kong service mesh - setup and deploy to AKS manually for testing purposes


To install kong service mesh via helm run the following command in your cloud shell.


helm repo add kong-mesh https://kong.github.io/kong-mesh-charts

helm repo update

helm install --create-namespace --namespace kong-mesh-system kong-mesh kong-mesh/kong-mesh


Takes abit of time to spin this up. 

kubectl apply -f https://raw.githubusercontent.com/kumahq/kuma-counter-demo/refs/heads/main/k8s/000-with-kuma.yaml

kubectl wait -n kuma-demo --for=condition=ready pod --selector=app=demo-app --timeout=90s


And then you can see some of the pods being spined up.


Also notice we have our namespace labeled (kuma.io/sidecar-injection: enabled).


To turn on, mutual tls, we can use the following yaml.

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  meshServices:
    mode: Exclusive
  mtls:
    backends:
      - name: ca-1
        type: builtin
    enabledBackend: ca-1


And the enable application being able to talk to each other we need 'MeshTrafficPermission' instead of the mesh. MeshTrafficPermission defines which services are allowed to communicate with others. It's part of Kuma's Zero Trust security model — by default, no service can talk to another unless explicitly allowed.

The yaml for MeshTrafficPermission looks like this:- 

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-demo
  name: kv
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: kv
  from:
    - targetRef:
        kind: MeshSubset
        tags:
          app: demo-app
          k8s.kuma.io/namespace: kuma-demo
      default:
        action: Allow




The yaml below describe where the resource are being created. It is placed in the namespace - kuma-demo and called kv. 


kind: MeshTrafficPermission
metadata:
  namespace: kuma-demo
  name: kv



Let's break this yaml down. We need to tell kong/kuma where traffic is allowed which beings with targetRef. We have a pod label with "app: kv" which demo-app talks to. 


spec:
  targetRef:
    kind: Dataplane
    labels:
      app: kv

Then we need to tell it, who can connect. And in this case, app-demo which has the label "app: demo-app" and namespace "kuma-demo". It is abit confusing the targetRef appears again (could be named more meaningful).  The action is "allow" and traffic flows.


from:
    - targetRef:
        kind: MeshSubset
        tags:
          app: demo-app
          k8s.kuma.io/namespace: kuma-demo



FAQ

You might get some error here but don't worry too much about it. 

"ERROR   kube-manager    Reconciler error        {"controller": "kuma-mesh-controller", "controllerGroup": "kuma.io", "controllerKind": "Mesh", "Mesh": {"name":"default"}, "namespace": "", "name": "default", "reconcileID": "5bef11cd-021e-41f6-ab9a-aefc0a2b0f0f", "error": "could not create default mesh resources: could not create default MeshRetry \"mesh-retry-all-default.kong-mesh-system\": could not create a resource: resource already exists: type=\"MeshRetry\" name=\"mesh-retry-all-default.kong-mesh-system\" mesh=\"default\"", "errorVerbose": "resource already exists: type=\"MeshRetry\" name=\"mesh-retry-all-default.kong-mesh-system\" mesh=\"default\"\ncould not create a resource\ngithub.com/kumahq/kuma/pkg/defaults/mesh.ensureDefaultResource\n\tgithub.com/kumahq/kuma@v0.0.0-20250709045707-6c17bc74d42e/pkg/defaults/mesh/mesh.go:115\ngithub.com/kumahq/kuma/pkg/defaults/mesh.EnsureDefaultMeshResources\n\tgithub.com/kumahq/kuma@v0.0.0-20250709045707-6c17bc74d42e/pkg/defaults/mesh/mesh.go:88\ngithub.com/kumahq/kuma/pkg/plugins/runtime/k8s/controllers.(*MeshReconciler).ensureDefaultResources\n\tgithub.com/kumahq/kuma@v0.0.0-20250709045707-6c17bc74d42e/pkg/plugins/runtime/k8s/controllers/mesh_controller.go:62\ngithub.com/kumahq/kuma/pkg/plugins/runtime/k8s/controllers.(*MeshReconciler).Reconcile\n\tgithub.com/kumahq/kuma@v0.0.0-20250709045707-6c17bc74d42e/pkg/plugins/runtime/k8s/controllers/mesh_controller.go:48\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\tsigs.k8s.io/controller-runtime@v0.21.0/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/control"








Comments

Post a Comment

Popular posts from this blog

gemini cli getting file not defined error

Image
 While trying to run gemini cli on my windows linux subsystem, i bump into this error here - "/Roaming/npm/node_modules/@google/gemini-cli/node_modules/undici/lib/web/webidl/index.js:512 webidl.is.File = webidl.util.MakeTypeAssertion(File)"  "ReferenceError: File is not defined" In Node.js, there’s no built-in File (until very recent Node 20+ with experimental WHATWG APIs). So, unless polyfilled, File is undefined, leading to the ReferenceError. And to resolve this, I had to upgrade to node 22 (might work for node 20) and then I was able to run it.
Read more

NodeJS: Error: spawn EINVAL in window for node version 20.20 and 18.20

Encounter this issue when running autorest (that uses nodejs).  I am using node version:  v18.20.2 After i revert to use node v18.12.0, then i was able to get my app to run without this error. Since i am working with Azure devops yaml, i was able to use the following to resolve my issue.  - task : NodeTool@0   inputs :     versionSource : 'spec'     versionSpec : '18.18.0'
Read more

vllm : Failed to infer device type

Trying to run vllm without gpu will typicaly lands you into this issue. To resolve this issue: we can use set these both. Setting one does not work for me. So i had to configure both settings below:- 1.  environment variable CUDA_VISIBLE_DEVICES = "" 2. in the command line, change to use device cpu and remove  tensor-parallel-size. For example, python3 -m vllm.entrypoints.openai.api_server --port 8080 --model deepseek-ai/DeepSeek-R1 --device cpu --trust-remote-code --max-model-len 4096" References https://docs.vllm.ai/en/latest/getting_started/troubleshooting.html#failed-to-infer-device-type
Read more