Configure an AWS Secrets Manager Vault

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

1. The following Konnect items are required to complete this tutorial:
   • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

2. Set the personal access token as an environment variable:

   export KONNECT_TOKEN='YOUR KONNECT TOKEN'
   

This tutorial requires at least one secret in AWS Secrets Manager. In this example, the secret is named my-aws-secret and contains a key/value pair in which the key is token.

You will also need the following authentication information to connect your AWS Secrets Manager with Kong Gateway Enterprise:

• Your access key ID
• Your secret access key
• Your session token
• Your AWS region, us-east-1 in this example

export AWS_ACCESS_KEY_ID='YOUR AWS ACCESS KEY ID'
export AWS_SECRET_ACCESS_KEY='YOUR AWS SECRET ACCESS KEY'

If you get an error stating “The security token included in the request is invalid”, you need to set the AWS_SESSION_TOKEN environment variable.

Note that these variables need to be provided in customEnv in your values.yaml file below too

Alternative connection methods such as assume role and how to use an aws_session_token can be found on the AWS Secrets Manager page

Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:

CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "My KIC CP",
       "cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
     }')

We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:

CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')

Create mTLS certificates

Kong Ingress Controller talks to Konnect over a connected secured with TLS certificates.

Generate a new certificate using openssl:

openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt

The certificate needs to be a single line string to send it to the Konnect API with curl. Use awk to format the certificate:

export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);

Next, upload the certificate to Konnect:

curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "cert": "'$CERT'"
     }'

Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:

kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key

1. Add the Kong Helm charts:

   helm repo add kong https://charts.konghq.com
   helm repo update
   

2. Create a file named license.json containing your Kong Gateway Enterprise license and store it in a Kubernetes secret:

   kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
   kubectl create secret generic kong-enterprise-license --from-file=license=./license.json -n kong
   

3. Create a values.yaml file:

   cat <<EOF > values.yaml
   gateway:
     image:
       repository: kong/kong-gateway
     env:
       LICENSE_DATA:
         valueFrom:
           secretKeyRef:
             name: kong-enterprise-license
             key: license
     customEnv:
       AWS_ACCESS_KEY_ID: '$AWS_ACCESS_KEY_ID'
       AWS_SECRET_ACCESS_KEY: '$AWS_SECRET_ACCESS_KEY'
   EOF
   

4. Install Kong Ingress Controller using Helm:

   helm install kong kong/ingress -n kong --create-namespace --values ./values.yaml