Add this section to your kong.yaml configuration file:
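# decK declarative configuration: enables the ACME plugin with Redis-backed
# storage and Azure cloud authentication for the Redis connection.
# Every ${{ env "DECK_*" }} value is taken from the environment when decK
# renders this file, so no credential is written into kong.yaml itself.
_format_version: "3.0"
plugins:
  - name: acme
    config:
      account_email: ${{ env "DECK_EMAIL" }}
      account_key:
        key_id: ${{ env "DECK_KEY_ID" }}
        key_set: ${{ env "DECK_KEY_SET" }}
      domains:
        - ${{ env "DECK_DOMAIN" }}
      tos_accepted: true
      storage: redis
      storage_config:
        redis:
          host: ${{ env "DECK_INSTANCE_ADDRESS" }}
          username: ${{ env "DECK_INSTANCE_USERNAME" }}
          # NOTE(review): no ssl / ssl_verify option is set for this Redis
          # connection. Confirm whether your Azure Redis endpoint requires
          # TLS, and if so use its TLS port and enable the Redis TLS options.
          port: 6379
          cloud_authentication:
            auth_provider: azure
            azure_client_id: ${{ env "DECK_AZURE_CLIENT_ID" }}
            # Service-principal secret: keep DECK_AZURE_CLIENT_SECRET out of
            # shell history and CI logs, and treat any rendered or dumped
            # copy of this configuration as sensitive.
            azure_client_secret: ${{ env "DECK_AZURE_CLIENT_SECRET" }}
            azure_tenant_id: ${{ env "DECK_AZURE_TENANT_ID" }}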
Make the following request:
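# Creates the ACME plugin through the Kong Admin API on localhost:8001.
# Each variable is expanded inside double quotes ('"$VAR"'), so a value that
# contains spaces or glob characters cannot be word-split out of --data.
# The values are not JSON-escaped: a value containing " or \ yields an
# invalid request body.
# NOTE: $AZURE_CLIENT_SECRET becomes part of curl's argument list, which other
# local users may be able to read from the process list. On shared hosts,
# consider passing the body from a file or stdin instead.
curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "acme",
      "config": {
        "account_email": "'"$EMAIL"'",
        "account_key": {
          "key_id": "'"$KEY_ID"'",
          "key_set": "'"$KEY_SET"'"
        },
        "domains": [
          "'"$DOMAIN"'"
        ],
        "tos_accepted": true,
        "storage": "redis",
        "storage_config": {
          "redis": {
            "host": "'"$INSTANCE_ADDRESS"'",
            "username": "'"$INSTANCE_USERNAME"'",
            "port": 6379,
            "cloud_authentication": {
              "auth_provider": "azure",
              "azure_client_id": "'"$AZURE_CLIENT_ID"'",
              "azure_client_secret": "'"$AZURE_CLIENT_SECRET"'",
              "azure_tenant_id": "'"$AZURE_TENANT_ID"'"
            }
          }
        }
      },
      "tags": []
    }
    '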
Make the following request:
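# Creates the ACME plugin on a Konnect control plane. Replace {region} and
# {controlPlaneId} in the URL before running the command.
# Each variable is expanded inside double quotes ('"$VAR"'), so a value that
# contains spaces or glob characters cannot be word-split out of --data.
# The values are not JSON-escaped: a value containing " or \ yields an
# invalid request body.
# NOTE: $KONNECT_TOKEN and $AZURE_CLIENT_SECRET both become part of curl's
# argument list, which other local users may be able to read from the process
# list. Keep them in environment variables rather than typing them literally,
# and on shared hosts consider passing the body from a file or stdin.
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "acme",
      "config": {
        "account_email": "'"$EMAIL"'",
        "account_key": {
          "key_id": "'"$KEY_ID"'",
          "key_set": "'"$KEY_SET"'"
        },
        "domains": [
          "'"$DOMAIN"'"
        ],
        "tos_accepted": true,
        "storage": "redis",
        "storage_config": {
          "redis": {
            "host": "'"$INSTANCE_ADDRESS"'",
            "username": "'"$INSTANCE_USERNAME"'",
            "port": 6379,
            "cloud_authentication": {
              "auth_provider": "azure",
              "azure_client_id": "'"$AZURE_CLIENT_ID"'",
              "azure_client_secret": "'"$AZURE_CLIENT_SECRET"'",
              "azure_tenant_id": "'"$AZURE_TENANT_ID"'"
            }
          }
        }
      },
      "tags": []
    }
    '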
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The ID of the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
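# Applies a KongClusterPlugin that enables the ACME plugin globally.
# The manifest's nesting is expressed by indentation, so it is written out in
# full here. The shell expands each $VAR inside the double-quoted string
# before kubectl sees the manifest.
# The values land inside single-quoted YAML scalars without escaping: a value
# containing ' produces a malformed or altered manifest.
# NOTE: azure_client_secret is stored in plain text in the KongClusterPlugin
# object, readable by anyone allowed to read that resource. Consider sourcing
# it from a Kubernetes Secret if your ingress controller version supports
# secret-backed plugin configuration (confirm against its documentation).
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: acme
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  account_email: '$EMAIL'
  account_key:
    key_id: '$KEY_ID'
    key_set: '$KEY_SET'
  domains:
  - '$DOMAIN'
  tos_accepted: true
  storage: redis
  storage_config:
    redis:
      host: '$INSTANCE_ADDRESS'
      username: '$INSTANCE_USERNAME'
      port: 6379
      cloud_authentication:
        auth_provider: azure
        azure_client_id: '$AZURE_CLIENT_ID'
        azure_client_secret: '$AZURE_CLIENT_SECRET'
        azure_tenant_id: '$AZURE_TENANT_ID'
plugin: acme
" | kubectl apply -f -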
Prerequisite: Configure your Personal Access Token
# Declares the Konnect provider and points it at the US Konnect API.
terraform {
  required_providers {
    # No version constraint is given, so `terraform init` selects whatever
    # release is current. Pin a version and commit .terraform.lock.hcl to keep
    # provider upgrades deliberate.
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  # "$KONNECT_TOKEN" is a placeholder: Terraform does not expand shell-style
  # $VAR inside strings. Supply the real token through a sensitive input
  # variable or similar mechanism instead of committing it to version control.
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
# ACME plugin on the referenced Konnect control plane, with Redis storage and
# Azure cloud authentication for the Redis connection.
resource "konnect_gateway_plugin_acme" "my_acme" {
  enabled = true

  config = {
    account_email = var.email
    account_key = {
      key_id  = var.key_id
      key_set = var.key_set
    }
    domains      = [var.domain]
    tos_accepted = true
    storage      = "redis"
    storage_config = {
      redis = {
        host     = var.instance_address
        username = var.instance_username
        port     = 6379
        cloud_authentication = {
          auth_provider   = "azure"
          azure_client_id = var.azure_client_id
          # Declare this variable with `sensitive = true` so that plans and
          # logs redact it. Terraform state records resource arguments, so
          # protect the state backend as you would the secret itself.
          azure_client_secret = var.azure_client_secret
          azure_tenant_id     = var.azure_tenant_id
        }
      }
    }
  }

  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
# Azure tenant ID referenced by the plugin's cloud_authentication block.
# It has no default, so supply it at runtime, for example through
# TF_VAR_azure_tenant_id.
variable "azure_tenant_id" {
  type = string
}