diff --git a/app/_data/docs_nav_mesh_1.2.x.yml b/app/_data/docs_nav_mesh_1.2.x.yml
deleted file mode 100644
index cdb8e11a31de..000000000000
--- a/app/_data/docs_nav_mesh_1.2.x.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-- title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/ - absolute_url: true - -- title: Release notes - icon: /assets/images/icons/documentation/icn-references-color.svg - url: /mesh/changelog - absolute_url: true - -- title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - -- title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - -- title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support
diff --git a/app/_data/docs_nav_mesh_1.3.x.yml b/app/_data/docs_nav_mesh_1.3.x.yml
deleted file mode 100644
index cdb8e11a31de..000000000000
--- a/app/_data/docs_nav_mesh_1.3.x.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-- title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/ - absolute_url: true - -- title: Release notes - icon: /assets/images/icons/documentation/icn-references-color.svg - url: /mesh/changelog - absolute_url: true - -- title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - -- title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - -- title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support
diff --git a/app/_data/docs_nav_mesh_1.4.x.yml b/app/_data/docs_nav_mesh_1.4.x.yml
deleted file mode 100644
index 57f7ecef64bf..000000000000
--- a/app/_data/docs_nav_mesh_1.4.x.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-- title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/ - absolute_url: true - -- title: Release notes - icon: /assets/images/icons/documentation/icn-references-color.svg - url: /mesh/changelog - absolute_url: true - -- title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - -- title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - -- title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - - text: Certificate Authority rotation - url: /features/ca-rotation
diff --git a/app/_data/docs_nav_mesh_1.5.x.yml b/app/_data/docs_nav_mesh_1.5.x.yml
deleted file mode 100644
index e18fdfd75408..000000000000
--- a/app/_data/docs_nav_mesh_1.5.x.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/ - absolute_url: true - -- title: Release notes - icon: /assets/images/icons/documentation/icn-references-color.svg - url: /mesh/changelog - absolute_url: true - -- title: Version Support Policy - icon: /assets/images/icons/documentation/icn-support.svg - url: /mesh/latest/support-policy - absolute_url: true - -- title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - -- title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - - text: Windows - url: /installation/windows - -- title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - - text: Certificate Authority rotation - url: /features/ca-rotation - - text: Role-Based Access Control - url: /features/rbac
diff --git a/app/_data/docs_nav_mesh_1.6.x.yml b/app/_data/docs_nav_mesh_1.6.x.yml
deleted file mode 100644
index 60718a2b5772..000000000000
--- a/app/_data/docs_nav_mesh_1.6.x.yml
+++ /dev/null
@@ -1,74 +0,0 @@ -- title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/1.6.x/ - absolute_url: true - -- title: Release notes - icon: /assets/images/icons/documentation/icn-references-color.svg - url: /mesh/changelog - absolute_url: true - -- title: Version Support Policy - icon: /assets/images/icons/documentation/icn-support.svg - url: /mesh/latest/support-policy - absolute_url: true - -- title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - -- title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: Amazon ECS - url: /installation/ecs - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - - text: Windows - url: /installation/windows - -- title: Plan and Deploy - icon: /assets/images/icons/documentation/icn-deployment-color.svg - items: - - text: License - url: /plan-and-deploy/license - src: production/cp-deployment/license/ - -- title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - src: production/secure-deployment/fips-support/ - - text: Certificate Authority rotation - url: /features/ca-rotation - - text: Role-Based Access Control - url: /features/rbac - src: production/secure-deployment/rbac/ - - text: UBI Images - url: 
/features/ubi-images
diff --git a/app/_data/docs_nav_mesh_1.7.x.yml b/app/_data/docs_nav_mesh_1.7.x.yml
deleted file mode 100644
index a625c0378672..000000000000
--- a/app/_data/docs_nav_mesh_1.7.x.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-product: mesh -release: 1.7.x -generate: true -items: - - title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/1.7.x/ - absolute_url: true - - - title: Release notes - icon: /assets/images/icons/documentation/icn-references-color.svg - url: /mesh/changelog - generate: false - absolute_url: true - - - title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - - - title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: Amazon ECS - url: /installation/ecs - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - - text: Windows - url: /installation/windows - generate: false - - - title: Plan and Deploy - icon: /assets/images/icons/documentation/icn-deployment-color.svg - items: - - text: License - url: /plan-and-deploy/license - src: production/cp-deployment/license/ - - - title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: Amazon ACM Private CA - url: /features/acmpca - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - - text: Certificate Authority rotation - url: /features/ca-rotation - - text: Role-Based Access Control - url: /features/rbac - - text: UBI Images - url: /features/ubi-images - - text: Windows Support - url: /features/windows
diff --git a/app/_data/docs_nav_mesh_1.8.x.yml b/app/_data/docs_nav_mesh_1.8.x.yml
deleted file mode 100644
index 0da7b390a17e..000000000000
--- a/app/_data/docs_nav_mesh_1.8.x.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-product: mesh -release: 1.8.x -generate: true -items: - - title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/1.8.x/ - absolute_url: true - items: - - text: Version Support Policy - url: /support-policy - - text: Stages of Software Availability - url: /availability-stages - - text: Release notes - url: /mesh/changelog - generate: false - absolute_url: true - - - title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - - - title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: Amazon ECS - url: /installation/ecs - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - - text: Windows - url: /installation/windows - generate: false - - - title: Plan and Deploy - icon: /assets/images/icons/documentation/icn-deployment-color.svg - items: - - text: License - url: /plan-and-deploy/license - src: production/cp-deployment/license/ - - - title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: Amazon ACM Private CA - url: /features/acmpca - - text: cert-manager Private CA - url: /features/cert-manager - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - - text: Certificate Authority rotation - url: /features/ca-rotation - - text: Role-Based Access Control - url: /features/rbac
- - text: UBI Images - url: /features/ubi-images - - text: Windows Support - url: /features/windows
diff --git a/app/_data/docs_nav_mesh_1.9.x.yml b/app/_data/docs_nav_mesh_1.9.x.yml
deleted file mode 100644
index 5c126fdc4728..000000000000
--- a/app/_data/docs_nav_mesh_1.9.x.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-product: mesh -release: 1.9.x -generate: true -items: - - title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - url: /mesh/1.9.x/ - absolute_url: true - items: - - text: Version Support Policy - url: /support-policy - - text: Stages of Software Availability - url: /availability-stages - - text: Release Notes - url: /mesh/changelog - generate: false - absolute_url: true - - - title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - - - title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - url: /install - items: - - text: Kubernetes - url: /installation/kubernetes - - text: Helm - url: /installation/helm - - text: OpenShift - url: /installation/openshift - - text: Docker - url: /installation/docker - - text: Amazon ECS - url: /installation/ecs - - text: CentOS - url: /installation/centos - - text: Red Hat - url: /installation/redhat - - text: Amazon Linux - url: /installation/amazonlinux - - text: Debian - url: /installation/debian - - text: Ubuntu - url: /installation/ubuntu - - text: macOS - url: /installation/macos - - text: Windows - url: /installation/windows - generate: false - - - title: Plan and Deploy - icon: /assets/images/icons/documentation/icn-deployment-color.svg - items: - - text: License - url: /plan-and-deploy/license - src: production/cp-deployment/license/ - - - title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: HashiCorp Vault CA - url: /features/vault - - text: Amazon ACM Private CA - url: /features/acmpca - - text: cert-manager Private CA - url: /features/cert-manager - - text: OPAPolicy Support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - - text: Certificate Authority rotation - url: /features/ca-rotation - - text: Role-Based Access Control - url: /features/rbac
- - text: UBI Images - url: /features/ubi-images - - text: Windows Support - url: /features/windows
diff --git a/app/_data/docs_nav_mesh_2.0.x.yml b/app/_data/docs_nav_mesh_2.0.x.yml
deleted file mode 100644
index 2a1ba518cf72..000000000000
--- a/app/_data/docs_nav_mesh_2.0.x.yml
+++ /dev/null
@@ -1,627 +0,0 @@ -product: mesh -release: 2.0.x -generate: true -items: - - title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - items: - - text: Introduction to Kong Mesh - url: /mesh/2.0.x/ - absolute_url: true - - text: What is Service Mesh? - url: /introduction/what-is-a-service-mesh/ - src: /.repos/kuma/app/docs/2.0.x/introduction/what-is-a-service-mesh/ - - text: What is Kong Mesh? - url: /introduction/what-is-kong-mesh/ - src: /.repos/kuma/app/docs/2.0.x/introduction/what-is-kuma/ - - text: How Kong Mesh works - url: /introduction/how-kong-mesh-works/ - src: /.repos/kuma/app/docs/2.0.x/introduction/how-kuma-works/ - - text: Deployments - url: /introduction/deployments/ - src: /.repos/kuma/app/docs/2.0.x/introduction/deployments/ - - text: Version support policy - url: /support-policy/ - - text: Stability - url: /availability-stages/ - - text: Release notes - url: /mesh/changelog - generate: false - absolute_url: true - - title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - - title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - items: - - text: Installation Options - url: /install/ - - text: Kubernetes - url: /installation/kubernetes/ - - text: Helm - url: /installation/helm/ - - text: OpenShift - url: /installation/openshift/ - - text: Docker - url: /installation/docker/ - - text: Amazon ECS - url: /installation/ecs - - text: Amazon Linux - url: /installation/amazonlinux/ - - text: Red Hat - url: /installation/redhat/ - - text: CentOS - url: /installation/centos/ - - text: Debian - url: /installation/debian/ - - text: Ubuntu - url: /installation/ubuntu/ - - text: macOS - url: /installation/macos/ - - text: Windows - url: /installation/windows - generate: false - - title: Deploy - icon: /assets/images/icons/documentation/icn-manager-color.svg - items: - - text: Explore Kong Mesh with the Kubernetes demo app - url: /quickstart/kubernetes/ - 
src: /.repos/kuma/app/docs/2.0.x/quickstart/kubernetes/ - - text: Explore Kong Mesh with the Universal demo app - url: /quickstart/universal/ - src: /.repos/kuma/app/docs/2.0.x/quickstart/universal/ - - text: Standalone deployment - url: /deployments/stand-alone/ - src: /.repos/kuma/app/docs/2.0.x/deployments/stand-alone/ - - text: Multi-zone deployment - url: /deployments/multi-zone/ - src: /.repos/kuma/app/docs/2.0.x/deployments/multi-zone/ - - text: License - url: /plan-and-deploy/license - src: production/cp-deployment/license/ - - title: Explore - icon: /assets/images/icons/documentation/icn-solution-guide.svg - items: - - text: Overview - url: /explore/overview/ - src: /.repos/kuma/app/docs/2.0.x/explore/overview/ - - text: Data plane proxy - url: /explore/dpp/ - src: /.repos/kuma/app/docs/2.0.x/explore/dpp/ - - text: Data plane on Kubernetes - url: /explore/dpp-on-kubernetes/ - src: /.repos/kuma/app/docs/2.0.x/explore/dpp-on-kubernetes/ - - text: Data plane on Universal - url: /explore/dpp-on-universal/ - src: /.repos/kuma/app/docs/2.0.x/explore/dpp-on-universal/ - - text: Gateway - url: /explore/gateway/ - src: /.repos/kuma/app/docs/2.0.x/explore/gateway/ - - text: Zone Ingress - url: /explore/zone-ingress/ - src: /.repos/kuma/app/docs/2.0.x/explore/zone-ingress/ - - text: Zone Egress - url: /explore/zoneegress/ - src: /.repos/kuma/app/docs/2.0.x/explore/zoneegress/ - - text: CLI - url: /explore/cli/ - src: /.repos/kuma/app/docs/2.0.x/explore/cli/ - - text: GUI - url: /explore/gui/ - src: /.repos/kuma/app/docs/2.0.x/explore/gui/ - - text: Observability - url: /explore/observability/ - src: /.repos/kuma/app/docs/2.0.x/explore/observability/ - - text: Inspect API - url: /explore/inspect-api/ - src: /.repos/kuma/app/docs/2.0.x/explore/inspect-api/ - - text: Kubernetes Gateway API - url: /explore/gateway-api/ - src: /.repos/kuma/app/docs/2.0.x/explore/gateway-api/ - - title: Networking - icon: /assets/images/icons/documentation/icn-brain-color.svg - items: - - 
text: Networking - url: /networking/networking/ - src: /.repos/kuma/app/docs/2.0.x/networking/networking/ - - text: Service Discovery - url: /networking/service-discovery/ - src: /.repos/kuma/app/docs/2.0.x/networking/service-discovery/ - - text: DNS - url: /networking/dns/ - src: /.repos/kuma/app/docs/2.0.x/networking/dns/ - - text: Kong Mesh CNI - url: /networking/cni/ - src: /.repos/kuma/app/docs/2.0.x/networking/cni/ - - text: Transparent Proxying - url: /networking/transparent-proxying/ - src: /.repos/kuma/app/docs/2.0.x/networking/transparent-proxying/ - - text: IPv6 support - url: /networking/ipv6/ - src: /.repos/kuma/app/docs/2.0.x/networking/ipv6/ - - title: Security - icon: /assets/images/icons/konnect/icn-organizations-nav.svg - items: - - text: Secure access across Kong Mesh components - url: /security/certificates/ - src: /.repos/kuma/app/docs/2.0.x/security/certificates/ - - text: Secrets - url: /security/secrets/ - src: /.repos/kuma/app/docs/2.0.x/security/secrets/ - - text: Kong Mesh API Access Control - url: /security/api-access-control/ - src: /.repos/kuma/app/docs/2.0.x/security/api-access-control/ - - text: API server authentication - url: /security/api-server-auth/ - src: /.repos/kuma/app/docs/2.0.x/security/api-server-auth/ - - text: Data plane proxy authentication - url: /security/dp-auth/ - src: /.repos/kuma/app/docs/2.0.x/security/dp-auth/ - - text: Zone proxy authentication - url: /security/zoneproxy-auth/ - src: /.repos/kuma/app/docs/2.0.x/security/zoneproxy-auth/ - - text: Data plane proxy membership - url: /security/dp-membership/ - src: /.repos/kuma/app/docs/2.0.x/security/dp-membership/ - - title: Monitor and Manage - icon: /assets/images/icons/konnect/icn-analytics-nav.svg - items: - - text: Dataplane Health - url: /documentation/health/ - src: /.repos/kuma/app/docs/2.0.x/documentation/health/ - - text: Fine-tuning - url: /documentation/fine-tuning/ - src: /.repos/kuma/app/docs/2.0.x/documentation/fine-tuning/ - - text: Control Plane 
Configuration - url: /documentation/configuration/ - src: /.repos/kuma/app/docs/2.0.x/documentation/configuration/ - - text: Upgrades - url: /documentation/upgrades/ - src: /.repos/kuma/app/docs/2.0.x/documentation/upgrades/ - - text: Requirements - url: /documentation/requirements/ - src: /.repos/kuma/app/docs/2.0.x/documentation/requirements/ - - title: Policies - icon: /assets/images/icons/documentation/icn-documentation-small.svg - items: - - text: Introduction - url: /policies/introduction - src: /.repos/kuma/app/docs/2.0.x/policies/introduction/ - - text: General notes about Kong Mesh policies - url: /policies/general-notes-about-kong-mesh-policies/ - src: /.repos/kuma/app/docs/2.0.x/policies/general-notes-about-kuma-policies/ - - text: Applying Policies - url: /policies/applying-policies/ - src: /.repos/kuma/app/docs/2.0.x/policies/applying-policies/ - - text: How Kong Mesh chooses the right policy to apply - url: /policies/how-kong-mesh-chooses-the-right-policy-to-apply/ - src: /.repos/kuma/app/docs/2.0.x/policies/how-kuma-chooses-the-right-policy-to-apply/ - - text: Understanding TargetRef policies - url: /policies/targetref/ - src: /.repos/kuma/app/docs/2.0.x/policies/targetref/ - - text: Protocol support in Kong Mesh - url: /policies/protocol-support-in-kong-mesh/ - src: /.repos/kuma/app/docs/2.0.x/policies/protocol-support-in-kuma/ - - text: Mesh - url: /policies/mesh/ - src: /.repos/kuma/app/docs/2.0.x/policies/mesh/ - - text: Mutual TLS - url: /policies/mutual-tls/ - src: /.repos/kuma/app/docs/2.0.x/policies/mutual-tls/ - - text: Traffic Permissions - url: /policies/traffic-permissions/ - src: /.repos/kuma/app/docs/2.0.x/policies/traffic-permissions/ - - text: Traffic Route - url: /policies/traffic-route/ - src: /.repos/kuma/app/docs/2.0.x/policies/traffic-route/ - - text: Traffic Metrics - url: /policies/traffic-metrics/ - src: /.repos/kuma/app/docs/2.0.x/policies/traffic-metrics/ - - text: Traffic Trace - url: /policies/traffic-trace/ - src: 
/.repos/kuma/app/docs/2.0.x/policies/traffic-trace/ - - text: Traffic Log - url: /policies/traffic-log/ - src: /.repos/kuma/app/docs/2.0.x/policies/traffic-log/ - - text: Locality-aware Load Balancing - url: /policies/locality-aware/ - src: /.repos/kuma/app/docs/2.0.x/policies/locality-aware/ - - text: Fault Injection - url: /policies/fault-injection/ - src: /.repos/kuma/app/docs/2.0.x/policies/fault-injection/ - - text: Health Check - url: /policies/health-check/ - src: /.repos/kuma/app/docs/2.0.x/policies/health-check/ - - text: Circuit Breaker - url: /policies/circuit-breaker/ - src: /.repos/kuma/app/docs/2.0.x/policies/circuit-breaker/ - - text: Proxy Template - url: /policies/proxy-template/ - src: /.repos/kuma/app/_src/reference/proxy-template/ - - text: External Service - url: /policies/external-services/ - src: /.repos/kuma/app/docs/2.0.x/policies/external-services/ - - text: Retry - url: /policies/retry/ - src: /.repos/kuma/app/docs/2.0.x/policies/retry/ - - text: Timeout - url: /policies/timeout/ - src: /.repos/kuma/app/docs/2.0.x/policies/timeout/ - - text: Rate Limit - url: /policies/rate-limit/ - src: /.repos/kuma/app/docs/2.0.x/policies/rate-limit/ - - text: Virtual Outbound - url: /policies/virtual-outbound/ - src: /.repos/kuma/app/docs/2.0.x/policies/virtual-outbound/ - - text: MeshGateway - url: /policies/mesh-gateway/ - src: /.repos/kuma/app/docs/2.0.x/policies/mesh-gateway/ - - text: MeshGatewayRoute - url: /policies/mesh-gateway-route/ - src: /.repos/kuma/app/docs/2.0.x/policies/mesh-gateway-route/ - - text: Service Health Probes - url: /policies/service-health-probes/ - src: /.repos/kuma/app/docs/2.0.x/policies/service-health-probes/ - - text: MeshTrace (Beta) - url: /policies/meshtrace/ - src: /.repos/kuma/app/docs/2.0.x/policies/meshtrace/ - - text: MeshAccessLog (Beta) - url: /policies/meshaccesslog/ - src: /.repos/kuma/app/docs/2.0.x/policies/meshaccesslog/ - - text: MeshTrafficPermission (Beta) - url: /policies/meshtrafficpermission/ - 
