LabelSelectors

Minimum Version: Kong Gateway Operator - 2.0

There can be many Secrets and ConfigMaps in the cluster, but only a few are actually used by Kong Operator. To reduce the number of Secrets and ConfigMaps that are reconciled, and with it the memory cost, Kong Operator supports label selectors that limit which Secrets and ConfigMaps it reconciles.

Kong Operator level label selectors

Kong Operator allows you to set label selectors for Secrets and ConfigMaps globally using the CLI flags --secret-label-selector and --config-map-label-selector.

Secrets:

  • When --secret-label-selector is not empty, only Secrets that carry a label whose key is the one specified in --secret-label-selector and whose value is "true" are reconciled by Kong Operator.
  • This filter applies to all secrets reconciled by any controllers spawned for ControlPlanes.
  • By default, --secret-label-selector is set to konghq.com/secret.

ConfigMaps:

  • Similarly, when --config-map-label-selector is set, only ConfigMaps that carry a label whose key is the one specified in --config-map-label-selector and whose value is "true" are reconciled.
  • By default, --config-map-label-selector is set to konghq.com/configmap.

For example, if --secret-label-selector is set to konghq.com/secret, you need to add the label konghq.com/secret=true to your cluster CA secret for it to be reconciled by Kong Operator. Otherwise, Kong Operator cannot find the secret in its cached client, and the deployment of Kong Gateway cannot continue.

Label selectors per ControlPlane

The ControlPlane CRD also supports configuring label selectors for the Secrets and ConfigMaps it reconciles, through spec.objectFilters.secrets.matchLabels and spec.objectFilters.configMaps.matchLabels.

For example, the following ControlPlane is configured to reconcile only secrets with the label kong-cp-secret set to true:

apiVersion: gateway-operator.konghq.com/v2beta1
kind: ControlPlane
metadata:
  name: controlplane-v2-label-selector-example
spec:
  ingressClass: kong
  dataplane:
    type: ref
    ref:
      name: dataplane-name
  featureGates:
  - name: GatewayAlpha
    state: enabled
  controllers:
  - name: Konnect
    state: enabled
  objectFilters:
    secrets:
      matchLabels:
        kong-cp-secret: "true"

Only the secrets with the label kong-cp-secret set to “true” are reconciled by the controller spawned for the ControlPlane. If --secret-label-selector is also configured in Kong Operator, the secrets must also have the label named in --secret-label-selector set to true to be reconciled by the controller.

Conflicts with Kong Operator level label selectors

If the label selectors configured in the ControlPlane include the same key as the one configured in Kong Operator, this is considered a conflict.

In this scenario, the controllers cannot be started for the ControlPlane. The ControlPlane’s status is updated to include an OptionsValid condition set to False, with a message indicating the label selector conflict.
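
The rules above (operator-level key with value "true", ControlPlane matchLabels, and the conflict case) can be checked before deployment with a small model like the following. This is an added example, not Kong Operator code: the function names and sample objects are hypothetical, and the matching logic is only a restatement of the behavior described on this page.

```python
"""Preflight model of the label-selector rules described on this page.
Not Kong Operator code: function names and sample objects are hypothetical."""

OPERATOR_SECRET_KEY = "konghq.com/secret"  # default of --secret-label-selector per this page
CP_MATCH_LABELS = {"kong-cp-secret": "true"}  # matchLabels from the ControlPlane example


def find_conflicts(operator_key, cp_match_labels):
    """Keys configured both in the operator flag and in the ControlPlane matchLabels."""
    if not operator_key:
        return []
    return [k for k in cp_match_labels if k == operator_key]


def is_reconciled(labels, operator_key, cp_match_labels):
    """True when an object's labels pass both the operator-level and ControlPlane filters."""
    if find_conflicts(operator_key, cp_match_labels):
        # Per the page: on conflict the controllers are not started for the ControlPlane.
        return False
    if operator_key and labels.get(operator_key) != "true":
        return False
    return all(labels.get(k) == v for k, v in cp_match_labels.items())


def invisible_secrets(secrets, operator_key, cp_match_labels):
    """Names of Secrets the ControlPlane's controllers would not see."""
    return [
        s["metadata"]["name"]
        for s in secrets
        if not is_reconciled(s["metadata"].get("labels") or {}, operator_key, cp_match_labels)
    ]


# Constructed sample objects (metadata only), not taken from a real cluster.
SAMPLE_SECRETS = [
    {"metadata": {"name": "cluster-ca",
                  "labels": {"konghq.com/secret": "true", "kong-cp-secret": "true"}}},
    {"metadata": {"name": "only-operator-label", "labels": {"konghq.com/secret": "true"}}},
    {"metadata": {"name": "only-cp-label", "labels": {"kong-cp-secret": "true"}}},
    {"metadata": {"name": "wrong-value",
                  "labels": {"konghq.com/secret": "yes", "kong-cp-secret": "true"}}},
    {"metadata": {"name": "unlabelled"}},
]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(OPERATOR_SECRET_KEY, CP_MATCH_LABELS))
    print("not reconciled:",
          invisible_secrets(SAMPLE_SECRETS, OPERATOR_SECRET_KEY, CP_MATCH_LABELS))
```

Running it against exported Secret metadata shows which objects need an extra label before the ControlPlane can use them.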
