Deploy Mesh on Kubernetes
Install Kong Mesh on your Kubernetes cluster using Helm, and deploy the Kong Mesh demo application.
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
Create a Kong Mesh Control Plane
This tutorial requires a Konnect Plus account. If you don’t have one, you can get started quickly with our onboarding wizard.
After creating your Konnect account, create the Kong Mesh Control Plane and your first Mesh zone. Follow the instructions in Konnect to deploy Mesh on your Kubernetes cluster.
A running Kubernetes cluster
This guide requires a running Kubernetes cluster. If you already have a Kubernetes cluster running, you can skip this step. It can be a cluster running locally, like Docker, or in a public cloud like AWS EKS, GCP GKE, etc.
For example, if you are using minikube:
minikube start -p mesh-zone
Install Kong Mesh
Install Kong Mesh Control Plane with Helm:
helm repo add kong-mesh https://kong.github.io/kong-mesh-charts
helm repo update
helm install --create-namespace --namespace kong-mesh-system kong-mesh kong-mesh/kong-mesh
Deploy the demo application
To start learning how Kong Mesh works, you can use our simple and secure demo application that consists of two services:
- demo-app: A web application that lets you increment a numeric counter. It listens on port 5000.
- redis: The data store for the counter.
Diagram: demo-app (:5000) --> redis (:6379)
Deploy the demo application:
kubectl apply -f https://raw.githubusercontent.com/kumahq/kuma-counter-demo/master/demo.yaml
kubectl wait -n kuma-demo --for=condition=ready pod --selector=app=demo-app --timeout=90s
Forward ports
Port-forward the service to the namespace on port 5000:
kubectl port-forward svc/demo-app -n kuma-demo 5000:5000
Introduce zero-trust security
The traffic is now encrypted and secure. Kong Mesh does not define default traffic permissions, which means that no traffic will flow with mTLS enabled until we define a proper MeshTrafficPermission policy.
For now, the demo application won’t work.
You can verify this by clicking the increment button again and seeing the error message in the browser.
We can allow the traffic from the demo-app to redis by applying the following MeshTrafficPermission:
echo "apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-demo
  name: redis
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: redis
  from:
    - targetRef:
        kind: MeshSubset
        tags:
          kuma.io/service: demo-app_kuma-demo_svc_5000
      default:
        action: Allow" | kubectl apply -f -
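An added example, not part of the original tutorial or Kong's own code: a Python audit that lists every source-to-destination path that MeshTrafficPermission objects allow and reports any path outside the intended demo-app to redis edge. It assumes the policies were exported as JSON with `kubectl get meshtrafficpermissions -A -o json`; the `allow-all` policy and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get meshtrafficpermissions -A -o json`.
# Item 1 is the policy from this page; item 2 is a hypothetical over-broad policy.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "kuma-demo", "name": "redis"},
   "spec": {"targetRef": {"kind": "Dataplane", "labels": {"app": "redis"}},
            "from": [{"targetRef": {"kind": "MeshSubset", "tags":
                        {"kuma.io/service": "demo-app_kuma-demo_svc_5000"}},
                      "default": {"action": "Allow"}}]}},
  {"metadata": {"namespace": "kong-mesh-system", "name": "allow-all"},
   "spec": {"targetRef": {"kind": "Mesh"},
            "from": [{"targetRef": {"kind": "Mesh"},
                      "default": {"action": "Allow"}}]}}
]}
""")

ALLOWING = {"Allow", "AllowWithShadowDeny"}  # actions that let traffic through

def selector(ref):
    """Render a targetRef as a short string; kind Mesh selects everything."""
    if ref.get("kind") == "Mesh":
        return "*"
    pairs = ref.get("tags") or ref.get("labels") or {}
    if pairs:
        return ",".join(f"{k}={v}" for k, v in sorted(pairs.items()))
    return ref.get("name", ref.get("kind", "?"))

def allow_edges(policy_list):
    """Return (policy, source, destination) for every rule that permits traffic."""
    edges = []
    for item in policy_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        dest = selector(spec.get("targetRef", {}))
        for rule in spec.get("from", []):
            if rule.get("default", {}).get("action") in ALLOWING:
                edges.append((ident, selector(rule.get("targetRef", {})), dest))
    return edges

def unexpected(policy_list, expected):
    """Edges not in the intended service graph, including any wildcard source."""
    return [e for e in allow_edges(policy_list) if (e[1], e[2]) not in expected]

if __name__ == "__main__":
    intended = {("kuma.io/service=demo-app_kuma-demo_svc_5000", "app=redis")}
    for policy, src, dst in unexpected(SAMPLE, intended):
        print(f"REVIEW {policy}: {src} -> {dst}")
```
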
Validate
The demo app consists of a web application called Kuma Counter. This application allows us to increment a counter. You can validate the installation was successful by visiting http://127.0.0.1:5000/ and using the web application. When you click Increment, you will see the connection being managed from the terminal.
Cleanup
Clean up Mesh
To clean up your environment, remove the Docker containers, network, temporary directory, and the control plane configuration. Run the following command:
kubectl config delete-context mesh-zone