src: /.repos/kuma/app/docs/2.0.x/policies/meshtrafficpermission/ - - title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: Overview - url: /features/ - - text: HashiCorp Vault CA - url: /features/vault - - text: Amazon ACM Private CA - url: /features/acmpca - - text: cert-manager Private CA - url: /features/cert-manager - - text: OPA policy support - url: /features/opa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - - text: Certificate Authority rotation - url: /features/ca-rotation - - text: Role-Based Access Control - url: /features/rbac - - text: UBI Images - url: /features/ubi-images - - text: Windows Support - url: /features/windows - - text: Auditing - url: /features/access-audit - - title: Reference docs - icon: /assets/images/icons/documentation/icn-references-color.svg - items: - - text: HTTP API - url: /reference/http-api/ - src: /.repos/kuma/app/docs/2.0.x/reference/http-api/ - - text: Annotations and labels in Kubernetes mode - url: /reference/kubernetes-annotations/ - src: /.repos/kuma/app/docs/2.0.x/reference/kubernetes-annotations/ - - text: Kong Mesh data collection - url: /reference/data-collection/ - src: /.repos/kuma/app/docs/2.0.x/reference/data-collection/ - - text: Resources - items: - - text: Mesh - url: /generated/resources/other_mesh/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/other_mesh/ - - text: CircuitBreaker - url: /generated/resources/policy_circuit-breaker/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_circuit-breaker/ - - text: ExternalService - url: /generated/resources/policy_external-service/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_external-service/ - - text: FaultInjection - url: /generated/resources/policy_fault-injection/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_fault-injection/ - - text: HealthCheck - url: 
/generated/resources/policy_health-check/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_health-check/ - - text: MeshGateway - url: /generated/resources/policy_meshgateway/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_meshgateway/ - - text: MeshGatewayRoute - url: /generated/resources/policy_meshgatewayroute/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_meshgatewayroute/ - - text: ProxyTemplate - url: /generated/resources/policy_proxy-template/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_proxy-template/ - - text: RateLimit - url: /generated/resources/policy_rate-limit/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_rate-limit/ - - text: Retry - url: /generated/resources/policy_retry/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_retry/ - - text: Timeout - url: /generated/resources/policy_timeout/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_timeout/ - - text: TrafficLog - url: /generated/resources/policy_traffic-log/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_traffic-log/ - - text: TrafficPermission - url: /generated/resources/policy_traffic-permissions/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_traffic-permissions/ - - text: TrafficRoute - url: /generated/resources/policy_traffic-route/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_traffic-route/ - - text: TrafficTrace - url: /generated/resources/policy_traffic-trace/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_traffic-trace/ - - text: VirtualOutbound - url: /generated/resources/policy_virtual-outbound/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/policy_virtual-outbound/ - - text: Dataplane - url: /generated/resources/proxy_dataplane/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/proxy_dataplane/ - - text: ZoneEgress - url: /generated/resources/proxy_zoneegress/ - src: 
/.repos/kuma/app/docs/2.0.x/generated/resources/proxy_zoneegress/ - - text: ZoneIngress - url: /generated/resources/proxy_zoneingress/ - src: /.repos/kuma/app/docs/2.0.x/generated/resources/proxy_zoneingress/ - - text: Commands - items: - - text: kuma-cp - url: /generated/cmd/kuma-cp/kuma-cp/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-cp/kuma-cp/ - - text: kuma-dp - url: /generated/cmd/kuma-dp/kuma-dp/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-dp/kuma-dp/ - - text: kumactl - url: /generated/cmd/kumactl/kumactl/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl/ - - text: Kuma-cp configuration reference - url: /generated/kuma-cp - src: /.repos/kuma/app/docs/2.0.x/generated/kuma-cp -unlisted: - - url: /policies/matching - src: /.repos/kuma/app/docs/2.0.x/policies/matching/ - # Kuma CP - - url: /generated/cmd/kuma-cp/kuma-cp_migrate/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-cp/kuma-cp_migrate/ - - url: /generated/cmd/kuma-cp/kuma-cp_migrate_up/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-cp/kuma-cp_migrate_up/ - - url: /generated/cmd/kuma-cp/kuma-cp_run/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-cp/kuma-cp_run/ - - url: /generated/cmd/kuma-cp/kuma-cp_version/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-cp/kuma-cp_version/ - - url: /generated/cmd/kuma-dp/kuma-dp_run/ - # Kuma DP - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-dp/kuma-dp_run/ - - url: /generated/cmd/kuma-dp/kuma-dp_version/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kuma-dp/kuma-dp_version/ - # kumactl - - url: /generated/cmd/kumactl/kumactl_apply/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_apply/ - - url: /generated/cmd/kumactl/kumactl_completion/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_completion/ - - url: /generated/cmd/kumactl/kumactl_completion_bash/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_completion_bash/ - - url: 
/generated/cmd/kumactl/kumactl_completion_fish/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_completion_fish/ - - url: /generated/cmd/kumactl/kumactl_completion_zsh/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_completion_zsh/ - - url: /generated/cmd/kumactl/kumactl_config/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_config/ - - url: /generated/cmd/kumactl/kumactl_config_control-planes/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_config_control-planes/ - - url: /generated/cmd/kumactl/kumactl_config_control-planes_add/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_config_control-planes_add/ - - url: /generated/cmd/kumactl/kumactl_config_control-planes_list/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_config_control-planes_list/ - - url: /generated/cmd/kumactl/kumactl_config_control-planes_remove/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_config_control-planes_remove/ - - url: /generated/cmd/kumactl/kumactl_config_control-planes_switch/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_config_control-planes_switch/ - - url: /generated/cmd/kumactl/kumactl_config_view/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_config_view/ - - url: /generated/cmd/kumactl/kumactl_delete/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_delete/ - - url: /generated/cmd/kumactl/kumactl_generate/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_generate/ - - url: /generated/cmd/kumactl/kumactl_generate_dataplane-token/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_generate_dataplane-token/ - - url: /generated/cmd/kumactl/kumactl_generate_signing-key/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_generate_signing-key/ - - url: /generated/cmd/kumactl/kumactl_generate_tls-certificate/ - src: 
/.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_generate_tls-certificate/ - - url: /generated/cmd/kumactl/kumactl_generate_user-token/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_generate_user-token/ - - url: /generated/cmd/kumactl/kumactl_generate_zone-ingress-token/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_generate_zone-ingress-token/ - - url: /generated/cmd/kumactl/kumactl_generate_zone-token/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_generate_zone-token/ - - url: /generated/cmd/kumactl/kumactl_get/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get/ - - url: /generated/cmd/kumactl/kumactl_get_circuit-breaker/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_circuit-breaker/ - - url: /generated/cmd/kumactl/kumactl_get_circuit-breakers/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_circuit-breakers/ - - url: /generated/cmd/kumactl/kumactl_get_dataplane/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_dataplane/ - - url: /generated/cmd/kumactl/kumactl_get_dataplanes/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_dataplanes/ - - url: /generated/cmd/kumactl/kumactl_get_external-service/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_external-service/ - - url: /generated/cmd/kumactl/kumactl_get_external-services/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_external-services/ - - url: /generated/cmd/kumactl/kumactl_get_fault-injection/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_fault-injection/ - - url: /generated/cmd/kumactl/kumactl_get_fault-injections/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_fault-injections/ - - url: /generated/cmd/kumactl/kumactl_get_global-secret/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_global-secret/ - - url: 
/generated/cmd/kumactl/kumactl_get_global-secrets/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_global-secrets/ - - url: /generated/cmd/kumactl/kumactl_get_healthcheck/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_healthcheck/ - - url: /generated/cmd/kumactl/kumactl_get_healthchecks/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_healthchecks/ - - url: /generated/cmd/kumactl/kumactl_get_mesh/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_mesh/ - - url: /generated/cmd/kumactl/kumactl_get_meshaccesslog/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshaccesslog/ - - url: /generated/cmd/kumactl/kumactl_get_meshaccesslogs/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshaccesslogs/ - - url: /generated/cmd/kumactl/kumactl_get_meshes/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshes/ - - url: /generated/cmd/kumactl/kumactl_get_meshgateway/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshgateway/ - - url: /generated/cmd/kumactl/kumactl_get_meshgatewayroute/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshgatewayroute/ - - url: /generated/cmd/kumactl/kumactl_get_meshgatewayroutes/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshgatewayroutes/ - - url: /generated/cmd/kumactl/kumactl_get_meshgateways/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshgateways/ - - url: /generated/cmd/kumactl/kumactl_get_meshtrace/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshtrace/ - - url: /generated/cmd/kumactl/kumactl_get_meshtraces/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshtraces/ - - url: /generated/cmd/kumactl/kumactl_get_meshtrafficpermission/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshtrafficpermission/ - - url: 
/generated/cmd/kumactl/kumactl_get_meshtrafficpermissions/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_meshtrafficpermissions/ - - url: /generated/cmd/kumactl/kumactl_get_proxytemplate/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_proxytemplate/ - - url: /generated/cmd/kumactl/kumactl_get_proxytemplates/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_proxytemplates/ - - url: /generated/cmd/kumactl/kumactl_get_rate-limit/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_rate-limit/ - - url: /generated/cmd/kumactl/kumactl_get_rate-limits/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_rate-limits/ - - url: /generated/cmd/kumactl/kumactl_get_retries/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_retries/ - - url: /generated/cmd/kumactl/kumactl_get_retry/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_retry/ - - url: /generated/cmd/kumactl/kumactl_get_secret/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_secret/ - - url: /generated/cmd/kumactl/kumactl_get_secrets/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_secrets/ - - url: /generated/cmd/kumactl/kumactl_get_timeout/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_timeout/ - - url: /generated/cmd/kumactl/kumactl_get_timeouts/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_timeouts/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-log/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-log/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-logs/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-logs/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-permission/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-permission/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-permissions/ - 
src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-permissions/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-route/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-route/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-routes/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-routes/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-trace/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-trace/ - - url: /generated/cmd/kumactl/kumactl_get_traffic-traces/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_traffic-traces/ - - url: /generated/cmd/kumactl/kumactl_get_virtual-outbound/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_virtual-outbound/ - - url: /generated/cmd/kumactl/kumactl_get_virtual-outbounds/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_virtual-outbounds/ - - url: /generated/cmd/kumactl/kumactl_get_zone/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_zone/ - - url: /generated/cmd/kumactl/kumactl_get_zone-ingress/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_zone-ingress/ - - url: /generated/cmd/kumactl/kumactl_get_zone-ingresses/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_zone-ingresses/ - - url: /generated/cmd/kumactl/kumactl_get_zoneegress/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_zoneegress/ - - url: /generated/cmd/kumactl/kumactl_get_zoneegresses/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_zoneegresses/ - - url: /generated/cmd/kumactl/kumactl_get_zones/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_get_zones/ - - url: /generated/cmd/kumactl/kumactl_inspect/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect/ - - url: /generated/cmd/kumactl/kumactl_inspect_circuit-breaker/ - src: 
/.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_circuit-breaker/ - - url: /generated/cmd/kumactl/kumactl_inspect_dataplane/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_dataplane/ - - url: /generated/cmd/kumactl/kumactl_inspect_dataplanes/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_dataplanes/ - - url: /generated/cmd/kumactl/kumactl_inspect_fault-injection/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_fault-injection/ - - url: /generated/cmd/kumactl/kumactl_inspect_healthcheck/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_healthcheck/ - - url: /generated/cmd/kumactl/kumactl_inspect_meshaccesslog/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_meshaccesslog/ - - url: /generated/cmd/kumactl/kumactl_inspect_meshes/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_meshes/ - - url: /generated/cmd/kumactl/kumactl_inspect_meshgateway/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_meshgateway/ - - url: /generated/cmd/kumactl/kumactl_inspect_meshtrace/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_meshtrace/ - - url: /generated/cmd/kumactl/kumactl_inspect_meshtrafficpermission/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_meshtrafficpermission/ - - url: /generated/cmd/kumactl/kumactl_inspect_proxytemplate/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_proxytemplate/ - - url: /generated/cmd/kumactl/kumactl_inspect_rate-limit/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_rate-limit/ - - url: /generated/cmd/kumactl/kumactl_inspect_retry/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_retry/ - - url: /generated/cmd/kumactl/kumactl_inspect_services/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_services/ - - url: 
/generated/cmd/kumactl/kumactl_inspect_timeout/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_timeout/ - - url: /generated/cmd/kumactl/kumactl_inspect_traffic-log/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_traffic-log/ - - url: /generated/cmd/kumactl/kumactl_inspect_traffic-permission/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_traffic-permission/ - - url: /generated/cmd/kumactl/kumactl_inspect_traffic-route/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_traffic-route/ - - url: /generated/cmd/kumactl/kumactl_inspect_traffic-trace/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_traffic-trace/ - - url: /generated/cmd/kumactl/kumactl_inspect_zone-ingresses/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_zone-ingresses/ - - url: /generated/cmd/kumactl/kumactl_inspect_zoneegress/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_zoneegress/ - - url: /generated/cmd/kumactl/kumactl_inspect_zoneegresses/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_zoneegresses/ - - url: /generated/cmd/kumactl/kumactl_inspect_zoneingress/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_zoneingress/ - - url: /generated/cmd/kumactl/kumactl_inspect_zones/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_inspect_zones/ - - url: /generated/cmd/kumactl/kumactl_install/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install/ - - url: /generated/cmd/kumactl/kumactl_install_control-plane/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_control-plane/ - - url: /generated/cmd/kumactl/kumactl_install_crds/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_crds/ - - url: /generated/cmd/kumactl/kumactl_install_demo/ - src: 
