RedHat

Don’t forget! The Official Documentation of Kuma is a great place to learn about both basic and more advanced topics.

To install and run Kuma on RedHat (x86_64) execute the following steps:

1. Download and run Kuma

You can download Kuma from hereRedHat - 图1 or by running:

  1. $ wget https://kong.bintray.com/kuma/kuma-0.3.2-rhel-amd64.tar.gz

You can extract the archive and check the contents of the bin folder by running:

  1. $ tar xvzf kuma-0.3.2-rhel-amd64.tar.gz
  2. $ cd bin/ && ls
  3. envoy kuma-dp kuma-tcp-echo kuma-cp kuma-prometheus-sd kumactl

As you can see Kuma already ships with an envoyRedHat - 图2 executable ready to use.

To run Kuma execute:

  1. $ ./kuma-cp run

Kuma automatically creates a Mesh entity with name default.

By default this will run Kuma with a memory backend, but you can change this to use PostgreSQL by updating the conf/kuma-cp.conf file.

2. Start the Data-Plane

Before starting the sidecar proxy data-plane, the service should already be running. For demo purposes, we can start a sample TCP server that comes bundled with Kuma and that echoes back the requests we are sending to it:

  1. $ ./kuma-tcp-echo -port 9000

You can then consume the service by making requests to 127.0.0.1:9000, like: curl http://127.0.0.1:9000/ or nc 127.0.0.1 9000

We now have our control-plane and services running. For each service we can now provision a Dataplane Entity that configures the inbound and outbound networking configuration:

  1. $ echo "type: Dataplane
  2. mesh: default
  3. name: dp-echo-1
  4. networking:
  5. inbound:
  6. - interface: 127.0.0.1:10000:9000
  7. tags:
  8. service: echo" | ./kumactl apply -f -

Next, generate a data-plane token that is used by the control-plane to verify identity of the data-plane:

  1. $ ./kumactl generate dataplane-token --dataplane=dp-echo-1 > /tmp/kuma-dp-echo-1

And run the actual data-plane process with:

  1. $ ./kuma-dp run \
  2. --name=dp-echo-1 \
  3. --mesh=default \
  4. --cp-address=http://127.0.0.1:5681 \
  5. --dataplane-token-file=/tmp/kuma-dp-echo-1

You can now consume the service on port 10000, which will be internally redirected to the service on port 9000:

  1. $ curl http://127.0.0.1:10000
  2. GET / HTTP/1.1
  3. Host: 127.0.0.1:10000
  4. User-Agent: curl/7.54.0
  5. Accept: */*

3. Apply Policies

Now you can start applying Policies to your default Service Mesh, like Mutual TLS:

  1. $ echo "type: Mesh
  2. name: default
  3. mtls:
  4. enabled: true
  5. ca:
  6. builtin: {}" | ./kumactl apply -f -

With mTLS enabled, all traffic is restricted by default unless we specify a Traffic Permission policy that enables it again. For example, we can apply the following permissive policy to enable all traffic across every data-plane again:

  1. $ echo "type: TrafficPermission
  2. name: enable-all-traffic
  3. mesh: default
  4. sources:
  5. - match:
  6. service: '*'
  7. destinations:
  8. - match:
  9. service: '*'" | ./kumactl apply -f -

4. Done!

You can configure kumactl to point to any remote kuma-cp instance by running:

  1. $ ./kumactl config control-planes add --name=XYZ --address=http://address.to.kuma:5681

If you consume the service again on port 10000, you will now notice that the communication requires now a TLS connection.

You can now review the entities created by Kuma by using the kumactl CLI. For example you can list the Meshes and the Traffic Permissions:

  1. $ ./kumactl get meshes
  2. NAME mTLS CA METRICS
  3. default on builtin off
  4. $ ./kumactl get traffic-permissions
  5. MESH NAME
  6. default enable-all-traffic

and you can list the data-planes that have been registered, and their status:

  1. $ ./kumactl get dataplanes
  2. MESH NAME TAGS
  3. default dp-echo-1 service=echo
  4. $ ./kumactl inspect dataplanes
  5. MESH NAME TAGS STATUS LAST CONNECTED AGO LAST UPDATED AGO TOTAL UPDATES TOTAL ERRORS
  6. default dp-echo-1 service=echo Online 19s 18s 2 0