Migrate Konnect DataPlanes from KGO 1.4 to 1.5

This document helps to migrate from gateway-operator.konghq.com to konnect.konghq.com KonnectExtension.

1. Label the certificate Secret:

    kubectl label secret -n kong konnect-client-tls konghq.com/konnect-dp-cert=true
   

2. Install new kubernetes-configuration CRDs:

    kustomize build https://github.com/kong/kubernetes-configuration/crd/gateway-operator | kubectl apply --server-side -f -
   

   To verify version compatibility with kubernetes-configuration CRDs, please consult the version compatibility table.

   NOTE: In case CRDs were installed via helm you might need to force conflicts:

    kustomize build https://github.com/kong/kubernetes-configuration/crd/gateway-operator | kubectl apply --server-side --force-conflicts -f -
   

3. Upgrade to new controller version (e.g. set the image.tag in values.yaml to v1.5.0)

4. Create:

   1. KonnectAPIAuthConfiguration with your Konnect API token (create one here), for example:

       echo '
       kind: KonnectAPIAuthConfiguration
       apiVersion: konnect.konghq.com/v1alpha1
       metadata:
         name: konnect-api-auth
         namespace: kong
       spec:
         type: token
         token: kpat_XXXXXXXXX
         serverURL: us.api.konghq.com' | kubectl apply -f -
      

   2. New KonnectExtension using the konnect.konghq.com API group and reference the Konnect CP by KonnectID.

      For example, the following KonnectExtension from 1.4 (using the gateway-operator.konghq.com API group):

       kind: KonnectExtension
       apiVersion: gateway-operator.konghq.com/v1alpha1
       metadata:
         name: example-konnect-config
         namespace: kong
       spec:
         controlPlaneRef:
           type: konnectID
           konnectID: <CP_ID>
         controlPlaneRegion: <REGION> # This will be inferred in 1.5+ using the Konnect API
         serverHostname: <HOSTNAME>   # This will be inferred in 1.5+ using the Konnect API
         konnectControlPlaneAPIAuthConfiguration:
           clusterCertificateSecretRef:
             name: konnect-client-tls
      

      Would translate into following KonnectExtension in 1.5 (using the konnect.konghq.com API group):

       kind: KonnectExtension
       apiVersion: konnect.konghq.com/v1alpha1
       metadata:
         name: example-konnect-config
         namespace: kong
       spec:
         konnect:
           controlPlane:
             ref:
               type: konnectID
               konnectID: a6554c4c-79a6-4db7-b7a4-201c0cf746ba # The Konnect controlPlane ID
           configuration:
             authRef:
               name: konnect-api-auth # Reference to the KonnectAPIAuthConfiguration object
         clientAuth:
           certificateSecret:
             provisioning: Manual
             secretRef:
               name: konnect-client-tls
      

5. Ensure that your DataPlane, ControlPlane and GatewayConfiguration objects use the new extension: by verifying the extensions field in the spec:

    spec:
      extensions:
      - kind: KonnectExtension
        name: my-konnect-config
        group: konnect.konghq.com # Ensure that group matches this value.
   

6. Remove the finalizer from the old extension:

    kubectl patch konnectextensions.gateway-operator.konghq.com example-konnect-config -n kong -p '{"metadata":{"finalizers":null}}' --type=merge
   

7. Delete the old gateway-operator.konghq.com KonnectExtension.