Kong Vault
Secrets Management is a Kong Gateway Enterprise feature for storing sensitive plugin configuration separately from the visible plugin configuration.
Secrets Management supports several backend systems. This guide uses the environment variable backend, which requires minimal configuration and integrates well with Kubernetes’ standard Secret-sourced environment variables.
Available Vaults
Kong Gateway supports environment variables, HashiCorp Vault, AWS Secrets Manager and Google Cloud Secret Manager as a source for secret configuration. These vaults can be configured using environment variables on your gateway deployments.
To learn more about the available vaults, see the Kong Gateway documentation.
Environment Vault
- Set an environment variable on your proxy Pod using `valueFrom.secretKeyRef` in your deployment. This example makes the `redis-password-secret` secret available using the environment variable vault.

```shell
kubectl patch deploy -n kong kong-gateway --patch '
{
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "proxy",
            "env": [
              {
                "name": "SECRET_REDIS_PASSWORD",
                "valueFrom": {
                  "secretKeyRef": {
                    "name": "redis-password-secret",
                    "key": "redis-password"
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }
}'
```
- Use this value, `SECRET_REDIS_PASSWORD`, in a `KongPlugin` definition.

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-example
plugin: rate-limiting
config:
  second: 5
  hour: 10000
  policy: redis
  redis_host: <redis_host>
  redis_password: "vault://env/secret-redis-password"
```
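As an added example (not part of the Kong documentation or of Kong's own code), the following pre-deployment check mirrors how the environment vault maps a `vault://env/<name>` reference to a variable name (upper-cased, dashes turned into underscores, which is Kong's documented env vault behaviour) and flags any reference in a plugin config that the proxy container's env block does not provide. The deployment patch and plugin config are constructed inline from the two steps above.

```python
import json
import re
from typing import Iterator, Optional

# Constructed sample: the patch body from the kubectl command above (the env the proxy container gets).
DEPLOYMENT_PATCH = json.loads("""
{"spec": {"template": {"spec": {"containers": [{"name": "proxy", "env": [{"name":
 "SECRET_REDIS_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "redis-password-secret", "key": "redis-password"}}}]}]}}}}
""")

# Constructed sample: the KongPlugin config above, as a dict (no YAML parser needed).
PLUGIN_CONFIG = {"second": 5, "hour": 10000, "policy": "redis", "redis_host": "<redis_host>",
                 "redis_password": "vault://env/secret-redis-password"}

# Kong writes references as {vault://env/name}; the bare form shown above is accepted too.
ENV_REF = re.compile(r"^\{?vault://env/([A-Za-z0-9_-]+)\}?$")


def env_var_for_reference(ref: str) -> Optional[str]:
    """vault://env/<name> -> <NAME> with dashes as underscores; None for any other value."""
    m = ENV_REF.match(ref)
    return m.group(1).upper().replace("-", "_") if m else None


def iter_string_values(node, path=()) -> Iterator[tuple]:
    """Yield (path, value) for every string leaf in a nested plugin config."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from iter_string_values(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from iter_string_values(v, path + (i,))
    elif isinstance(node, str):
        yield path, node


def container_env_names(patch: dict, container: str = "proxy") -> set:
    """Env var names declared on the named container in a Deployment (patch)."""
    for c in patch["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container:
            return {e["name"] for e in c.get("env", [])}
    return set()


def unresolved_env_references(config: dict, env_names: set) -> list:
    """(config key, expected env var) for each vault://env reference no declared env var satisfies."""
    missing = []
    for path, value in iter_string_values(config):
        var = env_var_for_reference(value)
        if var is not None and var not in env_names:
            missing.append((".".join(map(str, path)), var))
    return missing
```

Run the check against the manifests you are about to apply; an empty result means every `vault://env/` reference in the plugin has a matching variable on the proxy container, so Kong will not be left with an unresolvable secret at runtime.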
HashiCorp Vault
Configure the following in your values.yaml:
AWS Secrets Manager
Google Cloud Secret Manager
Configure the following in your values.yaml:

```yaml
gateway:
  customEnv:
    gcp_service_account: '{"credentials": "here in JSON format. See gcp-project-RANDOM_ID.json"}'
```