From 5b93b2e3315e8d48651a828ed5b39275c5f68030 Mon Sep 17 00:00:00 2001 From: Angel Date: Wed, 8 Apr 2026 12:29:59 -0700 Subject: [PATCH 01/11] fix voice for llms --- app/konnect-platform/audit-logs.md | 2 +- app/konnect-platform/cmek.md | 6 +++--- app/konnect-platform/compatibility.md | 8 ++++---- app/konnect-platform/konnect-labels.md | 2 +- app/konnect-platform/network.md | 6 +++--- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/app/konnect-platform/audit-logs.md b/app/konnect-platform/audit-logs.md index a06e281092..2db18903b2 100644 --- a/app/konnect-platform/audit-logs.md +++ b/app/konnect-platform/audit-logs.md @@ -95,7 +95,7 @@ rows: {% endtable %} -{{site.konnect_short_name}} retains audit logs for 7 days. After the 7 days, they are permanently deleted and can't be recovered. +{{site.konnect_short_name}} retains audit logs for 7 days. After 7 days, {{site.konnect_short_name}} permanently deletes them and you cannot recover them. {:.info} > Dev Portal audit logs don't collect authorization and access events by design. You can view Dev Portal entity creation, edits, and approved state changes from the {{site.konnect_short_name}} audit logs. diff --git a/app/konnect-platform/cmek.md b/app/konnect-platform/cmek.md index 5aaf594d49..bcbb15bfa2 100644 --- a/app/konnect-platform/cmek.md +++ b/app/konnect-platform/cmek.md @@ -63,7 +63,7 @@ To configure CMEK, you need: 1. Provision a new multi-region symmetric key in your AWS account using "Key Managed Service (KMS)". They key should be in the AWS region you intend to use in {{site.konnect_short_name}}. A multi-region key is recommended to replicate the key in multiple regions, which can be used for disaster recovery or compliance purposes. -1. Ensure the following access policy statement is included in your key policy to allow `cc-konnect` role ({{site.konnect_short_name}}) to use your key: +1. Add the following access policy statement to your key policy to allow the `cc-konnect` role ({{site.konnect_short_name}}) to use your key: ```json { "Effect": "Allow", @@ -98,7 +98,7 @@ When you configure CMEK, you are responsible for the following: * **Key rotation**: * AWS KMS takes care of key rotation automatically. - * Manual rotation with a new ARN requires updating the key in {{site.konnect_short_name}}. If the key's ARN changes, data encrypted with the previous key cannot be decrypted in {{site.konnect_short_name}}. + * Manual rotation with a new ARN requires updating the key in {{site.konnect_short_name}}. If the key's ARN changes, {{site.konnect_short_name}} cannot decrypt data encrypted with the previous key. * **Key revocation**: * Revoking or deleting your key in AWS KMS renders associated data permanently unreadable. * **Performance impact**: @@ -118,7 +118,7 @@ See the following sections for information about how to manage CMEK keys. * Rotating keys within AWS KMS (without changing the ARN) is supported automatically. * If you change the ARN, you must update the key in {{site.konnect_short_name}} manually. - * Data encrypted with the previous key cannot be decrypted and will be lost. + * {{site.konnect_short_name}} cannot decrypt data encrypted with the previous key, and that data will be lost. ### Key revocation diff --git a/app/konnect-platform/compatibility.md b/app/konnect-platform/compatibility.md index 95ebe0ce98..9a17e7238f 100644 --- a/app/konnect-platform/compatibility.md +++ b/app/konnect-platform/compatibility.md @@ -30,14 +30,14 @@ faqs: - q: Are the {{site.konnect_short_name}} Control Plane and associated database migrations or upgrades done by Kong Inc.? a: The {{site.base_gateway}} Control Plane and its dependencies are fully managed by {{site.konnect_short_name}}. As new versions of {{site.base_gateway}} are released, {{site.konnect_short_name}} supports them as long as they are under our [active support schedule](/gateway/version-support-policy/). - q: Will {{site.konnect_short_name}} Control Plane upgrades always show incompatible messages on the API Gateway page in {{site.konnect_short_name}} if the Data Plane nodes are not the same version as the {{site.konnect_short_name}} Control Plane? - a: An old configuration may still be 100% compatible with older Data Plane nodes and therefore not show any error messages in the {{site.konnect_short_name}} UI. If there are compatibility issues detected when pushing the payload down