Declarative Configuration
July 16, 2026 · View on GitHub
This page covers what you need to know for managing Kong Konnect
resources using the kongctl declarative configuration approach.
For supported resource types and field-level resource definitions see the Declarative Resource Reference.
Table of Contents
- Overview
- AI-Assisted Declarative Setup
- Quick Start
- Core Concepts
- Resource Types
- Configuration Structure
- Kongctl Metadata
- YAML Tags
- Commands Reference
- CI/CD Integration
- Best Practices
- Troubleshooting
Overview
kongctl's declarative management feature enables you to
manage your Kong Konnect resources with
simple YAML declaration files and a simple state free CLI tool.
Key Principles
- Configuration manifests: Configuration is expressed as simple YAML files that describe the desired state of your Konnect resources. Configuration files can be split into multiple files and directories for modularity and reuse.
- Plan-Based: Plans are objects that represent required changes to move a set of resources from one state to another, desired, state.
In
kongctl, plan artifacts are first class concepts that can be created, stored, reviewed, and applied. Plans are represented as JSON objects and can be generated and stored as files for later application. When running declarative commands, if plans are not provided they are generated implicitly and executed immediately. - State-Free:
kongctldoes not use a state file or database to store the current state. The system relies on querying of the online Konnect state in order to calculate plans and apply changes. - Namespace Resource Isolation: Namespaces provide a way to isolate resources however the user desires (teams, environments, etc...).
Each resource under management is assigned to one namespace, and resources in other namespaces are not considered when calculating plans or
applying changes. A
defaultnamespace is used if none is specified in input configurations.
AI-Assisted Declarative Setup
kongctl includes a kongctl-declarative skill for AI coding agents. The
skill helps an agent discover resource schemas with kongctl explain, generate
starter YAML with kongctl scaffold, bootstrap declarative files, integrate
decK through _deck, generate API configuration from OpenAPI documents, and
work through plan, diff, apply, sync, delete, and adopt workflows.
Install the bundled skills from the root of the repository where your agent will work:
kongctl install skills
Preview the files and symlinks before writing them:
kongctl install skills --dry-run
Agent-generated configuration should still be reviewed before it changes
Konnect. Use kongctl diff --mode apply or kongctl plan to preview proposed
changes before running kongctl apply or kongctl sync.
Quick Start
Prerequisites
- Kong Konnect Account: Sign up for free
kongctlinstalled: See installation instructions- Authenticated with Konnect: Run
kongctl login
Create Your First Configuration
Create a working directory:
mkdir kong-portal && cd kong-portal
Create a file named portal.yaml:
portals:
- ref: my-portal
name: "my-developer-portal"
display_name: "My Developer Portal"
description: "API documentation for developers"
authentication_enabled: false
default_api_visibility: "public"
default_page_visibility: "public"
apis:
- ref: users-api
name: "Users API"
description: "API for user management"
publications:
- ref: users-api-publication
portal_id: my-portal
Preview changes:
kongctl diff -f portal.yaml
Apply configuration:
kongctl apply -f portal.yaml
You can also load a single configuration file from an HTTP or HTTPS URL:
kongctl apply -f https://get.konghq.com/example-kongctl.yaml
To save remote files locally and run the command from the saved copies in one
operation, use --remote-file-save-dir or its shorthand, -s:
kongctl apply \
-f https://get.konghq.com/portal.yaml \
-f https://get.konghq.com/api.yaml \
--remote-file-save-dir ./kongctl-example
Remote files are saved into the directory using the filename from each URL path.
If multiple remote URLs would save to the same filename, the command fails
before fetching them. Existing files are left intact by default. Use
--remote-file-save-force or -F with --remote-file-save-dir to replace
existing saved files.
When --remote-file-auth=auto is enabled, which is the default, kongctl
sends the current profile's Konnect bearer token only to HTTPS remote sources
on Konnect hosts, such as *.cloud.konghq.com or the configured Konnect API
host. Authentication is never sent to arbitrary hosts. Use
--remote-file-auth=none to fetch a remote file without adding Konnect
authentication headers.
Review remote configuration before running mutating commands in production. Prefer HTTPS URLs and pin examples to immutable versions when using them in CI.
