Comments (4)
cc @rainest
from charts.
At present I can think of two options:
- Simply remove portal_session_conf and portal_auth from values.yaml altogether. This somewhat breaks compatibility with 0.35, but it's possible to work around that. We'll want to continue support for the existing settings for a while, but will no longer require them.
- Instruct OIDC users to create a dummy session configuration.
@hbagdi I'm in favor of the first option, as I don't think we have that many 0.35 users still. Assuming I don't find other complications when testing this, do you think the workaround for 0.35 users below is reasonable?
Strictly speaking, the session plugin should at worst conflict with OIDC if they try to use the same cookie, which can only occur for Manager. The Portal code explicitly disables the session plugin configuration when using OIDC.
When 0.35 originally introduced session-based authentication, it only allowed a single `portal_session_conf` for all workspaces. This is broken for a variety of reasons, but most importantly for this, it means that 0.35 cannot use `basic-auth` or `key-auth` for the Portal without configuring `portal_session_conf` in kong.conf or equivalents. If we remove the dedicated values.yaml setting and associated secret check, 0.35 users will need to add it under `env`.
0.36 fixed this and allowed per-workspace Portal session configuration. If we remove the dedicated setting, users enabling a Portal with `basic-auth` will need to manually add a custom session configuration in Manager, though they should arguably do this anyway. Ideally, we should add quality of life improvements that handle this automatically for users, but that's outside of the chart.
At least as of 1.3, Kong will not start if `portal_auth` is explicitly set to `basic-auth` and `portal_session_conf` is not set, but if `portal_auth` isn't set, it bypasses this check while still using "Basic Authentication" as the default auth setting in per-workspace configuration. I'm not sure if there are versions that default to disabling authentication; will have to check.
from charts.
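The 0.35 workaround described in the comment above, as an added example that is not part of the original thread or the chart's own documentation: both options are set through the chart's `env` map, and the session configuration is read from a Kubernetes Secret so the cookie secret stays out of values.yaml. The Secret name and key are hypothetical, the JSON value is constructed, and the example assumes the chart passes `valueFrom` entries under `env` through to the container spec.

```yaml
# values.yaml fragment (added example, not from the thread)
env:
  # Rendered as KONG_PORTAL_AUTH. Per the comment above, setting this
  # explicitly to basic-auth without portal_session_conf stops Kong from
  # starting (at least as of 1.3), so the two settings are kept together.
  portal_auth: basic-auth
  # Rendered as KONG_PORTAL_SESSION_CONF. Read from a Secret instead of
  # being inlined, because the JSON carries the cookie signing secret.
  portal_session_conf:
    valueFrom:
      secretKeyRef:
        name: kong-portal-session-conf   # hypothetical Secret name
        key: portal_session_conf         # hypothetical key
---
# Separate manifest, applied before the chart (constructed sample values)
apiVersion: v1
kind: Secret
metadata:
  name: kong-portal-session-conf          # hypothetical, matches the ref above
type: Opaque
stringData:
  # Replace <random-secret> with a long random value generated per deployment.
  portal_session_conf: '{"cookie_name":"portal_session","secret":"<random-secret>","storage":"kong"}'
```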
Simply remove portal_session_conf and portal_auth from values.yaml altogether. This somewhat breaks compatibility with 0.35, but it's possible to work around that. We'll want to continue support for the existing settings for a while, but will no longer require them.
As long as we can work around the breaking change and provide compatibility, we can put in this change.
It is unfortunate that there is so much change that happens at this layer in the configuration. Whatever solution you end up picking, keep your assumptions about behaviors of how various settings interact with each other to a minimum; those details change too frequently to correctly assume anything.
from charts.
Version 1.3.0 of the Kong chart is now released, resolving this issue.
from charts.