Deploy Kong Mesh on Kubernetes

Uses: Kong Mesh
Incompatible with: Konnect
Minimum version: Kong Mesh 2.10
TL;DR

Install the Kong Mesh control plane with Helm, deploy a demo application, enable mTLS to encrypt service-to-service traffic, and apply a MeshTrafficPermission policy to allow traffic between the demo services.

Prerequisites

You will need Helm, a package manager for Kubernetes.

This guide requires a running Kubernetes cluster. If you already have one, you can skip this step. It can be a cluster running locally (for example with minikube) or in a public cloud such as AWS EKS or GCP GKE.

For example, if you are using minikube:

minikube start -p mesh-zone

To start learning how Kong Mesh works, run and secure a simple demo application that consists of two services:

  • demo-app: a web application that lets you increment a numeric counter and listens on port 5000.
  • redis: data store for the counter.
 
Traffic flow: demo-app (:5000) --> redis (:6379)

Install Kong Mesh

Install the Kong Mesh control plane with Helm:

helm repo add kong-mesh https://kong.github.io/kong-mesh-charts
helm repo update
helm install --create-namespace --namespace kong-mesh-system kong-mesh kong-mesh/kong-mesh

Deploy the demo application

  1. Deploy the demo application:

    kubectl apply -f https://raw.githubusercontent.com/kumahq/kuma-counter-demo/master/demo.yaml
  2. Wait for the demo-app pod to be ready:

    kubectl wait -n kuma-demo --for=condition=ready pod --selector=app=demo-app --timeout=90s
  3. Port-forward the demo-app service in the kuma-demo namespace to your local port 5000:

    kubectl port-forward svc/demo-app -n kuma-demo 5000:5000
  4. In a browser, go to http://127.0.0.1:5000 and increment the counter.

Explore the user interface

Kong Mesh ships with a read-only UI that you can use to view the sidecar proxies connected to the control plane and retrieve Kong Mesh resources. By default, the UI listens on the API port 5681.

  1. In a new terminal, port-forward the API service:

    kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
  2. In a browser, go to http://127.0.0.1:5681/gui.

For more details, see Interacting with the Kong Mesh control plane.

Introduce zero-trust security

By default, traffic between services is insecure and not encrypted. To encrypt traffic, enable the Mutual TLS policy. The policy provisions a Certificate Authority (CA) that automatically assigns TLS certificates to the injected data plane proxies running alongside the services.

In a new terminal, run the following command to enable Mutual TLS with a builtin CA backend:

echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  meshServices:
    mode: Exclusive
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin" | kubectl apply -f -

Traffic is now encrypted and secure.

Allow traffic from demo-app to redis

Kong Mesh doesn’t define default traffic permissions, so no traffic flows with mTLS enabled until you define a MeshTrafficPermission policy.

The demo app therefore no longer works: if you click Increment again, the browser shows an error message.

To allow traffic from demo-app to redis, apply a MeshTrafficPermission:

echo "apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-demo
  name: redis
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: redis
  from:
    - targetRef:
        kind: MeshSubset
        tags:
          kuma.io/service: demo-app_kuma-demo_svc_5000
      default:
        action: Allow" | kubectl apply -f -
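The MeshTrafficPermission above hard-codes one source and one destination. The following script, added here as an example and not part of the Kong Mesh docs, renders the same policy for any source service and destination app, builds the kuma.io/service tag from the service name, namespace and port (the pattern behind demo-app_kuma-demo_svc_5000), and, when asked to apply, first checks that the default Mesh has an mTLS backend enabled so the permission is not applied to an unencrypted mesh. The function names kuma_service_tag, render_mtp and mtls_enabled are this example's own; the kubectl and policy fields are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the Kong Mesh docs). Renders a MeshTrafficPermission
# for an arbitrary source/destination pair and optionally applies it after
# confirming mTLS is on. Function names are this example's own assumptions.

# Kubernetes services are tagged kuma.io/service=<name>_<namespace>_svc_<port>;
# the page's demo-app_kuma-demo_svc_5000 follows this pattern.
kuma_service_tag() {
  printf '%s_%s_svc_%s\n' "$1" "$2" "$3"
}

# Render a policy allowing traffic from the source service (name, namespace,
# port) to every Dataplane labelled app=<dest_app> in namespace <dest_ns>.
# Usage: render_mtp <policy_name> <dest_ns> <dest_app> <src_name> <src_ns> <src_port>
render_mtp() {
  local policy_name="$1" dest_ns="$2" dest_app="$3"
  local src_tag
  src_tag=$(kuma_service_tag "$4" "$5" "$6")
  cat <<EOF
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: ${dest_ns}
  name: ${policy_name}
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: ${dest_app}
  from:
    - targetRef:
        kind: MeshSubset
        tags:
          kuma.io/service: ${src_tag}
      default:
        action: Allow
EOF
}

# Return 0 only if the default Mesh has a non-empty mtls.enabledBackend
# (requires a reachable cluster with Kong Mesh installed).
mtls_enabled() {
  local backend
  backend=$(kubectl get mesh default -o jsonpath='{.spec.mtls.enabledBackend}' 2>/dev/null) || return 1
  [ -n "$backend" ]
}

# Without APPLY=1 the policy is only printed (dry run). With APPLY=1 the
# script refuses to apply unless mTLS is already enabled on the mesh.
main() {
  if [ "${APPLY:-0}" = "1" ]; then
    if ! mtls_enabled; then
      echo "mTLS is not enabled on the default Mesh; enable it before adding permissions" >&2
      exit 1
    fi
    render_mtp redis kuma-demo redis demo-app kuma-demo 5000 | kubectl apply -f -
  else
    render_mtp redis kuma-demo redis demo-app kuma-demo 5000
  fi
}

main "$@"
```

Run it without arguments to see the rendered YAML for the demo; run it with APPLY=1 against a cluster to apply it. To allow a different caller, change the render_mtp arguments in main, for example render_mtp web kuma-demo web client default 8080 yields the tag client_default_svc_8080.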

Validate

  1. In a browser, go to http://127.0.0.1:5000.
  2. Click Increment.

    The counter value should increase.