/.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_demo/ - - url: /generated/cmd/kumactl/kumactl_install_gateway/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_gateway/ - - url: /generated/cmd/kumactl/kumactl_install_gateway_kong-enterprise/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_gateway_kong-enterprise/ - - url: /generated/cmd/kumactl/kumactl_install_gateway_kong/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_gateway_kong/ - - url: /generated/cmd/kumactl/kumactl_install_logging/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_logging/ - - url: /generated/cmd/kumactl/kumactl_install_metrics/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_metrics/ - - url: /generated/cmd/kumactl/kumactl_install_observability/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_observability/ - - url: /generated/cmd/kumactl/kumactl_install_tracing/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_tracing/ - - url: /generated/cmd/kumactl/kumactl_install_transparent-proxy/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_install_transparent-proxy/ - - url: /generated/cmd/kumactl/kumactl_uninstall/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_uninstall/ - - url: /generated/cmd/kumactl/kumactl_uninstall_ebpf/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_uninstall_ebpf/ - - url: /generated/cmd/kumactl/kumactl_uninstall_transparent-proxy/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_uninstall_transparent-proxy/ - - url: /generated/cmd/kumactl/kumactl_version/ - src: /.repos/kuma/app/docs/2.0.x/generated/cmd/kumactl/kumactl_version/ diff --git a/app/_data/docs_nav_mesh_2.1.x.yml b/app/_data/docs_nav_mesh_2.1.x.yml deleted file mode 100644 index 7a9fb9e21cc6..000000000000 
--- a/app/_data/docs_nav_mesh_2.1.x.yml
+++ /dev/null
@@ -1,418 +0,0 @@ -product: mesh -release: 2.1.x -generate: true -assume_generated: true -items: - - title: Introduction - icon: /assets/images/icons/documentation/icn-flag.svg - items: - - text: Introduction to Kong Mesh - url: /mesh/2.1.x/ - absolute_url: true - - text: What is Service Mesh? - url: /introduction/what-is-a-service-mesh/ - src: /.repos/kuma/app/_src/introduction/about-service-meshes/ - - text: How Kong Mesh works - url: /introduction/how-kong-mesh-works/ - src: /.repos/kuma/app/_src/introduction/overview-of-kuma/ - - text: Deployments - url: /introduction/deployments/ - src: /.repos/kuma/app/_src/production/deployment/ - - text: Version support policy - url: /support-policy/ - - text: Stability - url: /availability-stages/ - - text: Release notes - url: /mesh/changelog - src: /mesh/changelog - generate: false - absolute_url: true - - title: Getting Started - icon: /assets/images/icons/documentation/icn-quickstart-color.svg - url: /gettingstarted - - title: Install - icon: /assets/images/icons/documentation/icn-deployment-color.svg - items: - - text: Installation Options - url: /install/ - - text: Kubernetes - url: /installation/kubernetes/ - - text: Helm - url: /installation/helm/ - - text: OpenShift - url: /installation/openshift/ - - text: Docker - url: /installation/docker/ - - text: Amazon ECS - url: /installation/ecs - - text: Amazon Linux - url: /installation/amazonlinux/ - - text: Red Hat - url: /installation/redhat/ - - text: CentOS - url: /installation/centos/ - - text: Debian - url: /installation/debian/ - - text: Ubuntu - url: /installation/ubuntu/ - - text: macOS - url: /installation/macos/ - - text: Windows - url: /installation/windows - - title: Deploy - icon: /assets/images/icons/documentation/icn-manager-color.svg - items: - - text: Explore Kong Mesh with the Kubernetes demo app - url: /quickstart/kubernetes/ - src: /.repos/kuma/app/_src/quickstart/kubernetes/ - - text: Explore Kong Mesh with the Universal demo app - url: 
/quickstart/universal/ - src: /.repos/kuma/app/_src/quickstart/universal/ - - text: Standalone deployment - url: /deployments/stand-alone/ - src: /.repos/kuma/app/_src/production/deployment/stand-alone/ - - text: Deploy a standalone control plane - url: /production/cp-deployment/stand-alone/ - src: /.repos/kuma/app/_src/production/cp-deployment/stand-alone/ - - text: Multi-zone deployment - url: /deployments/multi-zone/ - src: /.repos/kuma/app/_src/production/deployment/multi-zone/ - - text: Deploy a multi-zone global control plane - url: /production/cp-deployment/multi-zone/ - src: /.repos/kuma/app/_src/production/cp-deployment/multi-zone/ - - text: License - url: /plan-and-deploy/license - src: production/cp-deployment/license/ - - title: Explore - icon: /assets/images/icons/documentation/icn-solution-guide.svg - items: - - text: Overview - url: /explore/overview/ - src: /.repos/kuma/app/_src/introduction/architecture/ - - text: Data plane proxy - url: /explore/dpp/ - src: /.repos/kuma/app/_src/production/dp-config/dpp/ - - text: Data plane on Kubernetes - url: /explore/dpp-on-kubernetes/ - src: /.repos/kuma/app/_src/production/dp-config/dpp-on-kubernetes/ - - text: Data plane on Universal - url: /explore/dpp-on-universal/ - src: /.repos/kuma/app/_src/production/dp-config/dpp-on-universal/ - - text: Gateway - url: /explore/gateway/ - src: /.repos/kuma/app/_src/explore/gateway/ - - text: Zone Ingress - url: /explore/zone-ingress/ - src: /.repos/kuma/app/_src/production/cp-deployment/zone-ingress/ - - text: Zone Egress - url: /explore/zoneegress/ - src: /.repos/kuma/app/_src/production/cp-deployment/zoneegress/ - - text: CLI - url: /explore/cli/ - src: /.repos/kuma/app/_src/explore/cli/ - - text: GUI - url: /explore/gui/ - src: /.repos/kuma/app/_src/production/gui/ - - text: Observability - url: /explore/observability/ - src: /.repos/kuma/app/_src/explore/observability/ - - text: Inspect API - url: /explore/inspect-api/ - src: 
/.repos/kuma/app/_src/explore/inspect-api/ - - text: Kubernetes Gateway API - url: /explore/gateway-api/ - src: /.repos/kuma/app/_src/explore/gateway-api/ - - title: Networking - icon: /assets/images/icons/documentation/icn-brain-color.svg - items: - - text: Networking - url: /networking/networking/ - src: /.repos/kuma/app/_src/production/deployment/networking/ - - text: Service Discovery - url: /networking/service-discovery/ - src: /.repos/kuma/app/_src/networking/service-discovery/ - - text: DNS - url: /networking/dns/ - src: /.repos/kuma/app/_src/networking/dns/ - - text: Kong Mesh CNI - url: /networking/cni/ - src: /.repos/kuma/app/_src/production/dp-config/cni/ - - text: Transparent Proxying - url: /networking/transparent-proxying/ - src: /.repos/kuma/app/_src/production/dp-config/transparent-proxying/ - - text: IPv6 support - url: /networking/ipv6/ - src: /.repos/kuma/app/_src/production/dp-config/ipv6/ - - text: Non-mesh traffic - url: /networking/non-mesh-traffic/ - src: /.repos/kuma/app/_src/networking/non-mesh-traffic/ - - title: Security - icon: /assets/images/icons/konnect/icn-organizations-nav.svg - items: - - text: Secure access across Kong Mesh components - url: /security/certificates/ - src: /.repos/kuma/app/_src/production/secure-deployment/certificates/ - - text: Secrets - url: /security/secrets/ - src: /.repos/kuma/app/_src/production/secure-deployment/secrets/ - - text: Kong Mesh API Access Control - url: /security/api-access-control/ - src: /.repos/kuma/app/_src/production/secure-deployment/api-access-control/ - - text: API server authentication - url: /security/api-server-auth/ - src: /.repos/kuma/app/_src/production/secure-deployment/api-server-auth/ - - text: Data plane proxy authentication - url: /security/dp-auth/ - src: /.repos/kuma/app/_src/production/secure-deployment/dp-auth/ - - text: Zone proxy authentication - url: /security/zoneproxy-auth/ - src: /.repos/kuma/app/_src/production/cp-deployment/zoneproxy-auth/ - - text: Data plane 
proxy membership - url: /security/dp-membership/ - src: /.repos/kuma/app/_src/production/secure-deployment/dp-membership/ - - title: Monitor and Manage - icon: /assets/images/icons/konnect/icn-analytics-nav.svg - items: - - text: Dataplane Health - url: /documentation/health/ - src: /.repos/kuma/app/_src/documentation/health/ - - text: Fine-tuning - url: /documentation/fine-tuning/ - src: /.repos/kuma/app/_src/production/upgrades-tuning/fine-tuning/ - - text: Control Plane Configuration - url: /documentation/configuration/ - src: /.repos/kuma/app/_src/documentation/configuration/ - - text: Upgrades - url: /documentation/upgrades/ - src: /.repos/kuma/app/_src/production/upgrades-tuning/upgrades/ - - text: Requirements - url: /documentation/requirements/ - src: /.repos/kuma/app/_src/introduction/kuma-requirements/ - - title: Policies - icon: /assets/images/icons/documentation/icn-documentation-small.svg - items: - - text: Introduction - url: /policies/introduction - src: /.repos/kuma/app/_src/policies/introduction/ - - text: General notes about Kong Mesh policies - url: /policies/general-notes-about-kong-mesh-policies/ - src: /.repos/kuma/app/_src/policies/general-notes-about-kuma-policies/ - - text: Applying Policies - url: /policies/applying-policies/ - src: /.repos/kuma/app/_src/policies/applying-policies/ - - text: How Kong Mesh chooses the right policy to apply - url: /policies/how-kong-mesh-chooses-the-right-policy-to-apply/ - src: /.repos/kuma/app/_src/policies/how-kuma-chooses-the-right-policy-to-apply/ - - text: Understanding TargetRef policies - url: /policies/targetref - src: /.repos/kuma/app/_src/policies/targetref/ - - text: Protocol support in Kong Mesh - url: /policies/protocol-support-in-kong-mesh/ - src: /.repos/kuma/app/_src/policies/protocol-support-in-kuma/ - - text: Mesh - url: /policies/mesh/ - src: /.repos/kuma/app/_src/production/mesh/ - - text: Mutual TLS - url: /policies/mutual-tls/ - src: /.repos/kuma/app/_src/policies/mutual-tls/ - - text: 
Traffic Permissions - url: /policies/traffic-permissions/ - src: /.repos/kuma/app/_src/policies/traffic-permissions/ - - text: Traffic Route - url: /policies/traffic-route/ - src: /.repos/kuma/app/_src/policies/traffic-route/ - - text: Traffic Metrics - url: /policies/traffic-metrics/ - src: /.repos/kuma/app/_src/policies/traffic-metrics/ - - text: Traffic Trace - url: /policies/traffic-trace/ - src: /.repos/kuma/app/_src/policies/traffic-trace/ - - text: Traffic Log - url: /policies/traffic-log/ - src: /.repos/kuma/app/_src/policies/traffic-log/ - - text: Locality-aware Load Balancing - url: /policies/locality-aware/ - src: /.repos/kuma/app/_src/policies/locality-aware/ - - text: Fault Injection - url: /policies/fault-injection/ - src: /.repos/kuma/app/_src/policies/fault-injection/ - - text: Health Check - url: /policies/health-check/ - src: /.repos/kuma/app/_src/policies/health-check/ - - text: Circuit Breaker - url: /policies/circuit-breaker/ - src: /.repos/kuma/app/_src/policies/circuit-breaker/ - - text: Proxy Template - url: /policies/proxy-template/ - src: /.repos/kuma/app/_src/reference/proxy-template/ - - text: External Service - url: /policies/external-services/ - src: /.repos/kuma/app/_src/policies/external-services/ - - text: Retry - url: /policies/retry/ - src: /.repos/kuma/app/_src/policies/retry/ - - text: Timeout - url: /policies/timeout/ - src: /.repos/kuma/app/_src/policies/timeout/ - - text: Rate Limit - url: /policies/rate-limit/ - src: /.repos/kuma/app/_src/policies/rate-limit/ - - text: Virtual Outbound - url: /policies/virtual-outbound/ - src: /.repos/kuma/app/_src/policies/virtual-outbound/ - - text: MeshGateway - url: /policies/meshgateway/ - src: /.repos/kuma/app/_src/policies/meshgateway/ - - text: MeshGatewayRoute - url: /policies/meshgatewayroute/ - src: /.repos/kuma/app/_src/policies/meshgatewayroute/ - - text: MeshGatewayInstance - url: /policies/meshgatewayinstance/ - src: /.repos/kuma/app/_src/policies/meshgatewayinstance/ - - 
text: Service Health Probes - url: /policies/service-health-probes/ - src: /.repos/kuma/app/_src/policies/service-health-probes/ - - text: MeshAccessLog (Beta) - url: /policies/meshaccesslog/ - src: /.repos/kuma/app/_src/policies/meshaccesslog/ - - text: MeshCircuitBreaker (Beta) - url: /policies/meshcircuitbreaker/ - src: /.repos/kuma/app/_src/policies/meshcircuitbreaker/ - - text: MeshFaultInjection (Beta) - url: /policies/meshfaultinjection/ - src: /.repos/kuma/app/_src/policies/meshfaultinjection/ - - text: MeshHealthCheck (Beta) - url: /policies/meshhealthcheck/ - src: /.repos/kuma/app/_src/policies/meshhealthcheck/ - - text: MeshHTTPRoute (Beta) - url: /policies/meshhttproute/ - src: /.repos/kuma/app/_src/policies/meshhttproute/ - - text: MeshProxyPatch (Beta) - url: /policies/meshproxypatch/ - src: /.repos/kuma/app/_src/policies/meshproxypatch/ - - text: MeshRateLimit (Beta) - url: /policies/meshratelimit/ - src: /.repos/kuma/app/_src/policies/meshratelimit/ - - text: MeshRetry (Beta) - url: /policies/meshretry/ - src: /.repos/kuma/app/_src/policies/meshretry/ - - text: MeshTimeout (Beta) - url: /policies/meshtimeout/ - src: /.repos/kuma/app/_src/policies/meshtimeout/ - - text: MeshTrace (Beta) - url: /policies/meshtrace/ - src: /.repos/kuma/app/_src/policies/meshtrace/ - - text: MeshTrafficPermission (Beta) - url: /policies/meshtrafficpermission/ - src: /.repos/kuma/app/_src/policies/meshtrafficpermission/ - - title: Enterprise Features - icon: /assets/images/icons/documentation/icn-enterprise-blue.svg - items: - - text: Overview - url: /features/ - - text: HashiCorp Vault CA - url: /features/vault - - text: Amazon ACM Private CA - url: /features/acmpca - - text: cert-manager Private CA - url: /features/cert-manager - - text: OPA policy support - url: /features/opa - - text: MeshOPA (beta) - url: /features/meshopa - - text: Multi-zone authentication - url: /features/kds-auth - - text: FIPS support - url: /features/fips-support - - text: Certificate 
Authority rotation - url: /features/ca-rotation - - text: Role-Based Access Control - url: /features/rbac - - text: UBI Images - url: /features/ubi-images - - text: Windows Support - url: /features/windows - - text: Auditing - url: /features/access-audit - - title: Reference docs - icon: /assets/images/icons/documentation/icn-references-color.svg - items: - - text: HTTP API - url: /reference/http-api/ - src: /.repos/kuma/app/_src/reference/http-api/ - - text: Annotations and labels in Kubernetes mode - url: /reference/kubernetes-annotations/ - src: /.repos/kuma/app/_src/reference/kubernetes-annotations/ - - text: Kong Mesh data collection - url: /reference/data-collection/ - src: /.repos/kuma/app/_src/reference/data-collection/ - - text: Resources - items: - - text: Mesh - url: /generated/resources/other_mesh/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/other_mesh/ - - text: CircuitBreaker - url: /generated/resources/policy_circuit-breaker/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_circuit-breaker/ - - text: ExternalService - url: /generated/resources/policy_external-service/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_external-service/ - - text: FaultInjection - url: /generated/resources/policy_fault-injection/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_fault-injection/ - - text: HealthCheck - url: /generated/resources/policy_health-check/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_health-check/ - - text: MeshGateway - url: /generated/resources/policy_meshgateway/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_meshgateway/ - - text: MeshGatewayRoute - url: /generated/resources/policy_meshgatewayroute/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_meshgatewayroute/ - - text: ProxyTemplate - url: /generated/resources/policy_proxy-template/ - src: 
/.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_proxy-template/ - - text: RateLimit - url: /generated/resources/policy_rate-limit/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_rate-limit/ - - text: Retry - url: /generated/resources/policy_retry/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_retry/ - - text: Timeout - url: /generated/resources/policy_timeout/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_timeout/ - - text: TrafficLog - url: /generated/resources/policy_traffic-log/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_traffic-log/ - - text: TrafficPermission - url: /generated/resources/policy_traffic-permissions/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_traffic-permissions/ - - text: TrafficRoute - url: /generated/resources/policy_traffic-route/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_traffic-route/ - - text: TrafficTrace - url: /generated/resources/policy_traffic-trace/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_traffic-trace/ - - text: VirtualOutbound - url: /generated/resources/policy_virtual-outbound/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/policy_virtual-outbound/ - - text: Dataplane - url: /generated/resources/proxy_dataplane/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/proxy_dataplane/ - - text: ZoneEgress - url: /generated/resources/proxy_zoneegress/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/proxy_zoneegress/ - - text: ZoneIngress - url: /generated/resources/proxy_zoneingress/ - src: /.repos/kuma/app/assets/2.1.x/raw/generated/resources/proxy_zoneingress/ - - text: Kuma-cp configuration reference - url: /reference/kuma-cp - src: /.repos/kuma/app/assets/2.1.x/raw/generated/kuma-cp - - title: Community - items: - - text: Open source License - url: /community/license/ - src: /.repos/kuma/app/_src/community/license/ - - 
text: Contribute to Mesh
- url: /community/contribute-to-mesh/
- src: /.repos/kuma/app/_src/community/contribute-to-kuma/
diff --git a/app/_src/mesh/install.md b/app/_src/mesh/install.md
deleted file mode 100644
index 1cbab5ead4d3..000000000000
--- a/app/_src/mesh/install.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Install Kong Mesh
-disable_image_expand: true
-# This page is to be removed as soon as we remove docs lower than 2.2.x
----
-
-## Install {{site.mesh_product_name}}
-
-{{site.mesh_product_name}} is built on top of Kuma and Envoy. To create a
-seamless experience, {{site.mesh_product_name}} follows the same installation
-and configuration procedures as Kuma, but with {{site.mesh_product_name}}-specific binaries.
