Product Releases
February 9, 2024

What’s New in Kong Ingress Controller 3.1?

Michael Heap
Sr Director Developer Experience, Kong

Kong Ingress Controller 3.1 provides brand-new capabilities for keeping your secrets secure. We’ve introduced new KongVault and KongLicense CRDs, and added a way to keep sensitive information in your cluster when using KIC in Konnect. Finally, there’s a quality-of-life improvement that allows you to use a Kubernetes secret to populate a single field in a KongPlugin configuration.

KongLicense

If you’re a Kong Gateway Enterprise customer, you’re probably familiar with the process of placing your license in a Kubernetes secret before deploying Kong Gateway. The Helm chart mounts this secret at a well-known path in the Gateway container, and Kong Gateway reads a license from disk. This has worked so far, but we wanted to do better.

The biggest pain point of the “mount a secret” approach is that when your license is updated, pods need to be cycled to pick up the new value. This isn’t a huge task, but it’s also not frictionless.

In Kong Ingress Controller 3.1, we’ve added support for using the Kong Admin API to apply licenses to running Gateways. This allows you to apply or update a license on demand, without needing to cycle the pod.

Create a new KongLicense resource in your cluster, and KIC will take care of the rest. To learn more, see the KongLicense documentation.

KongVault

Secret vaults are a powerful Kong Gateway feature, and they’re now first-class citizens for Kong Gateway users on Kubernetes.

The KongVault CRD allows you to manage Vault entities in Kong Gateway. It provides access to AWS Secrets Manager, Azure Key Vaults, Google Secrets Manager, and HashiCorp Vault. Secrets from these vaults can be used to inject sensitive information such as certificate private keys and plugin configuration fields at runtime. Here’s an example that configures an AWS Secrets Manager vault in us-west-2:
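The manifest shown at this point in the post is not present on the page. The following is an added example, not the original post's code, of a KongVault for AWS Secrets Manager in us-west-2; the resource name, prefix and description are assumed values.

```yaml
# Added example: KongVault backed by AWS Secrets Manager in us-west-2.
# metadata.name, spec.prefix and spec.description are assumed values.
apiVersion: configuration.konghq.com/v1alpha1
kind: KongVault
metadata:
  name: aws-us-west-vault
  annotations:
    # KongVault is cluster-scoped; the ingress class annotation tells KIC
    # which controller should reconcile it.
    kubernetes.io/ingress.class: kong
spec:
  backend: aws
  # The prefix is the name used in vault references: {vault://aws-us-west/...}
  prefix: aws-us-west
  description: "AWS Secrets Manager vault for us-west-2"
  config:
    region: us-west-2
```

Gateway configuration can then reference a secret as `{vault://aws-us-west/<secret-name>/<key>}`. The Kong Gateway pods still need their own AWS credentials to read from Secrets Manager.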

All supported vaults can be configured using the KongVault CRD. For more information, see the Vaults on Kubernetes documentation.

KongPlugin ConfigPatch

Kong Ingress Controller supports reading KongPlugin configuration from Kubernetes secrets using the configFrom pattern. KIC 3.1 enhances this capability by allowing individual fields to be read from secrets, with the rest of the configuration being provided as plain text.

This is done using a new configPatches property in the KongPlugin CRD. configPatches is a list of JSON patches to apply. Each patch contains a path and a valueFrom entry that references a secret in the same namespace.

The majority of the plugin is available in plain text in the KongPlugin resource. This makes understanding what’s being applied much easier for operators. The redis_password key is populated using a Kubernetes secret:

It’s worth noting that the Kong Ingress Controller resolves secrets before sending the configuration to Kong Gateway. Secrets injected using configPatches will be visible in plain text in the Admin API. For a more secure option, we recommend using KongVault with an external vault such as AWS Secrets Manager, HashiCorp Vault, or any other supported vault.
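The two approaches described above, side by side, as an added example that is not the original post's manifest. It assumes the rate-limiting plugin with a Redis policy; the resource names, Redis host, Secret name and key, and the `aws-us-west` vault prefix are all assumptions.

```yaml
# Added example. Assumed: rate-limiting plugin, resource names, Redis host,
# Secret name/key, and a KongVault with prefix "aws-us-west".

# Variant 1: configPatches. KIC reads the Secret and sends the resolved value
# to Kong Gateway, so redis_password is readable in plain text via the Admin API.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limit-redis-patch
plugin: rate-limiting
config:
  minute: 10
  policy: redis
  redis_host: redis-master
  redis_port: 6379
configPatches:
  - path: /redis_password        # JSON pointer into config
    valueFrom:
      secretKeyRef:
        name: rate-limit-redis   # Secret in the same namespace as the KongPlugin
        key: redis-password
---
# Variant 2: vault reference. KIC only handles the reference string;
# Kong Gateway resolves it against the external vault at runtime.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limit-redis-vault
plugin: rate-limiting
config:
  minute: 10
  policy: redis
  redis_host: redis-master
  redis_port: 6379
  # Format: {vault://<KongVault prefix>/<secret name>/<key>}
  redis_password: "{vault://aws-us-west/redis/password}"
```

When reviewing a cluster, treat any `configPatches` entry as a value that anyone with Admin API read access can retrieve, and scope Admin API access accordingly.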

KIC in Konnect

The Kong Ingress Controller control plane in Kong Konnect is a read-only view of your Kong Gateway configuration. The ingress controller sends the configuration directly to the data plane and then mirrors the configuration to Konnect.

Many configurations contain sensitive information such as certificate private keys. These values were being transmitted to Konnect, but could not be used to configure data planes. KIC 3.1 adds a new SanitizeKonnectConfigDumps feature gate, which prevents sensitive data from being sent to Konnect. When enabled, certificate private keys will not leave your cluster.

The SanitizeKonnectConfigDumps feature gate is enabled by default, so upgrade to KIC 3.1 to try it today.

Try Kong Ingress Controller 3.1

For a full list of features, fixes, and updates please see the CHANGELOG.

As always, the quickest way to get started with KIC 3.1 is with Kong Konnect thanks to our KIC in Kong Konnect functionality.
