Kong Gateway as a delegated gateway with Kong Mesh
Enable the Gateway API, install Kong Ingress Controller, enable sidecar injection on the namespace associated with KIC, and restart the KIC and Kong Gateway pods. Make sure that your mesh is configured to allow external traffic using a MeshTrafficPermission policy.
Prerequisites
A running Kubernetes cluster with LoadBalancer support
This guide requires a running Kubernetes cluster that supports the LoadBalancer service type. If you already have a Kubernetes cluster running, you can skip this step.
It can be a cluster running locally, like Docker, or in a public cloud like AWS EKS, GCP GKE, etc.
Install Kong Mesh with demo configuration
-
Install Kong Mesh:
helm upgrade \ --install \ --create-namespace \ --namespace kong-mesh-system \ kong-mesh kong-mesh/kong-mesh kubectl wait -n kong-mesh-system --for=condition=ready pod --selector=app=kong-mesh-control-plane --timeout=90sCopied! -
Apply the demo configuration:
echo " apiVersion: v1 kind: Namespace metadata: labels: kuma.io/sidecar-injection: enabled name: kong-mesh-demo --- apiVersion: v1 kind: Service metadata: name: demo-app namespace: kong-mesh-demo spec: ports: - appProtocol: http port: 5050 protocol: TCP targetPort: 5050 selector: app: demo-app --- apiVersion: v1 kind: Service metadata: name: demo-app-v1 namespace: kong-mesh-demo spec: ports: - appProtocol: http port: 5050 protocol: TCP targetPort: 5050 selector: app: demo-app version: v1 --- apiVersion: v1 kind: Service metadata: name: demo-app-v2 namespace: kong-mesh-demo spec: ports: - appProtocol: http port: 5050 protocol: TCP targetPort: 5050 selector: app: demo-app version: v2 --- apiVersion: v1 kind: Service metadata: name: kv namespace: kong-mesh-demo spec: ports: - appProtocol: http port: 5050 protocol: TCP targetPort: 5050 selector: app: kv --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: demo-app version: v1 name: demo-app namespace: kong-mesh-demo spec: replicas: 1 selector: matchLabels: app: demo-app version: v1 template: metadata: labels: app: demo-app version: v1 spec: containers: - env: - name: OTEL_SERVICE_NAME value: demo-app - name: OTEL_EXPORTER_OTLP_ENDPOINT value: http://opentelemetry-collector.mesh-observability:4317 - name: KV_URL value: http://kv.kong-mesh-demo.svc.cluster.local:5050 - name: APP_VERSION valueFrom: fieldRef: fieldPath: metadata.labels['version'] image: ghcr.io/kumahq/kuma-counter-demo:latest@sha256:daf8f5cffa10b576ff845be84e4e3bd5a8a6470c7e66293c5e03a148f08ac148 name: app ports: - containerPort: 5050 name: http --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: demo-app version: v2 name: demo-app-v2 namespace: kong-mesh-demo spec: replicas: 0 selector: matchLabels: app: demo-app version: v2 template: metadata: labels: app: demo-app version: v2 spec: containers: - env: - name: OTEL_SERVICE_NAME value: demo-app - name: OTEL_EXPORTER_OTLP_ENDPOINT value: http://opentelemetry-collector.mesh-observability:4317 - name: KV_URL value: http://kv.kong-mesh-demo.svc.cluster.local:5050 - name: APP_VERSION valueFrom: fieldRef: fieldPath: metadata.labels['version'] image: ghcr.io/kumahq/kuma-counter-demo:latest@sha256:daf8f5cffa10b576ff845be84e4e3bd5a8a6470c7e66293c5e03a148f08ac148 name: demo-app ports: - containerPort: 5050 name: http --- apiVersion: apps/v1 kind: Deployment metadata: name: kv namespace: kong-mesh-demo spec: replicas: 1 selector: matchLabels: app: kv template: metadata: labels: app: kv spec: containers: - env: - name: OTEL_SERVICE_NAME value: kv - name: OTEL_EXPORTER_OTLP_ENDPOINT value: http://opentelemetry-collector.mesh-observability:4317 - name: APP_VERSION valueFrom: fieldRef: fieldPath: metadata.labels['version'] image: ghcr.io/kumahq/kuma-counter-demo:latest@sha256:daf8f5cffa10b576ff845be84e4e3bd5a8a6470c7e66293c5e03a148f08ac148 name: app ports: - containerPort: 5050 name: http --- apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: default spec: meshServices: mode: Exclusive mtls: backends: - name: ca-1 type: builtin enabledBackend: ca-1 --- apiVersion: kuma.io/v1alpha1 kind: MeshTrafficPermission metadata: name: kv namespace: kong-mesh-demo spec: from: - default: action: Allow targetRef: kind: MeshSubset tags: app: demo-app k8s.kuma.io/namespace: kong-mesh-demo targetRef: kind: Dataplane labels: app: kv" | kubectl apply -f -Copied!
