Feat: Konnect native config store (#7939)

* Update index.md for Konnect Config Store * Update how-to.md for Konnect Config Store * Update vaults.md added option for Konnect Config Store * config store docs * shotscraper, instructions, formatting * fix issues in API calls * add reference section, fix 404 --------- Co-authored-by: Angel <[email protected]> Co-authored-by: Angel <[email protected]>
Kong · Nov 4, 2024 · d7bc77d · d7bc77d
1 parent 1161df3
commit d7bc77d
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 4 deletions.
diff --git a/app/_data/docs_nav_konnect.yml b/app/_data/docs_nav_konnect.yml
@@ -105,6 +105,8 @@
           items:
             - text: Overview
               url: /gateway-manager/configuration/vaults/
+            - text: Konnect Config Store
+              url: /gateway-manager/configuration/config-store/
             - text: Set Up and Use a Vault in Konnect
               url: /gateway-manager/configuration/vaults/how-to/
         - text: Manage Control Plane Configuration with decK

diff --git a/app/_src/deck/guides/vaults.md b/app/_src/deck/guides/vaults.md
@@ -41,7 +41,7 @@ Key | Description
 ----|---
 `vaults.config` | Stores the configuration for a particular vault. The configuration values required depend on the vault that you are using. In this example, the `vaults.config.prefix` value configures the prefix for the environment variable that the value will be stored in. See the individual [vault backends](/gateway/latest/kong-enterprise/secrets-management/backends/) to find the required configuration values for your particular vault type.
 `vaults.description` | An optional description for your vault.
-`vaults.name` | The type of vault. Accepts one of: `env`, `gcp`, `aws`, or `hcv`.
+`vaults.name` | The type of vault. Accepts one of: `konnect`, `env`, `gcp`, `aws`, or `hcv`.
 `vaults.prefix` | The reference prefix. You need this prefix to access secrets stored in this vault. For example, `{vault://my-env-vault/<some-secret>}`.
 
 {{site.base_gateway}} also supports HashiCorp Vault, GCP, and AWS as [vault backends](/gateway/latest/kong-enterprise/secrets-management/backends/).

