Kong · jschmid1 · Jul 11, 2024 · Aug 19, 2024 · Aug 19, 2024 · Aug 21, 2024
@@ -24,6 +24,7 @@ eventTime
 firstTimestamp
 foogineer
 geos
+identity_realms
 if_version
 ingress_controller_configuration_push_size
 ingress_controller_configuration_push_broken_resource_count

@@ -15,6 +15,8 @@
           url: /private-connections/aws-privatelink/
     - text: Geographic Regions
       url: /geo/
+    - text: Centralized consumer management
+      url: /centralized-consumer-management/
     - text: Compatibility
       url: /compatibility/
     - text: Stages of Software Availability

@@ -0,0 +1,45 @@
+---
+nav_title: Configure realms for consumers
+title: Configure realms for consumers in {{site.konnect_short_name}}
+---
+
+Starting in {{site.base_gateway]] 3.10.x, credentials that are stored centrally in {{site.konnect_short_name}} that are shared across multiple {{site.base_gateway}} can be validated by configuring `identity_realms` field in the Key Auth plugin. You can use these realms when you create [centrally managed consumers](/konnect/centralized-consumer-management/). A data plane can only reach out to realms in the same region as they are deployed.
+
+Add the `identity_realms` field as shown below:
+
+```bash
+curl -X POST \
+https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
+   --header "accept: application/json" \
+   --header "Content-Type: application/json" \
+   --header "Authorization: Bearer TOKEN" \
+   --data '{
+      "name": "key-auth",
+      "config": {
+         "key_names": ["apikey"],
+         "identity_realms": [
+            {
+               "region": "$REGION",
+               "id": "$REALM_ID",
+               "scope": "realm"
+            },
+            {
+               "scope": "cp"
+            }
+         ]
+      }
+   }'
+```
+Be sure to replace the following with your own values:
+   * {region}: Region for your {{site.konnect_short_name}} instance.
+   * {controlPlaneId}: UUID of your control plane.
+   * $KONNECT_TOKEN: Replace with your {{site.konnect_short_name}} personal access token.
+   * $REALM_ID: The ID of the realm you created previously. 
+   * $REGION: Region for your {{site.konnect_short_name}} instance.
+
+`identity_realms` are scoped to the control plane by default (`scope: cp`). The order in which you configure the `identity_realms` dictates the priority in which the data plane attempts to authenticate the provided API keys:
+
+* **Realm is listed first:** The data plane will first reach out to the realm. If the API key is not found in the realm, the data plane will look for the API key in the control plane config. 
+* **Control plane scope listed first:** The data plane will initially check the control plane configuration (LMDB) for the API key before looking up the API Key in the realm.
+* **Realm only:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the data plane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked.
+* **Control plane only:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the data plane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked.
@@ -25,11 +25,26 @@ To restrict usage to certain authenticated users, also add the
 [ACL](/plugins/acl/) plugin (not covered here) and create allowed or
 denied groups of users.
 
+## Upstream Headers
+
+{% include_cached /md/plugins-hub/upstream-headers.md %}
+
+### Request behavior matrix
+
+The following table describes how {{site.base_gateway}} behaves in various authentication scenarios:
+
+Description | Proxied to upstream service? | Response status code
+--------|-----------------------------|---------------------
+The request has a valid API key. | Yes | 200
+No API key is provided. | No | 401
+The API key is not known to {{site.base_gateway}} | No | 401
+A runtime error occurred. | No | 500
+
 ## Usage
 
 ### Create a Consumer
 
-You need to associate a credential to an existing [Consumer][consumer-object] object.
+You need to associate a credential to an existing [Consumer](/gateway/latest/key-concepts/consumers/) object.
 A Consumer can have many credentials.
 
 {% navtabs %}
@@ -69,17 +84,14 @@ service, you must add the new Consumer to the allowed group. See
 
 For more information about how to configure anonymous access, see [Anonymous Access](/gateway/latest/kong-plugins/authentication/reference/#anonymous-access).
 
