旧バージョンのドキュメントを参照しています。最新のドキュメントはこちらをご参照ください。

Using Kubernetes Secrets in Plugins

Kong Ingress Controller allows you to configure Kong Gateway plugins using the contents of a Kubernetes secret. Kong Ingress Controller can read secrets in two ways:

Read the complete plugin configuration from a secret
Use configPatches to set a single field in a plugin configuration (requires Kong Ingress Controller 3.1+)

Kong Ingress Controller resolves the referenced secrets and sends a complete configuration to Kong Gateway.

Kong Ingress Controller resolves secrets before sending the configuration to Kong Gateway. Anyone with access to the Kong Gateway pod can read the configuration, including secrets, from the admin API. To securely fetch secrets at runtime, use Kong’s Vault support.

Read a complete configuration

The configFrom field in the KongPlugin resource allows you to set a secretKeyRef pointing to a Kubernetes secret.

This KongPlugin definition points to a secret named rate-limit-redis that contains a complete configuration for the plugin:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
 name: rate-limiting-example
plugin: rate-limiting
configFrom:
  secretKeyRef:
    name: rate-limit-redis
    key: config
" | kubectl apply -f -

The rate-limit-redis secret contains a complete configuration as a string:

echo "
apiVersion: v1
kind: Secret
metadata:
  name: rate-limit-redis
stringData:
  config: |
    minute: 10
    policy: redis
    redis_host: redis-master
    redis_password: PASSWORD
type: Opaque
" | kubectl apply -f -