helm upgrade --install kong-operator kong/kong-operator -n kong-system \
--create-namespace \
--set image.tag=2.1 \
--set env.ENABLE_CONTROLLER_KONNECT=true
Copied!
Adopt existing entities from Konnect
Uses:
Kong Operator
Incompatible with
on-prem
Related Documentation
Tags
Minimum Version
Kong Operator - 2.1
TL;DR
Create a resource for each entity you want to manage and configure the spec.adopt parameters:
- Set
spec.adopt.konnect.idto the entity’s Konnect ID. - Set
spec.adopt.modeto:-
overrideif you want to change the entity’s configuration. -
matchif you want to keep the existing configuration.
-
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'Copied!
Kong Operator running
-
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com helm repo updateCopied! -
Install Kong Operator using Helm:
If you want cert-manager to issue and rotate the admission and conversion webhook certificates, install cert-manager to your cluster and enable cert-manager integration by passing the following argument while installing, in the next step:
--set global.webhooks.options.certManager.enabled=trueCopied!If you do not enable this, the chart will generate and inject self-signed certificates automatically. We recommend enabling cert-manager to manage the lifecycle of these certificates. Kong Operator needs a certificate authority to sign the certificate for mTLS communication between the control plane and the data plane. This is handled automatically by the Helm chart. If you need to provide a custom CA certificate, refer to the
certificateAuthoritysection in thevalues.yamlof the Helm chart to learn how to create and reference your own CA certificate.
Create a KonnectAPIAuthConfiguration resource
kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
name: konnect-api-auth
namespace: kong
spec:
type: token
token: "'$KONNECT_TOKEN'"
serverURL: us.api.konghq.com
' | kubectl apply -f -
Copied!
Create resources in Konnect
This example requires an existing Konnect control plane and entities that we’ll then connect to our Kubernetes cluster. Let’s create these entities with the Konnect API.
Run the following command to create a control plane and save its ID to your environment:
CONTROL_PLANE_ID=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "gateway-control-plane"
}' | jq -r ".id"
)
Copied!
Create a Gateway Service:
SERVICE_ID=$(curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/services" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "demo-service",
"protocol": "http",
"host": "httpbin.konghq.com",
"path": "/anything"
}' | jq -r ".id"
)
Copied!
Create a Route:
ROUTE_ID=$(curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/routes" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "demo-route",
"paths": [
"/anything"
],
"service": {
"id": "'$SERVICE_ID'"
}
}' | jq -r ".id"
)
Copied!
Create a Rate Limiting plugin:
PLUGIN_ID=$(curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/plugins" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "rate-limiting",
"config": {
"second": 5,
"hour": 1000,
"policy": "local"
}
}' | jq -r ".id"
)
Copied!
Create the KonnectGatewayControlPlane resource
To manage adopt entities, you first need to create a KonnectGatewayControlPlane resource that references our Konnect control plane:
echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha2
metadata:
name: gateway-control-plane
namespace: kong
spec:
source: Mirror
mirror:
konnect:
id: "'$CONTROL_PLANE_ID'"
konnect:
authRef:
name: konnect-api-auth
' | kubectl apply -f -
Copied!
You can verify the KonnectGatewayControlPlane was reconciled successfully by checking its Programmed condition.
kubectl get -n kong konnectgatewaycontrolplane gateway-control-plane \
-o=jsonpath='{.status.conditions[?(@.type=="Programmed")]}' | jq
Copied!
The output should look similar to this:
{
"observedGeneration": 1,
"reason": "Programmed",
"status": "True",
"type": "Programmed"
}
Copied!
Adopt a Gateway Service
To adopt entities directly referencing a control plane, such as Services, make sure you’ve created the KonnectGatewayControlPlane resource to manage the Konnect control plane.
In this example, we’ll adopt the Service we created in the prerequisites in match mode. This mode is useful if you want to adopt an entity without making any changes to it yet.
