Use a Custom CA Certificate

Uses: Kong Gateway Operator
Incompatible with: on-prem
TL;DR

Provide the spec.clientAuth.certificateSecret field when defining your KonnectExtension resource, pointing it at a Kubernetes TLS secret that holds your own CA certificate.

Prerequisites

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'

  3. Add the Kong Helm charts:

    helm repo add kong https://charts.konghq.com
    helm repo update

  4. Create a kong namespace:

    kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -

  5. Install Kong Gateway Operator using Helm (the chart is installed into the kong-system namespace, created here if it does not already exist):

    helm upgrade --install kgo kong/gateway-operator -n kong-system --create-namespace \
      --set image.tag=1.5 \
      --set kubernetes-configuration-crds.enabled=true \
      --set env.ENABLE_CONTROLLER_KONNECT=true

Create the Konnect API authentication configuration (using the token set above) and a Konnect control plane that references it:

kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: kong
spec:
  type: token
  token: "'$KONNECT_TOKEN'"
  serverURL: us.api.konghq.com
' | kubectl apply -f -
echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: gateway-control-plane
  namespace: kong
spec:
  name: gateway-control-plane
  konnect:
    authRef:
      name: konnect-api-auth
' | kubectl apply -f -

Use a custom CA certificate

Kong Gateway Operator generates TLS certificates to enable Kong Gateway to authenticate with Konnect. By default, Kong Gateway Operator will act as its own CA. If you would prefer to use your own CA, upload the CA certificate as a Kubernetes secret.

Generate a certificate

  1. Generate a new certificate and key:

     openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
    
  2. Create a Kubernetes secret that contains the certificate:

     kubectl create -n kong secret tls konnect-client-tls --cert=./tls.crt --key=./tls.key
    
  3. Label the secret to tell Kong Gateway Operator to reconcile it:

     kubectl label -n kong secret konnect-client-tls konghq.com/konnect-dp-cert=true
    

Create a KonnectExtension

Kong Gateway Operator inspects the spec.clientAuth.certificateSecret field to decide how to provision certificates. Create a KonnectExtension with spec.clientAuth.certificateSecret.provisioning: Manual and a secretRef that names the secret you labelled above:

echo '
kind: KonnectExtension
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: my-konnect-config
  namespace: kong
spec:
  clientAuth:
    certificateSecret:
      provisioning: Manual
      secretRef:
        name: konnect-client-tls
  konnect:
    controlPlane:
      ref:
        type: konnectNamespacedRef
        konnectNamespacedRef:
          name: gateway-control-plane' | kubectl apply -f -

Validate your configuration

To ensure that the correct certificate has been used, fetch the Data Plane certificate from the Konnect API.

Fetch the Control Plane ID:

CONTROL_PLANE_ID=$(kubectl get -n kong konnectgatewaycontrolplanes.konnect.konghq.com gateway-control-plane -o yaml | yq .status.id)

Fetch the client certificate:

DP_CERT=$(curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" | jq -r '.items[].cert')

To validate that the correct CA certificate has been used, diff the local certificate against the one returned by the API. Quote the variable when writing it out; an unquoted echo collapses the PEM line breaks and the diff fails even when the certificates are identical:

echo "$DP_CERT" > dp.crt
diff -u tls.crt dp.crt

Check the return code of the diff command to make sure it completed successfully (diff exits 0 only when the two files are identical, so test $? immediately after it runs):

if [[ $? -ne 0 ]]; then
  echo "Did not receive the expected return code"
fi
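A text diff is brittle: the API may return more than one certificate, and any whitespace difference breaks it. As an added example (not from Kong's documentation or the operator), the Python below compares SHA-256 fingerprints of the DER encoding instead, the same value openssl x509 -noout -fingerprint -sha256 prints, tolerating collapsed line breaks and checking every item the dp-client-certificates response carries. The sample PEM bodies are constructed bytes, not real certificates; the response shape {"items": [{"cert": ...}]} is the one the curl command above reads.

```python
import base64
import hashlib
import json
import re
import textwrap

# Matches the first PEM certificate block; re.S lets the body span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to DER bytes.

    Whitespace inside the base64 body is dropped first, so a PEM whose line
    breaks were collapsed (as an unquoted `echo $DP_CERT` does) still decodes.
    """
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 of the DER encoding, colon-separated like the output of
    `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def dp_cert_matches(local_pem: str, api_response: str) -> bool:
    """True if any cert in a /dp-client-certificates response, shaped
    {"items": [{"cert": "<PEM>"}, ...]}, has the local cert's fingerprint."""
    wanted = fingerprint_sha256(local_pem)
    items = json.loads(api_response).get("items", [])
    return any(fingerprint_sha256(item["cert"]) == wanted for item in items)


def _pem_from_bytes(der: bytes) -> str:
    """Wrap constructed bytes in PEM armour: a test fixture, not a real cert."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: the local tls.crt, an unrelated cert, and a Konnect
# API response carrying the local cert with its line breaks collapsed.
LOCAL_CERT = _pem_from_bytes(bytes(range(120)))
OTHER_CERT = _pem_from_bytes(bytes(reversed(range(120))))
SAMPLE_API_RESPONSE = json.dumps(
    {"items": [{"id": "dp-cert-example", "cert": LOCAL_CERT.replace("\n", " ")}]})
```

Against a real cluster, call dp_cert_matches with the contents of tls.crt and the JSON body the curl command above returns (before piping it through jq).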