Careful!
You are browsing documentation for a version of Kuma that is not the latest release.
Add a builtin gateway
To bring traffic from outside your mesh into it (north/south traffic), Kuma provides a builtin gateway.
In the quickstart, traffic could only enter the mesh by port-forwarding to an instance of an app running inside it. In production, you typically set up a gateway to receive traffic from outside the mesh. In this guide you will add a builtin gateway in front of the demo-app service and expose it publicly.
Prerequisites
- Completed quickstart to set up a zone control plane with demo application
Start a gateway
Create a MeshGatewayInstance
A MeshGatewayInstance configures the pods that will run the gateway. Create it by running:
The Kubernetes cluster needs to support LoadBalancer for this to work. If you are running minikube, open a tunnel with minikube tunnel -p mesh-zone.
You may not have LoadBalancer support if you are running locally with kind or k3d. For kind, kubernetes-sigs/cloud-provider-kind may be helpful.
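The following script is an added example and not the manifest from the Kuma docs; it emits the MeshGatewayInstance described above and applies it only if kubectl can reach a cluster. The gateway name edge-gateway and the quickstart namespace kuma-demo are assumptions, as is the <name>_<namespace>_svc pattern of the kuma.io/service tag that Kuma derives for the gateway's Service.

```shell
# Added example (not the Kuma docs' own manifest). Assumptions: the quickstart's
# demo namespace is kuma-demo and the gateway is called edge-gateway.
GATEWAY_NAME="${GATEWAY_NAME:-edge-gateway}"
GATEWAY_NS="${GATEWAY_NS:-kuma-demo}"

# Emit the MeshGatewayInstance: one replica, exposed through a LoadBalancer Service.
# Kept as a function so the manifest can be reviewed before it is applied.
mesh_gateway_instance_manifest() {
  cat <<EOF
apiVersion: kuma.io/v1alpha1
kind: MeshGatewayInstance
metadata:
  name: ${GATEWAY_NAME}
  namespace: ${GATEWAY_NS}
spec:
  replicas: 1
  serviceType: LoadBalancer
EOF
}

# The kuma.io/service tag Kuma assigns to the gateway's Service follows the
# <name>_<namespace>_svc pattern (assumed here); the MeshGateway selector in
# the next step matches on it.
gateway_service_tag() {
  printf '%s_%s_svc\n' "$GATEWAY_NAME" "$GATEWAY_NS"
}

# True when kubectl is on PATH and can reach a cluster; lets the script fall
# back to a dry run (print the manifest) when run offline.
cluster_reachable() {
  command -v kubectl >/dev/null 2>&1 &&
    kubectl get ns "$GATEWAY_NS" --request-timeout=5s >/dev/null 2>&1
}

if cluster_reachable; then
  mesh_gateway_instance_manifest | kubectl apply -f -
  kubectl get meshgatewayinstances -n "$GATEWAY_NS" "$GATEWAY_NAME"
else
  echo "# dry run: would apply the following (service tag $(gateway_service_tag))"
  mesh_gateway_instance_manifest
fi
```

Run it once the quickstart namespace exists; the dry-run branch is there so you can diff the manifest against your cluster's conventions before applying it.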
Define a listener using MeshGateway
MeshGateway defines listeners for the gateway. Define a single HTTP listener on port 8080:
Notice how the selector matches the kuma.io/service tag of the previously defined MeshGatewayInstance.
Now look at the pods running in the namespace by running:
Observe the gateway pod:
Retrieve the public URL for the gateway with:
Check the gateway is running:
Which outputs:
Notice the gateway says that there are no routes configured.
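As an added example (not the Kuma docs' own manifest or commands), the script below defines the HTTP listener, lists the pods, retrieves the LoadBalancer address and makes the first request. It assumes the edge-gateway MeshGatewayInstance in namespace kuma-demo from the previous step, the mesh named default, and that MeshGateway is cluster-scoped on Kubernetes with a top-level mesh field; the IP 203.0.113.10 used in the usage note is a constructed placeholder.

```shell
# Added example (not the Kuma docs' own manifest). Assumes the MeshGatewayInstance
# edge-gateway in namespace kuma-demo and the mesh named default.
GATEWAY_NAME="${GATEWAY_NAME:-edge-gateway}"
GATEWAY_NS="${GATEWAY_NS:-kuma-demo}"
MESH="${MESH:-default}"
LISTENER_PORT="${LISTENER_PORT:-8080}"

# MeshGateway binds to the gateway pods by matching the kuma.io/service tag of the
# MeshGatewayInstance's Service, and declares one plain HTTP listener.
mesh_gateway_manifest() {
  cat <<EOF
apiVersion: kuma.io/v1alpha1
kind: MeshGateway
mesh: ${MESH}
metadata:
  name: ${GATEWAY_NAME}
spec:
  selectors:
  - match:
      kuma.io/service: ${GATEWAY_NAME}_${GATEWAY_NS}_svc
  conf:
    listeners:
    - port: ${LISTENER_PORT}
      protocol: HTTP
      tags:
        port: http-${LISTENER_PORT}
EOF
}

# External IP of the gateway's LoadBalancer Service (empty until the cloud
# provider or minikube tunnel assigns one).
gateway_ip() {
  kubectl get svc -n "$GATEWAY_NS" "$GATEWAY_NAME" \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# Public URL built from an address ($1) and the listener port.
gateway_url() {
  printf 'http://%s:%s\n' "$1" "$LISTENER_PORT"
}

cluster_reachable() {
  command -v kubectl >/dev/null 2>&1 &&
    kubectl get ns "$GATEWAY_NS" --request-timeout=5s >/dev/null 2>&1
}

if cluster_reachable; then
  mesh_gateway_manifest | kubectl apply -f -
  # The gateway pod now runs next to the demo app's pods.
  kubectl get pods -n "$GATEWAY_NS"
  ip="$(gateway_ip)"
  if [ -z "$ip" ]; then
    echo "no external IP yet: is minikube tunnel / cloud-provider-kind running?" >&2
  else
    # Without a MeshHTTPRoute attached, the gateway answers that no routes match.
    curl -sS -i "$(gateway_url "$ip")"
  fi
else
  mesh_gateway_manifest
fi
```

Keep the address around for the next steps, for instance by exporting GATEWAY_URL="$(gateway_url 203.0.113.10)" with your real LoadBalancer IP in place of the placeholder.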
Define a route using MeshHTTPRoute
MeshHTTPRoute defines HTTP routes inside your service mesh. Attach a route to an entire gateway or to a single listener by using targetRef.kind: MeshGateway.
Now try to reach our gateway again:
which outputs:
Notice the forbidden error. The quickstart applies very restrictive traffic permissions by default, so the gateway is not allowed to talk to the demo-app service.
To fix this, add a MeshTrafficPermission:
Check it works with:
It now returns a 200 OK response:
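The script below is an added example covering both the MeshHTTPRoute from the previous step and the MeshTrafficPermission that resolves the forbidden error; it is not the Kuma docs' own manifests. It assumes the edge-gateway MeshGateway defined earlier, the mesh named default, Kuma's system namespace kuma-system for policies, the quickstart service name demo-app_kuma-demo_svc_5000, and that the gateway's identity can be named in the permission's from clause via its kuma.io/service tag. The permission is deliberately scoped to the gateway's identity only, so the restrictive defaults keep applying to every other client.

```shell
# Added example (not the Kuma docs' own manifests). Assumptions: edge-gateway
# MeshGateway, mesh "default", policies in kuma-system, quickstart service name
# demo-app_kuma-demo_svc_5000.
MESH="${MESH:-default}"
SYSTEM_NS="${SYSTEM_NS:-kuma-system}"
GATEWAY_NAME="${GATEWAY_NAME:-edge-gateway}"
GATEWAY_NS="${GATEWAY_NS:-kuma-demo}"
DEMO_SERVICE="${DEMO_SERVICE:-demo-app_kuma-demo_svc_5000}"

# Route every path on the whole gateway (targetRef.kind: MeshGateway without
# listener tags attaches to all listeners) to the demo-app service.
mesh_http_route_manifest() {
  cat <<EOF
apiVersion: kuma.io/v1alpha1
kind: MeshHTTPRoute
metadata:
  name: ${GATEWAY_NAME}-demo-app
  namespace: ${SYSTEM_NS}
  labels:
    kuma.io/mesh: ${MESH}
spec:
  targetRef:
    kind: MeshGateway
    name: ${GATEWAY_NAME}
  to:
  - targetRef:
      kind: Mesh
    rules:
    - matches:
      - path:
          type: PathPrefix
          value: "/"
      default:
        backendRefs:
        - kind: MeshService
          name: ${DEMO_SERVICE}
          weight: 1
EOF
}

# Least-privilege permission: only the gateway's own service identity may call
# demo-app; nothing else in the mesh gains access.
mesh_traffic_permission_manifest() {
  cat <<EOF
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: ${GATEWAY_NAME}-to-demo-app
  namespace: ${SYSTEM_NS}
  labels:
    kuma.io/mesh: ${MESH}
spec:
  targetRef:
    kind: MeshService
    name: ${DEMO_SERVICE}
  from:
  - targetRef:
      kind: MeshService
      name: ${GATEWAY_NAME}_${GATEWAY_NS}_svc
    default:
      action: Allow
EOF
}

# HTTP status the gateway returns for GET on $1: 403 while only the route
# exists, 200 once the permission is in place.
gateway_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

cluster_reachable() {
  command -v kubectl >/dev/null 2>&1 &&
    kubectl get ns "$GATEWAY_NS" --request-timeout=5s >/dev/null 2>&1
}

if cluster_reachable; then
  url="${GATEWAY_URL:?set GATEWAY_URL, e.g. http://<lb-ip>:8080}"
  mesh_http_route_manifest | kubectl apply -f -
  echo "route only:       $(gateway_status "$url")"   # expect 403
  mesh_traffic_permission_manifest | kubectl apply -f -
  echo "route+permission: $(gateway_status "$url")"   # expect 200
else
  mesh_http_route_manifest
  echo "---"
  mesh_traffic_permission_manifest
fi
```

The two status checks make the default-deny behaviour visible: the route alone is not enough, and the permission grants access to exactly one caller rather than opening demo-app to the whole mesh.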
Securing your public endpoint with a certificate
The application is now exposed to a public endpoint thanks to the gateway. We will now add TLS to our endpoint.
Create a certificate
Create a self-signed certificate:
Now update the gateway to use this certificate:
Check the call to the gateway:
Which should output a successful call and indicate TLS is being used:
Note that we're using --insecure, which makes curl skip certificate verification, because we have used a self-signed certificate.
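As an added example (not the Kuma docs' own commands), the script below generates the self-signed certificate, stores it as a Kuma secret and switches the listener to HTTPS. It assumes the edge-gateway MeshGateway and default mesh from earlier, Kuma's system namespace kuma-system, Kuma's secret convention (a Kubernetes Secret of type system.kuma.io/secret whose value key holds the PEM certificate followed by the private key), and the tls.mode: TERMINATE listener setting; the secret name edge-gateway-certificate and the 30-day lifetime are choices made for this example.

```shell
# Added example (not the Kuma docs' own commands). Assumptions: edge-gateway
# MeshGateway, mesh "default", secrets in kuma-system, and Kuma's
# system.kuma.io/secret format with a base64 PEM bundle under "value".
GATEWAY_NAME="${GATEWAY_NAME:-edge-gateway}"
GATEWAY_NS="${GATEWAY_NS:-kuma-demo}"
MESH="${MESH:-default}"
SYSTEM_NS="${SYSTEM_NS:-kuma-system}"
LISTENER_PORT="${LISTENER_PORT:-8080}"
SECRET_NAME="${SECRET_NAME:-${GATEWAY_NAME}-certificate}"

# Self-signed lab certificate whose SAN is the gateway's public IP ($1), written
# to directory $2. Short-lived and without a CA: fine for a demo, not production.
# -addext needs OpenSSL 1.1.1 or newer.
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes \
    -subj "/CN=$1" -addext "subjectAltName=IP:$1" \
    -keyout "$2/key.pem" -out "$2/cert.pem"
}

# Kuma secret carrying cert ($1) + key ($2) as one base64-encoded PEM bundle.
# base64 | tr -d '\n' keeps this portable between GNU and BSD base64.
kuma_tls_secret_manifest() {
  value="$(cat "$1" "$2" | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${SYSTEM_NS}
  labels:
    kuma.io/mesh: ${MESH}
type: system.kuma.io/secret
data:
  value: ${value}
EOF
}

# Same listener as before, now HTTPS with TLS terminated at the gateway.
mesh_gateway_tls_manifest() {
  cat <<EOF
apiVersion: kuma.io/v1alpha1
kind: MeshGateway
mesh: ${MESH}
metadata:
  name: ${GATEWAY_NAME}
spec:
  selectors:
  - match:
      kuma.io/service: ${GATEWAY_NAME}_${GATEWAY_NS}_svc
  conf:
    listeners:
    - port: ${LISTENER_PORT}
      protocol: HTTPS
      tls:
        mode: TERMINATE
        certificates:
        - secret: ${SECRET_NAME}
      tags:
        port: https-${LISTENER_PORT}
EOF
}

cluster_reachable() {
  command -v kubectl >/dev/null 2>&1 &&
    kubectl get ns "$GATEWAY_NS" --request-timeout=5s >/dev/null 2>&1
}

if cluster_reachable; then
  ip="${GATEWAY_IP:?set GATEWAY_IP to the LoadBalancer address}"
  dir="$(mktemp -d)"
  make_self_signed_cert "$ip" "$dir"
  kuma_tls_secret_manifest "$dir/cert.pem" "$dir/key.pem" | kubectl apply -f -
  mesh_gateway_tls_manifest | kubectl apply -f -
  # --insecure skips chain verification, acceptable only because the certificate
  # is self-signed; -v still shows the handshake and the certificate served.
  curl -v --insecure "https://${ip}:${LISTENER_PORT}"
  rm -rf "$dir"
else
  mesh_gateway_tls_manifest
fi
```

The private key never leaves the temporary directory except inside the secret applied to kuma-system; with a certificate issued by a real CA you would drop --insecure and let curl verify the chain.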
Next steps
- Read more about the different types of gateways in the managing ingress traffic docs.
- Learn about setting up observability to get full end to end visibility of your mesh.