To install the Kong Mesh components on Universal / VM / Bare metal, follow the instructions here.
Deploy Self Managed Control Plane on Kubernetes
Install Kong Mesh on your environment and manage the Control plane yourself.
Prerequisites
Create a Kubernetes Kong Mesh control plane
The Kong Mesh control plane and data plane deployments are managed as part of the Kong Mesh Helm charts. You will need a Kubernetes cluster to use this quick start.
Install Kong Mesh
Install Kong Mesh control plane and Kubernetes CRDs with Helm:
helm repo add kong-mesh https://kong.github.io/kong-mesh-charts
helm repo update
helm install --create-namespace --namespace kong-mesh-system kong-mesh kong-mesh/kong-mesh
Deploy the demo application
To start learning how Kong Mesh works, you can use our simple and secure demo application that consists of two services:
- demo-app: A web application that lets you increment a numeric counter. It listens on port 5000
- redis: The data store for the counter
Diagram: demo-app (port 5000) sends requests to redis (port 6379).
Deploy the demo application:
kubectl apply -f https://raw.githubusercontent.com/kumahq/kuma-counter-demo/master/demo.yaml
kubectl wait -n kuma-demo --for=condition=ready pod --selector=app=demo-app --timeout=90s
When using the Konnect managed Control Plane, all changes to the Mesh must be applied using kumactl. You can configure kumactl connectivity by clicking on Actions from the Mesh overview in Konnect Mesh Manager.
Forward ports
Port-forward the demo-app service in the kuma-demo namespace to local port 5000:
kubectl port-forward svc/demo-app -n kuma-demo 5000:5000
Validate
Navigate to 127.0.0.1:5000 in your web browser and increment the counter.
Now that you have your workloads up and running, we can secure them with Mutual TLS.
Introduce zero-trust security
By default, service-to-service traffic in the mesh is not encrypted. You can change this in Kong Mesh by enabling the Mutual TLS (mTLS) policy, which provisions a dynamic Certificate Authority (CA) on the default Mesh. This CA automatically issues TLS certificates to all dataplanes.
To enable mTLS using a built-in CA:
Do not enable mTLS in an environment with existing workloads until you define a MeshTrafficPermission policy. Without it, service-to-service communication will be blocked.
cat <<EOF | kumactl apply -f -
type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: builtin
EOF
After enabling mTLS, service communication will be denied by default. To restore connectivity, apply a fully permissive MeshTrafficPermission policy:
cat <<EOF | kumactl apply -f -
type: MeshTrafficPermission
name: allow-all
mesh: default
spec:
  from:
    - targetRef:
        kind: Mesh
      default:
        action: Allow
EOF
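The warning above and the allow-all policy describe a rollout ordering hazard: once the Mesh selects an mTLS backend, every service-to-service call without a matching MeshTrafficPermission is denied. The following preflight check is an added example, not code from the Kong Mesh docs or project. It represents the two resources on this page as plain Python dicts (constructed here as stand-ins for the YAML you would pipe to kumactl apply) and reports whether enabling mTLS on a Mesh would leave it without any permission policy, and whether enabledBackend actually names a declared backend. The assumption that a MeshTrafficPermission with no mesh field belongs to the default mesh is this example's own.

```python
"""Preflight check for a Kong Mesh / Kuma mTLS rollout (added example)."""


def mtls_enabled(mesh: dict) -> bool:
    """True when the Mesh selects an mTLS backend; traffic then becomes deny-by-default."""
    mtls = mesh.get("mtls") or {}
    return bool(mtls.get("enabledBackend"))


def mtls_backend_defined(mesh: dict) -> bool:
    """True when enabledBackend refers to one of the declared backends.
    A dangling reference is a configuration error, not working encryption."""
    mtls = mesh.get("mtls") or {}
    names = {b.get("name") for b in mtls.get("backends") or []}
    return mtls.get("enabledBackend") in names


def permissions_for_mesh(policies: list, mesh_name: str) -> list:
    """MeshTrafficPermission policies that live in the given mesh.
    Assumption (this example's): a policy without a mesh field is in 'default'."""
    return [p for p in policies
            if p.get("type") == "MeshTrafficPermission"
            and p.get("mesh", "default") == mesh_name]


def allows_everything(policy: dict) -> bool:
    """True for the fully permissive shape shown on this page:
    a `from` entry whose targetRef is the whole Mesh with action Allow."""
    for rule in (policy.get("spec") or {}).get("from") or []:
        target = rule.get("targetRef") or {}
        action = (rule.get("default") or {}).get("action")
        if target.get("kind") == "Mesh" and action == "Allow":
            return True
    return False


def preflight(mesh: dict, policies: list) -> list:
    """Return a list of findings; an empty list means the rollout is safe to apply."""
    findings = []
    name = mesh.get("name", "default")
    if not mtls_enabled(mesh):
        return findings  # plaintext mesh: permissions are not enforced yet
    if not mtls_backend_defined(mesh):
        findings.append(f"mesh {name}: enabledBackend does not match any declared backend")
    perms = permissions_for_mesh(policies, name)
    if not perms:
        findings.append(f"mesh {name}: mTLS enabled but no MeshTrafficPermission; "
                        "all service-to-service traffic will be denied")
    elif not any(allows_everything(p) for p in perms):
        findings.append(f"mesh {name}: no Mesh-wide Allow rule; verify each "
                        "service pair has an explicit permission")
    return findings


# Constructed inputs mirroring the two resources shown on this page.
MESH_MTLS = {"type": "Mesh", "name": "default",
             "mtls": {"enabledBackend": "ca-1",
                      "backends": [{"name": "ca-1", "type": "builtin"}]}}
ALLOW_ALL = {"type": "MeshTrafficPermission", "name": "allow-all", "mesh": "default",
             "spec": {"from": [{"targetRef": {"kind": "Mesh"},
                                "default": {"action": "Allow"}}]}}

if __name__ == "__main__":
    # Enabling mTLS with no permission policy: one finding.
    for finding in preflight(MESH_MTLS, []) or ["ok"]:
        print(finding)
    # Same Mesh once the allow-all policy exists: no findings.
    for finding in preflight(MESH_MTLS, [ALLOW_ALL]) or ["ok"]:
        print(finding)
```

Run the check with the permission policy present before you apply the Mesh change; the same logic works for a restrictive set of per-service MeshTrafficPermission policies, in which case the last finding reminds you to confirm every caller/callee pair is covered.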