Enable the Gateway API
In this example, we’ll use Kong Ingress Controller to manage Kong Gateway. Before installing KIC, we need to enable the Kubernetes Gateway API.
-
Install the Gateway API CRDs:
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yamlCopied! -
Create a
GatewayandGatewayClassinstance to use:echo " apiVersion: v1 kind: Namespace metadata: name: kong --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: kong annotations: konghq.com/gatewayclass-unmanaged: 'true' spec: controllerName: konghq.com/kic-gateway-controller --- apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: kong spec: gatewayClassName: kong listeners: - name: proxy port: 80 protocol: HTTP allowedRoutes: namespaces: from: All " | kubectl apply -n kong -f -Copied!
Install Kong Ingress Controller
Use the following command to install Kong Ingress Controller in a new kong namespace:
helm install kong kong/ingress -n kong --create-namespace
Enable sidecar injection
Since Kong Ingress Controller is installed outside of the mesh, we need to enable sidecar injection.
-
Add the sidecar injection label to the
kongnamespace:kubectl label namespace kong kuma.io/sidecar-injection=enabledCopied! -
Restart the Kong Ingress Controller and Kong Gateway pods:
kubectl rollout restart -n kong deployment kong-gateway kong-controller kubectl wait -n kong --for=condition=ready pod --selector=app=kong-gateway --timeout=90sCopied! -
Check the pods’ information:
kubectl get pods -n kongCopied!You should see two containers for each pod, one for the application and one for the sidecar:
NAME READY STATUS RESTARTS AGE kong-controller-78d5486d98-7wqm6 2/2 Running 1 (46s ago) 49s kong-gateway-5d697cd486-4h55p 2/2 Running 0 49sCopied! -
Export the gateway’s public URL to your environment:
export PROXY_IP=$(kubectl get svc -n kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}') echo $PROXY_IPCopied!
Add a Route
Use the HTTPRoute resource to add a Route to your gateway:
echo "apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: demo-app
namespace: kong-mesh-demo
spec:
parentRefs:
- name: kong
namespace: kong
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: demo-app
namespace: kong-mesh-demo
kind: Service
port: 5050 " | kubectl apply -f -
Add a MeshTrafficPermission policy
The demo configuration we set in the prerequisites applies restrictive permissions, so the gateway can’t access the demo service. We need to add a MeshTrafficPermission policy to allow traffic from the kong namespace:
echo "apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
namespace: kong-mesh-demo
name: demo-app
spec:
targetRef:
kind: Dataplane
labels:
app: demo-app
from:
- targetRef:
kind: MeshSubset
tags:
app.kubernetes.io/name: gateway
k8s.kuma.io/namespace: kong
default:
action: Allow" | kubectl apply -f -
Validate
Send a request to the proxy URL:
curl -i -X POST "$PROXY_IP/api/counter" \
--no-progress-meter --fail-with-body
You should get the following response:
{
"counter": 1,
"zone": ""
}
If you get an
RBAC: access deniederror, you may need to wait for the configuration to be applied. Wait a few seconds and try again.