Custom resource definitions
Packages
- configuration.konghq.com/v1
- configuration.konghq.com/v1alpha1
- configuration.konghq.com/v1beta1
- eventgateway.konghq.com/v1alpha1
- gateway-operator.konghq.com/v1alpha1
- gateway-operator.konghq.com/v1beta1
- gateway-operator.konghq.com/v2beta1
- incubator.ingress-controller.konghq.com/v1alpha1
- konnect.konghq.com/v1alpha1
- konnect.konghq.com/v1alpha2
configuration.konghq.com/v1
Package v1 contains API Schema definitions for the konghq.com v1 API group.
KongClusterPlugin
KongClusterPlugin is the Schema for the kongclusterplugins API.
The only differences between KongPlugin and KongClusterPlugin are that KongClusterPlugin is a
Kubernetes cluster-level resource instead of a namespaced resource, and it can be applied as a
global plugin using the global label.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1 |
| `kind` string | KongClusterPlugin |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `consumerRef` string | ConsumerRef is a reference to a particular consumer. |
| `disabled` bool | Disabled sets whether the plugin is disabled. |
| `config` k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON | Config contains the plugin configuration. It’s a list of keys and values required to configure the plugin. Please read the documentation of the plugin being configured to set values in here. For any plugin in Kong, anything that goes in the `config` JSON key in the Admin API request goes into this property. Only one of `config` or `configFrom` may be used in a KongClusterPlugin, not both at once. |
| `configFrom` NamespacedConfigSource | ConfigFrom references a secret containing the plugin configuration. This should be used when the plugin configuration contains sensitive information, such as AWS credentials in the Lambda plugin or the client secret in the OIDC plugin. Only one of `config` or `configFrom` may be used in a KongClusterPlugin, not both at once. |
| `configPatches` NamespacedConfigPatch | ConfigPatches represents JSON patches to the configuration of the plugin. Each item is a JSON patch that adds something to the configuration, where the path is specified in `path` and the value is in `valueFrom`, referencing a key in a secret. When Config is specified, patches are applied to the configuration in Config. Otherwise, patches are applied to an empty object. |
| `plugin` string | PluginName is the name of the plugin to which to apply the config. |
| `run_on` string | RunOn configures the plugin to run on the first or the second or both nodes in case of a service mesh deployment. |
| `protocols` KongProtocol | Protocols configures the plugin to run on requests received on specific protocols. |
| `ordering` *github.com/kong/go-kong/kong.PluginOrdering | Ordering overrides the normal plugin execution order. It’s only available on Kong Enterprise. `<phase>` is a request processing phase (for example, `access` or `body_filter`) and `<plugin>` is the name of the plugin that will run before or after the KongPlugin. For example, a KongPlugin with `plugin: rate-limiting` and `before.access: ["key-auth"]` will create a rate limiting plugin that limits requests before they are authenticated. |
| `instance_name` string | InstanceName is an optional custom name to identify an instance of the plugin. This is useful when running the same plugin in multiple contexts, for example, on multiple services. |
| `status` KongClusterPluginStatus | Status represents the current status of the KongClusterPlugin resource. |
KongConsumer
KongConsumer is the Schema for the kongconsumers API.
When this resource is created, a corresponding Consumer entity will be created in Kong Gateway.
While KongConsumer exists in a specific Kubernetes namespace, KongConsumers from all namespaces
are combined into a single Kong Gateway configuration, and no KongConsumers with the same
kubernetes.io/ingress.class may share the same Username or CustomID value.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1 |
| `kind` string | KongConsumer |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `username` string | Username is a Kong cluster-unique username of the consumer. |
| `custom_id` string | CustomID is a Kong cluster-unique existing ID for the consumer - useful for mapping Kong with users in your existing database. |
| `credentials` []string | Credentials are references to secrets containing a credential to be provisioned in Kong. |
| `consumerGroups` []string | ConsumerGroups are references to consumer groups, provisioned in Kong, that the consumer wants to be part of. |
| `spec` KongConsumerSpec | |
| `status` KongConsumerStatus | Status represents the current status of the KongConsumer resource. |
KongPlugin
KongPlugin is the Schema for the kongplugins API.
Plugins can be associated with the Ingress, Service, HTTPRoute, KongConsumer or KongConsumerGroup object in Kubernetes using konghq.com/plugins annotation.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1 |
| `kind` string | KongPlugin |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `consumerRef` string | ConsumerRef is a reference to a particular consumer. |
| `disabled` bool | Disabled sets whether the plugin is disabled. |
| `config` k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON | Config contains the plugin configuration. It’s a list of keys and values required to configure the plugin. Please read the documentation of the plugin being configured to set values in here. For any plugin in Kong, anything that goes in the `config` JSON key in the Admin API request goes into this property. Only one of `config` or `configFrom` may be used in a KongPlugin, not both at once. |
| `configFrom` ConfigSource | ConfigFrom references a secret containing the plugin configuration. This should be used when the plugin configuration contains sensitive information, such as AWS credentials in the Lambda plugin or the client secret in the OIDC plugin. Only one of `config` or `configFrom` may be used in a KongPlugin, not both at once. |
| `configPatches` ConfigPatch | ConfigPatches represents JSON patches to the configuration of the plugin. Each item is a JSON patch that adds something to the configuration, where the path is specified in `path` and the value is in `valueFrom`, referencing a key in a secret. When Config is specified, patches are applied to the configuration in Config. Otherwise, patches are applied to an empty object. |
| `plugin` string | PluginName is the name of the plugin to which to apply the config. |
| `run_on` string | RunOn configures the plugin to run on the first or the second or both nodes in case of a service mesh deployment. |
| `protocols` KongProtocol | Protocols configures the plugin to run on requests received on specific protocols. |
| `ordering` *github.com/kong/go-kong/kong.PluginOrdering | Ordering overrides the normal plugin execution order. It’s only available on Kong Enterprise. `<phase>` is a request processing phase (for example, `access` or `body_filter`) and `<plugin>` is the name of the plugin that will run before or after the KongPlugin. For example, a KongPlugin with `plugin: rate-limiting` and `before.access: ["key-auth"]` will create a rate limiting plugin that limits requests before they are authenticated. |
| `instance_name` string | InstanceName is an optional custom name to identify an instance of the plugin. This is useful when running the same plugin in multiple contexts, for example, on multiple services. |
| `status` KongPluginStatus | Status represents the current status of the KongPlugin resource. |
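
The `config`, `configFrom` and `configPatches` fields described for KongClusterPlugin and KongPlugin above, shown as an added example that is not part of the original reference: a plugin with a credential inline in `config`, the same plugin with the credential moved into a Secret via `configPatches`, and a KongClusterPlugin that takes its whole configuration from a Secret via `configFrom`. Resource names, the `demo` and `kong` namespaces and all credential values are constructed placeholders; `aws-lambda` and its `aws_key`, `aws_secret`, `aws_region` and `function_name` keys are assumed from that plugin's own documentation, not taken from this page.

```yaml
# Constructed example: every name, namespace and value below is a placeholder.
---
# Weak: the AWS secret is part of the KongPlugin object itself, so it is
# readable by anyone allowed to get/list KongPlugins in the namespace and is
# copied into every repository or backup that holds this manifest.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: lambda-inline
  namespace: demo
plugin: aws-lambda
config:
  aws_region: us-east-1
  function_name: example-fn
  aws_key: EXAMPLE_ACCESS_KEY_ID
  aws_secret: EXAMPLE_SECRET_ACCESS_KEY
---
# Corrected: sensitive values live in a Secret in the same namespace as the
# KongPlugin (ConfigSource has no namespace field; it is implied).
apiVersion: v1
kind: Secret
metadata:
  name: lambda-credentials
  namespace: demo
type: Opaque
stringData:
  # Assumption: each value is used as the JSON "value" of the generated
  # {"op": "add", ...} patch, so a string is stored with its JSON quotes.
  aws-key: '"EXAMPLE_ACCESS_KEY_ID"'
  aws-secret: '"EXAMPLE_SECRET_ACCESS_KEY"'
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: lambda-patched
  namespace: demo
plugin: aws-lambda
config:                       # non-sensitive settings stay inline
  aws_region: us-east-1
  function_name: example-fn
configPatches:                # applied on top of config, one "add" per item
  - path: /aws_key            # JSON Pointer (RFC 6901) into the plugin config
    valueFrom:
      secretKeyRef:
        name: lambda-credentials
        key: aws-key
  - path: /aws_secret
    valueFrom:
      secretKeyRef:
        name: lambda-credentials
        key: aws-secret
---
# KongClusterPlugin is cluster-scoped, so its secretKeyRef must name the
# namespace. configFrom supplies the whole configuration; config is omitted
# because only one of config or configFrom may be set.
apiVersion: v1
kind: Secret
metadata:
  name: lambda-full-config
  namespace: kong
type: Opaque
stringData:
  config: |
    {"aws_region": "us-east-1", "function_name": "example-fn",
     "aws_key": "EXAMPLE_ACCESS_KEY_ID", "aws_secret": "EXAMPLE_SECRET_ACCESS_KEY"}
---
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: lambda-cluster
plugin: aws-lambda
configFrom:
  secretKeyRef:
    namespace: kong
    name: lambda-full-config
    key: config
```

With the corrected layout, read access to KongPlugin objects no longer exposes the credential; what remains to review is RBAC on Secrets in the referenced namespaces.
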
Types
In this section you will find types that the CRDs rely on.
ConfigPatch
ConfigPatch is a JSON patch (RFC6902) to add values from Secret to the generated configuration.
It is an equivalent of the following patch:
{"op": "add", "path": {.Path}, "value": {.ComputedValueFrom}}.
| Field | Description |
|---|---|
| `path` string | Path is the JSON-Pointer value (RFC6901) that references a location within the target configuration. |
| `valueFrom` ConfigSource | ValueFrom is the reference to a key of a secret where the patched value comes from. |
Appears in:
ConfigSource
ConfigSource is a wrapper around SecretValueFromSource.
| Field | Description |
|---|---|
| `secretKeyRef` SecretValueFromSource | Specifies a name and a key of a secret to refer to. The namespace is implicitly set to the one of referring object. |
Appears in:
KongClusterPluginStatus
KongClusterPluginStatus represents the current status of the KongClusterPlugin resource.
| Field | Description |
|---|---|
| `conditions` []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the KongClusterPluginStatus. Known condition types are: “Programmed”. |
Appears in:
KongConsumerSpec
KongConsumerSpec defines the specification of the KongConsumer.
| Field | Description |
|---|---|
| `controlPlaneRef` ControlPlaneRef | ControlPlaneRef is a reference to a ControlPlane this Consumer is associated with. |
| `adopt` AdoptOptions | Adopt is the options for adopting a consumer from an existing consumer in Konnect. |
| `tags` Tags | Tags is an optional set of tags applied to the consumer. |
Appears in:
KongConsumerStatus
KongConsumerStatus represents the current status of the KongConsumer resource.
| Field | Description |
|---|---|
| `konnect` KonnectEntityStatusWithControlPlaneRef | Konnect contains the Konnect entity status. |
| `conditions` []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the KongConsumer. Known condition types are: “Programmed”. |
Appears in:
KongPluginStatus
KongPluginStatus represents the current status of the KongPlugin resource.
| Field | Description |
|---|---|
| `conditions` []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the KongPluginStatus. Known condition types are: “Programmed”. |
Appears in:
KongProtocol
Underlying type: string
KongProtocol is a valid Kong protocol. This alias is necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342
Appears in:
NamespacedConfigPatch
NamespacedConfigPatch is a JSON patch that adds values from secrets to the generated Kong configuration of a KongClusterPlugin.
| Field | Description |
|---|---|
| `path` string | Path is the JSON path to add the patch. |
| `valueFrom` NamespacedConfigSource | ValueFrom is the reference to a key of a secret where the patched value comes from. |
Appears in:
NamespacedConfigSource
NamespacedConfigSource is a wrapper around NamespacedSecretValueFromSource.
| Field | Description |
|---|---|
| `secretKeyRef` NamespacedSecretValueFromSource | Specifies a name, a namespace, and a key of a secret to refer to. |
Appears in:
NamespacedSecretValueFromSource
NamespacedSecretValueFromSource represents the source of a secret value specifying the secret namespace.
| Field | Description |
|---|---|
| `namespace` string | The namespace containing the secret. |
| `name` string | The secret containing the key. |
| `key` string | The key containing the value. |
Appears in:
SecretValueFromSource
SecretValueFromSource represents the source of a secret value.
| Field | Description |
|---|---|
| `name` string | The secret containing the key. |
| `key` string | The key containing the value. |
Appears in:
configuration.konghq.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the configuration.konghq.com v1alpha1 API group.
- EventGatewayBackendCluster
- EventGatewayDataPlaneCertificate
- EventGatewayListener
- EventGatewayListenerPolicy
- EventGatewayVirtualCluster
- EventGatewayVirtualClusterConsumePolicy
- EventGatewayVirtualClusterPolicy
- EventGatewayVirtualClusterProducePolicy
- IngressClassParameters
- KongCACertificate
- KongCertificate
- KongCredentialACL
- KongCredentialAPIKey
- KongCredentialBasicAuth
- KongCredentialHMAC
- KongCredentialJWT
- KongCustomEntity
- KongDataPlaneClientCertificate
- KongKey
- KongKeySet
- KongLicense
- KongPluginBinding
- KongReferenceGrant
- KongRoute
- KongSNI
- KongService
- KongTarget
- KongUpstream
- KongVault
EventGatewayBackendCluster
EventGatewayBackendCluster is the Schema for the eventgatewaybackendclusters API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayBackendCluster |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayBackendClusterSpec | |
| `status` EventGatewayBackendClusterStatus | |
EventGatewayDataPlaneCertificate
EventGatewayDataPlaneCertificate is the Schema for the eventgatewaydataplanecertificates API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayDataPlaneCertificate |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayDataPlaneCertificateSpec | |
| `status` EventGatewayDataPlaneCertificateStatus | |
EventGatewayListener
EventGatewayListener is the Schema for the eventgatewaylisteners API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayListener |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayListenerSpec | |
| `status` EventGatewayListenerStatus | |
EventGatewayListenerPolicy
EventGatewayListenerPolicy is the Schema for the eventgatewaylistenerpolicys API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayListenerPolicy |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayListenerPolicySpec | |
| `status` EventGatewayListenerPolicyStatus | |
EventGatewayVirtualCluster
EventGatewayVirtualCluster is the Schema for the eventgatewayvirtualclusters API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayVirtualCluster |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayVirtualClusterSpec | |
| `status` EventGatewayVirtualClusterStatus | |
EventGatewayVirtualClusterConsumePolicy
EventGatewayVirtualClusterConsumePolicy is the Schema for the eventgatewayvirtualclusterconsumepolicys API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayVirtualClusterConsumePolicy |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayVirtualClusterConsumePolicySpec | |
| `status` EventGatewayVirtualClusterConsumePolicyStatus | |
EventGatewayVirtualClusterPolicy
EventGatewayVirtualClusterPolicy is the Schema for the eventgatewayvirtualclusterpolicys API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayVirtualClusterPolicy |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayVirtualClusterPolicySpec | |
| `status` EventGatewayVirtualClusterPolicyStatus | |
EventGatewayVirtualClusterProducePolicy
EventGatewayVirtualClusterProducePolicy is the Schema for the eventgatewayvirtualclusterproducepolicys API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | EventGatewayVirtualClusterProducePolicy |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` EventGatewayVirtualClusterProducePolicySpec | |
| `status` EventGatewayVirtualClusterProducePolicyStatus | |
IngressClassParameters
IngressClassParameters is the Schema for the IngressClassParameters API.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | IngressClassParameters |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` IngressClassParametersSpec | Spec is the IngressClassParameters specification. |
KongCACertificate
KongCACertificate is the schema for CACertificate API which defines a Kong CA Certificate.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCACertificate |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCACertificateSpec | |
| `status` KongCACertificateStatus | |
KongCertificate
KongCertificate is the schema for Certificate API which defines a Kong Certificate.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCertificate |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCertificateSpec | |
| `status` KongCertificateStatus | |
KongCredentialACL
KongCredentialACL is the schema for ACL credentials API which defines an ACL credential for consumers.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCredentialACL |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCredentialACLSpec | Spec contains the ACL credential specification. |
| `status` KongCredentialACLStatus | Status contains the ACL credential status. |
KongCredentialAPIKey
KongCredentialAPIKey is the schema for API key credentials API which defines an API key credential for consumers.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCredentialAPIKey |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCredentialAPIKeySpec | Spec contains the API Key credential specification. |
| `status` KongCredentialAPIKeyStatus | Status contains the API Key credential status. |
KongCredentialBasicAuth
KongCredentialBasicAuth is the schema for BasicAuth credentials API which defines a BasicAuth credential for consumers.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCredentialBasicAuth |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCredentialBasicAuthSpec | Spec contains the BasicAuth credential specification. |
| `status` KongCredentialBasicAuthStatus | Status contains the BasicAuth credential status. |
KongCredentialHMAC
KongCredentialHMAC is the schema for HMAC credentials API which defines an HMAC credential for consumers.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCredentialHMAC |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCredentialHMACSpec | Spec contains the HMAC credential specification. |
| `status` KongCredentialHMACStatus | Status contains the HMAC credential status. |
KongCredentialJWT
KongCredentialJWT is the schema for JWT credentials API which defines a JWT credential for consumers.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCredentialJWT |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCredentialJWTSpec | Spec contains the JWT credential specification. |
| `status` KongCredentialJWTStatus | Status contains the JWT credential status. |
KongCustomEntity
KongCustomEntity defines a “custom” Kong entity whose entity type KIC cannot support directly.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongCustomEntity |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongCustomEntitySpec | |
| `status` KongCustomEntityStatus | Status stores the reconciling status of the resource. |
KongDataPlaneClientCertificate
KongDataPlaneClientCertificate is the schema for KongDataPlaneClientCertificate API which defines a KongDataPlaneClientCertificate entity.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongDataPlaneClientCertificate |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongDataPlaneClientCertificateSpec | |
| `status` KongDataPlaneClientCertificateStatus | |
KongKey
KongKey is the schema for KongKey API which defines a KongKey entity.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongKey |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongKeySpec | |
| `status` KongKeyStatus | |
KongKeySet
KongKeySet is the schema for KongKeySet API which defines a KongKeySet entity.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongKeySet |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongKeySetSpec | |
| `status` KongKeySetStatus | |
KongLicense
KongLicense stores a Kong enterprise license to apply to managed Kong gateway instances.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongLicense |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `rawLicenseString` string | RawLicenseString is a string with the raw content of the license. |
| `enabled` bool | Enabled is set to true to let controllers (like KIC or KGO) reconcile it. Default value is true to apply the license by default. |
| `status` KongLicenseStatus | Status is the status of the KongLicense being processed by controllers. |
KongPluginBinding
KongPluginBinding is the schema for Plugin Bindings API which defines a Kong Plugin Binding.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongPluginBinding |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongPluginBindingSpec | |
| `status` KongPluginBindingStatus | |
KongReferenceGrant
KongReferenceGrant identifies kinds of resources in other namespaces that are
trusted to reference the specified kinds of resources in the same namespace
as the policy.
Each KongReferenceGrant can be used to represent a unique trust relationship.
Additional Reference Grants can be used to add to the set of trusted
sources of inbound references for the namespace they are defined within.
All cross-namespace references in Kong APIs require a KongReferenceGrant.
KongReferenceGrant is a form of runtime verification allowing users to assert
which cross-namespace object references are permitted.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongReferenceGrant |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongReferenceGrantSpec | Spec defines the desired state of KongReferenceGrant. |
KongRoute
KongRoute is the schema for Routes API which defines a Kong Route. Currently, KongRoute supports only the JSON flavor of Route configuration.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongRoute |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongRouteSpec | |
| `status` KongRouteStatus | |
KongSNI
KongSNI is the schema for SNI API which defines a Kong SNI.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongSNI |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongSNISpec | |
| `status` KongSNIStatus | |
KongService
KongService is the schema for Services API which defines a Kong Service.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongService |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongServiceSpec | |
| `status` KongServiceStatus | |
KongTarget
KongTarget is the schema for Target API which defines a Kong Target attached to a Kong Upstream.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongTarget |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongTargetSpec | |
| `status` KongTargetStatus | |
KongUpstream
KongUpstream is the schema for Upstream API which defines a Kong Upstream.
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongUpstream |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongUpstreamSpec | |
| `status` KongUpstreamStatus | |
KongVault
KongVault is the schema for kongvaults API which defines a custom Kong vault. A Kong vault is a store for sensitive data whose values can be referenced in the configuration of plugins. See: https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/
| Field | Description |
|---|---|
| `apiVersion` string | configuration.konghq.com/v1alpha1 |
| `kind` string | KongVault |
| `metadata` k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` KongVaultSpec | |
| `status` KongVaultStatus | |
Types
In this section you will find types that the CRDs rely on.
BackendClusterAuthenticationAnonymous
BackendClusterAuthenticationAnonymous Anonymous authentication scheme for the backend cluster.
Appears in:
BackendClusterAuthenticationSaslPlain
BackendClusterAuthenticationSaslPlain SASL/PLAIN authentication scheme for the backend cluster.
| Field | Description |
|---|---|
| `password` GatewaySecret | A sensitive value containing the secret or a reference to a secret as a template string expression. If the value is provided as plain text, it is encrypted at rest and omitted from API responses. If provided as an expression, the expression itself is stored and returned by the API. |
| `username` GatewaySecretReferenceOrLiteral | A literal value or a reference to an existing secret as a template string expression. The value is stored and returned by the API as-is, not treated as sensitive information. |
Appears in:
BackendClusterAuthenticationSaslScram
BackendClusterAuthenticationSaslScram SASL/SCRAM authentication scheme for the backend cluster.
| Field | Description |
|---|---|
| `algorithm` string | The algorithm used for SASL/SCRAM authentication. |
| `password` GatewaySecret | A sensitive value containing the secret or a reference to a secret as a template string expression. If the value is provided as plain text, it is encrypted at rest and omitted from API responses. If provided as an expression, the expression itself is stored and returned by the API. |
| `username` GatewaySecretReferenceOrLiteral | A literal value or a reference to an existing secret as a template string expression. The value is stored and returned by the API as-is, not treated as sensitive information. |
Appears in:
BackendClusterAuthenticationSchemeType
Underlying type: string
BackendClusterAuthenticationSchemeType represents the type of BackendClusterAuthenticationScheme.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| `anonymous` | |
| `saslPlain` | |
| `saslScram` | |
BackendClusterName
Underlying type: string
BackendClusterName The unique name of the backend cluster.
Appears in:
BackendClusterTLS
BackendClusterTLS is a type alias.
| Field | Description |
|---|---|
| `caBundle` GatewaySecretReferenceOrLiteral | A literal value or a reference to an existing secret as a template string expression. The value is stored and returned by the API as-is, not treated as sensitive information. |
| `clientIdentity` BackendClusterTLSClientIdentity | Client mTLS configuration. Requires a minimum runtime version of 1.1. |
| `enabled` string | If true, TLS is enabled for connections to this backend cluster. If false, TLS is explicitly disabled. |
| `insecureSkipVerify` string | If true, certificate verification is skipped. This is not secure for production use. |
| `tlsVersions` []string | List of supported TLS versions. |
Appears in:
BackendClusterTLSClientIdentity
BackendClusterTLSClientIdentity Client mTLS configuration.
Requires a minimum runtime version of 1.1.
| Field | Description |
|---|---|
| `certificate` SensitiveDataSource | A literal value or a reference to an existing secret as a template string expression. The value is stored and returned by the API as-is, not treated as sensitive information. |
| `key` SensitiveDataSource | A sensitive value containing the secret or a reference to a secret as a template string expression. If the value is provided as plain text, it is encrypted at rest and omitted from API responses. If provided as an expression, the expression itself is stored and returned by the API. |
Appears in:
BackendMetadataUpdateIntervalSeconds
Underlying type: integer
BackendMetadataUpdateIntervalSeconds The interval at which metadata is updated in seconds.
Appears in:
ConsumeFailureMode
Underlying type: string
ConsumeFailureMode Describes how to handle a failure in a policy applied to consumed records.
- error - the batch is not delivered to the client. Use sparingly: erroring on a batch causes clients to get stuck on the problematic offset and requires manual intervention to skip it.
- skip - the record is not delivered to the client.
- passthrough - passes the record to the client even though policy execution failed.
- mark - passes the record to the client but marks it with a `kong/policy-failure-<id>` header whose value is the reason for the policy failure (truncated to 512 characters).
Appears in:
ConsumeKeyValidationAction
Underlying type: string
ConsumeKeyValidationAction Defines a behavior when record key is not valid.
- mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema.
- skip - skips delivering a record.
Appears in:
ConsumeValueValidationAction
Underlying type: string
ConsumeValueValidationAction Defines a behavior when record value is not valid.
- mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema.
- skip - skips delivering a record.
Appears in:
ControllerReference
ControllerReference is a reference to a controller that reconciles the KongLicense.
| Field | Description |
|---|---|
| `group` Group | Group is the group of referent. It should be empty if the referent is in “core” group (like pod). |
| `kind` Kind | Kind is the kind of the referent. By default the nil kind means kind Pod. |
| `namespace` Namespace | Namespace is the namespace of the referent. It should be empty if the referent is cluster scoped. |
| `name` ObjectName | Name is the name of the referent. |
Appears in:
DecryptionRecordPart
Underlying type: string
DecryptionRecordPart is the part of the record to decrypt:
- key - decrypt the record key
- value - decrypt the record value
Appears in:
EncryptionFailureMode
Underlying type: string
EncryptionFailureMode Describes how to handle failing encryption or
decryption.
Use error if the record should be rejected if encryption or decryption
fails.
Use passthrough to ignore encryption or decryption failure and continue
proxying the record.
Appears in:
EncryptionKeyAWS
EncryptionKeyAWS The AWS KMS key to use for encryption.
| Field | Description |
|---|---|
| arn string | The AWS KMS key ARN. |
Appears in:
- EncryptionKey
- EventGatewayEncryptConfigEncryptionKey
- EventGatewayParsedRecordEncryptionSelectorEncryptionKey
EncryptionKeyStatic
EncryptionKeyStatic A static encryption key.
| Field | Description |
|---|---|
| key EncryptionKeyStaticReference | A static encryption key reference, either by ID or by value. |
Appears in:
- EncryptionKey
- EventGatewayEncryptConfigEncryptionKey
- EventGatewayParsedRecordEncryptionSelectorEncryptionKey
EncryptionKeyStaticReference
EncryptionKeyStaticReference is a type alias.
| Field | Description |
|---|---|
| id *string | |
| name *string | |
Appears in:
EncryptionKeyType
Underlying type: string
EncryptionKeyType represents the type of EncryptionKey.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| aws | |
| static | |
EncryptionRecordPart
Underlying type: string
EncryptionRecordPart
- key - encrypt the record key
- value - encrypt the record value
Appears in:
EventGatewayACLOperation
EventGatewayACLOperation An Event Gateway operation to match against in an ACL rule.
| Field | Description |
|---|---|
| name string | |
Appears in:
EventGatewayACLPolicyConfig
EventGatewayACLPolicyConfig Apply ACLs to virtual cluster traffic.
| Field | Description |
|---|---|
| rules EventGatewayACLRule | Every ACL rule in this list applies independently. |
Appears in:
EventGatewayACLResourceName
EventGatewayACLResourceName An Event Gateway resource name to match against in an ACL rule.
| Field | Description |
|---|---|
| match string | Currently supported are exact matches and globs. All * characters are interpreted as globs, i.e. they match zero or more of any character. |
Appears in:
EventGatewayACLRule
EventGatewayACLRule A Kafka ACL rule to apply to virtual cluster traffic
| Field | Description |
|---|---|
| action string | How to handle the request if the rule matches. |
| operations EventGatewayACLOperation | Types of Kafka operations to match against. Note that not every operation can apply to every resource type. |
| resourceNames EventGatewayACLRuleResourceNames | If any of these entries match, the resource name matches for this rule. A maximum of 50 entries are allowed. |
| resourceType string | The rule applies only to access to resources of this type. |
Appears in:
EventGatewayACLRuleResourceNames
EventGatewayACLRuleResourceNames represents a union type for resource_names. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayACLRuleResourceNamesType | Type designates the type of configuration. |
| stat EventGatewayACLRuleResourceNamesStaticArray | Stat configuration. |
| dynam EventGatewayACLRuleResourceNamesDynamicArray | Dynam configuration. |
Appears in:
EventGatewayACLRuleResourceNamesDynamicArray
Underlying type: string
EventGatewayACLRuleResourceNamesDynamicArray This expression should evaluate
to an array of glob patterns,
equivalent to the match values in the static array form of
resource_names.
Requires a minimum runtime version of 1.1.
Appears in:
EventGatewayACLRuleResourceNamesStaticArray
Underlying type: [EventGatewayACLResourceName](#eventgatewayaclresourcename)
EventGatewayACLRuleResourceNamesStaticArray A static list of resource name globs to match against resources when applying an ACL policy.
| Field | Description |
|---|---|
| match string | Currently supported are exact matches and globs. All * characters are interpreted as globs, i.e. they match zero or more of any character. |
Appears in:
EventGatewayACLRuleResourceNamesType
Underlying type: string
EventGatewayACLRuleResourceNamesType represents the type of resource_names.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| stat | |
| dynam | |
EventGatewayACLsPolicy
EventGatewayACLsPolicy Apply Kafka ACLs to virtual cluster traffic.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. |
| config EventGatewayACLPolicyConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayAWSKeySource
EventGatewayAWSKeySource A key source that uses an AWS KMS to find a
symmetric key.
Load KMS credentials from the environment.
See the AWS docs for more information about credential retrieval.
Appears in:
EventGatewayBackendClusterAPISpec
EventGatewayBackendClusterAPISpec defines the API spec fields for EventGatewayBackendCluster.
| Field | Description |
|---|---|
| authentication EventGatewayBackendClusterAuthentication | |
| bootstrapServers []string | A list of cluster bootstrap servers in the format address:port. |
| description string | A human-readable description of the backend cluster. |
| insecureAllowAnonymousVirtualClusterAuth string | If true, virtual clusters can allow anonymous authentication and use this backend cluster. This setting is not recommended for production use as it may create privilege escalation vulnerabilities. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| metadataUpdateIntervalSeconds BackendMetadataUpdateIntervalSeconds | The interval at which metadata is updated in seconds. |
| name BackendClusterName | The unique name of the backend cluster. |
| tls BackendClusterTLS | |
Appears in:
EventGatewayBackendClusterAuthentication
EventGatewayBackendClusterAuthentication represents a union type for authentication. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayBackendClusterAuthenticationType | Type designates the type of configuration. |
| anonymous BackendClusterAuthenticationAnonymous | Anonymous configuration. |
| saslPlain BackendClusterAuthenticationSaslPlain | SaslPlain configuration. |
| saslScram BackendClusterAuthenticationSaslScram | SaslScram configuration. |
Appears in:
EventGatewayBackendClusterAuthenticationType
Underlying type: string
EventGatewayBackendClusterAuthenticationType represents the type of authentication.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| anonymous | |
| saslPlain | |
| saslScram | |
EventGatewayBackendClusterSpec
EventGatewayBackendClusterSpec defines the desired state of EventGatewayBackendCluster.
| Field | Description |
|---|---|
| gatewayRef ObjectRef | GatewayRef is the reference to the parent Gateway object. |
| apiSpec EventGatewayBackendClusterAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayBackendClusterStatus
EventGatewayBackendClusterStatus defines the observed state of EventGatewayBackendCluster.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
EventGatewayConsumeSchemaValidationPolicy
EventGatewayConsumeSchemaValidationPolicy A policy that validates consume messages against a schema registry.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. |
| config EventGatewayConsumeSchemaValidationPolicyConfig | The configuration of the schema validation policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayConsumeSchemaValidationPolicyConfig
EventGatewayConsumeSchemaValidationPolicyConfig The configuration of the schema validation policy.
| Field | Description |
|---|---|
| keyValidationAction ConsumeKeyValidationAction | Defines a behavior when record key is not valid. * mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema. * skip - skips delivering a record. |
| schemaRegistry EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistry | A reference to a schema Registry. |
| type SchemaValidationType | How to validate the schema and parse the record. * confluent_schema_registry - validates against confluent schema registry. * json - simple JSON parsing without the schema. |
| valueValidationAction ConsumeValueValidationAction | Defines a behavior when record value is not valid. * mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema. * skip - skips delivering a record. |
Appears in:
EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistry
EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistry represents a union type for schema_registry. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistryType | Type designates the type of configuration. |
| id SchemaRegistryReferenceByID | ID configuration. |
| name SchemaRegistryReferenceByName | Name configuration. |
Appears in:
EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistryType
Underlying type: string
EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistryType represents the type of schema_registry.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| id | |
| name | |
EventGatewayDataPlaneCertificateAPISpec
EventGatewayDataPlaneCertificateAPISpec defines the API spec fields for EventGatewayDataPlaneCertificate.
| Field | Description |
|---|---|
| certificate SensitiveDataSource | JSON escaped string of the certificate. |
| description string | A description of the certificate. |
| name string | The name that identifies the certificate. |
Appears in:
EventGatewayDataPlaneCertificateSpec
EventGatewayDataPlaneCertificateSpec defines the desired state of EventGatewayDataPlaneCertificate.
| Field | Description |
|---|---|
| gatewayRef ObjectRef | GatewayRef is the reference to the parent Gateway object. |
| apiSpec EventGatewayDataPlaneCertificateAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayDataPlaneCertificateStatus
EventGatewayDataPlaneCertificateStatus defines the observed state of EventGatewayDataPlaneCertificate.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
EventGatewayDecryptPolicy
EventGatewayDecryptPolicy Decrypts Kafka records or keys using AES_256_GCM. Keys are therefore 256 bits long.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. |
| config EventGatewayDecryptPolicyConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayDecryptPolicyConfig
EventGatewayDecryptPolicyConfig The configuration of the decrypt policy.
| Field | Description |
|---|---|
| failureMode EncryptionFailureMode | Describes how to handle failing encryption or decryption. Use error if the record should be rejected if encryption or decryption fails. Use passthrough to ignore encryption or decryption failure and continue proxying the record. |
| keySources EventGatewayKeySource | Describes how to find a symmetric key for decryption. |
| partOfRecord DecryptionRecordPart | Describes the parts of a record to decrypt. |
Appears in:
EventGatewayEncryptConfig
EventGatewayEncryptConfig The configuration of the encrypt policy.
| Field | Description |
|---|---|
| encryptionKey EventGatewayEncryptConfigEncryptionKey | The key to use for encryption. |
| failureMode EncryptionFailureMode | Describes how to handle failing encryption or decryption. Use error if the record should be rejected if encryption or decryption fails. Use passthrough to ignore encryption or decryption failure and continue proxying the record. |
| partOfRecord EncryptionRecordPart | Describes the parts of a record to encrypt. |
Appears in:
EventGatewayEncryptConfigEncryptionKey
EventGatewayEncryptConfigEncryptionKey represents a union type for encryption_key. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayEncryptConfigEncryptionKeyType | Type designates the type of configuration. |
| aws EncryptionKeyAWS | AWS configuration. |
| static EncryptionKeyStatic | Static configuration. |
Appears in:
EventGatewayEncryptConfigEncryptionKeyType
Underlying type: string
EventGatewayEncryptConfigEncryptionKeyType represents the type of encryption_key.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| aws | |
| static | |
EventGatewayEncryptPolicy
EventGatewayEncryptPolicy Encrypts Kafka records or keys using AES_256_GCM. Keys are therefore 256 bits long.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. |
| config EventGatewayEncryptConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayKeySource
EventGatewayKeySource represents a union type for EventGatewayKeySource. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayKeySourceType | Type designates the type of configuration. |
| aws EventGatewayAWSKeySource | AWS configuration. |
| static EventGatewayStaticKeySource | Static configuration. |
Appears in:
EventGatewayKeySourceType
Underlying type: string
EventGatewayKeySourceType represents the type of EventGatewayKeySource.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| aws | |
| static | |
EventGatewayListenerAPISpec
EventGatewayListenerAPISpec defines the API spec fields for EventGatewayListener.
| Field | Description |
|---|---|
| addresses []string | Which address or addresses to listen on. 0.0.0.0 means all addresses on the host. :: means all addresses on the host in IPv6. If 0.0.0.0 or :: is used, there can’t be other extra addresses defined. WARNING: there are use cases where listening on all addresses is insecure, so use this with caution. localhost means only the localhost IPv4 address. |
| description string | A human-readable description of the listener. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | The unique name of the listener. |
| ports EventGatewayListenerPort | Which port or ports to listen on. There can be multiple ways to define ports: as a single port, e.g. 9092, or as a range of ports, e.g. 9092-9094. It’s possible to combine both, e.g. [9092, “9093-9095”, 9096]. |
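The address and port rules in the field descriptions above can be checked before a listener manifest is applied. The following Python lint is an added example, not Kong's code: the function names, the dict shape of the sample specs, the literal reading of "no extra addresses" and the 1-65535 bound (the ordinary TCP port range) are assumptions.

```python
"""Pre-apply lint for the addresses/ports fields of an EventGatewayListener apiSpec.

Added example, not Kong code. It encodes only the rules stated in the field
descriptions; the 1-65535 bound is the ordinary TCP port range (assumption).
"""
import re

# "All addresses on the host" for IPv4 and IPv6, per the addresses description.
WILDCARDS = {"0.0.0.0", "::"}
_RANGE = re.compile(r"^([0-9]+)-([0-9]+)$")   # range form, e.g. "9092-9094"
_SINGLE = re.compile(r"^[0-9]+$")             # single port, e.g. 9092


def expand_ports(ports):
    """Expand single ports and "lo-hi" ranges into a sorted list of ints."""
    expanded = set()
    for entry in ports:
        text = str(entry).strip()
        match = _RANGE.match(text)
        if isinstance(entry, bool) or not (match or _SINGLE.match(text)):
            raise ValueError(f"unrecognised port entry: {entry!r}")
        if match:
            lo, hi = int(match.group(1)), int(match.group(2))
        else:
            lo = hi = int(text)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port entry reversed or outside 1-65535: {entry!r}")
        expanded.update(range(lo, hi + 1))
    return sorted(expanded)


def audit_listener(api_spec):
    """Return (severity, message) findings for one apiSpec dict."""
    findings = []
    addresses = api_spec.get("addresses", [])
    wild = [a for a in addresses if a in WILDCARDS]
    # Read literally: once a wildcard is present, any second entry is "extra".
    if wild and len(addresses) > 1:
        findings.append(
            ("ERROR", f"{wild[0]} cannot be combined with other addresses: {addresses}")
        )
    if wild:
        findings.append(
            ("WARN", f"{wild[0]} listens on every host address; confirm the exposure is intended")
        )
    try:
        expand_ports(api_spec.get("ports", []))
    except ValueError as exc:
        findings.append(("ERROR", str(exc)))
    return findings


# Constructed sample specs (not taken from any real deployment).
SAMPLE_SPECS = {
    "loopback-only": {"addresses": ["localhost"], "ports": [9092, "9093-9095", 9096]},
    "wildcard-plus-extra": {"addresses": ["0.0.0.0", "10.0.0.5"], "ports": [9092]},
    "reversed-range": {"addresses": ["::"], "ports": ["9094-9092"]},
}

if __name__ == "__main__":
    for name, spec in SAMPLE_SPECS.items():
        results = audit_listener(spec) or [("OK", "no findings")]
        for severity, message in results:
            print(f"{name}: {severity}: {message}")
```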
Appears in:
EventGatewayListenerPolicyAPISpec
EventGatewayListenerPolicyAPISpec defines the API spec fields for EventGatewayListenerPolicy.
Appears in:
EventGatewayListenerPolicyConfig
EventGatewayListenerPolicyConfig represents a union type for EventGatewayListenerPolicyConfig. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayListenerPolicyConfigType | Type designates the type of configuration. |
| forwardToVirtualCluster ForwardToVirtualClusterPolicy | ForwardToVirtualClust configuration. |
| tlsServer EventGatewayTLSListenerPolicy | EventGatewayTLSListen configuration. |
Appears in:
EventGatewayListenerPolicyConfigType
Underlying type: string
EventGatewayListenerPolicyConfigType represents the type of EventGatewayListenerPolicyConfig.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| forwardToVirtualCluster | |
| tlsServer | |
EventGatewayListenerPolicySpec
EventGatewayListenerPolicySpec defines the desired state of EventGatewayListenerPolicy.
| Field | Description |
|---|---|
| eventGatewayListenerRef ObjectRef | EventGatewayListenerRef is the reference to the parent EventGatewayListener object. |
| apiSpec EventGatewayListenerPolicyAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayListenerPolicyStatus
EventGatewayListenerPolicyStatus defines the observed state of EventGatewayListenerPolicy.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| eventGatewayListenerID KonnectEntityRef | EventGatewayListenerID is the Konnect ID of the parent EventGatewayListener. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
EventGatewayListenerSpec
EventGatewayListenerSpec defines the desired state of EventGatewayListener.
| Field | Description |
|---|---|
| gatewayRef ObjectRef | GatewayRef is the reference to the parent Gateway object. |
| apiSpec EventGatewayListenerAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayListenerStatus
EventGatewayListenerStatus defines the observed state of EventGatewayListener.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
EventGatewayModifyHeaderAction
EventGatewayModifyHeaderAction represents a union type for EventGatewayModifyHeaderAction. Only one of the fields should be set based on the Op.
| Field | Description |
|---|---|
| op EventGatewayModifyHeaderActionType | Op designates the type of configuration. |
| remove EventGatewayModifyHeaderRemoveAction | Remove configuration. |
| set EventGatewayModifyHeaderSetAction | Set configuration. |
Appears in:
EventGatewayModifyHeaderActionType
Underlying type: string
EventGatewayModifyHeaderActionType represents the type of EventGatewayModifyHeaderAction.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| remove | |
| set | |
EventGatewayModifyHeaderRemoveAction
EventGatewayModifyHeaderRemoveAction An action that removes a header by key.
| Field | Description |
|---|---|
| key string | The key of the header to remove. |
Appears in:
EventGatewayModifyHeaderSetAction
EventGatewayModifyHeaderSetAction An action that sets a header key and value.
| Field | Description |
|---|---|
| key string | The key of the header to set. |
| value string | The value of the header to set. |
Appears in:
EventGatewayModifyHeadersPolicyCreate
EventGatewayModifyHeadersPolicyCreate A policy that modifies headers for requests.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. When the policy is applied as a child policy of schema_validation, the expression can also reference record.value fields. |
| config EventGatewayModifyHeadersPolicyCreateConfig | The configuration of the modify headers policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayModifyHeadersPolicyCreateConfig
EventGatewayModifyHeadersPolicyCreateConfig The configuration of the modify headers policy.
| Field | Description |
|---|---|
| actions EventGatewayModifyHeaderAction | Actions are run in sequential order and act on individual headers. |
Appears in:
EventGatewayParsedRecordDecryptFieldsConfig
EventGatewayParsedRecordDecryptFieldsConfig The configuration of the decrypt parsed record fields policy.
| Field | Description |
|---|---|
| decryptFields EventGatewayParsedRecordDecryptionSelector | Selects which fields to decrypt. |
| failureMode ConsumeFailureMode | Describes how to handle a failure in a policy applied to consumed records. * error - the batch is not delivered to the client. Use sparingly: erroring on a batch causes clients to get stuck on the problematic offset and requires manual intervention to skip it. * skip - the record is not delivered to the client. * passthrough - passes the record to the client even though policy execution failed. * mark - passes the record to the client but marks it with a kong/policy-failure-<id> header whose value is the reason for the policy failure (truncated to 512 characters). |
| keySources EventGatewayKeySource | Describes how to find a symmetric key for decryption. |
Appears in:
EventGatewayParsedRecordDecryptFieldsPolicyCreate
EventGatewayParsedRecordDecryptFieldsPolicyCreate Decrypts fields of parsed
Kafka records using AES_256_GCM.
Keys are therefore 256 bits long.
Note this policy can only be used as a child of a
EventGatewayConsumeSchemaValidationPolicy policy.
Requires a minimum runtime version of 1.2.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. When the policy is applied as a child policy of schema_validation, the expression can also reference record.value fields. |
| config EventGatewayParsedRecordDecryptFieldsConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayParsedRecordDecryptionSelector
EventGatewayParsedRecordDecryptionSelector Selects fields of a parsed record for decryption.
| Field | Description |
|---|---|
| paths EventGatewayParsedRecordDecryptionSelectorPaths | Selects which fields of the parsed record to decrypt. A maximum of 50 path entries are allowed. |
Appears in:
EventGatewayParsedRecordDecryptionSelectorPaths
EventGatewayParsedRecordDecryptionSelectorPaths represents a union type for paths. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayParsedRecordDecryptionSelectorPathsType | Type designates the type of configuration. |
| variant1 EventGatewayParsedRecordDecryptionSelectorPathsVariant1 | Variant1 configuration. |
| variant2 EventGatewayParsedRecordDecryptionSelectorPathsVariant2 | Variant2 configuration. |
Appears in:
EventGatewayParsedRecordDecryptionSelectorPathsType
Underlying type: string
EventGatewayParsedRecordDecryptionSelectorPathsType represents the type of paths.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| variant1 | |
| variant2 | |
EventGatewayParsedRecordDecryptionSelectorPathsVariant1
Underlying type: [JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#json-v1-apiextensions-k8s-io)
EventGatewayParsedRecordDecryptionSelectorPathsVariant1 is a type alias.
Appears in:
EventGatewayParsedRecordDecryptionSelectorPathsVariant2
Underlying type: string
EventGatewayParsedRecordDecryptionSelectorPathsVariant2 This expression
should evaluate to an array of exact field paths,
equivalent to the match values in the array variant.
Appears in:
EventGatewayParsedRecordEncryptFieldsConfig
EventGatewayParsedRecordEncryptFieldsConfig The configuration of the encrypt parsed record policy.
| Field | Description |
|---|---|
| encryptFields EventGatewayParsedRecordEncryptionSelector | Selects which fields to encrypt and with what keys. |
| failureMode ProduceFailureMode | Describes how to handle a failure in a policy applied to produced records. * reject - rejects the record batch. * passthrough - passes the record silently to the backend cluster even though policy execution failed. * mark - passes the record to the backend cluster but marks it with a kong/policy-failure-<id> header whose value is the reason for the policy failure (truncated to 512 characters). |
Appears in:
EventGatewayParsedRecordEncryptFieldsPolicyCreate
EventGatewayParsedRecordEncryptFieldsPolicyCreate Encrypts fields of parsed
Kafka records using AES_256_GCM.
Keys are therefore 256 bits long.
Note this policy can only be used as a child of a
EventGatewayProduceSchemaValidationPolicy policy.
Requires a minimum runtime version of 1.2.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. When the policy is applied as a child policy of schema_validation, the expression can also reference record.value fields. |
| config EventGatewayParsedRecordEncryptFieldsConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayParsedRecordEncryptionSelector
EventGatewayParsedRecordEncryptionSelector Selects fields of a parsed record for encryption and defines what key to encrypt them with.
| Field | Description |
|---|---|
| encryptionKey EventGatewayParsedRecordEncryptionSelectorEncryptionKey | The key to use for encryption. |
| paths EventGatewayParsedRecordEncryptionSelectorPaths | Selects which fields of the parsed record to encrypt. A maximum of 50 path entries are allowed. |
Appears in:
EventGatewayParsedRecordEncryptionSelectorEncryptionKey
EventGatewayParsedRecordEncryptionSelectorEncryptionKey represents a union type for encryption_key. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayParsedRecordEncryptionSelectorEncryptionKeyType | Type designates the type of configuration. |
| aws EncryptionKeyAWS | AWS configuration. |
| static EncryptionKeyStatic | Static configuration. |
Appears in:
EventGatewayParsedRecordEncryptionSelectorEncryptionKeyType
Underlying type: string
EventGatewayParsedRecordEncryptionSelectorEncryptionKeyType represents the type of encryption_key.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| aws | |
| static | |
EventGatewayParsedRecordEncryptionSelectorPaths
EventGatewayParsedRecordEncryptionSelectorPaths represents a union type for paths. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayParsedRecordEncryptionSelectorPathsType | Type designates the type of configuration. |
| variant1 EventGatewayParsedRecordEncryptionSelectorPathsVariant1 | Variant1 configuration. |
| variant2 EventGatewayParsedRecordEncryptionSelectorPathsVariant2 | Variant2 configuration. |
Appears in:
EventGatewayParsedRecordEncryptionSelectorPathsType
Underlying type: string
EventGatewayParsedRecordEncryptionSelectorPathsType represents the type of paths.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| variant1 | |
| variant2 | |
EventGatewayParsedRecordEncryptionSelectorPathsVariant1
Underlying type: [JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#json-v1-apiextensions-k8s-io)
EventGatewayParsedRecordEncryptionSelectorPathsVariant1 is a type alias.
Appears in:
EventGatewayParsedRecordEncryptionSelectorPathsVariant2
Underlying type: string
EventGatewayParsedRecordEncryptionSelectorPathsVariant2 This expression
should evaluate to an array of exact field paths,
equivalent to the match values in the array variant.
Appears in:
EventGatewayProduceSchemaValidationPolicy
EventGatewayProduceSchemaValidationPolicy A policy that validates produce messages against a schema registry.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. |
| config EventGatewayProduceSchemaValidationPolicyConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayProduceSchemaValidationPolicyConfig
EventGatewayProduceSchemaValidationPolicyConfig represents a union type for EventGatewayProduceSchemaValidationPolicyConfig. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayProduceSchemaValidationPolicyConfigType | Type designates the type of configuration. |
| confluentSchemaRegistry EventGatewayProduceSchemaValidationPolicySchemaRegistryConfig | SchemaRegistry configuration. |
| json EventGatewayProduceSchemaValidationPolicyJSONConfig | JSON configuration. |
Appears in:
EventGatewayProduceSchemaValidationPolicyConfigType
Underlying type: string
EventGatewayProduceSchemaValidationPolicyConfigType represents the type of EventGatewayProduceSchemaValidationPolicyConfig.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| confluentSchemaRegistry | |
| json | |
EventGatewayProduceSchemaValidationPolicyJSONConfig
EventGatewayProduceSchemaValidationPolicyJSONConfig The configuration of the produce schema validation policy when using JSON parsing without schema.
| Field | Description |
|---|---|
| keyValidationAction ProduceKeyValidationAction | Defines a behavior when record key is not valid. * reject - rejects a batch for topic partition. Only available for produce. * mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema. |
| schemaRegistry EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistry | A reference to a schema Registry. |
| valueValidationAction ProduceValueValidationAction | Defines a behavior when record value is not valid. * reject - rejects a batch for topic partition. Only available for produce. * mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema. |
Appears in:
EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistry
EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistry represents a union type for schema_registry. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistryType | Type designates the type of configuration. |
| id SchemaRegistryReferenceByID | ID configuration. |
| name SchemaRegistryReferenceByName | Name configuration. |
Appears in:
EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistryType
Underlying type: string
EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistryType represents the type of schema_registry.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| id | |
| name | |
EventGatewayProduceSchemaValidationPolicySchemaRegistryConfig
EventGatewayProduceSchemaValidationPolicySchemaRegistryConfig is the configuration of the produce schema validation policy when using a schema registry.
| Field | Description |
|---|---|
| keyValidationAction ProduceKeyValidationAction | Defines a behavior when record key is not valid. * reject - rejects a batch for topic partition. Only available for produce. * mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema. |
| schemaRegistry EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistry | A reference to a schema Registry. |
| valueValidationAction ProduceValueValidationAction | Defines a behavior when record value is not valid. * reject - rejects a batch for topic partition. Only available for produce. * mark - marks a record with kong/server header and client ID value to help to identify the clients violating schema. |
Appears in:
EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistry
EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistry represents a union type for schema_registry. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistryType | Type designates the type of configuration. |
| id SchemaRegistryReferenceByID | ID configuration. |
| name SchemaRegistryReferenceByName | Name configuration. |
Appears in:
EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistryType
Underlying type: string
EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistryType represents the type of schema_registry.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| id | |
| name | |
EventGatewaySkipRecordPolicyCreate
EventGatewaySkipRecordPolicyCreate is a policy that skips processing of a record.
| Field | Description |
|---|---|
| condition string | A string containing the boolean expression that determines whether the policy is applied. When the policy is applied as a child policy of schema_validation, the expression can also reference record.value fields. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayStaticKeySource
EventGatewayStaticKeySource is a key source that uses static symmetric keys.
Appears in:
EventGatewayTLSListenerPolicy
EventGatewayTLSListenerPolicy is the TLS Server policy. It defines the certificates and keys used by the gateway server when the client connects to the gateway over TLS.
While it is possible to have multiple TLS policies on a listener, only one can be active at a time.
| Field | Description |
|---|---|
| config EventGatewayTLSListenerPolicyConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
EventGatewayTLSListenerPolicyConfig
EventGatewayTLSListenerPolicyConfig is a type alias.
| Field | Description |
|---|---|
| allowPlaintext string | If false, only TLS connections are allowed. If true, both TLS and plaintext connections are allowed. |
| certificates TLSCertificate | |
| clientAuthentication EventGatewayTLSListenerPolicyConfigClientAuthentication | Configures mutual TLS (mTLS) client certificate verification. When set, the gateway requests or requires clients to present a certificate during the TLS handshake. Requires a minimum runtime version of 1.1. |
| versions TLSVersionRange | A range of TLS versions. |
Appears in:
EventGatewayTLSListenerPolicyConfigClientAuthentication
EventGatewayTLSListenerPolicyConfigClientAuthentication configures mutual TLS (mTLS) client certificate verification.
When set, the gateway requests or requires clients to present a certificate during the TLS handshake.
Requires a minimum runtime version of 1.1.
| Field | Description |
|---|---|
| mode string | * required - Reject TLS connections without a valid client certificate. * requested - Request a client certificate during the TLS handshake, but allow connections without one (falls back to other configured authentication methods). If a certificate is presented but cannot be verified, the connection is closed. |
| principalMapping string | An expression that extracts a principal identifier from a verified client certificate. This expression must evaluate to a string. Requires a minimum runtime version of 1.1. |
| tlsTrustBundles TLSTrustBundleReference | TLS trust bundles contain CA certificate bundles used to verify client certificates. All bundles are merged into a single trust store; a client certificate is accepted if it chains to any trusted CA across all bundles. |
Appears in:
EventGatewayVirtualClusterAPISpec
EventGatewayVirtualClusterAPISpec defines the API spec fields for EventGatewayVirtualCluster.
| Field | Description |
|---|---|
| aclMode VirtualClusterACLMode | Configures whether or not ACL policies are enforced on the gateway. - enforce_on_gateway means the gateway enforces its own ACL policies for this virtual cluster and does not forward ACL-related commands to the backend cluster. Note that if there are no ACL policies configured, all access is denied. - passthrough tells the gateway to forward all ACL-related commands. |
| authentication VirtualClusterAuthenticationScheme | How to handle authentication from clients. The gateway tries to authenticate with every rule sequentially, one by one. It succeeds on the first match, and fails if no rule matches. |
| description string | A human-readable description of the virtual cluster. |
| dnsLabel VirtualClusterDNSLabel | The DNS label used in the bootstrap server URL to identify the virtual cluster when using SNI routing. The format follows RFC 1035: 1-63 chars, lowercase alphanumeric or ‘-’, must start and end with an alphanumeric character. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name VirtualClusterName | The name of the virtual cluster. |
| namespace VirtualClusterNamespace | Namespace allows implementing multitenancy using a single backend cluster. It allows either hiding or enforcing a static prefix on resources (topics, consumer group IDs, transaction IDs). |
| topicAliases VirtualClusterTopicAlias | Pre-release feature: this feature is currently in beta and is subject to change. Topic aliases allow exposing backend topics under additional names. An alias creates a new entry point to the same physical data. The alias topic field references namespace-visible names (if namespace is configured). Aliases are independent of namespace and can be used without it. Requires a minimum runtime version of 1.2. |
Appears in:
EventGatewayVirtualClusterConsumePolicyAPISpec
EventGatewayVirtualClusterConsumePolicyAPISpec defines the API spec fields for EventGatewayVirtualClusterConsumePolicy.
Appears in:
EventGatewayVirtualClusterConsumePolicyConfig
EventGatewayVirtualClusterConsumePolicyConfig represents a union type for EventGatewayVirtualClusterConsumePolicyConfig. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayVirtualClusterConsumePolicyConfigType | Type designates the type of configuration. |
| decrypt EventGatewayDecryptPolicy | DecryptPolicy configuration. |
| decryptFields EventGatewayParsedRecordDecryptFieldsPolicyCreate | ParsedRecordDecryptFieldsPolicyCreate configuration. |
| modifyHeaders EventGatewayModifyHeadersPolicyCreate | ModifyHeadersPolicyCreate configuration. |
| schemaValidation EventGatewayConsumeSchemaValidationPolicy | ConsumeSchemaValidationPolicy configuration. |
| skipRecord EventGatewaySkipRecordPolicyCreate | SkipRecordPolicyCreate configuration. |
Appears in:
EventGatewayVirtualClusterConsumePolicyConfigType
Underlying type: string
EventGatewayVirtualClusterConsumePolicyConfigType represents the type of EventGatewayVirtualClusterConsumePolicyConfig.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| decrypt | |
| decryptFields | |
| modifyHeaders | |
| schemaValidation | |
| skipRecord | |
EventGatewayVirtualClusterConsumePolicySpec
EventGatewayVirtualClusterConsumePolicySpec defines the desired state of EventGatewayVirtualClusterConsumePolicy.
| Field | Description |
|---|---|
| eventGatewayVirtualClusterRef ObjectRef | EventGatewayVirtualClusterRef is the reference to the parent EventGatewayVirtualCluster object. |
| apiSpec EventGatewayVirtualClusterConsumePolicyAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayVirtualClusterConsumePolicyStatus
EventGatewayVirtualClusterConsumePolicyStatus defines the observed state of EventGatewayVirtualClusterConsumePolicy.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| virtualClusterID KonnectEntityRef | VirtualClusterID is the Konnect ID of the parent VirtualCluster. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
EventGatewayVirtualClusterPolicyAPISpec
EventGatewayVirtualClusterPolicyAPISpec defines the API spec fields for EventGatewayVirtualClusterPolicy.
Appears in:
EventGatewayVirtualClusterPolicyConfig
EventGatewayVirtualClusterPolicyConfig represents a union type for EventGatewayVirtualClusterPolicyConfig. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayVirtualClusterPolicyConfigType | Type designates the type of configuration. |
| acls EventGatewayACLsPolicy | EventGatewayACLsPolicy configuration. |
Appears in:
EventGatewayVirtualClusterPolicyConfigType
Underlying type: string
EventGatewayVirtualClusterPolicyConfigType represents the type of EventGatewayVirtualClusterPolicyConfig.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| acls | |
EventGatewayVirtualClusterPolicySpec
EventGatewayVirtualClusterPolicySpec defines the desired state of EventGatewayVirtualClusterPolicy.
| Field | Description |
|---|---|
| eventGatewayVirtualClusterRef ObjectRef | EventGatewayVirtualClusterRef is the reference to the parent EventGatewayVirtualCluster object. |
| apiSpec EventGatewayVirtualClusterPolicyAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayVirtualClusterPolicyStatus
EventGatewayVirtualClusterPolicyStatus defines the observed state of EventGatewayVirtualClusterPolicy.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| virtualClusterID KonnectEntityRef | VirtualClusterID is the Konnect ID of the parent VirtualCluster. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
EventGatewayVirtualClusterProducePolicyAPISpec
EventGatewayVirtualClusterProducePolicyAPISpec defines the API spec fields for EventGatewayVirtualClusterProducePolicy.
Appears in:
EventGatewayVirtualClusterProducePolicyConfig
EventGatewayVirtualClusterProducePolicyConfig represents a union type for EventGatewayVirtualClusterProducePolicyConfig. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type EventGatewayVirtualClusterProducePolicyConfigType | Type designates the type of configuration. |
| encrypt EventGatewayEncryptPolicy | EncryptPolicy configuration. |
| encryptFields EventGatewayParsedRecordEncryptFieldsPolicyCreate | ParsedRecordEncryptFieldsPolicyCreate configuration. |
| modifyHeaders EventGatewayModifyHeadersPolicyCreate | ModifyHeadersPolicyCreate configuration. |
| schemaValidation EventGatewayProduceSchemaValidationPolicy | ProduceSchemaValidationPolicy configuration. |
Appears in:
EventGatewayVirtualClusterProducePolicyConfigType
Underlying type: string
EventGatewayVirtualClusterProducePolicyConfigType represents the type of EventGatewayVirtualClusterProducePolicyConfig.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| encrypt | |
| encryptFields | |
| modifyHeaders | |
| schemaValidation | |
EventGatewayVirtualClusterProducePolicySpec
EventGatewayVirtualClusterProducePolicySpec defines the desired state of EventGatewayVirtualClusterProducePolicy.
| Field | Description |
|---|---|
| eventGatewayVirtualClusterRef ObjectRef | EventGatewayVirtualClusterRef is the reference to the parent EventGatewayVirtualCluster object. |
| apiSpec EventGatewayVirtualClusterProducePolicyAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayVirtualClusterProducePolicyStatus
EventGatewayVirtualClusterProducePolicyStatus defines the observed state of EventGatewayVirtualClusterProducePolicy.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| virtualClusterID KonnectEntityRef | VirtualClusterID is the Konnect ID of the parent VirtualCluster. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
EventGatewayVirtualClusterSpec
EventGatewayVirtualClusterSpec defines the desired state of EventGatewayVirtualCluster.
| Field | Description |
|---|---|
| eventGatewayBackendClusterRef ObjectRef | EventGatewayBackendClusterRef is the reference to the parent EventGatewayBackendCluster object. |
| apiSpec EventGatewayVirtualClusterAPISpec | APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
EventGatewayVirtualClusterStatus
EventGatewayVirtualClusterStatus defines the observed state of EventGatewayVirtualCluster.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions represent the current state of the resource. |
| gatewayID KonnectEntityRef | GatewayID is the Konnect ID of the parent Gateway. |
| eventGatewayBackendCluster KonnectEntityRef | EventGatewayBackendCluster is the Konnect entity reference for the parent EventGatewayBackendCluster. |
| observedGeneration int64 | ObservedGeneration is the most recent generation observed |
Appears in:
ForwardToClusterByPortMappingConfig
ForwardToClusterByPortMappingConfig is the configuration to forward requests to the destination and rewrite ports accordingly.
All broker IDs must fit in the range of ports defined in the listener; if they don't, the metadata request will return an error.
For example, with ports: [9000, "9092-9094", "9100"] and bootstrap_port: at_start and brokers with IDs 1, 2, 3, 4 we will map bootstrap to 9000, broker 1 to 9001, broker 2 to 9002, broker 3 to 9003, and broker 4 to 9004, and fail the metadata request as these ports are not open.
However, with the same configuration but with brokers with IDs 92, 93, 94, 100 we will map bootstrap to 9000, broker 92 to 9092, broker 93 to 9093, broker 94 to 9094, and broker 100 to 9100.
In most cases users should use a single range ["9090-9094"] and bootstrap_port: at_start and connect with <host>:9090 as bootstrap server.
Being able to use multiple ranges is only useful when dealing with gaps in broker IDs.
It is strongly discouraged to use port mapping in production.
| Field | Description |
|---|---|
| advertisedHost string | Virtual brokers are advertised to clients using this host. Any kind of host supported by Kafka can be used. If not defined, it’s listen_address. If listen_address is 0.0.0.0 it’s the destination IP of the TCP connection. |
| bootstrapPort string | If set to at_start, the first port will be used as a bootstrap port. It provides a stable endpoint to use as the bootstrap server for clients, regardless of broker IDs in the cluster. Additionally, it offsets all ports by one, so for example, if there are 3 brokers (id=1, id=2, id=3) then we will use 4 ports: 9092 (bootstrap), 9093 (id=1), 9094 (id=2), 9095 (id=3). With none we will use 3 ports: 9092 (id=1), 9093 (id=2), 9094 (id=3). |
| destination VirtualClusterReference | A reference to a virtual cluster. |
| minBrokerID int | The lowest broker node ID in the cluster. |
Appears in:
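
The port arithmetic described for ForwardToClusterByPortMappingConfig can be checked before a listener is deployed. The following is an added example, not code from Kong: `expandPorts`, `planPorts` and `PortPlan` are hypothetical names, and the formula (first port, plus one when bootstrap_port is at_start, plus broker ID minus minBrokerID) is an assumption inferred from the worked examples above, which it reproduces with minBrokerID set to 1.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// expandPorts turns listener port entries such as "9000" or "9092-9094"
// into the set of open ports, and reports the first port written.
func expandPorts(entries []string) (open map[int]bool, first int, err error) {
	open = map[int]bool{}
	for i, e := range entries {
		lo, hi, isRange := strings.Cut(strings.TrimSpace(e), "-")
		if !isRange {
			hi = lo
		}
		start, err1 := strconv.Atoi(lo)
		end, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || start < 1 || end > 65535 || end < start {
			return nil, 0, fmt.Errorf("invalid port entry %q", e)
		}
		if i == 0 {
			first = start
		}
		for p := start; p <= end; p++ {
			open[p] = true
		}
	}
	if len(open) == 0 {
		return nil, 0, fmt.Errorf("no listener ports configured")
	}
	return open, first, nil
}

// PortPlan is the computed mapping for one listener.
type PortPlan struct {
	Bootstrap int         // 0 when bootstrap_port is "none"
	Brokers   map[int]int // broker ID -> listener port
}

// planPorts maps every broker ID to a listener port and returns an error
// naming each broker whose port is not open, which is the condition the
// page says makes the metadata request fail.
// ASSUMPTION: port = first + (1 if at_start) + (brokerID - minBrokerID).
func planPorts(entries []string, bootstrapPort string, minBrokerID int, brokerIDs []int) (PortPlan, error) {
	open, first, err := expandPorts(entries)
	if err != nil {
		return PortPlan{}, err
	}
	plan := PortPlan{Brokers: map[int]int{}}
	offset := 0
	switch bootstrapPort {
	case "at_start":
		plan.Bootstrap, offset = first, 1
	case "none":
	default:
		return PortPlan{}, fmt.Errorf("unknown bootstrap_port %q", bootstrapPort)
	}
	var unmapped []string
	for _, id := range brokerIDs {
		port := first + offset + (id - minBrokerID)
		if id < minBrokerID || !open[port] {
			unmapped = append(unmapped, fmt.Sprintf("broker %d -> %d", id, port))
			continue
		}
		plan.Brokers[id] = port
	}
	if len(unmapped) > 0 {
		return plan, fmt.Errorf("ports not open on listener: %s", strings.Join(unmapped, ", "))
	}
	return plan, nil
}

func main() {
	// Listener ports and broker IDs taken from the examples in the description.
	ports := []string{"9000", "9092-9094", "9100"}
	for _, ids := range [][]int{{1, 2, 3, 4}, {92, 93, 94, 100}} {
		plan, err := planPorts(ports, "at_start", 1, ids)
		fmt.Printf("brokers %v: bootstrap=%d mapped=%v err=%v\n", ids, plan.Bootstrap, plan.Brokers, err)
	}
}
```

Running the same check against the broker IDs reported by the backend cluster shows which listener ports must be reachable and flags any broker that would land on a closed port.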
ForwardToClusterBySNIConfig
ForwardToClusterBySNIConfig is the configuration to forward requests to virtual clusters configured with SNI routing.
| Field | Description |
|---|---|
| advertisedPort int | Virtual brokers are advertised to clients with this port instead of listen_port. Useful when the proxy is behind a load balancer listening on a different port. |
| brokerHostFormat ForwardToClusterBySNIConfigBrokerHostFormat | Configures DNS names assigned to brokers in virtual clusters. - per_cluster_suffix is the default and allocates one level in the hierarchy for virtual clusters: broker-{node_id}.{virtual_cluster}.{sni_suffix} - shared_suffix puts all brokers from every virtual cluster into the same level: broker-{node_id}-{virtual_cluster}.{sni_suffix}. This makes it easier to manage certificates for this listener. Requires a minimum runtime version of 1.1. |
| sniSuffix string | Optional suffix for TLS SNI validation. This suffix is concatenated with the virtual cluster “dns.label” label to form the base name for the SNI. If not provided, the virtual cluster “dns.label” label alone is used as the base name for the SNI. For example with sni_suffix: .example.com and virtual cluster “dns.label” label: my-cluster, the SNI suffix for it is my-cluster.example.com. If “dns.label” label is absent on the virtual cluster, the traffic won’t be routed there. The bootstrap host is bootstrap.my-cluster.example.com and then each broker is addressable at broker-0.my-cluster.example.com, broker-1.my-cluster.example.com, etc. This means that your deployment needs to have a wildcard certificate for the domain and a DNS resolver that routes *.my-cluster.example.com to the proxy. The accepted format is a DNS subdomain starting with either . or -. For example, -keg.example.com, .keg.example.com, .namespace.svc.cluster.local, and .localhost are all valid, while keg.example.com is not. |
Appears in:
ForwardToClusterBySNIConfigBrokerHostFormat
ForwardToClusterBySNIConfigBrokerHostFormat configures DNS names assigned to brokers in virtual clusters.
- per_cluster_suffix is the default and allocates one level in the hierarchy for virtual clusters: broker-{node_id}.{virtual_cluster}.{sni_suffix}
- shared_suffix puts all brokers from every virtual cluster into the same level: broker-{node_id}-{virtual_cluster}.{sni_suffix}. This makes it easier to manage certificates for this listener.
Requires a minimum runtime version of 1.1.
| Field | Description |
|---|---|
| type string | |
Appears in:
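
The sniSuffix format rule and the two brokerHostFormat layouts determine which names the listener certificate has to cover. The following is an added example, not code from Kong: it validates a suffix and DNS label with the rules stated above, builds the broker host name for either format, and derives the wildcard name that covers it. All function names are hypothetical, and the 63-character label and 253-character name limits are the general DNS limits rather than values from this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	PerClusterSuffix = "per_cluster_suffix"
	SharedSuffix     = "shared_suffix"
)

var (
	// One DNS label: 1-63 chars, lowercase alphanumeric or '-',
	// starting and ending with an alphanumeric character.
	labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)
	// sniSuffix: a DNS subdomain that starts with '.' or '-'.
	suffixRe = regexp.MustCompile(`^[.-][a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$`)
)

// validSNISuffix accepts an unset (empty) suffix or one in the accepted format.
func validSNISuffix(s string) bool {
	return s == "" || suffixRe.MatchString(s)
}

// checkHost enforces the general DNS limits on the composed name. A '-' suffix
// or the shared_suffix format lengthens the first label, so a label that was
// valid on its own can still produce an invalid host.
func checkHost(host string) error {
	if len(host) > 253 {
		return fmt.Errorf("host %q longer than 253 characters", host)
	}
	for _, l := range strings.Split(host, ".") {
		if !labelRe.MatchString(l) {
			return fmt.Errorf("label %q in %q is not a valid DNS label", l, host)
		}
	}
	return nil
}

// brokerHost builds the name advertised for one broker. The base name is the
// virtual cluster DNS label concatenated with the suffix, as described above.
// The bootstrap name under shared_suffix is not given on the page, so it is
// not computed here.
func brokerHost(format string, nodeID int, dnsLabel, sniSuffix string) (string, error) {
	if !labelRe.MatchString(dnsLabel) {
		return "", fmt.Errorf("invalid DNS label %q", dnsLabel)
	}
	if !validSNISuffix(sniSuffix) {
		return "", fmt.Errorf("invalid sniSuffix %q: must start with '.' or '-'", sniSuffix)
	}
	base := dnsLabel + sniSuffix
	var host string
	switch format {
	case PerClusterSuffix:
		host = fmt.Sprintf("broker-%d.%s", nodeID, base)
	case SharedSuffix:
		host = fmt.Sprintf("broker-%d-%s", nodeID, base)
	default:
		return "", fmt.Errorf("unknown brokerHostFormat %q", format)
	}
	if err := checkHost(host); err != nil {
		return "", err
	}
	return host, nil
}

// wildcardFor returns the wildcard name that covers host. A certificate
// wildcard matches exactly one leftmost label.
func wildcardFor(host string) string {
	_, rest, ok := strings.Cut(host, ".")
	if !ok {
		return host
	}
	return "*." + rest
}

func main() {
	for _, format := range []string{PerClusterSuffix, SharedSuffix} {
		for _, cluster := range []string{"my-cluster", "other"} { // constructed labels
			host, err := brokerHost(format, 0, cluster, ".example.com")
			fmt.Printf("%-18s %-10s %s cert=%s err=%v\n", format, cluster, host, wildcardFor(host), err)
		}
	}
}
```

With per_cluster_suffix each virtual cluster needs its own wildcard name, while shared_suffix places every broker under one wildcard for the suffix domain.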
ForwardToVirtualClusterPolicy
ForwardToVirtualClusterPolicy forwards requests to virtual clusters configured with port routing or SNI routing.
While there can be multiple of these policies configured on a listener, there can only be one instance of port_mapping.
When multiple policies are configured, the first one that matches the connection is used.
If no policy matches, the connection is rejected.
When using port_mapping, there must be a mapping port for each broker on the backend cluster; see ForwardToClusterBySNIConfig for more details.
| Field | Description |
|---|---|
| config ForwardToVirtualClusterPolicyConfig | The configuration of the policy. |
| description string | A human-readable description of the policy. |
| enabled string | Whether the policy is enabled. |
| labels Labels | Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
| name string | A unique user-defined name of the policy. |
Appears in:
ForwardToVirtualClusterPolicyConfig
ForwardToVirtualClusterPolicyConfig represents a union type for config. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
| type ForwardToVirtualClusterPolicyConfigType | Type designates the type of configuration. |
| portMapping ForwardToClusterByPortMappingConfig | PortMapping configuration. |
| sni ForwardToClusterBySNIConfig | SNI configuration. |
Appears in:
ForwardToVirtualClusterPolicyConfigType
Underlying type: string
ForwardToVirtualClusterPolicyConfigType represents the type of config.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| portMapping | |
| sni | |
GatewaySecret
Underlying type: string
GatewaySecret is a sensitive value containing the secret or a reference to a secret as a template string expression. If the value is provided as plain text, it is encrypted at rest and omitted from API responses. If provided as an expression, the expression itself is stored and returned by the API.
Appears in:
- BackendClusterAuthenticationSaslPlain
- BackendClusterAuthenticationSaslScram
- VirtualClusterAuthenticationPrincipal
GatewaySecretReferenceOrLiteral
Underlying type: string
GatewaySecretReferenceOrLiteral is a literal value or a reference to an existing secret as a template string expression. The value is stored and returned by the API as-is, not treated as sensitive information.
Appears in:
- BackendClusterAuthenticationSaslPlain
- BackendClusterAuthenticationSaslScram
- BackendClusterTLS
- VirtualClusterAuthenticationPrincipal
Group
Underlying type: string
Group refers to a Kubernetes Group. It must either be an empty string or an RFC 1123 subdomain.
Appears in:
IngressClassParametersSpec
IngressClassParametersSpec defines the desired state of IngressClassParameters.
| Field | Description |
|---|---|
| serviceUpstream bool | Offload load-balancing to kube-proxy or sidecar. |
| enableLegacyRegexDetection bool | EnableLegacyRegexDetection automatically detects if ImplementationSpecific Ingress paths are regular expression paths using the legacy 2.x heuristic. The controller adds the “~” prefix to those paths if the Kong version is 3.0 or higher. |
Appears in:
KeySetRef
KeySetRef is the schema for the KeySetRef type. It is used to reference a KeySet entity.
| Field | Description |
|---|---|
| type KeySetRefType | Type defines the type of the KeySet object reference. It can be one of: - konnectID - namespacedRef |
| konnectID *string | KonnectID is the schema for the KonnectID type. This field is required when the Type is konnectID. |
| namespacedRef NameRef | NamespacedRef is a reference to a KeySet entity inside the cluster. This field is required when the Type is namespacedRef. |
Appears in:
KeySetRefType
Underlying type: string
KeySetRefType is the enum type for the KeySetRef.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| konnectID | KeySetRefKonnectID is the type for the KonnectID KeySetRef. It is used to reference a KeySet entity by its ID on the Konnect platform. |
| namespacedRef | KeySetRefNamespacedRef is the type for the KeySetRef. It is used to reference a KeySet entity inside the cluster using a namespaced reference. |
Kind
Underlying type: string
Kind refers to a Kubernetes kind.
Appears in:
KongCACertificateAPISpec
KongCACertificateAPISpec contains the API specification for the KongCACertificate.
| Field | Description |
|---|---|
| cert string | Cert is the PEM-encoded CA certificate. This field is used when type is ‘inline’. |
| tags Tags | Tags is an optional set of tags applied to the certificate. Tags will be applied when type is ‘inline’ or ‘secretRef’. This field allows you to attach metadata to the certificate for identification or organization purposes. |
Appears in:
KongCACertificateSourceType
Underlying type: string
KongCACertificateSourceType is the type of source for the CA certificate data.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| inline | KongCACertificateSourceTypeInline indicates that the CA certificate data is provided inline in the spec. |
| secretRef | KongCACertificateSourceTypeSecretRef indicates that the CA certificate data is sourced from a Kubernetes Secret. |
KongCACertificateSpec
KongCACertificateSpec contains the specification for the KongCACertificate.
| Field | Description |
|---|---|
| cert string | Cert is the PEM-encoded CA certificate. This field is used when type is ‘inline’. |
| tags Tags | Tags is an optional set of tags applied to the certificate. Tags will be applied when type is ‘inline’ or ‘secretRef’. This field allows you to attach metadata to the certificate for identification or organization purposes. |
| type KongCACertificateSourceType | Type indicates the source of the CA certificate data. Can be ‘inline’ or ‘secretRef’. |
| controlPlaneRef ControlPlaneRef | ControlPlaneRef references the Konnect Control Plane that this KongCACertificate should be created in. |
| adopt AdoptOptions | Adopt contains the options for adopting a CA certificate from an existing CA certificate in Konnect. |
| secretRef NamespacedRef | SecretRef is a reference to a Kubernetes Secret containing the CA certificate. This field is used when type is ‘secretRef’. The Secret must contain a key named ‘ca.crt’. The namespace field is optional, but will be restricted by validation until ReferenceGrant support is implemented. |
Appears in:
KongCACertificateStatus
KongCACertificateStatus defines the observed state of KongCACertificate.
| Field | Description |
|---|---|
| konnect KonnectEntityStatusWithControlPlaneRef | Konnect contains the Konnect entity status. |
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the status of the Konnect entity. |
Appears in:
KongCertificateAPISpec
KongCertificateAPISpec contains the API specification for the KongCertificate.
| Field | Description |
|---|---|
| cert string | Cert is the PEM-encoded certificate. This field is used when type is ‘inline’. |
| cert_alt string | CertAlt is the PEM-encoded certificate. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is used when type is ‘inline’. |
| key string | Key is the PEM-encoded private key. This field is used when type is ‘inline’. |
| key_alt string | KeyAlt is the PEM-encoded private key. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is used when type is ‘inline’. |
| tags Tags | Tags is an optional set of tags applied to the certificate. Tags will be applied when type is ‘inline’ or ‘secretRef’. This field allows you to attach metadata to the certificate for identification or organization purposes. |
Appears in:
KongCertificateSourceType
Underlying type: string
KongCertificateSourceType is the type of source for the certificate data.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| inline | KongCertificateSourceTypeInline indicates that the certificate data is provided inline in the spec. |
| secretRef | KongCertificateSourceTypeSecretRef indicates that the certificate data is sourced from a Kubernetes Secret. |
KongCertificateSpec
KongCertificateSpec contains the specification for the KongCertificate.
| Field | Description |
|---|---|
| cert string | Cert is the PEM-encoded certificate. This field is used when type is ‘inline’. |
| cert_alt string | CertAlt is the PEM-encoded certificate. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is used when type is ‘inline’. |
| key string | Key is the PEM-encoded private key. This field is used when type is ‘inline’. |
| key_alt string | KeyAlt is the PEM-encoded private key. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is used when type is ‘inline’. |
| tags Tags | Tags is an optional set of tags applied to the certificate. Tags will be applied when type is ‘inline’ or ‘secretRef’. This field allows you to attach metadata to the certificate for identification or organization purposes. |
| type KongCertificateSourceType | Type indicates the source of the certificate data. Can be ‘inline’ or ‘secretRef’. |
| controlPlaneRef ControlPlaneRef | ControlPlaneRef references the Konnect Control Plane that this KongCertificate should be created in. |
| adopt AdoptOptions | Adopt contains the options for adopting a certificate from an existing certificate in Konnect. |
| secretRef NamespacedRef | SecretRef is a reference to a Kubernetes Secret containing the certificate and key. This field is used when type is ‘secretRef’. The Secret must contain keys named ‘tls.crt’ and ‘tls.key’. The namespace field is optional, but will be restricted by validation until ReferenceGrant support is implemented. |
| secretRefAlt NamespacedRef | SecretRefAlt is a reference to a Kubernetes Secret containing the alternative certificate and key. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is used when type is ‘secretRef’. The Secret must contain keys named ‘tls.crt’ and ‘tls.key’. The namespace field is optional, but will be restricted by validation until ReferenceGrant support is implemented. |
Appears in:
KongCertificateStatus
KongCertificateStatus defines the observed state of KongCertificate.
| Field | Description |
|---|---|
| konnect KonnectEntityStatusWithControlPlaneRef | Konnect contains the Konnect entity status. |
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the status of the Konnect entity. |
Appears in:
KongCredentialACLAPISpec
KongCredentialACLAPISpec defines specification of an ACL credential.
| Field | Description |
|---|---|
| group string | Group is the name for the ACL credential. |
| tags Tags | Tags is a list of tags for the ACL credential. |
Appears in:
KongCredentialACLSpec
KongCredentialACLSpec defines specification of Kong ACL.
| Field | Description |
|---|---|
group string
|
Group is the name for the ACL credential. |
tags Tags
|
Tags is a list of tags for the ACL credential. |
consumerRef LocalObjectReference
|
ConsumerRef is a reference to a Consumer this KongCredentialACL is associated with. |
adopt AdoptOptions
|
Adopt specifies the options for adopting an ACL from an existing ACL in Konnect. |
Appears in:
KongCredentialACLStatus
KongCredentialACLStatus represents the current status of the ACL credential resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndConsumerRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongCredentialAPIKeyAPISpec
KongCredentialAPIKeyAPISpec defines specification of an API Key credential.
| Field | Description |
|---|---|
key string
|
Key is the key for the API Key credential. |
tags Tags
|
Tags is a list of tags for the API Key credential. |
Appears in:
KongCredentialAPIKeySpec
KongCredentialAPIKeySpec defines specification of a Kong API key credential.
| Field | Description |
|---|---|
key string
|
Key is the key for the API Key credential. |
tags Tags
|
Tags is a list of tags for the API Key credential. |
consumerRef LocalObjectReference
|
ConsumerRef is a reference to a Consumer this KongCredentialAPIKey is associated with. |
adopt AdoptOptions
|
Adopt specifies the options for adopting an API key credential from an existing API key in Konnect. |
Appears in:
KongCredentialAPIKeyStatus
KongCredentialAPIKeyStatus represents the current status of the API Key credential resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndConsumerRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongCredentialBasicAuthAPISpec
KongCredentialBasicAuthAPISpec defines specification of a BasicAuth credential.
| Field | Description |
|---|---|
password string
|
Password is the password for the BasicAuth credential. |
tags Tags
|
Tags is a list of tags for the BasicAuth credential. |
username string
|
Username is the username for the BasicAuth credential. |
Appears in:
KongCredentialBasicAuthSpec
KongCredentialBasicAuthSpec defines specification of a Kong BasicAuth credential.
| Field | Description |
|---|---|
password string
|
Password is the password for the BasicAuth credential. |
tags Tags
|
Tags is a list of tags for the BasicAuth credential. |
username string
|
Username is the username for the BasicAuth credential. |
consumerRef LocalObjectReference
|
ConsumerRef is a reference to a Consumer this KongCredentialBasicAuth is associated with. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a BasicAuth credential from an existing BasicAuth credential in Konnect. |
Appears in:
KongCredentialBasicAuthStatus
KongCredentialBasicAuthStatus represents the current status of the BasicAuth credential resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndConsumerRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongCredentialHMACAPISpec
KongCredentialHMACAPISpec defines specification of an HMAC credential.
| Field | Description |
|---|---|
id *string
|
ID is the unique identifier for the HMAC credential. |
secret *string
|
Secret is the secret for the HMAC credential. |
tags Tags
|
Tags is a list of tags for the HMAC credential. |
username *string
|
Username is the username for the HMAC credential. |
Appears in:
KongCredentialHMACSpec
KongCredentialHMACSpec defines specification of a Kong HMAC credential.
| Field | Description |
|---|---|
id *string
|
ID is the unique identifier for the HMAC credential. |
secret *string
|
Secret is the secret for the HMAC credential. |
tags Tags
|
Tags is a list of tags for the HMAC credential. |
username *string
|
Username is the username for the HMAC credential. |
consumerRef LocalObjectReference
|
ConsumerRef is a reference to a Consumer this KongCredentialHMAC is associated with. |
adopt AdoptOptions
|
Adopt specifies the options for adopting an HMAC credential from an existing HMAC credential in Konnect. |
Appears in:
KongCredentialHMACStatus
KongCredentialHMACStatus represents the current status of the HMAC credential resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndConsumerRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongCredentialJWTAPISpec
KongCredentialJWTAPISpec defines specification of a JWT credential.
| Field | Description |
|---|---|
algorithm string
|
Algorithm is the algorithm used to sign the JWT token. |
id *string
|
ID is the unique identifier for the JWT credential. |
key *string
|
Key is the key for the JWT credential. |
rsa_public_key *string
|
RSA PublicKey is the RSA public key for the JWT credential. |
secret *string
|
Secret is the secret for the JWT credential. |
tags Tags
|
Tags is a list of tags for the JWT credential. |
Appears in:
KongCredentialJWTSpec
KongCredentialJWTSpec defines specification of a Kong JWT credential.
| Field | Description |
|---|---|
algorithm string
|
Algorithm is the algorithm used to sign the JWT token. |
id *string
|
ID is the unique identifier for the JWT credential. |
key *string
|
Key is the key for the JWT credential. |
rsa_public_key *string
|
RSA PublicKey is the RSA public key for the JWT credential. |
secret *string
|
Secret is the secret for the JWT credential. |
tags Tags
|
Tags is a list of tags for the JWT credential. |
consumerRef LocalObjectReference
|
ConsumerRef is a reference to a Consumer this KongCredentialJWT is associated with. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a JWT credential from an existing JWT credential in Konnect. |
Appears in:
KongCredentialJWTStatus
KongCredentialJWTStatus represents the current status of the JWT credential resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndConsumerRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongCustomEntitySpec
KongCustomEntitySpec defines the specification of the KongCustomEntity.
| Field | Description |
|---|---|
type string
|
EntityType is the type of the Kong entity. The type is used in generating declarative configuration. |
fields k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON
|
Fields defines the fields of the Kong entity itself. |
controllerName string
|
ControllerName specifies the controller that should reconcile it, like ingress class. |
parentRef ObjectReference
|
ParentRef references the Kubernetes resource it is attached to when its scope is “attached”. Currently only KongPlugin/KongClusterPlugin is allowed. This causes the custom entity to be attached to the entity (service/route/consumer) where the plugin is attached. |
Appears in:
KongCustomEntityStatus
KongCustomEntityStatus defines the status of the KongCustomEntity.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KongCustomEntityStatus. Known condition types are: “Programmed”. |
Appears in:
KongDataPlaneClientCertificateAPISpec
KongDataPlaneClientCertificateAPISpec defines the attributes of a Kong DP certificate.
| Field | Description |
|---|---|
cert string
|
Cert is the certificate in PEM format. Once the certificate gets programmed this field becomes immutable. |
Appears in:
KongDataPlaneClientCertificateSpec
KongDataPlaneClientCertificateSpec defines the spec for a KongDataPlaneClientCertificate.
| Field | Description |
|---|---|
cert string
|
Cert is the certificate in PEM format. Once the certificate gets programmed this field becomes immutable. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a Konnect ControlPlane this KongDataPlaneClientCertificate is associated with. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a key from an existing key in Konnect. |
Appears in:
KongDataPlaneClientCertificateStatus
KongDataPlaneClientCertificateStatus defines the status for a KongDataPlaneClientCertificate.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneRef
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongKeyAPISpec
KongKeyAPISpec defines the attributes of a Kong Key.
| Field | Description |
|---|---|
kid string
|
KID is a unique identifier for a key. When JWK is provided, KID has to match the KID in the JWK. |
name *string
|
Name is an optional name to associate with the given key. |
jwk *string
|
JWK is a JSON Web Key represented as a string. The JWK must contain a KID field that matches the KID in the KongKey. Either JWK or PEM must be set. |
pem PEMKeyPair
|
PEM is a keypair in PEM format. Either JWK or PEM must be set. |
tags Tags
|
Tags is an optional set of strings associated with the Key for grouping and filtering. |
Appears in:
KongKeySetAPISpec
KongKeySetAPISpec defines the attributes of a Kong KeySet.
| Field | Description |
|---|---|
name string
|
Name is the name of the KeySet. |
tags Tags
|
Tags is an optional set of strings associated with the KeySet for grouping and filtering. |
Appears in:
KongKeySetSpec
KongKeySetSpec defines the spec for a KongKeySet.
| Field | Description |
|---|---|
name string
|
Name is the name of the KeySet. |
tags Tags
|
Tags is an optional set of strings associated with the KeySet for grouping and filtering. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a Konnect ControlPlane with which KongKeySet is associated. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a key set from an existing key set in Konnect. |
Appears in:
KongKeySetStatus
KongKeySetStatus defines the status for a KongKeySet.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneRef
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongKeySpec
KongKeySpec defines the spec for a KongKey.
| Field | Description |
|---|---|
kid string
|
KID is a unique identifier for a key. When JWK is provided, KID has to match the KID in the JWK. |
name *string
|
Name is an optional name to associate with the given key. |
jwk *string
|
JWK is a JSON Web Key represented as a string. The JWK must contain a KID field that matches the KID in the KongKey. Either JWK or PEM must be set. |
pem PEMKeyPair
|
PEM is a keypair in PEM format. Either JWK or PEM must be set. |
tags Tags
|
Tags is an optional set of strings associated with the Key for grouping and filtering. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a Konnect ControlPlane this KongKey is associated with. |
keySetRef KeySetRef
|
KeySetRef is a reference to a KongKeySet this KongKey is attached to. ControlPlane referenced by a KongKeySet must be the same as the ControlPlane referenced by the KongKey. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a key from an existing key in Konnect. |
Appears in:
KongKeyStatus
KongKeyStatus defines the status for a KongKey.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndKeySetRef
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongLicenseControllerStatus
KongLicenseControllerStatus is the status of the owning KongLicense as processed by the controller identified by the controllerName field.
| Field | Description |
|---|---|
controllerName string
|
ControllerName is an identifier of the controller to reconcile this KongLicense. Should be unique in the list of controller statuses. |
controllerRef ControllerReference
|
ControllerRef is the reference of the controller to reconcile this KongLicense. It is usually the name of the (KIC/KGO) pod that reconciles it. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KongLicense on the controller. |
Appears in:
KongLicenseStatus
KongLicenseStatus stores the status of the KongLicense being processed in each controller that reconciles it.
| Field | Description |
|---|---|
controllers KongLicenseControllerStatus
|
Appears in:
KongPluginBindingScope
Underlying type: string
KongPluginBindingScope defines the scope of the plugin binding. Allowed values are:
- OnlyTargets
- GlobalInControlPlane
Appears in:
Allowed values:
| Value | Description |
|---|---|
OnlyTargets |
KongPluginBindingScopeOnlyTargets is the scope for the plugin binding to be applied only to the targets. |
GlobalInControlPlane |
KongPluginBindingScopeGlobalInControlPlane is the scope for the plugin binding to be applied to all entities in the control plane (a.k.a. global scope). |
KongPluginBindingSpec
KongPluginBindingSpec defines specification of a KongPluginBinding.
| Field | Description |
|---|---|
pluginRef PluginRef
|
PluginReference is a reference to the KongPlugin or KongClusterPlugin resource. |
targets KongPluginBindingTargets
|
Targets contains the targets references. It is possible to set multiple combinations of references, as described in the plugin precedence documentation (https://docs.konghq.com/gateway/latest/key-concepts/plugins/#precedence). The complete set of allowed combinations and their order of precedence for plugins configured to multiple entities is: 1. Consumer + route + service; 2. Consumer group + service + route; 3. Consumer + route; 4. Consumer + service; 5. Consumer group + route; 6. Consumer group + service; 7. Route + service; 8. Consumer; 9. Consumer group; 10. Route; 11. Service. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a ControlPlane this KongPluginBinding is associated with. |
scope KongPluginBindingScope
|
Scope defines the scope of the plugin binding. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a plugin instance from an existing plugin in Konnect. |
Appears in:
KongPluginBindingStatus
KongPluginBindingStatus represents the current status of the KongPluginBinding resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneRef
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongPluginBindingTargets
KongPluginBindingTargets contains the targets references.
| Field | Description |
|---|---|
routeRef TargetRefWithGroupKind
|
RouteReference can be used to reference one of the following resources: networking.k8s.io/Ingress, gateway.networking.k8s.io/HTTPRoute, gateway.networking.k8s.io/GRPCRoute, configuration.konghq.com/KongRoute. |
serviceRef TargetRefWithGroupKind
|
ServiceReference can be used to reference one of the following resources: core/Service (or /Service), configuration.konghq.com/KongService. |
consumerRef TargetRef
|
ConsumerReference is used to reference a configuration.konghq.com/Consumer resource. The group/kind is fixed, therefore the reference is performed only by name. |
consumerGroupRef TargetRef
|
ConsumerGroupReference is used to reference a configuration.konghq.com/ConsumerGroup resource. The group/kind is fixed, therefore the reference is performed only by name. |
Appears in:
KongReferenceGrantSpec
KongReferenceGrantSpec identifies a cross-namespace relationship that is trusted for Kong APIs.
| Field | Description |
|---|---|
from ReferenceGrantFrom
|
From describes the trusted namespaces and kinds that can reference the resources described in “To”. Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. |
to ReferenceGrantTo
|
To describes the resources that may be referenced by the resources described in “From”. Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. |
Appears in:
KongRouteAPISpec
KongRouteAPISpec represents the configuration of a Route in Kong as defined by the Konnect API. Currently, this only supports the JSON route fields.
| Field | Description |
|---|---|
id *string
|
ID is the unique identifier for the Route. Can be specified when creating a Route, but not updatable. If not specified, Kong will generate one. |
destinations []github.com/Kong/sdk-konnect-go/models/components.Destinations
|
A list of IP destinations of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”. |
headers map[string][]string
|
One or more lists of values indexed by header name that will cause this Route to match if present in the request. The Host header cannot be used with this attribute: hosts should be specified using the hosts attribute. When headers contains only one value and that value starts with the special prefix ~*, the value is interpreted as a regular expression. |
hosts []string
|
A list of domain names that match this Route. Note that the hosts value is case sensitive. |
https_redirect_status_code *github.com/Kong/sdk-konnect-go/models/components.HTTPSRedirectStatusCode
|
The status code Kong responds with when all properties of a Route match except the protocol, i.e. if the protocol of the request is HTTP instead of HTTPS. The Location header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the https protocol. |
methods []string
|
A list of HTTP methods that match this Route. |
name *string
|
The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named “test” and “Test”. |
path_handling *github.com/Kong/sdk-konnect-go/models/components.PathHandling
|
Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. See above for a detailed description of each behavior. |
paths []string
|
A list of paths that match this Route. |
preserve_host *bool
|
When matching a Route via one of the hosts domain names, use the request Host header in the upstream request headers. If set to false, the upstream Host header will be that of the Service’s host. |
protocols []github.com/Kong/sdk-konnect-go/models/components.RouteJSONProtocols
|
An array of the protocols this Route should allow. See KongRoute for a list of accepted protocols. When set to only "https", HTTP requests are answered with an upgrade error. When set to only "http", HTTPS requests are answered with an error. |
regex_priority *int64
|
A number used to choose which route resolves a given request when several routes match it using regexes simultaneously. When two routes match the path and have the same regex_priority, the older one (lowest created_at) is used. Note that the priority for non-regex routes is different (longer non-regex routes are matched before shorter ones). |
request_buffering *bool
|
Whether to enable request body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that receive data with chunked transfer encoding. |
response_buffering *bool
|
Whether to enable response body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that send data with chunked transfer encoding. |
snis []string
|
A list of SNIs that match this Route when using stream routing. |
sources []github.com/Kong/sdk-konnect-go/models/components.Sources
|
A list of IP sources of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”. |
strip_path *bool
|
When matching a Route via one of the paths, strip the matching prefix from the upstream request URL. |
tags Tags
|
An optional set of strings associated with the Route for grouping and filtering. |
Appears in:
KongRouteSpec
KongRouteSpec defines spec of a Kong Route.
| Field | Description |
|---|---|
id *string
|
ID is the unique identifier for the Route. Can be specified when creating a Route, but not updatable. If not specified, Kong will generate one. |
destinations []github.com/Kong/sdk-konnect-go/models/components.Destinations
|
A list of IP destinations of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”. |
headers map[string][]string
|
One or more lists of values indexed by header name that will cause this Route to match if present in the request. The Host header cannot be used with this attribute: hosts should be specified using the hosts attribute. When headers contains only one value and that value starts with the special prefix ~*, the value is interpreted as a regular expression. |
hosts []string
|
A list of domain names that match this Route. Note that the hosts value is case sensitive. |
https_redirect_status_code *github.com/Kong/sdk-konnect-go/models/components.HTTPSRedirectStatusCode
|
The status code Kong responds with when all properties of a Route match except the protocol, i.e. if the protocol of the request is HTTP instead of HTTPS. The Location header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the https protocol. |
methods []string
|
A list of HTTP methods that match this Route. |
name *string
|
The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named “test” and “Test”. |
path_handling *github.com/Kong/sdk-konnect-go/models/components.PathHandling
|
Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. See above for a detailed description of each behavior. |
paths []string
|
A list of paths that match this Route. |
preserve_host *bool
|
When matching a Route via one of the hosts domain names, use the request Host header in the upstream request headers. If set to false, the upstream Host header will be that of the Service’s host. |
protocols []github.com/Kong/sdk-konnect-go/models/components.RouteJSONProtocols
|
An array of the protocols this Route should allow. See KongRoute for a list of accepted protocols. When set to only "https", HTTP requests are answered with an upgrade error. When set to only "http", HTTPS requests are answered with an error. |
regex_priority *int64
|
A number used to choose which route resolves a given request when several routes match it using regexes simultaneously. When two routes match the path and have the same regex_priority, the older one (lowest created_at) is used. Note that the priority for non-regex routes is different (longer non-regex routes are matched before shorter ones). |
request_buffering *bool
|
Whether to enable request body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that receive data with chunked transfer encoding. |
response_buffering *bool
|
Whether to enable response body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that send data with chunked transfer encoding. |
snis []string
|
A list of SNIs that match this Route when using stream routing. |
sources []github.com/Kong/sdk-konnect-go/models/components.Sources
|
A list of IP sources of incoming connections that match this Route when using stream routing. Each entry is an object with fields “ip” (optionally in CIDR range notation) and/or “port”. |
strip_path *bool
|
When matching a Route via one of the paths, strip the matching prefix from the upstream request URL. |
tags Tags
|
An optional set of strings associated with the Route for grouping and filtering. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a ControlPlane this KongRoute is associated with. A Route can either specify a ControlPlaneRef and be a ‘serviceless’ route, or specify a ServiceRef and be associated with a Service. |
serviceRef ServiceRef
|
ServiceRef is a reference to a Service this KongRoute is associated with. A Route can either specify a ControlPlaneRef and be a ‘serviceless’ route, or specify a ServiceRef and be associated with a Service. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a route from an existing route in Konnect. |
Appears in:
KongRouteStatus
KongRouteStatus represents the current status of the Kong Route resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndServiceRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongSNIAPISpec
KongSNIAPISpec defines the spec of an SNI.
| Field | Description |
|---|---|
name string
|
Name is the name of the SNI. Required and must be a host or wildcard host. |
tags Tags
|
Tags is an optional set of strings associated with the SNI for grouping and filtering. |
Appears in:
KongSNISpec
KongSNISpec defines specification of a Kong SNI.
| Field | Description |
|---|---|
name string
|
Name is the name of the SNI. Required and must be a host or wildcard host. |
tags Tags
|
Tags is an optional set of strings associated with the SNI for grouping and filtering. |
certificateRef NamespacedRef
|
CertificateRef is the reference to the certificate to which the KongSNI is attached. |
adopt AdoptOptions
|
Adopt specifies the options for adopting an SNI from an existing SNI in Konnect. |
Appears in:
KongSNIStatus
KongSNIStatus defines the status for a KongSNI.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndCertificateRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongServiceAPISpec
KongServiceAPISpec defines the specification of a Kong Service.
| Field | Description |
|---|---|
clientCertificateRef NamespacedRef
|
ClientCertificateRef is a reference to a KongCertificate used as the client certificate when proxying to the upstream over TLS. The referenced KongCertificate MUST belong to the same Konnect ControlPlane as this KongService. Cross-namespace references require a KongReferenceGrant in the target namespace. |
caCertificateRefs NamespacedRef
|
CACertificateRefs is the list of references to KongCACertificates used to verify the upstream server’s TLS certificate. Each referenced KongCACertificate MUST belong to the same Konnect ControlPlane as this KongService. Cross-namespace references require a KongReferenceGrant in the target namespace. |
id *string
|
ID is the unique identifier for the Service. Can be specified when creating a Service, but not updatable. If not specified, Kong will generate one. |
url *string
|
Helper field to set protocol, host, port and path using a URL. This field is write-only and is not returned in responses. |
connect_timeout *int64
|
The timeout in milliseconds for establishing a connection to the upstream server. |
enabled *bool
|
Whether the Service is active. If set to false, the proxy behavior will be as if any routes attached to it do not exist (404). Default: true. |
host string
|
The host of the upstream server. Note that the host value is case sensitive. |
name *string
|
The Service name. |
path *string
|
The path to be used in requests to the upstream server. |
port int64
|
The upstream server port. |
protocol github.com/Kong/sdk-konnect-go/models/components.Protocol
|
The protocol used to communicate with the upstream. |
read_timeout *int64
|
The timeout in milliseconds between two successive read operations for transmitting a request to the upstream server. |
retries *int64
|
The number of retries to execute upon failure to proxy. |
tags Tags
|
An optional set of strings associated with the Service for grouping and filtering. |
tls_verify *bool
|
Whether to enable verification of upstream server TLS certificate. If set to null, then the Nginx default is respected. |
tls_verify_depth *int64
|
Maximum depth of chain while verifying Upstream server’s TLS certificate. If set to null, then the Nginx default is respected. |
write_timeout *int64
|
The timeout in milliseconds between two successive write operations for transmitting a request to the upstream server. |
Appears in:
KongServiceSpec
KongServiceSpec defines specification of a Kong Service.
| Field | Description |
|---|---|
clientCertificateRef NamespacedRef
|
ClientCertificateRef is a reference to a KongCertificate used as the client certificate when proxying to the upstream over TLS. The referenced KongCertificate MUST belong to the same Konnect ControlPlane as this KongService. Cross-namespace references require a KongReferenceGrant in the target namespace. |
caCertificateRefs NamespacedRef
|
CACertificateRefs is the list of references to KongCACertificates used to verify the upstream server’s TLS certificate. Each referenced KongCACertificate MUST belong to the same Konnect ControlPlane as this KongService. Cross-namespace references require a KongReferenceGrant in the target namespace. |
id *string
|
ID is the unique identifier for the Service. Can be specified when creating a Service, but not updatable. If not specified, Kong will generate one. |
url *string
|
Helper field to set protocol, host, port and path using a URL. This field is write-only and is not returned in responses. |
connect_timeout *int64
|
The timeout in milliseconds for establishing a connection to the upstream server. |
enabled *bool
|
Whether the Service is active. If set to false, the proxy behavior will be as if any routes attached to it do not exist (404). Default: true. |
host string
|
The host of the upstream server. Note that the host value is case sensitive. |
name *string
|
The Service name. |
path *string
|
The path to be used in requests to the upstream server. |
port int64
|
The upstream server port. |
protocol github.com/Kong/sdk-konnect-go/models/components.Protocol
|
The protocol used to communicate with the upstream. |
read_timeout *int64
|
The timeout in milliseconds between two successive read operations for transmitting a request to the upstream server. |
retries *int64
|
The number of retries to execute upon failure to proxy. |
tags Tags
|
An optional set of strings associated with the Service for grouping and filtering. |
tls_verify *bool
|
Whether to enable verification of upstream server TLS certificate. If set to null, then the Nginx default is respected. |
tls_verify_depth *int64
|
Maximum depth of chain while verifying Upstream server’s TLS certificate. If set to null, then the Nginx default is respected. |
write_timeout *int64
|
The timeout in milliseconds between two successive write operations for transmitting a request to the upstream server. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a ControlPlane this KongService is associated with. |
adopt AdoptOptions
|
Adopt specifies the options for adopting a service from an existing service in Konnect. |
Appears in:
KongServiceStatus
KongServiceStatus represents the current status of the Kong Service resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndCertificateAndCACertificatesRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongTargetAPISpec
KongTargetAPISpec are the attributes of the Kong Target itself.
| Field | Description |
|---|---|
target string
|
Target is the target address of the upstream. |
weight int
|
Weight is the weight this target gets within the upstream loadbalancer. |
tags Tags
|
Tags is an optional set of strings associated with the Target for grouping and filtering. |
Appears in:
KongTargetSpec
KongTargetSpec defines the spec of KongTarget.
| Field | Description |
|---|---|
target string
|
Target is the target address of the upstream. |
weight int
|
Weight is the weight this target gets within the upstream loadbalancer. |
tags Tags
|
Tags is an optional set of strings associated with the Target for grouping and filtering. |
upstreamRef NamespacedRef
|
UpstreamRef is a reference to a KongUpstream this KongTarget is attached to. |
adopt AdoptOptions
|
Adopt is the options for adopting a target from an existing target in Konnect. |
Appears in:
KongTargetStatus
KongTargetStatus defines the observed state of KongTarget.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndUpstreamRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongUpstreamAPISpec
KongUpstreamAPISpec defines specification of a Kong Upstream.
| Field | Description |
|---|---|
algorithm *github.com/Kong/sdk-konnect-go/models/components.UpstreamAlgorithm
|
Which load balancing algorithm to use. |
client_certificate *github.com/Kong/sdk-konnect-go/models/components.UpstreamClientCertificate
|
Deprecated: use clientCertificateRef instead. If set, the certificate to be used as client certificate while TLS handshaking to the upstream server. |
clientCertificateRef NamespacedRef
|
ClientCertificateRef is a reference to a KongCertificate used as the client certificate during TLS handshaking to the upstream server. Mutually exclusive with the deprecated client_certificate field. Cross-namespace references require a KongReferenceGrant in the target namespace. |
hash_fallback *github.com/Kong/sdk-konnect-go/models/components.HashFallback
|
What to use as hashing input if the primary hash_on does not return a hash (e.g. header is missing, or no Consumer identified). Not available if hash_on is set to cookie. |
hash_fallback_header *string
|
The header name to take the value from as hash input. Only required when hash_fallback is set to header. |
hash_fallback_query_arg *string
|
The name of the query string argument to take the value from as hash input. Only required when hash_fallback is set to query_arg. |
hash_fallback_uri_capture *string
|
The name of the route URI capture to take the value from as hash input. Only required when hash_fallback is set to uri_capture. |
hash_on *github.com/Kong/sdk-konnect-go/models/components.HashOn
|
What to use as hashing input. Using none results in a weighted-round-robin scheme with no hashing. |
hash_on_cookie *string
|
The cookie name to take the value from as hash input. Only required when hash_on or hash_fallback is set to cookie. If the specified cookie is not in the request, Kong will generate a value and set the cookie in the response. |
hash_on_cookie_path *string
|
The cookie path to set in the response headers. Only required when hash_on or hash_fallback is set to cookie. |
hash_on_header *string
|
The header name to take the value from as hash input. Only required when hash_on is set to header. |
hash_on_query_arg *string
|
The name of the query string argument to take the value from as hash input. Only required when hash_on is set to query_arg. |
hash_on_uri_capture *string
|
The name of the route URI capture to take the value from as hash input. Only required when hash_on is set to uri_capture. |
healthchecks *github.com/Kong/sdk-konnect-go/models/components.Healthchecks
|
Healthchecks is the configuration of upstream’s healthchecks. |
host_header *string
|
The hostname to be used as Host header when proxying requests through Kong. |
name string
|
This is a hostname, which must be equal to the host of a Service. |
slots *int64
|
The number of slots in the load balancer algorithm. If algorithm is set to round-robin, this setting determines the maximum number of slots. If algorithm is set to consistent-hashing, this setting determines the actual number of slots in the algorithm. Accepts an integer in the range 10-65536. |
sticky_sessions_cookie *string
|
The cookie name to keep sticky sessions. Required when algorithm is set to sticky-sessions. |
sticky_sessions_cookie_path *string
|
The cookie path to set in the response headers for sticky sessions. |
tags Tags
|
An optional set of strings associated with the Upstream for grouping and filtering. |
use_srv_name *bool
|
If set, the balancer will use the SRV hostname (if the DNS answer has an SRV record) as the proxy upstream Host. |
Appears in:
KongUpstreamSpec
KongUpstreamSpec defines the spec of Kong Upstream.
| Field | Description |
|---|---|
algorithm *github.com/Kong/sdk-konnect-go/models/components.UpstreamAlgorithm
|
Which load balancing algorithm to use. |
client_certificate *github.com/Kong/sdk-konnect-go/models/components.UpstreamClientCertificate
|
Deprecated: use clientCertificateRef instead. If set, the certificate to be used as client certificate while TLS handshaking to the upstream server. |
clientCertificateRef NamespacedRef
|
ClientCertificateRef is a reference to a KongCertificate used as the client certificate during TLS handshaking to the upstream server. Mutually exclusive with the deprecated client_certificate field. Cross-namespace references require a KongReferenceGrant in the target namespace. |
hash_fallback *github.com/Kong/sdk-konnect-go/models/components.HashFallback
|
What to use as hashing input if the primary hash_on does not return a hash (e.g. header is missing, or no Consumer identified). Not available if hash_on is set to cookie. |
hash_fallback_header *string
|
The header name to take the value from as hash input. Only required when hash_fallback is set to header. |
hash_fallback_query_arg *string
|
The name of the query string argument to take the value from as hash input. Only required when hash_fallback is set to query_arg. |
hash_fallback_uri_capture *string
|
The name of the route URI capture to take the value from as hash input. Only required when hash_fallback is set to uri_capture. |
hash_on *github.com/Kong/sdk-konnect-go/models/components.HashOn
|
What to use as hashing input. Using none results in a weighted-round-robin scheme with no hashing. |
hash_on_cookie *string
|
The cookie name to take the value from as hash input. Only required when hash_on or hash_fallback is set to cookie. If the specified cookie is not in the request, Kong will generate a value and set the cookie in the response. |
hash_on_cookie_path *string
|
The cookie path to set in the response headers. Only required when hash_on or hash_fallback is set to cookie. |
hash_on_header *string
|
The header name to take the value from as hash input. Only required when hash_on is set to header. |
hash_on_query_arg *string
|
The name of the query string argument to take the value from as hash input. Only required when hash_on is set to query_arg. |
hash_on_uri_capture *string
|
The name of the route URI capture to take the value from as hash input. Only required when hash_on is set to uri_capture. |
healthchecks *github.com/Kong/sdk-konnect-go/models/components.Healthchecks
|
Healthchecks is the configuration of upstream’s healthchecks. |
host_header *string
|
The hostname to be used as Host header when proxying requests through Kong. |
name string
|
This is a hostname, which must be equal to the host of a Service. |
slots *int64
|
The number of slots in the load balancer algorithm. If algorithm is set to round-robin, this setting determines the maximum number of slots. If algorithm is set to consistent-hashing, this setting determines the actual number of slots in the algorithm. Accepts an integer in the range 10-65536. |
sticky_sessions_cookie *string
|
The cookie name to keep sticky sessions. Required when algorithm is set to sticky-sessions. |
sticky_sessions_cookie_path *string
|
The cookie path to set in the response headers for sticky sessions. |
tags Tags
|
An optional set of strings associated with the Upstream for grouping and filtering. |
use_srv_name *bool
|
If set, the balancer will use the SRV hostname (if the DNS answer has an SRV record) as the proxy upstream Host. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a ControlPlane this KongUpstream is associated with. |
adopt AdoptOptions
|
Adopt is the options for adopting an upstream from an existing upstream in Konnect. |
Appears in:
KongUpstreamStatus
KongUpstreamStatus represents the current status of the Kong Upstream resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneAndCertificateRefs
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect entity. |
Appears in:
KongVaultSpec
KongVaultSpec defines specification of a custom Kong vault.
| Field | Description |
|---|---|
backend string
|
Backend is the type of the backend storing the secrets in the vault. The backends supported by Kong are listed here: https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/ |
prefix string
|
Prefix is the prefix of the vault URI for referencing values in the vault. It is immutable after creation. |
description string
|
Description is the additional information about the vault. |
config k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON
|
Config is the configuration of the vault. Varies for different backends. |
tags Tags
|
Tags are the tags associated to the vault for grouping and filtering. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a Konnect ControlPlane this KongVault is associated with. |
adopt AdoptOptions
|
Adopt is the options for adopting a vault from an existing vault in Konnect. |
Appears in:
KongVaultStatus
KongVaultStatus represents the current status of the KongVault resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneRef
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KongVaultStatus. Known condition types are: * “Programmed” |
Appears in:
KonnectEntityRef
KonnectEntityRef is a reference to a Konnect entity.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. |
Appears in:
- EventGatewayBackendClusterStatus
- EventGatewayDataPlaneCertificateStatus
- EventGatewayListenerPolicyStatus
- EventGatewayListenerStatus
- EventGatewayVirtualClusterConsumePolicyStatus
- EventGatewayVirtualClusterPolicyStatus
- EventGatewayVirtualClusterProducePolicyStatus
- EventGatewayVirtualClusterStatus
Labels
Underlying type: map[string]LabelsValue
Labels store metadata of an entity that can be used for filtering an entity
list or for searching across entity types.
Keys must be of length 1-63 characters, and cannot start with “kong”,
“konnect”, “mesh”, “kic”, or “_”.
Appears in:
- EventGatewayACLsPolicy
- EventGatewayBackendClusterAPISpec
- EventGatewayConsumeSchemaValidationPolicy
- EventGatewayDecryptPolicy
- EventGatewayEncryptPolicy
- EventGatewayListenerAPISpec
- EventGatewayModifyHeadersPolicyCreate
- EventGatewayParsedRecordDecryptFieldsPolicyCreate
- EventGatewayParsedRecordEncryptFieldsPolicyCreate
- EventGatewayProduceSchemaValidationPolicy
- EventGatewaySkipRecordPolicyCreate
- EventGatewayTLSListenerPolicy
- EventGatewayVirtualClusterAPISpec
- ForwardToVirtualClusterPolicy
LabelsValue
Underlying type: string
LabelsValue is the value type for Labels.
Appears in:
Namespace
Underlying type: string
Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.
Appears in:
ObjectName
Underlying type: string
ObjectName refers to the name of a Kubernetes object. Object names can have a variety of forms, including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
Appears in:
ObjectReference
ObjectReference defines reference of a kubernetes object.
| Field | Description |
|---|---|
group *string
|
Group defines the API group of the referred object. |
kind *string
|
Kind defines the kind of the referred object. |
namespace *string
|
Empty namespace means the same namespace of the owning object. |
name string
|
Name defines the name of the referred object. |
Appears in:
PEMKeyPair
PEMKeyPair defines a keypair in PEM format.
| Field | Description |
|---|---|
private_key string
|
The private key in PEM format. |
public_key string
|
The public key in PEM format. |
Appears in:
PluginRef
PluginRef is a reference to a KongPlugin or KongClusterPlugin resource.
| Field | Description |
|---|---|
name string
|
Name is the name of the KongPlugin or KongClusterPlugin resource. |
namespace string
|
Namespace is the namespace of the referenced KongPlugin resource. Can only be set when Kind is KongPlugin. |
kind *string
|
Kind can be KongPlugin or KongClusterPlugin. If not set, it is assumed to be KongPlugin. |
Appears in:
ProduceFailureMode
Underlying type: string
ProduceFailureMode Describes how to handle a failure in a policy applied to produced records.
- reject - rejects the record batch.
- passthrough - passes the record silently to the backend cluster even though policy execution failed.
- mark - passes the record to the backend cluster but marks it with a kong/policy-failure-<id> header whose value is the reason for the policy failure (truncated to 512 characters).
Appears in:
ProduceKeyValidationAction
Underlying type: string
ProduceKeyValidationAction Defines a behavior when record key is not valid.
- reject - rejects a batch for topic partition. Only available for produce.
- mark - marks a record with kong/server header and client ID value to help identify the clients violating the schema.
Appears in:
- EventGatewayProduceSchemaValidationPolicyJSONConfig
- EventGatewayProduceSchemaValidationPolicySchemaRegistryConfig
ProduceValueValidationAction
Underlying type: string
ProduceValueValidationAction Defines a behavior when record value is not valid.
- reject - rejects a batch for topic partition. Only available for produce.
- mark - marks a record with kong/server header and client ID value to help identify the clients violating the schema.
Appears in:
- EventGatewayProduceSchemaValidationPolicyJSONConfig
- EventGatewayProduceSchemaValidationPolicySchemaRegistryConfig
ReferenceGrantFrom
ReferenceGrantFrom describes trusted namespaces and kinds.
| Field | Description |
|---|---|
group Group
|
Group is the group of the referent. |
kind Kind
|
Kind is the kind of the referent. |
namespace Namespace
|
Namespace is the namespace of the referent. |
Appears in:
ReferenceGrantTo
ReferenceGrantTo describes what Kinds are allowed as targets of the references.
| Field | Description |
|---|---|
group Group
|
Group is the group of the referent. |
kind Kind
|
Kind is the kind of the referent. |
name ObjectName
|
Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. |
Appears in:
SchemaRegistryReferenceByID
SchemaRegistryReferenceByID is a type alias.
Appears in:
- EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistry
- EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistry
- EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistry
SchemaRegistryReferenceByName
SchemaRegistryReferenceByName Reference a schema registry by its unique name.
| Field | Description |
|---|---|
name string
|
The unique name of the schema registry. |
Appears in:
- EventGatewayConsumeSchemaValidationPolicyConfigSchemaRegistry
- EventGatewayProduceSchemaValidationPolicyJSONConfigSchemaRegistry
- EventGatewayProduceSchemaValidationPolicySchemaRegistryConfigSchemaRegistry
SchemaValidationType
Underlying type: string
SchemaValidationType How to validate the schema and parse the record.
- confluent_schema_registry - validates against confluent schema registry.
- json - simple JSON parsing without the schema.
Appears in:
SensitiveDataSource
SensitiveDataSource holds a sensitive string value that can be provided either inline or sourced from a Kubernetes Secret.
| Field | Description |
|---|---|
type SensitiveDataSourceType
|
Type indicates the source of the sensitive data: ‘inline’ or ‘secretRef’. |
value *string
|
Value contains the sensitive data provided inline. Required when type is ‘inline’. |
secretRef NamespacedRef
|
SecretRef is a reference to a Kubernetes Secret containing the sensitive data. Required when type is ‘secretRef’. |
Appears in:
SensitiveDataSourceType
Underlying type: string
SensitiveDataSourceType is the type of source for the sensitive data.
Appears in:
Allowed values:
| Value | Description |
|---|---|
inline |
SensitiveDataSourceTypeInline indicates that the data is provided inline in the APISpec. |
secretRef |
SensitiveDataSourceTypeSecretRef indicates that the data is sourced from a Kubernetes Secret. |
ServiceRef
ServiceRef is a reference to a KongService.
| Field | Description |
|---|---|
type string
|
Type can be one of: - namespacedRef |
namespacedRef NamespacedRef
|
NamespacedRef is a reference to a KongService. If namespace is not specified, the KongService in the same namespace as the referencing entity is used. Namespace can be specified to reference a KongService in a different namespace, but this requires a KongReferenceGrant in the target namespace allowing the reference. |
Appears in:
TLSCertificate
TLSCertificate A TLS certificate and its associated private key.
| Field | Description |
|---|---|
certificate SensitiveDataSource
|
A literal value or a reference to an existing secret as a template string expression. The value is stored and returned by the API as-is, not treated as sensitive information. |
key SensitiveDataSource
|
A sensitive value containing the secret or a reference to a secret as a template string expression. If the value is provided as plain text, it is encrypted at rest and omitted from API responses. If provided as an expression, the expression itself is stored and returned by the API. |
Appears in:
TLSTrustBundleName
Underlying type: string
TLSTrustBundleName The unique name of the TLS trust bundle.
Appears in:
TLSTrustBundleReference
TLSTrustBundleReference is a type alias.
| Field | Description |
|---|---|
id *string
|
|
name TLSTrustBundleName
|
Appears in:
TLSVersionRange
TLSVersionRange A range of TLS versions.
| Field | Description |
|---|---|
max string
|
Maximum TLS version to use. |
min string
|
Minimum TLS version to use. |
Appears in:
TargetRef
TargetRef is a reference based on the object’s name.
| Field | Description |
|---|---|
name string
|
Name is the name of the entity. |
Appears in:
TargetRefWithGroupKind
TargetRefWithGroupKind is a reference based on the object’s group, kind, and name.
| Field | Description |
|---|---|
name string
|
Name is the name of the entity. |
kind string
|
|
group string
|
Appears in:
VirtualClusterACLMode
Underlying type: string
VirtualClusterACLMode Configures whether or not ACL policies are enforced on the gateway.
- enforce_on_gateway means the gateway enforces its own ACL policies for this virtual cluster and does not forward ACL-related commands to the backend cluster. Note that if there are no ACL policies configured, all access is denied.
- passthrough tells the gateway to forward all ACL-related commands.
Appears in:
VirtualClusterAuthenticationAnonymous
VirtualClusterAuthenticationAnonymous is a type alias.
Appears in:
VirtualClusterAuthenticationAudience
VirtualClusterAuthenticationAudience is a type alias.
| Field | Description |
|---|---|
name string
|
Appears in:
VirtualClusterAuthenticationClaimsMapping
VirtualClusterAuthenticationClaimsMapping Maps JWT claims in the case when sub and scope are presented as different claims in your JWT token.
| Field | Description |
|---|---|
scope string
|
Maps the scope claim. |
sub string
|
Maps the subject claim. |
Appears in:
VirtualClusterAuthenticationClientCertificate
VirtualClusterAuthenticationClientCertificate Client certificate (mTLS)
authentication scheme for the virtual cluster.
Requires a minimum runtime version of 1.1.
Appears in:
VirtualClusterAuthenticationJWKS
VirtualClusterAuthenticationJWKS JSON Web Key Set configuration for verifying token signatures.
| Field | Description |
|---|---|
cacheExpiration string
|
Duration after which the gateway will fetch and cache JWKS. |
endpoint string
|
URL for JWKS endpoint. |
timeout string
|
Total time from establishing a connection to receiving a response from the JWKS endpoint. |
Appears in:
VirtualClusterAuthenticationOauthBearer
VirtualClusterAuthenticationOauthBearer Oauth Bearer authentication scheme for the virtual cluster.
| Field | Description |
|---|---|
claimsMapping VirtualClusterAuthenticationClaimsMapping
|
Maps JWT claims in the case when sub and scope are presented as different claims in your JWT token. |
jwks VirtualClusterAuthenticationJWKS
|
JSON Web Key Set configuration for verifying token signatures. |
mediation string
|
Methods to mediate authentication: * passthrough - pass authentication from the client through proxy to the backend cluster without any kind of validation * validate_forward - pass authentication from the client through proxy to the backend cluster. Proxy does the validation before forwarding it to the client. * terminate - terminate authentication at the proxy level and originate authentication to the backend cluster using the configuration defined at BackendCluster’s authentication. SASL auth is not originated if authentication on the backend_cluster is not configured. |
validate VirtualClusterAuthenticationValidate
|
Validation rules. |
Appears in:
VirtualClusterAuthenticationPrincipal
VirtualClusterAuthenticationPrincipal A principal for authentication containing username and password.
| Field | Description |
|---|---|
password GatewaySecret
|
A sensitive value containing the secret or a reference to a secret as a template string expression. If the value is provided as plain text, it is encrypted at rest and omitted from API responses. If provided as an expression, the expression itself is stored and returned by the API. |
username GatewaySecretReferenceOrLiteral
|
A literal value or a reference to an existing secret as a template string expression. The value is stored and returned by the API as-is, not treated as sensitive information. |
Appears in:
VirtualClusterAuthenticationSaslPlain
VirtualClusterAuthenticationSaslPlain SASL/PLAIN authentication scheme for the virtual cluster containing principals with username and password.
| Field | Description |
|---|---|
mediation string
|
The mediation type for SASL/PLAIN authentication. |
principals VirtualClusterAuthenticationPrincipal
|
List of principals to be able to authenticate with, used with terminate mediation. |
Appears in:
VirtualClusterAuthenticationSaslScram
VirtualClusterAuthenticationSaslScram SASL/SCRAM authentication scheme for the virtual cluster.
| Field | Description |
|---|---|
algorithm string
|
The algorithm used for SASL/SCRAM authentication. |
Appears in:
VirtualClusterAuthenticationScheme
VirtualClusterAuthenticationScheme represents a union type for VirtualClusterAuthenticationScheme. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
type VirtualClusterAuthenticationSchemeType
|
Type designates the type of configuration. |
anonymous VirtualClusterAuthenticationAnonymous
|
Anonymous configuration. |
clientCertificate VirtualClusterAuthenticationClientCertificate
|
ClientCertificate configuration. |
oauthBearer VirtualClusterAuthenticationOauthBearer
|
OauthBearer configuration. |
saslPlain VirtualClusterAuthenticationSaslPlain
|
SaslPlain configuration. |
saslScram VirtualClusterAuthenticationSaslScram
|
SaslScram configuration. |
Appears in:
VirtualClusterAuthenticationSchemeType
Underlying type: string
VirtualClusterAuthenticationSchemeType represents the type of VirtualClusterAuthenticationScheme.
Appears in:
Allowed values:
| Value | Description |
|---|---|
anonymous |
|
clientCertificate |
|
oauthBearer |
|
saslPlain |
|
saslScram |
VirtualClusterAuthenticationValidate
VirtualClusterAuthenticationValidate Validation rules.
| Field | Description |
|---|---|
audiences VirtualClusterAuthenticationAudience
|
List of expected audience values. One of them has to match the audience claim in the token. |
issuer string
|
Expected token issuer in the token. |
Appears in:
VirtualClusterDNSLabel
Underlying type: string
VirtualClusterDNSLabel The DNS label used in the bootstrap server URL to identify the virtual cluster when using SNI routing. The format follows RFC 1035: 1-63 chars, lowercase alphanumeric or ‘-’, must start and end with an alphanumeric character.
Appears in:
VirtualClusterName
Underlying type: string
VirtualClusterName The name of the virtual cluster.
Appears in:
VirtualClusterNamespace
VirtualClusterNamespace Namespace allows implementing multitenancy using a single backend cluster. It either hides or enforces a static prefix on resources (topics, consumer group IDs, transaction IDs).
| Field | Description |
|---|---|
additional VirtualClusterNamespaceAdditionalProperties
|
|
mode string
|
* hide_prefix - the configured prefix is hidden from clients for topics and IDs when reading. Created resources are written with the prefix on the backend cluster. * enforce_prefix - the configured prefix remains visible to clients. Created resources must include the prefix or the request will fail. |
prefix string
|
The namespace is differentiated by this chosen prefix. For example, if the prefix is set to “analytics_” the topic named “analytics_user_clicks” is available to the clients of the virtual cluster. Topics without the prefix will be ignored unless added via additional.topics. |
Appears in:
VirtualClusterNamespaceAdditionalProperties
VirtualClusterNamespaceAdditionalProperties is a type alias.
| Field | Description |
|---|---|
consumerGroups VirtualClusterNamespaceIDSelector
|
Consumer group IDs to expose even if they don’t start with the namespace prefix. |
topics VirtualClusterNamespaceTopicSelector
|
Additional backend topics to expose even if they don’t match the namespace prefix. The topics are not affected by the hide/enforce prefix mode. If the client tries to create a topic that matches this list, the request is rejected. |
Appears in:
VirtualClusterNamespaceIDSelector
VirtualClusterNamespaceIDSelector represents a union type for VirtualClusterNamespaceIDSelector. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
type VirtualClusterNamespaceIDSelectorType
|
Type designates the type of configuration. |
glob VirtualClusterNamespaceIDSelectorGlob
|
Glob configuration. |
Appears in:
VirtualClusterNamespaceIDSelectorGlob
VirtualClusterNamespaceIDSelectorGlob is a type alias.
| Field | Description |
|---|---|
glob string
|
Expose any id that matches this glob pattern (e.g., my_id_*). |
Appears in:
VirtualClusterNamespaceIDSelectorType
Underlying type: string
VirtualClusterNamespaceIDSelectorType represents the type of VirtualClusterNamespaceIDSelector.
Appears in:
Allowed values:
| Value | Description |
|---|---|
exactList |
|
glob |
VirtualClusterNamespaceTopicSelector
VirtualClusterNamespaceTopicSelector represents a union type for VirtualClusterNamespaceTopicSelector. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
type VirtualClusterNamespaceTopicSelectorType
|
Type designates the type of configuration. |
glob VirtualClusterNamespaceTopicSelectorGlob
|
Glob configuration. |
Appears in:
VirtualClusterNamespaceTopicSelectorGlob
VirtualClusterNamespaceTopicSelectorGlob is a type alias.
| Field | Description |
|---|---|
conflict string
|
How to inform the user about conflicts where multiple backend topics would map to the same virtual topic name. * warn - log in the Event Gateway logs. Additionally, it sets knep_namespace_topic_conflict to 1. * ignore - do not do anything. It does not cause knep_namespace_topic_conflict metric to be set to 1. |
glob string
|
Expose any backend topic that matches this glob pattern (e.g., operations_data_*). |
Appears in:
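The namespace rules described for VirtualClusterNamespace and its additional topic selector, modelled as an added Python example (not Kong's code and not part of the original reference); it shows how a hide_prefix namespace plus an additional glob can make two backend topics map to one client-visible name, which is the case the conflict setting reports. Assumptions: fnmatch-style glob matching, a topic matching additional.topics is exposed under its backend name even if it also carries the prefix, and all function names and topic names other than the page's own are hypothetical and constructed.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample data; "analytics_" and "analytics_user_clicks" come from
# the field description, the rest is made up for the example.
BACKEND_TOPICS = [
    "analytics_user_clicks",
    "analytics_orders",
    "orders",
    "billing_invoices",
    "operations_data_eu",
]
PREFIX = "analytics_"
ADDITIONAL_GLOBS = ["operations_data_*", "orders"]
MODES = ("hide_prefix", "enforce_prefix")


class CreateRejected(Exception):
    """Raised when the modelled gateway would refuse a topic creation."""


def _matches_additional(topic, additional_globs):
    # Assumption: globs behave like shell globs (fnmatch); the gateway's
    # actual glob dialect is not specified on this page.
    return any(fnmatchcase(topic, glob) for glob in additional_globs)


def visible_topics(backend_topics, prefix, mode, additional_globs=()):
    """Return {client-visible name: [backend topics behind that name]}."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    view = defaultdict(list)
    for topic in backend_topics:
        if _matches_additional(topic, additional_globs):
            # additional.topics are not affected by the hide/enforce mode.
            view[topic].append(topic)
        elif topic.startswith(prefix):
            # hide_prefix strips the prefix for clients; enforce_prefix keeps it.
            name = topic[len(prefix):] if mode == "hide_prefix" else topic
            view[name].append(topic)
        # Topics without the prefix and outside additional.topics are ignored.
    return dict(view)


def conflicts(view):
    """Visible names that more than one backend topic maps to."""
    return {name: sorted(srcs) for name, srcs in view.items() if len(srcs) > 1}


def backend_name_for_create(name, prefix, mode, additional_globs=()):
    """Backend topic name a client create request for `name` would produce."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    if _matches_additional(name, additional_globs):
        # Creating a topic that matches additional.topics is rejected.
        raise CreateRejected(f"{name!r} matches additional.topics")
    if mode == "hide_prefix":
        # Created resources are written with the prefix on the backend.
        return prefix + name
    if not name.startswith(prefix):
        # enforce_prefix: the client must include the prefix itself.
        raise CreateRejected(f"{name!r} lacks required prefix {prefix!r}")
    return name


if __name__ == "__main__":
    for mode in MODES:
        view = visible_topics(BACKEND_TOPICS, PREFIX, mode, ADDITIONAL_GLOBS)
        print(mode, sorted(view), "conflicts:", conflicts(view))
```

Running the same check over a real topic list before widening additional.topics shows which names would collide, so the conflict setting can be left at warn where tenant separation matters.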
VirtualClusterNamespaceTopicSelectorType
Underlying type: string
VirtualClusterNamespaceTopicSelectorType represents the type of VirtualClusterNamespaceTopicSelector.
Appears in:
Allowed values:
| Value | Description |
|---|---|
exactList |
|
glob |
VirtualClusterReference
VirtualClusterReference is a type alias.
| Field | Description |
|---|---|
id *string
|
|
name VirtualClusterName
|
Appears in:
VirtualClusterTopicAlias
VirtualClusterTopicAlias Pre-release Feature
This feature is currently in beta and is subject to change.
A topic alias maps an alias name to a namespace-visible topic name.
Clients can produce to, consume from, and discover the topic under the alias
name.
The original topic name remains accessible.
Requires a minimum runtime version of 1.2.
| Field | Description |
|---|---|
alias string
|
The client-visible topic name. |
conflict VirtualClusterTopicAliasConflict
|
How to handle conflicts where an alias shadows a physical topic. * warn - activate the alias but log a warning and set the conflict metric to 1. * ignore - activate the alias silently. |
match string
|
CEL expression evaluated against the connection’s auth context. If omitted or empty, the alias is active for all connections. |
topic string
|
The namespace-visible topic name this alias resolves to. |
Appears in:
VirtualClusterTopicAliasConflict
Underlying type: string
VirtualClusterTopicAliasConflict How to handle conflicts where an alias shadows a physical topic.
- warn - activate the alias but log a warning and set the conflict metric to 1.
- ignore - activate the alias silently.
Appears in:
configuration.konghq.com/v1beta1
Package v1beta1 contains API Schema definitions for the configuration.konghq.com v1beta1 API group.
KongConsumerGroup
KongConsumerGroup is the Schema for the kongconsumergroups API.
KongConsumerGroup resources create Consumer Group resources.
| Field | Description |
|---|---|
apiVersion string
|
configuration.konghq.com/v1beta1 |
kind string
|
KongConsumerGroup |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KongConsumerGroupSpec
|
|
status KongConsumerGroupStatus
|
Status represents the current status of the KongConsumerGroup resource. |
KongUpstreamPolicy
KongUpstreamPolicy allows configuring algorithm that should be used for load balancing traffic between Kong
Upstream’s Targets. It also allows configuring health checks for Kong Upstream’s Targets.
Its configuration is similar to Kong Upstream object (https://docs.konghq.com/gateway/latest/admin-api/#upstream-object),
and it is applied to Kong Upstream objects created by the controller.
It can be attached to Services. To attach it to a Service, it has to be annotated with
konghq.com/upstream-policy: <name>, where <name> is the name of the KongUpstreamPolicy
object in the same namespace as the Service.
When attached to a Service, it will affect all Kong Upstreams created for the Service.
When attached to a Service used in a Gateway API Route rule with multiple BackendRefs, all of its Services MUST
be configured with the same KongUpstreamPolicy. Otherwise, the controller will ignore the KongUpstreamPolicy.
Note: KongUpstreamPolicy doesn’t implement Gateway API’s GEP-713 strictly.
In particular, it doesn’t use the TargetRef for attaching to Services and Gateway API *Routes - annotations are
used instead. This is to allow reusing the same KongUpstreamPolicy for multiple Services and Gateway API *Routes.
See customizing load balancing.
| Field | Description |
|---|---|
apiVersion string
|
configuration.konghq.com/v1beta1 |
kind string
|
KongUpstreamPolicy |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KongUpstreamPolicySpec
|
Spec contains the configuration of the Kong upstream. |
status sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyStatus
|
Status defines the current state of KongUpstreamPolicy |
Types
In this section you will find types that the CRDs rely on.
HTTPStatus
Underlying type: integer
HTTPStatus is an HTTP status code.
Appears in:
HashInput
Underlying type: string
HashInput is the input for the consistent-hashing load balancing algorithm. Use “none” to disable hashing; this is required for sticky sessions.
Appears in:
KongConsumerGroupSpec
KongConsumerGroupSpec defines the desired state of KongConsumerGroup.
| Field | Description |
|---|---|
name string
|
Name is the name of the ConsumerGroup in Kong. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a ControlPlane this ConsumerGroup is associated with. |
adopt AdoptOptions
|
Adopt is the options for adopting a consumer group from an existing consumer group in Konnect. |
tags Tags
|
Tags is an optional set of tags applied to the ConsumerGroup. |
Appears in:
KongConsumerGroupStatus
KongConsumerGroupStatus represents the current status of the KongConsumerGroup resource.
| Field | Description |
|---|---|
konnect KonnectEntityStatusWithControlPlaneRef
|
Konnect contains the Konnect entity status. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KongConsumerGroup. Known condition types are: * “Programmed” |
Appears in:
KongUpstreamActiveHealthcheck
KongUpstreamActiveHealthcheck configures active health check probing.
| Field | Description |
|---|---|
type *string
|
Type determines whether to perform active health checks using HTTP or HTTPS, or just attempt a TCP connection. Accepted values are “http”, “https”, “tcp”, “grpc”, “grpcs”. |
concurrency *int
|
Concurrency is the number of targets to check concurrently. |
healthy KongUpstreamHealthcheckHealthy
|
Healthy configures thresholds and HTTP status codes to mark targets healthy for an upstream. |
unhealthy KongUpstreamHealthcheckUnhealthy
|
Unhealthy configures thresholds and HTTP status codes to mark targets unhealthy for an upstream. |
httpPath *string
|
HTTPPath is the path to use in GET HTTP request to run as a probe. |
httpsSni *string
|
HTTPSSNI is the SNI to use in GET HTTPS request to run as a probe. |
httpsVerifyCertificate *bool
|
HTTPSVerifyCertificate is a boolean value that indicates if the certificate should be verified. |
timeout *int
|
Timeout is the probe timeout in seconds. |
headers map[string][]string
|
Headers is a list of HTTP headers to add to the probe request. |
Appears in:
KongUpstreamHash
KongUpstreamHash defines how to calculate hash for consistent-hashing load balancing algorithm. Only one of the fields must be set.
| Field | Description |
|---|---|
input HashInput
|
Input allows using one of the predefined inputs (ip, consumer, path, none). Set this to none if you want to use sticky sessions. For other parameterized inputs, use one of the fields below. |
header *string
|
Header is the name of the header to use as hash input. |
cookie *string
|
Cookie is the name of the cookie to use as hash input. |
cookiePath *string
|
CookiePath is cookie path to set in the response headers. |
queryArg *string
|
QueryArg is the name of the query argument to use as hash input. |
uriCapture *string
|
URICapture is the name of the URI capture group to use as hash input. |
Appears in:
KongUpstreamHealthcheck
KongUpstreamHealthcheck represents a health-check config of an Upstream in Kong.
| Field | Description |
|---|---|
active KongUpstreamActiveHealthcheck
|
Active configures active health check probing. |
passive KongUpstreamPassiveHealthcheck
|
Passive configures passive health check probing. |
threshold *int
|
Threshold is the minimum percentage of the upstream’s targets’ weight that must be available for the whole upstream to be considered healthy. |
Appears in:
KongUpstreamHealthcheckHealthy
KongUpstreamHealthcheckHealthy configures thresholds and HTTP status codes to mark targets healthy for an upstream.
| Field | Description |
|---|---|
httpStatuses HTTPStatus
|
HTTPStatuses is a list of HTTP status codes that Kong considers a success. |
interval *int
|
Interval is the interval between active health checks for an upstream in seconds when in a healthy state. |
successes *int
|
Successes is the number of successes to consider a target healthy. |
Appears in:
KongUpstreamHealthcheckUnhealthy
KongUpstreamHealthcheckUnhealthy configures thresholds and HTTP status codes to mark targets unhealthy.
| Field | Description |
|---|---|
httpFailures *int
|
HTTPFailures is the number of failures to consider a target unhealthy. |
httpStatuses HTTPStatus
|
HTTPStatuses is a list of HTTP status codes that Kong considers a failure. |
tcpFailures *int
|
TCPFailures is the number of TCP failures in a row to consider a target unhealthy. |
timeouts *int
|
Timeouts is the number of timeouts in a row to consider a target unhealthy. |
interval *int
|
Interval is the interval between active health checks for an upstream in seconds when in an unhealthy state. |
Appears in:
KongUpstreamPassiveHealthcheck
KongUpstreamPassiveHealthcheck configures passive health checks.
| Field | Description |
|---|---|
type *string
|
Type determines whether to perform passive health checks interpreting HTTP/HTTPS statuses, or just check for TCP connection success. Accepted values are “http”, “https”, “tcp”, “grpc”, “grpcs”. |
healthy KongUpstreamHealthcheckHealthy
|
Healthy configures thresholds and HTTP status codes to mark targets healthy for an upstream. |
unhealthy KongUpstreamHealthcheckUnhealthy
|
Unhealthy configures thresholds and HTTP status codes to mark targets unhealthy. |
Appears in:
KongUpstreamPolicySpec
KongUpstreamPolicySpec contains the specification for KongUpstreamPolicy.
| Field | Description |
|---|---|
algorithm *string
|
Algorithm is the load balancing algorithm to use. Accepted values are: “round-robin”, “consistent-hashing”, “least-connections”, “latency”, “sticky-sessions” |
slots *int
|
Slots is the number of slots in the load balancer algorithm. If not set, the default value in Kong for the algorithm is used. |
hashOn KongUpstreamHash
|
HashOn defines how to calculate hash for consistent-hashing or sticky-sessions load balancing algorithm. Algorithm must be set to “consistent-hashing” or “sticky-sessions” for this field to have effect. |
hashOnFallback KongUpstreamHash
|
HashOnFallback defines how to calculate hash for consistent-hashing load balancing algorithm if the primary hash function fails. Algorithm must be set to “consistent-hashing” for this field to have effect. |
healthchecks KongUpstreamHealthcheck
|
Healthchecks defines the health check configurations in Kong. |
stickySessions KongUpstreamStickySessions
|
StickySessions defines the sticky session configuration for the upstream. When enabled, clients will be routed to the same backend target based on a cookie. This requires Kong Enterprise Gateway and setting hash_on to none. |
Appears in:
KongUpstreamStickySessions
KongUpstreamStickySessions defines the sticky session configuration for Kong upstream. Sticky sessions ensure that requests from the same client are routed to the same backend target. This is achieved using cookies and requires Kong Enterprise Gateway.
| Field | Description |
|---|---|
cookie string
|
Cookie is the name of the cookie to use for sticky sessions. Kong will generate this cookie if it doesn’t exist in the request. |
cookiePath *string
|
CookiePath is the path to set in the cookie. |
Appears in:
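The KongUpstreamPolicy rules above (one hash source per hash block, hashing fields that only take effect with certain algorithms, and the policy being ignored when the backendRefs of a Route rule disagree) can be checked before applying manifests. This is an added example, not Kong's own code; the object names are hypothetical and treating cookiePath as a companion of cookie rather than a hash source is an assumption.

```python
"""Pre-flight checks for KongUpstreamPolicy, built only from rules stated in this reference."""

ANNOTATION = "konghq.com/upstream-policy"
# Assumption: cookiePath accompanies cookie, so it is not counted as a hash source.
HASH_SOURCES = ("input", "header", "cookie", "queryArg", "uriCapture")


def check_hash(field, hash_spec):
    """A KongUpstreamHash selects exactly one hash source."""
    chosen = [key for key in HASH_SOURCES if hash_spec.get(key) is not None]
    if len(chosen) == 1:
        return []
    return [f"{field}: exactly one hash source must be set, found {chosen}"]


def check_policy_spec(spec):
    """Return findings for settings that conflict or that weaken health probing."""
    findings = []
    algorithm = spec.get("algorithm")
    hash_on = spec.get("hashOn")
    fallback = spec.get("hashOnFallback")
    if hash_on is not None:
        findings += check_hash("hashOn", hash_on)
        if algorithm not in ("consistent-hashing", "sticky-sessions"):
            findings.append(f"hashOn has no effect with algorithm {algorithm!r}")
    if fallback is not None:
        findings += check_hash("hashOnFallback", fallback)
        if algorithm != "consistent-hashing":
            findings.append(f"hashOnFallback has no effect with algorithm {algorithm!r}")
    if spec.get("stickySessions") is not None and (hash_on or {}).get("input") != "none":
        findings.append("stickySessions requires hashOn.input set to none")
    active = (spec.get("healthchecks") or {}).get("active") or {}
    # Only an explicit false is flagged; the default is not stated in this reference.
    if active.get("type") == "https" and active.get("httpsVerifyCertificate") is False:
        findings.append("active HTTPS probes do not verify the target certificate")
    return findings


def rules_with_mixed_policies(route, services):
    """List (rule index, {service: policy}) where the backendRefs of a rule disagree.

    The controller ignores the KongUpstreamPolicy for such a rule.
    `services` maps (namespace, name) to a Service manifest.
    """
    route_ns = route["metadata"]["namespace"]
    mixed = []
    for index, rule in enumerate(route["spec"].get("rules", [])):
        policies = {}
        for ref in rule.get("backendRefs", []):
            service = services[(ref.get("namespace", route_ns), ref["name"])]
            annotations = service["metadata"].get("annotations") or {}
            policies[ref["name"]] = annotations.get(ANNOTATION)
        if len(set(policies.values())) > 1:
            mixed.append((index, policies))
    return mixed


# Constructed sample objects (hypothetical names), written as Python dicts.
GOOD_SPEC = {
    "algorithm": "consistent-hashing",
    "hashOn": {"header": "X-Tenant"},
    "hashOnFallback": {"input": "ip"},
    "healthchecks": {"active": {
        "type": "https", "httpPath": "/healthz", "httpsVerifyCertificate": True,
        "healthy": {"interval": 5, "successes": 2},
        "unhealthy": {"interval": 5, "httpFailures": 3},
    }},
}
BAD_SPEC = {
    "algorithm": "round-robin",
    "hashOn": {"input": "ip", "header": "X-Tenant"},
    "hashOnFallback": {"input": "ip"},
    "healthchecks": {"active": {"type": "https", "httpsVerifyCertificate": False}},
}


def make_service(name, policy=None):
    """Build a minimal Service manifest, optionally annotated with a policy name."""
    metadata = {"name": name, "namespace": "shop"}
    if policy is not None:
        metadata["annotations"] = {ANNOTATION: policy}
    return {"apiVersion": "v1", "kind": "Service", "metadata": metadata}


SERVICES = {
    ("shop", "checkout-v1"): make_service("checkout-v1", "checkout-hash"),
    ("shop", "checkout-v2"): make_service("checkout-v2"),  # annotation forgotten
    ("shop", "catalog"): make_service("catalog", "checkout-hash"),
}
ROUTE = {
    "kind": "HTTPRoute",
    "metadata": {"name": "shop", "namespace": "shop"},
    "spec": {"rules": [
        {"backendRefs": [{"name": "checkout-v1"}, {"name": "checkout-v2"}]},
        {"backendRefs": [{"name": "catalog"}]},
    ]},
}

if __name__ == "__main__":
    for finding in check_policy_spec(BAD_SPEC):
        print("spec:", finding)
    for index, policies in rules_with_mixed_policies(ROUTE, SERVICES):
        print(f"rule {index}: policy ignored, backends disagree: {policies}")
```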
eventgateway.konghq.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the eventgateway.konghq.com v1alpha1 API group.
KegDataPlane
KegDataPlane is the Schema for the EventGateway data planes API. It manages a keg binary Deployment that connects to Konnect via a referenced KonnectEventGateway resource.
| Field | Description |
|---|---|
apiVersion string
|
eventgateway.konghq.com/v1alpha1 |
kind string
|
KegDataPlane |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KegDataPlaneSpec
|
Spec defines the desired state of KegDataPlane. |
status KegDataPlaneStatus
|
Status defines the observed state of KegDataPlane. |
Types
In this section you will find types that the CRDs rely on.
ControlPlaneRef
ControlPlaneRef identifies the control plane this DataPlane connects to. The Type field determines which sub-field is active.
| Field | Description |
|---|---|
type ControlPlaneRefType
|
Type indicates the type of the control plane being referenced. Currently only konnectNamespacedRef is supported. |
konnectNamespacedRef KonnectNamespacedRef
|
KonnectNamespacedRef references a KonnectEventGateway resource in the same namespace. Must be set when type is konnectNamespacedRef; validated by CEL rules on this struct. |
Appears in:
ControlPlaneRefType
Underlying type: string
ControlPlaneRefType identifies the kind of control plane being referenced.
Appears in:
Allowed values:
| Value | Description |
|---|---|
konnectNamespacedRef |
ControlPlaneRefTypeKonnectNamespacedRef references a KonnectEventGateway resource in the same namespace as the DataPlane. |
DebugEndpointsState
Underlying type: string
DebugEndpointsState controls whether keg debug endpoints are exposed.
Appears in:
Allowed values:
| Value | Description |
|---|---|
Enabled |
DebugEndpointsStateEnabled enables the /debug/pprof/allocs endpoint. |
Disabled |
DebugEndpointsStateDisabled disables the debug endpoints (default). |
DeploymentOptions
DeploymentOptions specifies options for the Deployment managed by the KegDataPlane controller.
| Field | Description |
|---|---|
replicas *int32
|
Replicas describes the number of desired pods. This is a pointer to distinguish between explicit zero and not specified. This is effectively shorthand for setting a scaling minimum and maximum to the same value. This field and the scaling field are mutually exclusive: You can only configure one or the other. |
scaling Scaling
|
Scaling defines the scaling options for the deployment. |
podTemplateSpec PodTemplateSpec
|
PodTemplateSpec defines PodTemplateSpec for Deployment’s pods. It’s being applied on top of the generated Deployments using StrategicMergePatch. Note: environment variables set here take precedence over strongly-typed fields in Spec.Config. Using raw env vars is discouraged and intended for advanced use cases only. |
Appears in:
HorizontalScaling
HorizontalScaling defines horizontal scaling options for the deployment. It holds all the options from the HorizontalPodAutoscalerSpec besides the ScaleTargetRef which is being controlled by the Operator.
| Field | Description |
|---|---|
minReplicas *int32
|
minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured. Scaling is active as long as at least one metric value is available. |
maxReplicas int32
|
maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less than minReplicas. |
metrics MetricSpec array
|
metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization. |
behavior HorizontalPodAutoscalerBehavior
|
behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used. |
Appears in:
KegDataPlaneConfiguration
KegDataPlaneConfiguration provides optional overrides for keg runtime settings. All fields map 1-to-1 to keg configuration variables.
| Field | Description |
|---|---|
konnect KonnectConfig
|
Konnect provides optional overrides for the keg to Konnect connection parameters. All other connection values (region, gateway_cluster_id, cert paths) are derived automatically and cannot be overridden here. |
configPollIntervalSeconds *int32
|
ConfigPollIntervalSeconds overrides how often keg polls Konnect for config changes, in seconds. Corresponds to config_poll_interval / KEG__CONFIG_POLL_INTERVAL. |
enableDebugEndpoints DebugEndpointsState
|
EnableDebugEndpoints enables the /debug/pprof/allocs endpoint. Corresponds to enable_debug_endpoints / KEG__ENABLE_DEBUG_ENDPOINTS. |
observability ObservabilityConfig
|
Observability configures logging, metrics, and tracing. |
runtime RuntimeOptions
|
Runtime configures graceful shutdown and health endpoint behaviour. |
Appears in:
KegDataPlaneSpec
KegDataPlaneSpec defines the desired state of KegDataPlane.
| Field | Description |
|---|---|
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef references the control plane this KegDataPlane connects to. The type field identifies which kind of control plane is being referenced. Currently only konnectNamespacedRef is supported, which references a KonnectEventGateway resource in the same namespace. |
deployment DeploymentOptions
|
Deployment configures the keg Deployment: image, replicas, resources, extra env vars, volume mounts, etc. |
network NetworkOptions
|
Network configures how the keg pod is exposed to Kafka clients. |
config KegDataPlaneConfiguration
|
Config provides optional overrides for keg runtime settings. When omitted, the keg built-in defaults are used. https://developer.konghq.com/event-gateway/configuration/#applying-configuration |
Appears in:
KegDataPlaneStatus
KegDataPlaneStatus defines the observed state of KegDataPlane.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the KegDataPlane. |
readyReplicas int32
|
ReadyReplicas indicates how many replicas have reported to be ready. |
replicas int32
|
Replicas indicates how many replicas have been set for the KegDataPlane. |
Appears in:
KonnectConfig
KonnectConfig exposes the small subset of konnect.* config keys that are user-tunable (all others are set automatically by the controller).
| Field | Description |
|---|---|
domain *string
|
Domain overrides the Konnect domain. Corresponds to konnect.domain / KONG_KONNECT_DOMAIN. |
apiRequestTimeoutSeconds *int32
|
APIRequestTimeoutSeconds overrides the Konnect API request timeout, in seconds. Corresponds to konnect.api_request_timeout / KONG_KONNECT_API_REQUEST_TIMEOUT. |
insecureSkipVerify TLSVerificationState
|
InsecureSkipVerify disables TLS verification for the Konnect connection. For testing only, do not use in production. Corresponds to konnect.insecure_skip_verify / KONG_KONNECT_INSECURE_SKIP_VERIFY. |
Appears in:
KonnectNamespacedRef
KonnectNamespacedRef is a reference to a KonnectEventGateway resource in the same namespace.
| Field | Description |
|---|---|
name string
|
Name is the name of the KonnectEventGateway resource. |
Appears in:
LabelName
Underlying type: string
LabelName is a label key with constraints matching Kubernetes label key requirements.
Appears in:
LabelValue
Underlying type: string
LabelValue is a label value with constraints matching Kubernetes label value requirements.
Appears in:
NetworkOptions
NetworkOptions defines network-related options for a KegDataPlane.
| Field | Description |
|---|---|
services Services
|
Services configures the Kubernetes Services that expose the keg pod to Kafka clients. |
Appears in:
ObservabilityConfig
ObservabilityConfig configures logging, metrics, and tracing for KEG.
| Field | Description |
|---|---|
logFlags *string
|
LogFlags sets the log level. Corresponds to observability.log_flags / KEG__OBSERVABILITY__LOG_FLAGS. |
logFormat *string
|
LogFormat sets the log output format. Corresponds to observability.log_format / KEG__OBSERVABILITY__LOG_FORMAT. |
metricsRollupAllowMap *string
|
MetricsRollupAllowMap prevents high-cardinality metrics by collapsing unmatched label values to “other”. Corresponds to observability.metrics_rollup_allow_map / KEG__OBSERVABILITY__METRICS_ROLLUP_ALLOW_MAP. |
policyErrorsInfoLogIntervalSeconds *int32
|
PolicyErrorsInfoLogIntervalSeconds sets the interval for INFO-level logging of policy errors, in seconds. Set to 0 to disable. Corresponds to observability.policy_errors_info_log_interval / KEG__OBSERVABILITY__POLICY_ERRORS_INFO_LOG_INTERVAL. |
Appears in:
RuntimeOptions
RuntimeOptions configures graceful shutdown and health endpoint behaviour for keg.
| Field | Description |
|---|---|
healthListenerAddressPort *string
|
HealthListenerAddressPort sets the address:port for the health endpoint. Corresponds to runtime.health_listener_address_port / KEG__RUNTIME__HEALTH_LISTENER_ADDRESS_PORT. |
drainDurationSeconds *int32
|
DrainDurationSeconds sets how long keg drains existing connections on shutdown, in seconds. Corresponds to runtime.drain_duration / KEG__RUNTIME__DRAIN_DURATION. |
shutdownTimeoutSeconds *int32
|
ShutdownTimeoutSeconds sets the graceful shutdown timeout, in seconds. Corresponds to runtime.shutdown_timeout / KEG__RUNTIME__SHUTDOWN_TIMEOUT. |
Appears in:
Scaling
Scaling defines the scaling options for the deployment.
| Field | Description |
|---|---|
horizontal HorizontalScaling
|
HorizontalScaling defines horizontal scaling options for the deployment. |
Appears in:
ServiceOptions
ServiceOptions contains Service configuration for the KegDataPlane.
| Field | Description |
|---|---|
type ServiceType
|
Type determines how the Service is exposed. Defaults to ClusterIP. |
annotations map[string]string
|
Annotations is an unstructured key value map stored with the Service resource. |
labels LabelValue
|
Labels are propagated to the KegDataPlane’s Kafka Service. |
externalTrafficPolicy ServiceExternalTrafficPolicy
|
ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s externally-facing addresses. |
ports ServicePort
|
Ports defines the list of ports that are exposed by the service. |
Appears in:
ServicePort
ServicePort contains information on a service port.
| Field | Description |
|---|---|
name *string
|
The name of this port within the service. |
port int32
|
The port that will be exposed by this service. |
targetPort *k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
Number or name of the port to access on the pods targeted by the service. |
nodePort *int32
|
The port on each node on which this service is exposed when type is NodePort or LoadBalancer. |
Appears in:
Services
Services configures the Kubernetes Services created for a keg pod.
keg exposes a single TCP port for Kafka client traffic. In production the
recommended approach is SNI mapping, one port (default 9092), multiple backend
clusters via distinct TLS hostnames. For external access the Service type must
be LoadBalancer (or a Gateway API TLSRoute passthrough can be used).
| Field | Description |
|---|---|
kafka ServiceOptions
|
Kafka is the Service that exposes the Kafka protocol listener to clients. In SNI mapping mode (production) this is a single port that defaults to 9092. Konnect Listeners configure which hostnames keg advertises to clients; those hostnames must resolve to this Service’s external address. Set type to LoadBalancer for external access, or use a TLSRoute (Gateway API passthrough) to route to this Service from a shared ingress Gateway. |
Appears in:
TLSVerificationState
Underlying type: string
TLSVerificationState controls whether TLS verification is skipped.
Appears in:
Allowed values:
| Value | Description |
|---|---|
Enabled |
TLSVerificationStateEnabled skips TLS verification. For testing only. |
Disabled |
TLSVerificationStateDisabled enforces TLS verification (default). |
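Because raw environment variables in deployment.podTemplateSpec take precedence over the typed fields in spec.config, a KegDataPlane whose typed fields look safe can still run with TLS verification skipped or debug endpoints exposed. The following audit is an added example, not part of the operator; the manifest names and the container name are hypothetical, and the env var value shown is constructed (the check keys on the variable name only).

```python
"""Audit a KegDataPlane manifest for the risky settings named in this reference."""

# Typed fields under spec.config whose value "Enabled" weakens the deployment.
RISKY_TYPED = {
    ("konnect", "insecureSkipVerify"): "TLS verification for the Konnect connection is skipped",
    ("enableDebugEndpoints",): "the /debug/pprof/allocs endpoint is exposed",
}
# Raw env vars that correspond to those typed fields and take precedence over them.
OVERRIDING_ENV = {
    "KONG_KONNECT_INSECURE_SKIP_VERIFY": "spec.config.konnect.insecureSkipVerify",
    "KEG__ENABLE_DEBUG_ENDPOINTS": "spec.config.enableDebugEndpoints",
}


def dig(obj, *path):
    """Walk nested dicts, returning None as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def audit_keg_dataplane(manifest):
    """Return a list of (kind, location, message) findings; empty means nothing flagged."""
    spec = manifest.get("spec") or {}
    findings = []
    for path, meaning in RISKY_TYPED.items():
        if dig(spec, "config", *path) == "Enabled":
            findings.append(("typed", "spec.config." + ".".join(path), meaning))
    containers = dig(spec, "deployment", "podTemplateSpec", "spec", "containers") or []
    for container in containers:
        for env in container.get("env") or []:
            typed_field = OVERRIDING_ENV.get(env.get("name"))
            if typed_field:
                findings.append(("env", env["name"],
                                 f"raw env var takes precedence over {typed_field}"))
    # Informational: LoadBalancer is the documented way to allow external access.
    if dig(spec, "network", "services", "kafka", "type") == "LoadBalancer":
        findings.append(("exposure", "spec.network.services.kafka.type",
                         "Kafka listener is reachable from outside the cluster"))
    return findings


def keg_manifest(config, env=None, service_type=None):
    """Build a constructed KegDataPlane manifest (hypothetical names) as a dict."""
    spec = {
        "controlPlaneRef": {"type": "konnectNamespacedRef",
                            "konnectNamespacedRef": {"name": "example-event-gateway"}},
        "config": config,
    }
    if env:
        # Container name is hypothetical; the reference does not state it.
        spec["deployment"] = {"podTemplateSpec": {"spec": {
            "containers": [{"name": "keg", "env": env}]}}}
    if service_type:
        spec["network"] = {"services": {"kafka": {"type": service_type}}}
    return {"apiVersion": "eventgateway.konghq.com/v1alpha1", "kind": "KegDataPlane",
            "metadata": {"name": "example-keg", "namespace": "events"}, "spec": spec}


HARDENED = keg_manifest(
    {"konnect": {"insecureSkipVerify": "Disabled"}, "enableDebugEndpoints": "Disabled"},
    service_type="ClusterIP",
)
# Typed TLS field says Disabled, but a raw env var overrides it.
DRIFTED = keg_manifest(
    {"konnect": {"insecureSkipVerify": "Disabled"}, "enableDebugEndpoints": "Enabled"},
    env=[{"name": "KONG_KONNECT_INSECURE_SKIP_VERIFY", "value": "true"}],
    service_type="LoadBalancer",
)

if __name__ == "__main__":
    for kind, location, message in audit_keg_dataplane(DRIFTED):
        print(f"[{kind}] {location}: {message}")
```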
gateway-operator.konghq.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the gateway-operator.konghq.com v1alpha1 API group.
AIGateway
AIGateway is a network Gateway enabling access and management for AI &
Machine Learning models such as Large Language Models (LLM).
The underlying technology for the AIGateway is the Kong Gateway configured
with a variety of plugins which provide the AI featureset.
This is a list of the plugins, which are available in Kong Gateway v3.6.x+:
- ai-proxy (https://github.com/kong/kong/tree/master/kong/plugins/ai-proxy)
- ai-request-transformer (https://github.com/kong/kong/tree/master/kong/plugins/ai-request-transformer)
- ai-response-transformers (https://github.com/kong/kong/tree/master/kong/plugins/ai-response-transformer)
- ai-prompt-template (https://github.com/kong/kong/tree/master/kong/plugins/ai-prompt-template)
- ai-prompt-guard-plugin (https://github.com/kong/kong/tree/master/kong/plugins/ai-prompt-guard)
- ai-prompt-decorator-plugin (https://github.com/kong/kong/tree/master/kong/plugins/ai-prompt-decorator)
So effectively the AIGateway resource provides a bespoke Gateway resource (which it owns and manages) with the gateway, consumers and plugin configurations automated and configurable via Kubernetes APIs.
The current iteration only supports the proxy itself, but the API is being built with room for future growth in several dimensions. For instance:
- Supporting auxiliary functions (e.g. decorator, guard, templater, token-rate-limit)
- Supporting request/response transformers
- Supporting more than just LLMs (e.g. CCNs, GANs, e.t.c.)
- Supporting more hosting options for LLMs (e.g. self hosted)
- Supporting more AI cloud providers
- Supporting more AI cloud provider features
The validation rules throughout are set up to ensure at least one cloud-provider-based LLM is specified, but in the future, when we have more model types and more hosting options for those types, we may want to look into using CEL validation to ensure that at least one model configuration is provided. We may also want to use CEL to validate things like identifier uniqueness, e.t.c.
See: https://kubernetes.io/docs/reference/using-api/cel/
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v1alpha1 |
kind string
|
AIGateway |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec AIGatewaySpec
|
Spec is the desired state of the AIGateway. |
status AIGatewayStatus
|
Status is the observed state of the AIGateway. |
DataPlaneMetricsExtension
DataPlaneMetricsExtension holds the configuration for the DataPlane metrics extension. It can be attached to a ControlPlane using its spec.extensions. When attached it will make the ControlPlane configure its DataPlane with the specified metrics configuration. Additionally, it will also make the operator expose DataPlane’s metrics enriched with metadata required for in-cluster Kubernetes autoscaling.
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v1alpha1 |
kind string
|
DataPlaneMetricsExtension |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec DataPlaneMetricsExtensionSpec
|
|
status DataPlaneMetricsExtensionStatus
|
KongPluginInstallation
KongPluginInstallation allows using a custom Kong Plugin distributed as a container image available in a registry. Such a plugin can be associated with GatewayConfiguration or DataPlane to be available for particular Kong Gateway and configured with KongPlugin CRD.
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v1alpha1 |
kind string
|
KongPluginInstallation |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KongPluginInstallationSpec
|
|
status KongPluginInstallationStatus
|
WatchNamespaceGrant
WatchNamespaceGrant is a grant that allows a trusted namespace to watch resources in the namespace this grant exists in.
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v1alpha1 |
kind string
|
WatchNamespaceGrant |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec WatchNamespaceGrantSpec
|
Spec is the desired state of the WatchNamespaceGrant. |
Types
In this section you will find types that the CRDs rely on.
AICloudProvider
AICloudProvider is the organization that provides API access to Large Language Models (LLMs).
| Field | Description |
|---|---|
name AICloudProviderName
|
Name is the unique name of an LLM provider. |
Appears in:
AICloudProviderAPITokenRef
AICloudProviderAPITokenRef is a reference to another object which contains the API token for an AI cloud provider.
| Field | Description |
|---|---|
name string
|
Name is the name of the reference object. |
namespace *string
|
Namespace is the namespace of the reference object. If not specified, it will be assumed to be the same namespace as the object which references it. |
kind *string
|
Kind is the API object kind. If not specified, it will be assumed to be “Secret”. If a Secret is used as the Kind, the secret must contain a single key-value pair where the value is the secret API token. The key can be named anything, as long as there’s only one entry, but by convention it should be “apiToken”. |
Appears in:
AICloudProviderName
Underlying type: string
AICloudProviderName indicates the unique name of a supported AI cloud provider.
Appears in:
Allowed values:
| Value | Description |
|---|---|
openai |
AICloudProviderOpenAI is the OpenAI cloud provider. They are known for models such as ChatGPT 3.5, 4, Dall-e, e.t.c. |
azure |
AICloudProviderAzure is the Azure cloud provider. They are known for models such as PHI-2. |
cohere |
AICloudProviderCohere is the Cohere cloud provider. They are known for models such as Cohere-Embed, and Cohere-Rerank. |
mistral |
AICloudProviderMistral is the Mistral.AI cloud provider. They are known for models such as mistral-tiny. |
AIGatewayConsumerRef
AIGatewayConsumerRef indicates the Secret resource containing the credentials for the Kong consumer.
| Field | Description |
|---|---|
name string
|
Name is the name of the reference object. |
namespace string
|
Namespace is the namespace of the reference object. |
Appears in:
AIGatewayEndpoint
AIGatewayEndpoint is a network endpoint for accessing an AIGateway.
| Field | Description |
|---|---|
network EndpointNetworkAccessHint
|
NetworkAccessHint is a hint to the user about what kind of network access is expected for the reachability of this endpoint. |
url string
|
URL is the URL to access the endpoint from the network indicated by the NetworkAccessHint. |
models []string
|
AvailableModels is a list of the identifiers of all the AI models that are accessible from this endpoint. |
consumer AIGatewayConsumerRef
|
Consumer is a reference to the Secret that contains the credentials for the Kong consumer that is allowed to access this endpoint. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the AIGatewayEndpoint. Known condition types are: - “Provisioning” - “EndpointReady” |
Appears in:
AIGatewaySpec
AIGatewaySpec defines the desired state of an AIGateway.
| Field | Description |
|---|---|
gatewayClassName string
|
GatewayClassName is the name of the GatewayClass which is responsible for the AIGateway. |
largeLanguageModels LargeLanguageModels
|
LargeLanguageModels is a list of Large Language Models (LLMs) to be managed by the AI Gateway. This is a required field because we only support LLMs at the moment. In future iterations we may support other model types. |
cloudProviderCredentials AICloudProviderAPITokenRef
|
CloudProviderCredentials is a reference to an object (e.g. a Kubernetes Secret) which contains the credentials needed to access the APIs of cloud providers. This is the global configuration that will be used by DEFAULT for all model configurations. A secret configured this way MAY include any number of key-value pairs equal to the number of providers you have, but used this way the keys MUST be named according to their providers (e.g. “openai”, “azure”, “cohere”, e.t.c.). For example: apiVersion: v1 kind: Secret metadata: name: devteam-ai-cloud-providers type: Opaque data: openai: ******* azure: ******* cohere: ********* See AICloudProviderName for a list of known and valid cloud providers. Note that the keys are NOT case-sensitive (e.g. “OpenAI”, “openai”, and “openAI” are all valid and considered the same keys), but if there are duplicates, endpoint failure conditions will be emitted and endpoints will not be configured until the duplicates are resolved. This is currently considered required, but in future iterations will be optional as we do things like enable configuring credentials at the model level. |
Appears in:
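Since provider keys in the credentials Secret are matched case-insensitively and duplicates block endpoint configuration, it is worth checking the key set before the Secret is applied. This is an added example, not operator code; the Secret contents are constructed, the values are masked placeholders, and the `required` parameter (the providers your models use) is an assumption of this sketch.

```python
"""Check the key names of an AIGateway cloudProviderCredentials Secret."""
from collections import defaultdict

# Provider names listed under AICloudProviderName in this reference.
KNOWN_PROVIDERS = {"openai", "azure", "cohere", "mistral"}


def check_provider_secret(secret, required=()):
    """Group keys case-insensitively and report duplicates, unknown and missing providers."""
    by_provider = defaultdict(list)
    # A Secret may carry keys in data and in stringData; both are considered.
    for section in ("data", "stringData"):
        for key in secret.get(section) or {}:
            by_provider[key.lower()].append(key)
    wanted = {name.lower() for name in required}
    return {
        "duplicates": {p: sorted(keys) for p, keys in by_provider.items() if len(keys) > 1},
        "unknown": sorted(p for p in by_provider if p not in KNOWN_PROVIDERS),
        "missing": sorted(wanted - set(by_provider)),
    }


# Constructed Secret: "openai" appears twice with different casing, and one key
# ("examplecorp", a made-up name) is not a provider from AICloudProviderName.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "devteam-ai-cloud-providers"},
    "type": "Opaque",
    "data": {"openai": "*******", "OpenAI": "*******",
             "azure": "*******", "examplecorp": "*******"},
}

if __name__ == "__main__":
    report = check_provider_secret(SAMPLE_SECRET, required=["azure", "cohere"])
    for problem, detail in report.items():
        if detail:
            print(f"{problem}: {detail}")
```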
AIGatewayStatus
AIGatewayStatus defines the observed state of AIGateway.
| Field | Description |
|---|---|
endpoints AIGatewayEndpoint
|
Endpoints are collections of the URL, credentials and metadata needed in order to access models served by the AIGateway for inference. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the AIGateway. Known condition types are: - “Accepted” - “Provisioning” - “EndpointsReady” |
Appears in:
CloudHostedLargeLanguageModel
CloudHostedLargeLanguageModel is the configuration for Large Language Models (LLM) hosted by a known and supported AI cloud provider (e.g. OpenAI, Cohere, Azure, e.t.c.).
| Field | Description |
|---|---|
identifier string
|
Identifier is the unique name which identifies the LLM. This will be used as part of the requests made to an AIGateway endpoint. For instance: if you provided the identifier “devteam-gpt-access”, then you would access this model via “https://${endpoint}/devteam-gpt-access” and supply it with your consumer credentials to authenticate requests. |
model *string
|
Model is the model name of the LLM (e.g. gpt-3.5-turbo, phi-2, e.t.c.). If not specified, whatever the cloud provider specifies as the default model will be used. |
promptType LLMPromptType
|
PromptType is the type of prompt to be used for inference requests to the LLM (e.g. “chat”, “completions”). If “chat” is specified, prompts sent by the user will be interactive, contextual and stateful. The LLM will dynamically answer questions and simulate a dialogue, while also keeping track of the conversation to provide contextually relevant responses. If “completions” is specified, prompts sent by the user will be stateless and “one-shot”. The LLM will provide a single response to the prompt, without any context from previous prompts. If not specified, “completions” will be used as the default. |
defaultPrompts LLMPrompt
|
DefaultPrompts is a list of prompts that should be provided to the LLM by default. This is generally used to influence inference behavior, for instance by providing a “system” role prompt that instructs the LLM to take on a certain persona. |
defaultPromptParams LLMPromptParams
|
DefaultPromptParams configures the parameters which will be sent with any and every inference request. If this is set, there is currently no way to override these parameters at the individual prompt level. This is an expected feature from later releases of our AI plugins. |
aiCloudProvider AICloudProvider
|
AICloudProvider defines the cloud provider that will fulfill the LLM requests for this CloudHostedLargeLanguageModel |
Appears in:
DataPlaneMetricsExtensionSpec
DataPlaneMetricsExtensionSpec defines the spec for the DataPlaneMetricsExtension.
| Field | Description |
|---|---|
serviceSelector ServiceSelector
|
ServiceSelector holds the service selector specifying the services for which metrics should be collected. |
config MetricsConfig
|
Config holds the configuration for the DataPlane metrics. |
Appears in:
DataPlaneMetricsExtensionStatus
DataPlaneMetricsExtensionStatus defines the status of the DataPlaneMetricsExtension.
| Field | Description |
|---|---|
controlPlaneRef NamespacedRef
|
ControlPlaneRef is a reference to the ControlPlane that this is associated with. This field is set by the operator when this extension is associated with a ControlPlane through its extensions spec. There can only be one ControlPlane associated with a given DataPlaneMetricsExtension. When this is unset it means that the association has been removed. |
Appears in:
EndpointNetworkAccessHint
Underlying type: string
EndpointNetworkAccessHint provides a human readable indication of what kind
of network access is expected for a Gateway.
This isn’t meant to reflect knowledge of any specific network by name, which
is why it includes “hint” in the name. It’s meant to be a hint to the user
such as “internet-accessible”, “internal-only”.
Appears in:
Allowed values:
| Value | Description |
|---|---|
internet-accessible |
NetworkInternetAccessible indicates that the endpoint is accessible from the public internet. |
KongPluginInstallationSpec
KongPluginInstallationSpec provides the information necessary to retrieve and install a Kong custom plugin.
| Field | Description |
|---|---|
image string
|
The image is an OCI image URL for a packaged custom Kong plugin. |
imagePullSecretRef *sigs.k8s.io/gateway-api/apis/v1.SecretObjectReference
|
ImagePullSecretRef is a reference to a Kubernetes Secret containing credentials necessary to pull the OCI image in Image. It must follow the format in https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry. It is optional. If the image is public, omit this field. |
Appears in:
KongPluginInstallationStatus
KongPluginInstallationStatus defines the observed state of KongPluginInstallation.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of this KongPluginInstallation. |
underlyingConfigMapName string
|
UnderlyingConfigMapName is the name of the ConfigMap that contains the plugin’s content. It is set when the plugin is successfully fetched and unpacked. |
Appears in:
LLMPrompt
LLMPrompt is a text prompt that includes parameters, a role and content.
This is intended for situations like when you need to provide roles in a
prompt to an LLM in order to influence its behavior and responses.
For example, you might want to provide a “system” role and tell the LLM
something like “you are a helpful assistant who responds in the style of
Sherlock Holmes”.
| Field | Description |
|---|---|
content string
|
Content is the prompt text sent for inference. |
role LLMPromptRole
|
Role indicates the role of the prompt. This is used to identify the prompt’s purpose, such as “system” or “user” and can influence the behavior of the LLM. If not specified, “user” will be used as the default. |
Appears in:
LLMPromptParams
LLMPromptParams contains parameters that can be used to control the behavior of a large language model (LLM) when generating text based on a prompt.
| Field | Description |
|---|---|
temperature *string
|
Temperature controls the randomness of predictions by scaling the logits before applying softmax. A lower temperature (e.g., 0.0 to 0.7) makes the model more confident in its predictions, leading to more repetitive and deterministic outputs. A higher temperature (e.g., 0.8 to 1.0) increases randomness, generating more diverse and creative outputs. At very high temperatures, the outputs may become nonsensical or highly unpredictable. |
maxTokens *int
|
Max Tokens specifies the maximum length of the model’s output in terms of the number of tokens (words or pieces of words). This parameter limits the output’s size, ensuring the model generates content within a manageable scope. A token can be a word or part of a word, depending on the model’s tokenizer. |
topK *int
|
TopK sampling is a technique where the model’s prediction is limited to the K most likely next tokens at each step of the generation process. The probability distribution is truncated to these top K tokens, and the next token is randomly sampled from this subset. This method helps in reducing the chance of selecting highly improbable tokens, making the text more coherent. A smaller K leads to more predictable text, while a larger K allows for more diversity but with an increased risk of incoherence. |
topP *string
|
TopP (also known as nucleus sampling) is an alternative to top K sampling. Instead of selecting the top K tokens, top P sampling chooses from the smallest set of tokens whose cumulative probability exceeds the threshold P. This method dynamically adjusts the number of tokens considered at each step, depending on their probability distribution. It helps in maintaining diversity while also avoiding very unlikely tokens. A higher P value increases diversity but can lead to less coherence, whereas a lower P value makes the model’s outputs more focused and coherent. |
Appears in:
LLMPromptRole
Underlying type: string
LLMPromptRole indicates the role of a prompt for a large language model (LLM).
Appears in:
Allowed values:
| Value | Description |
|---|---|
user |
LLMPromptRoleUser indicates that the prompt is for the user. |
system |
LLMPromptRoleSystem indicates that the prompt is for the system. |
assistance |
LLMPromptRoleAssistant indicates that the prompt is for the ‘virtual assistant’. It represents something that the chat bot “did”, or “theoretically could have,” said. |
LLMPromptType
Underlying type: string
LLMPromptType indicates the type of prompt to be used for a large language model (LLM).
Appears in:
Allowed values:
| Value | Description |
|---|---|
chat |
LLMPromptTypeChat indicates that the prompt is for a chat. |
completions |
LLMPromptTypeCompletion indicates that the prompt is for a completion. |
LargeLanguageModels
LargeLanguageModels is a list of Large Language Models (LLM) hosted in various ways (cloud hosted, self hosted, etc.) which the AIGateway should serve and manage traffic for.
| Field | Description |
|---|---|
cloudHosted CloudHostedLargeLanguageModel
|
CloudHosted configures LLMs hosted and served by cloud providers. This is currently a required field, requiring at least one cloud-hosted LLM be specified, however in future iterations we may add other hosting options such as self-hosted LLMs as separate fields. |
Appears in:
MetricsConfig
MetricsConfig holds the configuration for the DataPlane metrics.
| Field | Description |
|---|---|
latency bool
|
Latency indicates whether latency metrics are enabled for the DataPlane. This translates into deployed instances having latency_metrics option set on the Prometheus plugin. |
bandwidth bool
|
Bandwidth indicates whether bandwidth metrics are enabled for the DataPlane. This translates into deployed instances having bandwidth_metrics option set on the Prometheus plugin. |
upstreamHealth bool
|
UpstreamHealth indicates whether upstream health metrics are enabled for the DataPlane. This translates into deployed instances having upstream_health_metrics option set on the Prometheus plugin. |
statusCode bool
|
StatusCode indicates whether status code metrics are enabled for the DataPlane. This translates into deployed instances having status_code_metrics option set on the Prometheus plugin. |
Appears in:
ServiceSelector
ServiceSelector holds the service selector specification.
| Field | Description |
|---|---|
matchNames ServiceSelectorEntry
|
MatchNames holds the list of Services names to match. |
Appears in:
ServiceSelectorEntry
ServiceSelectorEntry holds the name of a service to match.
| Field | Description |
|---|---|
name string
|
Name is the name of the service to match. |
Appears in:
WatchNamespaceGrantFrom
WatchNamespaceGrantFrom describes trusted namespaces.
| Field | Description |
|---|---|
group string
|
Group is the group of the referent. |
kind string
|
Kind is the kind of the referent. |
namespace string
|
Namespace is the namespace of the referent. |
Appears in:
WatchNamespaceGrantSpec
WatchNamespaceGrantSpec defines the desired state of a WatchNamespaceGrant.
| Field | Description |
|---|---|
from WatchNamespaceGrantFrom
|
From describes the trusted namespaces and kinds that can reference the namespace this grant exists in. |
Appears in:
gateway-operator.konghq.com/v1beta1
Package v1beta1 contains API Schema definitions for the gateway-operator.konghq.com v1beta1 API group.
ControlPlane
ControlPlane is the Schema for the controlplanes API
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v1beta1 |
kind string
|
ControlPlane |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec ControlPlaneSpec
|
|
status ControlPlaneStatus
|
DataPlane
DataPlane is the Schema for the dataplanes API
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v1beta1 |
kind string
|
DataPlane |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec DataPlaneSpec
|
|
status DataPlaneStatus
|
GatewayConfiguration
GatewayConfiguration is the Schema for the gatewayconfigurations API.
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v1beta1 |
kind string
|
GatewayConfiguration |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec GatewayConfigurationSpec
|
|
status GatewayConfigurationStatus
|
Types
In this section you will find types that the CRDs rely on.
Address
Address describes an address which can be either an IP address or a hostname.
| Field | Description |
|---|---|
type AddressType
|
Type of the address. |
value string
|
Value of the address. The validity of the values will depend on the type and support by the controller. Examples: 1.2.3.4, 128::1, my-ip-address. |
sourceType AddressSourceType
|
Source type of the address. |
Appears in:
AddressSourceType
Underlying type: string
AddressSourceType defines the type of source this address represents.
Can be one of:
* PublicLoadBalancer
* PrivateLoadBalancer
* PublicIP
* PrivateIP
Appears in:
Allowed values:
| Value | Description |
|---|---|
PublicLoadBalancer |
PublicLoadBalancerAddressSourceType represents an address belonging to a public Load Balancer. |
PrivateLoadBalancer |
PrivateLoadBalancerAddressSourceType represents an address belonging to a private Load Balancer. |
PublicIP |
PublicIPAddressSourceType represents an address belonging to a public IP. |
PrivateIP |
PrivateIPAddressSourceType represents an address belonging to a private IP. |
AddressType
Underlying type: string
AddressType defines how a network address is represented as a text string.
Can be one of:
* IPAddress
* Hostname
Appears in:
Allowed values:
| Value | Description |
|---|---|
IPAddress |
IPAddressType is a textual representation of a numeric IP address. IPv4 addresses must be in dotted-decimal form. IPv6 addresses must be in a standard IPv6 text representation (see RFC 5952). This type is intended for specific addresses. Address ranges are not supported (e.g. you can not use a CIDR range like 127.0.0.0/24 as an IPAddress). |
Hostname |
HostnameAddressType represents a DNS based ingress point. This is similar to the corresponding hostname field in Kubernetes load balancer status. For example, this concept may be used for cloud load balancers where a DNS name is used to expose a load balancer. |
BlueGreenStrategy
BlueGreenStrategy defines the Blue Green deployment strategy.
| Field | Description |
|---|---|
promotion Promotion
|
Promotion defines how the operator handles promotion of resources. |
resources RolloutResources
|
Resources controls what happens to operator managed resources during or after a rollout. |
Appears in:
ControlPlaneDeploymentOptions
ControlPlaneDeploymentOptions is a shared type used on objects to indicate that their configuration results in a Deployment which is managed by the Operator and includes options for managing Deployments such as the number of replicas or pod options like container image and resource requirements, version, as well as Env variable overrides.
| Field | Description |
|---|---|
replicas *int32
|
Replicas describes the number of desired pods. This is a pointer to distinguish between explicit zero and not specified. This only affects the DataPlane deployments for now, for more details on ControlPlane scaling please see https://github.com/Kong/gateway-operator/issues/736. |
podTemplateSpec PodTemplateSpec
|
PodTemplateSpec defines PodTemplateSpec for Deployment’s pods. |
Appears in:
ControlPlaneOptions
ControlPlaneOptions indicates the specific information needed to deploy and connect a ControlPlane to a DataPlane object.
| Field | Description |
|---|---|
deployment ControlPlaneDeploymentOptions
|
|
dataplane *string
|
DataPlanes refers to the named DataPlane objects which this ControlPlane is responsible for. Currently they must be in the same namespace as the DataPlane. |
extensions ExtensionRef
|
Extensions provide additional or replacement features for the ControlPlane resources to influence or enhance functionality. |
watchNamespaces WatchNamespaces
|
WatchNamespaces indicates the namespaces to watch for resources. |
Appears in:
ControlPlaneSpec
ControlPlaneSpec defines the desired state of ControlPlane.
| Field | Description |
|---|---|
deployment ControlPlaneDeploymentOptions
|
|
dataplane *string
|
DataPlanes refers to the named DataPlane objects which this ControlPlane is responsible for. Currently they must be in the same namespace as the DataPlane. |
extensions ExtensionRef
|
Extensions provide additional or replacement features for the ControlPlane resources to influence or enhance functionality. |
watchNamespaces WatchNamespaces
|
WatchNamespaces indicates the namespaces to watch for resources. |
gatewayClass *sigs.k8s.io/gateway-api/apis/v1.ObjectName
|
GatewayClass indicates the Gateway resources which this ControlPlane should be responsible for configuring routes for (e.g. HTTPRoute, TCPRoute, UDPRoute, TLSRoute, etc.). Required for the ControlPlane to have any effect: at least one Gateway must be present for configuration to be pushed to the data-plane and only Gateway resources can be used to identify data-plane entities. |
ingressClass *string
|
IngressClass enables support for the older Ingress resource and indicates which Ingress resources this ControlPlane should be responsible for. Routing configured this way will be applied to the Gateway resources indicated by GatewayClass. If omitted, Ingress resources will not be supported by the ControlPlane. |
Appears in:
ControlPlaneStatus
ControlPlaneStatus defines the observed state of ControlPlane.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the Gateway. |
Appears in:
DataPlaneDeploymentOptions
DataPlaneDeploymentOptions specifies options for the Deployments (as in the Kubernetes resource “Deployment”) which are created and managed for the DataPlane resource.
| Field | Description |
|---|---|
replicas *int32
|
Replicas describes the number of desired pods. This is a pointer to distinguish between explicit zero and not specified. This is effectively shorthand for setting a scaling minimum and maximum to the same value. This field and the scaling field are mutually exclusive: You can only configure one or the other. |
scaling Scaling
|
Scaling defines the scaling options for the deployment. |
podTemplateSpec PodTemplateSpec
|
PodTemplateSpec defines PodTemplateSpec for Deployment’s pods. It’s being applied on top of the generated Deployments using StrategicMergePatch. |
rollout Rollout
|
Rollout describes a custom rollout strategy. |
Appears in:
DataPlaneNetworkOptions
DataPlaneNetworkOptions defines network related options for a DataPlane.
| Field | Description |
|---|---|
services DataPlaneServices
|
Services indicates the configuration of Kubernetes Services needed for the topology of various forms of traffic (including ingress, etc.) to and from the DataPlane. |
konnectCertificate KonnectCertificateOptions
|
KonnectCA is the certificate authority that the operator uses to provision client certificates the DataPlane will use to authenticate itself to the Konnect API. Requires Enterprise. |
Appears in:
DataPlaneOptions
DataPlaneOptions defines the information specifically needed to deploy the DataPlane.
| Field | Description |
|---|---|
deployment DataPlaneDeploymentOptions
|
|
network DataPlaneNetworkOptions
|
|
resources DataPlaneResources
|
|
extensions ExtensionRef
|
Extensions provide additional or replacement features for the DataPlane resources to influence or enhance functionality. NOTE: since we have one extension only (KonnectExtension), we limit the amount of extensions to 1. |
pluginsToInstall NamespacedName
|
PluginsToInstall is a list of KongPluginInstallation resources that will be installed and available in the DataPlane. |
Appears in:
DataPlaneResources
DataPlaneResources defines the resources that will be created and managed for the DataPlane.
| Field | Description |
|---|---|
podDisruptionBudget PodDisruptionBudget
|
PodDisruptionBudget is the configuration for the PodDisruptionBudget that will be created for the DataPlane. |
Appears in:
DataPlaneRolloutStatus
DataPlaneRolloutStatus describes the DataPlane rollout status.
| Field | Description |
|---|---|
services DataPlaneRolloutStatusServices
|
Services contains information about the services through which users can access the preview deployment. |
deployment DataPlaneRolloutStatusDeployment
|
Deployment contains the information about the preview deployment. |
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions contains the status conditions about the rollout. |
Appears in:
DataPlaneRolloutStatusDeployment
DataPlaneRolloutStatusDeployment is a rollout status field which contains fields specific for Deployments during the rollout.
| Field | Description |
|---|---|
selector string
|
Selector is a stable label selector value assigned to a DataPlane rollout status which is used throughout the rollout as a deterministic labels selector for Services and Deployments. |
Appears in:
DataPlaneRolloutStatusServices
DataPlaneRolloutStatusServices describes the status of the services during DataPlane rollout.
| Field | Description |
|---|---|
ingress RolloutStatusService
|
Ingress contains the name and the address of the preview service for ingress. Using this service users can send requests that will hit the preview deployment. |
adminAPI RolloutStatusService
|
AdminAPI contains the name and the address of the preview service for Admin API. Using this service users can send requests to configure the DataPlane’s preview deployment. |
Appears in:
DataPlaneServiceOptions
DataPlaneServiceOptions contains Services related DataPlane configuration.
| Field | Description |
|---|---|
type ServiceType
|
Type determines how the Service is exposed. Defaults to LoadBalancer. ClusterIP allocates a cluster-internal IP address for load-balancing to endpoints. NodePort exposes the Service on each Node’s IP at a static port (the NodePort). To make the node port available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of type: ClusterIP. LoadBalancer builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
name *string
|
Name defines the name of the service. If Name is empty, the controller will generate a service name from the owning object. |
annotations map[string]string
|
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations |
labels LabelValue
|
Labels are an unstructured key value map that may be used to organize and categorize resources and that are propagated to the DataPlane’s ingress Service by the operator. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
externalTrafficPolicy ServiceExternalTrafficPolicy
|
ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to “Local”, the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, “Cluster”, uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get “Cluster” semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node. More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
ports DataPlaneServicePort
|
Ports defines the list of ports that are exposed by the service. The ports field allows defining the name, port and targetPort of the underlying service ports, while the protocol is defaulted to TCP, as it is the only protocol currently supported. |
Appears in:
DataPlaneServicePort
DataPlaneServicePort contains information on service’s port.
| Field | Description |
|---|---|
name string
|
The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the ‘name’ field in the EndpointPort. Optional if only one ServicePort is defined on this service. |
port int32
|
The port that will be exposed by this service. |
targetPort k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod’s container ports. If this is not specified, the value of the ‘port’ field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the ‘port’ field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service |
nodePort int32
|
The port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport Can only be specified if type is NodePort or LoadBalancer. |
Appears in:
DataPlaneServices
DataPlaneServices contains Services related DataPlane configuration, shared with the GatewayConfiguration.
| Field | Description |
|---|---|
ingress DataPlaneServiceOptions
|
Ingress is the Kubernetes Service that will be used to expose ingress traffic for the DataPlane. Here you can determine whether the DataPlane will be exposed outside the cluster (e.g. using a LoadBalancer type Services) or only internally (e.g. ClusterIP), and inject any additional annotations you need on the service (for instance, if you need to influence a cloud provider LoadBalancer configuration). |
Appears in:
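The ingress Service options described above, as an added example that is not part of the Kong reference: two DataPlane manifests that differ only in how the proxy is exposed. Resource names, the namespace, the label and the port numbers are constructed for illustration, and `spec.deployment` is left out to keep the focus on `spec.network`.

```yaml
# Added example; names, namespace, label and port numbers are constructed.
# spec.deployment is omitted here (see DataPlaneDeploymentOptions).
---
# Internal-only exposure: the ingress Service gets a cluster-internal IP,
# so no external load balancer and no node port is created for it.
apiVersion: gateway-operator.konghq.com/v1beta1
kind: DataPlane
metadata:
  name: dataplane-internal          # hypothetical name
  namespace: kong                   # hypothetical namespace
spec:
  network:
    services:
      ingress:
        type: ClusterIP             # overrides the LoadBalancer default
        ports:
        - name: http
          port: 80
          targetPort: 8000          # assumed proxy listen port on the pods
---
# External exposure that keeps the client source IP visible to the proxy:
# with externalTrafficPolicy "Local" each node delivers traffic only to
# node-local endpoints and does not masquerade the source address.
apiVersion: gateway-operator.konghq.com/v1beta1
kind: DataPlane
metadata:
  name: dataplane-public            # hypothetical name
  namespace: kong                   # hypothetical namespace
spec:
  network:
    services:
      ingress:
        type: LoadBalancer          # the default, stated explicitly
        externalTrafficPolicy: Local
        labels:
          exposure: internet-facing # hypothetical label, propagated to the Service
        ports:
        - name: http
          port: 80
          targetPort: 8000          # assumed proxy listen port on the pods
```

Because `type` defaults to LoadBalancer, a DataPlane that leaves `spec.network.services.ingress` unset is exposed through an external load balancer where the cloud supports one; setting `type: ClusterIP` is the explicit opt-out.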
DataPlaneSpec
DataPlaneSpec defines the desired state of DataPlane.
| Field | Description |
|---|---|
deployment DataPlaneDeploymentOptions
|
|
network DataPlaneNetworkOptions
|
|
resources DataPlaneResources
|
|
extensions ExtensionRef
|
Extensions provide additional or replacement features for the DataPlane resources to influence or enhance functionality. NOTE: since we have one extension only (KonnectExtension), we limit the amount of extensions to 1. |
pluginsToInstall NamespacedName
|
PluginsToInstall is a list of KongPluginInstallation resources that will be installed and available in the DataPlane. |
Appears in:
DataPlaneStatus
DataPlaneStatus defines the observed state of DataPlane.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the DataPlane. |
service string
|
Service indicates the Service that exposes the DataPlane’s configured routes |
addresses Address
|
Addresses lists the addresses that have actually been bound to the DataPlane. |
selector string
|
Selector contains a unique DataPlane identifier used as a deterministic label selector that is used throughout its dependent resources. This is used e.g. as a label selector for DataPlane’s Services, Deployments and PodDisruptionBudgets. |
readyReplicas int32
|
ReadyReplicas indicates how many replicas have reported to be ready. |
replicas int32
|
Replicas indicates how many replicas have been set for the DataPlane. |
rollout DataPlaneRolloutStatus
|
RolloutStatus contains information about the rollout. It is set only if a rollout strategy was configured in the spec. |
Appears in:
DeploymentOptions
DeploymentOptions is a shared type used on objects to indicate that their configuration results in a Deployment which is managed by the Operator and includes options for managing Deployments such as the number of replicas or pod options like container image and resource requirements, version, as well as Env variable overrides.
| Field | Description |
|---|---|
replicas *int32
|
Replicas describes the number of desired pods. This is a pointer to distinguish between explicit zero and not specified. This is effectively shorthand for setting a scaling minimum and maximum to the same value. This field and the scaling field are mutually exclusive: You can only configure one or the other. |
scaling Scaling
|
Scaling defines the scaling options for the deployment. |
podTemplateSpec PodTemplateSpec
|
PodTemplateSpec defines PodTemplateSpec for Deployment’s pods. It’s being applied on top of the generated Deployments using StrategicMergePatch. |
Appears in:
GatewayConfigDataPlaneNetworkOptions
GatewayConfigDataPlaneNetworkOptions defines network related options for a DataPlane.
| Field | Description |
|---|---|
services GatewayConfigDataPlaneServices
|
Services indicates the configuration of Kubernetes Services needed for the topology of various forms of traffic (including ingress, etc.) to and from the DataPlane. |
Appears in:
GatewayConfigDataPlaneOptions
GatewayConfigDataPlaneOptions indicates the specific information needed to configure and deploy a DataPlane object.
| Field | Description |
|---|---|
deployment DataPlaneDeploymentOptions
|
|
network GatewayConfigDataPlaneNetworkOptions
|
|
resources GatewayConfigDataPlaneResources
|
|
extensions ExtensionRef
|
Extensions provide additional or replacement features for the DataPlane resources to influence or enhance functionality. NOTE: since we have one extension only (KonnectExtension), we limit the amount of extensions to 1. |
pluginsToInstall NamespacedName
|
PluginsToInstall is a list of KongPluginInstallation resources that will be installed and available in the Gateways (DataPlanes) that use this GatewayConfig. |
Appears in:
GatewayConfigDataPlaneResources
GatewayConfigDataPlaneResources defines the resources that will be created and managed for Gateway’s DataPlane.
| Field | Description |
|---|---|
podDisruptionBudget PodDisruptionBudget
|
PodDisruptionBudget is the configuration for the PodDisruptionBudget that will be created for the DataPlane. |
Appears in:
GatewayConfigDataPlaneServices
GatewayConfigDataPlaneServices contains Services related DataPlane configuration.
| Field | Description |
|---|---|
ingress GatewayConfigServiceOptions
|
Ingress is the Kubernetes Service that will be used to expose ingress traffic for the DataPlane. Here you can determine whether the DataPlane will be exposed outside the cluster (e.g. using a LoadBalancer type Services) or only internally (e.g. ClusterIP), and inject any additional annotations you need on the service (for instance, if you need to influence a cloud provider LoadBalancer configuration). |
Appears in:
GatewayConfigServiceOptions
GatewayConfigServiceOptions is used to include options to customize the ingress service, such as the annotations.
| Field | Description |
|---|---|
type ServiceType
|
Type determines how the Service is exposed. Defaults to LoadBalancer. ClusterIP allocates a cluster-internal IP address for load-balancing to endpoints. NodePort exposes the Service on each Node’s IP at a static port (the NodePort). To make the node port available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of type: ClusterIP. LoadBalancer builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
name *string
|
Name defines the name of the service. If Name is empty, the controller will generate a service name from the owning object. |
annotations map[string]string
|
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations |
labels LabelValue
|
Labels are an unstructured key value map that may be used to organize and categorize resources and that are propagated to the DataPlane’s ingress Service by the operator. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
externalTrafficPolicy ServiceExternalTrafficPolicy
|
ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to “Local”, the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, “Cluster”, uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get “Cluster” semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node. More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
Appears in:
GatewayConfigurationListenerOptions
GatewayConfigurationListenerOptions specifies configuration overrides of defaults on a certain listener of the Gateway. The name must match the name of a listener in the Gateway, and the options are applied to the configuration of the matching listener. For example, if the option for listener “http” sets the nodeport number to 30080, the ingress service will expose nodeport 30080 for the “http” listener of the Gateway. Listeners without an item in the listener options of the GatewayConfiguration use the default configuration.
| Field | Description |
|---|---|
name sigs.k8s.io/gateway-api/apis/v1.SectionName
|
Name is the name of the Listener. |
nodePort int32
|
The port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport Can only be specified if type of the dataplane ingress service (specified in spec.dataplaneOptions.network.services.ingress.type) is NodePort or LoadBalancer. |
Appears in:
GatewayConfigurationSpec
GatewayConfigurationSpec defines the desired state of GatewayConfiguration
| Field | Description |
|---|---|
dataPlaneOptions GatewayConfigDataPlaneOptions
|
DataPlaneOptions is the specification for configuration overrides for DataPlane resources that will be created for the Gateway. |
controlPlaneOptions ControlPlaneOptions
|
ControlPlaneOptions is the specification for configuration overrides for ControlPlane resources that will be created for the Gateway. |
listenersOptions GatewayConfigurationListenerOptions
|
ListenerOptions is the specification for configuration bound to specific listeners in the Gateway. It will override the default configuration of control plane or data plane for the specified listener. |
extensions ExtensionRef
|
Extensions provide additional or replacement features for the Gateway resource to influence or enhance functionality. NOTE: currently, there’s only 1 extension that can be attached at the Gateway level (KonnectExtension), so the amount of extensions is limited to 1. |
Appears in:
GatewayConfigurationStatus
GatewayConfigurationStatus defines the observed state of GatewayConfiguration.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the GatewayConfigurationStatus. |
Appears in:
HorizontalScaling
HorizontalScaling defines horizontal scaling options for the deployment. It holds all the options from the HorizontalPodAutoscalerSpec besides the ScaleTargetRef which is being controlled by the Operator.
| Field | Description |
|---|---|
minReplicas *int32
|
minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured. Scaling is active as long as at least one metric value is available. |
maxReplicas int32
|
maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less than minReplicas. |
metrics MetricSpec array
|
metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization. |
behavior HorizontalPodAutoscalerBehavior
|
behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used. |
Appears in:
KonnectCertificateOptions
KonnectCertificateOptions indicates how the operator should manage the certificates that managed entities will use to interact with Konnect.
| Field | Description |
|---|---|
issuer NamespacedName
|
Issuer is the cert-manager Issuer or ClusterIssuer the operator will use to request certificates. When Namespace is set, the operator will retrieve the Issuer with that Name in that Namespace. When Namespace is omitted, the operator will retrieve the ClusterIssuer with that name. |
Appears in:
LabelName
Underlying type: string
LabelName is a label key with constraints matching Kubernetes label key requirements.
Appears in:
LabelValue
Underlying type: string
LabelValue is a label value with constraints matching Kubernetes label value requirements.
Appears in:
NamespacedName
NamespacedName is a resource identified by name and optional namespace.
| Field | Description |
|---|---|
namespace string
|
|
name string
|
Appears in:
PodDisruptionBudget
PodDisruptionBudget defines the configuration for the PodDisruptionBudget.
| Field | Description |
|---|---|
spec PodDisruptionBudgetSpec
|
Spec defines the specification of the PodDisruptionBudget. Selector is managed by the controller and cannot be set by the user. |
Appears in:
PodDisruptionBudgetSpec
PodDisruptionBudgetSpec defines the specification of a PodDisruptionBudget.
| Field | Description |
|---|---|
minAvailable *k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
An eviction is allowed if at least “minAvailable” pods selected by “selector” will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying “100%”. |
maxUnavailable *k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
An eviction is allowed if at most “maxUnavailable” pods selected by “selector” are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with “minAvailable”. |
unhealthyPodEvictionPolicy UnhealthyPodEvictionPolicyType
|
UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=”Ready”,status=”True”. Valid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy. IfHealthyBudget policy means that running pods (status.phase=”Running”), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction. AlwaysAllow policy means that all running pods (status.phase=”Running”), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means prospective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction. Additional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field. This field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). |
Appears in:
Promotion
Promotion is a type that contains fields that define how the operator handles promotion of resources during a blue/green rollout.
| Field | Description |
|---|---|
strategy PromotionStrategy
|
Strategy indicates how you want the operator to handle the promotion of the preview (green) resources (Deployments and Services) after all workflows and tests succeed, OR if you even want it to break before performing the promotion to allow manual inspection. |
Appears in:
PromotionStrategy
Underlying type: string
PromotionStrategy is the type of promotion strategy consts.
Allowed values:
- BreakBeforePromotion is a promotion strategy which will ensure all new
resources are ready and then break, to enable manual inspection.
The user must indicate manually when they want the promotion to continue.
That can be done by annotating the DataPlane object with
"gateway-operator.konghq.com/promote-when-ready": "true".
Appears in:
Allowed values:
| Value | Description |
|---|---|
AutomaticPromotion |
AutomaticPromotion indicates that once all workflows and tests have completed successfully, the new resources should be promoted and replace the previous resources. |
BreakBeforePromotion |
BreakBeforePromotion is the same as AutomaticPromotion but with an added breakpoint to enable manual inspection. The user must indicate manually when they want the promotion to continue. That can be done by annotating the DataPlane object with "gateway-operator.konghq.com/promote-when-ready": "true". |
Rollout
Rollout defines options for rollouts.
| Field | Description |
|---|---|
strategy RolloutStrategy
|
Strategy contains the deployment strategy for rollout. |
Appears in:
RolloutResourcePlan
RolloutResourcePlan is a type that holds rollout resource plan related fields which control how the operator handles resources during and after a rollout.
| Field | Description |
|---|---|
deployment RolloutResourcePlanDeployment
|
Deployment describes how the operator manages Deployments during and after a rollout. |
Appears in:
RolloutResourcePlanDeployment
Underlying type: string
RolloutResourcePlanDeployment is the type that holds the resource plan for
managing the Deployment objects during and after a rollout.
Allowed values:
- ScaleDownOnPromotionScaleUpOnRollout is a rollout
resource plan for Deployment which makes the operator scale down
the Deployment to 0 when the rollout is not initiated by a spec change
and then to scale it up when the rollout is initiated (the owner resource
like a DataPlane is patched or updated).
Appears in:
Allowed values:
| Value | Description |
|---|---|
ScaleDownOnPromotionScaleUpOnRollout |
RolloutResourcePlanDeploymentScaleDownOnPromotionScaleUpOnRollout is a rollout resource plan for Deployment which makes the operator scale down the Deployment to 0 when the rollout is not initiated by a spec change and then to scale it up when the rollout is initiated (the owner resource like a DataPlane is patched or updated). |
DeleteOnPromotionRecreateOnRollout |
RolloutResourcePlanDeploymentDeleteOnPromotionRecreateOnRollout is a rollout resource plan for Deployment which makes the operator delete the Deployment when the rollout is not initiated by a spec change and then re-create it when the rollout is initiated (the owner resource like a DataPlane is patched or updated). |
RolloutResources
RolloutResources is the type which contains the fields which control how the operator manages the resources it manages during or after the rollout concludes.
| Field | Description |
|---|---|
plan RolloutResourcePlan
|
Plan defines the resource plan for managing resources during and after a rollout. |
Appears in:
RolloutStatusService
RolloutStatusService is a struct which contains status information about services that are exposed as part of the rollout.
| Field | Description |
|---|---|
name string
|
Name indicates the name of the service. |
addresses Address
|
Addresses contains the addresses of a Service. |
Appears in:
RolloutStrategy
RolloutStrategy holds the rollout strategy options.
| Field | Description |
|---|---|
blueGreen BlueGreenStrategy
|
BlueGreen holds the options specific for Blue Green Deployments. |
Appears in:
Scaling
Scaling defines the scaling options for the deployment.
| Field | Description |
|---|---|
horizontal HorizontalScaling
|
HorizontalScaling defines horizontal scaling options for the deployment. |
Appears in:
ServiceOptions
ServiceOptions is used to include options to customize the ingress service, such as the annotations.
| Field | Description |
|---|---|
type ServiceType
|
Type determines how the Service is exposed. Defaults to LoadBalancer. ClusterIP allocates a cluster-internal IP address for load-balancing to endpoints. NodePort exposes the Service on each Node’s IP at a static port (the NodePort). To make the node port available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of type: ClusterIP. LoadBalancer builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
name *string
|
Name defines the name of the service. If Name is empty, the controller will generate a service name from the owning object. |
annotations map[string]string
|
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations |
labels LabelValue
|
Labels are an unstructured key value map that may be used to organize and categorize resources and that are propagated to the DataPlane’s ingress Service by the operator. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
externalTrafficPolicy ServiceExternalTrafficPolicy
|
ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to “Local”, the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, “Cluster”, uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get “Cluster” semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node. More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
Appears in:
WatchNamespaces
WatchNamespaces defines the namespaces to watch for resources
| Field | Description |
|---|---|
type WatchNamespacesType
|
Type indicates the type of namespace watching to be done. By default, all namespaces are watched. |
list []string
|
List is a list of namespaces to watch for resources. Only used when Type is set to List. |
Appears in:
WatchNamespacesType
Underlying type: string
WatchNamespacesType indicates the type of namespace watching to be done.
Appears in:
Allowed values:
| Value | Description |
|---|---|
all |
WatchNamespacesTypeAll indicates that all namespaces should be watched for resources. |
list |
WatchNamespacesTypeList indicates that only the namespaces listed in the Namespaces field should be watched for resources. All the namespaces enumerated in the list will be watched in addition to the namespace of the object. |
own |
WatchNamespacesTypeOwn indicates that only the namespace of the object should be watched for resources. |
gateway-operator.konghq.com/v2beta1
Package v2beta1 contains API Schema definitions for the gateway-operator.konghq.com v2beta1 API group.
ControlPlane
ControlPlane is the Schema for the controlplanes API
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v2beta1 |
kind string
|
ControlPlane |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec ControlPlaneSpec
|
Spec is the specification of the ControlPlane resource. |
status ControlPlaneStatus
|
Status is the status of the ControlPlane resource. |
GatewayConfiguration
GatewayConfiguration is the Schema for the gatewayconfigurations API.
| Field | Description |
|---|---|
apiVersion string
|
gateway-operator.konghq.com/v2beta1 |
kind string
|
GatewayConfiguration |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec GatewayConfigurationSpec
|
Spec defines the desired state of GatewayConfiguration. |
status GatewayConfigurationStatus
|
Status defines the observed state of GatewayConfiguration. |
Types
In this section you will find types that the CRDs rely on.
BlueGreenStrategy
BlueGreenStrategy defines the Blue Green deployment strategy.
| Field | Description |
|---|---|
promotion Promotion
|
Promotion defines how the operator handles promotion of resources. |
resources RolloutResources
|
Resources controls what happens to operator managed resources during or after a rollout. |
Appears in:
ConfigDumpState
Underlying type: string
ConfigDumpState defines the state of configuration dump.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ConfigDumpStateEnabled indicates that configuration dump is enabled. |
disabled |
ConfigDumpStateDisabled indicates that the configuration dump is disabled. |
ControlPlaneCombinedServicesFromDifferentHTTPRoutesState
Underlying type: string
ControlPlaneCombinedServicesFromDifferentHTTPRoutesState defines the state of the feature that allows the ControlPlane to combine services from different HTTPRoutes.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ControlPlaneCombinedServicesFromDifferentHTTPRoutesStateEnabled indicates that the feature is enabled. |
disabled |
ControlPlaneCombinedServicesFromDifferentHTTPRoutesStateDisabled indicates that the feature is disabled. |
ControlPlaneConfigDump
ControlPlaneConfigDump defines the options for dumping translated Kong configuration from a diagnostics server.
| Field | Description |
|---|---|
state ConfigDumpState
|
When State is enabled, the operator dumps the Kong configuration it translated from a diagnostics server. |
dumpSensitive ConfigDumpState
|
When DumpSensitive is enabled, the configuration will be dumped unchanged, including sensitive parts like private keys and credentials. When DumpSensitive is disabled, the sensitive configuration parts like private keys and credentials are redacted. |
Appears in:
ControlPlaneController
ControlPlaneController defines a controller state for the ControlPlane. It overrides the default behavior as defined in the deployed operator version.
| Field | Description |
|---|---|
name string
|
Name is the name of the controller. |
state ControllerState
|
State indicates whether the controller is enabled or disabled. |
Appears in:
ControlPlaneDataPlaneStatus
ControlPlaneDataPlaneStatus defines the status of the DataPlane that the ControlPlane is responsible for configuring.
| Field | Description |
|---|---|
name string
|
Name is the name of the DataPlane. |
Appears in:
ControlPlaneDataPlaneSync
ControlPlaneDataPlaneSync defines the configuration for syncing Kong configuration to the DataPlane.
| Field | Description |
|---|---|
reverseSync ControlPlaneReverseSyncState
|
ReverseSync sends configuration to DataPlane (Kong Gateway) even if the configuration checksum has not changed since previous update. |
interval *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
Interval is the interval between two rounds of syncing Kong configuration with dataplanes. |
timeout *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
Timeout is the timeout of a single run of syncing Kong configuration with dataplanes. |
Appears in:
ControlPlaneDataPlaneTarget
ControlPlaneDataPlaneTarget defines the target for the DataPlane that the ControlPlane is responsible for configuring.
| Field | Description |
|---|---|
type ControlPlaneDataPlaneTargetType
|
Type indicates the type of the DataPlane target. |
ref ControlPlaneDataPlaneTargetRef
|
Ref is the name of the DataPlane to configure. |
Appears in:
ControlPlaneDataPlaneTargetRef
ControlPlaneDataPlaneTargetRef defines the reference to a DataPlane resource that the ControlPlane is responsible for configuring.
| Field | Description |
|---|---|
name string
|
Ref is the name of the DataPlane to configure. |
Appears in:
ControlPlaneDataPlaneTargetType
Underlying type: string
ControlPlaneDataPlaneTargetType defines the type of the DataPlane target that the ControlPlane is responsible for configuring.
Appears in:
Allowed values:
| Value | Description |
|---|---|
ref |
ControlPlaneDataPlaneTargetRefType indicates that the DataPlane target is a ref of a DataPlane resource managed by the operator. This is used for configuring DataPlanes that are managed by the operator. |
managedByOwner |
ControlPlaneDataPlaneTargetManagedByType indicates that the DataPlane target is managed by the owner of the ControlPlane. This is the case when using a Gateway resource to manage the DataPlane and the ControlPlane is responsible for configuring it. |
ControlPlaneDrainSupportState
Underlying type: string
ControlPlaneDrainSupportState defines the state of the feature that allows the ControlPlane to include terminating endpoints in Kong upstreams with weight=0 for graceful connection draining.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ControlPlaneDrainSupportStateEnabled indicates that the feature is enabled. |
disabled |
ControlPlaneDrainSupportStateDisabled indicates that the feature is disabled. |
ControlPlaneFallbackConfiguration
ControlPlaneFallbackConfiguration defines the fallback configuration options for the ControlPlane.
| Field | Description |
|---|---|
useLastValidConfig ControlPlaneFallbackConfigurationState
|
UseLastValidConfig indicates whether the ControlPlane should use the last valid configuration when the current configuration is invalid. |
Appears in:
ControlPlaneFallbackConfigurationState
Underlying type: string
ControlPlaneFallbackConfigurationState defines the state of the fallback configuration feature.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ControlPlaneFallbackConfigurationStateEnabled indicates that the fallback configuration is enabled. |
disabled |
ControlPlaneFallbackConfigurationStateDisabled indicates that the fallback configuration is disabled. |
ControlPlaneFeatureGate
ControlPlaneFeatureGate defines a feature gate state for the ControlPlane. It overrides the default behavior as defined in the deployed operator version.
| Field | Description |
|---|---|
name string
|
Name is the name of the feature gate. |
state FeatureGateState
|
State indicates whether the feature gate is enabled or disabled. |
Appears in:
ControlPlaneFilterForObjectType
ControlPlaneFilterForObjectType defines the filters for a certain type of object.
| Field | Description |
|---|---|
matchLabels map[string]string
|
MatchLabels defines the labels that the object must match to get reconciled by the controller for the ControlPlane. For example, if secrets.matchLabels is {"label1":"val1","label2":"val2"}, only secrets with labels label1=val1 and label2=val2 are reconciled. |
Appears in:
ControlPlaneGatewayDiscovery
ControlPlaneGatewayDiscovery defines the configuration for the Gateway Discovery feature of the ControlPlane.
| Field | Description |
|---|---|
readinessCheckInterval *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
ReadinessCheckInterval defines the interval at which the ControlPlane checks the readiness of the DataPlanes it is responsible for. If not specified, the default interval as defined by the operator will be used. |
readinessCheckTimeout *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
ReadinessCheckTimeout defines the timeout for the DataPlane readiness check. If not specified, the default interval as defined by the operator will be used. |
Appears in:
ControlPlaneK8sCache
ControlPlaneK8sCache defines the configuration related to Kubernetes object caches of the ControlPlane.
| Field | Description |
|---|---|
initSyncDuration *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
InitSyncDuration defines the initial delay to wait for Kubernetes object caches to be synced before the initial configuration. If omitted, the default value (5s) is used. |
Appears in:
ControlPlaneKonnectConsumersSyncState
Underlying type: string
ControlPlaneKonnectConsumersSyncState defines the state of consumer synchronization with Konnect.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ControlPlaneKonnectConsumersSyncStateEnabled indicates that consumer synchronization is enabled. |
disabled |
ControlPlaneKonnectConsumersSyncStateDisabled indicates that consumer synchronization is disabled. |
ControlPlaneKonnectLicenseStorageState
Underlying type: string
ControlPlaneKonnectLicenseStorageState defines the state of Konnect licensing.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ControlPlaneKonnectLicenseStorageStateEnabled indicates that Konnect license storage is enabled. |
disabled |
ControlPlaneKonnectLicenseStorageStateDisabled indicates that Konnect license storage is disabled. |
ControlPlaneKonnectLicensing
ControlPlaneKonnectLicensing defines the configuration for Konnect licensing.
| Field | Description |
|---|---|
state ControlPlaneKonnectLicensingState
|
State indicates whether Konnect licensing is enabled. |
initialPollingPeriod *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
InitialPollingPeriod is the initial polling period for license checks. |
pollingPeriod *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
PollingPeriod is the polling period for license checks. |
storageState ControlPlaneKonnectLicenseStorageState
|
StorageState indicates whether to store licenses fetched from Konnect to Secrets locally to use them later when connection to Konnect is broken. Only effective when State is set to enabled. |
Appears in:
ControlPlaneKonnectLicensingState
Underlying type: string
ControlPlaneKonnectLicensingState defines the state of Konnect licensing.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ControlPlaneKonnectLicensingStateEnabled indicates that Konnect licensing is enabled. |
disabled |
ControlPlaneKonnectLicensingStateDisabled indicates that Konnect licensing is disabled. |
ControlPlaneKonnectOptions
ControlPlaneKonnectOptions defines the Konnect-related configuration options for the ControlPlane.
| Field | Description |
|---|---|
consumersSync ControlPlaneKonnectConsumersSyncState
|
ConsumersSync indicates whether consumer synchronization with Konnect is enabled. |
licensing ControlPlaneKonnectLicensing
|
Licensing defines the configuration for Konnect licensing. |
nodeRefreshPeriod *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
NodeRefreshPeriod is the period for refreshing the node information in Konnect. |
configUploadPeriod *k8s.io/apimachinery/pkg/apis/meta/v1.Duration
|
ConfigUploadPeriod is the period for uploading configuration to Konnect. |
configUploadConcurrency *int32
|
ConfigUploadConcurrency is the concurrency of the client for uploading configuration to Konnect. In case of large configuration with many entities, too high concurrency may trigger rate limiting on Konnect API service and fail with 429 responses on requests. |
Appears in:
ControlPlaneObjectFilters
ControlPlaneObjectFilters defines filters to limit watched objects by the controllers.
| Field | Description |
|---|---|
secrets ControlPlaneFilterForObjectType
|
Secrets defines the filters for watched secrets. |
configMaps ControlPlaneFilterForObjectType
|
ConfigMaps defines the filters for watched config maps. |
Appears in:
ControlPlaneOptions
ControlPlaneOptions indicates the specific information needed to deploy and connect a ControlPlane to a DataPlane object.
| Field | Description |
|---|---|
ingressClass *string
|
IngressClass enables support for the Ingress resources and indicates which Ingress resources this ControlPlane should be responsible for. If omitted, Ingress resources will not be supported by the ControlPlane. |
watchNamespaces WatchNamespaces
|
WatchNamespaces indicates the namespaces to watch for resources. |
featureGates ControlPlaneFeatureGate
|
FeatureGates is a list of feature gates that are enabled for this ControlPlane. |
controllers ControlPlaneController
|
Controllers defines the controllers that are enabled for this ControlPlane. |
gatewayDiscovery ControlPlaneGatewayDiscovery
|
GatewayDiscovery defines the configuration for the Gateway Discovery feature. |
cache ControlPlaneK8sCache
|
Cache defines the configuration related to the kubernetes object caches. |
dataplaneSync ControlPlaneDataPlaneSync
|
DataPlaneSync defines the configuration for syncing Kong configuration to the DataPlane. |
translation ControlPlaneTranslationOptions
|
Translation defines the configuration for translating Kong configuration. |
configDump ControlPlaneConfigDump
|
ConfigDump defines the options for dumping generated Kong configuration from a diagnostics server. |
objectFilters ControlPlaneObjectFilters
|
ObjectFilters defines the filters to limit watched objects by the controllers. |
konnect ControlPlaneKonnectOptions
|
Konnect defines the Konnect-related configuration options for the ControlPlane. |
Appears in:
ControlPlaneReverseSyncState
Underlying type: string
ControlPlaneReverseSyncState defines the state of the reverse sync feature.
Appears in:
Allowed values:
| Value | Description |
|---|---|
enabled |
ControlPlaneReverseSyncStateEnabled indicates that reverse sync is enabled. |
disabled |
ControlPlaneReverseSyncStateDisabled indicates that reverse sync is disabled. |
ControlPlaneSpec
ControlPlaneSpec defines the desired state of ControlPlane
| Field | Description |
|---|---|
ingressClass *string
|
IngressClass enables support for the Ingress resources and indicates which Ingress resources this ControlPlane should be responsible for. If omitted, Ingress resources will not be supported by the ControlPlane. |
watchNamespaces WatchNamespaces
|
WatchNamespaces indicates the namespaces to watch for resources. |
featureGates ControlPlaneFeatureGate
|
FeatureGates is a list of feature gates that are enabled for this ControlPlane. |
controllers ControlPlaneController
|
Controllers defines the controllers that are enabled for this ControlPlane. |
gatewayDiscovery ControlPlaneGatewayDiscovery
|
GatewayDiscovery defines the configuration for the Gateway Discovery feature. |
cache ControlPlaneK8sCache
|
Cache defines the configuration related to the kubernetes object caches. |
dataplaneSync ControlPlaneDataPlaneSync
|
DataPlaneSync defines the configuration for syncing Kong configuration to the DataPlane. |
translation ControlPlaneTranslationOptions
|
Translation defines the configuration for translating Kong configuration. |
configDump ControlPlaneConfigDump
|
ConfigDump defines the options for dumping generated Kong configuration from a diagnostics server. |
objectFilters ControlPlaneObjectFilters
|
ObjectFilters defines the filters to limit watched objects by the controllers. |
konnect ControlPlaneKonnectOptions
|
Konnect defines the Konnect-related configuration options for the ControlPlane. |
dataplane ControlPlaneDataPlaneTarget
|
DataPlane designates the target data plane to configure. It can be either the name of a DataPlane resource that is managed by the operator, or a DataPlane that is managed by the owner of the ControlPlane (e.g. a Gateway resource). |
extensions ExtensionRef
|
Extensions provide additional or replacement features for the ControlPlane resources to influence or enhance functionality. |
Appears in:
ControlPlaneStatus
ControlPlaneStatus defines the observed state of ControlPlane.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the Gateway. |
| dataPlane ControlPlaneDataPlaneStatus | DataPlane describes the status of the DataPlane that the ControlPlane is responsible for configuring. |
| featureGates ControlPlaneFeatureGate | FeatureGates is a list of effective feature gates for this ControlPlane. |
| controllers ControlPlaneController | Controllers is a list of enabled and disabled controllers for this ControlPlane. |
Appears in:
ControlPlaneTranslationOptions
ControlPlaneTranslationOptions defines the configuration for translating cluster resources into Kong configuration.
| Field | Description |
|---|---|
| combinedServicesFromDifferentHTTPRoutes ControlPlaneCombinedServicesFromDifferentHTTPRoutesState | CombinedServicesFromDifferentHTTPRoutes indicates whether the ControlPlane should combine services from different HTTPRoutes into a single Kong DataPlane service. |
| fallbackConfiguration ControlPlaneFallbackConfiguration | FallbackConfiguration defines the fallback configuration options for the ControlPlane. |
| drainSupport ControlPlaneDrainSupportState | DrainSupport defines the configuration for the ControlPlane to include terminating endpoints in Kong upstreams with weight=0 for graceful connection draining. |
Appears in:
ControllerState
Underlying type: string
ControllerState defines the state of a controller.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| enabled | ControllerStateEnabled indicates that the controller is enabled. |
| disabled | ControllerStateDisabled indicates that the controller is disabled. |
DataPlaneDeploymentOptions
DataPlaneDeploymentOptions specifies options for the Deployments (as in the Kubernetes resource “Deployment”) which are created and managed for the DataPlane resource.
| Field | Description |
|---|---|
| replicas *int32 | Replicas describes the number of desired pods. This is a pointer to distinguish between explicit zero and not specified. This is effectively shorthand for setting a scaling minimum and maximum to the same value. This field and the scaling field are mutually exclusive: You can only configure one or the other. |
| scaling Scaling | Scaling defines the scaling options for the deployment. |
| podTemplateSpec PodTemplateSpec | PodTemplateSpec defines PodTemplateSpec for Deployment’s pods. It’s being applied on top of the generated Deployments using StrategicMergePatch. |
| rollout Rollout | Rollout describes a custom rollout strategy. |
Appears in:
DeploymentOptions
DeploymentOptions is a shared type used on objects to indicate that their configuration results in a Deployment which is managed by the Operator and includes options for managing Deployments such as the number of replicas or pod options like container image, version and resource requirements, as well as Env variable overrides.
| Field | Description |
|---|---|
| replicas *int32 | Replicas describes the number of desired pods. This is a pointer to distinguish between explicit zero and not specified. This is effectively shorthand for setting a scaling minimum and maximum to the same value. This field and the scaling field are mutually exclusive: You can only configure one or the other. |
| scaling Scaling | Scaling defines the scaling options for the deployment. |
| podTemplateSpec PodTemplateSpec | PodTemplateSpec defines PodTemplateSpec for Deployment’s pods. It’s being applied on top of the generated Deployments using StrategicMergePatch. |
Appears in:
FeatureGateState
Underlying type: string
FeatureGateState defines the state of a feature gate.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| enabled | FeatureGateStateEnabled indicates that the feature gate is enabled. |
| disabled | FeatureGateStateDisabled indicates that the feature gate is disabled. |
GatewayConfigControlPlaneOptions
GatewayConfigControlPlaneOptions contains the options for configuring ControlPlane resources that will be managed as part of the Gateway.
| Field | Description |
|---|---|
| ingressClass *string | IngressClass enables support for the Ingress resources and indicates which Ingress resources this ControlPlane should be responsible for. If omitted, Ingress resources will not be supported by the ControlPlane. |
| watchNamespaces WatchNamespaces | WatchNamespaces indicates the namespaces to watch for resources. |
| featureGates ControlPlaneFeatureGate | FeatureGates is a list of feature gates that are enabled for this ControlPlane. |
| controllers ControlPlaneController | Controllers defines the controllers that are enabled for this ControlPlane. |
| gatewayDiscovery ControlPlaneGatewayDiscovery | GatewayDiscovery defines the configuration for the Gateway Discovery feature. |
| cache ControlPlaneK8sCache | Cache defines the configuration related to the kubernetes object caches. |
| dataplaneSync ControlPlaneDataPlaneSync | DataPlaneSync defines the configuration for syncing Kong configuration to the DataPlane. |
| translation ControlPlaneTranslationOptions | Translation defines the configuration for translating Kong configuration. |
| configDump ControlPlaneConfigDump | ConfigDump defines the options for dumping generated Kong configuration from a diagnostics server. |
| objectFilters ControlPlaneObjectFilters | ObjectFilters defines the filters to limit watched objects by the controllers. |
| konnect ControlPlaneKonnectOptions | Konnect defines the Konnect-related configuration options for the ControlPlane. |
Appears in:
GatewayConfigDataPlaneNetworkOptions
GatewayConfigDataPlaneNetworkOptions defines network related options for a DataPlane.
| Field | Description |
|---|---|
| services GatewayConfigDataPlaneServices | Services indicates the configuration of Kubernetes Services needed for the topology of various forms of traffic (including ingress, etc.) to and from the DataPlane. |
Appears in:
GatewayConfigDataPlaneOptions
GatewayConfigDataPlaneOptions indicates the specific information needed to configure and deploy a DataPlane object.
| Field | Description |
|---|---|
| deployment DataPlaneDeploymentOptions | |
| network GatewayConfigDataPlaneNetworkOptions | |
| resources GatewayConfigDataPlaneResources | |
| pluginsToInstall NamespacedName | PluginsToInstall is a list of KongPluginInstallation resources that will be installed and available in the Gateways (DataPlanes) that use this GatewayConfig. |
Appears in:
GatewayConfigDataPlaneResources
GatewayConfigDataPlaneResources defines the resources that will be created and managed for Gateway’s DataPlane.
| Field | Description |
|---|---|
| podDisruptionBudget PodDisruptionBudget | PodDisruptionBudget is the configuration for the PodDisruptionBudget that will be created for the DataPlane. |
Appears in:
GatewayConfigDataPlaneServices
GatewayConfigDataPlaneServices contains Services related DataPlane configuration.
| Field | Description |
|---|---|
| ingress GatewayConfigServiceOptions | Ingress is the Kubernetes Service that will be used to expose ingress traffic for the DataPlane. Here you can determine whether the DataPlane will be exposed outside the cluster (e.g. using a LoadBalancer type Services) or only internally (e.g. ClusterIP), and inject any additional annotations you need on the service (for instance, if you need to influence a cloud provider LoadBalancer configuration). |
Appears in:
GatewayConfigServiceOptions
GatewayConfigServiceOptions is used to include options to customize the ingress service, such as the annotations.
| Field | Description |
|---|---|
| type ServiceType | Type determines how the Service is exposed. Defaults to LoadBalancer. ClusterIP allocates a cluster-internal IP address for load-balancing to endpoints. NodePort exposes the Service on each Node’s IP at a static port (the NodePort). To make the node port available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of type: ClusterIP. LoadBalancer builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| name *string | Name defines the name of the service. If Name is empty, the controller will generate a service name from the owning object. |
| annotations map[string]string | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations |
| labels LabelValue | Labels are an unstructured key value map that may be used to organize and categorize resources and that are propagated to the DataPlane’s ingress Service by the operator. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| externalTrafficPolicy ServiceExternalTrafficPolicy | ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to “Local”, the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, “Cluster”, uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get “Cluster” semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node. More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
Appears in:
GatewayConfigurationListenerOptions
GatewayConfigurationListenerOptions specifies configuration overrides of defaults on a certain listener of the Gateway. The name must match the name of a listener in the Gateway and the options are applied to the configuration of the matching listener. For example, if the option for listener “http” sets the nodeport number to 30080, the ingress service will expose the nodeport 30080 for the “http” listener of the Gateway. For listeners without an item in the listener options of GatewayConfiguration, the default configuration is used.
| Field | Description |
|---|---|
| name sigs.k8s.io/gateway-api/apis/v1.SectionName | Name is the name of the Listener. |
| nodePort int32 | The port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport Can only be specified if type of the dataplane ingress service (specified in spec.dataplaneOptions.network.services.ingress.type) is NodePort or LoadBalancer. |
Appears in:
GatewayConfigurationSpec
GatewayConfigurationSpec defines the desired state of GatewayConfiguration. Only one of ‘konnect’ or ‘extensions’ can be specified.
| Field | Description |
|---|---|
| dataPlaneOptions GatewayConfigDataPlaneOptions | DataPlaneOptions is the specification for configuration overrides for DataPlane resources that will be created for the Gateway. |
| controlPlaneOptions GatewayConfigControlPlaneOptions | ControlPlaneOptions is the specification for configuration overrides for ControlPlane resources that will be managed as part of the Gateway. |
| listenersOptions GatewayConfigurationListenerOptions | ListenerOptions is the specification for configuration bound to specific listeners in the Gateway. It will override the default configuration of control plane or data plane for the specified listener. |
| extensions ExtensionRef | Extensions provide additional or replacement features for the Gateway resource to influence or enhance functionality. NOTE: currently, there are only 2 extensions that can be attached at the Gateway level (KonnectExtension, DataPlaneMetricsExtension), so the amount of extensions is limited to 2. |
| konnect KonnectOptions | Konnect holds the configuration for a Konnect-managed control plane. If this field is set, the operator will provision a Gateway that is connected to a Konnect Control Plane. |
Appears in:
GatewayConfigurationStatus
GatewayConfigurationStatus defines the observed state of GatewayConfiguration.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the GatewayConfigurationStatus. |
Appears in:
HorizontalScaling
HorizontalScaling defines horizontal scaling options for the deployment. It holds all the options from the HorizontalPodAutoscalerSpec besides the ScaleTargetRef which is being controlled by the Operator.
| Field | Description |
|---|---|
| minReplicas *int32 | minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured. Scaling is active as long as at least one metric value is available. |
| maxReplicas int32 | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less than minReplicas. |
| metrics MetricSpec array | metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated by multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization. |
| behavior HorizontalPodAutoscalerBehavior | behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used. |
Appears in:
KonnectOptions
KonnectOptions contains the options for configuring a Konnect-managed ControlPlane.
| Field | Description |
|---|---|
| authRef ControlPlaneKonnectAPIAuthConfigurationRef | APIAuthConfigurationRef contains the Konnect API authentication configuration. If this field is not set, the operator will not be able to connect the Gateway to Konnect. |
| source EntitySource | Source represents the source type of the Konnect entity. |
| mirror MirrorSpec | Mirror is the Konnect Mirror configuration. It is only applicable for ControlPlanes that are created as Mirrors. |
Appears in:
LabelName
Underlying type: string
LabelName is a label key with constraints matching Kubernetes label key requirements.
Appears in:
LabelValue
Underlying type: string
LabelValue is a label value with constraints matching Kubernetes label value requirements.
Appears in:
NamespacedName
NamespacedName is a resource identified by name and optional namespace.
| Field | Description |
|---|---|
| name string | Name is the name of the resource. |
| namespace string | Namespace is the namespace of the resource. |
Appears in:
PodDisruptionBudget
PodDisruptionBudget defines the configuration for the PodDisruptionBudget.
| Field | Description |
|---|---|
| spec PodDisruptionBudgetSpec | Spec defines the specification of the PodDisruptionBudget. Selector is managed by the controller and cannot be set by the user. |
Appears in:
PodDisruptionBudgetSpec
PodDisruptionBudgetSpec defines the specification of a PodDisruptionBudget.
| Field | Description |
|---|---|
| minAvailable *k8s.io/apimachinery/pkg/util/intstr.IntOrString | An eviction is allowed if at least “minAvailable” pods selected by “selector” will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying “100%”. |
| maxUnavailable *k8s.io/apimachinery/pkg/util/intstr.IntOrString | An eviction is allowed if at most “maxUnavailable” pods selected by “selector” are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with “minAvailable”. |
| unhealthyPodEvictionPolicy UnhealthyPodEvictionPolicyType | UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type="Ready",status="True". Valid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy. IfHealthyBudget policy means that running pods (status.phase="Running"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction. AlwaysAllow policy means that all running pods (status.phase="Running"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means prospective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction. Additional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field. This field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). |
Appears in:
Promotion
Promotion is a type that contains fields that define how the operator handles promotion of resources during a blue/green rollout.
| Field | Description |
|---|---|
| strategy PromotionStrategy | Strategy indicates how you want the operator to handle the promotion of the preview (green) resources (Deployments and Services) after all workflows and tests succeed, OR if you even want it to break before performing the promotion to allow manual inspection. |
Appears in:
PromotionStrategy
Underlying type: string
PromotionStrategy is the type of promotion strategy consts.
Allowed values:
- BreakBeforePromotion is a promotion strategy which will ensure all new
resources are ready and then break, to enable manual inspection.
The user must indicate manually when they want the promotion to continue.
That can be done by annotating the DataPlane object with
"gateway-operator.konghq.com/promote-when-ready": "true".
Appears in:
Allowed values:
| Value | Description |
|---|---|
| AutomaticPromotion | AutomaticPromotion indicates that once all workflows and tests have completed successfully, the new resources should be promoted and replace the previous resources. |
| BreakBeforePromotion | BreakBeforePromotion is the same as AutomaticPromotion but with an added breakpoint to enable manual inspection. The user must indicate manually when they want the promotion to continue. That can be done by annotating the DataPlane object with "gateway-operator.konghq.com/promote-when-ready": "true". |
Rollout
Rollout defines options for rollouts.
| Field | Description |
|---|---|
| strategy RolloutStrategy | Strategy contains the deployment strategy for rollout. |
Appears in:
RolloutResourcePlan
RolloutResourcePlan is a type that holds rollout resource plan related fields which control how the operator handles resources during and after a rollout.
| Field | Description |
|---|---|
| deployment RolloutResourcePlanDeployment | Deployment describes how the operator manages Deployments during and after a rollout. |
Appears in:
RolloutResourcePlanDeployment
Underlying type: string
RolloutResourcePlanDeployment is the type that holds the resource plan for
managing the Deployment objects during and after a rollout.
Allowed values:
- ScaleDownOnPromotionScaleUpOnRollout is a rollout
resource plan for Deployment which makes the operator scale down
the Deployment to 0 when the rollout is not initiated by a spec change
and then to scale it up when the rollout is initiated (the owner resource
like a DataPlane is patched or updated).
Appears in:
Allowed values:
| Value | Description |
|---|---|
| ScaleDownOnPromotionScaleUpOnRollout | RolloutResourcePlanDeploymentScaleDownOnPromotionScaleUpOnRollout is a rollout resource plan for Deployment which makes the operator scale down the Deployment to 0 when the rollout is not initiated by a spec change and then to scale it up when the rollout is initiated (the owner resource like a DataPlane is patched or updated). |
| DeleteOnPromotionRecreateOnRollout | RolloutResourcePlanDeploymentDeleteOnPromotionRecreateOnRollout is a rollout resource plan for Deployment which makes the operator delete the Deployment when the rollout is not initiated by a spec change and then to re-create it when the rollout is initiated (the owner resource like a DataPlane is patched or updated). |
RolloutResources
RolloutResources is the type which contains the fields which control how the operator manages the resources it manages during or after the rollout concludes.
| Field | Description |
|---|---|
| plan RolloutResourcePlan | Plan defines the resource plan for managing resources during and after a rollout. |
Appears in:
RolloutStrategy
RolloutStrategy holds the rollout strategy options.
| Field | Description |
|---|---|
| blueGreen BlueGreenStrategy | BlueGreen holds the options specific for Blue Green Deployments. |
Appears in:
Scaling
Scaling defines the scaling options for the deployment.
| Field | Description |
|---|---|
| horizontal HorizontalScaling | HorizontalScaling defines horizontal scaling options for the deployment. |
Appears in:
ServiceOptions
ServiceOptions is used to include options to customize the ingress service, such as the annotations.
| Field | Description |
|---|---|
| type ServiceType | Type determines how the Service is exposed. Defaults to LoadBalancer. ClusterIP allocates a cluster-internal IP address for load-balancing to endpoints. NodePort exposes the Service on each Node’s IP at a static port (the NodePort). To make the node port available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of type: ClusterIP. LoadBalancer builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| name *string | Name defines the name of the service. If Name is empty, the controller will generate a service name from the owning object. |
| annotations map[string]string | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations |
| labels LabelValue | Labels are an unstructured key value map that may be used to organize and categorize resources and that are propagated to the DataPlane’s ingress Service by the operator. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| externalTrafficPolicy ServiceExternalTrafficPolicy | ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to “Local”, the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, “Cluster”, uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get “Cluster” semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node. More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
Appears in:
WatchNamespaces
WatchNamespaces defines the namespaces to watch for resources
| Field | Description |
|---|---|
| type WatchNamespacesType | Type indicates the type of namespace watching to be done. By default, all namespaces are watched. |
| list []string | List is a list of namespaces to watch for resources. Only used when Type is set to List. |
Appears in:
WatchNamespacesType
Underlying type: string
WatchNamespacesType indicates the type of namespace watching to be done.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| all | WatchNamespacesTypeAll indicates that all namespaces should be watched for resources. |
| list | WatchNamespacesTypeList indicates that only the namespaces listed in the Namespaces field should be watched for resources. All the namespaces enumerated in the list will be watched in addition to the namespace of the object. |
| own | WatchNamespacesTypeOwn indicates that only the namespace of the object should be watched for resources. |
incubator.ingress-controller.konghq.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the incubator.ingress-controller.konghq.com v1alpha1 API group.
KongServiceFacade
KongServiceFacade allows creating separate Kong Services for a single Kubernetes
Service. It can be used as Kubernetes Ingress’ backend (via its path’s backend.resource
field). It’s designed to enable creating two “virtual” Services in Kong that will point
to the same Kubernetes Service, but will have different configuration (e.g. different
set of plugins, different load balancing algorithm, etc.).
KongServiceFacade requires kubernetes.io/ingress.class annotation with a value
matching the ingressClass of the Kong Ingress Controller (kong by default) to be reconciled.
| Field | Description |
|---|---|
| apiVersion string | incubator.ingress-controller.konghq.com/v1alpha1 |
| kind string | KongServiceFacade |
| metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec KongServiceFacadeSpec | |
| status KongServiceFacadeStatus | |
Types
In this section you will find types that the CRDs rely on.
KongServiceFacadeBackend
KongServiceFacadeBackend is a reference to a Kubernetes Service that is used as a backend for a Kong Service Facade.
| Field | Description |
|---|---|
| name string | Name is the name of the referenced Kubernetes Service. |
| port int32 | Port is the port of the referenced Kubernetes Service. |
Appears in:
KongServiceFacadeSpec
KongServiceFacadeSpec defines the desired state of KongServiceFacade.
| Field | Description |
|---|---|
| backendRef KongServiceFacadeBackend | Backend is a reference to a Kubernetes Service that is used as a backend for this Kong Service Facade. |
Appears in:
KongServiceFacadeStatus
KongServiceFacadeStatus defines the observed state of KongServiceFacade.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the KongServiceFacade. Known condition types are: * “Programmed” |
Appears in:
konnect.konghq.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the konnect.konghq.com v1alpha1 API group.
- KonnectAPIAuthConfiguration
- KonnectCloudGatewayDataPlaneGroupConfiguration
- KonnectCloudGatewayNetwork
- KonnectCloudGatewayTransitGateway
- KonnectEventGateway
- KonnectExtension
- KonnectGatewayControlPlane
- MCPServer
- Portal
- PortalCustomDomain
- PortalCustomization
- PortalEmailConfig
- PortalIdentityProviderRequest
- PortalPage
- PortalTeam
KonnectAPIAuthConfiguration
KonnectAPIAuthConfiguration is the Schema for the Konnect configuration type.
| Field | Description |
|---|---|
| apiVersion string | konnect.konghq.com/v1alpha1 |
| kind string | KonnectAPIAuthConfiguration |
| metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec KonnectAPIAuthConfigurationSpec | Spec is the specification of the KonnectAPIAuthConfiguration resource. |
| status KonnectAPIAuthConfigurationStatus | Status is the status of the KonnectAPIAuthConfiguration resource. |
KonnectCloudGatewayDataPlaneGroupConfiguration
KonnectCloudGatewayDataPlaneGroupConfiguration is the Schema for the Konnect Network API.
| Field | Description |
|---|---|
| apiVersion string | konnect.konghq.com/v1alpha1 |
| kind string | KonnectCloudGatewayDataPlaneGroupConfiguration |
| metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec KonnectCloudGatewayDataPlaneGroupConfigurationSpec | Spec defines the desired state of KonnectCloudGatewayDataPlaneGroupConfiguration. |
| status KonnectCloudGatewayDataPlaneGroupConfigurationStatus | Status defines the observed state of KonnectCloudGatewayDataPlaneGroupConfiguration. |
KonnectCloudGatewayNetwork
KonnectCloudGatewayNetwork is the Schema for the Konnect Network API.
| Field | Description |
|---|---|
| apiVersion string | konnect.konghq.com/v1alpha1 |
| kind string | KonnectCloudGatewayNetwork |
| metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec KonnectCloudGatewayNetworkSpec | Spec defines the desired state of KonnectCloudGatewayNetwork. |
| status KonnectCloudGatewayNetworkStatus | Status defines the observed state of KonnectCloudGatewayNetwork. |
KonnectCloudGatewayTransitGateway
KonnectCloudGatewayTransitGateway is the Schema for the Konnect Transit Gateway API.
| Field | Description |
|---|---|
| apiVersion string | konnect.konghq.com/v1alpha1 |
| kind string | KonnectCloudGatewayTransitGateway |
| metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec KonnectCloudGatewayTransitGatewaySpec | Spec defines the desired state of KonnectCloudGatewayTransitGateway. |
| status KonnectCloudGatewayTransitGatewayStatus | Status defines the observed state of KonnectCloudGatewayTransitGateway. |
KonnectEventGateway
KonnectEventGateway is the Schema for the konnecteventgateways API.
| Field | Description |
|---|---|
| apiVersion string | konnect.konghq.com/v1alpha1 |
| kind string | KonnectEventGateway |
| metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec KonnectEventGatewaySpec | |
| status KonnectEventGatewayStatus | |
KonnectExtension
KonnectExtension is the Schema for the KonnectExtension API, and is intended to be referenced as an extension by the DataPlane, ControlPlane or GatewayConfiguration APIs. If one of the above-mentioned resources successfully refers to a KonnectExtension, the underlying deployment(s) spec gets customized to include the konnect-related configuration.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
KonnectExtension |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KonnectExtensionSpec
|
Spec is the specification of the KonnectExtension resource. |
status KonnectExtensionStatus
|
Status is the status of the KonnectExtension resource. |
KonnectGatewayControlPlane
KonnectGatewayControlPlane is the Schema for the KonnectGatewayControlplanes API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
KonnectGatewayControlPlane |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KonnectGatewayControlPlaneSpec
|
Spec defines the desired state of KonnectGatewayControlPlane. |
status KonnectGatewayControlPlaneStatus
|
Status defines the observed state of KonnectGatewayControlPlane. |
MCPServer
MCPServer is the Schema for the MCPServer API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
MCPServer |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec MCPServerSpec
|
|
status MCPServerStatus
|
Portal
Portal is the Schema for the portals API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
Portal |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec PortalSpec
|
|
status PortalStatus
|
PortalCustomDomain
PortalCustomDomain is the Schema for the portalcustomdomains API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
PortalCustomDomain |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec PortalCustomDomainSpec
|
|
status PortalCustomDomainStatus
|
PortalCustomization
PortalCustomization is the Schema for the portalcustomizations API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
PortalCustomization |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec PortalCustomizationSpec
|
|
status PortalCustomizationStatus
|
PortalEmailConfig
PortalEmailConfig is the Schema for the portalemailconfigs API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
PortalEmailConfig |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec PortalEmailConfigSpec
|
|
status PortalEmailConfigStatus
|
PortalIdentityProviderRequest
PortalIdentityProviderRequest is the Schema for the portalidentityproviderrequests API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
PortalIdentityProviderRequest |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec PortalIdentityProviderRequestSpec
|
|
status PortalIdentityProviderRequestStatus
|
PortalPage
PortalPage is the Schema for the portalpages API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
PortalPage |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec PortalPageSpec
|
|
status PortalPageStatus
|
PortalTeam
PortalTeam is the Schema for the portalteams API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha1 |
kind string
|
PortalTeam |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec PortalTeamSpec
|
|
status PortalTeamStatus
|
Types
In this section you will find types that the CRDs rely on.
AWSTransitGateway
AWSTransitGateway is the configuration of an AWS transit gateway.
| Field | Description |
|---|---|
name string
|
Human-readable name of the transit gateway. |
dns_config TransitGatewayDNSConfig
|
List of mappings from remote DNS server IP address sets to proxied internal domains, for a transit gateway attachment. |
cidr_blocks []string
|
CIDR blocks for constructing a route table for the transit gateway, when attaching to the owning network. |
attachment_config AwsTransitGatewayAttachmentConfig
|
Configuration to attach to the AWS transit gateway on the AWS side. |
Appears in:
AwsTransitGatewayAttachmentConfig
AwsTransitGatewayAttachmentConfig is the configuration to attach to an AWS transit gateway.
| Field | Description |
|---|---|
transit_gateway_id string
|
TransitGatewayID is the ID of the AWS transit gateway to create the attachment to. |
ram_share_arn string
|
RAMShareArn is the resource share ARN used to verify the request to create the transit gateway attachment. |
Appears in:
AzureTransitGateway
AzureTransitGateway is the configuration of an Azure transit gateway.
| Field | Description |
|---|---|
name string
|
Human-readable name of the transit gateway. |
dns_config TransitGatewayDNSConfig
|
List of mappings from remote DNS server IP address sets to proxied internal domains, for a transit gateway attachment. |
attachment_config AzureVNETPeeringAttachmentConfig
|
Configuration to attach to the Azure VNET peering gateway. |
Appears in:
AzureVNETPeeringAttachmentConfig
AzureVNETPeeringAttachmentConfig is the configuration to attach to an Azure VNET peering gateway.
| Field | Description |
|---|---|
tenant_id string
|
TenantID is the tenant ID for the Azure VNET Peering attachment. |
subscription_id string
|
SubscriptionID is the subscription ID for the Azure VNET Peering attachment. |
resource_group_name string
|
ResourceGroupName is the resource group name for the Azure VNET Peering attachment. |
vnet_name string
|
VnetName is the VNET Name for the Azure VNET Peering attachment. |
Appears in:
CertificateSecret
CertificateSecret contains the information to access the client certificate.
| Field | Description |
|---|---|
provisioning ProvisioningMethod
|
Provisioning is the method used to provision the certificate. It can be either Manual or Automatic. In case manual provisioning is used, the certificate must be provided by the user. In case automatic provisioning is used, the certificate will be automatically generated by the system. |
secretRef SecretRef
|
CertificateSecretRef is the reference to the Secret containing the client certificate. |
Appears in:
Colors
Colors is a type alias.
| Field | Description |
|---|---|
primary string
|
Appears in:
ConfigurationDataPlaneGroupAutoscale
ConfigurationDataPlaneGroupAutoscale specifies the autoscale configuration for the data-plane group.
| Field | Description |
|---|---|
static ConfigurationDataPlaneGroupAutoscaleStatic
|
Static specifies the static configuration for the data-plane group. |
autopilot ConfigurationDataPlaneGroupAutoscaleAutopilot
|
Autopilot specifies the autoscale configuration for the data-plane group. |
type ConfigurationDataPlaneGroupAutoscaleType
|
Type of autoscaling to use. |
Appears in:
ConfigurationDataPlaneGroupAutoscaleAutopilot
ConfigurationDataPlaneGroupAutoscaleAutopilot specifies the autoscale configuration for the data-plane group.
| Field | Description |
|---|---|
base_rps int64
|
Base number of requests per second that the deployment target should support. |
max_rps *int64
|
Max number of requests per second that the deployment target should support. If not set, this defaults to 10x base_rps. |
Appears in:
ConfigurationDataPlaneGroupAutoscaleStatic
ConfigurationDataPlaneGroupAutoscaleStatic specifies the static configuration for the data-plane group.
| Field | Description |
|---|---|
instance_type github.com/Kong/sdk-konnect-go/models/components.InstanceTypeName
|
Instance type name to indicate capacity. Currently supported values are small, medium and large, but this list might be expanded in the future. For all the allowed values, please refer to the Konnect API documentation at https://docs.konghq.com/konnect/api/cloud-gateways/latest/#/Data-Plane%20Group%20Configurations/create-configuration. |
requested_instances int64
|
Number of data-planes the deployment target will contain. |
Appears in:
ConfigurationDataPlaneGroupAutoscaleType
Underlying type: string
ConfigurationDataPlaneGroupAutoscaleType is the type of autoscale configuration for the data-plane group.
Appears in:
Allowed values:
| Value | Description |
|---|---|
static |
ConfigurationDataPlaneGroupAutoscaleTypeStatic is the autoscale type for static configuration. |
autopilot |
ConfigurationDataPlaneGroupAutoscaleTypeAutopilot is the autoscale type for autopilot configuration. |
ConfigurationDataPlaneGroupEnvironmentField
ConfigurationDataPlaneGroupEnvironmentField specifies an environment variable field for the data-plane group.
| Field | Description |
|---|---|
name string
|
Name of the environment variable field to set for the data-plane group. Must be prefixed by KONG_. |
value string
|
Value assigned to the environment variable field for the data-plane group. |
Appears in:
CreateControlPlaneRequest
CreateControlPlaneRequest - The request schema for the create control plane request.
| Field | Description |
|---|---|
name *string
|
The name of the control plane. |
description *string
|
The description of the control plane in Konnect. |
cluster_type *github.com/Kong/sdk-konnect-go/models/components.CreateControlPlaneRequestClusterType
|
The ClusterType value of the cluster associated with the Control Plane. |
auth_type *github.com/Kong/sdk-konnect-go/models/components.AuthType
|
The auth type value of the cluster associated with the Runtime Group. |
cloud_gateway *bool
|
Whether this control-plane can be used for cloud-gateways. |
proxy_urls []github.com/Kong/sdk-konnect-go/models/components.ProxyURL
|
Array of proxy URLs associated with reaching the data-planes connected to a control-plane. |
labels map[string]string
|
Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
Appears in:
CreatePortalCustomDomainSSLStandard
CreatePortalCustomDomainSSLStandard is a type alias.
| Field | Description |
|---|---|
domainVerificationMethod string
|
Appears in:
CreatePortalCustomDomainSSLWithCustomCertificate
CreatePortalCustomDomainSSLWithCustomCertificate is a type alias.
| Field | Description |
|---|---|
customCertificate string
|
Custom certificate to be used for the SSL termination. |
customPrivateKey string
|
Custom certificate private key to be used for the SSL termination. |
domainVerificationMethod string
|
|
skipCaCheck string
|
Advanced option. If true, the custom certificate is served exactly as provided, without attempting to bundle against a public trust store. Required for certificates issued by an internal/private CA. |
Appears in:
DataPlaneClientAuthStatus
DataPlaneClientAuthStatus contains the status information related to the ClientAuth configuration.
| Field | Description |
|---|---|
certificateSecretRef SecretRef
|
CertificateSecretRef is the reference to the Secret containing the client certificate. |
Appears in:
DataPlaneLabelValue
Underlying type: string
DataPlaneLabelValue is the type that defines the value of a label that will be applied to the Konnect DataPlane.
Appears in:
Description
Underlying type: string
Description is a type alias.
Appears in:
GatewayDescription
Underlying type: string
GatewayDescription A human-readable description of the Gateway.
Appears in:
GatewayName
Underlying type: string
GatewayName The name of the Gateway.
Appears in:
IdentityProviderType
Underlying type: string
IdentityProviderType Specifies the type of identity provider.
Appears in:
KonnectAPIAuthConfigurationSpec
KonnectAPIAuthConfigurationSpec is the specification of the KonnectAPIAuthConfiguration resource.
| Field | Description |
|---|---|
type KonnectAPIAuthType
|
|
token string
|
Token is the Konnect token used to authenticate with the Konnect API. |
secretRef SecretReference
|
SecretRef is a reference to a Kubernetes Secret containing the Konnect token. This secret is required to have the konghq.com/credential label set to “konnect”. |
serverURL string
|
ServerURL is the URL of the Konnect server. It can be either a full URL with an HTTPS scheme or just a hostname. Please refer to https://docs.konghq.com/konnect/network/ for the list of supported hostnames. |
Appears in:
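A pre-apply check for the KonnectAPIAuthConfigurationSpec fields above, as an added example (not code from the Kong project): it reports a credential placed inline in `spec.token`, a `secretRef` whose Secret lacks the `konghq.com/credential: konnect` label, and a `serverURL` whose scheme is not HTTPS. The `name` and `namespace` keys of `secretRef`, the namespace defaulting, the sample hostname and token, and the choice to report inline tokens as a finding are assumptions of the example.

```python
from urllib.parse import urlsplit

CREDENTIAL_LABEL = "konghq.com/credential"  # label named in the secretRef description
CREDENTIAL_VALUE = "konnect"
ALLOWED_TYPES = ("token", "secretRef")      # KonnectAPIAuthType allowed values


def lint_server_url(server_url):
    """serverURL must be a bare hostname or a full URL with an https scheme."""
    if not server_url:
        return [("server-url-missing", "spec.serverURL is empty")]
    if "://" not in server_url:
        # Bare hostname form: reject anything carrying a path, userinfo or spaces.
        if any(ch in server_url for ch in "/@ "):
            return [("server-url-malformed", f"{server_url!r} is not a plain hostname")]
        return []
    parts = urlsplit(server_url)
    if parts.scheme.lower() != "https":
        return [("server-url-not-https", f"scheme {parts.scheme!r} is not https")]
    if not parts.hostname:
        return [("server-url-malformed", f"{server_url!r} has no host")]
    return []


def lint_auth_config(manifest, secrets):
    """Lint one KonnectAPIAuthConfiguration; return a list of (code, message).

    `secrets` maps (namespace, name) to a Secret manifest and stands in for a
    cluster lookup, so the check runs offline.
    """
    findings = []
    meta = manifest.get("metadata", {})
    spec = manifest.get("spec", {})
    auth_type = spec.get("type")

    if auth_type not in ALLOWED_TYPES:
        findings.append(("type-invalid", f"spec.type {auth_type!r} not in {ALLOWED_TYPES}"))

    if spec.get("token"):
        # Policy of this example: a token in the spec can be read by anyone who
        # can read the custom resource, so it is reported whatever the type is.
        findings.append(("inline-token", "spec.token holds the credential in the resource"))
    elif auth_type == "token":
        findings.append(("token-missing", "type is token but spec.token is empty"))

    if auth_type == "secretRef":
        ref = spec.get("secretRef") or {}
        name = ref.get("name")  # assumed field name of SecretReference
        # Assumption: an unset namespace means the namespace of the resource itself.
        namespace = ref.get("namespace") or meta.get("namespace", "default")
        if not name:
            findings.append(("secretref-missing", "type is secretRef but no Secret is named"))
        else:
            secret = secrets.get((namespace, name))
            if secret is None:
                findings.append(("secret-not-found", f"Secret {namespace}/{name} not found"))
            else:
                labels = secret.get("metadata", {}).get("labels") or {}
                if labels.get(CREDENTIAL_LABEL) != CREDENTIAL_VALUE:
                    findings.append(("secret-label-missing",
                                     f"Secret {namespace}/{name} lacks "
                                     f"{CREDENTIAL_LABEL}={CREDENTIAL_VALUE}"))

    findings.extend(lint_server_url(spec.get("serverURL")))
    return findings


def finding_codes(manifest, secrets):
    """Only the finding codes, in the order they were raised."""
    return [code for code, _ in lint_auth_config(manifest, secrets)]


def auth_config(name, spec, namespace="kong"):
    """Build a constructed KonnectAPIAuthConfiguration manifest."""
    return {"apiVersion": "konnect.konghq.com/v1alpha1",
            "kind": "KonnectAPIAuthConfiguration",
            "metadata": {"name": name, "namespace": namespace},
            "spec": spec}


# Constructed sample data: Secret names, namespace, token and hostname are made up.
SAMPLE_SECRETS = {
    ("kong", "konnect-pat"): {"metadata": {"name": "konnect-pat", "namespace": "kong",
                                           "labels": {CREDENTIAL_LABEL: CREDENTIAL_VALUE}}},
    ("kong", "plain-secret"): {"metadata": {"name": "plain-secret", "namespace": "kong"}},
}
INLINE = auth_config("inline", {"type": "token", "token": "kpat_CONSTRUCTED",
                                "serverURL": "http://us.api.konghq.com"})
REFERENCED = auth_config("referenced", {"type": "secretRef",
                                        "secretRef": {"name": "konnect-pat"},
                                        "serverURL": "us.api.konghq.com"})
UNLABELLED = auth_config("unlabelled", {"type": "secretRef",
                                        "secretRef": {"name": "plain-secret"},
                                        "serverURL": "https://us.api.konghq.com"})

if __name__ == "__main__":
    for sample in (INLINE, REFERENCED, UNLABELLED):
        print(sample["metadata"]["name"], finding_codes(sample, SAMPLE_SECRETS))
```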
KonnectAPIAuthConfigurationStatus
KonnectAPIAuthConfigurationStatus is the status of the KonnectAPIAuthConfiguration resource.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the status of the Konnect configuration. |
organizationID string
|
OrganizationID is the unique identifier of the organization in Konnect. |
serverURL string
|
ServerURL is the configured server URL. |
Appears in:
KonnectAPIAuthType
Underlying type: string
KonnectAPIAuthType is the type of authentication used to authenticate with the Konnect API.
Appears in:
Allowed values:
| Value | Description |
|---|---|
token |
KonnectAPIAuthTypeToken is the token authentication type. |
secretRef |
KonnectAPIAuthTypeSecretRef is the secret reference authentication type. |
KonnectCloudGatewayDataPlaneGroupConfigurationSpec
KonnectCloudGatewayDataPlaneGroupConfigurationSpec defines the desired state of KonnectCloudGatewayDataPlaneGroupConfiguration.
| Field | Description |
|---|---|
version string
|
Version specifies the desired Kong Gateway version. |
dataplane_groups KonnectConfigurationDataPlaneGroup
|
DataplaneGroups is a list of desired data-plane groups that describe where to deploy instances, along with how many instances. |
api_access *github.com/Kong/sdk-konnect-go/models/components.APIAccess
|
APIAccess is the desired type of API access for data-plane groups. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a ControlPlane which DataPlanes from this configuration will connect to. |
adopt AdoptOptions
|
Adopt is the options for adopting a cloud gateway dataplane group configuration from an existing transit dataplane group configuration in Konnect. |
Appears in:
KonnectCloudGatewayDataPlaneGroupConfigurationStatus
KonnectCloudGatewayDataPlaneGroupConfigurationStatus defines the observed state of KonnectCloudGatewayDataPlaneGroupConfiguration.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KonnectCloudGatewayDataPlaneGroupConfiguration. Known condition types are: * “Programmed” |
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this Route is associated with. |
dataplane_groups KonnectCloudGatewayDataPlaneGroupConfigurationStatusGroup
|
DataPlaneGroups is a list of deployed data-plane groups. |
Appears in:
KonnectCloudGatewayDataPlaneGroupConfigurationStatusGroup
KonnectCloudGatewayDataPlaneGroupConfigurationStatusGroup defines the observed state of a deployed data-plane group.
| Field | Description |
|---|---|
id string
|
ID is the ID of the deployed data-plane group. |
cloud_gateway_network_id string
|
CloudGatewayNetworkID is the ID of the cloud gateway network. |
provider github.com/Kong/sdk-konnect-go/models/components.ProviderName
|
Name of cloud provider. |
region string
|
Region ID for cloud provider region. |
private_ip_addresses []string
|
PrivateIPAddresses is a list of private IP addresses of the internal load balancer that proxies traffic to this data-plane group. |
egress_ip_addresses []string
|
EgressIPAddresses is a list of egress IP addresses for the network that this data-plane group runs on. |
state string
|
State is the current state of the data plane group. Can be e.g. initializing, ready, terminating. |
Appears in:
KonnectCloudGatewayNetworkSpec
KonnectCloudGatewayNetworkSpec defines the desired state of KonnectCloudGatewayNetwork.
| Field | Description |
|---|---|
name string
|
Specifies the name of the network on Konnect. |
cloud_gateway_provider_account_id string
|
Specifies the provider Account ID. |
region string
|
Region ID for cloud provider region. |
availability_zones []string
|
List of availability zones that the network is attached to. |
cidr_block string
|
CIDR block configuration for the network. |
state *github.com/Kong/sdk-konnect-go/models/components.NetworkCreateState
|
Initial state for creating a network. |
adopt AdoptOptions
|
Adopt is the options for adopting a cloud gateway network from an existing network in Konnect. |
konnect KonnectConfiguration
|
Appears in:
KonnectCloudGatewayNetworkStatus
KonnectCloudGatewayNetworkStatus defines the observed state of KonnectCloudGatewayNetwork.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KonnectCloudGatewayNetwork. Known condition types are: * “Programmed” |
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
state string
|
State is the current state of the network. Can be e.g. initializing, ready, terminating. |
Appears in:
KonnectCloudGatewayTransitGatewaySpec
KonnectCloudGatewayTransitGatewaySpec defines the desired state of KonnectCloudGatewayTransitGateway.
| Field | Description |
|---|---|
type TransitGatewayType
|
Type is the type of the Konnect transit gateway. |
awsTransitGateway AWSTransitGateway
|
AWSTransitGateway is the configuration of an AWS transit gateway. Used when type is “AWS Transit Gateway”. |
azureTransitGateway AzureTransitGateway
|
AzureTransitGateway is the configuration of an Azure transit gateway. Used when type is “Azure Transit Gateway”. |
networkRef ObjectRef
|
NetworkRef is the schema for the NetworkRef type. |
adopt AdoptOptions
|
Adopt is the options for adopting a cloud gateway transit gateway from an existing transit gateway in Konnect. |
Appears in:
KonnectCloudGatewayTransitGatewayStatus
KonnectCloudGatewayTransitGatewayStatus defines the current state of KonnectCloudGatewayTransitGateway.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KonnectCloudGatewayDataPlaneGroupConfiguration. Known condition types are: * “Programmed” |
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
networkID string
|
NetworkID is the Konnect ID of the Konnect cloud gateway network this entity is associated with. |
state github.com/Kong/sdk-konnect-go/models/components.TransitGatewayState
|
State is the state of the transit gateway on Konnect side. |
Appears in:
KonnectConfigurationDataPlaneGroup
KonnectConfigurationDataPlaneGroup is the schema for the KonnectConfiguration type.
| Field | Description |
|---|---|
provider github.com/Kong/sdk-konnect-go/models/components.ProviderName
|
Name of cloud provider. |
region string
|
Region for cloud provider region. |
networkRef ObjectRef
|
NetworkRef is the reference to the network that this data-plane group will be deployed on. Cross-namespace references are not supported for networkRef of type namespacedRef. This will be enforced in the future, but currently (due to a limitation in CEL validation in Kubernetes 1.31 and older) it is not. |
autoscale ConfigurationDataPlaneGroupAutoscale
|
Autoscale configuration for the data-plane group. |
environment ConfigurationDataPlaneGroupEnvironmentField
|
Array of environment variables to set for a data-plane group. |
Appears in:
KonnectEndpoints
KonnectEndpoints defines the Konnect endpoints for the control plane.
| Field | Description |
|---|---|
telemetry string
|
TelemetryEndpoint is the endpoint for telemetry. |
controlPlane string
|
ControlPlaneEndpoint is the endpoint for the control plane. |
Appears in:
KonnectEntityRef
KonnectEntityRef is a reference to a Konnect entity.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. |
Appears in:
- PortalCustomDomainStatus
- PortalCustomizationStatus
- PortalEmailConfigStatus
- PortalIPAllowListStatus
- PortalIdentityProviderRequestStatus
- PortalPageStatus
- PortalTeamStatus
KonnectEventGatewayAPISpec
KonnectEventGatewayAPISpec defines the API spec fields for KonnectEventGateway.
| Field | Description |
|---|---|
description GatewayDescription
|
A human-readable description of the Gateway. |
labels Labels
|
Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
minRuntimeVersion MinRuntimeVersion
|
The minimum runtime version supported by the API. This is the lowest version of the data plane release that can be used with the entity model. When not specified, the minimum runtime version will be pinned to the latest available release. |
name GatewayName
|
The name of the Gateway. |
Appears in:
KonnectEventGatewaySpec
KonnectEventGatewaySpec defines the desired state of KonnectEventGateway.
| Field | Description |
|---|---|
konnect KonnectConfiguration
|
KonnectConfiguration is the Konnect configuration for this entity. |
apiSpec KonnectEventGatewayAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
KonnectEventGatewayStatus
KonnectEventGatewayStatus defines the observed state of KonnectEventGateway.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed. |
Appears in:
KonnectExtensionClientAuth
KonnectExtensionClientAuth contains the configuration for the client authentication for the DataPlane. At the moment authentication is only supported through client certificate, but it might be extended in the future, with e.g., token-based authentication.
| Field | Description |
|---|---|
certificateSecret CertificateSecret
|
CertificateSecret contains the information to access the client certificate. |
Appears in:
KonnectExtensionClusterType
Underlying type: string
KonnectExtensionClusterType is the type of the Konnect Control Plane.
Appears in:
Allowed values:
| Value | Description |
|---|---|
ControlPlane |
ClusterTypeControlPlane is the type of the Konnect Control Plane. |
K8SIngressController |
ClusterTypeK8sIngressController is the type of the Kubernetes Control Plane. |
KonnectExtensionControlPlane
KonnectExtensionControlPlane is the configuration for the Konnect Control Plane.
| Field | Description |
|---|---|
ref ControlPlaneRef
|
Ref is a reference to a Konnect ControlPlane this KonnectExtension is associated with. |
Appears in:
KonnectExtensionControlPlaneStatus
KonnectExtensionControlPlaneStatus contains the Konnect Control Plane status information.
| Field | Description |
|---|---|
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this KonnectExtension is associated with. |
clusterType KonnectExtensionClusterType
|
ClusterType is the type of the Konnect Control Plane. |
endpoints KonnectEndpoints
|
Endpoints defines the Konnect endpoints for the control plane. |
Appears in:
KonnectExtensionDataPlane
KonnectExtensionDataPlane is the configuration for the Konnect DataPlane.
| Field | Description |
|---|---|
labels DataPlaneLabelValue
|
Labels is a set of labels that will be applied to the Konnect DataPlane. |
Appears in:
KonnectExtensionKonnectSpec
KonnectExtensionKonnectSpec holds the konnect-related configuration.
| Field | Description |
|---|---|
controlPlane KonnectExtensionControlPlane
|
ControlPlane is the configuration for the Konnect Control Plane. |
dataPlane KonnectExtensionDataPlane
|
DataPlane is the configuration for the Konnect DataPlane. |
configuration KonnectConfiguration
|
Configuration holds the information needed to set up the Konnect Configuration. |
Appears in:
KonnectExtensionSpec
KonnectExtensionSpec defines the desired state of KonnectExtension.
| Field | Description |
|---|---|
konnect KonnectExtensionKonnectSpec
|
Konnect holds the konnect-related configuration. |
clientAuth KonnectExtensionClientAuth
|
ClientAuth is the configuration for the client certificate authentication. In case the ControlPlaneRef is of type KonnectID, it is required to set up the connection with the Konnect Platform. |
Appears in:
KonnectExtensionStatus
KonnectExtensionStatus defines the observed state of KonnectExtension.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KonnectExtensionStatus. |
dataPlaneRefs NamespacedRef
|
DataPlaneRefs is the array of DataPlane references this is associated with. A new reference is set by the operator when this extension is associated with a DataPlane through its extensions spec. |
controlPlaneRefs NamespacedRef
|
ControlPlaneRefs is the array of ControlPlane references this is associated with. A new reference is set by the operator when this extension is associated with a ControlPlane through its extensions spec. |
dataPlaneClientAuth DataPlaneClientAuthStatus
|
DataPlaneClientAuth contains the configuration for the client certificate authentication for the DataPlane. |
konnect KonnectExtensionControlPlaneStatus
|
Konnect contains the status information related to the Konnect Control Plane. |
Appears in:
KonnectGatewayControlPlaneSpec
KonnectGatewayControlPlaneSpec defines the desired state of KonnectGatewayControlPlane.
| Field | Description |
|---|---|
name *string
|
The name of the control plane. |
description *string
|
The description of the control plane in Konnect. |
cluster_type *github.com/Kong/sdk-konnect-go/models/components.CreateControlPlaneRequestClusterType
|
The ClusterType value of the cluster associated with the Control Plane. |
auth_type *github.com/Kong/sdk-konnect-go/models/components.AuthType
|
The auth type value of the cluster associated with the Runtime Group. |
cloud_gateway *bool
|
Whether this control-plane can be used for cloud-gateways. |
proxy_urls []github.com/Kong/sdk-konnect-go/models/components.ProxyURL
|
Array of proxy URLs associated with reaching the data-planes connected to a control-plane. |
labels map[string]string
|
Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
mirror MirrorSpec
|
Mirror is the Konnect Mirror configuration. It is only applicable for ControlPlanes that are created as Mirrors. |
source EntitySource
|
Source represents the source type of the Konnect entity. |
members LocalObjectReference array
|
Members is a list of references to the KonnectGatewayControlPlaneMembers that are part of this control plane group. Only applicable for ControlPlanes that are created as groups. |
konnect KonnectConfiguration
|
KonnectConfiguration contains the Konnect configuration for the control plane. |
Appears in:
KonnectGatewayControlPlaneStatus
KonnectGatewayControlPlaneStatus defines the observed state of KonnectGatewayControlPlane.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the KonnectGatewayControlPlane. Known condition types are: * “Programmed” |
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
konnectEndpoints KonnectEndpoints
|
Endpoints defines the Konnect endpoints for the control plane. They are required by the DataPlane to be properly configured in Konnect and connect to the control plane. |
Appears in:
KonnectTransitGatewayAPISpec
KonnectTransitGatewayAPISpec specifies a transit gateway on the Konnect side. The type and all the types it references are mostly copied from github.com/Kong/sdk-konnect-go/models/components.CreateTransitGatewayRequest.
| Field | Description |
|---|---|
type TransitGatewayType
|
Type is the type of the Konnect transit gateway. |
awsTransitGateway AWSTransitGateway
|
AWSTransitGateway is the configuration of an AWS transit gateway. Used when type is “AWS Transit Gateway”. |
azureTransitGateway AzureTransitGateway
|
AzureTransitGateway is the configuration of an Azure transit gateway. Used when type is “Azure Transit Gateway”. |
Appears in:
Labels
Underlying type: map[string]LabelsValue
Labels store metadata of an entity that can be used for filtering an entity
list or for searching across entity types.
Keys must be of length 1-63 characters, and cannot start with “kong”,
“konnect”, “mesh”, “kic”, or “_”.
Appears in:
LabelsUpdate
Underlying type: map[string]LabelsUpdateValue
LabelsUpdate Labels store metadata of an entity that can be used for
filtering an entity list or for searching across entity types.
Labels are intended to store INTERNAL metadata.
Keys must be of length 1-63 characters, and cannot start with “kong”,
“konnect”, “mesh”, “kic”, or “_”.
Appears in:
LabelsUpdateValue
Underlying type: string
LabelsUpdateValue is the value type for LabelsUpdate.
Appears in:
LabelsValue
Underlying type: string
LabelsValue is the value type for Labels.
Appears in:
MCPServerKonnectSpec
MCPServerKonnectSpec defines the observed state of the MCPServer on Konnect.
| Field | Description |
|---|---|
name *string
|
Name is the name of the MCPServer on Konnect. |
version *string
|
Version is the version of the MCPServer on Konnect. |
Appears in:
MCPServerSpec
MCPServerSpec is the specification of the MCPServer resource.
| Field | Description |
|---|---|
mirror MirrorSpec
|
Mirror is the Konnect Mirror configuration. It is only applicable for ControlPlanes that are created as Mirrors. |
source EntitySource
|
Source represents the source type of the Konnect entity. |
controlPlaneRef ControlPlaneRef
|
ControlPlaneRef is a reference to a Konnect ControlPlane this MCP server belongs to. The auth token is inferred from the referenced control plane’s KonnectAPIAuthConfiguration. |
Appears in:
MCPServerStatus
MCPServerStatus defines the observed state of MCPServer.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions describe the current conditions of the MCPServer. Known condition types are: * “Programmed” * “Mirrored” |
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this Route is associated with. |
konnectSpec MCPServerKonnectSpec
|
KonnectSpec holds MCPServer-specific status fields related to its state on Konnect, such as the remote name and version. |
Appears in:
Menu
Menu is a type alias.
| Field | Description |
|---|---|
footerBottom PortalMenuItem
|
|
footerSections PortalFooterMenuSection
|
|
main PortalMenuItem
|
Appears in:
MinRuntimeVersion
Underlying type: string
MinRuntimeVersion The minimum runtime version supported by the API. This is the lowest version of the data plane release that can be used with the entity model. When not specified, the minimum runtime version will be pinned to the latest available release.
Appears in:
MirrorKonnect
MirrorKonnect contains the Konnect Mirror configuration.
| Field | Description |
|---|---|
id KonnectIDType
|
ID is the ID of the Konnect entity. It can be set only in case the ControlPlane type is Mirror. |
Appears in:
MirrorSpec
MirrorSpec contains the Konnect Mirror configuration.
| Field | Description |
|---|---|
konnect MirrorKonnect
|
Konnect contains the KonnectID of the KonnectGatewayControlPlane that is mirrored. |
Appears in:
OIDCIdentityProviderClaimMappings
OIDCIdentityProviderClaimMappings Defines the mappings between OpenID Connect (OIDC) claims and local claims used by your application for authentication.
| Field | Description |
|---|---|
email string
|
The claim mapping for the user’s email address. |
groups string
|
The claim mapping for the user’s group membership information. |
name string
|
The claim mapping for the user’s name. |
Appears in:
OIDCIdentityProviderClientID
Underlying type: string
OIDCIdentityProviderClientID The client ID assigned to your application by the identity provider.
Appears in:
OIDCIdentityProviderClientSecret
Underlying type: string
OIDCIdentityProviderClientSecret The Client Secret assigned to your application by the identity provider.
Appears in:
OIDCIdentityProviderConfig
OIDCIdentityProviderConfig The identity provider that contains configuration data for the OIDC authentication integration.
| Field | Description |
|---|---|
claimMappings OIDCIdentityProviderClaimMappings
|
Defines the mappings between OpenID Connect (OIDC) claims and local claims used by your application for authentication. |
clientID OIDCIdentityProviderClientID
|
The client ID assigned to your application by the identity provider. |
clientSecret OIDCIdentityProviderClientSecret
|
The Client Secret assigned to your application by the identity provider. |
issuerURL OIDCIdentityProviderIssuer
|
The issuer URI of the identity provider. This is the URL where the provider’s metadata can be obtained. |
scopes []string
|
The scopes requested by your application when authenticating with the identity provider. |
Appears in:
OIDCIdentityProviderIssuer
Underlying type: string
OIDCIdentityProviderIssuer The issuer URI of the identity provider. This is the URL where the provider’s metadata can be obtained.
Appears in:
PageContent
Underlying type: string
PageContent The renderable markdown content of a page in a portal.
Appears in:
PageSlug
Underlying type: string
PageSlug The slug of a page in a portal, used to compute its full URL path
within the portal hierarchy.
When a page has a parent_page_id, its full path is built by joining the
parent’s slug with its own.
For example, if a parent page has the slug slug1 and this page’s slug is
slug2, the resulting path will be /slug1/slug2.
This enables nested page structures like /slug1/slug2/slug3.
Appears in:
PageTitle
Underlying type: string
PageTitle The title of a page in a portal.
Appears in:
PageVisibilityStatus
Underlying type: string
PageVisibilityStatus Whether a page is publicly accessible to non-authenticated users. If not provided, the default_page_visibility value of the portal will be used.
Appears in:
PortalAPISpec
PortalAPISpec defines the API spec fields for Portal.
| Field | Description |
|---|---|
authenticationEnabled string
|
Whether the portal supports developer authentication. If disabled, developers cannot register for accounts or create applications. |
autoApproveApplications string
|
Whether requests from applications to register for APIs will be automatically approved, or if they will be set to pending until approved by an admin. |
autoApproveDevelopers string
|
Whether developer account registrations will be automatically approved, or if they will be set to pending until approved by an admin. |
defaultAPIVisibility string
|
The default visibility of APIs in the portal. If set to public, newly published APIs are visible to unauthenticated developers. If set to private, newly published APIs are hidden from unauthenticated developers. |
defaultApplicationAuthStrategyIDRef ObjectRef
|
The default authentication strategy for APIs published to the portal. Newly published APIs will use this authentication strategy unless overridden during publication. If set to null, API publications will not use an authentication strategy unless set during publication. |
defaultPageVisibility string
|
The default visibility of pages in the portal. If set to public, newly created pages are visible to unauthenticated developers. If set to private, newly created pages are hidden from unauthenticated developers. |
description *string
|
A description of the portal. |
displayName string
|
The display name of the portal. This value will be the portal’s name in Portal API. |
labels LabelsUpdate
|
Labels store metadata of an entity that can be used for filtering an entity list or for searching across entity types. Labels are intended to store INTERNAL metadata. Keys must be of length 1-63 characters, and cannot start with “kong”, “konnect”, “mesh”, “kic”, or “_”. |
name string
|
The name of the portal, used to distinguish it from other portals. Name must be unique. |
rbacEnabled string
|
Whether the portal resources are protected by Role Based Access Control (RBAC). If enabled, developers cannot view or register for APIs unless assigned to teams with access to view and consume specific APIs. Authentication must be enabled to use RBAC. |
siprEnabled string
|
Whether the IP allow list is enabled for the portal. |
Appears in:
PortalCustomDomainAPISpec
PortalCustomDomainAPISpec defines the API spec fields for PortalCustomDomain.
| Field | Description |
|---|---|
enabled string
|
|
hostname string
|
|
ssl PortalCustomDomainSSL
|
Appears in:
PortalCustomDomainSSL
PortalCustomDomainSSL represents a union type for ssl. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
type PortalCustomDomainSSLType
|
Type designates the type of configuration. |
withCustomCertificate CreatePortalCustomDomainSSLWithCustomCertificate
|
WithCustomCertificate configuration. |
standard CreatePortalCustomDomainSSLStandard
|
Standard configuration. |
Appears in:
PortalCustomDomainSSLType
Underlying type: string
PortalCustomDomainSSLType represents the type of ssl.
Appears in:
Allowed values:
| Value | Description |
|---|---|
withCustomCertificate |
|
standard |
PortalCustomDomainSpec
PortalCustomDomainSpec defines the desired state of PortalCustomDomain.
| Field | Description |
|---|---|
portalRef ObjectRef
|
PortalRef is the reference to the parent Portal object. |
apiSpec PortalCustomDomainAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
PortalCustomDomainStatus
PortalCustomDomainStatus defines the observed state of PortalCustomDomain.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
portalID KonnectEntityRef
|
PortalID is the Konnect ID of the parent Portal. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed |
Appears in:
PortalCustomizationAPISpec
PortalCustomizationAPISpec defines the API spec fields for PortalCustomization.
| Field | Description |
|---|---|
css *string
|
|
layout string
|
|
menu Menu
|
|
robots *string
|
|
specRenderer SpecRenderer
|
|
theme Theme
|
Appears in:
PortalCustomizationSpec
PortalCustomizationSpec defines the desired state of PortalCustomization.
| Field | Description |
|---|---|
portalRef ObjectRef
|
PortalRef is the reference to the parent Portal object. |
apiSpec PortalCustomizationAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
PortalCustomizationStatus
PortalCustomizationStatus defines the observed state of PortalCustomization.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
portalID KonnectEntityRef
|
PortalID is the Konnect ID of the parent Portal. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed |
Appears in:
PortalEmailConfigAPISpec
PortalEmailConfigAPISpec defines the API spec fields for PortalEmailConfig.
| Field | Description |
|---|---|
domainName *string
|
The domain name to use for sending emails. Null means default. |
fromEmail *string
|
The email address to use in the ‘From’ field. |
fromName *string
|
The name to display in the ‘From’ field of emails. |
replyToEmail *string
|
The email address to use in the ‘Reply-To’ field. The ‘Reply-To’ header is omitted if this field is omitted or null. |
Appears in:
PortalEmailConfigSpec
PortalEmailConfigSpec defines the desired state of PortalEmailConfig.
| Field | Description |
|---|---|
portalRef ObjectRef
|
PortalRef is the reference to the parent Portal object. |
apiSpec PortalEmailConfigAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
PortalEmailConfigStatus
PortalEmailConfigStatus defines the observed state of PortalEmailConfig.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
portalID KonnectEntityRef
|
PortalID is the Konnect ID of the parent Portal. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed |
Appears in:
PortalFooterMenuSection
PortalFooterMenuSection is a type alias.
| Field | Description |
|---|---|
items PortalMenuItem
|
|
title string
|
The footer menu section title |
Appears in:
PortalIPAllowListAPISpec
PortalIPAllowListAPISpec defines the API spec fields for PortalIPAllowList.
| Field | Description |
|---|---|
allowedIps []string
|
The list of allowed IPs for the portal. |
Appears in:
PortalIdentityProviderRequestAPISpec
PortalIdentityProviderRequestAPISpec defines the API spec fields for PortalIdentityProviderRequest.
| Field | Description |
|---|---|
config PortalIdentityProviderRequestConfig
|
|
enabled string
|
Indicates whether the identity provider is enabled. Only one identity provider can be active at a time, such as SAML or OIDC. |
type IdentityProviderType
|
Specifies the type of identity provider. |
Appears in:
PortalIdentityProviderRequestConfig
PortalIdentityProviderRequestConfig represents a union type for config. Only one of the fields should be set based on the Type.
| Field | Description |
|---|---|
type PortalIdentityProviderRequestConfigType
|
Type designates the type of configuration. |
oIDC OIDCIdentityProviderConfig
|
OIDC configuration. |
portalSAML PortalSAMLIdentityProviderConfig
|
PortalSAML configuration. |
Appears in:
PortalIdentityProviderRequestConfigType
Underlying type: string
PortalIdentityProviderRequestConfigType represents the type of config.
Appears in:
Allowed values:
| Value | Description |
|---|---|
oIDC |
|
portalSAML |
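The Labels key rule and the PortalIdentityProviderRequestConfig union rule described above can be checked before a manifest is applied. This is an added example, not code from Kong: the struct shapes, function names and sample values are assumptions, and the prefix match is assumed to be case-sensitive.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Reserved key prefixes, copied from the Labels / LabelsUpdate descriptions.
var reservedPrefixes = []string{"kong", "konnect", "mesh", "kic", "_"}

// CheckLabelKeys returns one finding per key that breaks the documented rule:
// length 1-63 characters and no reserved prefix. Assumption: length is counted
// in Unicode code points and prefixes are matched case-sensitively.
func CheckLabelKeys(labels map[string]string) []string {
	var findings []string
	for key := range labels {
		if n := len([]rune(key)); n < 1 || n > 63 {
			findings = append(findings, fmt.Sprintf("%q: length %d outside 1-63", key, n))
			continue
		}
		for _, p := range reservedPrefixes {
			if strings.HasPrefix(key, p) {
				findings = append(findings, fmt.Sprintf("%q: reserved prefix %q", key, p))
				break
			}
		}
	}
	sort.Strings(findings) // map iteration order is random; keep output stable
	return findings
}

// Hypothetical, trimmed-down member types: only presence matters to this check.
type OIDCConfig struct{ IssuerURL string }
type SAMLConfig struct{ IDPMetadataURL string }

// IDPConfig mirrors the union described on the page: a type discriminator
// ("oIDC" or "portalSAML") plus one optional member per allowed value.
type IDPConfig struct {
	Type       string
	OIDC       *OIDCConfig
	PortalSAML *SAMLConfig
}

// CheckIDPConfig enforces "only one of the fields should be set based on the
// Type": the member named by Type must be present and every other one absent.
func CheckIDPConfig(c IDPConfig) error {
	present := map[string]bool{"oIDC": c.OIDC != nil, "portalSAML": c.PortalSAML != nil}
	selected, known := present[c.Type]
	if !known {
		return fmt.Errorf("unknown config type %q", c.Type)
	}
	if !selected {
		return fmt.Errorf("type is %q but the %s member is not set", c.Type, c.Type)
	}
	for name, isSet := range present {
		if isSet && name != c.Type {
			return fmt.Errorf("type is %q but the %s member is also set", c.Type, name)
		}
	}
	return nil
}

func main() {
	// Constructed sample input, not taken from a real cluster.
	labels := map[string]string{"team": "payments", "kong-owner": "alice", "_tmp": "1"}
	for _, f := range CheckLabelKeys(labels) {
		fmt.Println("label:", f)
	}

	// Discriminator says OIDC, but only a SAML member was supplied.
	cfg := IDPConfig{
		Type:       "oIDC",
		PortalSAML: &SAMLConfig{IDPMetadataURL: "https://idp.example.test/metadata"},
	}
	if err := CheckIDPConfig(cfg); err != nil {
		fmt.Println("idp config:", err)
	}
}
```

A stale member left beside the selected one is worth flagging in review, since it can keep identity provider settings in the manifest that are no longer meant to be in use.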
PortalIdentityProviderRequestSpec
PortalIdentityProviderRequestSpec defines the desired state of PortalIdentityProviderRequest.
| Field | Description |
|---|---|
portalRef ObjectRef
|
PortalRef is the reference to the parent Portal object. |
apiSpec PortalIdentityProviderRequestAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
PortalIdentityProviderRequestStatus
PortalIdentityProviderRequestStatus defines the observed state of PortalIdentityProviderRequest.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
portalID KonnectEntityRef
|
PortalID is the Konnect ID of the parent Portal. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed |
Appears in:
PortalMenuItem
PortalMenuItem is a type alias.
| Field | Description |
|---|---|
external string
|
When clicked, open the link in a new window |
path string
|
The absolute path of a page in a portal with a leading slash. |
title string
|
The link display text |
visibility string
|
Whether a menu item is public or private. Private menu items are only accessible to authenticated users. |
Appears in:
PortalPageAPISpec
PortalPageAPISpec defines the API spec fields for PortalPage.
| Field | Description |
|---|---|
content PageContent
|
The renderable markdown content of a page in a portal. |
description Description
|
|
parentPageIDRef ObjectRef
|
Pages may be rendered as a tree of files. Specify the id of another page as the parent_page_id to add some hierarchy to your pages. |
slug PageSlug
|
The slug of a page in a portal, used to compute its full URL path within the portal hierarchy. When a page has a parent_page_id, its full path is built by joining the parent’s slug with its own. For example, if a parent page has the slug slug1 and this page’s slug is slug2, the resulting path will be /slug1/slug2. This enables nested page structures like /slug1/slug2/slug3. |
status PublishedStatus
|
Whether the resource is visible on a given portal. Defaults to unpublished. |
title PageTitle
|
The title of a page in a portal. |
visibility PageVisibilityStatus
|
Whether a page is publicly accessible to non-authenticated users. If not provided, the default_page_visibility value of the portal will be used. |
Appears in:
PortalPageSpec
PortalPageSpec defines the desired state of PortalPage.
| Field | Description |
|---|---|
portalRef ObjectRef
|
PortalRef is the reference to the parent Portal object. |
apiSpec PortalPageAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
PortalPageStatus
PortalPageStatus defines the observed state of PortalPage.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
portalID KonnectEntityRef
|
PortalID is the Konnect ID of the parent Portal. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed |
Appears in:
PortalSAMLIdentityProviderConfig
PortalSAMLIdentityProviderConfig The identity provider that contains configuration data for the SAML authentication integration.
| Field | Description |
|---|---|
idpMetadataURL SAMLIdentityProviderMetadataURL
|
The identity provider’s metadata URL where the identity provider’s metadata can be obtained. |
idpMetadataXML SAMLIdentityProviderMetadata
|
The identity provider’s SAML metadata. If the identity provider supports a metadata URL, you can use the idp_metadata_url field instead. |
Appears in:
PortalSpec
PortalSpec defines the desired state of Portal.
| Field | Description |
|---|---|
konnect KonnectConfiguration
|
KonnectConfiguration is the Konnect configuration for this entity. |
apiSpec PortalAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
PortalStatus
PortalStatus defines the observed state of Portal.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed |
Appears in:
PortalTeamAPISpec
PortalTeamAPISpec defines the API spec fields for PortalTeam.
| Field | Description |
|---|---|
canOwnApplications string
|
Whether the team is allowed to own applications |
description string
|
|
name string
|
Appears in:
PortalTeamSpec
PortalTeamSpec defines the desired state of PortalTeam.
| Field | Description |
|---|---|
portalRef ObjectRef
|
PortalRef is the reference to the parent Portal object. |
apiSpec PortalTeamAPISpec
|
APISpec defines the desired state of the resource’s API spec fields. |
Appears in:
PortalTeamStatus
PortalTeamStatus defines the observed state of PortalTeam.
| Field | Description |
|---|---|
conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition
|
Conditions represent the current state of the resource. |
portalID KonnectEntityRef
|
PortalID is the Konnect ID of the parent Portal. |
observedGeneration int64
|
ObservedGeneration is the most recent generation observed |
Appears in:
ProvisioningMethod
Underlying type: string
ProvisioningMethod is the type of the provisioning methods available to provision the certificate.
Appears in:
Allowed values:
| Value | Description |
|---|---|
Manual |
ManualSecretProvisioning is the method used to provision the certificate manually. |
Automatic |
AutomaticSecretProvisioning is the method used to provision the certificate automatically. |
PublishedStatus
Underlying type: string
PublishedStatus Whether the resource is visible on a given portal. Defaults to unpublished.
Appears in:
SAMLIdentityProviderMetadata
Underlying type: string
SAMLIdentityProviderMetadata The identity provider’s SAML metadata.
If the identity provider supports a metadata URL, you can use the
idp_metadata_url field instead.
Appears in:
SAMLIdentityProviderMetadataURL
Underlying type: string
SAMLIdentityProviderMetadataURL The identity provider’s metadata URL where the identity provider’s metadata can be obtained.
Appears in:
SecretRef
SecretRef contains the reference to the Secret containing the Konnect Control Plane’s cluster certificate.
| Field | Description |
|---|---|
name string
|
Name is the name of the Secret containing the Konnect Control Plane’s cluster certificate. |
Appears in:
SpecRenderer
SpecRenderer is a type alias.
| Field | Description |
|---|---|
allowCustomServerUrls string
|
Let users define a custom server URL for endpoints. This will be used to generate code snippets and to test the API. The URL is client-side only and is not saved. |
hideDeprecated string
|
Manage visibility of deprecated endpoints and models. |
hideInternal string
|
Manage visibility of internal endpoints and models. |
infiniteScroll string
|
Display the full spec on a single, scrollable page. If disabled, documentation, endpoints, and schemas appear on separate pages. |
showSchemas string
|
Control whether schemas are visible in your API specs. When enabled, schemas appear in the side navigation below the endpoints. |
tryItInsomnia string
|
Enables users to open API specifications in Insomnia to explore and send requests with the native client. Only public API specifications are supported. |
tryItUi string
|
Enable in-browser testing for your APIs. All linked gateways must have the CORS plugin configured. |
Appears in:
Theme
Theme is a type alias.
| Field | Description |
|---|---|
colors Colors
|
|
mode string
|
|
name string
|
Appears in:
TransitGatewayDNSConfig
TransitGatewayDNSConfig is the DNS configuration of a transit gateway.
| Field | Description |
|---|---|
remote_dns_server_ip_addresses []string
|
RemoteDNSServerIPAddresses is the list of remote DNS server IP Addresses to connect to for resolving internal DNS via a transit gateway. |
domain_proxy_list []string
|
DomainProxyList is the list of internal domain names to proxy for DNS resolution from the listed remote DNS server IP addresses, for a transit gateway. |
Appears in:
TransitGatewayType
Underlying type: string
TransitGatewayType defines the type of Konnect transit gateway.
Appears in:
Allowed values:
| Value | Description |
|---|---|
AWSTransitGateway |
TransitGatewayTypeAWSTransitGateway defines the AWS transit gateway type. |
AzureTransitGateway |
TransitGatewayTypeAzureTransitGateway defines the Azure transit gateway type. |
konnect.konghq.com/v1alpha2
Package v1alpha2 contains API Schema definitions for the konnect.konghq.com v1alpha2 API group.
KonnectExtension
KonnectExtension is the Schema for the KonnectExtension API, and is intended to be referenced as
extension by the DataPlane, ControlPlane or GatewayConfiguration APIs.
If one of the above-mentioned resources successfully refers to a KonnectExtension, the underlying
deployment(s) spec gets customized to include the konnect-related configuration.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha2 |
kind string
|
KonnectExtension |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KonnectExtensionSpec
|
Spec is the specification of the KonnectExtension resource. |
status KonnectExtensionStatus
|
Status is the status of the KonnectExtension resource. |
KonnectGatewayControlPlane
KonnectGatewayControlPlane is the Schema for the KonnectGatewayControlplanes API.
| Field | Description |
|---|---|
apiVersion string
|
konnect.konghq.com/v1alpha2 |
kind string
|
KonnectGatewayControlPlane |
metadata k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
|
Refer to Kubernetes API documentation for fields of metadata. |
spec KonnectGatewayControlPlaneSpec
|
Spec defines the desired state of KonnectGatewayControlPlane. |
status KonnectGatewayControlPlaneStatus
|
Status defines the observed state of KonnectGatewayControlPlane. |
Types
In this section you will find types that the CRDs rely on.
CertificateSecret
CertificateSecret contains the information to access the client certificate.
| Field | Description |
|---|---|
provisioning ProvisioningMethod
|
Provisioning is the method used to provision the certificate. It can be either Manual or Automatic. In case manual provisioning is used, the certificate must be provided by the user. In case automatic provisioning is used, the certificate will be automatically generated by the system. |
secretRef SecretRef
|
CertificateSecretRef is the reference to the Secret containing the client certificate. |
Appears in:
ControlPlaneKonnectAPIAuthConfigurationRef
ControlPlaneKonnectAPIAuthConfigurationRef is a reference to a KonnectAPIAuthConfiguration resource in the control plane.
| Field | Description |
|---|---|
name string
|
Name is the name of the KonnectAPIAuthConfiguration resource. |
namespace *string
|
Namespace is the namespace of the KonnectAPIAuthConfiguration resource. If not specified, defaults to the same namespace as the KonnectConfiguration resource. |
Appears in:
ControlPlaneKonnectConfiguration
ControlPlaneKonnectConfiguration is the Schema for the KonnectConfiguration API in the control plane.
| Field | Description |
|---|---|
authRef ControlPlaneKonnectAPIAuthConfigurationRef
|
APIAuthConfigurationRef is the reference to the API Auth Configuration that should be used for this Konnect Configuration. |
Appears in:
DataPlaneClientAuthStatus
DataPlaneClientAuthStatus contains the status information related to the ClientAuth configuration.
| Field | Description |
|---|---|
certificateSecretRef SecretRef
|
CertificateSecretRef is the reference to the Secret containing the client certificate. |
Appears in:
DataPlaneLabelValue
Underlying type: string
DataPlaneLabelValue is the type that defines the value of a label that will be applied to the Konnect DataPlane.
Appears in:
KonnectAPIAuthConfigurationRef
KonnectAPIAuthConfigurationRef is a reference to a KonnectAPIAuthConfiguration resource.
| Field | Description |
|---|---|
name string
|
Name is the name of the KonnectAPIAuthConfiguration resource. |
Appears in:
KonnectConfiguration
KonnectConfiguration is the Schema for the KonnectConfiguration API.
| Field | Description |
|---|---|
authRef KonnectAPIAuthConfigurationRef
|
APIAuthConfigurationRef is the reference to the API Auth Configuration that should be used for this Konnect Configuration. |
Appears in:
- KonnectCloudGatewayNetworkSpec
- KonnectEventGatewaySpec
- KonnectExtensionKonnectSpec
- KonnectGatewayControlPlaneSpec
- PortalSpec
KonnectEndpoints
KonnectEndpoints defines the Konnect endpoints for the control plane.
| Field | Description |
|---|---|
telemetry string
|
TelemetryEndpoint is the endpoint for telemetry. |
controlPlane string
|
ControlPlaneEndpoint is the endpoint for the control plane. |
Appears in:
KonnectEntityStatus
KonnectEntityStatus represents the status of a Konnect entity.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
Appears in:
- KonnectCloudGatewayDataPlaneGroupConfigurationStatus
- KonnectCloudGatewayNetworkStatus
- KonnectCloudGatewayTransitGatewayStatus
- KonnectEntityStatusWithControlPlaneAndCertificateAndCACertificatesRefs
- KonnectEntityStatusWithControlPlaneAndCertificateRefs
- KonnectEntityStatusWithControlPlaneAndConsumerRefs
- KonnectEntityStatusWithControlPlaneAndKeySetRef
- KonnectEntityStatusWithControlPlaneAndServiceRefs
- KonnectEntityStatusWithControlPlaneAndUpstreamRefs
- KonnectEntityStatusWithControlPlaneRef
- KonnectEntityStatusWithNetworkRef
- KonnectEventGatewayStatus
- KonnectGatewayControlPlaneStatus
- KonnectGatewayControlPlaneStatus
- MCPServerStatus
- PortalStatus
KonnectEntityStatusWithControlPlaneAndCertificateAndCACertificatesRefs
KonnectEntityStatusWithControlPlaneAndCertificateAndCACertificatesRefs represents the status of a Konnect entity with references to a ControlPlane, a (client) Certificate, and a list of CA Certificates.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this entity is associated with. |
certificateID string
|
CertificateID is the Konnect ID of the client Certificate referenced by this entity. |
caCertificateIDs []string
|
CACertificateIDs lists the Konnect IDs of the CA Certificates referenced by this entity. |
Appears in:
KonnectEntityStatusWithControlPlaneAndCertificateRefs
KonnectEntityStatusWithControlPlaneAndCertificateRefs represents the status of a Konnect entity with references to a ControlPlane and a Certificate.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this entity is associated with. |
certificateID string
|
CertificateID is the Konnect ID of the Certificate this entity is associated with. |
Appears in:
KonnectEntityStatusWithControlPlaneAndConsumerRefs
KonnectEntityStatusWithControlPlaneAndConsumerRefs represents the status of a Konnect entity with references to a ControlPlane and a Consumer.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this Route is associated with. |
consumerID string
|
ConsumerID is the Konnect ID of the Consumer this entity is associated with. |
Appears in:
- KongCredentialACLStatus
- KongCredentialAPIKeyStatus
- KongCredentialBasicAuthStatus
- KongCredentialHMACStatus
- KongCredentialJWTStatus
KonnectEntityStatusWithControlPlaneAndKeySetRef
KonnectEntityStatusWithControlPlaneAndKeySetRef represents the status of a Konnect entity with references to a ControlPlane and a KeySet.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this entity is associated with. |
keySetID string
|
KeySetID is the Konnect ID of the KeySet this entity is associated with. |
Appears in:
KonnectEntityStatusWithControlPlaneAndServiceRefs
KonnectEntityStatusWithControlPlaneAndServiceRefs represents the status of a Konnect entity with references to a ControlPlane and a Service.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this entity is associated with. |
serviceID string
|
ServiceID is the Konnect ID of the Service this entity is associated with. |
Appears in:
KonnectEntityStatusWithControlPlaneAndUpstreamRefs
KonnectEntityStatusWithControlPlaneAndUpstreamRefs represents the status of a Konnect entity with references to a ControlPlane and an Upstream.
| Field | Description |
|---|---|
id string
|
ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
serverURL string
|
ServerURL is the URL of the Konnect server in which the entity exists. |
organizationID string
|
OrgID is the ID of the Konnect Org that this entity has been created in. |
controlPlaneID string
|
ControlPlaneID is the Konnect ID of the ControlPlane this entity is associated with. |
upstreamID string
|
UpstreamID is the Konnect ID of the Upstream this entity is associated with. |
Appears in:
KonnectEntityStatusWithControlPlaneRef
KonnectEntityStatusWithControlPlaneRef represents the status of a Konnect entity with a reference to a ControlPlane.
| Field | Description |
|---|---|
| id string | ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
| serverURL string | ServerURL is the URL of the Konnect server in which the entity exists. |
| organizationID string | OrgID is the ID of the Konnect Org that this entity has been created in. |
| controlPlaneID string | ControlPlaneID is the Konnect ID of the ControlPlane this Route is associated with. |
Appears in:
- KongCACertificateStatus
- KongCertificateStatus
- KongConsumerGroupStatus
- KongConsumerStatus
- KongDataPlaneClientCertificateStatus
- KongKeySetStatus
- KongPluginBindingStatus
- KongVaultStatus
- KonnectCloudGatewayDataPlaneGroupConfigurationStatus
- MCPServerStatus
KonnectEntityStatusWithNetworkRef
KonnectEntityStatusWithNetworkRef represents the status of a Konnect entity with reference to a Konnect cloud gateway network.
| Field | Description |
|---|---|
| id string | ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
| serverURL string | ServerURL is the URL of the Konnect server in which the entity exists. |
| organizationID string | OrgID is the ID of the Konnect Org that this entity has been created in. |
| networkID string | NetworkID is the Konnect ID of the Konnect cloud gateway network this entity is associated with. |
Appears in:
KonnectExtensionClientAuth
KonnectExtensionClientAuth contains the configuration for the client authentication for the DataPlane. At the moment, authentication is supported only through a client certificate, but it might be extended in the future with, e.g., token-based authentication.
| Field | Description |
|---|---|
| certificateSecret CertificateSecret | CertificateSecret contains the information to access the client certificate. |
Appears in:
KonnectExtensionClusterType
Underlying type: string
KonnectExtensionClusterType is the type of the Konnect Control Plane.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| ControlPlane | ClusterTypeControlPlane is the type of the Konnect Control Plane. |
| K8SIngressController | ClusterTypeK8sIngressController is the type of the Kubernetes Control Plane. |
| ControlPlaneGroup | ClusterTypeControlPlaneGroup is the type of the Control Plane Group. |
KonnectExtensionControlPlane
KonnectExtensionControlPlane is the configuration for the Konnect Control Plane.
| Field | Description |
|---|---|
| ref KonnectExtensionControlPlaneRef | Ref is a reference to a Konnect ControlPlane this KonnectExtension is associated with. |
Appears in:
KonnectExtensionControlPlaneStatus
KonnectExtensionControlPlaneStatus contains the Konnect Control Plane status information.
| Field | Description |
|---|---|
| controlPlaneID string | ControlPlaneID is the Konnect ID of the ControlPlane this KonnectExtension is associated with. |
| clusterType KonnectExtensionClusterType | ClusterType is the type of the Konnect Control Plane. |
| endpoints KonnectEndpoints | Endpoints defines the Konnect endpoints for the control plane. |
| authRef ControlPlaneKonnectAPIAuthConfigurationRef | AuthRef is the reference to the KonnectAPIAuthConfiguration used to authenticate with Konnect for a particular KonnectExtension and ControlPlane combination. |
Appears in:
KonnectExtensionDataPlane
KonnectExtensionDataPlane is the configuration for the Konnect DataPlane.
| Field | Description |
|---|---|
| labels DataPlaneLabelValue | Labels is a set of labels that will be applied to the Konnect DataPlane. |
Appears in:
KonnectExtensionKonnectSpec
KonnectExtensionKonnectSpec holds the Konnect-related configuration.
| Field | Description |
|---|---|
| controlPlane KonnectExtensionControlPlane | ControlPlane is the configuration for the Konnect Control Plane. |
| dataPlane KonnectExtensionDataPlane | DataPlane is the configuration for the Konnect DataPlane. |
Appears in:
KonnectExtensionSpec
KonnectExtensionSpec defines the desired state of KonnectExtension.
| Field | Description |
|---|---|
| konnect KonnectExtensionKonnectSpec | Konnect holds the Konnect-related configuration. |
| clientAuth KonnectExtensionClientAuth | ClientAuth is the configuration for the client certificate authentication. |
Appears in:
KonnectExtensionStatus
KonnectExtensionStatus defines the observed state of KonnectExtension.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the KonnectExtensionStatus. Known condition types are: |
| dataPlaneRefs NamespacedRef | DataPlaneRefs is the array of DataPlane references this is associated with. A new reference is set by the operator when this extension is associated with a DataPlane through its extensions spec. |
| controlPlaneRefs NamespacedRef | ControlPlaneRefs is the array of ControlPlane references this is associated with. A new reference is set by the operator when this extension is associated with a ControlPlane through its extensions spec. |
| dataPlaneClientAuth DataPlaneClientAuthStatus | DataPlaneClientAuth contains the configuration for the client certificate authentication for the DataPlane. |
| konnect KonnectExtensionControlPlaneStatus | Konnect contains the status information related to the Konnect Control Plane. |
Appears in:
KonnectGatewayControlPlaneSpec
KonnectGatewayControlPlaneSpec defines the desired state of KonnectGatewayControlPlane.
| Field | Description |
|---|---|
| createControlPlaneRequest *github.com/Kong/sdk-konnect-go/models/components.CreateControlPlaneRequest | CreateControlPlaneRequest is the request to create a Konnect Control Plane. |
| mirror MirrorSpec | Mirror is the Konnect Mirror configuration. It is only applicable for ControlPlanes that are created as Mirrors. |
| source EntitySource | Source represents the source type of the Konnect entity. |
| members LocalObjectReference array | Members is a list of references to the KonnectGatewayControlPlaneMembers that are part of this control plane group. Only applicable for ControlPlanes that are created as groups. |
| konnect ControlPlaneKonnectConfiguration | KonnectConfiguration contains the Konnect configuration for the control plane. |
Appears in:
KonnectGatewayControlPlaneStatus
KonnectGatewayControlPlaneStatus defines the observed state of KonnectGatewayControlPlane.
| Field | Description |
|---|---|
| conditions []k8s.io/apimachinery/pkg/apis/meta/v1.Condition | Conditions describe the current conditions of the KonnectGatewayControlPlane. Known condition types are: “Programmed”. |
| id string | ID is the unique identifier of the Konnect entity as assigned by Konnect API. If it’s unset (empty string), it means the Konnect entity hasn’t been created yet. |
| serverURL string | ServerURL is the URL of the Konnect server in which the entity exists. |
| organizationID string | OrgID is the ID of the Konnect Org that this entity has been created in. |
| clusterType github.com/Kong/sdk-konnect-go/models/components.ControlPlaneClusterType | ClusterType is the cluster type of the Konnect control plane. When the KonnectGatewayControlPlane is attached to a control plane in Konnect, ClusterType is filled with the cluster type of the control plane. |
| konnectEndpoints KonnectEndpoints | Endpoints defines the Konnect endpoints for the control plane. They are required by the DataPlane to be properly configured in Konnect and connect to the control plane. |
Appears in:
MirrorKonnect
MirrorKonnect contains the Konnect Mirror configuration.
| Field | Description |
|---|---|
| id KonnectIDType | ID is the ID of the Konnect entity. It can be set only in case the ControlPlane type is Mirror. |
Appears in:
MirrorSpec
MirrorSpec contains the Konnect Mirror configuration.
| Field | Description |
|---|---|
| konnect MirrorKonnect | Konnect contains the KonnectID of the KonnectGatewayControlPlane that is mirrored. |
Appears in:
ProvisioningMethod
Underlying type: string
ProvisioningMethod is the type of the provisioning methods available to provision the certificate.
Appears in:
Allowed values:
| Value | Description |
|---|---|
| Manual | ManualSecretProvisioning is the method used to provision the certificate manually. |
| Automatic | AutomaticSecretProvisioning is the method used to provision the certificate automatically. |
SecretRef
SecretRef contains the reference to the Secret containing the Konnect Control Plane’s cluster certificate.
| Field | Description |
|---|---|
| name string | Name is the name of the Secret containing the Konnect Control Plane’s cluster certificate. |
Appears in: