Using Kubernetes Secrets in Plugins
Kong Ingress Controller allows you to configure Kong Gateway plugins using the contents of a Kubernetes secret. Kong Ingress Controller can read secrets in two ways:
- Read the complete plugin configuration from a secret
- Use configPatches to set a single field in a plugin configuration (requires Kong Ingress Controller 3.1+)
Kong Ingress Controller resolves the referenced secrets and sends a complete configuration to Kong Gateway.
Kong Ingress Controller resolves secrets before sending the configuration to Kong Gateway. Anyone with access to the Kong Gateway pod can read the configuration, including secrets, from the admin API. To securely fetch secrets at runtime, use Kong’s Vault support.
Read a complete configuration
The configFrom field in the KongPlugin resource allows you to set a secretKeyRef pointing to a Kubernetes secret.
This KongPlugin definition points to a secret named rate-limit-redis that contains a complete configuration for the plugin:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-example
plugin: rate-limiting
configFrom:
  secretKeyRef:
    name: rate-limit-redis
    key: config
" | kubectl apply -f -
The rate-limit-redis secret contains a complete configuration as a string:
echo "
apiVersion: v1
kind: Secret
metadata:
  name: rate-limit-redis
stringData:
  config: |
    minute: 10
    policy: redis
    redis_host: redis-master
    redis_password: PASSWORD
type: Opaque
" | kubectl apply -f -
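A review check for the configFrom setup above, as an added example that is not part of the Kong documentation: it audits KongPlugin objects exported as JSON for secret-like fields left inline in config and for secretKeyRef targets that do not resolve. The hint list, the function names and the sample objects are assumptions, and the Secret is assumed to live in the plugin's own namespace.

```python
import json
# Assumption: substrings that mark a plugin config field name as sensitive.
SENSITIVE_HINTS = ("password", "secret", "token")

def sensitive_paths(node, prefix="config"):
    """Yield dotted paths of non-empty fields whose name looks sensitive."""
    if isinstance(node, dict):
        for name, value in node.items():
            path = f"{prefix}.{name}"
            if isinstance(value, (dict, list)):
                yield from sensitive_paths(value, path)
            elif value not in (None, "") and any(h in name.lower() for h in SENSITIVE_HINTS):
                yield path
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from sensitive_paths(item, f"{prefix}[{i}]")

def audit(plugins, secrets):
    """Return sorted (namespace/name, finding) pairs for KongPlugin objects."""
    # Map (namespace, secret name) -> set of keys present in the Secret's data.
    known = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]):
             set(s.get("data") or {}) for s in secrets}
    findings = []
    for p in plugins:
        ns = p["metadata"].get("namespace", "default")
        ident = f"{ns}/{p['metadata']['name']}"
        findings += [(ident, f"inline secret-like field {path}")
                     for path in sensitive_paths(p.get("config") or {})]
        ref = (p.get("configFrom") or {}).get("secretKeyRef")
        if ref:  # assumption: the Secret is looked up in the plugin's namespace
            keys = known.get((ns, ref.get("name")))
            if keys is None:
                findings.append((ident, f"secret {ref.get('name')} not found"))
            elif ref.get("key") not in keys:
                findings.append((ident, f"key {ref.get('key')} not in secret {ref.get('name')}"))
    return sorted(findings)

# Constructed sample objects in the JSON shape `kubectl get ... -o json` returns.
SAMPLE = json.loads("""
{"plugins": [
 {"metadata":{"name":"rate-limiting-example","namespace":"default"},"configFrom":{"secretKeyRef":{"name":"rate-limit-redis","key":"config"}}},
 {"metadata":{"name":"rl-inline","namespace":"default"},"config":{"minute":10,"policy":"redis","redis_password":"PASSWORD"}},
 {"metadata":{"name":"rl-typo","namespace":"default"},"configFrom":{"secretKeyRef":{"name":"rate-limit-redis","key":"conf"}}},
 {"metadata":{"name":"rl-other-ns","namespace":"team-a"},"configFrom":{"secretKeyRef":{"name":"rate-limit-redis","key":"config"}}}
], "secrets": [
 {"metadata":{"name":"rate-limit-redis","namespace":"default"},"data":{"config":"bWludXRlOiAxMA=="}}
]}""")

if __name__ == "__main__":
    print(*(f"{ident}: {finding}" for ident, finding in audit(**SAMPLE)), sep="\n")
```

Only the key names of each Secret are inspected, so the export used for the audit can have its data values redacted.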