to the Data Plane, then this will be reflected in the UI. + a: An old configuration may still be 100% compatible with older Data Plane nodes and therefore not show any error messages in the {{site.konnect_short_name}} UI. If {{site.konnect_short_name}} detects compatibility issues when pushing the payload to the Data Plane, the UI displays them. - q: Will new features be available if the {{site.konnect_short_name}} Control Plane detects incompatible Data Plane nodes? a: | - New features will not be available for use or consumption on incompatible Data Plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the Data Plane that is connected to the Control Plane in {{site.konnect_short_name}}. However, when an update payload is pushed to an incompatible Data Plane, the update will be automatically rejected by the Data Plane. + New features will not be available for use or consumption on incompatible Data Plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the Data Plane that is connected to the Control Plane in {{site.konnect_short_name}}. However, when the Control Plane pushes an update payload to an incompatible Data Plane, the Data Plane automatically rejects the update. - This is managed by a version compatibility layer that checks the payload before the update gets sent to the Data Plane. If there are concerns with the payload, metadata is added to the node. That metadata is what will display incompatibility warnings or errors in the {{site.konnect_short_name}} UI. + A version compatibility layer checks the payload before the Control Plane sends the update to the Data Plane. If the compatibility layer finds concerns with the payload, it adds metadata to the node. {{site.konnect_short_name}} uses that metadata to display incompatibility warnings or errors in the UI. - For example, let's say a parameter is introduced with a new version of a plugin and is available in the {{site.konnect_short_name}} UI. The Data Plane, however, is running an older version of {{site.base_gateway}} and doesn't support the new parameter. If that parameter isn't configured, or is assigned the default value, then no warning or incompatibility metadata will be applied to the node in {{site.konnect_short_name}}, and no warnings or errors will appear. + For example, let's say a parameter is introduced with a new version of a plugin and is available in the {{site.konnect_short_name}} UI. The Data Plane, however, is running an older version of {{site.base_gateway}} and doesn't support the new parameter. If that parameter isn't configured, or is assigned the default value, then {{site.konnect_short_name}} adds no warning or incompatibility metadata to the node, and no warnings or errors appear. - q: Can I continue to use older versions of configurations as the {{site.konnect_short_name}} Control Plane auto-upgrades? a: Yes. All decK dumps, or YAML configurations, will continue to work in {{site.konnect_short_name}} after they are synced. - q: Are there any disruptions if I choose not to upgrade my Data Plane nodes? diff --git a/app/konnect-platform/konnect-labels.md b/app/konnect-platform/konnect-labels.md index 382aaffcfd..089efcf628 100644 --- a/app/konnect-platform/konnect-labels.md +++ b/app/konnect-platform/konnect-labels.md @@ -46,4 +46,4 @@ Each label must follow these requirements: You can use labels separately on the Control Plane and Data Plane nodes: * On the Control Plane, you can set a label for `control plane` and for individual API products. * On Data Plane nodes, set labels through `kong.conf` or via environment variables using the [`cluster_dp_labels`](/gateway/configuration/#cluster-dp-labels) property. -These labels are exposed through the [`/nodes`](/api/konnect/control-planes-config/#/operations/list-dataplane-nodes) endpoint of the {{site.konnect_short_name}} API. \ No newline at end of file +The {{site.konnect_short_name}} API exposes these labels through the [`/nodes`](/api/konnect/control-planes-config/#/operations/list-dataplane-nodes) endpoint. \ No newline at end of file diff --git a/app/konnect-platform/network.md b/app/konnect-platform/network.md index ccfcdf829c..a7a0ca7e48 100644 --- a/app/konnect-platform/network.md +++ b/app/konnect-platform/network.md @@ -46,13 +46,13 @@ faqs: When a Data Plane node receives new configuration from the Control Plane, it immediately loads it into memory and also