diff --git a/app/assets/images/products/konnect/gateway-manager/konnect-vaults.png b/app/assets/images/products/konnect/gateway-manager/konnect-vaults.png
diff --git a/app/konnect/gateway-manager/configuration/config-store.md b/app/konnect/gateway-manager/configuration/config-store.md
@@ -0,0 +1,91 @@
+---
+title: Konnect Config Store
+---
+
+
+You can store your sensitive data directly in {{site.konnect_short_name}} via the {{site.konnect_short_name}} Config Store. {{site.konnect_short_name}} Config Store is scoped to a control plane today and works directly with Gateway’s Vaults entity in Gateway Manager to easily manage security and governance policies. {{site.konnect_short_name}} Config Store is built with security in mind such that once a secret is stored in {{site.konnect_short_name}}, you cannot view the value again. This ensures that sensitive data is not visible in plain text anywhere. 
+
+
+## Configure the {{site.konnect_short_name}} config store
+
+{% navtabs %}
+{% navtab API %}
+
+Create a config store entity in {{site.konnect_short_name}} and save the `config_store_id` from the response body.
+
+```sh 
+curl -i -X POST https://{region}.api.konghq.com/v2/control-planes/{control-plane-id}/core-entities/vaults/ \
+  --header 'Authorization: Bearer{kpat_token}' \
+  --header 'Content-Type: application/json' \
+  --data '{
+	"name": "konnect"
+}'
+```
+
+Using the `config_store_id` create a `POST` request to associate the config store with the vault.
+
+```sh
+curl -i -X POST https://{region}.api.konghq.com/v2/control-planes/{control-plane-id}/core-entities/vaults/  \
+  --header 'Authorization: Bearer {kpat_token}' \
+  --header 'Content-Type: application/json' \
+  --data '{
+	"config":{
+		"config_store_id": "7f1daa91-d386-4eb8-83c9-a78099f9c9d5"
+	},
+	"description": "Description of your vault",
+	"name": "konnect",
+	"prefix": "mysecretvault"
+}'
+```
+
+{% endnavtab %}
+{% navtab UI %}
+1. In {% konnect_icon runtimes %} **Gateway Manager** select a control plane.
+1. Click **New vault**.
+1. Choose **Konnect**
+1. Enter the configuration settings for your vault and **Save**.
+
+{% endnavtab %}
+{% navtab decK %}
+
+Using the `config_store_id` create a `POST` request to associate the config store with the vault.
+
+```yaml
+_format_version: "3.0"
+vaults:
+- config:
+    config_store_id: ee62068e-1843-49f8-ac22-40293b0a949d
+  description: Storing secrets in Konnect
+  name: konnect
+  prefix: konnect-vault
+```
+{% endnavtab %}
+{% endnavtabs %}
+
+## Reference {{site.konnect_short_name}} Config Store secrets
+
+You can now store secrets in the {{site.konnect_short_name}} Config Store and reference them throughout the control plane. For instance, a secret in the {{site.konnect_short_name}} Config Store named `secret-name` can hold multiple key-value pairs:
+
+```json
+{
+  "foo": "bar",
+  "snip": "snap"
+}
+```
+
+To make these secrets accessible to {{site.base_gateway}}, reference the environment variables using a specific URL format. For the example above, the references would be:
+
+```sh
+{vault://konnect/secret-name/foo}
+{vault://konnect/secret-name/snip}
+```
+
+This allows {{site.base_gateway}} to recognize and retrieve the stored secrets.
+
+## Supported fields
+
+| Parameter           | Field Name        | Description                                                                                             |
+|---------------------|-------------------|---------------------------------------------------------------------------------------------------------|
+| `vaults.description`   | Description       | An optional description for your vault.                                                                 |
+| `vaults.name`         | Name              | The type of vault. Accepts one of: `konnect`, `env`, `gcp`, `aws`, or `hcv`. |
+| `vaults.prefix`       | Prefix            | The reference prefix. You need this prefix to access secrets stored in this vault. For example, `{vault://konnect-vault/<some-secret>}`. |
diff --git a/app/konnect/gateway-manager/configuration/vaults/how-to.md b/app/konnect/gateway-manager/configuration/vaults/how-to.md
@@ -21,6 +21,7 @@ Set up a new vault. For this example, we're going to use the environment variabl
 1. Click **Add vault**.
 1. Choose a vault type. 
 1. Enter the configuration settings for your vault. For more information about how to configure settings, see the following {{site.base_gateway}} documentation:
+    * [Konnect Config Store options](/konnect/gateway-manager/configuration/config-store/#supported-fields)
     * [AWS vault configuration options](/gateway/latest/kong-enterprise/secrets-management/backends/aws-sm/#vault-configuration-options)
     * [Google Cloud vault configuration options](/gateway/latest/kong-enterprise/secrets-management/backends/gcp-sm/#vault-entity-configuration-options)
     * [HashiCorp vault configuration options](/gateway/latest/kong-enterprise/secrets-management/backends/hashicorp-vault/#vault-configuration-options)

diff --git a/app/konnect/gateway-manager/configuration/vaults/index.md b/app/konnect/gateway-manager/configuration/vaults/index.md
@@ -44,8 +44,7 @@ Vaults have several use cases:
 * Encryption of secrets at rest
 
 {{site.konnect_short_name}} **does not**:
-* Store credentials to access the vault itself.
-You must provide those credentials to the {{site.base_gateway}} data plane directly.
+
 * Update or modify the secrets in 3rd party vaults.
 
 Vaults are configurable per control plane. You can't use the same vault across
@@ -54,6 +53,7 @@ multiple control planes.
 ## Supported vaults in {{site.konnect_short_name}}
 
 Konnect supports the following vault backends:
+* Konnect Config Store
 * AWS Secrets Manager
 * HashiCorp Vault
 * GCP Secret Manager
@@ -68,6 +68,7 @@ Check out the example use case for [storing certificates in a vault](/konnect/ga
 
 For detailed vault configuration references and guides, see the {{site.base_gateway}}
 documentation:
+* [Konnect Config Store](/konnect/gateway-manager/configuration/config-store/)
 * [AWS Secrets Manager](/gateway/latest/kong-enterprise/secrets-management/backends/aws-sm/)
 * [GCP Secret Manager](/gateway/latest/kong-enterprise/secrets-management/backends/gcp-sm/)
 * [HashiCorp Vault](/gateway/latest/kong-enterprise/secrets-management/backends/hashicorp-vault/)

diff --git a/tools/screenshots/konnect/vaults/overview.yaml b/tools/screenshots/konnect/vaults/overview.yaml
@@ -7,7 +7,7 @@
     async () => {
       const sidebarItem = document.querySelector("#subnav-gateway-manager > li.sidebar-item-secondary.active > a");
       const prefixItem = getTestId('prefix');
-      const addItem = getTestId('toolbar-add-vault');
+      const addItem = getTestId('kui-icon-wrapper-book-icon');
       const menuItem = getTestId('overflow-actions-button');
 
       annotateNumber(sidebarItem, { number: 1, position: { left: "100px" } });