Kong Ingress Controller allows you to populate individual plugin configuration fields from a Kubernetes secret.
The configPatches field in the KongPlugin resource allows you to set a path to a field in the KongPlugin and a valueFrom that points to a Kubernetes secret (and its field) that the configuration field value should be loaded from.
In the previous Redis rate-limiting example, only the redis_password field is sensitive. Instead of storing the whole configuration in a secret, use configPatches to patch a single key:
Create a Kubernetes secret that contains a password field:
echo "
apiVersion: v1
kind: Secret
metadata:
  name: rate-limit-redis
stringData:
  password: '\"PASSWORD\"' # The string fields require the value to be quoted in double quotation marks.
type: Opaque" | kubectl apply -f -
Define a new rate limiting KongPlugin resource. The majority of the configuration is provided under the config key. The redis_password field is populated from the password field in the rate-limit-redis secret using configPatches:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-example
plugin: rate-limiting
config: # You can define the non-sensitive part of the config explicitly here.
  minute: 10
  policy: redis
  redis_host: redis-master
configPatches:
  - path: /redis_password # This is the path to the field in the plugin's configuration this patch will populate.
    valueFrom:
      secretKeyRef:
        name: rate-limit-redis # This is the name of the secret.
        key: password # This is the key in the secret.
" | kubectl apply -f -
Kong Ingress Controller resolves the referenced secret and builds the complete configuration for the plugin before sending it to Kong Gateway. The complete configuration will look like this:
minute: 10
policy: redis
redis_host: redis-master
redis_password: PASSWORD
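The resolution step described above, as an added example (not Kong Ingress Controller's own code): a simplified Python model that merges configPatches into config. It assumes each secret value is parsed as JSON, which is why the manifest wraps PASSWORD in double quotation marks. The function name and the sample dictionaries are hypothetical.

```python
import json


def resolve_config_patches(config, config_patches, secrets):
    """Return a new config dict with every patch applied (simplified model).

    secrets maps secret name -> {key: string value}, as stringData holds it.
    """
    resolved = json.loads(json.dumps(config))  # deep copy; input stays untouched
    for patch in config_patches:
        ref = patch["valueFrom"]["secretKeyRef"]
        where = f"{ref['name']}/{ref['key']}"
        try:
            raw = secrets[ref["name"]][ref["key"]]
        except KeyError:
            raise ValueError(f"secret {where} not found") from None
        try:
            value = json.loads(raw)  # assumption: the value must be valid JSON
        except json.JSONDecodeError:
            # The message names only the reference, not the secret value.
            raise ValueError(
                f"secret {where} is not valid JSON "
                "(string values need double quotation marks)"
            ) from None
        # Walk the /-separated path; in this model the parents must exist.
        *parents, leaf = patch["path"].lstrip("/").split("/")
        target = resolved
        for part in parents:
            target = target[part]
        target[leaf] = value
    return resolved


# Constructed sample data mirroring the two manifests above.
CONFIG = {"minute": 10, "policy": "redis", "redis_host": "redis-master"}
PATCHES = [{
    "path": "/redis_password",
    "valueFrom": {"secretKeyRef": {"name": "rate-limit-redis", "key": "password"}},
}]
SECRETS = {"rate-limit-redis": {"password": '"PASSWORD"'}}

if __name__ == "__main__":
    print(resolve_config_patches(CONFIG, PATCHES, SECRETS))
```

Under this model, an unquoted value such as PASSWORD is rejected, and an unquoted all-digit value would be read as a number rather than a string.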