Using Kubernetes Secrets in Plugins
Kong Ingress Controller allows you to configure Kong Gateway plugins using the contents of a Kubernetes secret. Kong Ingress Controller can read secrets in two ways:
- Read the complete plugin configuration from a secret
- Use
configPatches
to set a single field in a plugin configuration (requires Kong Ingress Controller 3.1+)
Kong Ingress Controller resolves the referenced secrets and sends a complete configuration to Kong Gateway.
Kong Ingress Controller resolves secrets before sending the configuration to Kong Gateway. Anyone with access to the Kong Gateway pod can read the configuration, including secrets, from the admin API. To securely fetch secrets at runtime, use Kong’s Vault support.
Read a complete configuration
The configFrom
field in the KongPlugin
resource allows you to set a secretKeyRef
pointing to a Kubernetes secret.
This KongPlugin
definition points to a secret named rate-limit-redis
that contains a complete configuration for the plugin:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rate-limiting-example
plugin: rate-limiting
configFrom:
secretKeyRef:
name: rate-limit-redis
key: config
" | kubectl apply -f -
The rate-limit-redis
secret contains a complete configuration as a string:
echo "
apiVersion: v1
kind: Secret
metadata:
name: rate-limit-redis
stringData:
config: |
minute: 10
policy: redis
redis_host: redis-master
redis_password: PASSWORD
type: Opaque
" | kubectl apply -f -
Single field using ConfigPatches
Kong Ingress Controller allows you to populate individual plugin configuration fields from a Kubernetes secret.
The configPatches
field in the KongPlugin
resource allows you to set a path
to a field in the KongPlugin
and a valueFrom
that points to a Kubernetes secret (and its field) that the configuration field value should be loaded from.
In the previous Redis rate-limiting example, only the redis_password
field is sensitive. Instead of storing the whole configuration in a secret, use configPatches
to patch a single key:
Create a Kubernetes secret that contains a password
field.
echo "
apiVersion: v1
kind: Secret
metadata:
name: rate-limit-redis
stringData:
password: '\"PASSWORD\"' # The string fields require the value to be quoted in double quotation marks.
type: Opaque" | kubectl apply -f -
Define a new rate-limiting KongPlugin
resource. The majority of the configuration is provided under the config
key. The redis_password
field is populated from the password
field in the rate-limit-redis
secret using configPatches
.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rate-limiting-example
plugin: rate-limiting
config: # You can define the non-sensitive part of the config explicitly here.
minute: 10
policy: redis
redis_host: redis-master
configPatches:
- path: /redis_password # This is the path to the field in the plugin's configuration this patch will populate.
valueFrom:
secretKeyRef:
name: rate-limit-redis # This is the name of the secret.
key: password # This is the key in the secret.
" | kubectl apply -f -
Kong Ingress Controller resolves the referenced secret and builds the complete configuration for the plugin before sending it to Kong Gateway. The complete configuration will look like this:
minute: 10
policy: redis
redis_host: redis-master
redis_password: PASSWORD