Verify resources with kongctl get commands:
kongctl get portals
kongctl get apis
Your developer portal and API are now live! Visit the Konnect Console to see your developer portal with the published API.
Core Concepts
Resource Identity
Resources can have multiple identifiers:
- ref:
kongctldeclarative engine identifier.refis used to identify the resource uniquely within a given set of declarative configurations.refis not written to the remote Konnect system and must be unique across all resources in a given set of input configuration files. This value is used to to create inter-configuration references between resources. - id: Most Konnect resources have an
idfield which is a Konnect assigned UUID. This field is not stored in declarative configuration files but will be used internally by the declarative engine. - name: Many Konnect resources have a
namefield which may or may not be subject to a unique constraint within an organization for that resource type.
Top-level resource keys and field names in declarative YAML are stable
configuration contract names. Use the names documented in the
Declarative Resource Reference, and use
ref values when one resource needs to refer to another.
application_auth_strategies:
- ref: oauth-strategy
name: "OAuth 2.0 Strategy"
portals:
- ref: developer-portal
name: "Developer Portal"
default_application_auth_strategy_id: !ref oauth-strategy#id
Plan Artifacts
Plans are central to how kongctl manages resource state. Plans are objects which
define the required steps to move a set of resources from their current state to a
desired state. Plans can be created, stored, reviewed, and applied at a later time
and are stored as JSON files. Plans are not required to be used,
but can enable advanced workflows.
How Planning Works
The declarative configuration commands
(apply, sync, delete, diff) commands use the planning engine internally:
Implicit Planning (direct execution):
# Internally generates plan and executes it
kongctl apply -f config.yaml
Explicit Planning (two-phase execution):
# Phase 1: Generate plan artifact
kongctl plan -f config.yaml --output-file plan.json
# Phase 2: Execute plan artifact (can be done later)
kongctl apply --plan plan.json
Why Use Plan Artifacts?
Plan artifacts enable more advanced workflows:
- Audit Trail: Store plans in version control alongside configurations
- Review Process: Share plans and review with team members before execution
- Deferred Execution: Generate plans in CI, apply them after approval
- Rollback Safety: Keep previously applied plans for rollback analysis
- Compliance: Document exactly what changes were planned
Parent vs Child Resources
Generally the main concepts in the Konnect system are collections and many of them support child resources underneath them.
Parent Resource Examples:
apisportalsapplication_auth_strategiescontrol_planesanalytics.dashboardsorganization.teamsevent_gateways
Child Resource Examples:
api.versionsapi.publicationsapi.implementationsapi.documentsportal.pagesportal.snippetsportal.customizationportal.custom_domainportal.email_configportal.email_templates
See the Declarative Resource Reference for more details on supported resources.
Configuration Structure
Basic Structure
# Optional defaults section
_defaults:
kongctl: # kongctl metadata defaults
namespace: production
protected: false
portals: # List of Parent portal resources
- ref: developer-portal # ref is required on all resources
name: "developer-portal"
display_name: "Developer Portal"
description: "API documentation hub"
kongctl: # kongctl metadata defined explicitly on resource, overrides _defaults
namespace: platform-team
protected: true
Hierarchical vs Flattened configuration
Parents are defined at the root of a configuration while children can be expressed both nested under their parent and at the root with a parent reference field.
Hierarchical Configuration:
apis:
- ref: users-api
name: "Users API"
versions:
- ref: v1
name: "v1.0.0"
spec: !file ./specs/users-v1.yaml
publications:
- ref: public
portal_id: !ref main-portal
visibility: public
Flattened Configuration:
apis:
- ref: users-api
name: "Users API"
api_versions:
- ref: v1
api: users-api
name: "v1.0.0"
spec: !file ./specs/users-v1.yaml
api_publications:
- ref: public
api: users-api
portal_id: !ref main-portal
Kongctl Metadata
The kongctl section provides metadata for resource management.
This metadata is stored in Kong Konnect labels and labels are only
provided on parent resources. Thus, kongctl metadata is
only supported on parent resources.
