Kong Data Plane instances can be configured in Konnect using the KonnectExtension resource. This resource can be used to provision isolated DataPlanes (Hybrid mode) or pairs of ControlPlanes and DataPlanes (Kong Ingress Controller mode).
The KonnectExtension resource can be referenced by ControlPlanes, DataPlanes, or GatewayConfigurations from the extension point in their spec. Dedicated guides will guide you to through these kinds of setup.
KonnectExtension can be attached to Konnect ControlPlanes of type Hybrid or KIC. This reference can be performed in two different ways: via Konnect ID or via Kubernetes object reference to an in cluster KonnectGatewayControlPlane.
The Konnect Control Plane can be referenced by its ID, without having any KonnectGatewayControlPlane resource deployed in the cluster. The Control Plane ID can be fetched by the Konnect UI, in the Control Plane page. With this configuration, the KonnectExtension object requires to have the konnect.configuration.authref field set, as follows in the snippet below:
spec:
konnect:
controlPlane:
ref:
type: konnectID
konnectID: a6554c4c-79a6-4db7-b7a4-201c0cf746ba # The Konnect controlPlane ID
configuration:
authRef:
name: konnect-api-auth # Reference to the KonnectAPIAuthConfiguration object
The authRef.name fields refers to an object of type KonnectAPIAuthConfiguration that needs to exist in the same namespace as the KonnectExtension. Such objects contains all the data (server, token, etc.) to interact with konnect.
Alternatively, the KonnectExtension can reference an object in the cluster. This reference allows to attach the DataPlanes to the Konnect Control Plane via a local object (a.k.a. KonnectGatewayControlPlane). When this type of reference is used, the KonnectAPIAuthConfiguration data is inferred by the KonnectGatewayControlPlane objects. For this reason, it’s not possible to set the konnect.configuration.authref field in this scenario.
spec:
konnect:
controlPlane:
ref:
type: konnectNamespacedRef
konnectNamespacedRef:
name: gateway-control-plane # The KonnectGatewayControlPlane resource name
The DataPlane, in order to be configured in Konnect, needs a client certificate. This certificate can be manually created and managed by the user, or automatically provisioned by Kong Gateway Operator.
In order to manually create and set up a certificate to be used for Konnect DataPlanes, you can perform type the following commands:
Generate a new certificate and key:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
Create a Kubernetes secret that contains the previously created certificate:
kubectl create secret tls konnect-client-tls --cert=./tls.crt --key=./tls.key
Label the secret to tell Kong Gateway Operator to reconcile it:
kubectl label secret konnect-client-tls konghq.com/konnect-dp-cert=true
Once the secret containing your certificate has been created in the cluster, you can set up your KonnectExtension as follows:
spec:
clientAuth:
certificateSecret:
provisioning: Manual
secretRef:
name: konnect-client-tls # The name of the secret containing your certificate
Alternatively, you can leave the certificate provisioning and management to Kong Gateway Operator, which will take care of creating a new certificate, write it into a Kubernetes Secret and manage the Secret’s lifecycle on behalf of you. To do so, you can configure a KonnectExtension as follows:
spec:
clientAuth:
certificateSecret:
provisioning: Automatic
or you can just leave the spec.clientAuth field empty, and the automatic provisioning will be used as the default value.
Multiple labels can be configured to the Konnect DataPlane via the following field:
spec:
konnect:
dataPlane:
foo: bar
foo2: bar2
Please note that the amount of labels that can be set on DataPlanes via KonnectExtension is limited to 5.