caches it to disk. The cache location depends on the Gateway version: - * **2.x Gateway** – Configuration is stored in an unencrypted cache file, `config.json.gz`, located in the {{site.base_gateway}} prefix path. - * **3.x Gateway** – Configuration is stored in an unencrypted LMDB database directory, `dbless.lmdb`, also in the {{site.base_gateway}} prefix path. + * **2.x Gateway** – The Data Plane node stores the configuration in an unencrypted cache file, `config.json.gz`, in the {{site.base_gateway}} prefix path. + * **3.x Gateway** – The Data Plane node stores the configuration in an unencrypted LMDB database directory, `dbless.lmdb`, also in the {{site.base_gateway}} prefix path. - q: What happens if the Control Plane and Data Plane nodes disconnect? a: | Data plane nodes use the cached configuration until they can reconnect. Once reconnected, the Control Plane sends the latest configuration. - It does not queue or replay any older configuration changes. + The Control Plane does not queue or replay any older configuration changes. - q: Can I restart a Data Plane node if the Control Plane is down or disconnected? a: | Yes. Restarting a Data Plane node will load its cached configuration and resume normal function. From 062da1525b6f3cae19ddcc3037b346bd43b959f8 Mon Sep 17 00:00:00 2001 From: Angel Date: Wed, 8 Apr 2026 12:35:06 -0700 Subject: [PATCH 02/11] more --- app/konnect-platform/geos.md | 2 +- app/konnect-platform/search.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/app/konnect-platform/geos.md b/app/konnect-platform/geos.md index 8fbdf54e69..379a023888 100644 --- a/app/konnect-platform/geos.md +++ b/app/konnect-platform/geos.md @@ -25,7 +25,7 @@ related_resources: {{site.konnect_short_name}} allows you to host and operate your cloud instance in a geographic region that you specify. This is important for data privacy and regulatory compliance for you organization. -Geographic regions allow you to also operate {{site.konnect_short_name}} in a similar geo to your users and their infrastructure applications. +Geographic regions allow you to operate {{site.konnect_short_name}} in the same region as your users and their infrastructure. ## Geo-specific objects diff --git a/app/konnect-platform/search.md b/app/konnect-platform/search.md index 17e776298b..f3df2a901e 100644 --- a/app/konnect-platform/search.md +++ b/app/konnect-platform/search.md @@ -21,7 +21,7 @@ related_resources: url: /api/konnect/ksearch/ --- -{{site.konnect_short_name}} Search allows to search across all {{site.konnect_short_name}} entities within an organization using simple keywords as well as precise query syntax.. +{{site.konnect_short_name}} Search allows to search across all {{site.konnect_short_name}} entities within an organization using keyword matching as well as advanced query syntax. You can access search using the search bar (_Command+K_ or _Control+K_) at the top of every page in {{site.konnect_short_name}} or using the [{{site.konnect_short_name}} Search API](/api/konnect/ksearch/). The {{site.konnect_short_name}} Search, by default, searches for both global and regional entities (with regional-awareness for the [currently selected region](/konnect-platform/geos/)). This ensures that returned entities are relevant to their geographical location. By default, every search performs: @@ -65,7 +65,7 @@ In this example, the query syntax is made up of the following components: * Selectors: `type`, `label`, and `name`. They define what you are searching by. * Entity type: `team`. These define what {{site.konnect_short_name}} entity you want to search for. * Logical operator: `AND NOT` and `AND`. These are used to combine multiple criteria in a query. -* Wildcard: `*` to denote any a suffix match. +* Wildcard: `*` to denote a suffix match. * Search values: `eng` and `_qa`. These are the values that the search service is matching for. ### Entity types From a06f2407715ee02d0c0452c0e3ade0f7262c9985 Mon Sep 17 00:00:00 2001 From: Angel Date: Wed, 8 Apr 2026 13:08:33 -0700 Subject: [PATCH 03/11] mesh geos --- app/konnect-platform/network.