Provide the spec.clientAuth.certificateSecret field when defining your KonnectExtension resource.
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com
helm repo update
Install Kong Gateway Operator using Helm:
helm upgrade --install kong-operator kong/kong-operator -n kong-system \
--create-namespace \
--set image.tag=2.0.2 \
--set env.ENABLE_CONTROLLER_KONNECT=true
If you want cert-manager to issue and rotate the admission and conversion webhook certificates, install cert-manager to your cluster and enable cert-manager integration by passing the following argument while installing:
--set global.webhooks.options.certManager.enabled=true
If you do not enable this, the chart will generate and inject self-signed certificates automatically. We recommend enabling cert-manager to manage the lifecycle of these certificates.
kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: kong
spec:
  type: token
  token: "'$KONNECT_TOKEN'"
  serverURL: us.api.konghq.com
' | kubectl apply -f -
echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha2
metadata:
  name: gateway-control-plane
  namespace: kong
spec:
  createControlPlaneRequest:
    name: gateway-control-plane
  konnect:
    authRef:
      name: konnect-api-auth
' | kubectl apply -f -
Kong Gateway Operator generates TLS certificates to enable Kong Gateway to authenticate with Konnect. By default, Kong Gateway Operator will act as its own CA. If you would prefer to use your own CA, upload the CA certificate as a Kubernetes secret.
Generate a new certificate and key:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
Create a Kubernetes secret that contains the certificate:
kubectl create -n kong secret tls konnect-client-tls --cert=./tls.crt --key=./tls.key
Label the secret to tell Kong Gateway Operator to reconcile it:
kubectl label -n kong secret konnect-client-tls konghq.com/konnect-dp-cert=true
Kong Gateway Operator inspects the spec.clientAuth.certificateSecret field to decide how to provision certificates. Create a KonnectExtension with spec.clientAuth.certificateSecret.provisioning: Manual:
echo '
kind: KonnectExtension
apiVersion: konnect.konghq.com/v1alpha2
metadata:
  name: my-konnect-config
  namespace: kong
spec:
  clientAuth:
    certificateSecret:
      provisioning: Manual
      secretRef:
        name: konnect-client-tls
  konnect:
    controlPlane:
      ref:
        type: konnectNamespacedRef
        konnectNamespacedRef:
          name: gateway-control-plane' | kubectl apply -f -
To ensure that the correct certificate has been used, fetch the Data Plane certificate from the Konnect API.
Fetch the Control Plane ID:
CONTROL_PLANE_ID=$(kubectl get -n kong konnectgatewaycontrolplanes.konnect.konghq.com gateway-control-plane -o yaml | yq .status.id)
Fetch the client certificate:
DP_CERT=$( curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
-H "Authorization: Bearer $KONNECT_TOKEN" | jq -r '.items[].cert')
To validate that the correct CA certificate has been used, you can diff the local certificate with the one from the API (quote the variable so the PEM line breaks are preserved in the file):
echo "$DP_CERT" > dp.crt
diff -u tls.crt dp.crt
Check the return code of the command to make sure it completed successfully:
if [[ $? -ne 0 ]]; then
echo "Did not receive the expected return code"
fi
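A textual diff of the PEM files is brittle: the dp-client-certificates endpoint returns a list, so `.items[].cert` may contain more than one certificate, and a CRLF line ending or trailing newline makes `diff` report a mismatch for an identical certificate. The following Python, added here as an example and not part of the Kong documentation, compares the local tls.crt against every item in the API response by SHA-256 fingerprint of the decoded DER bytes instead. The certificate bytes and the API response are constructed samples (not real X.509 data); the JSON shape `{"items": [{"cert": ...}]}` is taken from the jq filter used above.

```python
import base64
import hashlib
import json
import re

# One PEM CERTIFICATE block; re.S lets the body span lines (LF or CRLF).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Decode the first CERTIFICATE block in pem to DER bytes; whitespace and CR are ignored."""
    bodies = PEM_RE.findall(pem)
    if not bodies:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(bodies[0].split()))


def sha256_fingerprint(pem):
    """Hex SHA-256 over the DER encoding, i.e. what openssl x509 -fingerprint -sha256 prints."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def find_matching_dp_cert(local_pem, api_response_json):
    """Return the index of the items[] entry whose cert matches local_pem, or None.

    Entries that are missing a cert or are not valid PEM are skipped rather than fatal.
    """
    want = sha256_fingerprint(local_pem)
    for idx, item in enumerate(json.loads(api_response_json).get("items", [])):
        try:
            if sha256_fingerprint(item["cert"]) == want:
                return idx
        except (KeyError, TypeError, ValueError):
            continue
    return None


def _make_pem(der, newline="\n"):
    """Wrap arbitrary bytes in PEM armor (64-char lines). Test helper only."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + newline


# Constructed sample data: placeholder bytes, not real certificates.
LOCAL_TLS_CRT = _make_pem(bytes(range(100)))                       # what we created with openssl
OTHER_DP_CERT = _make_pem(bytes(range(100, 200)))                  # a different DP certificate
SAME_CERT_CRLF = _make_pem(bytes(range(100)), newline="\r\n")      # ours, re-serialised with CRLF
API_RESPONSE = json.dumps({"items": [{"cert": OTHER_DP_CERT}, {"cert": SAME_CERT_CRLF}]})

if __name__ == "__main__":
    print("textual diff would say identical:", LOCAL_TLS_CRT == SAME_CERT_CRLF)  # False
    print("matching item index:", find_matching_dp_cert(LOCAL_TLS_CRT, API_RESPONSE))  # 1
```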