Protected Resources
The protected field prevents accidental deletion of critical resources:
portals:
- ref: production-portal
name: "Production Portal"
kongctl:
protected: true # Cannot be deleted until protection is removed
Namespace Management
The namespace field enables resource isolation:
apis:
- ref: billing-api
name: "Billing API"
kongctl:
namespace: finance-team # Owned by finance team
protected: false
File-Level Defaults
Use _defaults to set default values for all resources in a file:
_defaults:
kongctl:
namespace: platform-team
protected: true
portals:
- ref: api-portal
name: "API Portal"
# Inherits namespace: platform-team and protected: true
- ref: test-portal
name: "Test Portal"
kongctl:
namespace: qa-team
protected: false
# Overrides both defaults
Namespace and Protected Field Behavior
kongctl provides some default behavior depending on how metadata fields
are specified or omitted. The following tables summarize the behavior.
namespace Field Behavior
| File Default | Resource Value | Final Result | Notes |
|---|---|---|---|
| Not set | Not set | "default" | System default |
| Not set | "team-a" | "team-a" | Resource explicit |
| Not set | "" (empty) | ERROR | Empty namespace not allowed |
| "team-b" | Not set | "team-b" | Inherits default |
| "team-b" | "team-a" | "team-a" | Resource overrides |
| "team-b" | "" (empty) | ERROR | Empty namespace not allowed |
| "" (empty) | Any value | ERROR | Empty default not allowed |
protected Field Behavior
| File Default | Resource Value | Final Result | Notes |
|---|---|---|---|
| Not set | Not set | false | System default |
| Not set | true | true | Resource explicit |
| Not set | false | false | Explicit false |
| true | Not set | true | Inherits default |
| true | false | false | Resource overrides |
| false | true | true | Resource overrides |
Child resources automatically inherit the metadata of their parent resource:
Namespace Enforcement Flags
The kongctl plan command provides built-in namespace guardrails:
--require-any-namespaceforces every managed resource to declare a namespace viakongctl.namespaceor_defaults.kongctl.namespace.--require-namespace=<ns>restricts planning to the provided namespaces (repeat or comma-separate the flag to allow multiple values).
These flags help prevent accidentally operating on unexpected namespaces, especially when running in sync mode.
External Resources and Namespaces
External resources (_external pseudo-resource) are references to Konnect objects that are managed elsewhere
but are "selected" by the kongctl declarative engine so they can be referenced by other resources under management.
# External portal definition - this tells kongctl that this portal
# is managed externally (by the platform team) but we need to reference it
portals:
- ref: shared-developer-portal
_external:
selector:
matchFields:
name: "Shared Developer Portal"
Because kongctl does not own those resources:
- External resources cannot declare
kongctlmetadata. Supplyingkongctl.namespaceorkongctl.protectedon an external resource results in a parsing error. File-level defaults are ignored for externals. - External references do not add their namespaces to sync planning. Only namespaces from managed parent resources are considered when sync mode calculates deletes.
- Child resources (portal pages, customizations, etc.) are still planned by resolving the external parent's Konnect ID.
Ensure the owning team labels the parent (for example via
kongctl adopt) so the ID can be resolved, but you do not need to (and cannot) assign a namespace to the external definition itself.
Resources managed by decK
Deck integration is configured on control planes via the _deck pseudo-resource. kongctl runs deck once per
control plane that declares _deck, then resolves external gateway services by selector name. _external.requires.deck
is not supported.
control_planes:
- ref: prod-cp
name: "prod-cp"
_deck:
files:
- "kong.yaml"
flags:
- "--select-tag=kongctl"
gateway_services:
- ref: billing-gw
_external:
selector:
matchFields:
name: "billing-service"
Important notes for deck integration:
_deckis allowed only on control planes and only one_deckconfig is allowed per control plane._deck.filesmust include at least one state file._deck.flagscan include additional deck flags (but not Konnect auth or output flags)._external.selector.matchFields.nameis required for external gateway services and must be the only selector field.- kongctl runs exactly one
deck gateway applyordeck gateway syncper control plane that declares_deck. - Deck state files should include
_info.select_tagsand matchingtagson entities sosyncdoes not delete resources owned by other deck files. kongctl does not inject select tags for you. - Relative deck file paths are resolved relative to the declarative config file and must remain within the
--base-dirboundary (default: the config file directory). - Plan files store deck base directories relative to the plan file location. When emitting a plan to stdout,
the base directory is made relative to the current working directory (use
--output-filefor portable plans). Applying a plan resolves them from the plan file directory (or the current working directory when using--plan -). kongctl plan/diffrunsdeck gateway diffto decide whether an external tool change is needed.kongctl applyrunsdeck gateway applyandkongctl syncrunsdeck gateway sync. For apply mode, deletes reported by deck diff are ignored.- If the control plane is being created in the same plan (or the ID is not available), kongctl skips deck diff and includes the external tool step.