-
-The official distributions of {{site.mesh_product_name}} provide a drop-in replacement to Kuma's native binaries, plus
-links to cloud marketplace integrations.
-
-**The latest {{site.mesh_product_name}} version is
-{{page.kong_latest.version}}.**
-
-
-## Licensing
-
-Your {{site.mesh_product_name}} license includes an expiration date and the number of data plane proxies you can deploy. If you deploy more proxies than your license allows, you receive a warning.
-
-You have a 30-day grace period after the license expires. Make sure to renew your license before the grace period ends.
-
-## Check version
-
-To confirm that you have installed the right version of
-{{site.mesh_product_name}}, run the following commands and
-make sure the version output starts with the `{{site.mesh_product_name}}`
-prefix:
-
-```sh
-$ kumactl version
-{{site.mesh_product_name}} [VERSION NUMBER]
-
-$ kuma-cp version
-{{site.mesh_product_name}} [VERSION NUMBER]
-
-$ kuma-dp version
-{{site.mesh_product_name}} [VERSION NUMBER]
-```
diff --git a/app/assets/mesh/1.9.x/raw/kuma-cp.yaml b/app/assets/mesh/1.9.x/raw/kuma-cp.yaml
deleted file mode 100644
index f294194cd175..000000000000
--- a/app/assets/mesh/1.9.x/raw/kuma-cp.yaml
+++ /dev/null
@@ -1,501 +0,0 @@ -# Environment type. Available values are: "kubernetes" or "universal" -environment: universal # ENV: KUMA_ENVIRONMENT -# Mode in which Kuma CP is running. Available values are: "standalone", "global", "zone" -mode: standalone # ENV: KUMA_MODE -# Resource Store configuration -store: - # Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory" - type: memory # ENV: KUMA_STORE_TYPE - # Kubernetes Store configuration (used when store.type=kubernetes) - kubernetes: - # Namespace where Control Plane is installed to. - systemNamespace: kuma-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE - # Postgres Store configuration (used when store.type=postgres) - postgres: - # Host of the Postgres DB - host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST - # Port of the Postgres DB - port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT - # User of the Postgres DB - user: kuma # ENV: KUMA_STORE_POSTGRES_USER - # Password of the Postgres DB - password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD - # Database name of the Postgres DB - dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME - # Connection Timeout to the DB in seconds - connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT - # Maximum number of open connections to the database - # `0` value means number of open connections is unlimited - maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS - # Maximum number of connections in the idle connection pool - # <0 value means no idle connections and 0 means default max idle connections - maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS - # TLS settings - tls: - # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" - mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE - # Path to TLS Certificate of the client. Used in verifyCa and verifyFull modes - certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH - # Path to TLS Key of the client. 
Used in verifyCa and verifyFull modes - keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH - # Path to the root certificate. Used in verifyCa and verifyFull modes. - caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH - # MinReconnectInterval controls the duration to wait before trying to - # re-establish the database connection after connection loss. After each - # consecutive failure this interval is doubled, until MaxReconnectInterval - # is reached. Successfully completing the connection establishment procedure - # resets the interval back to MinReconnectInterval. - minReconnectInterval: "10s" # ENV: KUMA_STORE_POSTGRES_MIN_RECONNECT_INTERVAL - # MaxReconnectInterval controls the maximum possible duration to wait before trying - # to re-establish the database connection after connection loss. - maxReconnectInterval: "60s" # ENV: KUMA_STORE_POSTGRES_MAX_RECONNECT_INTERVAL - # Cache for read only operations. This cache is local to the instance of the control plane. - cache: - # If true then cache is enabled - enabled: true # ENV: KUMA_STORE_CACHE_ENABLED - # Expiration time for elements in cache. - expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME - # Upsert (get and update) configuration - upsert: - # Base time for exponential backoff on upsert operations when retry is enabled - conflictRetryBaseBackoff: 100ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF - # Max retries on upsert (get and update) operation when retry is enabled - conflictRetryMaxTimes: 5 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES - # If true, skips validation of resource delete. 
- # For example you don't have to delete all Dataplane objects before you delete a Mesh - unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE -# Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes -bootstrapServer: - # Parameters of bootstrap configuration - params: - # Address of Envoy Admin - adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS - # Port of Envoy Admin - adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT - # Path to access log file of Envoy Admin - adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH - # Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane - xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST - # Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT - xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT - # Connection timeout to the XDS Server - xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT -# Monitoring Assignment Discovery Service (MADS) server configuration -monitoringAssignmentServer: - # Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS). - port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT - # Which MADS API versions to serve - apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS - # Interval for re-generating monitoring assignments for clients connected to the Control Plane. 
- assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL - # The default timeout for a single fetch-based discovery request, if not specified - defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT -# Envoy XDS server configuration -xdsServer: - # Interval for re-genarting configuration for Dataplanes connected to the Control Plane - dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL - # Interval for flushing status of Dataplanes connected to the Control Plane - dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL - # Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane - nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF - # A delay between proxy terminating a connection and the CP trying to deregister the proxy. - # It is used only in universal mode when you use direct lifecycle. - # Setting this setting to 0s disables the delay. - # Disabling this may cause race conditions that one instance of CP removes proxy object - # while proxy is connected to another instance of the CP. 
- dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY -# API Server configuration -apiServer: - # HTTP configuration of the API Server - http: - # If true then API Server will be served on HTTP - enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED - # Network interface on which HTTP API Server will be exposed - interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE - # Port of the API Server - port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT - # HTTPS configuration of the API Server - https: - # If true then API Server will be served on HTTPS - enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED - # Network interface on which HTTPS API Server will be exposed - interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE - # Port of the HTTPS API Server - port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT - # Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty - tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE - # Path to TLS key file. 
Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty - tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE - # Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets - auth: - # Directory of authorized client certificates (only validate in HTTPS) - clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR - # Api Server Authentication configuration - authn: - # Type of authentication mechanism (available values: "adminClientCerts", "tokens") - type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE - # Localhost is authenticated as a user admin of group admin - localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN - # Configuration for tokens authentication - tokens: - # If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret - bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN - # If true, then API Server will operate in read only mode (serving GET requests) - readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY - # Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp - corsAllowedDomains: - - ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS -# Environment-specific configuration -runtime: - # Kubernetes-specific configuration - kubernetes: - # Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL. - controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME - # Name of Service Account that is used to run the Control Plane - serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME - # Taint controller that prevents applications from scheduling until CNI is ready. - nodeTaintController: - # If true enables the taint controller. 
- enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED - # Value of app label on CNI pod that indicates if node can be ready. - cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP - # Admission WebHook Server configuration - admissionServer: - # Address the Admission WebHook Server should be listening on - address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS - # Port the Admission WebHook Server should be listening on - port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT - # Directory with a TLS cert and private key for the Admission WebHook Server. - # TLS certificate file must be named `tls.crt`. - # TLS key file must be named `tls.key`. - certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir - # Injector defines configuration of a Kuma Sidecar Injector. - injector: - # if true runs kuma-cp in CNI compatible mode - cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED - # list of exceptions for Kuma injection - exceptions: - # a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value. - labels: - openshift.io/build.name: "*" - openshift.io/deployer-pod-for.name: "*" - # VirtualProbesEnabled enables automatic converting HttpGet probes to virtual. Virtual probe - # serves on sub-path of insecure port 'virtualProbesPort', - # i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort - virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED - # VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS - virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT - # CaCertFile is CA certificate which will be used to verify a connection to the control plane. - caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE - # SidecarContainer defines configuration of the Kuma sidecar container. 
- sidecarContainer: - # Image name. - image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE - # Redirect port for inbound traffic. - redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND - # Redirect port for inbound traffic. - redirectPortInboundV6: 15010 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6 - # Redirect port for outbound traffic. - redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND - # User ID. - uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID - # Group ID. - gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI - # Drain time for listeners. - drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME - # Readiness probe. - readinessProbe: - # Number of seconds after the container has started before readiness probes are initiated. - initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS - # Number of seconds after which the probe times out. - timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS - # Number of seconds after which the probe times out. - periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS - # Minimum consecutive successes for the probe to be considered successful after having failed. - successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD - # Minimum consecutive failures for the probe to be considered failed after having succeeded. - failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD - # Liveness probe. 
- livenessProbe: - # Number of seconds after the container has started before liveness probes are initiated. - initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS - # Number of seconds after which the probe times out. - timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS - # How often (in seconds) to perform the probe. - periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS - # Minimum consecutive failures for the probe to be considered failed after having succeeded. - failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD - # Compute resource requirements. - resources: - # Minimum amount of compute resources required. - requests: - # CPU, in cores. (500m = .5 cores) - cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU - # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) - memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY - # Maximum amount of compute resources allowed. - limits: - # CPU, in cores. (500m = .5 cores) - cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU - # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) - memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY - # Additional environment variables that can be placed on Kuma DP sidecar - envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS - # InitContainer defines configuration of the Kuma init container - initContainer: - # Image name. - image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE - # ContainerPatches is an optional list of ContainerPatch names which will be applied - # to init and sidecar containers if workload is not annotated with a patch list. 
- containerPatches: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES - # Configuration for a traffic that is intercepted by sidecar - sidecarTraffic: - # List of inbound ports that will be excluded from interception. - # This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod. - excludeInboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS - # List of outbound ports that will be excluded from interception. - # This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod. - excludeOutboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS - builtinDNS: - # Use the built-in DNS - enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED - # Redirect port for DNS - port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT - marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME - # Universal-specific configuration - universal: - # DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC - dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE -# Default Kuma entities configuration -defaults: - # If true, it skips creating the default Mesh - skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION - # If true, instead of providing inbound clusters with address of dataplane, generates cluster with localhost. - # Enabled can cause security threat by exposing application listing on localhost. This configuration is going to - # be removed in the future. 
- enableLocalhostInboundClusters: false #ENV: KUMA_DEFAULTS_ENABLE_LOCALHOST_INBOUND_CLUSTERS -# Metrics configuration -metrics: - dataplane: - # Enables collecting metrics from Dataplane - enabled: true # ENV: KUMA_METRICS_DATAPLANE_ENABLED - # How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited - subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT - # How long data plane proxy can stay Online without active xDS connection - idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT - zone: - # Enables collecting metrics from Zone - enabled: true # ENV: KUMA_METRICS_ZONE_ENABLED - # How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited - subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT - # How long zone can stay Online without active KDS connection - idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT - mesh: - # Min time that should pass between MeshInsight resync - minResyncTimeout: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_TIMEOUT - # Max time that MeshInsight could spend without resync - maxResyncTimeout: 20s # ENV: KUMA_METRICS_MESH_MAX_RESYNC_TIMEOUT -# Reports configuration -reports: - # If true then usage stats will be reported - enabled: false # ENV: KUMA_REPORTS_ENABLED -# General configuration -general: - # dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name - dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL - # TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers. - tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE - # TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers. - tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE - # WorkDir defines a path to the working directory - # Kuma stores in this directory autogenerated entities like certificates. 
- # If empty then the working directory is $HOME/.kuma - workDir: "" # ENV: KUMA_GENERAL_WORK_DIR -# DNS Server configuration -dnsServer: - # The domain that the server will resolve the services for - domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN - # The CIDR range used to allocate - CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR - # Will create a service ".mesh" dns entry for every service. - serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED -# Multizone mode -multizone: - global: - kds: - # Port of a gRPC server that serves Kuma Discovery Service (KDS). - grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT - # Interval for refreshing state of the world - refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL - # Interval for flushing Zone Insights (stats of multi-zone communication) - zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL - # TlsCertFile defines a path to a file with PEM-encoded TLS cert. - tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE - # TTlsKeyFile defines a path to a file with PEM-encoded TLS key. - tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE - # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS. - # In practice this means a limit on full list of one resource type. - maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE - # MsgSendTimeout defines a timeout on sending a single KDS message. - # KDS stream between control planes is terminated if the control plane hits this timeout. 
- msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT - zone: - # Kuma Zone name used to mark the zone dataplane resources - name: "" # ENV: KUMA_MULTIZONE_ZONE_NAME - # GlobalAddress URL of Global Kuma CP - globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS - kds: - # Interval for refreshing state of the world - refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL - # RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it. - rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE - # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS. - # In practice this means a limit on full list of one resource type. - maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE - # MsgSendTimeout defines a timeout on sending a single KDS message. - # KDS stream between control planes is terminated if the control plane hits this timeout. - msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT -# Diagnostics configuration -diagnostics: - # Port of Diagnostic Server for checking health and readiness of the Control Plane - serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT - # If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints - debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS -# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane. -dpServer: - # Port of the DP Server - port: 5678 # ENV: KUMA_DP_SERVER_PORT - # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile - tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE - # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile - tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE - # Auth defines an authentication configuration for the DP Server - auth: - # Type of authentication. 
