RAG injection with ACLs using OpenAI and Redis
v3.13+
Configure the AI RAG Injector plugin with access control lists (ACLs) to restrict which consumer groups can access specific knowledge base collections. This configuration uses Redis as the vector database and OpenAI text-embedding-3-large for embeddings.
The example demonstrates a three-tier access model:
- Public documents accessible to all authenticated users
- Finance reports restricted to finance and executive groups
- Executive confidential content accessible only to executives
Check this how-to guide for a detailed walkthrough.
Prerequisites
- You have enabled the AI Proxy or AI Proxy Advanced plugin
- You have configured Key Auth or another authentication plugin
- You have created Consumer Groups that match your ACL configuration
- You have an OpenAI account
- A Redis instance
- Port 6379, or your custom Redis port, is open and reachable from Kong Gateway
Environment variables
- OPENAI_API_KEY: The API key to use to connect to OpenAI
- REDIS_HOST: The Redis server’s host
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-rag-injector
    config:
      inject_template: |
        Use the following context to answer the question. If the context doesnt contain relevant information, say so.
        Context:
        <CONTEXT>
        Question: <PROMPT>
      inject_as_role: system
      consumer_identifier: consumer_group
      global_acl_config:
        allow:
          - public
        deny: []
      collection_acl_config:
        public-docs:
          allow: []
          deny: []
        finance-reports:
          allow:
            - finance
            - executive
          deny:
            - contractor
        executive-confidential:
          allow:
            - executive
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          provider: openai
          name: text-embedding-3-large
      vectordb:
        strategy: redis
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
        distance_metric: cosine
        dimensions: 3072
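An offline check of the three-tier model, added here as an example (it is not Kong's code). It models ACL evaluation under three assumptions, which you should confirm against the plugin reference for your Gateway version: deny is checked before allow, an empty allow list admits every group, and a collection entry replaces the global ACL instead of merging with it. `INTENDED`, `GROUPS`, `DRIFTED` and the function names are illustrative; `DRIFTED` is a constructed misconfiguration.

```python
"""Audit the page's ACL blocks against the intended three-tier access model."""

# ACL blocks copied from the plugin configuration on this page.
GLOBAL_ACL = {"allow": ["public"], "deny": []}
COLLECTION_ACL = {
    "public-docs": {"allow": [], "deny": []},
    "finance-reports": {"allow": ["finance", "executive"], "deny": ["contractor"]},
    "executive-confidential": {"allow": ["executive"]},
}

# Intended access, taken from the three bullet points at the top of the page.
# None means "every authenticated group".
INTENDED = {
    "public-docs": None,
    "finance-reports": {"finance", "executive"},
    "executive-confidential": {"executive"},
}

# Consumer groups named anywhere in the configuration.
GROUPS = ["public", "finance", "executive", "contractor"]


def is_allowed(groups, collection, collection_acl=COLLECTION_ACL, global_acl=GLOBAL_ACL):
    """Decide access for a consumer that belongs to `groups`.

    ASSUMPTIONS (not taken from the page):
      * a collection without its own entry falls back to the global ACL;
      * a collection entry replaces the global ACL, it does not merge with it;
      * deny is evaluated first, and a deny match on any group wins;
      * an empty or missing allow list admits every group that was not denied.
    """
    acl = collection_acl.get(collection, global_acl)
    member_of = set(groups)
    if member_of & set(acl.get("deny") or []):
        return False
    allow = set(acl.get("allow") or [])
    return not allow or bool(member_of & allow)


def access_matrix(collection_acl=COLLECTION_ACL):
    """Map (group, collection) to the access decision for single-group consumers."""
    return {
        (group, collection): is_allowed([group], collection, collection_acl)
        for collection in collection_acl
        for group in GROUPS
    }


def audit(collection_acl=COLLECTION_ACL):
    """Return (group, collection, problem) for every decision that differs from INTENDED."""
    findings = []
    for (group, collection), granted in access_matrix(collection_acl).items():
        wanted = INTENDED[collection]
        expected = wanted is None or group in wanted
        if granted != expected:
            problem = "over-permissive" if granted else "over-restrictive"
            findings.append((group, collection, problem))
    return findings


# Constructed drift: the allow list on the most sensitive collection is emptied.
# Under the assumptions above, that opens the collection to every group.
DRIFTED = {**COLLECTION_ACL, "executive-confidential": {"allow": [], "deny": []}}


if __name__ == "__main__":
    for (group, collection), granted in access_matrix().items():
        print(f"{group:<11} {collection:<24} {'allow' if granted else 'deny'}")
    print("page config findings:", audit())
    print("drifted config findings:", audit(DRIFTED))
    # A consumer in both an allowed and a denied group is denied.
    print("finance+contractor on finance-reports:",
          is_allowed(["finance", "contractor"], "finance-reports"))
```

Run the audit in CI against the ACL blocks you actually deploy, so that an emptied allow list on a restricted collection is caught before it reaches the gateway.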
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: ai-rag-injector
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  inject_template: |
    Use the following context to answer the question. If the context doesnt contain relevant information, say so.
    Context:
    <CONTEXT>
    Question: <PROMPT>
  inject_as_role: system
  consumer_identifier: consumer_group
  global_acl_config:
    allow:
      - public
    deny: []
  collection_acl_config:
    public-docs:
      allow: []
      deny: []
    finance-reports:
      allow:
        - finance
        - executive
      deny:
        - contractor
    executive-confidential:
      allow:
        - executive
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      provider: openai
      name: text-embedding-3-large
  vectordb:
    strategy: redis
    redis:
      host: '$REDIS_HOST'
      port: 6379
    distance_metric: cosine
    dimensions: 3072
plugin: ai-rag-injector
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_rag_injector" "my_ai_rag_injector" {
  enabled = true
  config = {
    inject_template = <<EOF
Use the following context to answer the question. If the context doesnt contain relevant information, say so.
Context:
<CONTEXT>
Question: <PROMPT>
EOF
    inject_as_role = "system"
    consumer_identifier = "consumer_group"
    global_acl_config = {
      allow = ["public"]
      deny = []
    }
    collection_acl_config = {
      public-docs = {
        allow = []
        deny = []
      }
      finance-reports = {
        allow = ["finance", "executive"]
        deny = ["contractor"]
      }
      executive-confidential = {
        allow = ["executive"]
      }
    }
    embeddings = {
      auth = {
        header_name = "Authorization"
        # Interpolate the variable; a bare var.openai_api_key inside quotes is sent as literal text.
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        provider = "openai"
        name = "text-embedding-3-large"
      }
    }
    vectordb = {
      strategy = "redis"
      redis = {
        host = var.redis_host
        port = 6379
      }
      distance_metric = "cosine"
      dimensions = 3072
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
  sensitive = true
}
variable "redis_host" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-rag-injector
    service: serviceName|Id
    config:
      inject_template: |
        Use the following context to answer the question. If the context doesnt contain relevant information, say so.
        Context:
        <CONTEXT>
        Question: <PROMPT>
      inject_as_role: system
      consumer_identifier: consumer_group
      global_acl_config:
        allow:
          - public
        deny: []
      collection_acl_config:
        public-docs:
          allow: []
          deny: []
        finance-reports:
          allow:
            - finance
            - executive
          deny:
            - contractor
        executive-confidential:
          allow:
            - executive
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          provider: openai
          name: text-embedding-3-large
      vectordb:
        strategy: redis
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
        distance_metric: cosine
        dimensions: 3072
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- serviceId: The id of the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-rag-injector
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  inject_template: |
    Use the following context to answer the question. If the context doesnt contain relevant information, say so.
    Context:
    <CONTEXT>
    Question: <PROMPT>
  inject_as_role: system
  consumer_identifier: consumer_group
  global_acl_config:
    allow:
      - public
    deny: []
  collection_acl_config:
    public-docs:
      allow: []
      deny: []
    finance-reports:
      allow:
        - finance
        - executive
      deny:
        - contractor
    executive-confidential:
      allow:
        - executive
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      provider: openai
      name: text-embedding-3-large
  vectordb:
    strategy: redis
    redis:
      host: '$REDIS_HOST'
      port: 6379
    distance_metric: cosine
    dimensions: 3072
plugin: ai-rag-injector
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-rag-injector
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_rag_injector" "my_ai_rag_injector" {
  enabled = true
  config = {
    inject_template = <<EOF
Use the following context to answer the question. If the context doesnt contain relevant information, say so.
Context:
<CONTEXT>
Question: <PROMPT>
EOF
    inject_as_role = "system"
    consumer_identifier = "consumer_group"
    global_acl_config = {
      allow = ["public"]
      deny = []
    }
    collection_acl_config = {
      public-docs = {
        allow = []
        deny = []
      }
      finance-reports = {
        allow = ["finance", "executive"]
        deny = ["contractor"]
      }
      executive-confidential = {
        allow = ["executive"]
      }
    }
    embeddings = {
      auth = {
        header_name = "Authorization"
        # Interpolate the variable; a bare var.openai_api_key inside quotes is sent as literal text.
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        provider = "openai"
        name = "text-embedding-3-large"
      }
    }
    vectordb = {
      strategy = "redis"
      redis = {
        host = var.redis_host
        port = 6379
      }
      distance_metric = "cosine"
      dimensions = 3072
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
  sensitive = true
}
variable "redis_host" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-rag-injector
    route: routeName|Id
    config:
      inject_template: |
        Use the following context to answer the question. If the context doesnt contain relevant information, say so.
        Context:
        <CONTEXT>
        Question: <PROMPT>
      inject_as_role: system
      consumer_identifier: consumer_group
      global_acl_config:
        allow:
          - public
        deny: []
      collection_acl_config:
        public-docs:
          allow: []
          deny: []
        finance-reports:
          allow:
            - finance
            - executive
          deny:
            - contractor
        executive-confidential:
          allow:
            - executive
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          provider: openai
          name: text-embedding-3-large
      vectordb:
        strategy: redis
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
        distance_metric: cosine
        dimensions: 3072
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- routeId: The id of the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-rag-injector
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  inject_template: |
    Use the following context to answer the question. If the context doesnt contain relevant information, say so.
    Context:
    <CONTEXT>
    Question: <PROMPT>
  inject_as_role: system
  consumer_identifier: consumer_group
  global_acl_config:
    allow:
      - public
    deny: []
  collection_acl_config:
    public-docs:
      allow: []
      deny: []
    finance-reports:
      allow:
        - finance
        - executive
      deny:
        - contractor
    executive-confidential:
      allow:
        - executive
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      provider: openai
      name: text-embedding-3-large
  vectordb:
    strategy: redis
    redis:
      host: '$REDIS_HOST'
      port: 6379
    distance_metric: cosine
    dimensions: 3072
plugin: ai-rag-injector
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=ai-rag-injector
kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=ai-rag-injector
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_rag_injector" "my_ai_rag_injector" {
  enabled = true
  config = {
    inject_template = <<EOF
Use the following context to answer the question. If the context doesnt contain relevant information, say so.
Context:
<CONTEXT>
Question: <PROMPT>
EOF
    inject_as_role = "system"
    consumer_identifier = "consumer_group"
    global_acl_config = {
      allow = ["public"]
      deny = []
    }
    collection_acl_config = {
      public-docs = {
        allow = []
        deny = []
      }
      finance-reports = {
        allow = ["finance", "executive"]
        deny = ["contractor"]
      }
      executive-confidential = {
        allow = ["executive"]
      }
    }
    embeddings = {
      auth = {
        header_name = "Authorization"
        # Interpolate the variable; a bare var.openai_api_key inside quotes is sent as literal text.
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        provider = "openai"
        name = "text-embedding-3-large"
      }
    }
    vectordb = {
      strategy = "redis"
      redis = {
        host = var.redis_host
        port = 6379
      }
      distance_metric = "cosine"
      dimensions = 3072
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
  sensitive = true
}
variable "redis_host" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-rag-injector
    consumer: consumerName|Id
    config:
      inject_template: |
        Use the following context to answer the question. If the context doesnt contain relevant information, say so.
        Context:
        <CONTEXT>
        Question: <PROMPT>
      inject_as_role: system
      consumer_identifier: consumer_group
      global_acl_config:
        allow:
          - public
        deny: []
      collection_acl_config:
        public-docs:
          allow: []
          deny: []
        finance-reports:
          allow:
            - finance
            - executive
          deny:
            - contractor
        executive-confidential:
          allow:
            - executive
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          provider: openai
          name: text-embedding-3-large
      vectordb:
        strategy: redis
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
        distance_metric: cosine
        dimensions: 3072
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- consumerId: The id of the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-rag-injector
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  inject_template: |
    Use the following context to answer the question. If the context doesnt contain relevant information, say so.
    Context:
    <CONTEXT>
    Question: <PROMPT>
  inject_as_role: system
  consumer_identifier: consumer_group
  global_acl_config:
    allow:
      - public
    deny: []
  collection_acl_config:
    public-docs:
      allow: []
      deny: []
    finance-reports:
      allow:
        - finance
        - executive
      deny:
        - contractor
    executive-confidential:
      allow:
        - executive
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      provider: openai
      name: text-embedding-3-large
  vectordb:
    strategy: redis
    redis:
      host: '$REDIS_HOST'
      port: 6379
    distance_metric: cosine
    dimensions: 3072
plugin: ai-rag-injector
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong kongconsumer CONSUMER_NAME konghq.com/plugins=ai-rag-injector
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_rag_injector" "my_ai_rag_injector" {
  enabled = true
  config = {
    inject_template = <<EOF
Use the following context to answer the question. If the context doesnt contain relevant information, say so.
Context:
<CONTEXT>
Question: <PROMPT>
EOF
    inject_as_role = "system"
    consumer_identifier = "consumer_group"
    global_acl_config = {
      allow = ["public"]
      deny = []
    }
    collection_acl_config = {
      public-docs = {
        allow = []
        deny = []
      }
      finance-reports = {
        allow = ["finance", "executive"]
        deny = ["contractor"]
      }
      executive-confidential = {
        allow = ["executive"]
      }
    }
    embeddings = {
      auth = {
        header_name = "Authorization"
        # Interpolate the variable; a bare var.openai_api_key inside quotes is sent as literal text.
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        provider = "openai"
        name = "text-embedding-3-large"
      }
    }
    vectordb = {
      strategy = "redis"
      redis = {
        host = var.redis_host
        port = 6379
      }
      distance_metric = "cosine"
      dimensions = 3072
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
  sensitive = true
}
variable "redis_host" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-rag-injector
    consumer_group: consumerGroupName|Id
    config:
      inject_template: |
        Use the following context to answer the question. If the context doesnt contain relevant information, say so.
        Context:
        <CONTEXT>
        Question: <PROMPT>
      inject_as_role: system
      consumer_identifier: consumer_group
      global_acl_config:
        allow:
          - public
        deny: []
      collection_acl_config:
        public-docs:
          allow: []
          deny: []
        finance-reports:
          allow:
            - finance
            - executive
          deny:
            - contractor
        executive-confidential:
          allow:
            - executive
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          provider: openai
          name: text-embedding-3-large
      vectordb:
        strategy: redis
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
        distance_metric: cosine
        dimensions: 3072
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-rag-injector",
"config": {
"inject_template": "Use the following context to answer the question. If the context doesnt contain relevant information, say so.\nContext:\n<CONTEXT>\nQuestion: <PROMPT>\n",
"inject_as_role": "system",
"consumer_identifier": "consumer_group",
"global_acl_config": {
"allow": [
"public"
],
"deny": []
},
"collection_acl_config": {
"public-docs": {
"allow": [],
"deny": []
},
"finance-reports": {
"allow": [
"finance",
"executive"
],
"deny": [
"contractor"
]
},
"executive-confidential": {
"allow": [
"executive"
]
}
},
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"provider": "openai",
"name": "text-embedding-3-large"
}
},
"vectordb": {
"strategy": "redis",
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
},
"distance_metric": "cosine",
"dimensions": 3072
}
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- consumerGroupId: The id of the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-rag-injector
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  inject_template: |
    Use the following context to answer the question. If the context doesnt contain relevant information, say so.
    Context:
    <CONTEXT>
    Question: <PROMPT>
  inject_as_role: system
  consumer_identifier: consumer_group
  global_acl_config:
    allow:
      - public
    deny: []
  collection_acl_config:
    public-docs:
      allow: []
      deny: []
    finance-reports:
      allow:
        - finance
        - executive
      deny:
        - contractor
    executive-confidential:
      allow:
        - executive
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      provider: openai
      name: text-embedding-3-large
  vectordb:
    strategy: redis
    redis:
      host: '$REDIS_HOST'
      port: 6379
    distance_metric: cosine
    dimensions: 3072
plugin: ai-rag-injector
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong kongconsumergroup CONSUMERGROUP_NAME konghq.com/plugins=ai-rag-injector
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_rag_injector" "my_ai_rag_injector" {
  enabled = true
  config = {
    inject_template = <<EOF
Use the following context to answer the question. If the context doesnt contain relevant information, say so.
Context:
<CONTEXT>
Question: <PROMPT>
EOF
    inject_as_role = "system"
    consumer_identifier = "consumer_group"
    global_acl_config = {
      allow = ["public"]
      deny = []
    }
    collection_acl_config = {
      public-docs = {
        allow = []
        deny = []
      }
      finance-reports = {
        allow = ["finance", "executive"]
        deny = ["contractor"]
      }
      executive-confidential = {
        allow = ["executive"]
      }
    }
    embeddings = {
      auth = {
        header_name = "Authorization"
        # Interpolate the variable; a bare var.openai_api_key inside quotes is sent as literal text.
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        provider = "openai"
        name = "text-embedding-3-large"
      }
    }
    vectordb = {
      strategy = "redis"
      redis = {
        host = var.redis_host
        port = 6379
      }
      distance_metric = "cosine"
      dimensions = 3072
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer_group = {
    id = konnect_gateway_consumer_group.my_consumer_group.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
  sensitive = true
}
variable "redis_host" {
  type = string
}