Header Cert Authentication: Application Load Balancer (ALB) integration - Plugin

Application Load Balancer (ALB) integrationv3.8+

Allows you to integrate Amazon Application Load Balancer (ALB) with the Header Cert Authentication plugin.

Prerequisites

Add certificate authority (CA) Certificates before configuring the plugin.
Generated certificates for ALB
Configure ALB by adding an HTTPS listener:

Setting	Mapping
Protocol	HTTPS
Port	443
Routing actions	Forward to target groups
Certificate source	From AWS Certificate Manager (ACM)
Certificate (from ACM)	Select the certificate that you want to use
Client certificate handling	Select Mutual authentication (mTLS) with Passthrough

Environment variables

HEADER_NAME: Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: header-cert-auth
    config:
      ca_certificates:
      - 322dce96-d434-4e0d-9038-311b3520f0a3
      certificate_header_name: ${{ env "DECK_HEADER_NAME" }}
      certificate_header_format: base64_encoded
      secure_source: false

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "header-cert-auth",
      "config": {
        "ca_certificates": [
          "322dce96-d434-4e0d-9038-311b3520f0a3"
        ],
        "certificate_header_name": "'$HEADER_NAME'",
        "certificate_header_format": "base64_encoded",
        "secure_source": false
      }
    }
    '

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "header-cert-auth",
      "config": {
        "ca_certificates": [
          "322dce96-d434-4e0d-9038-311b3520f0a3"
        ],
        "certificate_header_name": "'$HEADER_NAME'",
        "certificate_header_format": "base64_encoded",
        "secure_source": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: header-cert-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  ca_certificates:
  - 322dce96-d434-4e0d-9038-311b3520f0a3
  certificate_header_name: '$HEADER_NAME'
  certificate_header_format: base64_encoded
  secure_source: false
plugin: header-cert-auth
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_header_cert_auth" "my_header_cert_auth" {
  enabled = true

  config = {
    ca_certificates = ["322dce96-d434-4e0d-9038-311b3520f0a3"]
    certificate_header_name = var.header_name
    certificate_header_format = "base64_encoded"
    secure_source = false
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "header_name" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: header-cert-auth
    service: serviceName|Id
    config:
      ca_certificates:
      - 322dce96-d434-4e0d-9038-311b3520f0a3
      certificate_header_name: ${{ env "DECK_HEADER_NAME" }}
      certificate_header_format: base64_encoded
      secure_source: false

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "header-cert-auth",
      "config": {
        "ca_certificates": [
          "322dce96-d434-4e0d-9038-311b3520f0a3"
        ],
        "certificate_header_name": "'$HEADER_NAME'",
        "certificate_header_format": "base64_encoded",
        "secure_source": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "header-cert-auth",
      "config": {
        "ca_certificates": [
          "322dce96-d434-4e0d-9038-311b3520f0a3"
        ],
        "certificate_header_name": "'$HEADER_NAME'",
        "certificate_header_format": "base64_encoded",
        "secure_source": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: header-cert-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  ca_certificates:
  - 322dce96-d434-4e0d-9038-311b3520f0a3
  certificate_header_name: '$HEADER_NAME'
  certificate_header_format: base64_encoded
  secure_source: false
plugin: header-cert-auth
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=header-cert-auth

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_header_cert_auth" "my_header_cert_auth" {
  enabled = true

  config = {
    ca_certificates = ["322dce96-d434-4e0d-9038-311b3520f0a3"]
    certificate_header_name = var.header_name
    certificate_header_format = "base64_encoded"
    secure_source = false
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "header_name" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: header-cert-auth
    route: routeName|Id
    config:
      ca_certificates:
      - 322dce96-d434-4e0d-9038-311b3520f0a3
      certificate_header_name: ${{ env "DECK_HEADER_NAME" }}
      certificate_header_format: base64_encoded
      secure_source: false

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "header-cert-auth",
      "config": {
        "ca_certificates": [
          "322dce96-d434-4e0d-9038-311b3520f0a3"
        ],
        "certificate_header_name": "'$HEADER_NAME'",
        "certificate_header_format": "base64_encoded",
        "secure_source": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "header-cert-auth",
      "config": {
        "ca_certificates": [
          "322dce96-d434-4e0d-9038-311b3520f0a3"
        ],
        "certificate_header_name": "'$HEADER_NAME'",
        "certificate_header_format": "base64_encoded",
        "secure_source": false
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: header-cert-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  ca_certificates:
  - 322dce96-d434-4e0d-9038-311b3520f0a3
  certificate_header_name: '$HEADER_NAME'
  certificate_header_format: base64_encoded
  secure_source: false
plugin: header-cert-auth
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=header-cert-auth

kubectl annotate -n kong ingress  konghq.com/plugins=header-cert-auth

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_header_cert_auth" "my_header_cert_auth" {
  enabled = true

  config = {
    ca_certificates = ["322dce96-d434-4e0d-9038-311b3520f0a3"]
    certificate_header_name = var.header_name
    certificate_header_format = "base64_encoded"
    secure_source = false
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "header_name" {
  type = string
}

Header Cert Authentication

Application Load Balancer (ALB) integrationv3.8+

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help