Home / Kong Mesh
Edit
Report

Authentication with the Kong Mesh API server

Uses: Kong Mesh
Related Documentation
Mesh Documentation
Related Resources
Manage secrets
Mesh ports
Zone Ingress

Kong Mesh exposes its API server on ports 5681 and 5682. An authenticated user can be authorized to execute administrative actions such as:

  • Managing administrative resources like Kong Mesh secrets on Universal.
  • Generating user tokens, data plane proxy tokens, zone ingress tokens, and zone tokens.

User token

A user token is a signed JWT token that contains:

  • The name of the user
  • The list of groups that a user belongs to
  • The expiration date of the token

Groups

Groups in Kong Mesh allow you to manage API permissions for users. A user can be a part of multiple groups. Kong Mesh adds two groups to a user automatically:

  • Authenticated users are added to mesh-system:authenticated.
  • Unauthenticated users are added to mesh-system:unauthenticated.

Admin user token

Kong Mesh creates an admin user token on the first start of the control plane. The admin user token is a user token issued for users in the mesh-system:admin group. This group is authorized by default to execute all administrative operations.

Configure kumactl with an admin user token

  1. Use kubectl to extract the admin token:

    kubectl get secret admin-user-token -n kong-mesh-system --template={{.data.value}} | base64 -d
  2. Expose the Kong Mesh control plane to make it accessible from your machine using one of the following methods:
    • Port-forward port 5681.
    • Expose port 5681 and protect it with TLS or expose port 5682 with built-in via a load balancer.
    • Expose port 5681 using an Ingress (for example Kong Ingress Controller) and protect it with TLS.
  3. Configure kumactl with the admin user token: 
    kumactl config control-planes add \
  --name my-control-plane \
  --address https://$CONTROL_PLANE_ADDRESS:5682 \
  --auth-type=tokens \
  --auth-conf token=$GENERATED_TOKEN \
  --ca-cert-file=$CA_FILE_PATH

    If you are using the 5681 port, change the schema to http://. If you want to skip CP verification, use --skip-verify instead of --ca-cert-file.

Generate user tokens

To generate user tokens, you must provide the credentials of a user authorized to generate user tokens. If you have configured kumactl with an admin user token, you can use the following command to create a user token:

kumactl generate user-token \
  --name john \
  --group team-a \
  --valid-for 24h

With the API, you must provide a token in the Authorization header:

curl localhost:5681/tokens/user \
  -H'authorization: Bearer eyJhbGc...' \
  -H'content-type: application/json' \
  --data '{"name": "john","groups": ["team-a"], "validFor": "24h"}'

Revoke user tokens

Kong Mesh doesn’t keep a list of issued tokens. To invalidate a token, you must add it to the revocation list.

Every token has its own ID under the jti key. You can extract the ID from the token using jwt.io or the jwt-cli tool.

To revoke user tokens, specify a comma-separated list of revoked IDs in a global secret named user-token-revocations.

REVOCATIONS=$(echo '0e120ec9-6b42-495d-9758-07b59fe86fb9' | base64) && echo "apiVersion: v1
kind: Secret
metadata:
  name: user-token-revocations
  namespace: kong-mesh-system 
data:
  value: $REVOCATIONS
type: system.kuma.io/global-secret" | kubectl apply -f -

Rotate the signing key

A user token is signed by a signing key which is autogenerated on the first start of the control plane.

If the signing key is compromised, you must rotate it. You must also rotate all the tokens that were signed by it.

  1. Generate a new signing key. The signing key is stored as a global secret named in the following format: user-token-signing-key-<serial_number>.

    When generating a new signing key, assign it a serial number greater than the current key’s serial number.

    Get the current key’s serial number:

    kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/global-secret'
NAME                       TYPE                           DATA   AGE
user-token-signing-key-1   system.kuma.io/global-secret   1      25m

    In this example, the highest serial number is 1.

    Generate a new signing key with a serial number of 2:

    TOKEN="$(kumactl generate signing-key)" && echo "
apiVersion: v1
data:
  value: $TOKEN
kind: Secret
metadata:
  name: user-token-signing-key-2
  namespace: kong-mesh-system
type: system.kuma.io/global-secret
" | kubectl apply -f -

  2. Generate new tokens. New tokens are generated with the signing key that has the highest serial number. At this point, tokens signed by either the new or old signing key are valid.