Specify the Service’s parameters to match the ones we defined when creating it, and add the Service’s Konnect ID and the reference to the control plane:
echo '
kind: KongService
apiVersion: configuration.konghq.com/v1alpha1
metadata:
name: adopt-service
namespace: kong
spec:
controlPlaneRef:
type: konnectNamespacedRef
konnectNamespacedRef:
name: gateway-control-plane
adopt:
from: konnect
mode: match
konnect:
id: "'$SERVICE_ID'"
name: demo-service
protocol: http
host: httpbin.konghq.com
path: "/anything"
' | kubectl apply -f -
Copied!
You can validate that the Route was successfully adopted by fetching its configuration using the Konnect API:
curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/services/$SERVICE_ID" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"
Copied!
You should see k8s-* tags, which indicate that the Service is managed with Kubernetes.
Adopt a Route
To adopt entities that are attached to another entity, such as a Route attached to a Service, make sure you’ve created the KonnectGatewayControlPlane resource and the parent resource.
Let’s adopt the Route we created in the prerequisites, and this time we’ll use override mode to change its configuration.
Specify the Route’s new parameters, and add the Route’s Konnect ID and the reference to the Service:
echo '
kind: KongRoute
apiVersion: configuration.konghq.com/v1alpha1
metadata:
name: adopt-route
namespace: kong
spec:
serviceRef:
type: namespacedRef
namespacedRef:
name: adopt-service
adopt:
from: konnect
mode: override
konnect:
id: "'$ROUTE_ID'"
name: demo-route
paths:
- "/new"
' | kubectl apply -f -
Copied!
You can validate that the Route was successfully adopted by fetching its configuration using the Konnect API:
curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/routes/$ROUTE_ID" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"
Copied!
You should see the updated configuration and the k8s-* tags.
Adopt a plugin
To adopt a plugin, we need to create two different resources:
- A
KongPluginresource to specify the configuration of the plugin. - A
KongPluginBindingresource to adopt the plugin by ID and specify the relationship between the plugin and other entities.
In this example, we’ll modify the configuration of the Rate Limiting plugin we created in the prerequisites.
First, create the Rate Limiting KongPlugin resource:
echo '
kind: KongPlugin
apiVersion: configuration.konghq.com/v1
metadata:
name: rate-limit
namespace: kong
config:
second: 3
hour: 300
policy: local
plugin: rate-limiting
' | kubectl apply -f -
Copied!
Create the KongPluginBinding resource to link the KongPlugin to the plugin we created in Konnect and associate it to our Service:
echo '
kind: KongPluginBinding
apiVersion: configuration.konghq.com/v1alpha1
metadata:
name: plugin-binding-kongservice
namespace: kong
spec:
controlPlaneRef:
type: konnectNamespacedRef
konnectNamespacedRef:
name: gateway-control-plane
pluginRef:
name: rate-limit
adopt:
from: konnect
mode: override
konnect:
id: "'$PLUGIN_ID'"
targets:
serviceRef:
name: adopt-service
kind: KongService
group: configuration.konghq.com
' | kubectl apply -f -
Copied!
You can validate that the plugin was successfully adopted by fetching its configuration using the Konnect API:
curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/plugins/$PLUGIN_ID" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"
Copied!
You should see the updated configuration and the k8s-* tags.
FAQs
Why can’t I override certain entities?
Immutable entities only support adoption in match mode and can’t be modified after adoption. This is the case for:
- Cloud Gateway resources: Networks, data plane group configurations, and transit gateways.
- Data plane client certificates.
You must adopt these entities in match mode and configure the resource to match the existing entity in Konnect.
Here’s an example of network adoption:
echo '
kind: KonnectCloudGatewayNetwork
apiVersion: konnect.konghq.com/v1alpha1
metadata:
name: adopt-konnect-network
namespace: default
spec:
adopt:
from: konnect
mode: match
konnect:
id: "'$NETWORK_ID'"
name: network1
cloud_gateway_provider_account_id: "'$CLOUD_GATEWAY_PROVIDER_ID'"
availability_zones:
- use1-az1
- use1-az2
- use1-az4
- use1-az5
- use1-az6
cidr_block: 10.0.0.1/24
region: us-east-1
konnect:
authRef:
name: konnect-api-auth
' | kubectl apply -f -
Copied!