Available values: "serviceAccountToken", "dpToken", "none". - # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal. - type: "" # ENV: KUMA_DP_SERVER_AUTH_TYPE - # Hds defines a Health Discovery Service configuration - hds: - # Enabled if true then Envoy will actively check application's ports, but only on Universal. - # On Kubernetes this feature disabled for now regardless the flag value - enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED - # Interval for Envoy to send statuses for HealthChecks - interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL - # RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane - refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL - # Check defines a HealthCheck configuration - checkDefaults: - # Timeout is a time to wait for a health check response. If the timeout is reached the - # health check attempt will be considered a failure - timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT - # Interval between health checks - interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL - # NoTrafficInterval is a special health check interval that is used when a cluster has - # never had traffic routed to it - noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL - # HealthyThreshold is a number of healthy health checks required before a host is marked healthy - healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD - # UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy - unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD -# Access Control configuration -access: - # Type of access strategy (available values: "static", "rbac") - type: rbac - # Configuration of static access strategy - static: - # AdminResources defines an access to admin resources (Secret/GlobalSecret) - adminResources: - # List of users that are allowed to 
access admin resources - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS - # List of groups that are allowed to access admin resources - groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS - # GenerateDPToken defines an access to generating dataplane token - generateDpToken: - # List of users that are allowed to generate dataplane token - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS - # List of groups that are allowed to generate dataplane token - groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS - # GenerateUserToken defines an access to generating user token - generateUserToken: - # List of users that are allowed to generate user token - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS - # List of groups that are allowed to generate user token - groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS - # GenerateZoneToken defines an access to generating zone token - generateZoneToken: - # List of users that are allowed to generate zone token - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS - # List of groups that are allowed to generate zone token - groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS - viewConfigDump: - # List of users that are allowed to get envoy config dump - users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS - # List of groups that are allowed to get envoy config dump - groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS - viewStats: - # List of users that are allowed to get envoy stats - users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS - # List of groups that are allowed to get envoy stats - groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS - viewClusters: - # 
List of users that are allowed to get envoy clusters - users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS - # List of groups that are allowed to get envoy clusters - groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS -# Configuration of experimental features of Kuma -experimental: - # If true, experimental Gateway API is enabled - gatewayAPI: false # ENV: KUMA_EXPERIMENTAL_GATEWAY_API - # If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap - # This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config - kubeOutboundsAsVIPs: false # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS -proxy: - gateway: - # Sets the envoy runtime value to limit maximum number of incoming - # connections to a builtin gateway data plane proxy - globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS -kmesh: - # License of Kong Mesh - license: - # Inline string of the Kong Mesh license - # inline: "" # ENV: KMESH_LICENSE_INLINE - # Path to a file with the Kong Mesh license - path: "" # ENV: KMESH_LICENSE_PATH - opa: - # Interval for re-generating OPA configuration for Dataplanes connected to the Control Plane - configurationRefreshInterval: 1s # ENV: KMESH_OPA_CONFIGURATION_REFRESH_INTERVAL - # Backoff that is executed when Control Plane is sending the response that was previously rejected by OPA - nackBackoff: 5s # ENV: KMESH_OPA_CONFIGURATION_NACK_BACKOFF - multizone: - global: - kds: - auth: - # The way how Global Control Plane authenticates the Zone Control Planes. 
Available values ("none", "cpToken") - type: none # KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE - zone: - kds: - auth: - # Control Plane Token provided as a string - cpTokenInline: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE - # Control Plane Token provided as a file - cpTokenPath: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH - access: - static: - generateCpToken: - # List of users that are allowed to generate control plane token - users: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_USERS - # List of groups that are allowed to generate control plane token - groups: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_GROUPS - rbac: - # LogActions defines actions that will be logged when RBAC is resolved. Allowed values: "allowed", "denied" - logActions: ["allowed", "denied"] - ca: - vault: - # Interval for checking whether any referenced Vault tokens have changed. - # A value of 0 disables the check. - # This check is necessary to detect updates to a Vault token stored in a secret. - # Keep this interval shorter than the value of the Vault token's TTL. - # The default is 30s, which works well for tokens with a TTL longer than 60s. - # If the token TTL is shorter than 60s, you may need to decrease this value. - # When only tokens with `inline` or `inlineString` are set, you can disable this. - tokenChangeCheckInterval: 30s # ENV: KMESH_CA_VAULT_TOKEN_CHANGE_CHECK_INTERVAL diff --git a/app/assets/mesh/2.0.x/raw/kuma-cp.yaml b/app/assets/mesh/2.0.x/raw/kuma-cp.yaml deleted file mode 100644 index 9575ec5306ae..000000000000 --- a/app/assets/mesh/2.0.x/raw/kuma-cp.yaml +++ /dev/null 
@@ -1,572 +0,0 @@
-# Environment type. Available values are: "kubernetes" or "universal"
-environment: universal # ENV: KUMA_ENVIRONMENT
-# Mode in which Kuma CP is running. Available values are: "standalone", "global", "zone"
-mode: standalone # ENV: KUMA_MODE
-# Resource Store configuration
-store:
- # Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory"
- type: memory # ENV: KUMA_STORE_TYPE
- # Kubernetes Store configuration (used when store.type=kubernetes)
- kubernetes:
- # Namespace where Control Plane is installed to.
- systemNamespace: kuma-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
- # Postgres Store configuration (used when store.type=postgres)
- postgres:
- # Host of the Postgres DB
- host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST
- # Port of the Postgres DB
- port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT
- # User of the Postgres DB
- user: kuma # ENV: KUMA_STORE_POSTGRES_USER
- # Password of the Postgres DB
- password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD
- # Database name of the Postgres DB
- dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME
- # Connection Timeout to the DB in seconds
- connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT
- # Maximum number of open connections to the database
- # `0` value means number of open connections is unlimited
- maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS
- # Maximum number of connections in the idle connection pool
- # <0 value means no idle connections and 0 means default max idle connections
- maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS
- # TLS settings
- tls:
- # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
- mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
- # Path to TLS Certificate of the client. Used in verifyCa and verifyFull modes
- certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH
- # Path to TLS Key of the client. 
Used in verifyCa and verifyFull modes - keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH - # Path to the root certificate. Used in verifyCa and verifyFull modes. - caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH - # MinReconnectInterval controls the duration to wait before trying to - # re-establish the database connection after connection loss. After each - # consecutive failure this interval is doubled, until MaxReconnectInterval - # is reached. Successfully completing the connection establishment procedure - # resets the interval back to MinReconnectInterval. - minReconnectInterval: "10s" # ENV: KUMA_STORE_POSTGRES_MIN_RECONNECT_INTERVAL - # MaxReconnectInterval controls the maximum possible duration to wait before trying - # to re-establish the database connection after connection loss. - maxReconnectInterval: "60s" # ENV: KUMA_STORE_POSTGRES_MAX_RECONNECT_INTERVAL - # Cache for read only operations. This cache is local to the instance of the control plane. - cache: - # If true then cache is enabled - enabled: true # ENV: KUMA_STORE_CACHE_ENABLED - # Expiration time for elements in cache. - expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME - # Upsert (get and update) configuration - upsert: - # Base time for exponential backoff on upsert operations when retry is enabled - conflictRetryBaseBackoff: 100ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF - # Max retries on upsert (get and update) operation when retry is enabled - conflictRetryMaxTimes: 5 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES - # If true, skips validation of resource delete. 
- # For example you don't have to delete all Dataplane objects before you delete a Mesh - unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE -# Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes -bootstrapServer: - # Parameters of bootstrap configuration - params: - # Address of Envoy Admin - adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS - # Port of Envoy Admin - adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT - # Path to access log file of Envoy Admin - adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH - # Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane - xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST - # Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT - xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT - # Connection timeout to the XDS Server - xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT -# Monitoring Assignment Discovery Service (MADS) server configuration -monitoringAssignmentServer: - # Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS). - port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT - # Which MADS API versions to serve - apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS - # Interval for re-generating monitoring assignments for clients connected to the Control Plane. 
- assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL - # The default timeout for a single fetch-based discovery request, if not specified - defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT - # Path to TLS certificate file - tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE - # Path to TLS key file - tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE - # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. - tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION - # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. - tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION - # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. - tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES -# Envoy XDS server configuration -xdsServer: - # Interval for re-genarting configuration for Dataplanes connected to the Control Plane - dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL - # Interval for flushing status of Dataplanes connected to the Control Plane - dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL - # Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane - nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF - # A delay between proxy terminating a connection and the CP trying to deregister the proxy. - # It is used only in universal mode when you use direct lifecycle. - # Setting this setting to 0s disables the delay. - # Disabling this may cause race conditions that one instance of CP removes proxy object - # while proxy is connected to another instance of the CP. 
- dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY -# API Server configuration -apiServer: - # HTTP configuration of the API Server - http: - # If true then API Server will be served on HTTP - enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED - # Network interface on which HTTP API Server will be exposed - interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE - # Port of the API Server - port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT - # HTTPS configuration of the API Server - https: - # If true then API Server will be served on HTTPS - enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED - # Network interface on which HTTPS API Server will be exposed - interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE - # Port of the HTTPS API Server - port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT - # Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty - tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE - # Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty - tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE - # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. - tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION - # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. - tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION - # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. 
- tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES - # Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets - auth: - # Directory of authorized client certificates (only validate in HTTPS) - clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR - # Api Server Authentication configuration - authn: - # Type of authentication mechanism (available values: "adminClientCerts", "tokens") - type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE - # Localhost is authenticated as a user admin of group admin - localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN - # Configuration for tokens authentication - tokens: - # If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret - bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN - # If true, then API Server will operate in read only mode (serving GET requests) - readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY - # Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp - corsAllowedDomains: - - ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS -# Environment-specific configuration -runtime: - # Kubernetes-specific configuration - kubernetes: - # Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL. - controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME - # Name of Service Account that is used to run the Control Plane - serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME - # Taint controller that prevents applications from scheduling until CNI is ready. - nodeTaintController: - # If true enables the taint controller. - enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED - # Value of app label on CNI pod that indicates if node can be ready. 
- cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP - # Admission WebHook Server configuration - admissionServer: - # Address the Admission WebHook Server should be listening on - address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS - # Port the Admission WebHook Server should be listening on - port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT - # Directory with a TLS cert and private key for the Admission WebHook Server. - # TLS certificate file must be named `tls.crt`. - # TLS key file must be named `tls.key`. - certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir - # Injector defines configuration of a Kuma Sidecar Injector. - injector: - # if true runs kuma-cp in CNI compatible mode - cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED - # list of exceptions for Kuma injection - exceptions: - # a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value. - labels: - openshift.io/build.name: "*" - openshift.io/deployer-pod-for.name: "*" - # VirtualProbesEnabled enables automatic converting HttpGet probes to virtual. Virtual probe - # serves on sub-path of insecure port 'virtualProbesPort', - # i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort - virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED - # VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS - virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT - # CaCertFile is CA certificate which will be used to verify a connection to the control plane. - caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE - # SidecarContainer defines configuration of the Kuma sidecar container. - sidecarContainer: - # Image name. 
- image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE - # Redirect port for inbound traffic. - redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND - # Redirect port for inbound traffic. - redirectPortInboundV6: 15010 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6 - # Redirect port for outbound traffic. - redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND - # User ID. - uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID - # Group ID. - gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI - # Drain time for listeners. - drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME - # Readiness probe. - readinessProbe: - # Number of seconds after the container has started before readiness probes are initiated. - initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS - # Number of seconds after which the probe times out. - timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS - # Number of seconds after which the probe times out. - periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS - # Minimum consecutive successes for the probe to be considered successful after having failed. - successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD - # Minimum consecutive failures for the probe to be considered failed after having succeeded. - failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD - # Liveness probe. - livenessProbe: - # Number of seconds after the container has started before liveness probes are initiated. 
- initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS - # Number of seconds after which the probe times out. - timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS - # How often (in seconds) to perform the probe. - periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS - # Minimum consecutive failures for the probe to be considered failed after having succeeded. - failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD - # Compute resource requirements. - resources: - # Minimum amount of compute resources required. - requests: - # CPU, in cores. (500m = .5 cores) - cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU - # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) - memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY - # Maximum amount of compute resources allowed. - limits: - # CPU, in cores. (500m = .5 cores) - cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU - # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) - memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY - # Additional environment variables that can be placed on Kuma DP sidecar - envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS - # InitContainer defines configuration of the Kuma init container - initContainer: - # Image name. - image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE - # ContainerPatches is an optional list of ContainerPatch names which will be applied - # to init and sidecar containers if workload is not annotated with a patch list. 
- containerPatches: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES - # Configuration for a traffic that is intercepted by sidecar - sidecarTraffic: - # List of inbound ports that will be excluded from interception. - # This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod. - excludeInboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS - # List of outbound ports that will be excluded from interception. - # This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod. - excludeOutboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS - builtinDNS: - # Use the built-in DNS - enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED - # Redirect port for DNS - port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT - transparentProxyV2: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_V2 - # EBPF defines configuration for the ebpf, when transparent proxy is marked to be - # installed using ebpf instead of iptables - ebpf: - # Install transparent proxy using ebpf - enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED - # Name of the environmental variable which will include IP address of the pod - instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME - # Path where BPF file system will be mounted for pinning ebpf programs and maps - bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH - # Path of mounted cgroup2 - cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH - # Name of the network interface which should be used to attach to it TC programs - # when not specified, we will try to automatically determine it - tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE - # Path where compiled eBPF 
programs are placed - programsSourcePath: /kuma/ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH - marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME - # Universal-specific configuration - universal: - # DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC - dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE -# Default Kuma entities configuration -defaults: - # If true, it skips creating the default Mesh - skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION - # If true, instead of providing inbound clusters with address of dataplane, generates cluster with localhost. - # Enabled can cause security threat by exposing application listing on localhost. This configuration is going to - # be removed in the future. - enableLocalhostInboundClusters: false #ENV: KUMA_DEFAULTS_ENABLE_LOCALHOST_INBOUND_CLUSTERS -# Metrics configuration -metrics: - dataplane: - # How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited - subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT - # How long data plane proxy can stay Online without active xDS connection - idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT - zone: - # How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited - subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT - # How long zone can stay Online without active KDS connection - idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT - mesh: - # Min time that should pass between MeshInsight resync - minResyncTimeout: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_TIMEOUT - # Max time that MeshInsight could spend without resync - maxResyncTimeout: 20s # ENV: KUMA_METRICS_MESH_MAX_RESYNC_TIMEOUT -# Reports configuration -reports: - # If true then usage stats will be reported - enabled: false # ENV: KUMA_REPORTS_ENABLED 
-# General configuration -general: - # dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name - dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL - # TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers. - tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE - # TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers. - tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE - # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. - tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION - # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. - tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION - # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. - tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES - # WorkDir defines a path to the working directory - # Kuma stores in this directory autogenerated entities like certificates. - # If empty then the working directory is $HOME/.kuma - workDir: "" # ENV: KUMA_GENERAL_WORK_DIR -# DNS Server configuration -dnsServer: - # The domain that the server will resolve the services for - domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN - # The CIDR range used to allocate - CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR - # Will create a service ".mesh" dns entry for every service. - serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED - # The port to use along with the `.mesh` dns entry - serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT -# Multizone mode -multizone: - global: - kds: - # Port of a gRPC server that serves Kuma Discovery Service (KDS). 
- grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT - # Interval for refreshing state of the world - refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL - # Interval for flushing Zone Insights (stats of multi-zone communication) - zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL - # TlsCertFile defines a path to a file with PEM-encoded TLS cert. - tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE - # TlsKeyFile defines a path to a file with PEM-encoded TLS key. - tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE - # TlsMinVersion the minimum version of TLS - tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION - # TlsMaxVersion the maximum version of TLS - tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION - # TlsCipherSuites the list of cipher suites - tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES - # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS. - # In practice this means a limit on full list of one resource type. - maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE - # MsgSendTimeout defines a timeout on sending a single KDS message. - # KDS stream between control planes is terminated if the control plane hits this timeout. - msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT - zone: - # Kuma Zone name used to mark the zone dataplane resources - name: "" # ENV: KUMA_MULTIZONE_ZONE_NAME - # GlobalAddress URL of Global Kuma CP - globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS - kds: - # Interval for refreshing state of the world - refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL - # RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it. 
- rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE - # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS. - # In practice this means a limit on full list of one resource type. - maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE - # MsgSendTimeout defines a timeout on sending a single KDS message. - # KDS stream between control planes is terminated if the control plane hits this timeout. - msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT -# Diagnostics configuration -diagnostics: - # Port of Diagnostic Server for checking health and readiness of the Control Plane - serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT - # If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints - debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS -# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane. -dpServer: - # Port of the DP Server - port: 5678 # ENV: KUMA_DP_SERVER_PORT - # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile - tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE - # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile - tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE - # TlsMinVersion the minimum version of TLS - tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION - # TlsMaxVersion the maximum version of TLS - tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION - # TlsCipherSuites the list of cipher suites - tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES - # Auth defines an authentication configuration for the DP Server - auth: - # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none". - # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal. 
