With our AWS partnership, we jointly created two Kong Konnect AWS EKS Terraform Blueprints AddOns, eks-blueprint-konnect-runtime-instance and eks-blueprint-konnect-kic, to help bootstrap your Kong Konnect instances on EKS.
In this post, we'll discuss what AWS EKS Blueprints AddOns for Terraform are and their benefits. We'll also demo the Kong Konnect AddOns we’ve built out.
When it comes fundamentally to standing up a production-ready EKS cluster, there’s more to it than meets the eye: deploying drivers, integrating with AWS Secrets Manager, integrating with AWS logging infrastructure, and understanding the AWS IAM Roles for Service Accounts (IRSA) integration. The AWS EKS Blueprints in Terraform framework was designed to solve these needs by providing guardrails while adhering to community-wide infrastructure as code standards.
AWS EKS Blueprints AddOns is an AWS-developed framework based on Terraform and Helm to easily bootstrap EKS clusters. It comes with native EKS Addons, such as AWS CNI, AWS EBS CSI driver, and the most popular third-party technologies such as Kong Konnect. The objective of the framework is to get you to a production-ready environment quickly by simplifying and consolidating Day 2 operations with AWS best practices built into the AddOns themselves.
Overall, AWS EKS Blueprints for Terraform helps customers get a production-ready EKS Cluster as quickly as possible.
The Kong AddOns deploy Kong with either the Kong Gateway data plane independently or alongside Kong Ingress Controller, both of which integrate with Kong Konnect.
Under the hood, it’s still the Kong Helm chart deployed by the AWS EKS Add-On framework. However, what we’ve done is create an AWS-specific default Helm configuration for you, so that all you need to provide is a small subset of required values — runtime group ExID, the region, etc. Bear in mind, you still have the opportunity to override the defaults, if required.
But the Kong modules are more than just another deployment mechanism for the Kong data planes; they also prescribe to AWS EKS best practices. For Kong, this means providing a production-ready mechanism for managing the data plane certificates.
Kong Konnect uses a hybrid deployment model — Kong Konnect acts as the control plane and each gateway is a data plane with an mTLS connection to Konnect (See Konnect Architecture for more details.) As such, each data plane needs the certificates, stored as secrets in Kubernetes, to complete the mutual TLS handshake.
To achieve this, the Kong Konnect Blueprints modules install the External Secrets Operator, which is also a part of the add-on ecosystem. Then they configure the necessary AWS IRSA privileges and the necessary CRDs in order to leverage AWS Secrets Manager. With this integration in place, the data plane TLS certificates stored in AWS Secrets Manager are automatically injected as a Kubernetes Secret.
Overall, the Kong modules will do the following:
There are a few prerequisites to be aware of before getting started.
First, you need an EKS cluster. Don’t worry. The AWS team has a very robust Terraform module for that as well, AWS EKS Terraform module, and it will run inline without addon modules.
Secondly, there are a few Kong Konnect prerequisites that need to be in place.
With those criteria in place, you’re ready to bootstrap your EKS cluster with Kong Konnect.
The name of the game is how fast we can automate provisioning an EKS cluster with Kong Ingress Controller to Kong Konnect. I’m going to bet we’ll be up and running in about 15 minutes.
First, go ahead and clone the examples github repo.
Let’s take care of the prerequisites:
Log into Kong Konnect, navigate to Runtime Manager, and create a Kong Ingress Controller Runtime Group.
And we can see below I’ve created a new Runtime Group called KIC Demo:
Now, create the data plane certificates.
We put together a CLI tool (kong-konnect-runtime-cert-generator) to get you jump-started here. The CLI tool is going to create a self-signed cert, push it to the new Kong Konnect Runtime Group and also to AWS Secrets Manager:
The output should be something similar to below. Save this output — you’ll need it for the next step.
Terraform
OK! Now for the finale. In the example repo, navigate into the konnect-kic directory. The Terraform script does three main things:
To run the Terraform script, create a terraform.tfvars file with the following output from the CLI tool:
And now run the Terraform with `terraform apply`:
And that is it. KIC is Fully Operational.
We really enjoyed this project, and we’re looking forward to the community’s reaction.
Give it a go and let us know what you think! hould we cover more Day 2 Operations? Are there more configurations you’d like to see? Don’t hesitate to create a GitHub issue.
In the meantime, we have several more examples to get you kickstarted — Fargate, AWS Graviton — and there’s a video if you’d rather watch.
Find us on the AWS Partner Addon docs as well!
Meet Emily. She’s an API product manager at ACME, Inc., an ecommerce company that runs on dozens of APIs. One morning, her team lead asks a simple question: “Who’s our top API consumer, and which of your APIs are causing the most issues right now?”
Today, we’re announcing that Kong has acquired OpenMeter , the open source and SaaS leader for real-time usage metering and billing. OpenMeter’s capabilities will be integrated into Kong Konnect, enabling usage-based pricing, entitlements, and invo
It’s been almost a year since we released our Konnect Terraform provider . In that time we’ve seen over 300,000 installs, have 1.7 times as many resources available, and have expanded the provider to include data sources to enable federated managem
In the last two parts of this series, we discussed How to Strengthen a ReAct AI Agent with Kong AI Gateway and How to Build a Single-LLM AI Agent with Kong AI Gateway and LangGraph . In this third and final part, we're going to evolve the AI Agen
In my previous post, we discussed how we can implement a basic AI Agent with Kong AI Gateway. In part two of this series, we're going to review LangGraph fundamentals, rewrite the AI Agent and explore how Kong AI Gateway can be used to protect an LLM
We're happy to announce the 3.5 release of Kong Ingress Controller (KIC). This release includes the graduation of combined services to General Availability, support for connection draining, as well as the start of deprecating support for some Ingre
This is part one of a series exploring how Kong AI Gateway can be used in an AI Agent development with LangGraph. The series comprises three parts: Basic ReAct AI Agent with Kong AI Gateway Single LLM ReAct AI Agent with Kong AI Gateway and LangGr