How to: Deploy Konnect Managed Control Plane

Prerequisites

Create a Kong Mesh control plane

This is a Konnect tutorial and requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

After creating your Konnect account, create the Kong Mesh Control plane and your first Mesh zone. Follow the instructions in Konnect to deploy your data plane.
The Konnect onboarding process will guide you through the steps below, automatically injecting you System Access Token, Control plane URL and Control plane ID. If you want to follow the steps here, export the generated token, Control plane URL and Control plane ID:
```
 export KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export KONNECT_CONTROL_PLANE_URL='YOUR KONNECT CONTROL PLANE'
 export KONNECT_CONTROL_PLANE_ID='YOUR CONTROL PLANE ID'
```

Install Kong Mesh

Install Kong Mesh control plane with Helm:

kubectl create namespace kong-mesh-system
helm repo add kong-mesh https://kong.github.io/kong-mesh-charts
helm repo update

Create the control plane token:

echo "
  apiVersion: v1
  kind: Secret
  metadata:
    name: cp-token
    namespace: kong-mesh-system
  type: Opaque
  data:
    token: $CONTROL_PLANE_TOKEN
" | kubectl apply -f -

The CONTROL_PLANE_TOKEN will be created automatically in Konnect

Create the Helm values file:

echo "
kuma:
  controlPlane:
    mode: zone
    zone: zone3
    kdsGlobalAddress: $CONTROL_PLANE_URL
    konnect:
      cpId: $CONTROL_PLANE_ID
    secrets:
      - Env: $KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE
        Secret: cp-token
        Key: token
  ingress:
    enabled: true
  egress:
    enabled: true
  " > values.yaml

CONTROL_PLANE_ID and CONTROL_PLANE_URL were created automatically in Konnect and exported as environment variable in the prerequisites section.

Install Kong Mesh:

helm upgrade --install -n kong-mesh-system kong-mesh kong-mesh/kong-mesh -f values.yaml

Save Control Plane token to a file:

mkdir -p ~/kuma-cp \
  && echo $CONTROL_PLANE_TOKEN > ~/kuma-cp/cpTokenFile \
  && chmod 600 ~/kuma-cp/cpTokenFile

Create Mesh config file:

echo "
environment: universal
mode: zone
multizone:
  zone:
    name: zone3
    globalAddress: $CONTROL_PLANE_URL
kmesh:
  multizone:
    zone:
      konnect:
        cpId: $CONTROL_PLANE_ID
experimental:
  kdsDeltaEnabled: true
" > config.yaml

CONTROL_PLANE_ID and CONTROL_PLANE_URL were created automatically in Konnect and exported as environment variable in the prerequisites section.

Download Kong Mesh and connect to the zone:

curl -L http://developer.konghq.com/mesh/installer.sh | sh - \
  && KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH=~/kuma-cp/cpTokenFile kong-mesh-*/bin/kuma-cp run --config-file config.yaml

Deploy the demo application

To start learning how Kong Mesh works, you can use our simple and secure demo application that consists of two services:

demo-app: A web application that lets you increment a numeric counter. It listens on port 5000
redis: The data store for the counter

 
flowchart LR
  demo-app(demo-app :5000)
  redis(redis :6379)
  demo-app --> redis

Deploy the demo application:

kubectl apply -f https://raw.githubusercontent.com/kumahq/kuma-counter-demo/master/demo.yaml
kubectl wait -n kuma-demo --for=condition=ready pod --selector=app=demo-app --timeout=90s

The demo-app service listens on port 5000. When it starts, it expects to find a zone key in Redis that specifies the name of the data center (or cluster) where the Redis instance is running. This name is displayed in the browser.

The zone key is purely static and arbitrary. Different zone values for different Redis instances let you keep track of which Redis instance stores the counter if you manage routes across different zones, clusters, and clouds.

Universal Prerequisites

Redis installed
Kong Mesh installed

Demo app downloaded from GitHub:

git clone https://github.com/kumahq/kuma-counter-demo.git

Set up

Run redis as a daemon on port 26379 and set a default zone name:

redis-server --port 26379 --daemonize yes
redis-cli -p 26379 set zone local

Install and start demo-app on the default port 5000:

npm install --prefix=app/
npm start --prefix=app/

Generate tokens

Create a token for Redis and a token for the app (all valid for 30 days):

kumactl generate dataplane-token --tag kuma.io/service=redis --valid-for=720h > kuma-token-redis
kumactl generate dataplane-token --tag kuma.io/service=app --valid-for=720h > kuma-token-app

This action requires authentication unless executed against a control-plane running on localhost.

Create a data plane proxy for each service

For Redis:

kuma-dp run \
  --cp-address=https://localhost:5678/ \
  --dns-enabled=false \
  --dataplane-token-file=kuma-token-redis \
  --dataplane="
  type: Dataplane
  mesh: default
  name: redis
  networking: 
    address: 127.0.0.1
    inbound: 
      - port: 16379
        servicePort: 26379
        serviceAddress: 127.0.0.1
        tags: 
          kuma.io/service: redis
          kuma.io/protocol: tcp
    admin:
      port: 9901"

And for the demo app:

kuma-dp run \
  --cp-address=https://localhost:5678/ \
  --dns-enabled=false \
  --dataplane-token-file=kuma-token-app \
  --dataplane="
  type: Dataplane
  mesh: default
  name: app
  networking: 
    address: 127.0.0.1
    outbound:
      - port: 6379
        tags:
          kuma.io/service: redis
    inbound: 
      - port: 15000
        servicePort: 5000
        serviceAddress: 127.0.0.1
        tags: 
          kuma.io/service: app
          kuma.io/protocol: http
    admin:
      port: 9902"

When using the Konnect managed Control Plane, all changes to the Mesh must be applied using kumactl. You can configure kumactl connectivity by clicking on Actions from the Mesh overview in Konnect Mesh Manager.

Forward ports

Port-forward the service to the namespace on port 5000:

kubectl port-forward svc/demo-app -n kuma-demo 5000:5000

Validate

Navigate to 127.0.0.1:5000/ in your web browser and increment the counter.

Now that you have you workloads up and running, we can secure them with Mutual TLS.

Introduce zero-trust security

By default, service-to-service traffic in the mesh is not encrypted. You can change this in Kong Mesh by enabling the Mutual TLS (mTLS) policy, which provisions a dynamic Certificate Authority (CA) on the default Mesh. This CA automatically issues TLS certificates to all dataplanes.

To enable mTLS using a built-in CA:

Do not enable mTLS in an environment with existing workloads until you define a MeshTrafficPermission policy. Without it, service-to-service communication will be blocked.

cat <<EOF | kumactl apply -f -
type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: builtin
EOF

After enabling mTLS, service communication will be denied by default. To restore connectivity, apply a fully permissive MeshTrafficPermission policy:

cat <<EOF | kumactl apply -f -
type: MeshTrafficPermission
name: allow-all
mesh: default
spec:
  from:
    - targetRef:
        kind: Mesh
      default:
        action: Allow
EOF

Deploy Konnect Managed Control Plane