- type: "" # ENV: KUMA_DP_SERVER_AUTH_TYPE - # Hds defines a Health Discovery Service configuration - hds: - # Enabled if true then Envoy will actively check application's ports, but only on Universal. - # On Kubernetes this feature disabled for now regardless the flag value - enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED - # Interval for Envoy to send statuses for HealthChecks - interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL - # RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane - refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL - # Check defines a HealthCheck configuration - checkDefaults: - # Timeout is a time to wait for a health check response. If the timeout is reached the - # health check attempt will be considered a failure - timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT - # Interval between health checks - interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL - # NoTrafficInterval is a special health check interval that is used when a cluster has - # never had traffic routed to it - noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL - # HealthyThreshold is a number of healthy health checks required before a host is marked healthy - healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD - # UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy - unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD -# Access Control configuration -access: - # Type of access strategy (available values: "static", "rbac") - type: rbac - # Configuration of static access strategy - static: - # AdminResources defines an access to admin resources (Secret/GlobalSecret) - adminResources: - # List of users that are allowed to access admin resources - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS - # List of groups that are allowed to access admin resources - groups: 
["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS - # GenerateDPToken defines an access to generating dataplane token - generateDpToken: - # List of users that are allowed to generate dataplane token - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS - # List of groups that are allowed to generate dataplane token - groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS - # GenerateUserToken defines an access to generating user token - generateUserToken: - # List of users that are allowed to generate user token - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS - # List of groups that are allowed to generate user token - groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS - # GenerateZoneToken defines an access to generating zone token - generateZoneToken: - # List of users that are allowed to generate zone token - users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS - # List of groups that are allowed to generate zone token - groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS - viewConfigDump: - # List of users that are allowed to get envoy config dump - users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS - # List of groups that are allowed to get envoy config dump - groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS - viewStats: - # List of users that are allowed to get envoy stats - users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS - # List of groups that are allowed to get envoy stats - groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS - viewClusters: - # List of users that are allowed to get envoy clusters - users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS - # List of groups that are allowed to get envoy clusters - 
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS -# Configuration of experimental features of Kuma -experimental: - # If true, experimental Gateway API is enabled - gatewayAPI: false # ENV: KUMA_EXPERIMENTAL_GATEWAY_API - # If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap - # This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config - kubeOutboundsAsVIPs: false # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS -proxy: - gateway: - # Sets the envoy runtime value to limit maximum number of incoming - # connections to a builtin gateway data plane proxy - globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS -kmesh: - # License of Kong Mesh - license: - # Inline string of the Kong Mesh license - # inline: "" # ENV: KMESH_LICENSE_INLINE - # Path to a file with the Kong Mesh license - path: "" # ENV: KMESH_LICENSE_PATH - opa: - # Interval for re-generating OPA configuration for Dataplanes connected to the Control Plane - configurationRefreshInterval: 1s # ENV: KMESH_OPA_CONFIGURATION_REFRESH_INTERVAL - # Backoff that is executed when Control Plane is sending the response that was previously rejected by OPA - nackBackoff: 5s # ENV: KMESH_OPA_CONFIGURATION_NACK_BACKOFF - multizone: - global: - kds: - auth: - # The way how Global Control Plane authenticates the Zone Control Planes. 
Available values ("none", "cpToken") - type: none # KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE - zone: - kds: - auth: - # Control Plane Token provided as a string - cpTokenInline: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE - # Control Plane Token provided as a file - cpTokenPath: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH - access: - static: - generateCpToken: - # List of users that are allowed to generate control plane token - users: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_USERS - # List of groups that are allowed to generate control plane token - groups: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_GROUPS - rbac: - # LogActions defines actions that will be logged when RBAC is resolved. Allowed values: "allowed", "denied" - logActions: ["allowed", "denied"] - # Configuration for recording all the actions in the system. - audit: - # Types that are skipped by default when `types` list in AccessAudit resource is empty - skipDefaultTypes: ["DataplaneInsight", "ZoneIngressInsight", "ZoneEgressInsight", "ZoneInsight", "ServiceInsight", "MeshInsight"] - # List of backends for auditing. If empty, no audit is recorded. - backends: [] - # - # type of logging backend. Available values: "file" - # type: file - # # Settings of a file backend used when the type is set to "file" - # file: - # # Path to the file that will be filled with logs - # path: /tmp/access.logs - # rotation: - # # If true, rotation is enabled. 
- # # Example: if we set path to /tmp/kuma.log then after the file is rotated we will have /tmp/kuma-2021-06-07T09-15-18.265.log - # enabled: true - # # Maximum number of the old log files to retain - # maxRetainedFiles: 10 - # # Maximum size in megabytes of a log file before it gets rotated - # maxSizeMb: 100 - # # Maximum number of days to retain old log files based on the timestamp encoded in their filename - # maxAgeDays: 30 - ca: - vault: - # Interval for checking whether any referenced Vault tokens have changed. - # A value of 0 disables the check. - # This check is necessary to detect updates to a Vault token stored in a secret. - # Keep this interval shorter than the value of the Vault token's TTL. - # The default is 30s, which works well for tokens with a TTL longer than 60s. - # If the token TTL is shorter than 60s, you may need to decrease this value. - # When only tokens with `inline` or `inlineString` are set, you can disable this. - tokenChangeCheckInterval: 30s # ENV: KMESH_CA_VAULT_TOKEN_CHANGE_CHECK_INTERVAL diff --git a/app/assets/mesh/2.1.x/raw/crds/access-audit.yaml b/app/assets/mesh/2.1.x/raw/crds/access-audit.yaml deleted file mode 100644 index d1d5bb322fd7..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/access-audit.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: accessaudits.kuma.io -spec: - group: kuma.io - names: - kind: AccessAudit - plural: accessaudits - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - description: AccessAudit is the Schema for the accessaudit API - properties: - mesh: - type: string - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object diff --git a/app/assets/mesh/2.1.x/raw/crds/access-role-binding.yaml b/app/assets/mesh/2.1.x/raw/crds/access-role-binding.yaml deleted file mode 100644 index d8367b85868d..000000000000 
--- a/app/assets/mesh/2.1.x/raw/crds/access-role-binding.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: accessrolebindings.kuma.io -spec: - group: kuma.io - names: - kind: AccessRoleBinding - plural: accessrolebindings - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - description: AccessRoleBinding is the Schema for the accessrolebinding API - properties: - mesh: - type: string - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object diff --git a/app/assets/mesh/2.1.x/raw/crds/access-role.yaml b/app/assets/mesh/2.1.x/raw/crds/access-role.yaml deleted file mode 100644 index e1904f4488a3..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/access-role.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: accessroles.kuma.io -spec: - group: kuma.io - names: - kind: AccessRole - plural: accessroles - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - description: AccessRole is the Schema for the accessrole API - properties: - mesh: - type: string - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_circuitbreakers.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_circuitbreakers.yaml deleted file mode 100644 index e9d7d0dc754d..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_circuitbreakers.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: circuitbreakers.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: CircuitBreaker - listKind: CircuitBreakerList - plural: circuitbreakers - singular: circuitbreaker - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma CircuitBreaker resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_containerpatches.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_containerpatches.yaml deleted file mode 100644 index 02a01ba9e64f..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_containerpatches.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: containerpatches.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ContainerPatch - listKind: ContainerPatchList - plural: containerpatches - singular: containerpatch - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContainerPatch stores a list of patches to apply to init and - sidecar containers. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - type: string - metadata: - type: object - spec: - description: ContainerPatchSpec specifies the options available for a - ContainerPatch - properties: - initPatch: - description: InitPatch specifies jsonpatch to apply to an init container. - items: - description: JsonPatchBlock is one json patch operation block. - properties: - from: - description: From is a jsonpatch from string, used by move and - copy operations. - type: string - op: - description: Op is a jsonpatch operation string. - enum: - - add - - remove - - replace - - move - - copy - type: string - path: - description: Path is a jsonpatch path string. 
- type: string - value: - description: Value must be a string representing a valid json - object used by replace and add operations. String has to be - escaped with " to be valid a json object. - type: string - required: - - op - - path - type: object - type: array - sidecarPatch: - description: SidecarPatch specifies jsonpatch to apply to a sidecar - container. - items: - description: JsonPatchBlock is one json patch operation block. - properties: - from: - description: From is a jsonpatch from string, used by move and - copy operations. - type: string - op: - description: Op is a jsonpatch operation string. - enum: - - add - - remove - - replace - - move - - copy - type: string - path: - description: Path is a jsonpatch path string. - type: string - value: - description: Value must be a string representing a valid json - object used by replace and add operations. String has to be - escaped with " to be valid a json object. - type: string - required: - - op - - path - type: object - type: array - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_dataplaneinsights.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_dataplaneinsights.yaml deleted file mode 100644 index 8d8c4711504d..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_dataplaneinsights.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: dataplaneinsights.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: DataplaneInsight - listKind: DataplaneInsightList - plural: dataplaneinsights - singular: dataplaneinsight - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - status: - description: Status is the status the Kuma resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_dataplanes.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_dataplanes.yaml deleted file mode 100644 index a375c527d948..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_dataplanes.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: dataplanes.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: Dataplane - listKind: DataplaneList - plural: dataplanes - singular: dataplane - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma Dataplane resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_externalservices.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_externalservices.yaml deleted file mode 100644 index 5c3b082ee8f4..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_externalservices.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: externalservices.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ExternalService - listKind: ExternalServiceList - plural: externalservices - singular: externalservice - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ExternalService resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_faultinjections.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_faultinjections.yaml deleted file mode 100644 index d8a927d7923a..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_faultinjections.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: faultinjections.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: FaultInjection - listKind: FaultInjectionList - plural: faultinjections - singular: faultinjection - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma FaultInjection resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_healthchecks.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_healthchecks.yaml deleted file mode 100644 index dae84517e687..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_healthchecks.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: healthchecks.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: HealthCheck - listKind: HealthCheckList - plural: healthchecks - singular: healthcheck - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma HealthCheck resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshaccesslogs.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshaccesslogs.yaml deleted file mode 100644 index d7b1d8519958..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshaccesslogs.yaml +++ /dev/null 
@@ -1,281 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshaccesslogs.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshAccessLog - listKind: MeshAccessLogList - plural: meshaccesslogs - singular: meshaccesslog - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshAccessLog resource. - properties: - from: - description: From list makes a match between clients and corresponding - configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' - properties: - backends: - items: - properties: - file: - description: FileBackend defines configuration for - file based access logs - properties: - format: - description: Format of access logs. 
Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log - properties: - json: - items: - properties: - key: - type: string - value: - type: string - type: object - type: array - omitEmptyValues: - type: boolean - plain: - type: string - type: object - path: - description: Path to a file that logs will be - written to - type: string - required: - - path - type: object - tcp: - description: TCPBackend defines a TCP logging backend. - properties: - address: - description: Address of the TCP logging backend - type: string - format: - description: Format of access logs. Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log - properties: - json: - items: - properties: - key: - type: string - value: - type: string - type: object - type: array - omitEmptyValues: - type: boolean - plain: - type: string - type: object - required: - - address - type: object - type: object - type: array - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. 
The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - to: - description: To list makes a match between the consumed services and - corresponding configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' - properties: - backends: - items: - properties: - file: - description: FileBackend defines configuration for - file based access logs - properties: - format: - description: Format of access logs. Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log - properties: - json: - items: - properties: - key: - type: string - value: - type: string - type: object - type: array - omitEmptyValues: - type: boolean - plain: - type: string - type: object - path: - description: Path to a file that logs will be - written to - type: string - required: - - path - type: object - tcp: - description: TCPBackend defines a TCP logging backend. - properties: - address: - description: Address of the TCP logging backend - type: string - format: - description: Format of access logs. 
Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log - properties: - json: - items: - properties: - key: - type: string - value: - type: string - type: object - type: array - omitEmptyValues: - type: boolean - plain: - type: string - type: object - required: - - address - type: object - type: object - type: array - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshcircuitbreakers.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshcircuitbreakers.yaml deleted file mode 100644 index bdb9f29d6298..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshcircuitbreakers.yaml +++ /dev/null 
@@ -1,652 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshcircuitbreakers.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshCircuitBreaker - listKind: MeshCircuitBreakerList - plural: meshcircuitbreakers - singular: meshcircuitbreaker - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshCircuitBreaker - resource. - properties: - from: - description: From list makes a match between clients and corresponding - configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' - properties: - connectionLimits: - description: ConnectionLimits contains configuration of - each circuit breaking limit, which when exceeded makes - the circuit breaker to become open (no traffic is allowed - like no current is allowed in the circuits when physical - circuit breaker ir open) - properties: - maxConnectionPools: - description: The maximum number of connection pools - per cluster that are concurrently supported at once. 
- Set this for clusters which create a large number - of connection pools. - format: int32 - type: integer - maxConnections: - description: The maximum number of connections allowed - to be made to the upstream cluster. - format: int32 - type: integer - maxPendingRequests: - description: The maximum number of pending requests - that are allowed to the upstream cluster. This limit - is applied as a connection limit for non-HTTP traffic. - format: int32 - type: integer - maxRequests: - description: The maximum number of parallel requests - that are allowed to be made to the upstream cluster. - This limit does not apply to non-HTTP traffic. - format: int32 - type: integer - maxRetries: - description: The maximum number of parallel retries - that will be allowed to the upstream cluster. - format: int32 - type: integer - type: object - outlierDetection: - description: OutlierDetection contains the configuration - of the process of dynamically determining whether some - number of hosts in an upstream cluster are performing - unlike the others and removing them from the healthy load - balancing set. Performance might be along different axes - such as consecutive failures, temporal success rate, temporal - latency, etc. Outlier detection is a form of passive health - checking. - properties: - baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied - by the number of times the host has been ejected. - type: string - detectors: - description: Contains configuration for supported outlier - detectors - properties: - failurePercentage: - description: Failure Percentage based outlier detection - functions similarly to success rate detection, - in that it relies on success rate data from each - host in a cluster. However, rather than compare - those values to the mean success rate of the cluster - as a whole, they are compared to a flat user-configured - threshold. 
This threshold is configured via the - outlierDetection.failurePercentageThreshold field. - The other configuration fields for failure percentage - based detection are similar to the fields for - success rate detection. As with success rate detection, - detection will not be performed for a host if - its request volume over the aggregation interval - is less than the outlierDetection.detectors.failurePercentage.requestVolume - value. Detection also will not be performed for - a cluster if the number of hosts with the minimum - required request volume in an interval is less - than the outlierDetection.detectors.failurePercentage.minimumHosts - value. - properties: - minimumHosts: - description: The minimum number of hosts in - a cluster in order to perform failure percentage-based - ejection. If the total number of hosts in - the cluster is less than this value, failure - percentage-based ejection will not be performed. - format: int32 - type: integer - requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration above) to - perform failure percentage-based ejection - for this host. If the volume is lower than - this setting, failure percentage-based ejection - will not be performed for this host. - format: int32 - type: integer - threshold: - description: The failure percentage to use when - determining failure percentage-based outlier - detection. If the failure percentage of a - given host is greater than or equal to this - value, it will be ejected. - format: int32 - type: integer - type: object - gatewayFailures: - description: In the default mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and local origin - failures, such as timeout, TCP reset etc. 
In split - mode (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and is supported - only by the http router. - properties: - consecutive: - description: The number of consecutive gateway - failures (502, 503, 504 status codes) before - a consecutive gateway failure ejection occurs. - format: int32 - type: integer - type: object - localOriginFailures: - description: 'This detection type is enabled only - when outlierDetection.splitExternalLocalOriginErrors - is true and takes into account only locally originated - errors (timeout, reset, etc). If Envoy repeatedly - cannot connect to an upstream host or communication - with the upstream host is repeatedly interrupted, - it will be ejected. Various locally originated - problems are detected: timeout, TCP reset, ICMP - errors, etc. This detection type is supported - by http router and tcp proxy.' - properties: - consecutive: - description: The number of consecutive locally - originated failures before ejection occurs. - Parameter takes effect only when splitExternalAndLocalErrors - is set to true. - format: int32 - type: integer - type: object - successRate: - description: 'Success Rate based outlier detection - aggregates success rate data from every host in - a cluster. Then at given intervals ejects hosts - based on statistical outlier detection. Success - Rate outlier detection will not be calculated - for a host if its request volume over the aggregation - interval is less than the outlierDetection.detectors.successRate.requestVolume - value. Moreover, detection will not be performed - for a cluster if the number of hosts with the - minimum required request volume in an interval - is less than the outlierDetection.detectors.successRate.minimumHosts - value. 
