kong-init
kong-init copied to clipboard
liyuntao
Add Headers to all Admin API requests
Hello!, It's me again hehe.
I was wondering, does this tool has an option to add headers on args like kongfig?, we use this for Authorization headers, like this for example:
kongfig apply --https --path myconfig.yml --header "Authorization: Basic ${USER_PASSWORD}" --header "Kong-Admin-Token: ${USER_TOKEN}"
Do you mean to use such feature in a certain scene which kong-admin-api endpoint is secured by basic auth?
If so, it's pretty easy to add header when kong-init requesting the kong-admin-api endpoint.
Do you mean to use such feature in a certain scene which kong-admin-api endpoint is secured by basic auth?
If so, it's pretty easy to add header when kong-init requesting the kong-admin-api endpoint.
Yes, I don't know if there is another use case to require the use of headers, but at least this one requires those headers.
I'm implementing a quick&dirty solution for this using reqwest 0.9.2 and string headers, but I'm not versed on Rust, so I don't see this solution fit for a PR.
support for custom header has been added in the latest master branch. (It took a long time for the migration work from reqwest 0.8 -> 0.9)
I'll trigger a release version after complete test.
Hello!
Is there any update on the new release?, I'm sticking with my fork meanwhile, but I was wondering if your version with --header args is suitable for use or not.
I was going to try it anyway, but wanted your comments on this.
Thanks!
@arthmoeros I need some more detailed information. About how do you protect the admin-api? I just did some testing about header args feature. It works, but currently kong-init choose to clear all existed plugin/routes/services before doing initialization. So it doesn't fit the loopback api with key-auth/basic-auth plugin added to simply verify this feature.
verify detail:
# under kong 0.14.X
# following https://docs.konghq.com/0.14.x/secure-admin-api/#kong-api-loopback
# 1. add loopback service
curl -X POST http://localhost:8001/services \
--data name=admin-api \
--data host=localhost \
--data port=8001
# 2. add loopback route
curl -X POST http://localhost:8001/services/admin-api/routes \
--data paths[]=/admin-api
# 3. add basic-auth plugin to route (using konga, ignore the step)
# 4. create a consumer
curl -d "username=user123&custom_id=user123" http://localhost:8001/consumers/
# 5. create a credential
curl -X POST http://localhost:8001/consumers/user123/basic-auth \
--data "username=Aladdin" \
--data "password=OpenSesame"
# 6. comment the clearing logic and rebuild kong-init
fn clear_before_init(context: &ExecutionContext) {
info!("clear_before_init");
// context.kong_cli.delete_all_plugins();
// context.kong_cli.delete_all_routes();
// context.kong_cli.delete_all_services();
}
# 7. verify using url with basic-auth plugin protected
RUST_LOG=kong_init=debug ./target/debug/kong-init --path ./example/kong14.v2.yaml --url http://localhost:8000/admin-api --header 'Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l'
conclusion in short
- The feature(header args) is ok.
- Kong-init does not fit the loopback api way in practice(because of clear step) currently.
- Maybe we need discussion and design to solve such sence.
Let me check with the guys that made the jenkins pipeline that install our kong ee stack.
Because the admin api protection is done there, I just use kong-init to setup the routes, services and consumers, but the admin api protection is already setup.