  3. Remove the old signing key:

    kubectl delete secret user-token-signing-key-1 -n kong-mesh-system

    All new connections to the control plane now require tokens signed with the new signing key.

Disable the admin user token

You can remove the default admin user token from storage and prevent it from being recreated. Keep in mind that removing the admin user token doesn’t remove the signing key. Anyone with access to the signing key can generate a new admin token.

  1. Delete the admin-user-token secret 
    kubectl delete secret admin-user-token -n kuma-namespace
  2. Disable the token bootstrap by configuring your control plane with the KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN variable set to false.

Offline token issuing

In addition to the regular flow of generating signing keys, storing them in a secret, and using them to sign tokens on the control plane, Kong Mesh also offers offline signing of tokens.

In this flow, you can generate a pair of public and private keys and configure the control plane only with public keys for token verification. You can generate all the tokens without running the control plane.

The advantages of this mode are:

  • It allows for easier and more reproducible deployments of the control plane, and it’s more in line with GitOps.
  • It’s a potentially more secure setup, because the control plane doesn’t have access to the private keys.

Here’s how to use offline issuing:

  1. Generate a pair of signing keys:

    kumactl generate signing-key --format=pem > /tmp/key-private.pem
kumactl generate public-key --signing-key-path=/tmp/key-private.pem > /tmp/key-public.pem

    These commands generate standard RSA key of 2048 bits and outputs it in PEM-encoded format. You can use any external tool to generate a pair of keys. The result should look like this:

    cat /tmp/key-private.pem /tmp/key-public.pem 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsS61a79gC4mkr2Ltwi09ajakLyUR8YTkJWzZE805EtTkEn/r
...
htKtzsYA7yGlt364IuDybrP+PlPMSK9cQAmWRRZIcBNsKOODkAgKFA==
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsS61a79gC4mkr2Ltwi09ajakLyUR8YTkJWzZE805EtTkEn/rL2u/
...
se7sx2Pt/NPbWFFTMGVFm3A1ueTUoorW+wIDAQAB
-----END RSA PUBLIC KEY-----

  2. Configure the control plane with the public key.

    Configure a control plane with the following settings:

    apiServer:
  authn:
    type: tokens
    tokens:
      enableIssuer: false # disable control plane token issuer that uses secrets
      validator:
        useSecrets: false # do not use signing key stored in secrets to validate the token
        publicKeys:
        - kid: "key-1"
          key: |
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAsS61a79gC4mkr2Ltwi09ajakLyUR8YTkJWzZE805EtTkEn/rL2u/
            ...
            se7sx2Pt/NPbWFFTMGVFm3A1ueTUoorW+wIDAQAB
            -----END RSA PUBLIC KEY-----

  3. Use the private key to issue tokens offline:

    kumactl generate user-token \
  --name john.doe@example.com \
  --group users \
  --valid-for 24h \
  --signing-key-path /tmp/key-private.pem \
  --kid key-1

    The command is the same as with online signing, but with two additional arguments:

    • --kid: The ID of the key that should be used to validate the token. This should match kid specified in the control plane configuration.
    • --signing-key-path: The path to a PEM-encoded private key.

    You can also use any external system that can issue JWT tokens using RS256 signing method with the following claims:

    • Name: The name of the user.
    • Groups: The list of user groups.

Migration

You can use both offline and online issuing by setting apiServer.authn.tokens.enableIssuer to true. You can use both secrets and public key static config validators by setting apiServer.authn.tokens.validator.useSecrets to true.

Management

Token revocation works the same when using both online and offline issuing.

Signing key rotation works similarly:

  1. Generate another pair of signing keys.
  2. Configure a control plane with old and new public keys.
  3. Regenerate all tokens with the new private key.
  4. Remove the old public key from the configuration.

Multi-zone

In multi-zone mode, users execute a majority of actions on the global control plane. However, some actions such as generating data plane tokens, are available on the zone control plane. The global control plane doesn’t propagate authentication credentials to the zone control plane. You can set up consistent user tokens across the whole environment by manually copying signing keys from the global control plane to zone control planes.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support