Kong Ingress Controller: Failed parsing resource errors, dataplane-synchronizer could not update kong admin


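Even though I have already solved this problem, I am writing this post because I think it might help someone out there, since I couldn't find the cause or a solution anywhere.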


I am learning Kong authentication strategies, in particular through these plugins:

However, I have been stuck for almost an hour on an "error" that I couldn't identify or resolve. From the kong controller logs (kubectl logs -n kong -f <kong_controller_pod_name>):

[...]
2023-11-22T15:09:42Z    error   Failed parsing resource errors  {"url": "https://10.244.0.125:8444", "update_strategy": "InMemory", "error": "could not unmarshal config error: json: cannot unmarshal object into Go struct field ConfigError.flattened_errors of type []sendconfig.FlatEntityError"}
2023-11-22T15:09:42Z    error   dataplane-synchronizer  Could not update kong admin     {"error": "performing update for https://10.244.0.125:8444 failed: failed posting new config to /config: got status code 400"}

This error is thrown every 3 seconds.

Setup

Kong Ingress Controller is running on minikube:

minikube start --driver=docker
minikube tunnel # running in another terminal

Then follow the steps in Get Started: Install KIC.

Configuration files

Secrets

File secrets.yaml:

# JWT Credential for Admin
apiVersion: v1
kind: Secret
metadata:
  name: jwt-admin-secret
  labels:
    konghq.com/credential: jwt
type: Opaque
stringData:
  key: admin-issuer
  algorithm: RS256
  secret: empty     # dummy field with arbitrary value, otherwise it throws an error
  rsa_public_key: |
    -----BEGIN PUBLIC KEY-----
    [...]
    -----END PUBLIC KEY-----
---
# JWT Credential for User
apiVersion: v1
kind: Secret
metadata:
  name: jwt-user-secret
  labels:
    konghq.com/credential: jwt
type: Opaque
stringData:
  key: user-issuer
  algorithm: RS256
  secret: empty     # dummy field with arbitrary value, otherwise it throws an error
  rsa_public_key: |
    -----BEGIN PUBLIC KEY-----
    [...]
    -----END PUBLIC KEY-----
---
# Basic auth for a generic user
apiVersion: v1
kind: Secret
metadata:
  name: user-generic-secret
  labels:
    konghq.com/credential: basic-auth
type: Opaque
stringData:
  username: user
  password: password
---
# Key auth for a generic API key
apiVersion: v1
kind: Secret
metadata:
  name: key-generic-secret
  labels:
    konghq.com/credential: key-auth
type: Opaque
stringData:
  key: key

Consumers

File consumers.yaml:

# Consumer for Admin JWT token
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: admin
 annotations:
   kubernetes.io/ingress.class: kong
username: admin
credentials:
- jwt-admin-secret      # references Kubernetes secret
---
# Consumer for User JWT token
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: user
 annotations:
   kubernetes.io/ingress.class: kong
username: user
credentials:
- jwt-user-secret       # references Kubernetes secret
---
# Consumer for generic basic auth user
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: generic-basic-auth-consumer
 annotations:
   kubernetes.io/ingress.class: kong
username: user
credentials:
- user-generic-secret   # references Kubernetes secret
---
# Consumer for generic key auth
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: user-api-key-consumer
 annotations:
   kubernetes.io/ingress.class: kong
username: user-key-auth
credentials:
- key-generic-secret    # references Kubernetes secret
---
# Consumer for anonymous user
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: anonymous-consumer
 annotations:
   kubernetes.io/ingress.class: kong
   konghq.com/plugins: 'request-termination-anonymous'
username: anonymous

Plugins

File plugins.yaml:

# JWT authentication
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-auth-foobar
plugin: jwt
config:
  anonymous: anonymous    # references a Consumer username
---
# Basic authentication
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: basic-auth-foobar
plugin: basic-auth
config:
  anonymous: anonymous    # references a Consumer username
  hide_credentials: true
---
# Key authentication
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: key-auth-foobar
plugin: key-auth
config:
  key_names:
    - apikey
  anonymous: anonymous    # references a Consumer username
  hide_credentials: true
---
# Request termination: when the authentication fails
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: request-termination-anonymous
plugin: request-termination
config:
  message: "Authentication required"
  status_code: 401

Services

File services.yaml:

# Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: foobar
  name: foobar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: foobar
  strategy: {}
  template:
    metadata:
      labels:
        app: foobar
    spec:
      containers:
        - image: mikyll/foobar:latest
          name: foobar
          ports:
            - containerPort: 3000
---
# Service
apiVersion: v1
kind: Service
metadata:
  labels:
    app: foobar-service
  name: foobar-service
spec:
  ports:
    - port: 3000
      name: http
      protocol: TCP
      targetPort: 3000
  selector:
    app: foobar
---
# Route /foobar/test/auth/key
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: foobar-route-test-keyauth
  annotations:
    konghq.com/strip-path: 'true'
    konghq.com/plugins: 'key-auth-foobar'
spec:
  parentRefs:
  - name: kong
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /foobar/test/auth/key
    backendRefs:
    - name: foobar-service
      kind: Service
      port: 3000

---
# Route /foobar/test/auth/basic
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: foobar-route-test-basicauth
  annotations:
    konghq.com/strip-path: 'true'
    konghq.com/plugins: 'basic-auth-foobar'
spec:
  parentRefs:
  - name: kong
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /foobar/test/auth/basic
    backendRefs:
    - name: foobar-service
      kind: Service
      port: 3000

---
# Route /foobar/test/auth/jwt
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: foobar-route-test-jwtauth
  annotations:
    konghq.com/strip-path: 'true'
    konghq.com/plugins: 'jwt-auth-foobar'
spec:
  parentRefs:
  - name: kong
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /foobar/test/auth/jwt
    backendRefs:
    - name: foobar-service
      kind: Service
      port: 3000

Applied with:

cat secrets.yaml | kubectl apply -f -
cat consumers.yaml | kubectl apply -f -
cat plugins.yaml | kubectl apply -f -
cat services.yaml | kubectl apply -f -


authentication kubernetes api-gateway kong
1 Answer

0 votes

# Consumer for User JWT token
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: user
 annotations:
   kubernetes.io/ingress.class: kong
username: user          # <-- HERE
credentials:
- jwt-user-secret
---
# Consumer for generic basic auth user
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: generic-basic-auth-consumer
 annotations:
   kubernetes.io/ingress.class: kong
username: user          # <-- HERE
credentials:
- user-generic-secret

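The configuration failed because both have the same username "user", and apparently this is not allowed. So changing one of them solved the problem.

Solution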

New file consumers.yaml:

# Consumer for Admin JWT token
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: admin
 annotations:
   kubernetes.io/ingress.class: kong
username: admin
credentials:
- jwt-admin-secret      # references Kubernetes secret
---
# Consumer for User JWT token
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: user
 annotations:
   kubernetes.io/ingress.class: kong
username: user
credentials:
- jwt-user-secret       # references Kubernetes secret
---
# Consumer for generic basic auth user
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: generic-basic-auth-consumer
 annotations:
   kubernetes.io/ingress.class: kong
username: generic
credentials:
- user-generic-secret   # references Kubernetes secret
---
# Consumer for generic key auth
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: user-api-key-consumer
 annotations:
   kubernetes.io/ingress.class: kong
username: user-key-auth
credentials:
- key-generic-secret    # references Kubernetes secret
---
# Consumer for anonymous user
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
 name: anonymous-consumer
 annotations:
   kubernetes.io/ingress.class: kong
   konghq.com/plugins: 'request-termination-anonymous'
username: anonymous
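
A pre-apply check for the collision described in this answer, as an added example that is not part of the original post: it scans manifests for KongConsumer documents that share a `username`, so the duplicate is caught before the controller starts rejecting the whole config with a 400. `dup_consumer_usernames` and `sample_consumers` are hypothetical names, the sample manifests are constructed, and the scan assumes top-level `kind:`/`username:` keys and `---` separators as in the files above.

```shell
#!/bin/sh
# Added example (not from the original post): lint KongConsumer manifests
# for duplicate usernames before `kubectl apply`.
# Assumptions: `kind:`, `username:` and `metadata:` are top-level keys with
# unquoted values and documents are separated by `---`, as in the files on
# this page. This is a line scan, not a full YAML parser.

# Prints one line per duplicated username: "<username>: <resource names>"
dup_consumer_usernames() {
  awk '
    function flush() {
      if (kind == "KongConsumer" && user != "") {
        count[user]++
        owners[user] = owners[user] " " name
      }
      kind = ""; user = ""; name = ""; in_meta = 0
    }
    /^---[ \t]*$/ { flush(); next }
    /^metadata:/  { in_meta = 1; next }
    /^kind:/      { kind = $2 }
    /^username:/  { user = $2 }
    /^[^ \t#]/    { in_meta = 0 }   # any other top-level key ends metadata
    in_meta && name == "" && /^[ \t]+name:/ { name = $2 }
    END {
      flush()
      for (u in count)
        if (count[u] > 1) printf "%s:%s\n", u, owners[u]
    }
  ' "$@"
}

# Constructed sample: two consumers from the page; $1 is the username given
# to the basic-auth consumer ("user" reproduces the collision).
sample_consumers() {
  cat <<EOF
kind: KongConsumer
metadata:
 name: user
username: user
---
kind: KongConsumer
metadata:
 name: generic-basic-auth-consumer
username: $1
EOF
}

sample_consumers user | dup_consumer_usernames
```

Run it as `dup_consumer_usernames consumers.yaml` and treat any output as a failed check.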