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/konnect-platform/network.md b/app/konnect-platform/network.md index a7a0ca7e48..aab95fdc49 100644 --- a/app/konnect-platform/network.md +++ b/app/konnect-platform/network.md @@ -157,7 +157,7 @@ rows: ## Mesh hostnames in {{site.konnect_short_name}} -If you use {{site.konnect_short_name}} to manage your service mesh, you must add the `{geo}.mesh.sync.konghq.com:443` hostname to your firewall allowlist. The geo can be `au`, `eu`, `us`, or `global`. +If you use {{site.konnect_short_name}} to manage your service mesh, you must add the `{geo}.mesh.sync.konghq.com:443` hostname to your firewall allowlist. The geo can be `au`, `eu`, `me`, `in`, `sg`, `us`, or `global`. ## Specify IP addresses that can connect to {{site.konnect_short_name}} From df5dcabfcc1df80d1b753e085d679208bc76893d Mon Sep 17 00:00:00 2001 From: Angel Date: Wed, 8 Apr 2026 13:19:45 -0700 Subject: [PATCH 04/11] more fixes --- .../konnect-platform/konnect-reference-platform.md | 8 ++++---- .../konnect-platform/recover-konnect-org-audit-logs.md | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/app/_how-tos/konnect-platform/konnect-reference-platform.md b/app/_how-tos/konnect-platform/konnect-reference-platform.md index 4098d8345e..15a5fb43b7 100644 --- a/app/_how-tos/konnect-platform/konnect-reference-platform.md +++ b/app/_how-tos/konnect-platform/konnect-reference-platform.md @@ -61,7 +61,7 @@ prereqs: on your development machine to run the web app. - title: Operating system compatibility content: | - These instructions are specific to *nix style operating systems. For MS Windows, the user will need to + These instructions are specific to *nix style operating systems. For MS Windows, you will need to make adjustments to commands and instructions. automated_tests: false @@ -83,7 +83,7 @@ Create (if necessary) a new {{site.konnect_short_name}} Organization and [sign i ## Authorize the {{site.konnect_short_name}} Orchestrator to {{site.konnect_short_name}} The {{site.konnect_short_name}} Orchestrator (aka "orchestrator" or `koctl`) provides commands you can use to -setup the reference platform in your own engineering environment. `koctl` is also ran within the [APIOps workflows](/konnect-reference-platform/apiops) +setup the reference platform in your own engineering environment. `koctl` also runs within the [APIOps workflows](/konnect-reference-platform/apiops) and creates and manages resource configurations within your {{site.konnect_short_name}} Organization via APIs. In order to authorize the tool, use the following steps to create a system account with [Organization Admin](/konnect-platform/teams-and-roles/#predefined-teams) permissions: @@ -114,7 +114,7 @@ The orchestrator requires specific access to the `platform` repository in order In order to authorize the orchestrator, you need to create a GitHub access token with the proper permissions. 1. From the GitHub web console, navigate to your profile menu, then _Settings -> Developer Settings -> Personal access tokens_ -1. Create a new _Fine-grained token_ and give the token a name that indicates it's relationship to the orchestrator (e.g. `platform-konnect-orchestrator`) +1. Create a new _Fine-grained token_ and give the token a name that indicates its relationship to the orchestrator (e.g. `platform-konnect-orchestrator`) 1. Select the GitHub organization that owns the `platform` repository you created in the previous step and set appropriate token expiration 1. Under _Repository access_, choose _Only select repositories_ and choose the `platform` repository. 1. Under _Repository permissions_, select all of the following permissions: @@ -188,7 +188,7 @@ including a link directly to the PR. The PR will have the following title: `[Kon Open the PR in the GitHub web console and review the changes. Once satisfied with the changes, merge the PR into the `main` branch of the repository. -You have now added your {{site.konnect_short_name}} to the `platform` repository and the APIOps workflows will initiate +You have now added your {{site.konnect_short_name}} Organization to the `platform` repository and the APIOps workflows will initiate the necessary steps to prepare your {{site.konnect_short_name}} Organization for use with the reference platform. ## Create a {{site.konnect_short_name}} Orchestrator GitHub OAuth application diff --git a/app/_how-tos/konnect-platform/recover-konnect-org-audit-logs.md b/app/_how-tos/konnect-platform/recover-konnect-org-audit-logs.md index 20e52c7f05..f855141bd8 100644 --- a/app/_how-tos/konnect-platform/recover-konnect-org-audit-logs.md +++ b/app/_how-tos/konnect-platform/recover-konnect-org-audit-logs.md @@ -51,7 +51,7 @@ prereqs: 1. On the Webhook Destination tab, click **New Webhook**. 1. In the **Name** field, enter `SumoLogic`. 1. In the **Endpoint** field, enter your external endpoint that will receive audit log messages. For example: `https://endpoint4.collection.sumologic.com/receiver/v1/http/1234abcd`. - 1. In the **Authorization Header** field, enter the access token from you SIEM. + 1. In the **Authorization Header** field, enter the access token from your SIEM. {{site.konnect_short_name}} will send this string in the `Authorization` header of requests to that endpoint. 1. From the **Log Format** dropdown menu, select "cef". 1. (Optional) Click **Disable SSL Verification** to disable SSL verification of the host endpoint when delivering payloads. @@ -60,7 +60,7 @@ prereqs: > We only recommend disabling SSL verification when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks. 1. Click the **Konnect** tab. 1. Navigate to the region you want to configure the webhook for. - 1. Click **Disabled**. + 1. Click **Disabled** to enable log delivery for this region. 1. From the **Endpoint** dropdown menu, select your SIEM endpoint. 1. Click **Save**. @@ -74,7 +74,7 @@ prereqs: {% endkonnect_api_request %} - This triggers a log in SumoLogic. Sometimes it can take a minute to populate the logs. + This triggers a log in SumoLogic. Logs may take up to one minute to appear. cleanup: inline: From 011447d190d358df37b76a5e2a284f64dfae76ab Mon Sep 17 00:00:00 2001 From: Angel Date: Wed, 8 Apr 2026 13:24:40 -0700 Subject: [PATCH 05/11] more fixes --- app/_how-tos/konnect-platform/kongctl-get-started.md | 3 +-- app/konnect-platform/account.md | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/app/_how-tos/konnect-platform/kongctl-get-started.md b/app/_how-tos/konnect-platform/kongctl-get-started.md index ebdf182b5d..bccef2ad5a 100644 --- a/app/_how-tos/konnect-platform/kongctl-get-started.md +++ b/app/_how-tos/konnect-platform/kongctl-get-started.md @@ -87,8 +87,7 @@ For example, list all Dev Portals in your organization: kongctl get portals ``` -If you are using a new account, you should see an empty response, otherwise the Dev Portals you have access to -will be displayed. +If you are using a new account, you should see an empty response, otherwise {{site.konnect_short_name}} displays the Dev Portals you have access to. kongctl commands support different output formats, including `json`, `yaml`, or `text`. The same `get` command will output the data in `json` format if you run the following: diff --git a/app/konnect-platform/account.md b/app/konnect-platform/account.md index 9a6a00c958..c3edec2a9e 100644 --- a/app/konnect-platform/account.md +++ b/app/konnect-platform/account.md @@ -59,7 +59,7 @@ faqs: If you have registered data plane nodes, they won't be stopped by {{site.konnect_short_name}}. They will no longer proxy data, but the - nodes will keep running until manually stop them. + nodes will keep running until you manually stop them. - q: How do I deactivate or reactivate an org? a: | Contact Kong Support by navigating to the **?** icon on the top right menu and clicking **Create support case** or from the [Kong Support portal](https://support.konghq.com) to do any of the following: @@ -104,7 +104,7 @@ faqs: {{site.konnect_short_name}} offers [two plans](https://konghq.com/pricing). -* **{{site.konnect_short_name}} Plus**: {{site.konnect_short_name}} Plus is the simplest way to get started with {{site.konnect_short_name}}, allowing you to only pay for the services you consume. New accounts are automatically given a month of free credits as part of 30-day trial. You can claim your Konnect Plus credits by [signing up](https://konghq.com/products/kong-konnect/register). +* **{{site.konnect_short_name}} Plus**: {{site.konnect_short_name}} Plus is the simplest way to get started with {{site.konnect_short_name}}, allowing you to only pay for the services you consume. New accounts are automatically given a month of free credits as part of a 30-day trial. You can claim your {{site.konnect_short_name}} Plus credits by [signing up](https://konghq.com/products/kong-konnect/register). * **{{site.konnect_short_name}} Enterprise**: {{site.konnect_short_name}} Enterprise is our contract-based option that includes 24x7x365 support and professional services access to help you build and maintain your