For UI setup instructions to install Kong Ingress Controller on Konnect, use the Gateway Manager setup UI.
To create a Kong Ingress Controller in Konnect deployment, you need the following items:
- A Kong Ingress Controller Control Plane, including the Control Plane URL
- An mTLS certificate for Kong Ingress Controller to talk to Konnect
Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:
CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
  -H "Authorization: Bearer $KONNECT_TOKEN" \
  --json '{
    "name": "My KIC CP",
    "cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
  }')
We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:
CONTROL_PLANE_ID=$(echo "$CONTROL_PLANE_DETAILS" | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo "$CONTROL_PLANE_DETAILS" | jq -r '.config.telemetry_endpoint | sub("https://";"")')
Kong Ingress Controller talks to Konnect over a connection secured with TLS certificates.
Generate a new certificate using openssl:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
The certificate needs to be a single-line string to send it to the Konnect API with curl. Use awk to format the certificate:
export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);
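The jq and awk steps above fail silently: if the API call was rejected, `jq -r .id` prints the string `null`, and that value would be written into values.yaml unchanged. The following pre-flight check is an added example, not part of the Kong documentation; the function names are hypothetical, and it assumes control plane IDs are lowercase UUIDs.

```sh
#!/bin/sh
# Added example: validate the variables built in the steps above before using them.
# Assumption: control plane IDs are lowercase UUIDs; adjust the pattern if yours differ.

check_control_plane_id() {
  # Rejects "null" (jq -r output for a missing .id) and empty values
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

check_telemetry_host() {
  # Must be a bare hostname: values.yaml appends ":443" itself, so a leftover
  # scheme, path or port would produce a broken endpoint
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

check_cert_oneline() {
  # Expect one physical line, with literal \n escapes between the PEM lines
  nl='
'
  case "$1" in
    *"$nl"*) return 1 ;;
    '-----BEGIN CERTIFICATE-----\n'*'-----END CERTIFICATE-----\n') return 0 ;;
  esac
  return 1
}

konnect_preflight() {
  # Writes one line per problem to stderr; returns non-zero if any check failed
  rc=0
  check_control_plane_id "$1" || { printf 'CONTROL_PLANE_ID invalid: %s\n' "$1" >&2; rc=1; }
  check_telemetry_host "$2" || { printf 'CONTROL_PLANE_TELEMETRY invalid: %s\n' "$2" >&2; rc=1; }
  check_cert_oneline "$3" || { printf 'CERT is not a single-line PEM string\n' >&2; rc=1; }
  return $rc
}

# Usage: konnect_preflight "$CONTROL_PLANE_ID" "$CONTROL_PLANE_TELEMETRY" "$CERT"
```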
Next, upload the certificate to Konnect:
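# "$CERT" is double-quoted so the shell does not split it on the spaces in the PEM header and footer
curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
  -H "Authorization: Bearer $KONNECT_TOKEN" \
  --json '{
    "cert": "'"$CERT"'"
  }'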
Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:
kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key
Kong Ingress Controller must be configured to send its configuration to Konnect. Create a values.yaml file by copying and pasting the following command into your terminal:
echo 'controller:
  ingressController:
    image:
      tag: "3.4"
    env:
      feature_gates: "FillIDs=true"
    konnect:
      license:
        enabled: true
      enabled: true
      controlPlaneID: "'$CONTROL_PLANE_ID'"
      tlsClientCertSecretName: konnect-client-tls
      apiHostname: "us.kic.api.konghq.com"
gateway:
  image:
    repository: kong/kong-gateway
    tag: "3.11"
  env:
    konnect_mode: "on"
    vitals: "off"
    cluster_mtls: pki
    cluster_telemetry_endpoint: "'$CONTROL_PLANE_TELEMETRY':443"
    cluster_telemetry_server_name: "'$CONTROL_PLANE_TELEMETRY'"
    cluster_cert: /etc/secrets/konnect-client-tls/tls.crt
    cluster_cert_key: /etc/secrets/konnect-client-tls/tls.key
    lua_ssl_trusted_certificate: system
    proxy_access_log: "off"
    dns_stale_ttl: "3600"
  resources:
    requests:
      cpu: 1
      memory: "2Gi"
  secretVolumes:
    - konnect-client-tls' > values.yaml