Add this section to your kong.yaml configuration file:
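# Declarative (decK) configuration enabling the ACME plugin with Redis storage
# that authenticates to AWS through cloud_authentication.
# Nesting is restored here: the keys below belong to the single `acme` plugin
# entry, not to the top level of the file.
# Each ${{ env "DECK_*" }} placeholder is filled from the environment when decK
# renders the file, so no credential needs to be written into it. Keep literal
# key material out of any copy of this file that is committed.
# After a sync the rendered values are part of the plugin configuration held by
# the gateway, so treat configuration dumps and Admin API read access as
# sensitive.
_format_version: "3.0"
plugins:
  - name: acme
    config:
      account_email: ${{ env "DECK_EMAIL" }}
      account_key:
        key_id: ${{ env "DECK_KEY_ID" }}
        key_set: ${{ env "DECK_KEY_SET" }}
      domains:
        - ${{ env "DECK_DOMAIN" }}
      tos_accepted: true
      storage: redis
      storage_config:
        redis:
          host: ${{ env "DECK_INSTANCE_ADDRESS" }}
          username: ${{ env "DECK_INSTANCE_USERNAME" }}
          port: 6379
          # NOTE(review): no TLS setting appears in this example. AWS documents
          # in-transit encryption as a requirement for ElastiCache IAM
          # authentication; confirm whether the redis `ssl` / `ssl_verify`
          # options must be enabled for this connection.
          cloud_authentication:
            auth_provider: aws
            aws_cache_name: ${{ env "DECK_AWS_CACHE_NAME" }}
            aws_is_serverless: false
            aws_region: ${{ env "DECK_AWS_REGION" }}
            # Static, long-lived key pair. Scope its IAM policy to this cache
            # only and rotate it. NOTE(review): check whether these fields
            # accept a vault reference in your Kong version.
            aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
            aws_secret_access_key: ${{ env "DECK_AWS_ACCESS_SECRET_KEY" }}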
Make the following request:
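# Create the ACME plugin through the Admin API on localhost:8001.
#
# Each shell variable is spliced into the JSON body with the sequence
# "'"$VAR"'": close the single-quoted string, expand the variable inside
# double quotes (so it is not word-split or glob-expanded), then reopen the
# single-quoted string. The original '$VAR' form left the expansion unquoted.
#
# Values are inserted verbatim: a double quote or backslash inside a value
# yields malformed JSON, so validate the variables before running this.
#
# The expanded body, including the AWS secret access key, becomes part of the
# curl argument list and is visible in local process listings while the command
# runs; export the variables from a protected source rather than typing the
# values inline.
curl -i -X POST http://localhost:8001/plugins/ \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "acme",
    "config": {
      "account_email": "'"$EMAIL"'",
      "account_key": {
        "key_id": "'"$KEY_ID"'",
        "key_set": "'"$KEY_SET"'"
      },
      "domains": [
        "'"$DOMAIN"'"
      ],
      "tos_accepted": true,
      "storage": "redis",
      "storage_config": {
        "redis": {
          "host": "'"$INSTANCE_ADDRESS"'",
          "username": "'"$INSTANCE_USERNAME"'",
          "port": 6379,
          "cloud_authentication": {
            "auth_provider": "aws",
            "aws_cache_name": "'"$AWS_CACHE_NAME"'",
            "aws_is_serverless": false,
            "aws_region": "'"$AWS_REGION"'",
            "aws_access_key_id": "'"$AWS_ACCESS_KEY_ID"'",
            "aws_secret_access_key": "'"$AWS_ACCESS_SECRET_KEY"'"
          }
        }
      }
    },
    "tags": []
  }
  '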
Make the following request:
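# Create the ACME plugin on a Konnect control plane.
# {region} and {controlPlaneId} in the URL are placeholders to replace by hand
# before running the command.
#
# Each shell variable is spliced into the JSON body with the sequence
# "'"$VAR"'": close the single-quoted string, expand the variable inside
# double quotes (so it is not word-split or glob-expanded), then reopen the
# single-quoted string. The original '$VAR' form left the expansion unquoted.
#
# Values are inserted verbatim: a double quote or backslash inside a value
# yields malformed JSON, so validate the variables before running this.
#
# Both the bearer token and the AWS secret access key end up in the curl
# argument list and are visible in local process listings while the command
# runs; use a token with the narrowest scope that can manage this control plane.
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $KONNECT_TOKEN" \
  --data '
  {
    "name": "acme",
    "config": {
      "account_email": "'"$EMAIL"'",
      "account_key": {
        "key_id": "'"$KEY_ID"'",
        "key_set": "'"$KEY_SET"'"
      },
      "domains": [
        "'"$DOMAIN"'"
      ],
      "tos_accepted": true,
      "storage": "redis",
      "storage_config": {
        "redis": {
          "host": "'"$INSTANCE_ADDRESS"'",
          "username": "'"$INSTANCE_USERNAME"'",
          "port": 6379,
          "cloud_authentication": {
            "auth_provider": "aws",
            "aws_cache_name": "'"$AWS_CACHE_NAME"'",
            "aws_is_serverless": false,
            "aws_region": "'"$AWS_REGION"'",
            "aws_access_key_id": "'"$AWS_ACCESS_KEY_ID"'",
            "aws_secret_access_key": "'"$AWS_ACCESS_SECRET_KEY"'"
          }
        }
      }
    },
    "tags": []
  }
  '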
Make sure to replace the following placeholders with your own values:
- region: The geographic region where your Kong Konnect instance is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The ID of the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
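# Apply a KongClusterPlugin that enables the ACME plugin globally.
# The manifest's nesting is restored: name, namespace, annotations and labels
# sit under metadata, and the plugin settings sit under config.
#
# The shell expands every $VAR inside the double-quoted string before kubectl
# sees the manifest; the single quotes are YAML quoting, so a value containing
# a single quote breaks the document.
#
# The AWS key pair is written as plain fields of the KongClusterPlugin object,
# so any principal allowed to read that resource can read the secret key.
# NOTE(review): the ingress controller can source plugin configuration from a
# Kubernetes Secret (configFrom / configPatches); confirm which form your
# controller version supports and prefer it for the credential fields.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: acme
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  account_email: '$EMAIL'
  account_key:
    key_id: '$KEY_ID'
    key_set: '$KEY_SET'
  domains:
    - '$DOMAIN'
  tos_accepted: true
  storage: redis
  storage_config:
    redis:
      host: '$INSTANCE_ADDRESS'
      username: '$INSTANCE_USERNAME'
      port: 6379
      cloud_authentication:
        auth_provider: aws
        aws_cache_name: '$AWS_CACHE_NAME'
        aws_is_serverless: false
        aws_region: '$AWS_REGION'
        aws_access_key_id: '$AWS_ACCESS_KEY_ID'
        aws_secret_access_key: '$AWS_ACCESS_SECRET_KEY'
plugin: acme
" | kubectl apply -f -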
Prerequisite: Configure your Personal Access Token
# Declares the Konnect provider as a required provider, sourced from
# kong/konnect.
# NOTE(review): no version constraint is given, so the provider release is
# chosen at init time. Add a version constraint and commit the dependency lock
# file so the resolved provider build is pinned and reviewable.
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
# Configures the Konnect provider with a Personal Access Token and the US
# regional API endpoint.
# Terraform does not expand a shell-style $NAME inside a string, so
# "$KONNECT_TOKEN" is a placeholder for the real token. Supply the token from a
# variable marked sensitive or another out-of-band source rather than a literal
# in a committed file.
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
# ACME plugin on the referenced Konnect control plane, storing its data in
# Redis and authenticating to it through AWS cloud authentication.
# All environment-specific values come from input variables.
resource "konnect_gateway_plugin_acme" "my_acme" {
  enabled = true

  config = {
    account_email = var.email
    account_key = {
      key_id  = var.key_id
      key_set = var.key_set
    }
    domains      = [var.domain]
    tos_accepted = true
    storage      = "redis"
    storage_config = {
      redis = {
        host     = var.instance_address
        username = var.instance_username
        port     = 6379
        cloud_authentication = {
          auth_provider     = "aws"
          aws_cache_name    = var.aws_cache_name
          aws_is_serverless = false
          aws_region        = var.aws_region
          # Static AWS key pair: both values are recorded in Terraform state,
          # so restrict who can read the state.
          aws_access_key_id     = var.aws_access_key_id
          aws_secret_access_key = var.aws_access_secret_key
        }
      }
    }
  }

  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
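# AWS secret access key passed to the plugin's Redis cloud authentication.
# Marked sensitive so Terraform redacts the value in plan and apply output.
# The value is still written to the state file in clear text, so keep the state
# backend encrypted and access-controlled.
variable "aws_access_secret_key" {
  type      = string
  sensitive = true
}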