- For gateway steps, kongctl injects Konnect auth flags and output flags (
--json-output --no-color); do not supply--konnect-token,--konnect-control-plane-name,--konnect-addr, or output flags yourself. - Plans represent deck resolution targets explicitly via
post_resolution_targetson the_deckchange entry, including control plane identifiers and the gateway service selector.
Portal Audit Log Webhooks
Portal audit-log webhooks can reference organization audit-log destinations
that are managed outside kongctl. Declare those destinations under
audit-logs.destinations with _external, then reference them from a portal
webhook with !ref.
portals:
- ref: docs-portal
name: Docs Portal
audit_log_webhook:
ref: docs-portal-audit-log-webhook
enabled: true
audit_log_destination_id: !ref foo
audit-logs:
destinations:
- ref: foo
_external:
selector:
matchFields:
name: foo
audit-logs.destinations supports _external.id and
_external.selector.matchFields.name. Destination resources cannot declare
kongctl metadata and are not created, updated, or deleted by declarative
apply. In sync mode, omitted portal webhook configuration is ignored unless an
audit_log_webhook block is explicitly present for that portal. To remove an
existing webhook while retaining the portal, declare audit_log_webhook: {}.
audit_log_webhook: null is rejected because null is not a reset or delete
signal.
YAML Tags
YAML tags are like preprocessors for YAML file data. They allow you to load content from external files, reference across resources, load values from environment variables, and extract specific values from structured data. Over time more tags may be added to support various functions and use cases.
Loading File Content to YAML Fields
Load the entire content of a file as a string:
apis:
- ref: users-api
name: "Users API"
description: !file ./docs/api-description.md
All file paths are resolved relative to the directory containing the configuration file:
project/
├── config.yaml # Main config file
├── specs/
│ ├── users-api.yaml
│ └── products-api.yaml
└── docs/
└── descriptions.txt
In config.yaml:
apis:
- ref: users-api
name: !file ./specs/users-api.yaml#info.title
description: !file ./docs/descriptions.txt
Supported file types: Any text file (.txt, .md, .yaml, .json, etc.)
Security Features
Path Traversal Prevention: Absolute paths are blocked. Relative paths may include
.., but the resolved path must stay within the base directory boundary. By default,
the boundary is the root of each -f source (file: its parent dir, dir: the
directory itself). For stdin and URL sources, the boundary defaults to the
current working directory. Set the base directory with --base-dir or
konnect.declarative.base-dir
(KONGCTL_<PROFILE>_KONNECT_DECLARATIVE_BASE_DIR, for example
KONGCTL_DEFAULT_KONNECT_DECLARATIVE_BASE_DIR). When URL sources are loaded
with --remote-file-save-dir, subsequent relative paths are resolved like
normal file sources from the save directory.
# ❌ These will fail with security errors
description: !file /etc/passwd
# ❌ This will fail if it resolves outside the base directory
config: !file ../../../sensitive/file.yaml
# ✅ These are allowed (if they stay within the base directory)
description: !file ../docs/description.txt
config: !file ./config/settings.yaml
File Size Limits: Files are limited to 10MB.
Performance Features
File Caching: Files are cached during a single execution to improve performance:
apis:
- ref: api-1
name: !file ./common.yaml#api.name # File loaded and cached
description: !file ./common.yaml#api.desc # Uses cached version
- ref: api-2
team: !file ./common.yaml#team.name # Uses cached version
Value Extraction
You can extract specific values from structured data loaded from the file tag
with this hash (#) notation:
apis:
- ref: users-api
name: !file ./specs/openapi.yaml#info.title # loads info.title field from the openapi.yaml file
description: !file ./specs/openapi.yaml#info.description
version: !file ./specs/openapi.yaml#info.version
versions:
- ref: v1
spec: !file ./specs/openapi.yaml
Alternatively values can be extracted using this map format:
apis:
- ref: products-api
name: !file
path: ./specs/products.yaml
extract: info.title
labels:
contact: !file
path: ./specs/products.yaml
extract: info.contact.email
Loading Values From Environment Variables
Use !env to load a value from an environment variable into a string
field:
portals:
- ref: env-portal
name: env-portal
description: !env PORTAL_DESCRIPTION
Scalar syntax supports extraction with #:
api_documents:
- ref: env-doc
api_id: petstore-api
title: !env DOC_METADATA#title
content: !env DOC_METADATA#content
slug: getting-started
Map syntax is also supported:
api_documents:
- ref: env-doc
api_id: petstore-api
title: !env
var: DOC_METADATA
extract: title
content: !env
var: DOC_METADATA
extract: content
slug: getting-started
!env extraction parses the environment variable as YAML or JSON before
reading the requested field path.
A runnable example is available in docs/examples/declarative/env/.
!env Behavior
!envis supported on string-typed fields in this release.- Unset environment variables are treated as errors.
- Empty-but-set environment variables are allowed.
- During planning,
kongctlresolves the current environment value to calculate changes. - Saved plan files preserve the deferred
!envreference instead of the resolved plaintext value. - During execution,
kongctlperforms a fresh environment lookup for each deferred!envvalue instead of reusing the value observed during planning. - When you run
apply,sync, ordeletedirectly from configuration files,kongctlstill plans first and then performs that second lookup during execution in the same command invocation. - In direct
apply,sync, anddeleteruns, both lookups happen within the samekongctlprocess, so they will usually observe the same process environment. - When execution uses a saved plan with
--plan, planning and execution happen in separate command invocations, so environment values may differ between them and the executed value may differ from what was observed while planning. - Human-readable plan and diff output redact
!envvalues.
Write-only Secret Fields
Some Konnect APIs accept secret values on create or update but do not return
them from get or list responses. Common examples include:
- Portal identity provider
config.client_secret - DCR provider secrets such as
dcr_token,api_key, andinitial_client_secret - AI Gateway Model Provider authentication values such as
config.auth.headers[].value,client_secret,secret_access_key, andservice_account_json - AI Gateway Identity Provider OpenID Connect
config.client_secret - Event Gateway schema registry authentication
password
For these fields, kongctl prefers idempotent planning over perpetual
updates. When the API does not expose the current value, the planner skips
that field during diff calculation instead of assuming drift on every run.
This means:
- The initial create or update still sends the configured secret value.
- Re-applying the same declarative configuration will usually be a no-op instead of planning an update forever.
- Changing only a write-only secret may not be detectable from live state, so
planmay show no changes even though the configured secret value differs from what is currently stored in Konnect.
When you need to rotate a write-only secret declaratively, make the change alongside another observable field, or recreate the resource if the API does not provide a safe observable signal for that update.
Commands Reference
The following are high level descriptions of commands for declarative configuration management. See the command usage text for details on command usage, flags and options.
plan
Create a plan - a JSON file containing the set of planned changes to a set of resources.
Plans are generated with either --mode apply or --mode sync. Apply mode
creates and updates configured resources only. Sync mode also deletes managed
resources, but only for resource collections that are explicitly present in the
input configuration.
Generate an apply plan and output to STDOUT:
kongctl plan -f config.yaml --mode apply
Generate a sync plan and output to STDOUT:
kongctl plan -f config.yaml --mode sync
apply
Applying a configuration will create or update resources to match the desired state
and will not delete resources. Because apply does not delete resources, it can
be used for incremental application of resource configurations. For example, you could
apply a portal in one command and then later apply apis in a separate command.
Apply directly from config:
kongctl apply -f config.yaml
Apply from saved plan:
kongctl apply --plan plan.json
Preview changes without applying:
kongctl apply -f config.yaml --dry-run
sync
sync applies a set of configurations including deleting managed resources that
are missing from explicitly scoped collections.
Sync scope is based on YAML key presence:
- Omitted resource collections are ignored.
- Explicit empty root lists mean the desired count is zero. For example,
apis: []deletes managed APIs in the selected namespace. - Parent and child collections are scoped separately. A portal block without
pagesdoes not delete portal pages. Usepages: []under that portal to declare that the portal should have no pages. - Map-shaped child collections use an empty object as the empty collection. For
example,
email_templates: {}means the portal should have no customized email templates. - Singleton child sections use the same key-presence rule, but
{}andnullare intentionally different. Omit a singleton key to ignore that child. Provide an object with fields to manage or update it. For optional, delete-capable portal singletons such ascustom_domain,email_config, andaudit_log_webhook, an empty object scopes the child with desired count zero:custom_domain: {}deletes any existing managed custom domain for that portal during sync.nullis rejected because sync does not infer reset or delete semantics from null. Update-only singleton sections, such ascustomization, cannot be deleted by declaring{}. - Empty child collections must be nested under a parent resource. Root-level
api_documents: []is rejected because it does not identify which API owns the desired zero count.
For federated ownership, include the parent resource entry in the team
configuration and scope only the child collection that team owns. When the
parent is managed elsewhere and the resource type supports _external, declare
the parent as external and nest the child collection under that parent. This
allows sync to plan the child collection without treating the managed parent
collection in the team's namespace as desired state.
apis:
- ref: orders-api
name: Orders API
documents: []
portals:
- ref: shared-docs-portal
_external:
selector:
matchFields:
name: "Shared Docs Portal"
pages: []
The external-parent pattern should not be combined with a namespace default unless the team also intends to scope managed parent resources in that namespace.
Preview sync changes:
kongctl sync -f config.yaml --dry-run
Sync configuration with a prompt confirmation:
kongctl sync -f team-config.yaml
Skip confirmation prompt (caution!):
kongctl sync -f config.yaml --auto-approve
Sync from a plan artifact:
kongctl sync --plan plan.json
diff
Display preview of changes between current and desired state:
Preview changes in apply mode (CREATE and UPDATE only):
kongctl diff -f config.yaml --mode apply
Preview changes in sync mode (CREATE, UPDATE, and DELETE):
kongctl diff -f config.yaml --mode sync
Preview targeted deletions in delete mode (DELETE only for matching resources):
kongctl diff -f config.yaml --mode delete
Preview changes from a plan artifact:
kongctl diff --plan plan.json
Note:
--modecannot be used with--planbecause mode is stored in the plan artifact metadata.
For UPDATE actions, text diff shows only the fields that would be
changed. JSON and YAML outputs expose the same detail in each change's
changed_fields object while keeping fields as the execution payload.
adopt
kongctl declarative configuration engine will only consider resources that
are part of the list of kongctl.namespace values given to it during planning
and execution of changes. There may be cases where you want to bring an
existing Konnect resource into configuration that was created outside of the
configuration management process. The adopt command enables you to
add the proper namespace label to an existing Konnect resources without
modifying any other fields. Once you adopt a resource, you need to add the
configuration for it
to your configuration set to ensure it is managed going forward.
Adopt a portal by name:
kongctl adopt portal my-portal --namespace team-alpha
Adopt a control plane by ID:
kongctl adopt control-plane 22cd8a0b-72e7-4212-9099-0764f8e9c5ac \
--namespace platform
Adopt a custom dashboard by ID:
kongctl adopt analytics dashboard 22cd8a0b-72e7-4212-9099-0764f8e9c5ac \
--namespace analytics
If the resource already has a KONGCTL-namespace label, the command fails
without making changes.
dump
Export current Konnect resource state to various formats.
# Export all APIs with their child resources and include debug logging
# to tf-import format
kongctl dump tf-import --resources=api --include-child-resources
# Export all portal and api resources to
# kongctl declarative configuration with format and the team-alpha namespace
kongctl dump declarative --resources=portal,api --default-namespace=team-alpha
For custom dashboards created in the Konnect UI, adopt the dashboard first, then dump it with the same namespace:
kongctl adopt analytics dashboard 22cd8a0b-72e7-4212-9099-0764f8e9c5ac \
--namespace analytics
kongctl dump declarative --resources=analytics.dashboards \
--default-namespace=analytics > dashboards.yaml
kongctl plan -f dashboards.yaml --mode apply
CI/CD Integration
Key principles for CI/CD integration:
- Plan on PR: Generate and review plans in pull requests
- Apply on Merge: Apply reviewed plans when merged to target branch
- Environment Separation: Different configs for dev/staging/prod
- Approval Gates: Require human approval for production
Best Practices
Multi-Team Setup
Each team manages their own namespace:
# team-alpha/config.yaml
_defaults:
kongctl:
namespace: team-alpha
apis:
- ref: frontend-api
name: "Frontend API"
# Automatically in team-alpha namespace
Environment Management
Use configuration profiles for different environments:
# Development environment
kongctl apply -f config.yaml --profile dev
# Production environment
kongctl apply -f config.yaml --profile prod
Security Best Practices
-
Protect production resources:
apis: - ref: payment-api kongctl: namespace: production protected: true -
Use namespaces for isolation:
- One namespace per team
- Separate namespaces for environments
- Clear namespace ownership documentation
-
Version control everything:
- Configuration files
- OpenAPI specifications
- Documentation
-
Review plans before applying:
- Use
planin production - Save plans for audit trail
- Implement approval workflows
- Use
Plan Artifact Workflows
Basic Plan Review Workflow
Developer creates plan:
kongctl plan -f config.yaml --output-file proposed-changes.json
Review changes visually:
kongctl diff --plan proposed-changes.json
Share plan for review (commit to git, attach to PR, etc.):
git add proposed-changes.json
git commit -m "Plan for adding new API endpoints"
After approval, apply the plan:
kongctl apply --plan proposed-changes.json
Production Deployment with Approval
# CI/CD Pipeline Stage 1: Plan Generation
kongctl plan -f production-config.yaml \
--output-file plan-$(date +%Y%m%d-%H%M%S).json
# Stage 2: Manual approval gate
# - Plan artifact is stored as build artifact
# - Team reviews plan details
# - Approval triggers next stage
# Stage 3: Plan Execution
kongctl sync --plan plan-20240115-142530.json --auto-approve
Emergency Rollback Using Previous Plan
List recent plans (assuming you store them):
ls -la plans/
Review what the previous state included:
kongctl diff --plan plans/last-known-good.json
Revert to previous state:
kongctl sync --plan plans/last-known-good.json --auto-approve
Common Mistakes to Avoid
❌ Setting kongctl on child resources:
# WRONG
apis:
- ref: my-api
kongctl:
namespace: team-a
versions:
- ref: v1
kongctl: # ERROR - not supported on child resources
protected: true
✅ Correct approach:
# RIGHT
apis:
- ref: my-api
kongctl:
namespace: team-a
protected: true
versions:
- ref: v1
❌ Using name as identifier:
# WRONG - using display name
api_publications:
- ref: pub1
api: "Users API"
✅ Use ref for references:
# RIGHT - using ref
api_publications:
- ref: pub1
api: users-api
Field Validation
Kongctl uses strict YAML validation to catch configuration errors early:
# This will cause an error
portals:
- ref: my-portal
name: "My Portal"
lables: # ❌ ERROR: Unknown field 'lables'. Did you mean 'labels'?
team: platform
Common field name errors:
lables→labelsdescriptin→descriptiondisplayname→display_namestrategytype→strategy_type
Troubleshooting
Common Issues
Authentication Failures:
- Verify PAT is not expired
- Check authentication:
kongctl get me - Ensure proper credential storage
Plan Generation Failures:
- Validate YAML syntax
- Check file paths are correct
- Verify network connectivity
Apply Failures:
- Review plan for conflicts
- Check for protected resources
- Verify dependencies exist
File Loading Errors:
Error: failed to process file tag: file not found: ./specs/missing.yaml
- Verify the file path is correct
- Check that the file exists
- Ensure proper relative path from config file location
Debug Mode
Enable verbose logging:
kongctl apply -f config.yaml --log-level debug
Enable trace logging for HTTP requests:
kongctl apply -f config.yaml --log-level trace
For more troubleshooting help, see the Troubleshooting Guide.
Examples
Browse the examples directory
Related Documentation
- Troubleshooting Guide - Common issues and solutions