Authenticate Kong to a third-party servicev3.11+
Use internal auth within your ecosystem to inject request headers before proxying a request.
This example contains the following nodes:
- The node
STATIC_INPUTSsets some static values that will be used as inputs to other nodes. - The node
BUILD_HEADERSfetches an API key from the client query and injects it into the request headers that will be sent to the auth service. - The node
AUTH_REQUESTmakes a POST request to the auth service. - The node
UPSTREAM_AUTH_HEADERcomposes an Authorization header from the access token received from the auth service and adds it to the service request headers before proxying the request.
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: datakit
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
'X-Api-Key': (.query.api_key // 'none')
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
query = "request.query"
}
jq = <<EOF
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: datakit
service: serviceName|Id
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
'X-Api-Key': (.query.api_key // 'none')
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
query = "request.query"
}
jq = <<EOF
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: datakit
route: routeName|Id
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
'X-Api-Key': (.query.api_key // 'none')
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=datakit
kubectl annotate -n kong ingress konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
query = "request.query"
}
jq = <<EOF
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: datakit
consumer: consumerName|Id
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
'X-Api-Key': (.query.api_key // 'none')
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong CONSUMER_NAME konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
query = "request.query"
}
jq = <<EOF
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: datakit
consumer_group: consumerGroupName|Id
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"query": "request.query"
},
"jq": ".headers * {\n \"X-Api-Key\": (.query.api_key // \"none\")\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerGroupId: Theidof the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
query: request.query
jq: |
.headers * {
'X-Api-Key': (.query.api_key // 'none')
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong CONSUMERGROUP_NAME konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
query = "request.query"
}
jq = <<EOF
.headers * {
"X-Api-Key": (.query.api_key // "none")
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer_group = {
id = konnect_gateway_consumer_group.my_consumer_group.id
}
}