Create a control plane
Define a KonnectGatewayControlPlane to point to your Konnect instance, and a KonnectExtension to bind your Data Plane or Gateway to it.
Prerequisites
Series Prerequisites
This page is part of the Get started with Kong Operator and Konnect CRDs series.
Complete the previous page, Create API Authentication before completing this page.
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'Copied!
Create a KonnectAPIAuthConfiguration resource
kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
name: konnect-api-auth
namespace: kong
spec:
type: token
token: "'$KONNECT_TOKEN'"
serverURL: us.api.konghq.com
' | kubectl apply -f -
Create a KonnectGatewayControlPlane
Use the KonnectGatewayControlPlane resource to define the Konnect control plane that your CRDs will target. This enables your cluster to send configuration to Konnect.
Apply the following configuration to define a Control Plane named gateway-control-plane:
echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha2
metadata:
name: gateway-control-plane
namespace: kong
spec:
createControlPlaneRequest:
name: gateway-control-plane
konnect:
authRef:
name: konnect-api-auth
' | kubectl apply -f -
This resource links your cluster to a specific control plane instance in Konnect using the credentials provided in konnect-api-auth.
Make sure that the
KonnectGatewayControlPlaneresource is in the same namespace as theKonnectAPIAuthConfigurationresource.
Bind the control plane using a KonnectExtension
To finalize the connection between your cluster and the Konnect control plane, create a KonnectExtension object. This resource binds your local Gateway or data plane to the Konnect control plane you’ve defined.
echo '
kind: KonnectExtension
apiVersion: konnect.konghq.com/v1alpha2
metadata:
name: my-konnect-config
namespace: kong
spec:
clientAuth:
certificateSecret:
provisioning: Automatic
konnect:
controlPlane:
ref:
type: konnectNamespacedRef
konnectNamespacedRef:
name: gateway-control-plane
' | kubectl apply -f -
The KonnectExtension resource handles automatic certificate generation and establishes secure communication between your cluster and Konnect.
Deploy a Dataplane
The Dataplane is the listener that will accept requests, and route traffic to your Kubernetes services.
echo '
apiVersion: gateway-operator.konghq.com/v1beta1
kind: DataPlane
metadata:
name: dataplane
namespace: kong
spec:
extensions:
- kind: KonnectExtension
name: my-konnect-config
group: konnect.konghq.com
deployment:
podTemplateSpec:
spec:
containers:
- name: proxy
image: kong/kong-gateway:3.13
readinessProbe:
initialDelaySeconds: 1
periodSeconds: 1' | kubectl apply -f -
Validation
You can verify the KonnectGatewayControlPlane was reconciled successfully by checking its Programmed condition.
kubectl get -n kong konnectgatewaycontrolplane gateway-control-plane \
-o=jsonpath='{.status.conditions[?(@.type=="Programmed")]}' | jq
The output should look similar to this:
{
"observedGeneration": 1,
"reason": "Programmed",
"status": "True",
"type": "Programmed"
}
Once these resources are in place, your cluster is connected to Konnect and can begin managing entities such as KongService, KongRoute, and KongPlugin.