Kong Authorizer configuration reference
Learn how to configure Kong Authorizer to adjust authorizer's settings to your needs.
Configuring Kong Authorizer
The Kong Authorizer can be configured with a file in YAML format, or via environment variables. To generate a template configuration file that is populated with default settings, you can use a Docker image and pipe the output to a configuration file:
docker run --rm docker.cloudentity.io/kong-authorizer reference > reference_config.yaml
You can use the reference configuration as a basis for your customization. You can omit settings for which the default configuration is satisfactory, specifying only the required values, which are the client ID, client secret, issuer URL, and Kong admin URL parameters.
ACP_CLIENT_ID: {your_client_id}
ACP_CLIENT_SECRET: {your_client_secret}
ACP_ISSUER_URL: https://{tid}.us.authz.stage.cloudentity.io/{tid}/system
KONG_ADMIN_URL: http://kong-acp:8001
Environment variables can also be used to set these configuration values. The environment variable’s name
are the uppercase version of the YAML name. For example, in the docker-compose.yml
that you downloaded,
you can set the ACP_CLIENT_ID
via the environment variable ACP_CLIENT_ID
:
environment:
- ACP_CLIENT_ID=${CLIENT_ID}
- ACP_CLIENT_SECRET=${CLIENT_SECRET}
- ACP_ISSUER_URL=${ISSUER_URL}
- ACP_TLS_CLIENT_INSECURE_SKIP_VERIFY=TRUE
- KONG_ADMIN_URL=${KONG_ADMIN_URL}
- KONG_TLS_CLIENT_INSECURE_SKIP_VERIFY=TRUE
- SERVER_LISTENER_PORT=9003
Tip
Note that nested YAML settings can be accessed by joining uppercased names with underscores, as shown in the example above, where the
SERVER_LISTENER_PORT=9003
parameter is set.
To run the kong authorizer with a configuration file, use the --config
option to specify
the YAML file with your configuration.
For example, assuming that you have created a kong_config.yaml
file in your current
directory your docker run
command would look like the following:
docker run --rm --volume `pwd`:/config:ro docker.cloudentity.io/kong-authorizer --config /config/kong_config.yaml
Configuration reference
# acp
acp:
reload_interval: 1m0s # reload interval
reload_timeout: 30s # reload configuration timeout
issuer_url: https://localhost:8443/sample/system # issuer url
client_id: bqesdrc4m4co2s81mpu0 # client id
client_secret: LH6mAb6PNljvjYMIF-A5RP2bElA5a5bnQah8sG0fsLA # client secret
tenant_id: "" # tenant id
server_id: "" # server id
# http client
http_client:
timeout: 10s # http client timeout
retry_wait_min: 0s # minimum time to wait between retries
retry_wait_max: 0s # maximum time to wait between retries
retry_max: 0 # maximum number of retries
root_ca: "" # root ca that this client should trust (defaults to system root ca)
insecure_skip_verify: false # disable cert verification
disable_follow_redirects: false # disable follow redirects
disable_retry: true # disable retry
# analytics
analytics:
enabled: true # when enabled, events are sent to audit log
# sampling
sampling:
probability: 1 # Probability of an event to be published (0.0-1.0)
batch_inverval: 1s # Max duration to wait for a batch to publish
batch_limit: 100 # Max number of events in a batch
limit: 5 # Max number of batches per second to be published
timeout: 5s # Timeout for a single batch to send
workers: 8 # Number of sending workers
# cache
cache:
ttl: 10s # ttl
max_size: 100 # max size
# logging config
logging:
level: info # log level severity
# token echange config
token_exchange:
enabled: false # enable token exchange (temporary until acp 2.0 is released)
# cache
cache:
ttl: 1m0s # ttl
max_size: 1000 # max size
do_not_fail_on_non_matching_requests: false # don't fail when the request has no matching rule
# http server
http_server:
port: 9003 # http port
dangerous_disable_tls: false # diables TLS
# certificate configuration
certificate:
password: "" # key passphrase
cert_path: "" # path to the certificate PEM file
key_path: "" # path to the key PEM file
cert: "" # base64 encoded cert PEM
key: "" # base64 encoded key PEM
generated_key_type: ecdsa # type for generated key if cert and key are not provided (rsa or ecda)
client_auth_type: 0 # client auth type
# kong
kong:
admin_url: "" # kong admin url
# http client used for admin url
http_client:
timeout: 0s # http client timeout
retry_wait_min: 0s # minimum time to wait between retries
retry_wait_max: 0s # maximum time to wait between retries
retry_max: 0 # maximum number of retries
root_ca: "" # root ca that this client should trust (defaults to system root ca)
insecure_skip_verify: true # disable cert verification
disable_follow_redirects: false # disable follow redirects
disable_retry: false # disable retry