-
-### Multiple Authentication
+### Create a Key
 
 {{site.base_gateway}} supports multiple authentication plugins for a given service, allowing different clients to use different authentication methods to access a given service or route. For more information, see [Multiple Authentication](/gateway/latest/kong-plugins/authentication/reference/#multiple-authentication).
 
-### Create a Key
-
 {:.important}
-> **Note**: We recommend letting the API gateway autogenerate the key. Only specify it 
-yourself if you are migrating an existing system to {{site.base_gateway}}. 
-You must reuse your keys to make the migration to {{site.base_gateway}} transparent 
+> **Note**: We recommend letting the API gateway autogenerate the key. Only specify it
+yourself if you are migrating an existing system to {{site.base_gateway}}.
+You must reuse your keys to make the migration to {{site.base_gateway}} transparent
 to your consumers.
 
 {% navtabs %}
@@ -167,7 +179,7 @@ gRPC clients are supported too:
 grpcurl -H 'apikey: {some_key}' ...
 ```
 
-### About API Key Locations in a Request
+### API Key Locations in a Request
 
 {% include /md/plugins-hub/api-key-locations.md %}
 
@@ -199,11 +211,7 @@ HTTP/1.1 204 No Content
 * `USERNAME_OR_ID`: The `id` or `username` property of the [Consumer][consumer-object] entity to associate the credentials to.
 * `ID`: The `id` attribute of the key credential object.
 
-### Upstream Headers
-
-{% include_cached /md/plugins-hub/upstream-headers.md %}
-
-### Paginate through keys
+### Pagination 
 
 Paginate through the API keys for all Consumers by making the following
 request:
@@ -292,14 +300,4 @@ Response:
 [acl-associating]: /plugins/acl/#associating-consumers
 
 
-### Request behavior matrix
-
-The following table describes how {{site.base_gateway}} behaves in various scenarios:
-
-Description | Proxied to upstream service? | Response status code
---------|-----------------------------|---------------------
-The request has a valid API key. | Yes | 200
-No API key is provided. | No | 401
-The API key is not known to {{site.base_gateway}} | No | 401
-A runtime error occurred. | No | 500
 
@@ -0,0 +1,97 @@
+---
+title: Centralized consumer management
+---
+
+A [consumer](/gateway/latest/key-concepts/consumers/) is a {{site.base_gateway}} entity that consumes or uses the APIs managed by {{site.base_gateway}}. These can be things like applications, services, or users who interact with your APIs. Consumers can be scoped to a {{site.konnect_short_name}} region and managed centrally, or be scoped to a control plane in Gateway Manager.
+
+Centralized consumer management provides the following benefits:
+* Set up consumer identity centrally instead of defining it in multiple control planes.
+* Share consumers across multiple control planes. Users don't need to replicate changes to consumer identity in multiple control planes and consumer configuration doesn't conflict.
+* Reduce configuration sync issues between the control plane and the data planes. Consumers that are managed centrally aren't part of the configuration that is pushed down from the control plane to the data planes, so it reduces config size and latency. 
+
+## How centralized consumer management works
+
+When you create a consumer centrally, you must assign it to a realm. A realm groups consumers around an identity, defined by organizational boundaries, such as a production realm or a development realm. Realms are connected to a [geographic region](/konnect/geo/) in {{site.konnect_short_name}}. Centrally managed consumers exist outside of control planes, so they can be used across control planes.
+
+## Create consumers and realms 
+
+You can manage consumers centrally using the {{site.konnect_short_name}} API. Only Org Admins and Control Plane Admins have CRUD permissions for these consumers. 
+
+{:.important}
+> Centralized consumer management is only available for {{site.base_gateway}} 3.10 data planes. Make sure your control plane uses 3.10 data planes at minimum when configuring these consumers.
+
+1. Use the `/realms` endpoint to create a realm and optionally associate it with allowed control planes and time-to-live values:
+   ```
+   curl -X POST \
+   https://{region}.api.konghq.com/v1/realms \
+   -H "Content-Type: application/json" \
+   -H "Authorization: Bearer $KONNECT_TOKEN" \
+   -d '{
