Deploy a single-zone control plane

In order to deploy Kuma in a single-zone deployment, the kuma-cp control plane must be started in zone mode:

This is the standard installation method.

  1. kumactl install control-plane \
  2.   --set "controlPlane.mode=zone" \
  3.   | kubectl apply -f -

Before using Kuma with helm, please follow these steps to configure your local helm repo.

  1. helm install --create-namespace --namespace kuma-system \
  2.   --set "controlPlane.mode=zone" \
  3.   kuma kuma/kuma

With zone egress:

It’s possible to run ZoneEgress for single-zone deployment. In order to deploy Kuma with ZoneEgress run the install command with an additional parameter.

  1. kumactl install control-plane \
  2.   --set "controlPlane.mode=zone" \
  3.   --set "egress.enabled=true" \
  4.   | kubectl apply -f -

Before using Kuma with helm, please follow these steps to configure your local helm repo.

  1. helm install --create-namespace --namespace kuma-system \
  2.   --set "controlPlane.mode=zone" \
  3.   --set "egress.enabled=true" \
  4.   kuma kuma/kuma

When running a control plane in Universal mode, a database must be used to persist state for production deployments. Ensure that migrations have been run against the database prior to running the control plane.

This is the standard installation method.

  1. KUMA_STORE_TYPE=postgres \
  2. KUMA_STORE_POSTGRES_HOST=<postgres-host> \
  3. KUMA_STORE_POSTGRES_PORT=<postgres-port> \
  4. KUMA_STORE_POSTGRES_USER=<postgres-user> \
  5. KUMA_STORE_POSTGRES_PASSWORD=<postgres-password> \
  6. KUMA_STORE_POSTGRES_DB_NAME=<postgres-db-name> \
  7. kuma-cp run

With zone egress:

ZoneEgress works for Universal deployment as well. In order to deploy ZoneEgress for Universal deployment follow the instruction.

Once Kuma is up and running, data plane proxies can now connect directly to it.

When the mode is not specified, Kuma will always start in zone mode by default.

Optional: control plane authentication

Running administrative tasks (like generating auth tokens) requires authentication by token or a connection via localhost when interacting with the control plane.

You can authenticate by port-forwarding API service and extracting admin user token.

  1. kubectl port-forward svc/kuma-control-plane -n kuma-system 5681:5681
  3. export ADMIN_TOKEN=$(kubectl get secrets -n kuma-system admin-user-token -ojson | jq -r .data.value | base64 -d)
  5. kumactl config control-planes add \
  6. --address http://localhost:5681 \
  7. --headers "authorization=Bearer $ADMIN_TOKEN" \
  8. --name "zone-cp" \
  9. --overwrite
Localhost authentication

For kuma-cp to recognize requests issued to docker published port it needs to run the container in the host network. To do this, add --network="host" parameter to the docker run command.

Authenticate via token

You can also configure kumactl to access kuma-dp from the container. Get the kuma-cp container id:

  1. docker ps # copy kuma-cp container id
  3. export KUMA_CP_CONTAINER_ID='...'

Configure kumactl:

  1. TOKEN=$(bash -c "docker exec -it $KUMA_CP_CONTAINER_ID wget -q -O - http://localhost:5681/global-secrets/admin-user-token" | jq -r .data | base64 -d)
  3. kumactl config control-planes add \
  4.  --name my-control-plane \
  5.  --address http://localhost:5681 \
  6.  --auth-type=tokens \
  7.  --auth-conf token=$TOKEN \
  8.  --skip-verify

Moving to a multi-zone deployment

You can transform a single-zone deployment into a multi-zone deployment by doing federation.