Kubernetes Secrets with Kong Operator

Kong Operator uses a strict filtering mechanism for watching Kubernetes Secrets. To prevent Kong Operator from reconciling every Secret in the cluster, which can be expensive and insecure, it only watches Secrets that are explicitly labeled.

All Secrets referenced by Kong resources must have the following label:

metadata:
  labels:
    konghq.com/secret: "true"

If this label is missing, Kong Operator will ignore the Secret, even if it’s correctly referenced in other resources.

Types of Secrets

The following Secret types can be configured with Kong Operator.

TLS certificates

TLS certificates can be referenced in Gateway listeners or in KongPlugin configuration.

apiVersion: v1
kind: Secret
metadata:
  name: my-cert
  namespace: kong
  labels:
    konghq.com/secret: "true"
type: kubernetes.io/tls
data:
  tls.crt: $CERT_CONTENT
  tls.key: $KEY_CONTENT

Consumer credentials

Consumer credentials can be referenced in KongConsumer resources. In addition to the konghq.com/secret: "true" label, these Secrets usually require a type-specific credential label. In this example, konghq.com/credential: key-auth is needed to identify the credential type:

apiVersion: v1
kind: Secret
metadata:
  name: my-apikey
  namespace: kong
  labels:
    konghq.com/secret: "true"
    konghq.com/credential: key-auth
type: Opaque
stringData:
  key: my-secret-key

Plugin configuration

Some plugins allow referencing a Secret for sensitive configuration values:

apiVersion: v1
kind: Secret
metadata:
  name: plugin-secret
  namespace: kong
  labels:
    konghq.com/secret: "true"
type: Opaque
stringData:
  secret-value: "super-secure"

Troubleshooting

If your Gateway, KongConsumer, or KongPlugin has the status Programmed or Created but still returns an error (for example, 401 Unauthorized, or the default certificate is served instead of yours), check the labels on the referenced Secret and ensure that konghq.com/secret is present and set to "true":

kubectl get secret $SECRET_NAME -n $NAMESPACE --show-labels
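The label check above can be applied to every Secret in a namespace at once. The following script is an added example, not part of the Kong documentation or the operator's code: it takes the JSON that `kubectl get secrets -n kong -o json` prints and reports each Secret that the operator would ignore, using the three Secret usages described on this page (the sample data is constructed inline; the usage names "tls", "credential" and "plugin" are this script's own convention).

```python
import json

SECRET_LABEL = "konghq.com/secret"
CREDENTIAL_LABEL = "konghq.com/credential"


def check_kong_secret(secret, usage="plugin"):
    """Return problems that would make Kong Operator ignore `secret`.
    `usage` is "tls", "credential" or "plugin" (the three types on this page)."""
    meta = secret.get("metadata", {})
    labels = meta.get("labels") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    problems = []
    value = labels.get(SECRET_LABEL)
    if value is None:
        problems.append(f"{name}: label {SECRET_LABEL} is missing")
    elif value != "true":
        # Values such as "True" or "yes" are valid labels but do not match the
        # operator's filter, which expects exactly the string "true".
        problems.append(f'{name}: label {SECRET_LABEL} is {value!r}, expected the string "true"')
    if usage == "credential" and CREDENTIAL_LABEL not in labels:
        problems.append(f"{name}: consumer credential needs label {CREDENTIAL_LABEL} (e.g. key-auth)")
    if usage == "tls" and secret.get("type") != "kubernetes.io/tls":
        problems.append(f"{name}: TLS certificate Secret should have type kubernetes.io/tls")
    return problems


def audit_secret_list(kubectl_json, usages):
    """Check every item of `kubectl get secrets -o json` output.
    `usages` maps Secret name -> usage; unlisted Secrets are checked as plugin Secrets."""
    report = {}
    for item in json.loads(kubectl_json).get("items", []):
        sname = item["metadata"]["name"]
        problems = check_kong_secret(item, usages.get(sname, "plugin"))
        if problems:
            report[sname] = problems
    return report


# Constructed sample in the shape kubectl returns: "my-cert" is correct,
# "my-apikey" lacks the credential label, "plugin-secret" has no filter label.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "my-cert", "namespace": "kong",
                  "labels": {SECRET_LABEL: "true"}}, "type": "kubernetes.io/tls"},
    {"metadata": {"name": "my-apikey", "namespace": "kong",
                  "labels": {SECRET_LABEL: "true"}}, "type": "Opaque"},
    {"metadata": {"name": "plugin-secret", "namespace": "kong",
                  "labels": {"app": "demo"}}, "type": "Opaque"},
]})
SAMPLE_USAGES = {"my-cert": "tls", "my-apikey": "credential"}
```

Run it against live output with `kubectl get secrets -n kong -o json | python3 -c 'import sys, audit; print(audit.audit_secret_list(sys.stdin.read(), audit.SAMPLE_USAGES))'`, substituting your own name-to-usage map.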