Use a Custom CA Certificate
Provide the spec.clientAuth.certificateSecret field when defining your KonnectExtension resource.
Prerequisites
Kong Konnect
If you don't have a Konnect account, you can get started quickly with our onboarding wizard.
The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
- Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Kong Operator running
- Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com
helm repo update
- Install Kong Operator using Helm:
If you want cert-manager to issue and rotate the admission and conversion webhook certificates, install cert-manager in your cluster and enable the cert-manager integration by passing the following argument while installing, in the next step:
--set global.webhooks.options.certManager.enabled=true
If you do not enable this, the chart generates and injects self-signed certificates automatically. We recommend enabling cert-manager to manage the lifecycle of these certificates.
Kong Operator needs a certificate authority to sign the certificate for mTLS communication between the control plane and the data plane. This is handled automatically by the Helm chart. If you need to provide a custom CA certificate, refer to the certificateAuthority section in the values.yaml of the Helm chart to learn how to create and reference your own CA certificate.
helm upgrade --install kong-operator kong/kong-operator -n kong-system \
  --create-namespace \
  --set image.tag=2.1 \
  --set env.ENABLE_CONTROLLER_KONNECT=true
Create a KonnectAPIAuthConfiguration resource
kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: kong
spec:
  type: token
  token: "'$KONNECT_TOKEN'"
  serverURL: us.api.konghq.com
' | kubectl apply -f -
Create a KonnectGatewayControlPlane resource
echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha2
metadata:
  name: gateway-control-plane
  namespace: kong
spec:
  createControlPlaneRequest:
    name: gateway-control-plane
  konnect:
    authRef:
      name: konnect-api-auth
' | kubectl apply -f -
Use a custom CA certificate
Kong Operator generates TLS certificates to enable Kong Gateway to authenticate with Konnect. By default, Kong Operator will act as its own CA. If you would prefer to use your own CA, upload the CA certificate as a Kubernetes secret.
Generate a certificate
- Generate a new certificate and key:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
- Create a Kubernetes secret that contains the previously created certificate:
kubectl create -n kong secret tls konnect-client-tls --cert=./tls.crt --key=./tls.key
- Label the Secret with KO's Secret label selector (default: konghq.com/secret):
kubectl label -n kong secret konnect-client-tls konghq.com/secret=true
- Label the Secret to tell Kong Operator's KonnectExtension controller to reconcile it:
kubectl label -n kong secret konnect-client-tls konghq.com/konnect-dp-cert=true
Create a KonnectExtension
Kong Operator inspects the spec.clientAuth.certificateSecret to decide how to provision certificates. Create a KonnectExtension with spec.clientAuth.certificateSecret.provisioning: Manual:
echo '
kind: KonnectExtension
apiVersion: konnect.konghq.com/v1alpha2
metadata:
  name: my-konnect-config
  namespace: kong
spec:
  clientAuth:
    certificateSecret:
      provisioning: Manual
      secretRef:
        name: konnect-client-tls
  konnect:
    controlPlane:
      ref:
        type: konnectNamespacedRef
        konnectNamespacedRef:
          name: gateway-control-plane
' | kubectl apply -f -
Validate your configuration
To ensure that the correct certificate has been used, fetch the Data Plane certificate from the Konnect API.
Fetch the Control Plane ID:
CONTROL_PLANE_ID=$(kubectl get -n kong konnectgatewaycontrolplanes.konnect.konghq.com gateway-control-plane -o yaml | yq .status.id)
Fetch the client certificate:
DP_CERT=$(curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
  --no-progress-meter --fail-with-body \
  -H "Authorization: Bearer $KONNECT_TOKEN" | jq -r ".items[].cert"
)
To validate that the correct CA certificate has been used, you can diff the local certificate with the one from the API (quote the variable so the PEM line breaks are preserved):
echo "$DP_CERT" > dp.crt
diff -u tls.crt dp.crt
Check the return code of the command to make sure it completed successfully:
if [[ $? -ne 0 ]]; then
  echo "Did not receive the expected return code"
fi
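The following is an added example, not Kong's own tooling, that serves two steps on this page: the Secret labelling steps under "Generate a certificate" and the validation above. It checks that the konnect-client-tls Secret has the type and the two labels the page requires before the KonnectExtension is created, and it validates the Data Plane certificate by comparing SHA-256 fingerprints of the decoded DER rather than a textual diff, so it keeps working when dp-client-certificates returns several items or when an unquoted shell variable collapses the PEM line breaks. It assumes a Secret document in the shape `kubectl get secret -o json` prints and an API body with the `.items[].cert` fields the page's jq filter extracts; both inputs are constructed samples, and the PEM bodies are placeholder bytes rather than real X.509 certificates, because the checks never parse ASN.1.

```python
"""Preflight check for the Data Plane client-cert Secret and fingerprint-based
validation against the Konnect dp-client-certificates response.
Added example; assumptions and constructed inputs are marked below."""
import base64
import hashlib
import json
import re

# Labels the page's two `kubectl label` steps put on the Secret.
REQUIRED_LABELS = {"konghq.com/secret": "true", "konghq.com/konnect-dp-cert": "true"}

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text):
    """DER bytes of every CERTIFICATE block in pem_text. CRLF, indentation and
    shell-collapsed newlines are tolerated because only the base64 payload is
    decoded; any non-base64 character is rejected by validate=True."""
    return [base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_dp_secret(secret_json):
    """Return a list of problems with the Secret; an empty list means it is
    ready for a KonnectExtension with provisioning: Manual."""
    secret = json.loads(secret_json)
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("type must be kubernetes.io/tls (use `kubectl create secret tls`)")
    labels = secret.get("metadata", {}).get("labels", {})
    for key, value in REQUIRED_LABELS.items():
        if labels.get(key) != value:
            problems.append(f"missing label {key}={value}")
    data = secret.get("data", {})
    for key in ("tls.crt", "tls.key"):
        if key not in data:
            problems.append(f"missing data key {key}")
    if "tls.crt" in data:
        pem = base64.b64decode(data["tls.crt"]).decode()
        if len(pem_to_der_list(pem)) != 1:
            problems.append("tls.crt must hold exactly one certificate")
    return problems


def konnect_dp_fingerprints(api_json):
    """Fingerprints of every cert in the dp-client-certificates response
    (the .items[].cert fields the page's jq filter extracts)."""
    return {sha256_fingerprint(der)
            for item in json.loads(api_json)["items"]
            for der in pem_to_der_list(item["cert"])}


def local_cert_registered(local_pem, api_json):
    """True when the fingerprint of the local tls.crt is among the certs
    Konnect reports for the control plane."""
    local = pem_to_der_list(local_pem)
    if len(local) != 1:
        raise ValueError("expected exactly one certificate in tls.crt")
    return sha256_fingerprint(local[0]) in konnect_dp_fingerprints(api_json)


# ---- constructed samples (not real certificates or cluster output) ---------
def _placeholder_pem(der):
    """Wrap placeholder bytes in PEM armour; constructed, not a real cert."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LOCAL_PEM = _placeholder_pem(b"constructed placeholder DER for ./tls.crt")
OTHER_PEM = _placeholder_pem(b"constructed placeholder DER for another data plane")

SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "konnect-client-tls", "namespace": "kong",
                 "labels": dict(REQUIRED_LABELS)},
    "data": {"tls.crt": base64.b64encode(LOCAL_PEM.encode()).decode(),
             "tls.key": base64.b64encode(b"placeholder key").decode()},
})
# Same Secret with the reconcile label set wrongly, as the controller would see it.
SECRET_JSON_UNLABELLED = SECRET_JSON.replace(
    '"konghq.com/konnect-dp-cert": "true"', '"konghq.com/konnect-dp-cert": "false"')

# Second item mimics `echo $DP_CERT` with the variable unquoted: newlines
# collapsed to spaces, which a textual diff would report as a mismatch.
API_JSON = json.dumps({"items": [
    {"cert": OTHER_PEM},
    {"cert": LOCAL_PEM.replace("\n", " ")},
]})
API_JSON_MISSING = json.dumps({"items": [{"cert": OTHER_PEM}]})

if __name__ == "__main__":
    print("secret problems:", check_dp_secret(SECRET_JSON))
    print("local cert registered:", local_cert_registered(LOCAL_PEM, API_JSON))
```

In practice, feed `check_dp_secret` the output of `kubectl get -n kong secret konnect-client-tls -o json` and `local_cert_registered` the body of the curl call above together with the contents of tls.crt; a fingerprint match confirms the certificate Konnect holds is the one in the Secret, independent of how the PEM was wrapped on the way through the shell.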