curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/listeners/{eventGatewayListenerId}/policies \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $KONNECT_TOKEN" \
  --data '
  {
    "name": "tls",
    "type": "tls_server",
    "config": {
      "certificates": [
        {
          "certificate": "${env[\"MY_CERTIFICATE\"]}",
          "key": "${env[\"MY_SECRET\"]}"
        }
      ],
      "versions": {
        "min": "TLSv1.2",
        "max": "TLSv1.2"
      },
      "allow_plaintext": false
    }
  }
  '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- virtualClusterId: The id of the Virtual Cluster.
- eventGatewayId: The id of the Event Gateway.
- eventGatewayListenerId: The id of the Event Gateway Listener.
See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.
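A pre-flight review of the policy body before it is sent, as an added example (not part of Kong's documentation or tooling). The function name, the rules and the TLSv1.2 floor are this example's own assumptions, not Konnect's server-side validation; it checks the three settings the request above fixes: `allow_plaintext`, the `versions` range, and a key supplied as an `${env[...]}` reference instead of inline PEM.

```python
import re

ENV_REF = re.compile(r'^\$\{env\["[A-Za-z_][A-Za-z0-9_]*"\]\}$')
TLS_VER = re.compile(r"^TLSv(\d+)\.(\d+)$")

def _ver(value):
    """Parse 'TLSv1.2' into (1, 2); None if missing or malformed."""
    m = TLS_VER.match(value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def lint_tls_server_policy(policy, floor=(1, 2)):
    """Return findings for a tls_server policy body; [] means it passed."""
    if policy.get("type") != "tls_server":
        return ["type is not tls_server"]
    cfg, findings = policy.get("config") or {}, []
    # Anything other than an explicit false leaves the listener's intent unclear.
    if cfg.get("allow_plaintext") is not False:
        findings.append("allow_plaintext is not explicitly false")
    versions = cfg.get("versions") or {}
    vmin, vmax = _ver(versions.get("min")), _ver(versions.get("max"))
    if vmin is None or vmax is None:
        findings.append("versions.min/max missing or not of the form TLSvX.Y")
    elif vmin < floor:
        findings.append("versions.min is below TLSv%d.%d" % floor)
    elif vmin > vmax:
        findings.append("versions.min is higher than versions.max")
    certs = cfg.get("certificates") or []
    if not certs:
        findings.append("no certificates configured")
    for i, cert in enumerate(certs):
        # An inline private key would end up in shell history and config repos.
        if not ENV_REF.match(str(cert.get("key", ""))):
            findings.append("certificates[%d].key is not an env reference" % i)
    return findings

def _policy(key, vmin, plaintext):
    """Build a body shaped like the page's request (constructed test data)."""
    return {"name": "tls", "type": "tls_server", "config": {
        "certificates": [{"certificate": '${env["MY_CERTIFICATE"]}', "key": key}],
        "versions": {"min": vmin, "max": "TLSv1.2"},
        "allow_plaintext": plaintext}}

# The page's body, and a constructed weak variant a review should reject.
PAGE_POLICY = _policy('${env["MY_SECRET"]}', "TLSv1.2", False)
WEAK_POLICY = _policy("-----BEGIN PRIVATE KEY----- (constructed)", "TLSv1.0", True)

if __name__ == "__main__":
    for name, body in (("page", PAGE_POLICY), ("weak", WEAK_POLICY)):
        print(name, lint_tls_server_policy(body) or "ok")
```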
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect-beta = {
      source = "kong/konnect-beta"
    }
  }
}

provider "konnect-beta" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url = "https://us.api.konghq.com/"
}

resource "konnect_event_gateway_listener_policy_tls_server" "my_listener_policy_tls_server" {
  provider = konnect-beta
  type = "tls_server"
  config = {
    certificates = [
      {
        certificate = var.my_certificate
        key = var.my_secret
      }
    ]
    versions = {
      min = "TLSv1.2"
      max = "TLSv1.2"
    }
    allow_plaintext = false
  }
  event_gateway_listener_id = konnect_event_gateway_listener.my_listener.id
  gateway_id = konnect_event_gateway.my_event_gateway.id
}
The following example creates a new tls_server policy.
Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:
event_gateways:
  - ref: eventGatewayName
    name: eventGatewayName
    listeners:
      - ref: listenerName
        name: listenerName
        policies:
          - ref: tls
            type: tls_server
            tls_server:
              name: tls
              config:
                certificates:
                  - certificate: ${env["MY_CERTIFICATE"]}
                    key: ${env["MY_SECRET"]}
                versions:
                  min: TLSv1.2
                  max: TLSv1.2
                allow_plaintext: false
Make sure to replace the following placeholders with your own values: