ko: add docs for using KonnectAPIAuthConfiguration with Secrets

pmalek · pmalek · commit 8673c9068c43 · 2025-11-19T17:53:32.000+01:00
diff --git a/app/_how-tos/operator-konnect-getstarted-authentication.md b/app/_how-tos/operator-konnect-getstarted-authentication.md
@@ -35,8 +35,15 @@ prereqs:
 
 ## Create a `KonnectAPIAuthConfiguration` object
 
-Depending on your preferences, you can create a `KonnectAPIAuthConfiguration` object with the token specified directly in the spec or as a reference to a Kubernetes Secret. In the CRD, the `serverURL` should be set to the {{site.konnect_short_name}} API url in the region where your account is located. 
+Depending on your preferences, you can either:
 
+- Create a `KonnectAPIAuthConfiguration` object with the token specified directly in the spec and use RBAC to restrict access to its type.
+- Or you can use a Kubernetes `Secret` (of type `Opaque`) and reference it from the `KonnectAPIAuthConfiguration` object.
+  The token has to be specified in `Secret`'s `token` data field.
+
+The `serverURL` should be set to the {{site.konnect_short_name}} API url in the region where your account is located.
+
+### Using a token in `KonnectAPIAuthConfiguration`
 
 <!-- vale off -->
 {% konnect_crd %}
@@ -50,6 +57,32 @@ spec:
 {% endkonnect_crd %}
 <!-- vale on -->
 
+### Using a Secret reference
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: konnect-api-auth-secret
+  namespace: default
+  labels:
+    konghq.com/secret: konnect
+stringData:
+  token: '$KONNECT_TOKEN'
+```
+
+<!-- vale off -->
+{% konnect_crd %}
+kind: KonnectAPIAuthConfiguration
+metadata:
+  name: konnect-api-auth
+spec:
+  type: secretRef
+  secretRef:
+    name: konnect-api-auth-secret
+  serverURL: us.api.konghq.tech
+{% endkonnect_crd %}
+<!-- vale on -->
 
 ## Validate
 
@@ -59,3 +92,21 @@ Run the following command to verify that the authentication configuration was cr
 kubectl get konnectapiauthconfiguration konnect-api-auth -n kong
 ```
 
+You should see output similar to the following:
+
+```bash
+NAME               VALID   ORGID                                  SERVERURL
+konnect-api-auth   True    5ca26716-02f7-4430-9117-1d1a7a2695e7   https://us.api.konghq.tech
+```
+
+If you prefer to work with status conditions programmatically, you can also run:
+
+```bash
+kubectl get konnectapiauthconfiguration konnect-api-auth -n kong -o jsonpath="{.status.conditions[?(@.type=='APIAuthValid')]}"
+```
+
+Which should yield the follow
+
+```json
+{"lastTransitionTime":"2025-10-16T11:46:28Z","message":"Token is valid","observedGeneration":1,"reason":"Valid","status":"True","type":"APIAuthValid"}%
+```
