Home / Kong Operator / Konnect / Get Started
Edit
Report

Create a Control Plane

Uses: Kong Gateway Operator
Incompatible with
on-prem
Related Documentation
Operator Documentation
In This Series
  1. Install Kong Operator
  2. Create API Authentication
  3. Create a Control Plane
  4. Create a Service and Route
  5. Apply Rate Limiting
  6. Enable Proxy Caching
  7. Key Authentication
Related Resources
Deploy a DataPlane
TL;DR

Define a KonnectGatewayControlPlane to point to your Konnect instance, and a KonnectExtension to bind your Data Plane or Gateway to it.

Prerequisites

Series Prerequisites

This page is part of the Get Started with the Kong Gateway Operator series.

Complete the previous page, Create API Authentication before completing this page.

Create a KonnectGatewayControlPlane

Use the KonnectGatewayControlPlane resource to define the Konnect Control Plane that your CRDs will target. This enables your cluster to send configuration to Konnect.

A KonnectAPIAuthConfiguration must already exist to authenticate with the Konnect API. If you haven’t created one yet, see Create API Authentication.

Apply the following configuration to define a Control Plane named gateway-control-plane:

echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha2
metadata:
  name: gateway-control-plane
  namespace: kong
spec:
  createControlPlaneRequest:
    name: gateway-control-plane
  konnect:
    authRef:
      name: konnect-api-auth
' | kubectl apply -f -

This resource links your cluster to a specific Control Plane instance in Konnect using the credentials provided in konnect-api-auth.

Bind the Control Plane using a KonnectExtension

To finalize the connection between your cluster and the Konnect control plane, create a KonnectExtension object. This resource binds your local Gateway or Data Plane to the Konnect control plane you’ve defined.

echo '
kind: KonnectExtension
apiVersion: konnect.konghq.com/v1alpha2
metadata:
  name: my-konnect-config
  namespace: kong
spec:
  clientAuth:
    certificateSecret:
      provisioning: Automatic
  konnect:
    controlPlane:
      ref:
        type: konnectNamespacedRef
        konnectNamespacedRef:
          name: gateway-control-plane
' | kubectl apply -f -

The KonnectExtension resource handles automatic certificate generation and establishes secure communication between your cluster and Konnect.

Validation

Check that Programmed is True on the gateway-control-plane resource:

You can verify the KonnectGatewayControlPlane was reconciled successfully by checking its Programmed condition.

kubectl get -n kong konnectgatewaycontrolplane gateway-control-plane \
  -o=jsonpath='{.status.conditions[?(@.type=="Programmed")]}' | jq

The output should look similar to this:

{
  "observedGeneration": 1,
  "reason": "Programmed",
  "status": "True",
  "type": "Programmed"
}

Once these resources are in place, your cluster is connected to Konnect and can begin managing entities such as KongService, KongRoute, and KongPlugin.

← Previous 2. Create API Authentication Next → 4. Create a Service and Route
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support