You are browsing documentation for a version of Kuma that is not the latest release.
Use Kong as a delegated Gateway
To bring traffic from outside your mesh into it (North/South) with Kuma, you can use a delegated gateway.
In the quickstart, traffic was only able to get in the mesh by port-forwarding to an instance of an app inside the mesh. In production, you typically set up a gateway to receive traffic external to the mesh. In this guide you will add Kong as a delegated gateway in front of the demo-app service and expose it publicly.
Prerequisites
- Completed quickstart to set up a zone control plane with demo application
Install Kong ingress controller
Follow the steps on the Kong docs website to install the ingress controller.
The Kubernetes cluster needs to support LoadBalancer for this to work.
If you are running minikube you will want to open a tunnel with minikube tunnel -p mesh-zone.
You may not have support for LoadBalancer if you are running locally with kind or k3d.
One option for kind is kubernetes-sigs/cloud-provider-kind, which may be helpful.
Enable sidecar injection on the kong namespace
The Kong Ingress controller was installed outside the mesh. For it to work as a delegated gateway, restart it with sidecar injection enabled:
Add the label:
Restart both the controller and the gateway to leverage sidecar injection:
Wait until pods are fully rolled out and look at them:
It is now visible that both pods have 2 containers, one for the application and one for the sidecar.
Retrieve the public URL for the gateway with:
Verify the gateway still works:
which outputs that there are no routes defined:
Add a route to our demo-app
Patch our gateway to allow routes in any namespace:
This is required because in the Kong ingress controller tutorial the gateway is created in the default namespace.
The Gateway API spec requires a gateway to explicitly allow routes from different namespaces.
Now add the gateway route in our kuma-demo namespace which binds to the gateway kong defined in the default namespace:
This route is managed by the Kong ingress controller and not by Kuma.
Now call the gateway:
Which outputs:
Notice the forbidden error. This is because the quickstart has very restrictive permissions as defaults. Therefore, the gateway doesn’t have permissions to talk to the demo-app service.
To fix this, add a MeshTrafficPermission:
Call the gateway again:
Notice that the call succeeds:
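The permission step above written out as a manifest. This is an added example, not the manifest from the Kuma documentation. The policy name, the namespace and the tag selectors for demo-app and the Kong proxies are assumptions; check the tags on your own Dataplane resources and the targetRef kinds your Kuma version supports before applying it.

```yaml
# Added example, not from the Kuma docs. Name, namespace and tag values
# are assumptions for a quickstart-style setup.
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: demo-app-from-kong        # hypothetical policy name
  namespace: kuma-demo            # assumed; adjust to where your Kuma version expects policies
spec:
  # Destination: only the demo-app data plane proxies.
  targetRef:
    kind: MeshSubset
    tags:
      app: demo-app               # assumed pod label on demo-app
  from:
    # Source: only proxies running in the kong namespace, which now carry
    # sidecars after the restart earlier in this guide.
    - targetRef:
        kind: MeshSubset
        tags:
          k8s.kuma.io/namespace: kong   # tag Kuma derives from the pod's namespace
      default:
        action: Allow
# This selector covers both the controller and the gateway pods in the
# kong namespace. To narrow it to the gateway pods only, add a tag that
# matches a label carried by those pods alone.
#
# Over-broad variant to avoid: using
#   targetRef:
#     kind: Mesh
# as the source would let every workload in the mesh call demo-app,
# which removes the restrictive default that produced the forbidden error.
```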
Next steps
- Read more about the different types of gateways in the managing ingress traffic docs.
- Learn about setting up observability to get full end to end visibility of your mesh.