Kong Service Mesh 101, 3 Jun 2021

Previous Meeting

⏯

youtube image

►

From YouTube: Understanding "Gateway Mode" in Kuma and Kong Service Mesh

Description

Learn how Kuma, an open source service mesh, and Kong Mesh for enterprise allow you to use ANY API gateway as a "doorway" into the service mesh using "Gateway Mode." Try Kuma for free: https://kuma.io/

A

Hi, my name is cody d arkland and I'm with the technical team at kong focused on kuma and kong service mesh. One of the most common questions I get is: how can I use kong's api gateway functionality, all the plugins, the central place, to configure inbound access with service mesh? Do these things work together? Is there a way to bring them in what, if I'm not using kong gateway? But I want to use a different gate with the environment.

A

We provide a functionality in kuma and kong, mesh called gateway mode that allows you to integrate, not just kong's api gateway, but any api gateway with service mesh. We want you to be able to work the way, that's native to you and bring the tools that you use in your environment, into service mesh, let's jump in and take a look at how this works.

A

Here we have a diagram of a typical application landscape on the far left. We have users coming into the gateway and on the far right we have the application.

A

The gateway in this case acts as a central point of access for our environment. This is where we can apply changes to the inbound communication. Things like changes to the headers. We can use plug-ins to impact opa policy, jot authentication traffic, caching rate, limiting any of a number of inbound policies that exist for an environment within the service mesh space on the right. We can see our envoy sidecars attached to all of our applications. These sidecars act as communication proxies that communication proxy allows us to impact the way traffic is handled between those application tiers.

A

Using this, we can apply things like traffic policy, end-to-end encryption with mutual tls or mtls traffic permissions to restrict the way these services communicate with each other. We can get out of the box observability so that we can use grafana, prometheus and jaeger to get great visibility into the application.

A

So it's pretty obvious how these two systems would interact with each other or how we would want them to interact with each other. We want to be able to have that powerful central point of access with all that plug-in functionality, but we want that tied directly into service mesh.

A

As I mentioned previously, we have this integration as part of gateway mode in kuma and kong mesh. Let's take a look at the kuma website and how you can actually consume this functionality from the website. If we head up to our docs section, click on explore and select our data plane and data model, the gateway section gives us great visibility into how to configure this you'll see that we break this up into universal mode and kubernetes mode. Universal mode is what we use for virtual machine environments.

A

So if you want to bring service mesh into vm, you absolutely can universal mode. Is your ticket to doing that in kubernetes? We have this configured via annotations, so we can apply annotations to our services that will configure these items here. You can see that kuma dot, io, slash gateway, annotation, applying that annotation to a gateway pod or the kubernetes ingress controller will allow us to have that act as a gateway to the environment.

A

This functionality shuts off the external envoy listener and tells it that we're going to allow user traffic to come inbound via this service. The back end still communicates over envoy and still reaches out to the other envoy side: cars for communication, we're just allowing user traffic to come in the front door in universal mode. We applied this gateway configuration underneath the networking stanza of the data plane config the difference exists here, because in universal mode we run the data plane as an independent process.

A

So you actually run an executable that starts up that data plane and connects into kuma in kubernetes that sidecar is applied automatically via the sidecar annotation. Let's take a look at the kuma ui and see how this looks inside akuma.

A

Inside akuma, you can see, I have one zone, six services, six data plane proxies. If I go into all data plane proxies, we can see all the data planes that exist in my environment. A data plane is where the application communication happens. App to app communication happens there. Control plane is the configurations that come down from the control plane.

A

If I select the gateway option on the left, we can see that this is flagged as a gateway to the environment.

A

Kuma understands this because of the annotation that we applied, the sanitation can be applied to the pod or the deployment with this applied. Kuma understands this is a gateway service and treats it slightly different.

A

So switching back to our diagram view when we apply these configurations to our environment, kong's gateway gets a sidecar.

A

That side card now communicates with other aspects of the service mesh and now the gateway is a part of the service mesh, in this case we're applying the gateway annotation only to the gateway service or the gateway pod and deployment rather, and on the actual application side we're applying just the sidecar injection enabled for all those services.

A

If you weren't using kong's gateway and you're using another gateway, you could still apply this gateway annotation to the service and you have the same functionality. You wouldn't get all of kong's great plug-in ecosystem or the central point of configuration or integration with connect, but you could still integrate with other gateways. I hope this video helped.

A

You understand a little bit more about how gateway mode allows you to extend kuma and kong mesh in your environment, and I hope you enjoy watching future videos where we start to unpack some of the more advanced functionality of service mesh have a great day.