Add this section to your declarative configuration file:
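# decK declarative configuration that enables the acme plugin and stores its
# data in Vault (storage: vault). Nesting is restored here: YAML structure is
# carried by indentation, so the flattened form does not load as intended.
# Account and host values are read from DECK_* environment variables when decK
# renders the file, which keeps them out of the file itself.
_format_version: "3.0"
plugins:
  - name: acme
    config:
      account_email: ${{ env "DECK_EMAIL" }}
      account_key:
        key_id: ${{ env "DECK_KEY_ID" }}
        key_set: ${{ env "DECK_KEY_SET" }}
      domains:
        - ${{ env "DECK_DOMAIN" }}
      tos_accepted: true
      storage: vault
      storage_config:
        vault:
          host: ${{ env "DECK_HCV_HOST" }}
          port: 8200
          kv_path: acme
          timeout: 2000
          # Plain HTTP to Vault: the Vault credential and the stored ACME data
          # cross the network unencrypted. Use `https: true` for any Vault that
          # is not reached over a trusted local link.
          https: false
          # Only takes effect once https is true.
          tls_verify: true
          # YAML reads `nil` as the literal string "nil", not as "unset".
          # It looks like a documentation placeholder here and on token and
          # auth_role below; replace or omit these fields (TODO confirm
          # against the plugin schema).
          tls_server_name: nil
          # NOTE(review): auth_path, auth_role and jwt_path look like
          # Kubernetes-auth settings while auth_method is `token`; confirm
          # which method is intended.
          auth_method: token
          # Supply a real token from a secret source (for example another
          # ${{ env "..." }} reference); never commit it to this file.
          token: nil
          auth_path: kubernetes
          auth_role: nil
          jwt_path: ${{ env "DECK_JWT_PATH" }}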
Make the following request:
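# Enable the acme plugin through the Kong Admin API, with Vault as storage.
#
# The Admin API is addressed over plain HTTP on loopback. Keep that listener
# bound to localhost or otherwise access-controlled, since it can reconfigure
# the gateway.
#
# Each $VAR is spliced into the JSON body by the shell. The expansions are
# double-quoted so that whitespace or glob characters in a value stay inside
# the single --data argument. Values are NOT JSON-escaped: a value containing
# a double quote or backslash still yields a malformed or altered body, so
# validate the inputs or build the payload with a JSON-aware tool.
#
# Review notes on the payload:
#   - "https": false sends the Vault credential and ACME data to Vault in
#     clear text, and "tls_verify" only matters once "https" is true.
#   - "tls_server_name", "token" and "auth_role" carry the literal string
#     "nil", which looks like a documentation placeholder rather than an
#     unset value. Replace or drop them (TODO confirm against the schema).
#   - "auth_path"/"jwt_path" look like Kubernetes-auth settings while
#     "auth_method" is "token"; confirm which method is intended.
curl -i -X POST http://localhost:8001/plugins/ \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "acme",
    "config": {
      "account_email": "'"$EMAIL"'",
      "account_key": {
        "key_id": "'"$KEY_ID"'",
        "key_set": "'"$KEY_SET"'"
      },
      "domains": [
        "'"$DOMAIN"'"
      ],
      "tos_accepted": true,
      "storage": "vault",
      "storage_config": {
        "vault": {
          "host": "'"$HCV_HOST"'",
          "port": 8200,
          "kv_path": "acme",
          "timeout": 2000,
          "https": false,
          "tls_verify": true,
          "tls_server_name": "nil",
          "auth_method": "token",
          "token": "nil",
          "auth_path": "kubernetes",
          "auth_role": "nil",
          "jwt_path": "'"$JWT_PATH"'"
        }
      }
    }
  }
  '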
Make the following request:
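# Enable the acme plugin on a Konnect control plane, with Vault as storage.
# Replace {region} and {controlPlaneId} in the URL before running.
#
# $KONNECT_TOKEN is taken from the environment, but the expanded bearer token
# still ends up in curl's argument list. Avoid running this where process
# arguments or shell traces are visible to others (shared hosts, verbose CI
# logs).
#
# Each $VAR is spliced into the JSON body by the shell. The expansions are
# double-quoted so that whitespace or glob characters in a value stay inside
# the single --data argument. Values are NOT JSON-escaped: a value containing
# a double quote or backslash still yields a malformed or altered body, so
# validate the inputs or build the payload with a JSON-aware tool.
#
# Review notes on the payload:
#   - "https": false sends the Vault credential and ACME data to Vault in
#     clear text, and "tls_verify" only matters once "https" is true.
#   - "tls_server_name", "token" and "auth_role" carry the literal string
#     "nil", which looks like a documentation placeholder rather than an
#     unset value. Replace or drop them (TODO confirm against the schema).
#   - "auth_path"/"jwt_path" look like Kubernetes-auth settings while
#     "auth_method" is "token"; confirm which method is intended.
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $KONNECT_TOKEN" \
  --data '
  {
    "name": "acme",
    "config": {
      "account_email": "'"$EMAIL"'",
      "account_key": {
        "key_id": "'"$KEY_ID"'",
        "key_set": "'"$KEY_SET"'"
      },
      "domains": [
        "'"$DOMAIN"'"
      ],
      "tos_accepted": true,
      "storage": "vault",
      "storage_config": {
        "vault": {
          "host": "'"$HCV_HOST"'",
          "port": 8200,
          "kv_path": "acme",
          "timeout": 2000,
          "https": false,
          "tls_verify": true,
          "tls_server_name": "nil",
          "auth_method": "token",
          "token": "nil",
          "auth_path": "kubernetes",
          "auth_role": "nil",
          "jwt_path": "'"$JWT_PATH"'"
        }
      }
    }
  }
  '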
Make sure to replace the following placeholders with your own values:
- `region`: Geographic region where your Kong Konnect is hosted and operates.
- `controlPlaneId`: The ID of the control plane.
- `KONNECT_TOKEN`: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
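# Create a cluster-wide acme plugin (KongClusterPlugin) by piping a manifest
# to kubectl. The manifest's nesting is restored here: YAML structure is
# carried by indentation, so the flattened form does not apply as intended.
#
# The manifest sits in a double-quoted shell string, so $EMAIL, $KEY_ID,
# $KEY_SET, $DOMAIN, $HCV_HOST and $JWT_PATH are expanded by the shell before
# kubectl sees the text. The surrounding single quotes are YAML quoting only:
# a value containing a single quote or a newline changes the manifest's
# structure, so validate these inputs.
#
# Review notes on the config:
#   - https: false sends the Vault credential and ACME data to Vault in clear
#     text, and tls_verify only matters once https is true.
#   - tls_server_name, token and auth_role are the literal string "nil" once
#     parsed, which looks like a documentation placeholder. Replace or drop
#     them (TODO confirm against the plugin schema).
#   - A real Vault token written into config is stored in the
#     KongClusterPlugin object and is readable by anyone who can read that
#     resource; prefer a Secret-backed mechanism for it.
#   - auth_path/jwt_path look like Kubernetes-auth settings while auth_method
#     is token; confirm which method is intended.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: acme
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  account_email: '$EMAIL'
  account_key:
    key_id: '$KEY_ID'
    key_set: '$KEY_SET'
  domains:
    - '$DOMAIN'
  tos_accepted: true
  storage: vault
  storage_config:
    vault:
      host: '$HCV_HOST'
      port: 8200
      kv_path: acme
      timeout: 2000
      https: false
      tls_verify: true
      tls_server_name: nil
      auth_method: token
      token: nil
      auth_path: kubernetes
      auth_role: nil
      jwt_path: '$JWT_PATH'
plugin: acme
" | kubectl apply -f -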
Prerequisite: Configure your Personal Access Token
# Declares the Konnect provider and configures it with a Personal Access Token.
terraform {
  required_providers {
    konnect = {
      # No `version` constraint is set, so `terraform init` picks the newest
      # available release. Pin a version and commit .terraform.lock.hcl so
      # provider upgrades are deliberate and reviewable.
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  # "$KONNECT_TOKEN" is a placeholder: HCL does not expand shell variables
  # inside string literals. Do not paste the real PAT into a file that is
  # committed; pass it through a variable marked `sensitive = true` or another
  # out-of-band mechanism (check the provider docs for supported options).
  personal_access_token = "$KONNECT_TOKEN"
  # Region-specific API endpoint; this example targets the US region.
  server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
# Enables the acme plugin on the referenced Konnect control plane, with Vault
# as storage. Deployment-specific values come from input variables.
resource "konnect_gateway_plugin_acme" "my_acme" {
  enabled = true
  config = {
    account_email = var.email
    account_key = {
      key_id = var.key_id
      key_set = var.key_set
    }
    domains = [var.domain]
    tos_accepted = true
    storage = "vault"
    storage_config = {
      vault = {
        host = var.hcv_host
        port = 8200
        kv_path = "acme"
        timeout = 2000
        # Plain HTTP to Vault: the Vault credential and the stored ACME data
        # cross the network unencrypted. Use `https = true` for any Vault that
        # is not reached over a trusted local link.
        https = false
        # Only takes effect once https is true.
        tls_verify = true
        # "nil" is a literal string, not an unset value. It looks like a
        # documentation placeholder here and on token and auth_role below;
        # replace or omit these (TODO confirm against the provider schema).
        tls_server_name = "nil"
        # NOTE(review): auth_path, auth_role and jwt_path look like
        # Kubernetes-auth settings while auth_method is "token"; confirm which
        # method is intended.
        auth_method = "token"
        # Supply a real token through a sensitive variable, never inline.
        # Resource arguments are normally recorded in Terraform state, so
        # treat the state file as secret material too.
        token = "nil"
        auth_path = "kubernetes"
        auth_role = "nil"
        jwt_path = var.jwt_path
      }
    }
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting `TF_VAR_name=value`.
# Input for the Vault storage setting jwt_path (the path to the JWT).
# NOTE(review): the resource example on this page also reads var.email,
# var.key_id, var.key_set, var.domain and var.hcv_host; each needs a matching
# `variable` block, which is not shown here.
variable "jwt_path" {
  type = string
}