own custom environment. Learn more about enterprise on our [pricing page](https://konghq.com/pricing). From 086a4b8052fb24f1847f16cf87bd3f1231196d5a Mon Sep 17 00:00:00 2001 From: Angel Date: Wed, 8 Apr 2026 13:26:50 -0700 Subject: [PATCH 06/11] date --- app/konnect-platform/kai-changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/konnect-platform/kai-changelog.md b/app/konnect-platform/kai-changelog.md index 23551d9fb0..b881385733 100644 --- a/app/konnect-platform/kai-changelog.md +++ b/app/konnect-platform/kai-changelog.md @@ -26,7 +26,7 @@ related_resources: Changelog for KAi. -## Week of 2026-01-xx +## Week of 2026-01-01 * Beta trial is available for Enterprise accounts in [{{site.konnect_short_name}} Labs](https://cloud.konghq.com/global/organization/labs). From 7123ec4c3a29f8362b23e3fe74fd1cc714f90876 Mon Sep 17 00:00:00 2001 From: Angel Date: Wed, 8 Apr 2026 14:02:26 -0700 Subject: [PATCH 07/11] Update app/konnect-platform/cmek.md Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- app/konnect-platform/cmek.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/app/konnect-platform/cmek.md b/app/konnect-platform/cmek.md index bcbb15bfa2..eded6cfa7b 100644 --- a/app/konnect-platform/cmek.md +++ b/app/konnect-platform/cmek.md @@ -80,7 +80,23 @@ To configure CMEK, you need: ], "Resource": "*" } -``` + ```json + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::333402130851:role/cc-konnect" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GetKeyRotationStatus", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + } + ``` 3. Ensure the multi-region key is replicated to all AWS regions that make up a [{{site.konnect_short_name}} region](/konnect-platform/geos/). {% include_cached /konnect/cmek-region-mapping.md %} From 7187abb5e18d8618520b3f560a05b8b2229b73e2 Mon Sep 17 00:00:00 2001 From: Angel Date: Thu, 9 Apr 2026 14:24:57 -0700 Subject: [PATCH 08/11] Apply suggestions from code review Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- app/konnect-platform/compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/konnect-platform/compatibility.md b/app/konnect-platform/compatibility.md index 9a17e7238f..53e7178bb1 100644 --- a/app/konnect-platform/compatibility.md +++ b/app/konnect-platform/compatibility.md @@ -35,7 +35,7 @@ faqs: a: | New features will not be available for use or consumption on incompatible Data Plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the Data Plane that is connected to the Control Plane in {{site.konnect_short_name}}. However, when the Control Plane pushes an update payload to an incompatible Data Plane, the Data Plane automatically rejects the update. - A version compatibility layer checks the payload before the Control Plane sends the update to the Data Plane. If the compatibility layer finds concerns with the payload, it adds metadata to the node. {{site.konnect_short_name}} uses that metadata to display incompatibility warnings or errors in the UI. + A version compatibility layer checks the payload before the control plane sends the update to the data plane. If the compatibility layer finds concerns with the payload, it adds metadata to the node. {{site.konnect_short_name}} uses that metadata to display incompatibility warnings or errors in the UI. For example, let's say a parameter is introduced with a new version of a plugin and is available in the {{site.konnect_short_name}} UI. The Data Plane, however, is running an older version of {{site.base_gateway}} and doesn't support the new parameter. If that parameter isn't configured, or is assigned the default value, then {{site.konnect_short_name}} adds no warning or incompatibility metadata to the node, and no warnings or errors appear. - q: Can I continue to use older versions of configurations as the {{site.konnect_short_name}} Control Plane auto-upgrades? From 90ed8671310997201286206683d9967aa755020a Mon Sep 17 00:00:00 2001 From: Angel Date: Thu, 9 Apr 2026 14:25:12 -0700 Subject: [PATCH 09/11] Apply suggestions from code review Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- app/konnect-platform/compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/konnect-platform/compatibility.md b/app/konnect-platform/compatibility.md index 53e7178bb1..fc079e4b5b 100644 --- a/app/konnect-platform/compatibility.md +++ b/app/konnect-platform/compatibility.md @@ -33,7 +33,7 @@ faqs: a: An old