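├── .gitignore ├── Dockerfile ├── LICENSE ├── README.md ├── build.sh ├── common.sh ├── push-to-registries.sh ├── run.sh ├── test.sh └── test ├── docker-compose ├── .env ├── POSTGRES_PASSWORD ├── README.md ├── docker-compose.yml └── test.sh └── kong.yml
/.gitignore:
--------------------------------------------------------------------------------
1 | env.sh
2 | 
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM kong/kong:3.4.0

# Plugin rocks are built as root; the image drops back to the unprivileged
# `kong` user at the very end of this file.
USER root

LABEL authors="Cristian Chiru "

# DEV_PACKAGES are needed only to compile the rocks and are purged again in the
# cleanup step below. All upstream components are pinned to an explicit tag or
# version so the build is reproducible; bump the values here to upgrade.
ENV DEV_PACKAGES="libssl-dev make gcc git curl unzip" \
    LUA_BASE_DIR="/usr/local/share/lua/5.1" \
    KONG_PLUGIN_OIDC_VER="1.4.0-1" \
    KONG_PLUGIN_COOKIES_TO_HEADERS_VER="1.2.0-1" \
    LUA_RESTY_OIDC_VER="1.7.6-3" \
    NGX_DISTRIBUTED_SHM_VER="1.0.8"

# Single RUN layer so the build tooling never lands in the final image.
# NOTE(review): the downloads below are pinned by tag/version but are not
# verified against a checksum; pinning a digest for dshm.lua and the two
# rockspecs would harden the build against a tampered upstream.
RUN set -ex \
    && apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y $DEV_PACKAGES \
    ## Install plugins
    # Download ngx-distributed-shm dshm library.
    # curl -f: fail on an HTTP error instead of silently writing the error page
    # into the target file (set -e then aborts the build).
    && curl -fsSL "https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua" \
         -o "${LUA_BASE_DIR}/resty/dshm.lua" \
    # Remove current lua-resty-session
    && luarocks remove --force lua-resty-session \
    # Add Pluggable Compressors dependencies.
    # NOTE(review): these two rocks are not version-pinned, so each build takes
    # whatever luarocks.org serves at that moment.
    && luarocks install lua-ffi-zlib \
    && luarocks install penlight \
    # Build kong-oidc from forked repo because is not keeping up with lua-resty-openidc.
    # The rockspec is saved to a file and patched in place instead of going
    # through `curl | sed | tee`: without pipefail that pipeline reports only
    # tee's exit status, so a failed download would not stop the build.
    && curl -fsSL "https://raw.githubusercontent.com/revomatico/kong-oidc/v${KONG_PLUGIN_OIDC_VER}/kong-oidc.rockspec" \
         -o "kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec" \
    # Point the rockspec at the pinned tag and the pinned lua-resty-openidc version.
    && sed -i -E -e 's/(tag =)[^,]+/\1 "'v${KONG_PLUGIN_OIDC_VER}'"/' \
         -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" \
         "kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec" \
    && luarocks build "kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec" \
    # Build kong-plugin-cookies-to-headers
    && curl -fsSL "https://raw.githubusercontent.com/revomatico/kong-plugin-cookies-to-headers/${KONG_PLUGIN_COOKIES_TO_HEADERS_VER}/kong-plugin-cookies-to-headers-${KONG_PLUGIN_COOKIES_TO_HEADERS_VER}.rockspec" \
         -o "kong-plugin-cookies-to-headers-${KONG_PLUGIN_COOKIES_TO_HEADERS_VER}.rockspec" \
    && luarocks build "kong-plugin-cookies-to-headers-${KONG_PLUGIN_COOKIES_TO_HEADERS_VER}.rockspec" \
    # Patch nginx_kong.lua for kong-oidc session_secret
    && TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua \
    # May cause side effects when using another nginx under this kong, unless set to the same value
    && sed -i '/server_name kong;/a\ \n\
set \$session_secret "\${{X_SESSION_SECRET}}";\n\
' "$TPL" \
    # Patch nginx_kong.lua to set dictionaries.
    # The $log_ip map defaults to 1 (log) and lets an optional include file
    # mark individual client addresses with 0 (do not log).
    && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \n\
variables_hash_max_size 2048;\n\
lua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\n\
lua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\n\
lua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n\
> if x_session_storage == "shm" then\n\
lua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n\
> end\n\
map \$remote_addr \$log_ip {\n\
> if x_nolog_list_file then\n\
include \${{X_NOLOG_LIST_FILE}};\n\
> end\n\
default 1;\n\
}\n\
' "$TPL" \
    # Patch nginx_kong.lua to add for memcached sessions.
    # (The `## Session:` lines inside the sed text start with `#`, so the
    # Dockerfile parser strips them before the shell sees the command.)
    && sed -i "/server_name kong;/a\ \n\
## Session:
set \$session_storage \${{X_SESSION_STORAGE}};\n\
set \$session_name \${{X_SESSION_NAME}};\n\
set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
## Session: Memcached specific
set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
## Session: DHSM specific
set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
## Session: SHM Specific
set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
" "$TPL" \
    # Patch kong_defaults.lua to add custom variables that are replaced dynamically in the template above when kong is started.
    # Each x_* entry is the build-time default; README.md documents the matching
    # KONG_X_* environment variable that overrides it at runtime.
    # x_session_secret is intentionally empty here: README.md requires
    # KONG_X_SESSION_SECRET to be set on the container.
    && TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua \
    # Access log entries are written only when $log_ip is not 0 (see the map above).
    && sed -E -i "s/((admin|proxy)_access_log.+)/\1 combined if=\$log_ip/" "$TPL" \
    && sed -i "/\]\]/i\ \n\
x_session_storage = cookie\n\
x_session_name = oidc_session\n\
x_session_compressor = 'none'\n\
x_session_secret = ''\n\
\n\
x_session_memcache_prefix = oidc_sessions\n\
x_session_memcache_connect_timeout = '1000'\n\
x_session_memcache_send_timeout = '1000'\n\
x_session_memcache_read_timeout = '1000'\n\
x_session_memcache_host = memcached\n\
x_session_memcache_port = '11211'\n\
x_session_memcache_uselocking = 'off'\n\
x_session_memcache_spinlockwait = '150'\n\
x_session_memcache_maxlockwait = '30'\n\
x_session_memcache_pool_timeout = '1000'\n\
x_session_memcache_pool_size = '10'\n\
\n\
x_session_dshm_region = oidc_sessions\n\
x_session_dshm_connect_timeout = '1000'\n\
x_session_dshm_send_timeout = '1000'\n\
x_session_dshm_read_timeout = '1000'\n\
x_session_dshm_host = hazelcast\n\
x_session_dshm_port = '4321'\n\
x_session_dshm_pool_name = oidc_sessions\n\
x_session_dshm_pool_timeout = '1000'\n\
x_session_dshm_pool_size = '10'\n\
x_session_dshm_pool_backlog = '10'\n\
\n\
x_session_shm_store_size = 5m\n\
x_session_shm_store = oidc_sessions\n\
x_session_shm_uselocking = off\n\
x_session_shm_lock_exptime = '30'\n\
x_session_shm_lock_timeout = '5'\n\
x_session_shm_lock_step = '0.001'\n\
x_session_shm_lock_ratio = '2'\n\
x_session_shm_lock_max_step = '0.5'\n\
\n\
x_oidc_cache_discovery_size = 128k\n\
x_oidc_cache_jwks_size = 128k\n\
x_oidc_cache_introspection_size = 128k\n\
\n\
x_nolog_list_file =\n\
\n\
" "$TPL" \
    ## Cleanup: drop the downloaded rockspecs/rocks and the build toolchain.
    && rm -fr *.rock* \
    # && rm -f /usr/local/openresty/nginx/modules/ngx_wasm_module.so \
    && apt-get purge -y $DEV_PACKAGES \
    && apt-get autoremove -y \
    && apt-get clean \
    && rm -rf /var/lib/apt \
    ## Create kong and working directory (https://github.com/Kong/kong/issues/2690)
    && mkdir -p /usr/local/kong \
    && chown -R kong:"$(id -gn kong)" /usr/local/kong

# Run as the unprivileged kong user.
USER kong
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 | 
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 | 
7 | 1. Definitions.
8 | 
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 | 
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 | 
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 | 
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 | 
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 | 
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.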
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # docker-kong-oidc 2 | 3 | > Builds a Docker image () from base Kong + [revomatico/kong-oidc](https://github.com/revomatico/kong-oidc) plugin (based on zmartzone/lua-resty-openidc) 4 | 5 | > !! Starting with [3.2.2-1](https://github.com/revomatico/docker-kong-oidc/releases/tag/3.2.2-1) the Docker repository is also available from a personal account, because free organization repos were supposed to be removed; Docker then changed their minds on 20th of March 2023. Since I do not trust them anymore, the old repo () is still there, but I consider it deprecated. 6 | 7 | ## Notes 8 | 9 | - Overriding numeric values like ports via env vars: due to a limitation in the lua templating engine in openresty, they must be quoted twice: `KONG_X_VAR="'1234'"`. 
10 | - Dockerfile will patch `nginx_kong.lua` template at build time, to include `set $session_secret "$KONG_X_SESSION_SECRET";` 11 | - This is needed for the kong-oidc plugin to set a session secret that will later override the template string 12 | - See: 13 | - A common default session_secret must be defined by setting env `KONG_X_SESSION_SECRET` to a string 14 | - To enable the plugins, set the env variable for the container with comma separated plugin values: 15 | - `KONG_PLUGINS=bundled,oidc` 16 | - Default: `KONG_X_SESSION_NAME=oidc_session` 17 | 18 | ## Session: Cookie 19 | 20 | - This is the default, but not recommended. I would recommend **shm** for a single instance, lightweight deployment. 21 | - If you have too much information in the session (claims, etc), you may need to [increase the nginx header size](https://github.com/bungle/lua-resty-session#cookie-storage-adapter): 22 | - `KONG_NGINX_LARGE_CLIENT_HEADER_BUFFERS='4 16k'` 23 | - You can also enable [session compression](https://github.com/bungle/lua-resty-session#pluggable-compressors) to reduce cookie size: 24 | - `KONG_X_SESSION_COMPRESSOR=zlib` 25 | 26 | ## Session: Memcached 27 | 28 | > Instead of actual memcached, Hazelcast (that is Kubernetes aware), with memcache protocol enabled should be used. 29 | > See . 
30 | 31 | - Reference: 32 | - To replace the default session storage: **cookie**, set 33 | - `KONG_X_SESSION_STORAGE=memcache` 34 | - Memcached hostname is by default **memcached** (in my case installed via helm in a Kubernetes cluster) 35 | - Set `KONG_X_SESSION_MEMCACHE_HOST=mynewhost` 36 | - Alternatively, set up a DNS entry for **memcached** to be resolved from within the container 37 | - Memcached port is by default **11211**, override by setting: 38 | - `KONG_X_SESSION_MEMCACHE_PORT="'12345'"` 39 | - KONG_X_SESSION_MEMCACHE_USELOCKING, default: off 40 | - KONG_X_SESSION_MEMCACHE_SPINLOCKWAIT, default: 150 41 | - KONG_X_SESSION_MEMCACHE_MAXLOCKWAIT, default: 30 42 | - KONG_X_SESSION_MEMCACHE_POOL_TIMEOUT, default: 10 43 | - KONG_X_SESSION_MEMCACHE_POOL_SIZE, default: 10 44 | - KONG_X_SESSION_MEMCACHE_CONNECT_TIMEOUT, default 1000 (milliseconds) 45 | - KONG_X_SESSION_MEMCACHE_SEND_TIMEOUT, default 1000 (milliseconds) 46 | - KONG_X_SESSION_MEMCACHE_READ_TIMEOUT, default 1000 (milliseconds) 47 | 48 | ## Session: DSHM (Hazelcast + Vertex) 49 | 50 | > This lua-resty-session implementation depends on the [grrolland/ngx-distributed-shm](https://github.com/grrolland/ngx-distributed-shm) dshm.lua library. 51 | > Recommended: Hazelcast with memcache protocol enabled (see above). 52 | 53 | - Reference: 54 | - To replace the default session storage: **cookie**, set 55 | - `KONG_X_SESSION_STORAGE=dshm` 56 | - X_SESSION_DSHM_REGION, default: oidc_sessions 57 | - X_SESSION_DSHM_CONNECT_TIMEOUT, default: 1000 58 | - X_SESSION_DSHM_SEND_TIMEOUT, default: 1000 59 | - X_SESSION_DSHM_READ_TIMEOUT, default: 1000 60 | - X_SESSION_DSHM_HOST, default: hazelcast 61 | - X_SESSION_DSHM_PORT, default: 4321 62 | - X_SESSION_DSHM_POOL_NAME, default: oidc_sessions 63 | - X_SESSION_DSHM_POOL_TIMEOUT, default: 1000 64 | - X_SESSION_DSHM_POOL_SIZE, default: 10 65 | - X_SESSION_DSHM_POOL_BACKLOG, default: 10 66 | 67 | ## Session: SHM 68 | 69 | > Good for single instance. 
No additional software is required. 70 | 71 | - Reference: 72 | - To replace the default sesion storage: **cookie** with **shm**, set 73 | - `KONG_X_SESSION_STORAGE=shm` 74 | - KONG_X_SESSION_SHM_STORE, default: oidc_sessions 75 | - KONG_X_SESSION_SHM_STORE_SIZE, default: 5m 76 | - KONG_X_SESSION_SHM_USELOCKING, default: no 77 | - KONG_X_SESSION_SHM_LOCK_EXPTIME, default: 30 78 | - KONG_X_SESSION_SHM_LOCK_TIMEOUT, default: 5 79 | - KONG_X_SESSION_SHM_LOCK_STEP, default: 0.001 80 | - KONG_X_SESSION_SHM_LOCK_RATIO, default: 2 81 | - KONG_X_SESSION_SHM_LOCK_MAX_STEP, default: 0.5 82 | 83 | ## Exclude IPs from access_log 84 | 85 | - `KONG_X_NOLOG_LIST_FILE` could be set to a file path, e.g. `/tmp/nolog.txt` 86 | - File format is `ip 0;`. To exclude for example requests from the kubernetes probes: 87 | 88 | ``` 89 | 127.0.0.1 0; 90 | ``` 91 | 92 | ## Releases 93 | 94 | - Kong v3.4.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/master/Dockerfile) 95 | - Kong v3.3.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.3.1-1/Dockerfile) 96 | - Kong v3.3.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.3.0-1/Dockerfile) 97 | - Kong v3.2.2: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.2.2-4/Dockerfile) 98 | - Kong v3.2.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.2.1-2/Dockerfile) 99 | - Kong v3.1.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.1.1-1/Dockerfile) 100 | - Kong v3.1.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.1.0-1/Dockerfile) 101 | - Kong v3.0.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.0.1-1/Dockerfile) 102 | - Kong v3.0.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/3.0.0-6/Dockerfile) 103 | - Kong v2.8.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.8.1-1/Dockerfile) 104 | - Kong v2.8.0: 
[Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.8.0-4/Dockerfile) 105 | - Kong v2.7.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.7.1-1/Dockerfile) 106 | - Kong v2.7.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.7.0-3/Dockerfile) 107 | - Kong v2.6.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.6.0-2/Dockerfile) 108 | - Kong v2.5.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.5.1-1/Dockerfile) 109 | - Kong v2.5.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.5.0-2/Dockerfile) 110 | - Kong v2.4.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.4.1-1/Dockerfile) 111 | - Kong v2.4.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.4.0-1/Dockerfile) 112 | - Kong v2.3.2: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.3.3-2/Dockerfile) 113 | - Kong v2.3.2: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.3.2-2/Dockerfile) 114 | - Kong v2.3.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.3.0-3/Dockerfile) 115 | - Kong v2.2.1: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.2.1-3/Dockerfile) 116 | - Kong v2.1.4: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.1.4-1/Dockerfile) 117 | - Kong v2.1.0: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.1.0-1/Dockerfile) 118 | - Kong v2.0.5: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.0.5-4/Dockerfile) 119 | - Kong v2.0.4: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.0.4-1/Dockerfile) 120 | - Kong v2.0.3: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.0.3-1/Dockerfile) 121 | - Kong v2.0.2: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.0.2-1/Dockerfile) 122 | 123 | ## Release notes 124 | 125 | - 2023-09-04 [3.4.0-2] 126 | - Bump kong-oidc plugin to 
[1.4.0-1](https://github.com/revomatico/kong-oidc/releases/tag/v1.4.0-1) 127 | - 2023-08-14 [3.4.0-1] 128 | - Bump kong to 3.4.0 129 | - 2023-08-09 [3.3.1-1] 130 | - Bump kong to 3.3.1 131 | - 2023-06-13 [3.3.0-1] 132 | - Bump kong to 3.3.0 133 | - 2023-03-26 [3.2.2-4] 134 | - Introduce `KONG_X_NOLOG_LIST_FILE`, which can optionally point to a file containing a list of IPs to be excluded from access_log 135 | - 2023-03-26 [3.2.2-3] 136 | - Bump lua-resty-oidc to 1.7.6-3 and kong-plugin-oidc to 1.3.1-1. Based on , will fix 137 | - 2023-03-24 [3.2.2-2] 138 | - Quote X_SESSION_SECRET in an attempt to prevent a 500 internal error when it is not set 139 | - 2023-03-21 [3.2.2-1] 140 | - Bump kong to 3.2.2. Went back to the official kong image. 141 | - 2023-03-08 [3.2.1-2] 142 | - Bump [kong-plugin-cookies-to-headers](https://github.com/revomatico/kong-plugin-cookies-to-headers) plugin to 1.2.0-1 143 | - 2023-03-01 [3.2.1-1] 144 | - Bump kong to 3.2.1. Change in base image as 3.2.0 is not yet released in the official image. 145 | - 2023-02-24 [3.1.1-1] 146 | - Bump kong to 3.1.1 147 | - 2022-12-07 [3.1.0-1] 148 | - Bump kong to 3.1.0 149 | - 2022-12-06 [3.0.1-1] 150 | - Bump kong to 3.0.1 151 | - 2022-09-20 [3.0.0-6] 152 | - Bump kong-oidc plugin 1.3.0-3 153 | - 2022-09-20 [3.0.0-5] 154 | - Using kong-oidc plugin 1.3.0-2 that was fixed to work with Kong 3 155 | - 2022-09-17 [3.0.0-4] 156 | - Using kong-oidc plugin 1.3.0-1 that was fixed to work with Kong 3 157 | - Fixed build and basic test 158 | - 2022-09-08 [3.0.0-3] 159 | - Fix patching luarocks file 160 | - 2022-09-08 [3.0.0-2] 161 | - Bump kong-oidc plugin to 1.2.5-1 162 | - 2022-09-08 [3.0.0-1] 163 | - Bump kong to 3.0.0 164 | - 2022-04-06 [2.8.1-1] 165 | - Bump kong to 2.8.1 166 | - 2022-04-03 [2.8.0-4] 167 | - Bump kong-oidc plugin to 1.2.4-4, thank you @ruiengana! 168 | - 2022-04-01 [2.8.0-3] 169 | - Bump kong-oidc plugin to 1.2.4-3, thank you @ruiengana! 
170 | - Bump [ngx-distributed-shm](https://github.com/grrolland/ngx-distributed-shm) to 1.0.7 171 | - 2022-03-08 [2.8.0-2] 172 | - Use kong official release image as base image 173 | - 2022-03-03 [2.8.0-1]: 174 | - Bump kong to 2.8.0 175 | - 2022-02-15 [2.7.1-1]: 176 | - Bump kong to 2.7.1 177 | - Bump kong-oidc plugin to 1.2.4-2 178 | - 2022-01-25 [2.7.0-3]: 179 | - Bump kong-oidc plugin to 1.2.4-1 180 | - Bump revomatico/kong-plugin-cookies-to-headers to 1.1-1 181 | - 2022-01-07 [2.7.0-2]: 182 | - Change to [kong-plugin-cookies-to-headers](https://github.com/revomatico/kong-plugin-cookies-to-headers) 183 | - 2022-01-07 [2.7.0-1]: 184 | - Bump kong to 2.6.0 185 | - Bump lua-resty-oidc to 1.7.5-1 186 | - Add [kong-plugin-cookies-to-headers](https://github.com/pravin-raha/kong-plugin-cookies-to-headers) 187 | - 2021-10-20 [2.6.0-2]: 188 | - Fix kong-oidc plugin rockspec [referral to just master](https://github.com/revomatico/docker-kong-oidc/issues/23), breaking older Dockerfile builds. 189 | - 2021-09-28 [2.6.0-1]: 190 | - Bump kong to 2.6.0 191 | - No more removing of kong-plugin-session, as this is [moved in tree of kong repo](https://github.com/Kong/kong/blob/master/CHANGELOG.md#260) 192 | - 2021-09-08 [2.5.1-1]: 193 | - Bump kong to 2.5.1 194 | - 2021-07-14 [2.5.0-2]: 195 | - Bumped kong-oidc version to 1.2.3-2 to implement 196 | - 2021-07-14 [2.5.0-1]: 197 | - Bump kong to 2.5.0 198 | - 2021-05-13 [2.4.1-1]: 199 | - Bump kong to 2.4.1 200 | - 2021-04-14 [2.4.0-1]: 201 | - Bump kong to 2.4.0 202 | - Changed base docker image to kong/kong 203 | - Bump [kong-plugin-session](https://github.com/Kong/kong-plugin-session) to 2.4.5 204 | - 2021-04-12 [2.3.3-3]: 205 | - Add poor man [test using docker-compose and postgres database](test/docker-compose) 206 | - 2021-03-16 [2.3.3-2]: 207 | - Add [pluggable compressor zlib](https://github.com/bungle/lua-resty-session#pluggable-compressors) dependencies #17 208 | - 2021-03-10 [2.3.3-1]: 209 | - Bumped kong to 2.3.3 210 | - 
2021-02-25 [2.3.2-2]: 211 | - Do not add NET_BIND_SERVICE capability to make it easier to deploy the image in environments with security constraints 212 | - Improved test script 213 | - 2021-02-17 [2.3.2-1]: 214 | - Bumped kong to 2.3.2 215 | - 2021-02-17 [2.3.0-3]: 216 | - Bumped kong-oidc version to 1.2.3-1 to implement PR [revomatico#3](https://github.com/revomatico/kong-oidc/pull/3) and [revomatico#4](https://github.com/revomatico/kong-oidc/pull/4) 217 | - 2021-01-21 [2.3.0-2]: 218 | - Added session compression configuration using `KONG_X_SESSION_COMPRESSOR` 219 | - 2021-01-16 [2.3.0-1]: 220 | - Bumped Kong to 2.3.0 221 | - 2021-01-16 [2.2.1-3]: 222 | - Added `lua_shared_dict` caching for discovery, jwks and introspection. Default cache size is 128k (small). 223 | - Bumped kong-oidc version to 1.2.2-2 to implement PR [revomatico#2](https://github.com/revomatico/kong-oidc/pull/2) 224 | - Compatibility note: Groups/credentials are now injected regardless of `disable_userinfo_header` param 225 | - Compatibility note: Param `disable_userinfo_header` is now honored also for introspection 226 | - Compatibility note: OIDC authenticated request now clears possible (anonymous) consumer identity and sets X-Credential-Identifier 227 | - 2021-01-06 [2.2.1-2]: 228 | - Removed `x_proxy_cache_storage_name` in favor of built-in `nginx_http_lua_shared_dict`. 
See: 229 | - Bump `kong-plugin-session` to 2.4.4 230 | - 2020-12-14 [2.2.1-1]: 231 | - Bumped Kong to 2.2.1 232 | - Bumped lua-resty-oidc to 1.7.4-1 233 | - Bumped kong-plugin-session to 2.4.3 234 | - 2020-10-27 [2.1.4-1]: 235 | - Bumped Kong to 2.1.4 236 | - Bumped lua-resty-oidc to 1.7.3-1 237 | - 2020-07-26 [2.1.0-1]: 238 | - Bumped Kong to 2.1.0 239 | - 2020-07-26 [2.0.5-4]: 240 | - Set default image user to kong 241 | - 2020-07-03 [2.0.5-3]: 242 | - Added DSHM (Hazelcast) session storage support using [ngx-distributed-shm](https://github.com/grrolland/ngx-distributed-shm/) dshm.lua library 243 | - 2020-07-02 [2.0.5-2]: 244 | - Using kong-plugin-session 2.4.1 245 | - Using lua-resty-session 3.5 246 | - 2020-07-02 [2.0.5-1]: 247 | - Bumped Kong version to 2.0.5 248 | - Add memcache env vars 249 | - 2020-05-06 [2.0.4-1]: 250 | - Bumped Kong version to 2.0.4 251 | - Bumped kong-oidc plugin to 1.2.1-1 after implementing PR [nokia#132](https://github.com/nokia/kong-oidc/pull/132) 252 | - 2020-04-12 [2.0.3-1]: 253 | - Bumped Kong version to 2.0.3 254 | - 2020-03-20 [2.0.2-1]: 255 | - Bumped Kong version to 2.0.2, using alpine image instead of centos 256 | - 2020-02-21 [1.5.0-1]: 257 | - Bumped Kong version to 1.5.0, the last 1.x version 258 | - Using [revomatico/kong-oidc](https://github.com/revomatico/kong-oidc) repo 259 | - 2019-11-19 [1.4.2-1]: 260 | - Bumped Kong version to 1.4.2 261 | - Added proxy cache plugin custom dictionary 262 | - 2019-10-28 [1.4.1-1]: 263 | - Bumped Kong version to 1.4.1 264 | - Added shm session storage support 265 | - Added test.sh to quickly validate the build 266 | - Improved README.md 267 | - 2019-10-28 [1.4.0-1]: 268 | - Bumped Kong version to 1.4.0 269 | - 2019-09-05 [1.3.0-2]: 270 | - Introduced `session_name` to override the default 'session' with 'oidc_session' as it may be overriden by upstream applications. 
271 | - 2019-08-16 [1.3.0-1]: 272 | - Bump to Kong 1.3.0-centos image 273 | - Trying again lua-resty-oidc 1.7.2-1 274 | - 2019-08-16 [1.2.2-1]: 275 | - Bump to Kong 1.2.2-centos image 276 | - 2019-07-05 [1.2.1-4]: 277 | - Removed **kong-http-to-https-redirect** in favor of the built-in route attribute: [https_redirect_status_code=301](https://docs.konghq.com/1.2.x/admin-api/#create-route) 278 | - 2019-07-04 [1.2.1-3]: 279 | - Reverted to the original nokia/kong-oidc, which uses lua-resty-oidc 1.6.1-1, because of bad performance (again) with 1.7.1-1 280 | - 2019-07-04 [1.2.1-2]: 281 | - Correctly added the **hostname** package in the Dockerfile 282 | - Forced a commit to rebuild the image on Docker Hub, because of changes in the kong-oidc plugin 283 | - 2019-07-01 [1.2.1-1]: 284 | - Bump to Kong 1.2.1-centos image 285 | - 2019-06-13 [1.2.0-1]: 286 | - Bump to Kong 1.2.0-centos image 287 | - 2019-04-27 [1.1.2-1]: 288 | - Used Kong 1.1.2-centos image 289 | - Changed the kong-oidc plugin repo from Nokia to [revomatico](https://github.com/revomatico/kong-oidc) for various improvements and compatibility with lua-resty-openidc 1.7 290 | - 2019-04-02 [1.1.1-1]: 291 | - Using Kong 1.1.1-centos image 292 | - 2019-02-22 [1.0.3-1]: 293 | - Kept creation of `/usr/local/kong` in Dockerfile 294 | - Removed Dockerfile's `USER` directive, as it is incompatible with su-exec.
See 295 | - 2019-02-21 [1.0.3]: 296 | - Replaced **revomatico/kong-http-to-https-redirect** with [dsteinkopf/kong-http-to-https-redirect](https://github.com/dsteinkopf/kong-http-to-https-redirect) as it has more fixes and improvements 297 | - Upgraded rockspec [zmartzone/lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc) to 1.7.1-1 298 | - Using Kong 1.0.3 image 299 | - Added new environment variables to configure memcached 300 | - 2018-11-27 [0.14-2]: 301 | - ~~Upgraded rockspec [zmartzone/lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc) to 1.7.0-2~~ this causes issues, staying with 1.6.1-1 for now 302 | - Added env variable KONG_X_SESSION_SECRET to populate the `$session_secret` variable with the same value on all pods in the cluster 303 | - Removed explicitly building lua-resty-openidc in the Dockerfile, since that is done automatically by `luarocks build`, as it is a dependency of kong-oidc 304 | - Set everything to run under regular user kong instead of root 305 | - 2018-10-09 [0.14-1]: 306 | - Upgraded to Kong 0.14 307 | - 2018-10-09 [0.13-3]: 308 | - Changed repo for kong-http-to-https-redirect to [revomatico/kong-http-to-https-redirect](https://github.com/revomatico/kong-http-to-https-redirect) 309 | - 2018-08-10 [0.13-2]: 310 | - Forced a rebuild to update rockspec [HappyValleyIO/kong-http-to-https-redirect](https://github.com/HappyValleyIO/kong-http-to-https-redirect) 311 | - 2018-07-07 [0.13-1]: 312 | - Updated rockspec [zmartzone/lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc) to 1.6.1-1 313 | - 2018-07-04 [0.13]: 314 | - Updated rockspec [nokia/kong-oidc](https://github.com/nokia/kong-oidc) to 1.1.0-0 315 | - Updated rockspec [zmartzone/lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc) to 1.6.0-1 316 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 |
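# Build the local image. Any extra arguments are forwarded verbatim to
# `docker build` (e.g. --no-cache, --build-arg ...).
set -e
cd -- "$(readlink -f "${0%/*}")" || exit 1
. common.sh

# "$@" (not $*) keeps arguments containing spaces intact.
docker build \
  -t "$DOCKER_IMAGE" \
  . \
  "$@"

# List image in docker
docker images "$DOCKER_IMAGE"
--------------------------------------------------------------------------------
/common.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Common script sourced by all others to define variables and stay DRY.
# It is sourced, not executed: do not `set -e` or `exit` from here.
DOCKER_CONTAINER='docker-kong-oidc'
# Local build tag; the "-N" suffix is the build number for this Kong version.
DOCKER_IMAGE="local/$DOCKER_CONTAINER:3.4.0-2"
# Host ports used by run.sh/test.sh; each can be overridden from the environment.
KONG_LOCAL_HTTP_PORT=${KONG_LOCAL_HTTP_PORT:-18000}
KONG_LOCAL_HTTPS_PORT=${KONG_LOCAL_HTTPS_PORT:-14443}
KONG_LOCAL_ADMIN_PORT=${KONG_LOCAL_ADMIN_PORT:-18001}
--------------------------------------------------------------------------------
/push-to-registries.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Tag and push the locally built image to optional private registries and to
# Docker Hub, then refresh the Docker Hub repository description from README.md.
#
# Usage: ./push-to-registries.sh [DH_USERNAME [DH_PASSWORD]]
# Inputs (from env.sh or the environment):
#   LOCAL_REGISTRIES - optional, space-separated registry hosts
#   DH_USERNAME      - Docker Hub user
#   DH_PASSWORD      - Docker Hub password/token; prompted for when empty

set -e -o pipefail

cd -- "$(readlink -f "${0%/*}")"
. common.sh
# env.sh carries the registry list and the Docker Hub credentials; it is
# expected to stay out of version control.
. env.sh

## Push to optional space separated local registries
# $LOCAL_REGISTRIES is deliberately unquoted: word-splitting on spaces is how
# the list is delimited.
for reg in $LOCAL_REGISTRIES; do
  docker tag "$DOCKER_IMAGE" "$reg/${DOCKER_IMAGE##*/}"
  docker push "$reg/${DOCKER_IMAGE##*/}"
done

DH_USERNAME="${1:-$DH_USERNAME}"
# Accepting the password as $2 is kept for compatibility, but it leaves the
# secret in shell history and in `ps` output; prefer env.sh or the prompt.
DH_PASSWORD="${2:-$DH_PASSWORD}"
[[ -n "$DH_USERNAME" ]] || { echo "DH_USERNAME is not set (env.sh or argument 1)" >&2; exit 1; }
if [[ -z "$DH_PASSWORD" ]]; then
  # -s: no echo; -r: keep backslashes in the password literally.
  read -r -s -p "Docker Hub Password for $DH_USERNAME: " DH_PASSWORD
  echo >&2
fi
DH_REPO="$DH_USERNAME/${DOCKER_IMAGE##*/}"

## Push image to Docker Hub
# --password-stdin keeps the secret off the command line.
docker login -u "$DH_USERNAME" --password-stdin <<< "$DH_PASSWORD"
for tag in "$DH_REPO" "${DH_REPO%:*}:latest" "revomatico/${DOCKER_IMAGE##*/}"; do
  docker tag "$DOCKER_IMAGE" "$tag"
  docker push "$tag"
done

## Update Docker Hub README
# The credentials are handed to a third-party container. Two precautions:
#  - they are exported and passed as bare `-e NAME` (docker takes the value
#    from this process's environment) instead of `-e NAME=value`, so the
#    password never shows up in argv (`ps`) or in a shell trace;
#  - the image is referenced by a mutable tag; pin it by digest
#    (peterevans/dockerhub-description:2@sha256:<digest>) so a moved tag cannot
#    silently swap the code that receives the password.
export DOCKERHUB_USERNAME="$DH_USERNAME" DOCKERHUB_PASSWORD="$DH_PASSWORD"
docker run --rm -v "$PWD:/workspace" \
  -e DOCKERHUB_USERNAME \
  -e DOCKERHUB_PASSWORD \
  -e DOCKERHUB_REPOSITORY="${DH_REPO%:*}" \
  -e README_FILEPATH='/workspace/README.md' \
  peterevans/dockerhub-description:2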
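
--------------------------------------------------------------------------------
/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Start a throw-away, DB-less Kong container from the locally built image with
# the oidc and cookies-to-headers plugins enabled and test/kong.yml as the
# declarative config. Extra arguments are forwarded verbatim to `docker run`
# (after the image name, i.e. as the container command).
#
# Optional environment: KONG_LOG_LEVEL, KONG_X_SESSION_SECRET,
# KONG_LOCAL_BIND_ADDR and the KONG_LOCAL_*_PORT values from common.sh.

cd -- "$(dirname "$(readlink -f "$0")")" || exit 1
. common.sh

# Host address the Admin API is published on. Defaults to loopback: the Admin
# API configured below has nothing in front of it, and the docker-compose test
# publishes it on 127.0.0.1 as well. Set to 0.0.0.0 only when you really need
# remote access.
KONG_LOCAL_BIND_ADDR="${KONG_LOCAL_BIND_ADDR:-127.0.0.1}"

# Test-only session secret: a fixed, publicly known placeholder. Every Kong
# node in a cluster must use the same value, so a real deployment must supply
# its own and must never reuse this one. It is exported and passed to docker
# as bare `-e NAME` so that the value is not echoed by `set -x` below.
export KONG_X_SESSION_SECRET="${KONG_X_SESSION_SECRET:-eW91Z290bWVoYWNrZXIh}"

set -x
docker run -d -t \
  --name "$DOCKER_CONTAINER" \
  --hostname "$DOCKER_CONTAINER" \
  -e KONG_LOG_LEVEL="${KONG_LOG_LEVEL:-info}" \
  -e KONG_ADMIN_ACCESS_LOG=/dev/stdout \
  -e KONG_ADMIN_ERROR_LOG=/dev/stderr \
  -e KONG_ADMIN_GUI_ACCESS_LOG=/dev/stdout \
  -e KONG_ADMIN_GUI_ERROR_LOG=/dev/stderr \
  -e KONG_PORTAL_API_ACCESS_LOG=/dev/stdout \
  -e KONG_PORTAL_API_ERROR_LOG=/dev/stderr \
  -e KONG_PROXY_ACCESS_LOG=/dev/stdout \
  -e KONG_PROXY_ERROR_LOG=/dev/stderr \
  -e KONG_ANONYMOUS_REPORTS='false' \
  -e KONG_CLUSTER_LISTEN='off' \
  -e KONG_DATABASE='off' \
  -e KONG_DECLARATIVE_CONFIG=/kong_dbless/kong.yml \
  -e KONG_LUA_PACKAGE_PATH='/opt/?.lua;/opt/?/init.lua;;' \
  -e KONG_NGINX_WORKER_PROCESSES='1' \
  -e KONG_PLUGINS='bundled,oidc,cookies-to-headers' \
  -e KONG_ADMIN_LISTEN='0.0.0.0:8001' \
  -e KONG_PROXY_LISTEN='0.0.0.0:8000, 0.0.0.0:8443 http2 ssl' \
  -e KONG_STATUS_LISTEN='0.0.0.0:8100' \
  -e KONG_NGINX_DAEMON='off' \
  -e KONG_X_SESSION_SECRET \
  -e KONG_X_SESSION_MEMCACHE_PORT="'1234'" \
  -e KONG_X_SESSION_COMPRESSOR=zlib \
  -v "$PWD/test:/kong_dbless" \
  -p "$KONG_LOCAL_BIND_ADDR:$KONG_LOCAL_ADMIN_PORT:8001" \
  -p "$KONG_LOCAL_HTTP_PORT:8000" \
  -p "$KONG_LOCAL_HTTPS_PORT:8443" \
  "$DOCKER_IMAGE" \
  "$@"
--------------------------------------------------------------------------------
/test.sh:
--------------------------------------------------------------------------------
#!/bin/bash

### This is not a real test. Just a quick check that kong starts just fine with some parameters.
# Starts the container via run.sh, prints the node info from the Admin API and
# then expects HTTP 200 from the proxy for /request.php (routed by test/kong.yml).
# The exit status is non-zero whenever that check fails, even when curl itself
# succeeded (e.g. a 404 or 502 from the proxy).

cd -- "$(dirname "$(readlink -f "$0")")" || exit 1

. common.sh

# Remove the test container on every exit path (success, failure, Ctrl-C).
cleanup() {
  docker rm -f "$DOCKER_CONTAINER" | xargs printf "Deleted container: %s\n\n"
}

trap cleanup EXIT

./run.sh | xargs printf "Created container: %s\n"
# Crude readiness wait; there is no deterministic "ready" signal used here.
sleep 10
# `[[ -x $(which jq) ]]` was always true when jq was missing (the empty
# expansion leaves a one-word test), so the jq branch ran and failed anyway.
if command -v jq >/dev/null 2>&1; then
  set -x
  curl -sSL "localhost:$KONG_LOCAL_ADMIN_PORT" | jq '{version,hostname,node_id}'
else
  set -x
  curl -sSL "localhost:$KONG_LOCAL_ADMIN_PORT" | head -2 | tail -1
fi
{ set +x; } 2>/dev/null

# -v plus 2>&1: the traced command and the response headers land in RESP so
# they can be printed on failure and grepped for the status line.
RESP=$(set -x; curl -sSv "localhost:$KONG_LOCAL_HTTP_PORT/request.php" 2>&1)
RET=$?

## Evaluate the proxy response
HTTP_RESP=$(grep -oP '(?<=HTTP\/1.1 )[0-9]+' <<< "$RESP")
if [[ "$HTTP_RESP" != "200" ]]; then
  docker logs "$DOCKER_CONTAINER"
  echo "-----------------------------------------------------------------------------------------"
  echo "$RESP"
  echo "-----------------------------------------------------------------------------------------"
  echo "!!!!!FAILED with ret code $RET / http code $HTTP_RESP!!!!!"
  # curl exits 0 on a non-200 status, which used to make this script exit 0
  # on failure; map that case to 1 so callers (CI) see the failure.
  exit $(( RET == 0 ? 1 : RET ))
else
  echo "$RESP" | grep -oP '(?<=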
  • )[^<]+' 40 | echo "" 41 | echo "Success!!!" 42 | fi 43 | -------------------------------------------------------------------------------- /test/docker-compose/.env: -------------------------------------------------------------------------------- 1 | PG_DOCKER_IMAGE=postgres:12 2 | KONG_DOCKER_TAG=local/docker-compose-oidc:latest 3 | -------------------------------------------------------------------------------- /test/docker-compose/POSTGRES_PASSWORD: -------------------------------------------------------------------------------- 1 | postgres -------------------------------------------------------------------------------- /test/docker-compose/README.md: -------------------------------------------------------------------------------- 1 | Poor man test of Kong with postgres database. 2 | 3 | Used compose file from: https://github.com/Kong/docker-kong/blob/master/compose/docker-compose.yml 4 | 5 | `./test.sh [NN]` 6 | 7 | NN - rough timeout in seconds to wait for containers initialization, default: 10 8 | -------------------------------------------------------------------------------- /test/docker-compose/docker-compose.yml: -------------------------------------------------------------------------------- 1 | ## curl -sL https://raw.githubusercontent.com/Kong/docker-kong/master/compose/docker-compose.yml > docker-compose.yml.ori 2 | 3 | version: '3.7' 4 | 5 | volumes: 6 | kong_data: {} 7 | 8 | networks: 9 | kong-net: 10 | external: false 11 | 12 | services: 13 | kong-migrations: 14 | image: "${KONG_DOCKER_TAG:-kong:latest}" 15 | command: kong migrations bootstrap 16 | depends_on: 17 | - db 18 | environment: 19 | KONG_DATABASE: postgres 20 | KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong} 21 | KONG_PG_HOST: db 22 | KONG_PG_USER: ${KONG_PG_USER:-kong} 23 | KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password 24 | secrets: 25 | - kong_postgres_password 26 | networks: 27 | - kong-net 28 | restart: on-failure 29 | deploy: 30 | restart_policy: 31 | condition: 
on-failure

  kong-migrations-up:
    image: "${KONG_DOCKER_TAG:-kong:latest}"
    # NOTE(review): a string-form `command` is handed to the image entrypoint
    # as arguments, not to a shell, so the `&&` only works if the entrypoint
    # itself runs it through a shell — confirm both migration steps execute.
    command: kong migrations up && kong migrations finish
    depends_on:
      - db
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
      KONG_PG_HOST: db
      KONG_PG_USER: ${KONG_PG_USER:-kong}
      # The password is read from the compose secret file, not from an env var.
      KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure

  kong:
    image: "${KONG_DOCKER_TAG:-kong:latest}"
    # Run as the unprivileged kong user (the image default); override with KONG_USER.
    user: "${KONG_USER:-kong}"
    depends_on:
      - db
    environment:
      - KONG_LOG_LEVEL=info
      - KONG_ADMIN_ACCESS_LOG=/dev/stdout
      - KONG_ADMIN_ERROR_LOG=/dev/stderr
      - KONG_ADMIN_GUI_ACCESS_LOG=/dev/stdout
      - KONG_ADMIN_GUI_ERROR_LOG=/dev/stderr
      - KONG_PORTAL_API_ACCESS_LOG=/dev/stdout
      - KONG_PORTAL_API_ERROR_LOG=/dev/stderr
      - KONG_PROXY_ACCESS_LOG=/dev/stdout
      - KONG_PROXY_ERROR_LOG=/dev/stderr
      - KONG_ANONYMOUS_REPORTS=false
      - KONG_CLUSTER_LISTEN=off
      - 'KONG_LUA_PACKAGE_PATH=/opt/?.lua;/opt/?/init.lua;;'
      - KONG_NGINX_WORKER_PROCESSES=1
      # Only `oidc` is enabled here; run.sh additionally enables cookies-to-headers.
      - 'KONG_PLUGINS=bundled,oidc'
      # Admin API: listens on every container interface, but is published on
      # the host loopback only (see `ports` below). Nothing in this file puts
      # authentication in front of it, so keep it off public interfaces.
      - 'KONG_ADMIN_LISTEN=0.0.0.0:8001'
      - 'KONG_PROXY_LISTEN=0.0.0.0:8000, 0.0.0.0:8443 http2 ssl'
      - 'KONG_STATUS_LISTEN=0.0.0.0:8100'
      - KONG_NGINX_DAEMON=off
      # The doubled quotes are deliberate (run.sh passes "'1234'" the same way):
      # the value is injected verbatim into the nginx template.
      - 'KONG_X_SESSION_MEMCACHE_PORT=''1234'''
      - KONG_X_SESSION_COMPRESSOR=zlib
      # NOTE(review): no KONG_X_SESSION_SECRET is set here, unlike run.sh. The
      # changelog introduced it so every node shares one session secret; for a
      # single-node test that may be fine, but confirm what the template does
      # with an empty value.
      - KONG_DATABASE=postgres
      - KONG_PG_DATABASE=${KONG_PG_DATABASE:-kong}
      - KONG_PG_HOST=db
      - KONG_PG_USER=${KONG_PG_USER:-kong}
      - KONG_PG_PASSWORD_FILE=/run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    ports:
      - "8000:8000/tcp"
      # Admin API on host loopback only — do not widen this binding.
      - "127.0.0.1:8001:8001/tcp"
      - "8443:8443/tcp"
      # 8444 is published, but KONG_ADMIN_LISTEN above defines no TLS listener on it.
      - "127.0.0.1:8444:8444/tcp"
    healthcheck:
      test: ["CMD", "kong", "health"]

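interval: 10s
      timeout: 10s
      retries: 10
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure

  db:
    # .env sets PG_DOCKER_IMAGE=postgres:12; the fallback now matches it instead
    # of the previous, no longer maintained postgres:9.5.
    image: ${PG_DOCKER_IMAGE:-postgres:12}
    environment:
      POSTGRES_DB: ${KONG_PG_DATABASE:-kong}
      POSTGRES_USER: ${KONG_PG_USER:-kong}
      POSTGRES_PASSWORD_FILE: /run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "${KONG_PG_USER:-kong}"]
      interval: 30s
      timeout: 30s
      retries: 3
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure
    stdin_open: true
    tty: true
    # No `ports` are published: Postgres is reachable only from kong-net.
    networks:
      - kong-net
    volumes:
      - kong_data:/var/lib/postgresql/data

secrets:
  # Test-only password committed to the repo (the file contains "postgres").
  # Acceptable for this throw-away stack because the db publishes no ports,
  # but never reuse it outside this test.
  kong_postgres_password:
    file: ./POSTGRES_PASSWORD
--------------------------------------------------------------------------------
/test/docker-compose/test.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Poor man's integration check: bring up Kong + Postgres with docker-compose,
# wait a bit, and assert that Kong reports its database as reachable.
# Usage: ./test.sh [SECONDS]  (rough wait for container initialization, default 10)
# Exits 0 on success, 1 otherwise; the stack and its data volume are removed
# in both cases.

exit_failed() {
  echo "[FAILED] ${1:-Kong cannot reach the database or did not start}"
  exit 1
}

cd -- "$(readlink -f "${0%/*}")" || exit 1

. ../../common.sh

set -x

# Use the locally built image for all kong-* services in docker-compose.yml.
export KONG_DOCKER_TAG="$DOCKER_IMAGE"

docker-compose up -d

sleep "${1:-10}"

# The Admin API is published on the host loopback only (127.0.0.1:8001 in
# docker-compose.yml), so address it explicitly rather than via "localhost",
# which may resolve to ::1 first. A non-empty RET means the database is reachable.
RET=$(curl -s 127.0.0.1:8001/status | grep -o '"database":{"reachable":true}')

docker-compose ps

# `down -v` also removes the named kong_data volume declared in the compose
# file, whatever the compose project name is; the former explicit
# `docker volume rm docker-compose_kong_data` only worked when the project
# name was derived from this directory.
docker-compose down -v

docker-compose rm -f

{ set +x; } 2>/dev/null
if [[ -n "$RET" ]]; then
  echo "[SUCCESS] Kong with database is up!"
else
  exit_failed
fi
--------------------------------------------------------------------------------
/test/kong.yml:
--------------------------------------------------------------------------------
# Declarative config mounted by run.sh (KONG_DECLARATIVE_CONFIG=/kong_dbless/kong.yml):
# every request for host "localhost" is proxied to an external test upstream over HTTPS.
_format_version: "1.1"

services:
  - name: test-service
    host: headers.4tools.net
    path: /
    port: 443
    protocol: https
    tags:
      - test
    routes:
      - name: test-route
        hosts:
          - localhost
        paths:
          - /
        preserve_host: false
        protocols:
          - http
          - https
        strip_path: false
        tags:
          - test
--------------------------------------------------------------------------------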