Renew Certificates for a Data Plane Node
Data plane certificates generated by Kong Konnect expire every ten years. If you bring your own certificates, make sure to review the expiration date and associated metadata.
Renew your certificates to prevent any interruption in communication between
Kong Konnect and any configured data plane nodes. The following happens if a certificate expires and isn’t replaced:
- The data plane node stops receiving configuration updates from
the control plane.
- The data plane node stops sending analytics and usage data
to the control plane.
- Each disconnected data plane node uses cached configuration to continue
proxying and routing traffic.
Depending on your setup, renewing certificates might mean bringing up a new data
plane, or generating new certificates and updating data plane nodes with the new
files.
Quick setup
If you originally created your data plane node container using one of the
Docker options in Gateway Manager, we recommend creating a new data plane node with renewed
certificates.
- Stop the data plane node container.
- Open Gateway Manager, select a control plane, open Data Plane Nodes from the side menu, and click New Data Plane Node.
- Run the script to create a new data plane node with
updated certificates.
- Remove the old data plane node container.
Advanced setup
If your data plane nodes are running on Linux or Kubernetes, or if you have a
Docker container that was not created using the quick setup script, you must
generate new certificates and replace them on the existing nodes.
Generate new data plane certificate
Gateway Manager
Konnect API
You can generate a new data plane certificate from the Gateway Manager.
- Select a control plane.
- Click Actions and select Data plane certificates.
-
Click Generate certificate.
-
Save the new certificate and key into separate files:
- certificate:
tls.crt
- private key:
tls.key
- Store the files on the local file system.
You can generate a certificate locally and use the pin data plane client certificate endpoint to add it to Konnect.
-
Generate a new certificate and key:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
-
Reformat the certificate into a single line for the API call:
export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt)
-
POST
the certificate to your control plane using the Konnect API:
curl https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/dp-client-certificates --json '{"cert":"'"$CERT"'"}' \
--header "Authorization: Bearer ${KONNECT_TOKEN}"
Update data plane
Open your node’s kong.conf
file. Replace existing certificates with
the new files:
cluster_cert = /{PATH_TO_FILE}/tls.crt
cluster_cert_key = /{PATH_TO_FILE}/tls.key
Restart Kong Gateway for the settings to take effect:
Delete any old certificate and key files on your filesystem.
Create new secrets for the certificates and key, making sure to name them
something different from the current secret names.
-
Create a tls
secret using the tls.cert
and tls.key
files
you saved earlier:
kubectl create secret tls kong-cluster-cert2 -n kong \
--cert=/PATH_TO_FILE/tls.crt \
--key=/PATH_TO_FILE/tls.key
-
Open the values.yaml
file for the data plane node and update it to point
to the new secrets.
Update the secretVolumes
section:
secretVolumes:
- kong-cluster-cert2
Update the cert values in the env
section:
env:
cluster_cert: /etc/secrets/kong-cluster-cert2/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert2/tls.key
-
Save the file. Reapply the configuration by running the Helm upgrade
command:
helm upgrade my-kong kong/kong -n kong \
--values ./values.yaml
-
Delete the old kong-cluster-cert
secret:
kubectl delete secret kong-cluster-cert
In your Docker container, replace any existing certificates on your data plane nodes
with the new files and restart the Gateway:
docker cp {PATH_TO_FILE}/tls.cert {CONTAINER_ID}:{PATH_TO_FILE}
docker cp {PATH_TO_FILE}/tls.key {CONTAINER_ID}:{PATH_TO_FILE}
echo "KONG_CLUSTER_CERT=/{PATH_TO_FILE}/tls.crt \
KONG_CLUSTER_CERT_KEY=/{PATH_TO_FILE}/tls.key \
kong reload exit" | docker exec -i {KONG_CONTAINER_ID} /bin/sh
Delete any old certificate and key files on your filesystem.