Skip to content
|
unreleased
github-edit-pageEdit this page
report-issueReport an issue
You are browsing unreleased documentation. See the latest documentation here.

Cloud Gateways Networks

In this guide you’ll learn how to use the KonnectCloudGatewayNetwork custom resource to manage Kong Konnect Dedicated Cloud Gateways Networks natively from your Kubernetes cluster.

Prerequisites: Install Kong Gateway Operator and create a valid KonnectAPIAuthConfiguration in your cluster.

Prerequisites

Install Kong Gateway Operator

Update the Helm repository:

helm repo add kong https://charts.konghq.com
helm repo update kong

Install Kong Gateway Operator with Helm:

helm upgrade --install kgo kong/gateway-operator -n kong-system --create-namespace \
  --set image.repository=kong/nightly-gateway-operator \
  --set image.tag=nightly \
  --set kubernetes-configuration-crds.enabled=true \
  --set env.ENABLE_CONTROLLER_KONNECT=true

You can wait for the operator to be ready using kubectl wait:

kubectl -n kong-system wait --for=condition=Available=true --timeout=120s deployment/kgo-gateway-operator-controller-manager

Create an access token in Konnect

You may create either a Personal Access Token (PAT) or a Service Account Token (SAT) in Konnect. Please refer to the Konnect authentication documentation for more information. You will need this token to create a KonnectAPIAuthConfiguration object that will be used by the Kong Gateway Operator to authenticate with Konnect APIs.

Create a Kong Konnect API auth configuration

Depending on your preferences, you can create a KonnectAPIAuthConfiguration object with the token specified directly in its spec or as a reference to a Kubernetes Secret. The serverURL field should be set to the Konnect API URL in a region where your Kong Konnect account is located. Please refer to the list of available API URLs for more information.

echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: default
spec:
  type: token
  token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  serverURL: us.api.konghq.com
' | kubectl apply -f -

Please note that the Secret must have the konghq.com/credential: konnect label to make the Kong Gateway Operator reconcile it.

echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: default
spec:
  type: secretRef
  secretRef:
    name: konnect-api-auth-secret
  serverURL: us.api.konghq.com
---
kind: Secret
apiVersion: v1
metadata:
  name: konnect-api-auth-secret
  namespace: default
  labels:
    konghq.com/credential: konnect
stringData:
  token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
' | kubectl apply -f -

You can verify the KonnectAPIAuthConfiguration object was reconciled successfully by checking its status.

kubectl get konnectapiauthconfiguration konnect-api-auth

The output should look like this:

NAME               VALID   ORGID                                  SERVERURL
konnect-api-auth   True    <your-konnect-org-id>                  https://us.api.konghq.tech

Provider Account

In order to mange Cloud Gateway networks you need to have a Cloud Gateway Provider Account associated with your Kong Konnect account.

To create one, please contact your Kong Account Manager.

If you already have one, you can use the Konnect’s /cloud-gateways/provider-accounts API to get the id of the provider account.

curl -s -H 'Content-Type: application/json' -H "Authorization: Bearer ${KONNECT_TOKEN}" -XGET https://global.api.konghq.com/v2/cloud-gateways/provider-accounts | jq

This should return a list of provider accounts, you can use the id of the account you want to use to create a Cloud Gateway Network.

{
  "data": [
    {
      "id": "11111111-1111-1111-1111-111111111111",
      "provider": "aws",
      "provider_account_id": "001111111111",
      "created_at": "2023-07-06T18:40:12.172Z",
      "updated_at": "2023-07-06T18:40:12.172Z"
    }
  ],
  "meta": {
    "page": {
      "total": 1,
      "size": 100,
      "number": 1
    }
  }
}

Create a Cloud Gateway Network

Creating the KonnectCloudGatewayNetwork object in your Kubernetes cluster will provision a new Konnect Dedicated Cloud Gateway Network.

You can refer to the KonnectCloudGatewayNetwork CRD API for all the available fields.

To create a KonnectCloudGatewayNetwork object you can use the following YAML manifest:

echo '
kind: KonnectCloudGatewayNetwork
apiVersion: konnect.konghq.com/v1alpha1
metadata:
 name: konnect-network-1
 namespace: default
spec:
 name: network1
 cloud_gateway_provider_account_id: "001111111111"
 availability_zones:
 - euw1-az1
 - euw1-az2
 - euw1-az3
 cidr_block: "192.168.0.0/16"
 region: eu-west-1
 konnect:
   authRef:
     name: konnect-api-auth
' | kubectl apply -f -

After creating the network object you can check the status of the network by running:

kubectl get konnectcloudgatewaynetworks.konnect.konghq.com konnect-network-1 -o=jsonpath='{.status}' | yq -p json

Which should return the status of the network:

conditions:
  - lastTransitionTime: "2025-03-13T09:16:49Z"
    message: KonnectAPIAuthConfiguration reference default/konnect-api-auth is resolved
    observedGeneration: 3
    reason: ResolvedRef
    status: "True"
    type: APIAuthResolvedRef
  - lastTransitionTime: "2025-03-13T09:16:49Z"
    message: referenced KonnectAPIAuthConfiguration default/konnect-api-auth is valid
    observedGeneration: 3
    reason: Valid
    status: "True"
    type: APIAuthValid
  - lastTransitionTime: "2025-03-13T09:18:05Z"
    message: ""
    observedGeneration: 3
    reason: Programmed
    status: "True"
    type: Programmed
id: 1111111-111111111111-11111111111111111
organizationID: 222222222-22222222-2222222222222222222
serverURL: https://global.api.konghq.com
state: initializing

Since creating a network can take some time, you can monitor the status of the network by checking the state field.