Kong Vault
Secrets Management is a Kong Gateway Enterprise feature for storing sensitive plugin configuration separately from the visible plugin configuration.
Secrets Management supports several backend systems. This guide uses the environment variable backend, which requires minimal configuration and integrates well with Kubernetes’ standard Secret-sourced environment variables.
Available Vaults
Kong Gateway supports environment variables, HashiCorp Vault, AWS Secrets Manager and Google Cloud Secret Manager as sources for secret configuration. These vaults can be configured using environment variables on your gateway deployments.
You can also configure vaults using the KongVault CRD.
To learn more about the available vaults, see the Kong Gateway documentation.
Environment Vault
- Set an environment variable on your proxy Pod using valueFrom.secretKeyRef in your deployment. This example makes the redis-password-secret secret available through the environment variable vault:

```shell
kubectl patch deploy -n kong kong-gateway --patch '
{
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "proxy",
            "env": [
              {
                "name": "SECRET_REDIS_PASSWORD",
                "valueFrom": {
                  "secretKeyRef": {
                    "name": "redis-password-secret",
                    "key": "redis-password"
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }
}'
```

- Use this value, SECRET_REDIS_PASSWORD, in a KongPlugin definition. The reference vault://env/secret-redis-password resolves to that environment variable:

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-example
plugin: rate-limiting
config:
  second: 5
  hour: 10000
  policy: redis
  redis_host: <redis_host>
  redis_password: "vault://env/secret-redis-password"
```
HashiCorp Vault
Configure the following in your values.yaml:
AWS Secrets Manager
Google Cloud Secret Manager
Configure the following in your values.yaml:

```yaml
gateway:
  customEnv:
    gcp_service_account: '{"credentials": "here in JSON format. See gcp-project-RANDOM_ID.json"}'
```
Configuring Vaults dynamically with the KongVault CRD
Kong vaults can be configured by creating KongVault objects in your Kubernetes cluster.
The KongVault CRD allows you to configure a vault backend's details (its type, prefix and description) and the connection details that are specific to that backend type.
Note that you still need to configure the credentials used by your vault backend in your values.yaml file (e.g. aws_secret_access_key, vault_hcv_token, etc.).
The following is an example of a KongVault definition for the AWS backend in the us-west-2 region:
```yaml
apiVersion: configuration.konghq.com/v1alpha1
kind: KongVault
metadata:
  name: aws-us-west-vault
spec:
  backend: aws
  prefix: aws-us-west
  description: "AWS Secrets Manager vault for us-west-2 region"
  config:
    region: us-west-2
```
You can also create another KongVault using the same backend type, but with different configuration details (e.g. a different region):
```yaml
apiVersion: configuration.konghq.com/v1alpha1
kind: KongVault
metadata:
  name: aws-us-east-vault
spec:
  backend: aws
  prefix: aws-us-east
  description: "AWS Secrets Manager vault for us-east-1 region"
  config:
    region: us-east-1
```
To refer to secrets stored in your vaults, use a vault://<kong-vault-prefix> prefix (with <kong-vault-prefix> substituted by aws-us-east or aws-us-west) in your plugin configuration. For example:

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-example
plugin: rate-limiting
config:
  second: 5
  hour: 10000
  policy: redis
  redis_host: <redis_host>
  redis_password: "vault://aws-us-east/secret-redis-password"
```
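A pre-deployment check that ties the environment vault section and the KongVault examples above together, added here as an example and not part of Kong's own tooling: it walks a KongPlugin config, flags sensitive fields that still hold a literal value, verifies that a vault://env/... reference has its matching environment variable (uppercased, hyphens to underscores, as secret-redis-password maps to SECRET_REDIS_PASSWORD above) on the proxy Pod, and verifies that any other prefix matches a KongVault's spec.prefix. The manifests are constructed inline as dicts, and the SENSITIVE_FIELDS list is an assumption to extend per plugin.

```python
import re

# Reference form used on this page: vault://<prefix>/<secret-name>[/<key>]
VAULT_REF = re.compile(r"^vault://([A-Za-z0-9_-]+)/([A-Za-z0-9_-]+)(?:/([A-Za-z0-9_.-]+))?$")

# Plugin fields that must never hold a literal secret in a committed manifest (assumed list).
SENSITIVE_FIELDS = {"redis_password"}


def env_var_name(secret_name: str) -> str:
    """Env vault lookup: 'secret-redis-password' resolves to $SECRET_REDIS_PASSWORD."""
    return secret_name.upper().replace("-", "_")


def lint_plugin(plugin: dict, kong_vault_prefixes: set, proxy_env: set) -> list:
    """Return findings for one parsed KongPlugin manifest; an empty list means it passes."""
    findings = []
    for field, value in plugin.get("config", {}).items():
        match = VAULT_REF.match(str(value))
        if match is None:
            if field in SENSITIVE_FIELDS:
                findings.append(f"{field}: literal secret; use a vault:// reference")
            continue
        prefix, name, _key = match.groups()
        if prefix == "env":
            var = env_var_name(name)
            if var not in proxy_env:
                findings.append(f"{field}: env vault expects ${var} on the proxy Pod, not set")
        elif prefix not in kong_vault_prefixes:
            findings.append(f"{field}: no KongVault with spec.prefix '{prefix}'")
    return findings


# Constructed inputs mirroring the manifests on this page (dicts instead of YAML to stay stdlib-only).
KONG_VAULTS = [{"kind": "KongVault", "spec": {"backend": "aws", "prefix": "aws-us-west"}},
               {"kind": "KongVault", "spec": {"backend": "aws", "prefix": "aws-us-east"}}]
PREFIXES = {v["spec"]["prefix"] for v in KONG_VAULTS}
PROXY_ENV = {"SECRET_REDIS_PASSWORD"}  # set by the secretKeyRef patch in the environment vault section

GOOD = {"plugin": "rate-limiting", "config": {"policy": "redis", "redis_host": "redis.kong.svc",
                                              "redis_password": "vault://aws-us-east/secret-redis-password"}}
ENV_OK = {"plugin": "rate-limiting", "config": {"redis_password": "vault://env/secret-redis-password"}}
LITERAL = {"plugin": "rate-limiting", "config": {"redis_password": "hunter2"}}  # constructed bad value
UNKNOWN = {"plugin": "rate-limiting", "config": {"redis_password": "vault://aws-eu-west/secret-redis-password"}}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD), ("env", ENV_OK), ("literal", LITERAL), ("unknown", UNKNOWN)):
        print(label, lint_plugin(manifest, PREFIXES, PROXY_ENV) or "ok")
```

Run it against the rendered manifests in CI so a password pasted into a KongPlugin, or a reference to a prefix no KongVault defines, fails before anything is applied to the cluster.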