Ba May 09 '22 at 13:41
  • https://tech.aufomm.com/how-to-use-kong-vault-authentication-plugin/ vaults: - host: vault_token: mount: protocol: http name: port: 8200 id: E1B0164F-E80E-4373-9880-60B0C2C515DF – Bguess May 09 '22 at 13:55
  • suppose I have this plugin and I have a key in vault named `MARS-AUTH_KEY` . Then how do I use it instead of the current credential hardcoded in the kong.yml file? – Amin Ba May 09 '22 at 14:06
  • Did you get to the bottom of this @AminBa? I am struggling with the same, and with the latest version of Kong I thought this would work: - keyauth_credentials: - key: {vault://env/key_stored_in_environment_var} username: username According to this: https://docs.konghq.com/gateway/2.8.x/plan-and-deploy/security/secrets-management/backends/env/ But no luck yet. – illug Aug 18 '22 at 11:14
  • @illug yes I did. I used envsubst in the entry point to replace variables with values – Amin Ba Aug 18 '22 at 11:57
  • Thanks, @AminBa. Could you elaborate? How do you reference the variables in the kong.yaml? – illug Aug 18 '22 at 12:12
  • In the YAML file you simply put the variable name, like MY_VAR. You have to replace MY_VAR with your secret before Kong starts. You have to do this in the docker-entrypoint.sh file using envsubst from gettext in Linux – Amin Ba Aug 18 '22 at 12:25
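
The envsubst approach from the comments above, written out as an added example (this is not code from the question, the answer, or Kong itself). It assumes a committed template `kong.yml.tpl` that carries only `${MARS_KEY}` / `${ZEUS_KEY}` placeholders, an entry-point script that renders the real `kong.yml` at container start from environment variables (which can be populated from Docker secrets or Vault), and the constructed demo key values shown inline. The file names, variable names and helper function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: render kong.yml from a committed template at container start.
# The committed file (kong.yml.tpl) holds only placeholders such as ${MARS_KEY};
# the live keys arrive as environment variables, and the rendered kong.yml is
# written outside the repository. Names and demo keys below are constructed.
set -eu

# Only these variables are substituted, so any other '$' in the template is
# left untouched. envsubst (from gettext) is used when installed; otherwise a
# sed fallback handles the same two placeholders.
SECRET_VARS='${MARS_KEY} ${ZEUS_KEY}'

render_kong_config() {
  template="$1"
  output="$2"
  # Fail fast instead of silently rendering an empty credential.
  : "${MARS_KEY:?MARS_KEY must be set}"
  : "${ZEUS_KEY:?ZEUS_KEY must be set}"
  if command -v envsubst >/dev/null 2>&1; then
    envsubst "$SECRET_VARS" < "$template" > "$output"
  else
    sed -e "s|[$]{MARS_KEY}|$MARS_KEY|g" \
        -e "s|[$]{ZEUS_KEY}|$ZEUS_KEY|g" "$template" > "$output"
  fi
  chmod 600 "$output"   # the rendered file now contains live credentials
}

# Returns 0 when no ${NAME} placeholder survived rendering (a leftover one
# would become a literal, broken credential in Kong).
no_unresolved_placeholders() {
  ! grep -q '\${[A-Za-z_][A-Za-z0-9_]*}' "$1"
}

# Returns 0 when the committed template does not contain the given secret
# value, which is exactly the property the question asks for.
template_has_no_secret() {
  ! grep -q -- "$2" "$1"
}

# --- demo with a constructed template -------------------------------------
WORK=$(mktemp -d)
TEMPLATE="$WORK/kong.yml.tpl"
RENDERED="$WORK/kong.yml"

cat > "$TEMPLATE" <<'EOF'
_format_version: "2.1"
consumers:
  - username: mars
    keyauth_credentials:
      - key: ${MARS_KEY}
  - username: zeus
    keyauth_credentials:
      - key: ${ZEUS_KEY}
EOF

# Constructed demo secrets; in a real deployment these come from Docker
# secrets or Vault, never from a file in the repository.
export MARS_KEY='demo-mars-key-123'
export ZEUS_KEY='demo-zeus-key-456'

render_kong_config "$TEMPLATE" "$RENDERED"
no_unresolved_placeholders "$RENDERED"
template_has_no_secret "$TEMPLATE" "$MARS_KEY"
echo "rendered config written to $RENDERED"
```

In a real entry point the last lines would be followed by `exec kong start` (or the image's own entry point) with `KONG_DECLARATIVE_CONFIG` pointing at the rendered file, and `kong.yml` itself belongs in `.gitignore` so only the template is ever committed. Passing an explicit variable list to envsubst matters: without it, envsubst expands every `$NAME` it finds, so an unrelated `$` in the template could be silently rewritten.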