Authenticate to a third-party service using Vault secretsv3.12+
Authenticate to a third-party service using Vault secrets. Refer to the Vault documentation for more information on how to set up and use Vault secrets.
This example contains the following nodes:
- The node
STATIC_INPUTSsets some static values that will be used as inputs to other nodes. - The node
BUILD_HEADERSfetches an API key from a Vault reference and injects it into the request headers that will be sent to the auth service. - The node
AUTH_REQUESTmakes a POST request to the auth service. - The node
UPSTREAM_AUTH_HEADERcomposes an Authorization header from the access token received from the auth service and adds it to the service request headers before proxying the request.
Prerequisites
- You have configured a Vault secret
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: datakit
config:
resources:
vault:
token: "{vault://my-vault/my-token}"
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
"X-Api-Key": .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
resources:
vault:
token: '{vault://my-vault/my-token}'
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
'X-Api-Key': .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
resources = {
vault = {
token = "{vault://my-vault/my-token}"
}
}
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
apikey = "vault.token"
}
jq = <<EOF
.headers * {
"X-Api-Key": .apikey
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: datakit
service: serviceName|Id
config:
resources:
vault:
token: "{vault://my-vault/my-token}"
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
"X-Api-Key": .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
resources:
vault:
token: '{vault://my-vault/my-token}'
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
'X-Api-Key': .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=datakit
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
resources = {
vault = {
token = "{vault://my-vault/my-token}"
}
}
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
apikey = "vault.token"
}
jq = <<EOF
.headers * {
"X-Api-Key": .apikey
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: datakit
route: routeName|Id
config:
resources:
vault:
token: "{vault://my-vault/my-token}"
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
"X-Api-Key": .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
resources:
vault:
token: '{vault://my-vault/my-token}'
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
'X-Api-Key': .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=datakit
Copied!
kubectl annotate -n kong ingress konghq.com/plugins=datakit
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
resources = {
vault = {
token = "{vault://my-vault/my-token}"
}
}
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
apikey = "vault.token"
}
jq = <<EOF
.headers * {
"X-Api-Key": .apikey
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: datakit
consumer: consumerName|Id
config:
resources:
vault:
token: "{vault://my-vault/my-token}"
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
"X-Api-Key": .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
resources:
vault:
token: '{vault://my-vault/my-token}'
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
'X-Api-Key': .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong CONSUMER_NAME konghq.com/plugins=datakit
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
resources = {
vault = {
token = "{vault://my-vault/my-token}"
}
}
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
apikey = "vault.token"
}
jq = <<EOF
.headers * {
"X-Api-Key": .apikey
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: datakit
consumer_group: consumerGroupName|Id
config:
resources:
vault:
token: "{vault://my-vault/my-token}"
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
"X-Api-Key": .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + " " + .access_token)
}
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "datakit",
"config": {
"resources": {
"vault": {
"token": "{vault://my-vault/my-token}"
}
},
"nodes": [
{
"name": "STATIC_INPUTS",
"type": "static",
"values": {
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "grant_type=client_credentials"
}
},
{
"name": "BUILD_HEADERS",
"type": "jq",
"inputs": {
"headers": "STATIC_INPUTS.headers",
"apikey": "vault.token"
},
"jq": ".headers * {\n \"X-Api-Key\": .apikey\n}\n"
},
{
"name": "AUTH_REQUEST",
"type": "call",
"inputs": {
"headers": "BUILD_HEADERS",
"body": "STATIC_INPUTS.body"
},
"url": "https://my-token-service/auth-token",
"method": "POST"
},
{
"name": "UPSTREAM_AUTH_HEADER",
"type": "jq",
"input": "AUTH_REQUEST.body",
"output": "service_request.headers",
"jq": "{\n Authorization: (.token_type + \" \" + .access_token)\n}\n"
}
]
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerGroupId: Theidof the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: datakit
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
resources:
vault:
token: '{vault://my-vault/my-token}'
nodes:
- name: STATIC_INPUTS
type: static
values:
headers:
Content-Type: application/x-www-form-urlencoded
body: grant_type=client_credentials
- name: BUILD_HEADERS
type: jq
inputs:
headers: STATIC_INPUTS.headers
apikey: vault.token
jq: |
.headers * {
'X-Api-Key': .apikey
}
- name: AUTH_REQUEST
type: call
inputs:
headers: BUILD_HEADERS
body: STATIC_INPUTS.body
url: https://my-token-service/auth-token
method: POST
- name: UPSTREAM_AUTH_HEADER
type: jq
input: AUTH_REQUEST.body
output: service_request.headers
jq: |
{
Authorization: (.token_type + ' ' + .access_token)
}
plugin: datakit
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong CONSUMERGROUP_NAME konghq.com/plugins=datakit
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
enabled = true
config = {
resources = {
vault = {
token = "{vault://my-vault/my-token}"
}
}
nodes = [
{
name = "STATIC_INPUTS"
type = "static"
values = {
headers = {
Content-Type = "application/x-www-form-urlencoded"
}
body = "grant_type=client_credentials"
}
},
{
name = "BUILD_HEADERS"
type = "jq"
inputs = {
headers = "STATIC_INPUTS.headers"
apikey = "vault.token"
}
jq = <<EOF
.headers * {
"X-Api-Key": .apikey
}
EOF
},
{
name = "AUTH_REQUEST"
type = "call"
inputs = {
headers = "BUILD_HEADERS"
body = "STATIC_INPUTS.body"
}
url = "https://my-token-service/auth-token"
method = "POST"
},
{
name = "UPSTREAM_AUTH_HEADER"
type = "jq"
input = "AUTH_REQUEST.body"
output = "service_request.headers"
jq = <<EOF
{
Authorization: (.token_type + " " + .access_token)
}
EOF
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer_group = {
id = konnect_gateway_consumer_group.my_consumer_group.id
}
}
Copied!