Konnect Config Store how to #297

Open
wants to merge 3 commits into
base: main
152 changes: 145 additions & 7 deletions app/_how-tos/store-secrets-in-konnect-config-store.md
Expand Up @@ -4,6 +4,8 @@ content_type: how_to
related_resources:
- text: Secrets management
url: /secrets-management
- text: Vault entity
url: /gateway/entities/vault

products:
- gateway
Expand All @@ -16,16 +18,31 @@ entities:

tags:
- security
- secrets-management

tldr:
q: How do I
a: placeholder
q: How do I use {{site.konnect_short_name}} as a Vault backend and store secrets in it?
a: |
Use the {{site.konnect_short_name}} API to create a Config Store using the `/v2/control-planes/{controlPlaneId}/config-stores` endpoint, create a {{site.konnect_short_name}} Vault using the [`/v2/control-planes/{controlPlaneId}/core-entities/vaults/` endpoint](/api/konnect/control-planes-config/v2/#/operations/create-vault), and then store your secret as a key/value pair using the `/v2/control-planes/{controlPlaneId}/config-stores/{configStoreId}/secrets` endpoint. To reference the secret in configuration, use the Vault prefix and the key name, for example: `{vault://mysecretvault/mistral-key}`

tools:
- deck
# - konnect-api
prereqs:
entities:
services:
- example-service
routes:
- example-route
inline:
- title: Mistral AI API key
include_content: prereqs/vault-backends/mistral-env-var
- title: Konnect API
include_content: prereqs/konnect-api-for-curl

tools:
- konnect-api

faqs:
- q: How do I replace certificates used in {{site.base_gateway}} data plane nodes with a secret reference?
a: Set up a {{site.konnect_short_name}} or any other Vault, define the certificate and key in a secret in the Vault.
cleanup:
inline:
- title: Clean up Konnect environment
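Review bot: The new FAQ answer under `faqs:` stops at "define the certificate and key in a secret in the Vault" and never says how the data plane node configuration then points at that secret, so it does not answer the "with a secret reference" part of its own question. Add the reference step, using the same `{vault://<prefix>/<key>}` form the `tldr` answer shows. Separately, `tools:` appears twice in this front matter region (once with `deck`, once with `konnect-api`); if both blocks survive the merge the YAML carries a duplicate key, so confirm only the `konnect-api` block remains.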
Expand All @@ -39,6 +56,127 @@ min_version:
gateway: '3.4'
---

@todo

Use content from https://docs.konghq.com/konnect/gateway-manager/configuration/config-store/#main
## 1. Configure a {{site.konnect_short_name}} Config Store

Before you can configure a {{site.konnect_short_name}} Vault, you must first create a Config Store by sending a `POST` request to the `/v2/control-planes/{controlPlaneId}/config-stores` endpoint:

<!--vale off-->
{% control_plane_request %}
url: /v2/control-planes/$CONTROL_PLANE_ID/config-stores
status_code: 201
method: POST
headers:
- 'Accept: application/json'
- 'Content-Type: application/json'
- 'Authorization: Bearer $KONNECT_TOKEN'
body:
name: my-config-store
{% endcontrol_plane_request %}
<!--vale on-->

Export your Config Store ID as an environment variable so you can use it later:

```sh
export CONFIG_STORE_ID=config-store-uuid
```

## 2. Configure {{site.konnect_short_name}} as your Vault

To enable {{site.konnect_short_name}} as your vault, you can use the [Vault entity](/gateway/entities/vault).

Send a `POST` request to the [`/v2/control-planes/{controlPlaneId}/core-entities/vaults/` endpoint](/api/konnect/control-planes-config/v2/#/operations/create-vault):

<!--vale off-->
{% control_plane_request %}
url: /v2/control-planes/$CONTROL_PLANE_ID/core-entities/vaults/
status_code: 201
method: POST
headers:
- 'Accept: application/json'
- 'Content-Type: application/json'
- 'Authorization: Bearer $KONNECT_TOKEN'
body:
config:
config_store_id: $CONFIG_STORE_ID
description: Storing secrets in Konnect
name: konnect
prefix: mysecretvault
{% endcontrol_plane_request %}
<!--vale on-->

## 3. Store the Mistral AI key as a secret

In this how-to, you're storing the Mistral AI API key you copied earlier as a secret in your Vault. This will allow you to reference this later in a plugin configuration.

Store your secret by sending a `POST` request to the `/v2/control-planes/{controlPlaneId}/config-stores/{configStoreId}/secrets` endpoint:

<!--vale off-->
{% control_plane_request %}
url: /v2/control-planes/$CONTROL_PLANE_ID/config-stores/$CONFIG_STORE_ID/secrets/
status_code: 201
method: POST
headers:
- 'Accept: application/json'
- 'Content-Type: application/json'
- 'Authorization: Bearer $KONNECT_TOKEN'
body:
key: mistral-key
value: Bearer <mistral-key-here>
{% endcontrol_plane_request %}
<!--vale on-->

## 4. Reference your stored secret

Now that {{site.konnect_short_name}} is configured as your Vault, you can reference secrets stored in that Vault in configuration. In this tutorial, you'll be referencing the API key you set previously and using it to generate an answer to a question using the [AI Proxy plugin](/plugins/ai-proxy/). To reference a secret, you use the prefix from your Vault config, the name of the secret, and optionally the property in the secret you want to use.

Enable the AI Proxy plugin on your route by sending a `POST` request to the [`/control-planes/{controlPlaneId}/core-entities/routes/{RouteId}/plugins` endpoint](/api/konnect/control-planes-config/v2/#/operations/create-plugin-with-route):

<!--vale off-->
{% control_plane_request %}
url: /v2/control-planes/$CONTROL_PLANE_ID/core-entities/plugins
status_code: 201
method: POST
headers:
- 'Accept: application/json'
- 'Content-Type: application/json'
- 'Authorization: Bearer $KONNECT_TOKEN'
body:
config:
route_type: llm/v1/chat
auth:
header_name: Authorization
header_value: '{vault://mysecretvault/mistral-key}'
model:
provider: mistral
name: mistral-tiny
options:
mistral_format: openai
upstream_url: https://api.mistral.ai/v1/chat/completions
enabled: true
name: ai-proxy
route:
id: $ROUTE_ID
{% endcontrol_plane_request %}
<!--vale on-->

## 5. Validate

To verify that {{site.base_gateway}} can pull the secrets from {{site.konnect_short_name}} Config Store, you can use the AI Proxy plugin to confirm that the plugin is using the correct API key when a request is made:

<!--vale off-->
{% validation request-check %}
url: /anything
status_code: 200
method: POST
headers:
- 'Accept: application/json'
- 'Content-Type: application/json'
body:
messages:
- role: "system"
content: "You are a mathematician"
- role: "user"
content: "What is 1+1?"
{% endvalidation %}
<!--vale on-->
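Review bot: In step 4 the request body sets the route with `id: $ROUTE_ID`, but the prerequisite include added in this PR exports `EXAMPLE_ROUTE_ID`, so a reader who follows the prereqs sends an unset variable as the route ID. Use one name in both places. The same step's prose links the `/control-planes/{controlPlaneId}/core-entities/routes/{RouteId}/plugins` endpoint (with no `/v2` prefix) while the request posts to `/v2/control-planes/$CONTROL_PLANE_ID/core-entities/plugins` with the route in the body; make the sentence describe the request that is actually sent. In step 1, `export CONFIG_STORE_ID=config-store-uuid` should say that the value comes from the response to the create request. In step 3, it is worth stating that the stored value includes the `Bearer ` prefix, because `header_value` in step 4 is the bare vault reference and nothing else adds it.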
10 changes: 10 additions & 0 deletions app/_includes/prereqs/konnect-api-for-curl.md
@@ -0,0 +1,10 @@
To use the copy, paste, and run the instructions in this how-to, you must export these additional environmental variables:

```sh
export KONNECT_CONTROL_PLANE_URL=https://{region}.api.konghq.com
export CONTROL_PLANE_ID=your-control-plane-uuid
export EXAMPLE_ROUTE_ID=your-example-route-id
```

* `CONTROL_PLANE_ID`: You can find your control plane UUID by navigating to the control plane in the UI or by sending a `GET` request to the [`/control-planes` endpoint](/api/konnect/control-planes/v2/#/operations/list-control-planes).
* `EXAMPLE_ROUTE_ID`: You can find your Route ID by navigating to the Route in the UI or by sending a `GET` request to the [`/control-planes/{controlPlaneId}/core-entities/routes` endpoint](/api/konnect/control-planes-config/v2/#/operations/list-route).
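Review bot: `KONNECT_TOKEN` is missing from the export block, although every request in the how-to sends `Authorization: Bearer $KONNECT_TOKEN`; either export it here with a placeholder value or state which prerequisite sets it. `KONNECT_CONTROL_PLANE_URL` is exported but has no bullet explaining what to put in `{region}`, unlike the other two variables. The opening sentence would read better as "To copy, paste, and run the instructions in this how-to, you must export these additional environment variables:".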
3 changes: 3 additions & 0 deletions app/_includes/prereqs/vault-backends/mistral-env-var.md
@@ -0,0 +1,3 @@
In this tutorial, you'll be validating that {{site.base_gateway}} can correctly reference secrets in your Vault by storing a Mistral AI API key as a secret.

In the Mistral AI console, [create an API key](https://console.mistral.ai/api-keys/) and copy it. You'll add this API key as a secret to your vault.
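Review bot: The include is named `mistral-env-var`, but its text only tells the reader to copy the key and never sets an environment variable; step 3 of the how-to then has the key pasted inline as `Bearer <mistral-key-here>`. Either export the key to a variable here and reference that variable in step 3, which also keeps the key out of the pasted request, or rename the include to match what it does. "vault" in the last sentence should be capitalized as "Vault" to match the rest of the page.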
2 changes: 2 additions & 0 deletions tools/track-docs-changes/config/sources.yml
Expand Up @@ -128,6 +128,8 @@ app/_how-tos/set-up-ai-proxy-with-anthropic.md:
- app/_hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/_anthropic.md
app/_how-tos/proxy-tls-passthrough-traffic-using-sni.md:
- app/_src/gateway/how-kong-works/routing-traffic.md
app/_how-tos/store-secrets-in-konnect-config-store.md:
- app/konnect/gateway-manager/configuration/config-store.md

# plugins
app/_kong_plugins/ai-rate-limiting-advanced/index.md: