
Control Planes Configuration

Configuration for individual Kong Konnect control planes, declared under kontfix.controlPlanes.<region>.<name>.

Supported regions: us, eu, au, sg, in, me


Choosing an Auth Type

Each control plane uses one of two authentication types for data plane connectivity:

| Auth type | Use when |
|---|---|
| pinned_client_certs (default) | You manage certificates yourself, or use self-signed certificates generated by Kontfix |
| pki_client_certs | You want Kontfix to issue certificates from a HashiCorp Vault PKI backend |

Note: CLUSTER_TYPE_K8S_INGRESS_CONTROLLER control planes must use pinned_client_certs.

Examples

Minimal control plane

A basic control plane in the au region with all defaults:

kontfix.controlPlanes.au.my-cp = { };

Control plane with PKI certificates stored in Vault

kontfix = {
  defaults = {
    pki.hcv.address = "https://vault.example.com";
    storage.hcv.address = "https://vault.example.com";
  };

  controlPlanes.au.my-cp = {
    auth_type = "pki_client_certs";
    create_certificate = true;
    store_cluster_config = true;
    storage_backend = [ "hcv" ];
  };
};

Control plane with a system account and AWS secret storage

kontfix.controlPlanes.us.my-cp = {
  create_certificate = true;
  system_account = {
    enable = true;
    generate_token = true;
  };
  storage_backend = [ "aws" ];
  aws = {
    enable = true;
    region = "us-east-1";
    tags = {
      Environment = "production";
      ManagedBy = "kontfix";
    };
  };
};

Control plane group

A control plane group allows multiple data planes to connect through a single group endpoint:

kontfix.controlPlanes.au = {
  cp-a = { };
  cp-b = { };

  my-group = {
    cluster_type = "CLUSTER_TYPE_CONTROL_PLANE_GROUP";
    members = [ "cp-a" "cp-b" ];
  };
};

Key Constraints

  • Group members cannot have create_certificate = true or store_cluster_config = true
  • Control plane groups cannot have system_account.enable = true
  • CLUSTER_TYPE_K8S_INGRESS_CONTROLLER requires auth_type = "pinned_client_certs"
  • AWS storage requires aws.enable = true and non-empty aws.tags
  • HCV storage requires defaults.storage.hcv.address to be set
  • PKI certificate generation (create_certificate = true) only supports pki_backend = "hcv"
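The constraints above, checked before a declaration is applied. This is an added example, not Kontfix's own code: it models one region's controlPlanes set as Python dicts using the attribute names from this page, and assumes the defaults auth_type = "pinned_client_certs" and pki_backend = "hcv" whenever those keys are absent.

```python
"""Static checks for a Kontfix control-plane declaration (added example, not Kontfix code)."""

GROUP = "CLUSTER_TYPE_CONTROL_PLANE_GROUP"
INGRESS = "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"


def validate(defaults: dict, planes: dict) -> list[str]:
    """Return every violation of the documented Key Constraints for one region's planes."""
    errors = []
    hcv_addr = defaults.get("storage", {}).get("hcv", {}).get("address")
    # Names referenced as group members, so the member-only rules can be applied to them.
    members = {m for cp in planes.values()
               if cp.get("cluster_type") == GROUP for m in cp.get("members", [])}
    for name, cp in planes.items():
        ctype = cp.get("cluster_type")
        auth = cp.get("auth_type", "pinned_client_certs")   # assumed default
        backends = cp.get("storage_backend", [])
        if name in members and (cp.get("create_certificate") or cp.get("store_cluster_config")):
            errors.append(f"{name}: group members cannot set create_certificate or store_cluster_config")
        if ctype == GROUP and cp.get("system_account", {}).get("enable"):
            errors.append(f"{name}: control plane groups cannot set system_account.enable")
        if ctype == INGRESS and auth != "pinned_client_certs":
            errors.append(f"{name}: {INGRESS} requires auth_type = pinned_client_certs")
        if "aws" in backends:
            aws = cp.get("aws", {})
            if not aws.get("enable") or not aws.get("tags"):
                errors.append(f"{name}: aws storage requires aws.enable = true and non-empty aws.tags")
        if "hcv" in backends and not hcv_addr:
            errors.append(f"{name}: hcv storage requires defaults.storage.hcv.address")
        # pki_backend is assumed to default to "hcv" when not declared.
        if cp.get("create_certificate") and cp.get("pki_backend", "hcv") != "hcv":
            errors.append(f"{name}: create_certificate only supports pki_backend = hcv")
    return errors


# Constructed sample: the page's group example, but with cp-a also asking for a certificate
# and the group enabling a system account, which violates two constraints at once.
SAMPLE_AU = {
    "cp-a": {"create_certificate": True},
    "cp-b": {},
    "my-group": {"cluster_type": GROUP, "members": ["cp-a", "cp-b"],
                 "system_account": {"enable": True}},
}

if __name__ == "__main__":
    for err in validate({}, SAMPLE_AU):
        print(err)
```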