Use a Custom CA Certificate

Uses: Kong Gateway Operator
Incompatible with: on-prem
TL;DR

Provide the spec.clientAuth.certificateSecret field when defining your KonnectExtension resource, with provisioning set to Manual and a secretRef pointing at the Secret that holds your certificate.

Prerequisites

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'

Use a custom CA certificate

Kong Gateway Operator generates TLS certificates to enable Kong Gateway to authenticate with Konnect. By default, Kong Gateway Operator will act as its own CA. If you would prefer to use your own CA, upload the CA certificate as a Kubernetes secret.

Generate a certificate

  1. Generate a new certificate and key:

     openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
  2. Create a Kubernetes secret that contains the certificate:

     kubectl create -n kong secret tls konnect-client-tls --cert=./tls.crt --key=./tls.key
  3. Label the secret to tell Kong Gateway Operator to reconcile it:

     kubectl label -n kong secret konnect-client-tls konghq.com/konnect-dp-cert=true

Create a KonnectExtension

Kong Gateway Operator inspects the spec.clientAuth.certificateSecret field to decide how to provision certificates. Create a KonnectExtension with spec.clientAuth.certificateSecret.provisioning set to Manual and a secretRef that names the secret created above:

echo '
kind: KonnectExtension
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: my-konnect-config
  namespace: kong
spec:
  clientAuth:
    certificateSecret:
      provisioning: Manual
      secretRef:
        name: konnect-client-tls
  konnect:
    controlPlane:
      ref:
        type: konnectNamespacedRef
        konnectNamespacedRef:
          name: gateway-control-plane' | kubectl apply -f -

Validate your configuration

To ensure that the correct certificate has been used, fetch the Data Plane certificate from the Konnect API.

Fetch the Control Plane ID:

CONTROL_PLANE_ID=$(kubectl get -n kong konnectgatewaycontrolplanes.konnect.konghq.com gateway-control-plane -o yaml | yq .status.id)

Fetch the client certificate:

DP_CERT=$( curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" | jq -r '.items[].cert')

To validate that the correct CA certificate has been used, you can diff the local certificate with the one from the API:

# Quote the expansion: an unquoted $DP_CERT loses the PEM line breaks, and diff would then always report a difference.
echo "$DP_CERT" > dp.crt
diff -u tls.crt dp.crt

Check the return code of the command to make sure it completed successfully:

if [[ $? -ne 0 ]]; then
  echo "Did not receive the expected return code"
fi
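As an added example that is not part of the Kong documentation or of the operator's own tooling, the following Python script performs the same check as the diff above by SHA-256 fingerprint rather than raw text: it still matches when an unquoted echo has flattened the PEM onto one line, and it handles a Konnect response in which '.items[].cert' returned more than one Data Plane certificate. The PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Every PEM certificate block in a string. DOTALL lets the body span lines,
# and the non-greedy match keeps concatenated certificates apart (jq's
# '.items[].cert' prints one block per Data Plane certificate in Konnect).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(text: str) -> list[str]:
    """SHA-256 fingerprint (hex) of each certificate found in `text`.

    Whitespace inside the base64 body is dropped, so a PEM that an unquoted
    `echo $DP_CERT` flattened onto one line fingerprints the same as the
    multi-line tls.crt written by openssl, even though `diff` would differ.
    """
    fingerprints = []
    for match in _PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(body, validate=True)
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def local_cert_registered(local_pem: str, konnect_certs: str) -> bool:
    """True when the single local certificate is among those Konnect returned."""
    local = pem_fingerprints(local_pem)
    if len(local) != 1:
        raise ValueError("expected exactly one certificate in the local PEM")
    return local[0] in set(pem_fingerprints(konnect_certs))


def _fake_pem(payload: bytes) -> str:
    """Constructed fixture: PEM framing around arbitrary bytes (not a real cert)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data standing in for ./tls.crt and for the API response.
LOCAL_TLS_CRT = _fake_pem(b"placeholder for the custom CA certificate" * 4)
OTHER_DP_CERT = _fake_pem(b"placeholder for a certificate of another Data Plane" * 4)
# What an unquoted `echo $DP_CERT` produces: newlines collapsed to single spaces.
FLATTENED_LOCAL = " ".join(LOCAL_TLS_CRT.split())
KONNECT_RESPONSE = FLATTENED_LOCAL + "\n" + OTHER_DP_CERT
```

Call local_cert_registered() with the contents of tls.crt and the value of DP_CERT; it returns True only when the fingerprint of the local certificate appears in the Konnect response.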