configuration may still be 100% compatible with older Data Plane nodes and therefore not show any error messages in the {{site.konnect_short_name}} UI. If {{site.konnect_short_name}} detects compatibility issues when pushing the payload to the Data Plane, the UI displays them. - q: Will new features be available if the {{site.konnect_short_name}} Control Plane detects incompatible Data Plane nodes? a: | - New features will not be available for use or consumption on incompatible Data Plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the Data Plane that is connected to the Control Plane in {{site.konnect_short_name}}. However, when the Control Plane pushes an update payload to an incompatible Data Plane, the Data Plane automatically rejects the update. + New features will not be available for use or consumption on incompatible data plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the data plane that is connected to the control plane in {{site.konnect_short_name}}. However, when the control plane pushes an update payload to an incompatible data plane, the data plane automatically rejects the update. A version compatibility layer checks the payload before the control plane sends the update to the data plane. If the compatibility layer finds concerns with the payload, it adds metadata to the node. {{site.konnect_short_name}} uses that metadata to display incompatibility warnings or errors in the UI. From 4aaab27f55a45e574c1727ebab777aeafd76b191 Mon Sep 17 00:00:00 2001 From: Angel Date: Thu, 9 Apr 2026 14:31:35 -0700 Subject: [PATCH 10/11] cp dp lowercase --- app/konnect-platform/compatibility.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/app/konnect-platform/compatibility.md b/app/konnect-platform/compatibility.md index fc079e4b5b..f1bf9e382b 100644 --- a/app/konnect-platform/compatibility.md +++ b/app/konnect-platform/compatibility.md @@ -27,21 +27,21 @@ related_resources: url: /plugins/ faqs: - - q: Are the {{site.konnect_short_name}} Control Plane and associated database migrations or upgrades done by Kong Inc.? - a: The {{site.base_gateway}} Control Plane and its dependencies are fully managed by {{site.konnect_short_name}}. As new versions of {{site.base_gateway}} are released, {{site.konnect_short_name}} supports them as long as they are under our [active support schedule](/gateway/version-support-policy/). - - q: Will {{site.konnect_short_name}} Control Plane upgrades always show incompatible messages on the API Gateway page in {{site.konnect_short_name}} if the Data Plane nodes are not the same version as the {{site.konnect_short_name}} Control Plane? - a: An old configuration may still be 100% compatible with older Data Plane nodes and therefore not show any error messages in the {{site.konnect_short_name}} UI. If {{site.konnect_short_name}} detects compatibility issues when pushing the payload to the Data Plane, the UI displays them. - - q: Will new features be available if the {{site.konnect_short_name}} Control Plane detects incompatible Data Plane nodes? + - q: Are the {{site.konnect_short_name}} control plane and associated database migrations or upgrades done by Kong Inc.? + a: The {{site.base_gateway}} control plane and its dependencies are fully managed by {{site.konnect_short_name}}. As new versions of {{site.base_gateway}} are released, {{site.konnect_short_name}} supports them as long as they are under our [active support schedule](/gateway/version-support-policy/). + - q: Will {{site.konnect_short_name}} control plane upgrades always show incompatible messages on the API Gateway page in {{site.konnect_short_name}} if the data plane nodes are not the same version as the {{site.konnect_short_name}} control plane? + a: An old configuration may still be 100% compatible with older data plane nodes and therefore not show any error messages in the {{site.konnect_short_name}} UI. If {{site.konnect_short_name}} detects compatibility issues when pushing the payload to the data plane, the UI displays them. + - q: Will new features be available if the {{site.konnect_short_name}} control plane detects incompatible data plane nodes? a: | New features will not be available for use or consumption on incompatible data plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the data plane that is connected to the control plane in {{site.konnect_short_name}}. However, when the control plane