Hybrid Deployments
Kong Gateway Operator deploys and manages DataPlane resources that connect to an externally managed control plane using a Hybrid Mode deployment.
The external control plane may be a Kong Konnect control plane or a self-managed control plane.
Installation
For a Kong Konnect control plane:

```bash
# Ensure that you create a secret containing your cluster certificate before applying this
# kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key
# See https://docs.konghq.com/gateway-operator/1.4.x/get-started/konnect/install/ for complete instructions
echo '
kind: KonnectExtension
apiVersion: gateway-operator.konghq.com/v1alpha1
metadata:
  name: example-konnect-config
  namespace: kong
spec:
  controlPlaneRef:
    type: konnectID
    konnectID: <CP_ID>
  controlPlaneRegion: <REGION>
  serverHostname: <HOSTNAME>
  konnectControlPlaneAPIAuthConfiguration:
    clusterCertificateSecretRef:
      name: konnect-client-tls
---
apiVersion: gateway-operator.konghq.com/v1beta1
kind: DataPlane
metadata:
  name: dataplane-example
  namespace: kong
spec:
  extensions:
  - kind: KonnectExtension
    name: example-konnect-config
    group: gateway-operator.konghq.com
  deployment:
    podTemplateSpec:
      spec:
        containers:
        - name: proxy
          image: kong/kong-gateway:3.9.0.1
          env:
          - name: KONG_LOG_LEVEL
            value: debug
' | kubectl apply -f -
```
For a self-managed control plane:

```bash
# Ensure that you create a secret containing your cluster certificate before applying
# kubectl create secret tls kong-cluster-cert -n kong --cert=./tls.crt --key=./tls.key
# Note that the cluster_control_plane value will differ depending on your environment.
# control-plane-release-name will change to your CP release name,
# hybrid will change to whatever namespace it resides in.
# The manifest is single-quoted so the shell keeps the double quotes around "off".
echo '
apiVersion: gateway-operator.konghq.com/v1beta1
kind: DataPlane
metadata:
  name: dataplane-example
  namespace: kong
spec:
  deployment:
    podTemplateSpec:
      spec:
        containers:
        - name: proxy
          image: kong/kong-gateway:3.9.0.1
          env:
          - name: KONG_ROLE
            value: data_plane
          - name: KONG_DATABASE
            value: "off"
          - name: KONG_CLUSTER_CERT
            value: /etc/secrets/kong-cluster-cert/tls.crt
          - name: KONG_CLUSTER_CERT_KEY
            value: /etc/secrets/kong-cluster-cert/tls.key
          - name: KONG_LUA_SSL_TRUSTED_CERTIFICATE
            value: system
          - name: KONG_CLUSTER_CONTROL_PLANE
            value: control-plane-release-name-kong-cluster.hybrid.svc.cluster.local:8005
          - name: KONG_CLUSTER_TELEMETRY_ENDPOINT
            value: control-plane-release-name-kong-clustertelemetry.hybrid.svc.cluster.local:8006
          volumeMounts:
          - name: cluster-certificate
            mountPath: /var/cluster-certificate
          - name: kong-cluster-cert
            mountPath: /etc/secrets/kong-cluster-cert/
            readOnly: true
        volumes:
        - name: cluster-certificate
        - name: kong-cluster-cert
          secret:
            secretName: kong-cluster-cert
            defaultMode: 420
' | kubectl apply -f -
```
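A pre-deployment check for the self-managed DataPlane manifest above, as an added example that is not part of the original page or Kong's own tooling: it confirms that the cluster certificate and key paths sit under a read-only Secret mount and that `KONG_DATABASE` is the string `off`. The function name `check_hybrid_dataplane` and the JSON sample are constructed for illustration.

```python
import json

# Constructed sample: the self-managed DataPlane pod spec from this page as JSON
# (the object found under .spec.deployment.podTemplateSpec.spec), trimmed to
# the fields this check reads.
SAMPLE = json.loads("""
{"containers": [{"name": "proxy",
  "env": [{"name": "KONG_ROLE", "value": "data_plane"},
          {"name": "KONG_DATABASE", "value": "off"},
          {"name": "KONG_CLUSTER_CERT", "value": "/etc/secrets/kong-cluster-cert/tls.crt"},
          {"name": "KONG_CLUSTER_CERT_KEY", "value": "/etc/secrets/kong-cluster-cert/tls.key"}],
  "volumeMounts": [{"name": "kong-cluster-cert",
                    "mountPath": "/etc/secrets/kong-cluster-cert/", "readOnly": true}]}],
 "volumes": [{"name": "kong-cluster-cert", "secret": {"secretName": "kong-cluster-cert"}}]}
""")

def check_hybrid_dataplane(pod_spec, container="proxy"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    c = next((x for x in pod_spec.get("containers", []) if x.get("name") == container), None)
    if c is None:
        return [f"container {container!r} not found"]
    env = {e["name"]: e.get("value") for e in c.get("env", [])}
    if env.get("KONG_ROLE") != "data_plane":
        findings.append("KONG_ROLE is not data_plane")
    # An unquoted `off` in YAML 1.1 parses as boolean false, not the string "off".
    if env.get("KONG_DATABASE") != "off":
        findings.append('KONG_DATABASE must be the string "off"')
    secret_vols = {v["name"] for v in pod_spec.get("volumes", []) if "secret" in v}
    for var in ("KONG_CLUSTER_CERT", "KONG_CLUSTER_CERT_KEY"):
        path = env.get(var)
        if not path:
            findings.append(f"{var} is not set")
            continue
        # Find the volumeMount whose mountPath contains the referenced file.
        mount = next((m for m in c.get("volumeMounts", [])
                      if path.startswith(m["mountPath"].rstrip("/") + "/")), None)
        if mount is None:
            findings.append(f"{var}={path} is not under any volumeMount")
        elif mount["name"] not in secret_vols:
            findings.append(f"{var} is mounted from {mount['name']}, which is not a Secret volume")
        elif not mount.get("readOnly"):
            findings.append(f"{var} mount {mount['name']} is not readOnly")
    return findings

if __name__ == "__main__":
    print(check_hybrid_dataplane(SAMPLE) or "ok")
```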
For more information about hybrid mode, see the Kong Gateway hybrid mode documentation.