You are browsing documentation for an outdated version.
See the latest documentation here.
Manage Konnect and Kong Gateway configuration declaratively
decK helps manage Kong’s configuration in a declarative fashion. This means that
a developer can define the desired state of Kong Gateway or Konnect –
services, routes, plugins, and more – and let decK handle implementation
without needing to execute each step manually, as you would with the Kong Admin
- Sync configuration to a running Kong cluster
- diff configuration to detect any drift or manual changes
- Back up your instance’s configuration
- Manage Kong’s configuration in a distributed way using tags, helping you split
the configuration across various teams
- Build pipelines of automation with APIOps
View our introductory screencast explaining decK.
Export: Export Kong configuration to a YAML configuration file.
This feature is especially useful for backing up Kong’s configuration.
Import: Populate Kong’s database using a previously exported or
manually written configuration file.
Diff and sync capabilities: decK can diff the configuration between the
provided configuration file and Kong’s database, then sync the configs based on
the diff. This feature is particularly useful for detecting config drifts or
Reverse sync: decK also supports sync in the opposite direction, meaning
that if an entity is created in Kong and isn’t added to the config file,
decK will detect the change.
Configuration generation: decK can generate gateway configurations from OpenAPI
Configuration transformations: decK provides multiple transformation commands
to manipulate full and partial configuration files. This feature allows you to build
API delivery automations, or APIOps.
Validation: decK can validate YAML files that you backup or modify to
catch errors early on.
Reset: decK can completely reset Kong’s database by deleting all entities.
Parallel operations: All Admin API calls to Kong are executed in parallel
using multiple threads to speed up the sync process.
Authentication with Kong: Custom HTTP headers can be injected in requests
to Kong’s Admin API for authentication or authorization purposes.
Manage Kong’s config with multiple config files: Split your configuration
into multiple logical files based on a shared set of tags amongst entities.
Designed to automate configuration management: decK is designed to be part
of your CI pipeline, where it can push configuration to Kong and detect drifts
decK is compatible with Kong Gateway (OSS) >= 1.x and
Kong Gateway Enterprise >= 0.35.
The command line
--help flag on the main command or a subcommand (like diff,
sync, reset, etc.) shows the help text along with supported flags for those
See a list of all commands available with decK.
Frequently Asked Questions (FAQs)
Access our FAQs page.
Video: Kong Summit motivation behind decK
Harry Bagdi gave a talk on the motivation behind decK and demonstrated a few key
features of decK at Kong Summit 2019.
The changelog can be found in the
decK is licensed with Apache License Version 2.0.
Please read the
LICENSE file for more details.
decK does not offer to secure your Kong deployment but only configures it.
It encourages you to protect your Kong Admin API implementation with authentication but
doesn’t offer such a service itself.
decK’s state file can contain sensitive data such as private keys of
certificates, credentials, etc. It is up to the user to manage
and store the state file in a secure fashion.
If you believe that you have found a security vulnerability in decK,
submit a detailed report, along with reproducible steps
One of the design goals of decK is to deliver a good developer experience.
To get help, use the following resources:
--help flag gives you the necessary help in the terminal itself and should
solve most of your problems.
- If you still need help, open a Github issue to ask your
- decK has very wide adoption by Kong’s community and you can seek help
from the larger community at Kong Nation.
Report a bug
If you believe you have run into a bug with decK, open a Github issue.
If you think you’ve found a security issue with decK, read the