The following hands-on descriptions guides you on your Cloud-native journey by improving Cloud-native architectures leveraging concepts like API Gateway and Service Mesh for ensuring connectivity, security and observability.
The following scenario description uses k3d as a runtime platfrom, but in general you can use any Kubernetes distro you like.
As example application, the Kuma Demo Application is used.
The demo environment can be easily provisioned by using the bootstrap_demo.sh script.
If you want to use another Kubernetes Distro you can also follow the manual setup steps mentioned in the next section.
- Setup K3d Cluster
k3d cluster create mesh-demo --api-port 127.0.0.1:6445 --servers 1 --agents 2 --port '8088:80@loadbalancer' --k3s-server-arg '--no-deploy=traefik'
- Install marketplace application
kubectl apply -f https://bit.ly/demokuma
- Install Kuma Control Plane
kumactl install control-plane | kubectl apply -f -
Note: Before you can use kumactl CLI, you need to install the current version as described in the corresponding documentation.
After installing the Kuma Control Plane, it can be accessed using a browser, after port-forwarding the kuma-control-plane service:
kubectl port-forward svc/kuma-control-plane -n kuma-system 5681
First of all, we need to add the pods of the marketplace app to the mesh.
- Setup Data plane proxies for the Marketplace application
kubectl apply -f k8s/01-connect-dp.yaml && kubectl delete pod --all -n kuma-demo
To be able to access the Marketplace application from outside Kubernetes, we need to expose the Frontend pod. In Kubernetes, we can use Ingress for doing so. Kong API Gateway can be configured to act as an Ingress Controller, which is done in the next step.
- Add API Gateway to the stack
As a first step, Kong for Kubernetes must be deployed using the following command:
kubectl apply -f https://bit.ly/demokumakong
Afterwards, we can configure the API Gateway, expose respective services and configure policies, e.g. for authenticating users.
As we now have an API Gateway in place, the Marketplace app should be exposed using an Ingress rule, so that port-forwarding is no longer needed.
kubectl apply -f k8s/02-ingress-frontend.yaml -n kuma-demo
In a first step, we'll add Kong Basic Auth Plugin to achieve simple authentication for the Marketplace app without changing the code base.
kubectl apply -f k8s/07-kong-basic-auth-plugin.yaml
kubectl apply -f k8s/08-kong-consumer.yaml
kubectl apply -f k8s/09-ingress-frontend_with_plugin.yaml
The commands above create a Kong Basic Auth Plugin, a Kong Consumer and update the already configured Ingress definition.
In addition, we need to create a respective K8s Secret that can be used for the consumer to authenticate. In case of Kong Basic Auth plugin this is simply a String-based password.
kubectl create secret generic yoda-basicauth \
--from-literal=kongCredType=basic-auth \
--from-literal=username=yoda \
--from-literal=password=s3cret
mTLS is used to secure the communication between the Services within our Mesh. Additionally, after enabling mTLS, it needs to be specified, which Services are allowed talking to each other.
Note: Beforehand, the default Traffic permission that is defined for the Mesh default should be deleted, because it allows all traffic between all Services.
kubectl delete trafficpermission allow-all-default
Enabling mTLS is done by changing the Meshes configuration:
kubectl apply -f k8s/03-mesh-add-mtls.yaml
After executing the command above the marketplace app is no longer working properly. To solve this situation, respective traffic permissions need to be defined.
kubectl apply -f k8s/04-traffic-permissions.yaml
Now the marketplace app is again as before; but now, the services are communicating securely with each other.
Insights into highly distributed applications are necessary to being able to continuously improve and maintain applications. Observability is key; Observability builds upon the three pillars Logging, Metrics and Traces.
By enabling Traffic Traces, traces for all Dataplane Proxies can be collected. As tracing operates on HTTP layer, only traces for HTTP-based proxies are collected. Respective services needs to be annotated accordingly.
Example:
80.service.kuma.io/protocol: http
Before the Mesh configuration can be adjusted, the respective Tracing ifnrastructure needs to be setup. Per default Kuma uses Jaeger for Service Tracing.
kumactl install tracing | kubectl apply -f -
After installing Jaeger, Jaeger UI can be accessed using a browser, after port-forwarding the corresponding service port:
kubectl port-forward svc/jaeger-query -n kuma-tracing 16686:80
To enable Traffic traces in the Mesh, the respective configuration needs to be adjusted.
kubectl apply -f k8s/05-mesh-add-tracing.yaml
In addition, a Traffic trace policy needs to be defined.
kubectl apply -f k8s/06-traffic-trace-all.yaml
This policy traces all traffic within the Mesh.