Kong + OIDC plugins
Builds a Docker image (https://hub.docker.com/r/cristianchiru/docker-kong-oidc) from base Kong + revomatico/kong-oidc plugin (based on zmartzone/lua-resty-openidc)
!! Starting with 3.2.2-1 the Docker repository is available from the personal account too, because free organization repos were supposed to be removed, but then Docker changed their mind on the 20th of March 2023. Since I do not trust them anymore, the old repo (https://hub.docker.com/r/revomatico/docker-kong-oidc) is still there, but I consider it deprecated.
Settings are passed to the container as environment variables. KONG_X_* variables are custom variables of this image, e.g. KONG_X_VAR="'1234'" (note the inner single quotes: the outer double quotes are consumed by the shell, the single quotes stay part of the value).

The .nginx_kong.lua template is patched at build time to include set $session_secret "$KONG_X_SESSION_SECRET"; so set KONG_X_SESSION_SECRET to a string. Use a long random value: lua-resty-session derives the material that signs and encrypts the session cookie from this secret, so anyone who can guess it can forge sessions.

Typical settings:

KONG_PLUGINS=bundled,oidc
KONG_X_SESSION_NAME=oidc_session
KONG_NGINX_LARGE_CLIENT_HEADER_BUFFERS='4 16k'
KONG_X_SESSION_COMPRESSOR=zlib

The header buffers are raised from nginx's default of 4 8k because session cookies carrying OIDC tokens easily exceed 8k; zlib compression of the session shrinks that cookie.
Session storage is selected with KONG_X_SESSION_STORAGE, with three options.

memcache: instead of actual memcached, Hazelcast (which is Kubernetes aware) with the memcache protocol enabled should be used. See https://docs.hazelcast.org/docs/latest-dev/manual/html-single/#memcache-client.

KONG_X_SESSION_STORAGE=memcache
KONG_X_SESSION_MEMCACHE_HOST=mynewhost
KONG_X_SESSION_MEMCACHE_PORT="'12345'"

dshm: this lua-resty-session storage depends on the grrolland/ngx-distributed-shm dshm.lua library. Recommended: Hazelcast with the memcache protocol enabled (see above).

KONG_X_SESSION_STORAGE=dshm

shm: good for a single instance, no additional software is required. Sessions live in nginx shared memory, so they are not shared between replicas and do not survive a restart.

KONG_X_SESSION_STORAGE=shm
KONG_X_NOLOG_LIST_FILE can be set to a file path, e.g. /tmp/nolog.txt, listing the IPs whose requests are excluded from access_log. The file format is one entry per line, ip 0; . To exclude, for example, requests from the kubernetes probes:

127.0.0.1 0;

The file is included into the nginx configuration, so treat its contents as configuration, not data: only put validated addresses in it.
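A generator and checker for that file, as an added example that is not part of the image. Because the file is pulled into the nginx configuration, a line such as "1.2.3.4 0; access_log off" would be parsed as directives, so the script refuses anything that is not a plain IPv4 address (or an IPv4 CIDR, which is accepted on the assumption that the include lands in an nginx geo block; plain addresses are all the page documents).

```shell
#!/bin/sh
# Added example (not the image's own tooling): build and re-check the
# KONG_X_NOLOG_LIST_FILE contents. Every line must be exactly "<ip> 0;".
# CIDR acceptance assumes an nginx geo-style include (assumption).

# is_ipv4 <addr>: dotted quad, each octet 0-255, nothing else.
is_ipv4() {
  # Reject anything but digits and dots up front: this also rules out globbing
  # characters before the unquoted $1 below is word-split.
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# is_nolog_entry <addr[/prefix]>: address, or CIDR with prefix 0-32.
is_nolog_entry() {
  case $1 in
    */*)
      addr=${1%%/*}; prefix=${1#*/}
      case $prefix in ''|*[!0-9]*) return 1 ;; esac
      [ "$prefix" -le 32 ] || return 1
      is_ipv4 "$addr" ;;
    *)
      is_ipv4 "$1" ;;
  esac
}

# write_nolog_list <file> <addr>...: one "addr 0;" line per argument.
# The whole list is refused (file untouched) if any entry fails validation.
write_nolog_list() {
  out=$1; shift
  [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
  for entry in "$@"; do
    is_nolog_entry "$entry" || { echo "rejected entry: $entry" >&2; return 1; }
  done
  : > "$out" || return 1
  for entry in "$@"; do
    printf '%s 0;\n' "$entry" >> "$out"
  done
}

# check_nolog_list <file>: re-validate an existing file (e.g. one handed over
# by another team) before mounting it; returns 1 on the first malformed line.
check_nolog_list() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      '') ;;                                       # blank lines are harmless
      *' 0;') is_nolog_entry "${line%' 0;'}" || return 1 ;;
      *) return 1 ;;
    esac
  done < "$1"
}

# Usage: write_nolog_list /tmp/nolog.txt 127.0.0.1 10.42.0.0/16
```

Point KONG_X_NOLOG_LIST_FILE at the written file and mount it read-only; run check_nolog_list on any list that was not produced by this script.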
Notable changes:

- KONG_X_NOLOG_LIST_FILE, which can optionally point to a file containing the list of IPs to be excluded from access_log
- KONG_X_SESSION_COMPRESSOR
- lua_shared_dict caching for discovery, jwks and introspection. Default cache size is 128k (small).
- disable_userinfo_header param is now honored also for introspection
- x_proxy_cache_storage_name is no longer used, in favor of the built-in nginx_http_lua_shared_dict. See: https://github.com/Kong/kong/issues/4643
- kong-plugin-session to 2.4.4
- session_name to override the default 'session' with 'oidc_session', as it may be overridden by upstream applications.
- /usr/local/kong in Dockerfile
- USER directive is incompatible with su-exec. See https://github.com/ncopa/su-exec/issues/2#issuecomment-336670196