Kong – generate client cert

When generating a client certificate for Kong, you generally need to provide the .crt and .key files to the client. However, the .pem file can also be used, depending on the application’s needs.

Here’s how each file is used:

  1. .crt (Certificate File) – This contains the public certificate of the client.
  2. .key (Private Key File) – This holds the private key for the client.
  3. .pem (Privacy-Enhanced Mail Format) – This can contain both the certificate and private key (and sometimes even intermediate certificates) in a single file.

What Should You Provide to the Client?

  • If the client explicitly needs separate certificate and key files, provide:
    • client.crt
    • client.key
  • If the client can handle a single PEM file, provide:
    • client.pem (which includes both the certificate and private key)

To generate a PEM file from .crt and .key:

cat client.crt client.key > client.pem

🔹 Use Case:

  • Some applications and libraries (e.g., cURL, OpenSSL, and certain API clients) accept a single PEM file instead of separate .crt and .key files.
  • If the client is using mutual TLS (mTLS) authentication with Kong, check if they need a .pem file instead.
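As an added example (not part of the original page), the following POSIX shell script issues a client certificate from a throwaway CA, builds the single-file client.pem described above, and checks the bundle before it is handed to a Kong mTLS client; the CA name, client CN and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway CA, issue a client
# certificate signed by it, bundle .crt + .key into the single client.pem the page
# describes, and check the bundle before handing it to a Kong mTLS client.
# All names (CA/client CN, file names) are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files

# Issue a client certificate for the CN given as $1 and write client.pem
make_client_cert() {
  cn="$1"
  # 1. CA key + self-signed CA cert: ca.crt is what Kong's mtls-auth plugin trusts
  #    (upload it via the Admin API /ca_certificates endpoint and reference its id)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-client-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Client private key + certificate signing request
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  # 3. Sign the CSR with the CA (short lifetime for a client credential)
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/client.crt" 2>/dev/null
  # 4. Single-file PEM as on the page: certificate first, then the private key
  cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/client.pem"
  chmod 600 "$WORK/client.key" "$WORK/client.pem"   # both files contain the private key
}

# Exit status 0 when the certificate inside client.pem chains to ca.crt (the check
# mtls-auth performs on the handshake) and the bundled key matches that certificate
verify_bundle() {
  openssl x509 -in "$WORK/client.pem" 2>/dev/null \
    | openssl verify -CAfile "$WORK/ca.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/client.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/client.pem" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Print the CN carried by the client certificate (mtls-auth maps it to a consumer)
bundle_cn() {
  openssl x509 -in "$WORK/client.pem" -noout -subject | sed 's/.*CN *= *//'
}
```

Run `make_client_cert kong-client` followed by `verify_bundle` to produce and check the bundle; ca.crt is the file to register with Kong, client.pem (or client.crt plus client.key) is what goes to the client.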

Install plugins

---
# Enables the listed plugins globally by POSTing to the Kong Admin API on localhost:8001.
# The plugins must already be available in the Kong installation (bundled or deployed);
# this play only creates the plugin entities, it does not add plugin code to Kong.
- name: Install Specified Kong Plugins Globally
  hosts: localhost
  tasks:
    - name: Define Kong Plugins with Configurations
      set_fact:
        kong_plugins:
          - name: "correlation-id"
            config:
              header_name: "Kong-Request-ID"
              generator: "uuid"
              echo_downstream: true
          - name: "http-log"
            config:
              http_endpoint: "http://your-logging-service.local/logs"
              method: "POST"
              timeout: 10000
              keepalive: 60000
          - name: "jwt"
            config: {}
          - name: "ldap-auth-advanced"
            config:
              ldap_host: "ldap.yourdomain.com"
              ldap_port: 389
              start_tls: false     # with start_tls off, binds on port 389 travel in plaintext
              verify_ldap_host: true
              base_dn: "dc=yourdomain,dc=com"
              attribute: "uid"
              cache_ttl: 60
              timeout: 10000
              keepalive: 60000
          - name: "mtls-auth"
            config:
              # IDs of CA certificate entities created via the Admin API (/ca_certificates), not PEM text
              ca_certificates: ["<CA_CERTIFICATE>"]
              depth: 1
              cache_ttl: 60
          - name: "openid-connect"
            config:
              issuer: "https://your-oidc-provider.com"
              # client_id, client_secret and redirect_uri are array fields in this plugin's schema
              client_id: ["your-client-id"]
              client_secret: ["your-client-secret"]
              redirect_uri: ["https://your-kong-instance.com/redirect"]
              scopes: ["openid", "profile", "email"]
          - name: "request-termination"
            config:
              status_code: 403
              message: "Forbidden"
              content_type: "text/plain"

    - name: Ensure Specified Plugins Are Installed Globally
      uri:
        url: "http://localhost:8001/plugins"   # Admin API; no service/route in the body makes the plugin global
        method: POST
        body_format: json
        body:
          name: "{{ plugin.name }}"
          config: "{{ plugin.config | default({}) }}"
        status_code: [201, 409]  # 201 = Created, 409 = Conflict (Already Exists)
      loop: "{{ kong_plugins }}"
      loop_control:
        loop_var: plugin
      register: plugin_response
      ignore_errors: yes   # other status codes do not stop the play; inspect them in the debug output below

    - name: Debug Plugin Deployment Responses
      debug:
        var: plugin_response.results