pushes an update payload to an incompatible data plane, the data plane automatically rejects the update. A version compatibility layer checks the payload before the control plane sends the update to the data plane. If the compatibility layer finds concerns with the payload, it adds metadata to the node. {{site.konnect_short_name}} uses that metadata to display incompatibility warnings or errors in the UI. - For example, let's say a parameter is introduced with a new version of a plugin and is available in the {{site.konnect_short_name}} UI. The Data Plane, however, is running an older version of {{site.base_gateway}} and doesn't support the new parameter. If that parameter isn't configured, or is assigned the default value, then {{site.konnect_short_name}} adds no warning or incompatibility metadata to the node, and no warnings or errors appear. - - q: Can I continue to use older versions of configurations as the {{site.konnect_short_name}} Control Plane auto-upgrades? + For example, let's say a parameter is introduced with a new version of a plugin and is available in the {{site.konnect_short_name}} UI. The data plane, however, is running an older version of {{site.base_gateway}} and doesn't support the new parameter. If that parameter isn't configured, or is assigned the default value, then {{site.konnect_short_name}} adds no warning or incompatibility metadata to the node, and no warnings or errors appear. + - q: Can I continue to use older versions of configurations as the {{site.konnect_short_name}} control plane auto-upgrades? a: Yes. All decK dumps, or YAML configurations, will continue to work in {{site.konnect_short_name}} after they are synced. - - q: Are there any disruptions if I choose not to upgrade my Data Plane nodes? - a: There is **no** disruption at all if you choose **not** to upgrade your Data Plane nodes as long as the version of the Data Plane is under our [{{site.base_gateway}} active support timeline](/konnect-platform/compatibility/#kong-gateway-version-compatibility). + - q: Are there any disruptions if I choose not to upgrade my data plane nodes? + a: There is **no** disruption at all if you choose **not** to upgrade your data plane nodes as long as the version of the data plane is under our [{{site.base_gateway}} active support timeline](/konnect-platform/compatibility/#kong-gateway-version-compatibility). - q: How can I create a support case in {{site.konnect_short_name}}? a: | If you're an org admin with an Enterprise account and a [Kong Support portal](https://support.konghq.com/support/s/) account, you can create a support case in {{site.konnect_short_name}} by navigating to the **?** icon on the top right menu and clicking **Create support case**. From ef1dd21250e969219f48940381fdf9f7fd2af578 Mon Sep 17 00:00:00 2001 From: Angel Date: Fri, 17 Apr 2026 16:52:08 -0400 Subject: [PATCH 11/11] remove duplicates --- app/konnect-platform/cmek.md | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/app/konnect-platform/cmek.md b/app/konnect-platform/cmek.md index eded6cfa7b..e25b75f319 100644 --- a/app/konnect-platform/cmek.md +++ b/app/konnect-platform/cmek.md @@ -64,22 +64,7 @@ To configure CMEK, you need: 1. Provision a new multi-region symmetric key in your AWS account using "Key Managed Service (KMS)". They key should be in the AWS region you intend to use in {{site.konnect_short_name}}. A multi-region key is recommended to replicate the key in multiple regions, which can be used for disaster recovery or compliance purposes. 1. Add the following access policy statement to your key policy to allow the `cc-konnect` role ({{site.konnect_short_name}}) to use your key: -```json -{ - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::333402130851:role/cc-konnect" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GetKeyRotationStatus", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ], - "Resource": "*" -} + ```json { "Effect": "Allow", @@ -98,7 +83,7 @@ To configure CMEK, you need: } ``` -3. Ensure the multi-region key is replicated to all AWS regions that make up a [{{site.konnect_short_name}} region](/konnect-platform/geos/). +1. Ensure the multi-region key is replicated to all AWS regions that make up a [{{site.konnect_short_name}} region](/konnect-platform/geos/). {% include_cached /konnect/cmek-region-mapping.md %} ### Configure CMEK in {{site.konnect_short_name}}