Zone Ingress
To implement cross-zone communication when Kuma is deployed in multi-zone mode, there is a new proxy type, `ZoneIngress`. These proxies are not attached to any particular workload. Instead, they are bound to a particular zone. Zone Ingress can proxy the traffic between all meshes, so only one deployment is needed in each zone.

All requests that are sent from one zone to another will be directed to the proper instance by the Zone Ingress.

Because `ZoneIngress` uses Server Name Indication (SNI) to route traffic, mTLS is required for cross-zone communication.
The `ZoneIngress` entity includes a few sections:

- `type`: must be `ZoneIngress`.
- `name`: the name of the Zone Ingress instance; it must be unique within any given `zone`.
- `networking`: contains the networking parameters of the Zone Ingress.
  - `address`: the address of the network interface Zone Ingress is listening on. It can be the address of either a public or a private network interface, but the latter must be used together with a load balancer.
  - `port`: the port that Zone Ingress is listening on; defaults to 10001.
  - `advertisedAddress`: an IP address or hostname that will be used to communicate with the Zone Ingress. Zone Ingress doesn't listen on this address. If Zone Ingress is exposed using a load balancer, the address of the load balancer should be used here. If Zone Ingress is listening on the public network interface, the address of the public network interface should be used here.
  - `advertisedPort`: a port that will be used to communicate with the Zone Ingress. Zone Ingress doesn't listen on this port.
  - `admin`: parameters related to the Envoy Admin API.
    - `port`: the port that the Envoy Admin API will listen on.
- `availableServices` [auto-generated on Kuma CP]: the list of services that can be consumed through the Zone Ingress.
- `zone` [auto-generated on Kuma CP]: the zone where Zone Ingress is running.
A Zone Ingress without `advertisedAddress` and `advertisedPort` is not taken into account when generating Envoy configuration, because it cannot be accessed by data plane proxies from other zones.
To install `ZoneIngress` in Kubernetes when running `kumactl install control-plane`, use the `--ingress-enabled` flag. If using Helm, add `ingress.enabled: true` to your `values.yaml`.
Kuma will set `advertisedAddress` and `advertisedPort` automatically by checking the Service associated with this Zone Ingress.

If the Service type is `LoadBalancer`, Kuma will wait for the public IP to be resolved. It may take a couple of minutes to receive the public IP, depending on the load balancer implementation of your Kubernetes provider. If the Service type is `NodePort`, Kuma will take the External IP of the first Node in the cluster and combine it with the Node Port.
You can provide your own public address and port using the following annotations on the Ingress deployment:

- `kuma.io/ingress-public-address`
- `kuma.io/ingress-public-port`
In Universal mode, a token is required to authenticate the `ZoneIngress` instance. Create the token using the `kumactl` binary:

```sh
kumactl generate zone-token --valid-for 720h --scope ingress > /path/to/token
```
Create a `ZoneIngress` configuration to allow services to receive traffic from other zones:

```yaml
type: ZoneIngress
name: zoneingress-1
networking:
  address: 192.168.0.1
  port: 10001
  advertisedAddress: 10.0.0.1 # Adapt to the address of the Load Balancer in front of your ZoneIngresses
  advertisedPort: 10001 # Adapt to the port of the Load Balancer in front of your ZoneIngresses
```
Apply the ingress configuration, passing the address of the control plane, and your instance should start:

```sh
kuma-dp run \
  --proxy-type=ingress \
  --cp-address=https://<kuma-cp-address>:5678 \
  --dataplane-token-file=/path/to/token \
  --dataplane-file=/path/to/config
```
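A pre-apply sanity check for the resource above, added here as an example that is not part of the Kuma project or its tooling: it enforces the rules this page states (the `type` value, a name unique within the zone, a valid listening address and ports, and the presence of both `advertisedAddress` and `advertisedPort`, without which the ingress is silently left out of other zones' Envoy configuration). The resources are given as already-parsed dicts; the sample values are constructed and mirror the YAML shown above.

```python
import ipaddress
from typing import List, Tuple

def _port_ok(value) -> bool:
    """True if value is an integer TCP port in 1..65535."""
    try:
        return 0 < int(value) < 65536
    except (TypeError, ValueError):
        return False

def validate_zone_ingress(res: dict) -> List[str]:
    """Return the problems found in one ZoneIngress resource (empty = looks sane)."""
    problems = []
    if res.get("type") != "ZoneIngress":
        problems.append("type must be ZoneIngress")
    if not res.get("name"):
        problems.append("name is required")
    net = res.get("networking") or {}
    try:
        ipaddress.ip_address(net.get("address", ""))
    except ValueError:
        problems.append("networking.address must be the IP of a local interface")
    if not _port_ok(net.get("port", 10001)):  # 10001 is the documented default
        problems.append("networking.port is not a valid port")
    if not net.get("advertisedAddress") or not net.get("advertisedPort"):
        # Without both, other zones' Envoy configs never reference this ingress,
        # so cross-zone traffic silently fails rather than erroring on apply.
        problems.append("advertisedAddress/advertisedPort missing: other zones ignore this ingress")
    elif not _port_ok(net["advertisedPort"]):
        problems.append("networking.advertisedPort is not a valid port")
    return problems

def validate_zone(resources: List[dict]) -> List[Tuple[str, List[str]]]:
    """Validate all ingresses of one zone; names must be unique within the zone."""
    report, seen = [], set()
    for res in resources:
        name = res.get("name") or "<unnamed>"
        problems = validate_zone_ingress(res)
        if name in seen:
            problems.append(f"name {name!r} is already used in this zone")
        seen.add(name)
        report.append((name, problems))
    return report

# Constructed samples: GOOD mirrors the resource shown on the page.
GOOD = {"type": "ZoneIngress", "name": "zoneingress-1",
        "networking": {"address": "192.168.0.1", "port": 10001,
                       "advertisedAddress": "10.0.0.1", "advertisedPort": 10001}}
NO_ADVERTISED = {"type": "ZoneIngress", "name": "zoneingress-2",
                 "networking": {"address": "192.168.0.2", "port": 10001}}
```

Running `validate_zone([GOOD, NO_ADVERTISED, GOOD])` reports the missing advertised fields on the second resource and the duplicate name on the third, both of which Kuma itself would accept at apply time.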
A `ZoneIngress` deployment can be scaled horizontally. Many instances can share the same advertised address and advertised port, because they can be placed behind one load balancer.