+        "name": "prod",
+        "allowed_control_planes": [
+            "$CONTROL_PLANE_UUID"
+        ],
+        "ttl": 10,
+        "negative_ttl": 10,
+        "consumer_groups": [
+            "$CONSUMER_GROUP"
+        ]
+    }'
+   ```
+   Save the ID of the realm.
+
+   Be sure to replace the following with your own values:
+   * `{region}`: Region for your {{site.konnect_short_name}} instance. Data planes can only reach out to realms in the same region as the data plane.
+   * `$KONNECT_TOKEN`: Replace with your {{site.konnect_short_name}} personal access token.
+   * `$CONTROL_PLANE_UUID`: (Optional) Replace with your control plane UUID.
+   * `ttl`: (Optional) 'ttl' is the time-to-live (TTL) in minutes of the consumer for this realm in the {{site.base_gateway}} cache.
+   * `negative_ttl`: (Optional) Represents the TTL of a bad login cache entry.
+   * `$CONSUMER_GROUP`: (Optional) Replace with the name of the consumer groups you want to associate with the realm.
+1. Use the `/realms/{realmId}/consumers` endpoint to create a centrally managed consumer and optionally assign it to a consumer group:
+   ```sh
+   curl -X POST \
+   https://{region}.api.konghq.com/v1/realms/{realmId}/consumers \
+   -H "Content-Type: application/json" \
+   -H "Authorization: Bearer TOKEN" \
+   -d '{
+         "username": "$CONSUMER_NAME",
+         "consumer_groups": ["$CONSUMER_GROUP"]
+       }'
+   ```
+   Save the ID of the consumer.
+
+   Be sure to replace the following with your own values:
+   * `{region}`: Region for your {{site.konnect_short_name}} instance. Data planes can only reach out to realms in the same region as the data plane.
+   * `$KONNECT_TOKEN`: Replace with your {{site.konnect_short_name}} personal access token.
+   * `{realmId}`: The ID of the realm you created previously. 
+   * `$CONSUMER_NAME`: Replace with the name of the consumer.
+   * `$CONSUMER_GROUP`: (Optional) Replace with the name of the consumer groups you want to associate with the consumer. Consumer groups set here are additive. This means that if you configure the realm with consumer groups A and B, and then configure the consumer with consumer group C, the authenticated consumer will be assigned to consumer groups A, B, and C.
+1. Configure authentication keys for consumers:
+   ```sh
+   curl -X POST \
+   https://{region}.api.konghq.com/v1/realms/{realmId}/consumers/{consumerId}/keys \
+   -H "Content-Type: application/json" \
+   -H "Authorization: Bearer TOKEN" \
+   -d '{
+        "type": "new"
+       }'
+   ```
+   Be sure to replace the following with your own values:
+   * `{region}`: Region for your {{site.konnect_short_name}} instance. Data planes can only reach out to realms in the same region as the data plane.
+   * `$KONNECT_TOKEN`: Replace with your {{site.konnect_short_name}} personal access token.
+   * `{realmId}`: The ID of the realm you created previously.
+   * `{consumerId}`: The ID of the consumer you created previously.
+
+1. Consumers require authentication. Configure authentication using the [Key Auth plugin](/hub/kong-inc/key-auth/how-to/).
+
+   `identity_realms` are scoped to the control plane by default (`scope: cp`). The order in which you configure the `identity_realms` dictates the priority in which the data plane attempts to authenticate the provided API keys:
+
+    * **Realm is listed first:** The data plane will first reach out to the realm. If the API key is not found in the realm, the data plane will look for the API key in the control plane config. 
+    * **Control plane scope listed first:** The data plane will initially check the control plane configuration (LMDB) for the API key before looking up the API Key in the realm.
+    * **Realm only:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the data plane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked.
+    * **Control plane only:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the data plane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked.
+
+{:.note}
+> **Note:** If you are using KIC to manage your data plane nodes in {{site.konnect_short_name}}, ensure that you configure the `telemetry_endpoint` in the data plane. You can find the `telemetry_endpoint` in the {{site.konnect_short_name}} UI in [Gateway Manager](https://cloud.konghq.com/gateway-manager/) in the data plane node instructions.
+
+