In the default configuration mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - all types of errors: locally and externally originated. - In split mode (outlierDetection.splitExternalLocalOriginErrors - is true), locally originated errors and externally - originated (transaction) errors are counted and - treated separately.' - properties: - minimumHosts: - description: The number of hosts in a cluster - that must have enough request volume to detect - success rate outliers. If the number of hosts - is less than this setting, outlier detection - via success rate statistics is not performed - for any host in the cluster. - format: int32 - type: integer - requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration configured - in outlierDetection section) to include this - host in success rate based outlier detection. - If the volume is lower than this setting, - outlier detection via success rate statistics - is not performed for that host. - format: int32 - type: integer - standardDeviationFactor: - anyOf: - - type: integer - - type: string - description: 'This factor is used to determine - the ejection threshold for success rate outlier - ejection. The ejection threshold is the difference - between the mean success rate, and the product - of this factor and the standard deviation - of the mean success rate: mean - (standard_deviation - * success_rate_standard_deviation_factor). - Either int or decimal represented as string.' - x-kubernetes-int-or-string: true - type: object - totalFailures: - description: 'In the default mode (outlierDetection.splitExternalAndLocalErrors - is false) this detection type takes into account - all generated errors: locally originated and externally - originated (transaction) errors. 
In split mode - (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - only externally originated (transaction) errors, - ignoring locally originated errors. If an upstream - host is an HTTP-server, only 5xx types of error - are taken into account (see Consecutive Gateway - Failure for exceptions). Properly formatted responses, - even when they carry an operational error (like - index not found, access denied) are not taken - into account.' - properties: - consecutive: - description: The number of consecutive server-side - error responses (for HTTP traffic, 5xx responses; - for TCP traffic, connection failures; for - Redis, failure to respond PONG; etc.) before - a consecutive total failure ejection occurs. - format: int32 - type: integer - type: object - type: object - disabled: - description: When set to true, outlierDetection configuration - won't take any effect - type: boolean - interval: - description: The time interval between ejection analysis - sweeps. This can result in both new ejections and - hosts being returned to service. - type: string - maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. - format: int32 - type: integer - splitExternalAndLocalErrors: - description: 'Determines whether to distinguish local - origin failures from external errors. If set to true - the following configuration parameters are taken into - account: detectors.localOriginFailures.consecutive' - type: boolean - type: object - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. 
- properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined in place. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. 
- Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - to: - description: To list makes a match between the consumed services and - corresponding configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' - properties: - connectionLimits: - description: ConnectionLimits contains configuration of - each circuit breaking limit, which when exceeded makes - the circuit breaker to become open (no traffic is allowed - like no current is allowed in the circuits when physical - circuit breaker ir open) - properties: - maxConnectionPools: - description: The maximum number of connection pools - per cluster that are concurrently supported at once. - Set this for clusters which create a large number - of connection pools. - format: int32 - type: integer - maxConnections: - description: The maximum number of connections allowed - to be made to the upstream cluster. - format: int32 - type: integer - maxPendingRequests: - description: The maximum number of pending requests - that are allowed to the upstream cluster. This limit - is applied as a connection limit for non-HTTP traffic. - format: int32 - type: integer - maxRequests: - description: The maximum number of parallel requests - that are allowed to be made to the upstream cluster. - This limit does not apply to non-HTTP traffic. - format: int32 - type: integer - maxRetries: - description: The maximum number of parallel retries - that will be allowed to the upstream cluster. - format: int32 - type: integer - type: object - outlierDetection: - description: OutlierDetection contains the configuration - of the process of dynamically determining whether some - number of hosts in an upstream cluster are performing - unlike the others and removing them from the healthy load - balancing set. 
Performance might be along different axes - such as consecutive failures, temporal success rate, temporal - latency, etc. Outlier detection is a form of passive health - checking. - properties: - baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied - by the number of times the host has been ejected. - type: string - detectors: - description: Contains configuration for supported outlier - detectors - properties: - failurePercentage: - description: Failure Percentage based outlier detection - functions similarly to success rate detection, - in that it relies on success rate data from each - host in a cluster. However, rather than compare - those values to the mean success rate of the cluster - as a whole, they are compared to a flat user-configured - threshold. This threshold is configured via the - outlierDetection.failurePercentageThreshold field. - The other configuration fields for failure percentage - based detection are similar to the fields for - success rate detection. As with success rate detection, - detection will not be performed for a host if - its request volume over the aggregation interval - is less than the outlierDetection.detectors.failurePercentage.requestVolume - value. Detection also will not be performed for - a cluster if the number of hosts with the minimum - required request volume in an interval is less - than the outlierDetection.detectors.failurePercentage.minimumHosts - value. - properties: - minimumHosts: - description: The minimum number of hosts in - a cluster in order to perform failure percentage-based - ejection. If the total number of hosts in - the cluster is less than this value, failure - percentage-based ejection will not be performed. 
- format: int32 - type: integer - requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration above) to - perform failure percentage-based ejection - for this host. If the volume is lower than - this setting, failure percentage-based ejection - will not be performed for this host. - format: int32 - type: integer - threshold: - description: The failure percentage to use when - determining failure percentage-based outlier - detection. If the failure percentage of a - given host is greater than or equal to this - value, it will be ejected. - format: int32 - type: integer - type: object - gatewayFailures: - description: In the default mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and local origin - failures, such as timeout, TCP reset etc. In split - mode (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and is supported - only by the http router. - properties: - consecutive: - description: The number of consecutive gateway - failures (502, 503, 504 status codes) before - a consecutive gateway failure ejection occurs. - format: int32 - type: integer - type: object - localOriginFailures: - description: 'This detection type is enabled only - when outlierDetection.splitExternalLocalOriginErrors - is true and takes into account only locally originated - errors (timeout, reset, etc). If Envoy repeatedly - cannot connect to an upstream host or communication - with the upstream host is repeatedly interrupted, - it will be ejected. Various locally originated - problems are detected: timeout, TCP reset, ICMP - errors, etc. This detection type is supported - by http router and tcp proxy.' 
- properties: - consecutive: - description: The number of consecutive locally - originated failures before ejection occurs. - Parameter takes effect only when splitExternalAndLocalErrors - is set to true. - format: int32 - type: integer - type: object - successRate: - description: 'Success Rate based outlier detection - aggregates success rate data from every host in - a cluster. Then at given intervals ejects hosts - based on statistical outlier detection. Success - Rate outlier detection will not be calculated - for a host if its request volume over the aggregation - interval is less than the outlierDetection.detectors.successRate.requestVolume - value. Moreover, detection will not be performed - for a cluster if the number of hosts with the - minimum required request volume in an interval - is less than the outlierDetection.detectors.successRate.minimumHosts - value. In the default configuration mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - all types of errors: locally and externally originated. - In split mode (outlierDetection.splitExternalLocalOriginErrors - is true), locally originated errors and externally - originated (transaction) errors are counted and - treated separately.' - properties: - minimumHosts: - description: The number of hosts in a cluster - that must have enough request volume to detect - success rate outliers. If the number of hosts - is less than this setting, outlier detection - via success rate statistics is not performed - for any host in the cluster. - format: int32 - type: integer - requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration configured - in outlierDetection section) to include this - host in success rate based outlier detection. - If the volume is lower than this setting, - outlier detection via success rate statistics - is not performed for that host. 
- format: int32 - type: integer - standardDeviationFactor: - anyOf: - - type: integer - - type: string - description: 'This factor is used to determine - the ejection threshold for success rate outlier - ejection. The ejection threshold is the difference - between the mean success rate, and the product - of this factor and the standard deviation - of the mean success rate: mean - (standard_deviation - * success_rate_standard_deviation_factor). - Either int or decimal represented as string.' - x-kubernetes-int-or-string: true - type: object - totalFailures: - description: 'In the default mode (outlierDetection.splitExternalAndLocalErrors - is false) this detection type takes into account - all generated errors: locally originated and externally - originated (transaction) errors. In split mode - (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - only externally originated (transaction) errors, - ignoring locally originated errors. If an upstream - host is an HTTP-server, only 5xx types of error - are taken into account (see Consecutive Gateway - Failure for exceptions). Properly formatted responses, - even when they carry an operational error (like - index not found, access denied) are not taken - into account.' - properties: - consecutive: - description: The number of consecutive server-side - error responses (for HTTP traffic, 5xx responses; - for TCP traffic, connection failures; for - Redis, failure to respond PONG; etc.) before - a consecutive total failure ejection occurs. - format: int32 - type: integer - type: object - type: object - disabled: - description: When set to true, outlierDetection configuration - won't take any effect - type: boolean - interval: - description: The time interval between ejection analysis - sweeps. This can result in both new ejections and - hosts being returned to service. 
- type: string - maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. - format: int32 - type: integer - splitExternalAndLocalErrors: - description: 'Determines whether to distinguish local - origin failures from external errors. If set to true - the following configuration parameters are taken into - account: detectors.localOriginFailures.consecutive' - type: boolean - type: object - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshes.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshes.yaml deleted file mode 100644 index 65cde9401f9c..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshes.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshes.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: Mesh - listKind: MeshList - plural: meshes - singular: mesh - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma Mesh resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshfaultinjections.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshfaultinjections.yaml deleted file mode 100644 index 403d8afa9a9b..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshfaultinjections.yaml +++ /dev/null 
@@ -1,189 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshfaultinjections.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshFaultInjection - listKind: MeshFaultInjectionList - plural: meshfaultinjections - singular: meshfaultinjection - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshFaultInjection - resource. - properties: - from: - description: From list makes a match between clients and corresponding - configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' - properties: - http: - description: Http allows to define list of Http faults between - dataplanes. - items: - description: FaultInjection defines the configuration - of faults between dataplanes. 
- properties: - abort: - description: Abort defines a configuration of not - delivering requests to destination service and replacing - the responses from destination dataplane by predefined - status code - properties: - httpStatus: - description: HTTP status code which will be returned - to source side - format: int32 - type: integer - percentage: - anyOf: - - type: integer - - type: string - description: Percentage of requests on which abort - will be injected, has to be either int or decimal - represented as string. - x-kubernetes-int-or-string: true - required: - - httpStatus - - percentage - type: object - delay: - description: Delay defines configuration of delaying - a response from a destination - properties: - percentage: - anyOf: - - type: integer - - type: string - description: Percentage of requests on which delay - will be injected, has to be either int or decimal - represented as string. - x-kubernetes-int-or-string: true - value: - description: The duration during which the response - will be delayed - type: string - required: - - percentage - - value - type: object - responseBandwidth: - description: ResponseBandwidth defines a configuration - to limit the speed of responding to the requests - properties: - limit: - description: Limit is represented by value measure - in gbps, mbps, kbps or bps, e.g. 10kbps - type: string - percentage: - anyOf: - - type: integer - - type: string - description: Percentage of requests on which response - bandwidth limit will be either int or decimal - represented as string. - x-kubernetes-int-or-string: true - required: - - limit - - percentage - type: object - type: object - type: array - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. 
- properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayconfigs.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayconfigs.yaml deleted file mode 100644 index 1b91d0d5a681..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayconfigs.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshgatewayconfigs.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshGatewayConfig - listKind: MeshGatewayConfigList - plural: meshgatewayconfigs - singular: meshgatewayconfig - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: MeshGatewayConfig holds the configuration of a MeshGateway. A - GatewayClass can refer to a MeshGatewayConfig via parametersRef. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: MeshGatewayConfigSpec specifies the options available for - a Kuma MeshGateway. - properties: - crossMesh: - description: CrossMesh specifies whether listeners configured by this - gateway are cross mesh listeners. - type: boolean - replicas: - default: 1 - description: Replicas is the number of dataplane proxy replicas to - create. For now this is a fixed number, but in the future it could - be automatically scaled based on metrics. - format: int32 - minimum: 1 - type: integer - resources: - description: Resources specifies the compute resources for the proxy - container. The default can be set in the control plane config. 
- properties: - claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - serviceTemplate: - description: ServiceTemplate configures the Service owned by this - config. - properties: - metadata: - description: Metadata holds metadata configuration for a Service. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations holds annotations to be set on a - Service. - type: object - type: object - spec: - description: Spec holds some customizable fields of a Service. - properties: - loadBalancerIP: - description: LoadBalancerIP corresponds to ServiceSpec.LoadBalancerIP. - type: string - type: object - type: object - serviceType: - default: LoadBalancer - description: ServiceType specifies the type of managed Service that - will be created to expose the dataplane proxies to traffic from - outside the cluster. The ports to expose will be taken from the - matching Gateway resource. If there is no matching Gateway, the - managed Service will be deleted. - enum: - - LoadBalancer - - ClusterIP - - NodePort - type: string - tags: - additionalProperties: - type: string - description: Tags specifies a set of Kuma tags that are included in - the MeshGatewayInstance and thus propagated to every Dataplane generated - to serve the MeshGateway. These tags should include a maximum of - one `kuma.io/service` tag. - type: object - type: object - status: - description: MeshGatewayConfigStatus holds information about the status - of the gateway instance. - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayinstances.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayinstances.yaml deleted file mode 100644 index 76fd21dfc8c8..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayinstances.yaml +++ /dev/null 
@@ -1,279 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshgatewayinstances.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshGatewayInstance - listKind: MeshGatewayInstanceList - plural: meshgatewayinstances - singular: meshgatewayinstance - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: MeshGatewayInstance represents a managed instance of a dataplane - proxy for a Kuma Gateway. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: MeshGatewayInstanceSpec specifies the options available for - a GatewayDataplane. - properties: - replicas: - default: 1 - description: Replicas is the number of dataplane proxy replicas to - create. For now this is a fixed number, but in the future it could - be automatically scaled based on metrics. - format: int32 - minimum: 1 - type: integer - resources: - description: Resources specifies the compute resources for the proxy - container. The default can be set in the control plane config. - properties: - claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. 
\n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - serviceTemplate: - description: ServiceTemplate configures the Service owned by this - config. - properties: - metadata: - description: Metadata holds metadata configuration for a Service. - properties: - annotations: - additionalProperties: - type: string - description: Annotations holds annotations to be set on a - Service. - type: object - type: object - spec: - description: Spec holds some customizable fields of a Service. 
- properties: - loadBalancerIP: - description: LoadBalancerIP corresponds to ServiceSpec.LoadBalancerIP. - type: string - type: object - type: object - serviceType: - default: LoadBalancer - description: ServiceType specifies the type of managed Service that - will be created to expose the dataplane proxies to traffic from - outside the cluster. The ports to expose will be taken from the - matching Gateway resource. If there is no matching Gateway, the - managed Service will be deleted. - enum: - - LoadBalancer - - ClusterIP - - NodePort - type: string - tags: - additionalProperties: - type: string - description: Tags specifies the Kuma tags that are propagated to the - managed dataplane proxies. These tags should include exactly one - `kuma.io/service` tag, and should match exactly one Gateway resource. - type: object - type: object - status: - description: MeshGatewayInstanceStatus holds information about the status - of the gateway instance. - properties: - conditions: - description: Conditions is an array of gateway instance conditions. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - loadBalancer: - description: LoadBalancer contains the current status of the load-balancer, - if one is present. - properties: - ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. - items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' - properties: - hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) - type: string - ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) - type: string - ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it - items: - properties: - error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific error - values must have names that comply with the format - foo.example.com/CamelCase. 
--- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - port: - description: Port is the port number of the service - port of which status is recorded here - format: int32 - type: integer - protocol: - default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' - type: string - required: - - port - - protocol - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayroutes.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayroutes.yaml deleted file mode 100644 index 843dec889d1c..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgatewayroutes.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshgatewayroutes.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshGatewayRoute - listKind: MeshGatewayRouteList - plural: meshgatewayroutes - singular: meshgatewayroute - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshGatewayRoute resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgateways.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgateways.yaml deleted file mode 100644 index 73135c196435..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshgateways.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshgateways.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshGateway - listKind: MeshGatewayList - plural: meshgateways - singular: meshgateway - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshGateway resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshhealthchecks.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshhealthchecks.yaml deleted file mode 100644 index 4eafcbe762e1..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshhealthchecks.yaml +++ /dev/null 
@@ -1,303 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshhealthchecks.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshHealthCheck - listKind: MeshHealthCheckList - plural: meshhealthchecks - singular: meshhealthcheck - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshHealthCheck resource. - properties: - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. 
Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - to: - description: To list makes a match between the consumed services and - corresponding configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' - properties: - alwaysLogHealthCheckFailures: - description: If set to true, health check failure events - will always be logged. If set to false, only the initial - health check failure event will be logged. The default - value is false. - type: boolean - eventLogPath: - description: Specifies the path to the file where Envoy - can log health check events. If empty, no event log will - be written. - type: string - failTrafficOnPanic: - description: If set to true, Envoy will not consider any - hosts when the cluster is in 'panic mode'. Instead, the - cluster will fail all requests as if all hosts are unhealthy. - This can help avoid potentially overwhelming a failing - service. - type: boolean - grpc: - description: GrpcHealthCheck defines gRPC configuration - which will instruct the service the health check will - be made for is a gRPC service. - properties: - authority: - description: The value of the :authority header in the - gRPC health check request, by default name of the - cluster this health check is associated with - type: string - disabled: - description: If true the GrpcHealthCheck is disabled - type: boolean - serviceName: - description: Service name parameter which will be sent - to gRPC service - type: string - type: object - healthyPanicThreshold: - anyOf: - - type: integer - - type: string - description: Allows to configure panic threshold for Envoy - cluster. 
If not specified, the default is 50%. To disable - panic mode, set to 0%. Either int or decimal represented - as string. - x-kubernetes-int-or-string: true - healthyThreshold: - default: 1 - description: Number of consecutive healthy checks before - considering a host healthy. - format: int32 - type: integer - http: - description: HttpHealthCheck defines HTTP configuration - which will instruct the service the health check will - be made for is an HTTP service. - properties: - disabled: - description: If true the HttpHealthCheck is disabled - type: boolean - expectedStatuses: - description: List of HTTP response statuses which are - considered healthy - items: - format: int32 - type: integer - type: array - path: - default: / - description: The HTTP path which will be requested during - the health check (ie. /health) - type: string - requestHeadersToAdd: - description: The list of HTTP headers which should be - added to each health check request - properties: - add: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - set: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - initialJitter: - description: If specified, Envoy will start health checking - after a random time in ms between 0 and initialJitter. - This only applies to the first health check. - type: string - interval: - default: 1m - description: Interval between consecutive health checks. 
- type: string - intervalJitter: - description: If specified, during every interval Envoy will - add IntervalJitter to the wait time. - type: string - intervalJitterPercent: - description: If specified, during every interval Envoy will - add IntervalJitter * IntervalJitterPercent / 100 to the - wait time. If IntervalJitter and IntervalJitterPercent - are both set, both of them will be used to increase the - wait time. - format: int32 - type: integer - noTrafficInterval: - description: The "no traffic interval" is a special health - check interval that is used when a cluster has never had - traffic routed to it. This lower interval allows cluster - information to be kept up to date, without sending a potentially - large amount of active health checking traffic for no - reason. Once a cluster has been used for traffic routing, - Envoy will shift back to using the standard health check - interval that is defined. Note that this interval takes - precedence over any other. The default value for "no traffic - interval" is 60 seconds. - type: string - reuseConnection: - description: Reuse health check connection between health - checks. Default is true. - type: boolean - tcp: - description: TcpHealthCheck defines configuration for specifying - bytes to send and expected response during the health - check - properties: - disabled: - description: If true the TcpHealthCheck is disabled - type: boolean - receive: - description: List of Base64 encoded blocks of strings - expected as a response. When checking the response, - "fuzzy" matching is performed such that each block - must be found, and in the order specified, but not - necessarily contiguous. If not provided or empty, - checks will be performed as "connect only" and be - marked as successful when TCP connection is successfully - established. 
- items: - type: string - type: array - send: - description: Base64 encoded content of the message which - will be sent during the health check to the target - type: string - type: object - timeout: - default: 15s - description: Maximum time to wait for a health check response. - type: string - unhealthyThreshold: - default: 5 - description: Number of consecutive unhealthy checks before - considering a host unhealthy. - format: int32 - type: integer - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshhttproutes.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshhttproutes.yaml deleted file mode 100644 index f9245237c398..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshhttproutes.yaml +++ /dev/null 
@@ -1,403 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshhttproutes.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshHTTPRoute - listKind: MeshHTTPRouteList - plural: meshhttproutes - singular: meshhttproute - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshHTTPRoute resource. - properties: - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. 
Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - to: - description: To matches destination services of requests and holds - configuration. - items: - properties: - rules: - description: Rules contains the routing rules applies to a combination - of top-level targetRef and the targetRef in this entry. - items: - properties: - default: - description: Default holds routing rules that can be merged - with rules from other policies. - properties: - backendRefs: - items: - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use - to identify cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. - Can only be used with kinds: `MeshService`, - `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of - proxies by tags. Can only be used with kinds - `MeshSubset` and `MeshServiceSubset` - type: object - weight: - minimum: 0 - type: integer - type: object - type: array - filters: - items: - properties: - requestHeaderModifier: - description: Only one action is supported per - header name. Configuration to set or add multiple - values for a header must use RFC 7230 header - value formatting, separating each value with - a comma. 
- properties: - add: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - items: - type: string - maxItems: 16 - type: array - set: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestRedirect: - properties: - hostname: - description: "PreciseHostname is the fully - qualified domain name of a network host. - This matches the RFC 1123 definition of - a hostname with 1 notable exception that - numeric IP addresses are not allowed. - \n Note that as per RFC1035 and RFC1123, - a *label* must consist of lower case alphanumeric - characters or '-', and must start and - end with an alphanumeric character. No - other punctuation is allowed." - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - port: - description: Port is the port to be used - in the value of the `Location` header - in the response. When empty, port (if - specified) of the request is used. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - enum: - - http - - https - type: string - statusCode: - default: 302 - description: StatusCode is the HTTP status - code to be used in response. - enum: - - 301 - - 302 - - 303 - - 307 - - 308 - type: integer - type: object - responseHeaderModifier: - description: Only one action is supported per - header name. Configuration to set or add multiple - values for a header must use RFC 7230 header - value formatting, separating each value with - a comma. 
- properties: - add: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - items: - type: string - maxItems: 16 - type: array - set: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestRedirect - - URLRewrite - type: string - urlRewrite: - properties: - hostname: - description: "PreciseHostname is the fully - qualified domain name of a network host. - This matches the RFC 1123 definition of - a hostname with 1 notable exception that - numeric IP addresses are not allowed. - \n Note that as per RFC1035 and RFC1123, - a *label* must consist of lower case alphanumeric - characters or '-', and must start and - end with an alphanumeric character. No - other punctuation is allowed." - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - properties: - replaceFullPath: - type: string - replacePrefixMatch: - type: string - type: - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - type: object - required: - - type - type: object - type: array - type: object - matches: - items: - properties: - method: - enum: - - CONNECT - - DELETE - - GET - - HEAD - - OPTIONS - - PATCH - - POST - - PUT - - TRACE - type: string - path: - properties: - type: - enum: - - Exact - - Prefix - - RegularExpression - type: string - value: - description: Exact or prefix matches must be - an absolute path. 
A prefix matches only if - separated by a slash or the entire path. - minLength: 1 - type: string - required: - - type - - value - type: object - queryParams: - description: QueryParams matches based on HTTP URL - query parameters. Multiple matches are ANDed together - such that all listed matches must succeed. - items: - properties: - name: - minLength: 1 - type: string - type: - enum: - - Exact - - RegularExpression - type: string - value: - type: string - required: - - name - - type - - value - type: object - type: array - type: object - type: array - required: - - default - - matches - type: object - type: array - targetRef: - description: TargetRef is a reference to the resource that represents - a group of request destinations. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - type: object - type: array - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshinsights.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshinsights.yaml deleted file mode 100644 index 1581092d55a8..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshinsights.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshinsights.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshInsight - listKind: MeshInsightList - plural: meshinsights - singular: meshinsight - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshInsight resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshopas.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshopas.yaml deleted file mode 100644 index 30e4d4aeb75b..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshopas.yaml +++ /dev/null 
@@ -1,148 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshopas.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshOPA - listKind: MeshOPAList - plural: meshopas - singular: meshopa - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshOPA resource. - properties: - default: - properties: - agentConfig: - description: AgentConfig defines bootstrap OPA agent configuration. - properties: - inline: - description: Data source is inline bytes. - format: byte - type: string - inlineString: - description: Data source is inline string` - type: string - secret: - description: Data source is a secret with given Secret key. - type: string - type: object - appendPolicies: - description: 'Policies define data source for a policies. Available - values: secret, inline, inlineString.' - items: - description: DataSource defines the source of bytes to use. - properties: - inline: - description: Data source is inline bytes. 
- format: byte - type: string - inlineString: - description: Data source is inline string` - type: string - secret: - description: Data source is a secret with given Secret key. - type: string - type: object - type: array - authConfig: - description: AuthConfig are configurations specific to the filter. - properties: - onAgentFailure: - description: OnAgentFailure either 'allow' or 'deny' (default - to deny) whether to allow requests when the authorization - agent failed. - enum: - - Allow - - Deny - type: string - requestBody: - description: RequestBody configuration to apply on the request - body sent to the authorization agent (if absent, the body - is not sent). - properties: - maxSize: - description: 'MaxSize defines the maximum payload size - sent to authorization agent. If the payload is larger - it will be truncated and there will be a header `x-envoy-auth-partial-body: - true`. If it is set to 0 no body will be sent to the - agent.' - format: int32 - type: integer - sendRawBody: - description: SendRawBody enable sending raw body instead - of the body encoded into UTF-8 - type: boolean - type: object - statusOnError: - description: StatusOnError is the http status to return when - there's a connection failure between the dataplane and the - authorization agent - format: int32 - type: integer - timeout: - description: Timeout for the single gRPC request from Envoy - to OPA Agent. - type: string - type: object - type: object - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. 
Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshproxypatches.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshproxypatches.yaml deleted file mode 100644 index 19478a4b6a17..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshproxypatches.yaml +++ /dev/null 
@@ -1,343 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshproxypatches.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshProxyPatch - listKind: MeshProxyPatchList - plural: meshproxypatches - singular: meshproxypatch - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshProxyPatch resource. - properties: - default: - description: Default is a configuration specific to the group of destinations - referenced in 'targetRef'. - properties: - appendModifications: - description: AppendModifications is a list of modifications applied - on the selected proxy. - items: - properties: - cluster: - description: Cluster is a modification of Envoy's Cluster - resource. - properties: - match: - description: Match is a set of conditions that have - to be matched for modification operation to happen. - properties: - name: - description: Name of the cluster to match. - type: string - origin: - description: "Origin is the name of the component - or plugin that generated the resource. 
\n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. - ingress - resources generated for Zone Ingress. - egress - resources generated for Zone Egress. - gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." - type: string - type: object - operation: - description: Operation to execute on matched cluster. - enum: - - Add - - Remove - - Patch - type: string - value: - description: Value of xDS resource in YAML format to - add or patch. - type: string - required: - - operation - type: object - httpFilter: - description: HTTPFilter is a modification of Envoy HTTP - Filter available in HTTP Connection Manager in a Listener - resource. - properties: - match: - description: Match is a set of conditions that have - to be matched for modification operation to happen. - properties: - listenerName: - description: Name of the listener to match. - type: string - listenerTags: - additionalProperties: - type: string - description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] - type: object - name: - description: Name of the HTTP filter. For example - "envoy.filters.http.local_ratelimit" - type: string - origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. 
prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. - ingress - resources generated for Zone Ingress. - egress - resources generated for Zone Egress. - gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." - type: string - type: object - operation: - description: Operation to execute on matched listener. - enum: - - Remove - - Patch - - AddFirst - - AddBefore - - AddAfter - - AddLast - type: string - value: - description: Value of xDS resource in YAML format to - add or patch. - type: string - required: - - operation - type: object - listener: - description: Listener is a modification of Envoy's Listener - resource. - properties: - match: - description: Match is a set of conditions that have - to be matched for modification operation to happen. - properties: - name: - description: Name of the listener to match. - type: string - origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. - ingress - resources generated for Zone Ingress. - egress - resources generated for Zone Egress. - gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." 
- type: string - tags: - additionalProperties: - type: string - description: Tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] - type: object - type: object - operation: - description: Operation to execute on matched listener. - enum: - - Add - - Remove - - Patch - type: string - value: - description: Value of xDS resource in YAML format to - add or patch. - type: string - required: - - operation - type: object - networkFilter: - description: NetworkFilter is a modification of Envoy Listener's - filter. - properties: - match: - description: Match is a set of conditions that have - to be matched for modification operation to happen. - properties: - listenerName: - description: Name of the listener to match. - type: string - listenerTags: - additionalProperties: - type: string - description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] - type: object - name: - description: Name of the network filter. For example - "envoy.filters.network.ratelimit" - type: string - origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. - ingress - resources generated for Zone Ingress. - egress - resources generated for Zone Egress. - gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." - type: string - type: object - operation: - description: Operation to execute on matched listener. 
- enum: - - Remove - - Patch - - AddFirst - - AddBefore - - AddAfter - - AddLast - type: string - value: - description: Value of xDS resource in YAML format to - add or patch. - type: string - required: - - operation - type: object - virtualHost: - description: VirtualHost is a modification of Envoy's VirtualHost - referenced in HTTP Connection Manager in a Listener resource. - properties: - match: - description: Match is a set of conditions that have - to be matched for modification operation to happen. - properties: - name: - description: Name of the VirtualHost to match. - type: string - origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. - ingress - resources generated for Zone Ingress. - egress - resources generated for Zone Egress. - gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." - type: string - routeConfigurationName: - description: Name of the RouteConfiguration resource - to match. - type: string - type: object - operation: - description: Operation to execute on matched listener. - enum: - - Add - - Remove - - Patch - type: string - value: - description: Value of xDS resource in YAML format to - add or patch. - type: string - required: - - match - - operation - type: object - type: object - type: array - required: - - appendModifications - type: object - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. 
The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - default - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshratelimits.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshratelimits.yaml deleted file mode 100644 index 09f99334b865..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshratelimits.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshratelimits.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshRateLimit - listKind: MeshRateLimitList - plural: meshratelimits - singular: meshratelimit - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshRateLimit resource. - properties: - from: - description: From list makes a match between clients and corresponding - configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' - properties: - local: - description: LocalConf defines local http or/and tcp rate - limit configuration - properties: - http: - description: LocalHTTP defines configuration of local - HTTP rate limiting https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter - properties: - disabled: - description: Define if rate limiting should be disabled. 
- type: boolean - onRateLimit: - description: Describes the actions to take on a - rate limit event - properties: - headers: - description: The Headers to be added to the - HTTP response on a rate limit event - properties: - add: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - set: - items: - properties: - name: - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - status: - description: The HTTP status code to be set - on a rate limit event - format: int32 - type: integer - type: object - requestRate: - description: Defines how many requests are allowed - per interval. - properties: - interval: - description: The interval the number of units - is accounted for. - type: string - num: - description: Number of units per interval (depending - on usage it can be a number of requests, or - a number of connections). - format: int32 - type: integer - required: - - interval - - num - type: object - type: object - tcp: - description: LocalTCP defines confguration of local - TCP rate limiting https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter - properties: - connectionRate: - description: Defines how many connections are allowed - per interval. - properties: - interval: - description: The interval the number of units - is accounted for. - type: string - num: - description: Number of units per interval (depending - on usage it can be a number of requests, or - a number of connections). 
- format: int32 - type: integer - required: - - interval - - num - type: object - disabled: - description: 'Define if rate limiting should be - disabled. Default: false' - type: boolean - type: object - type: object - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: object - served: true - storage: true 
diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshretries.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshretries.yaml deleted file mode 100644 index 9f8d950f0dca..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshretries.yaml +++ /dev/null 
@@ -1,362 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshretries.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshRetry - listKind: MeshRetryList - plural: meshretries - singular: meshretry - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshRetry resource. - properties: - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. 
- Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - to: - description: To list makes a match between the consumed services and - corresponding configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' - properties: - grpc: - description: GRPC defines a configuration of retries for - GRPC traffic - properties: - backOff: - description: BackOff is a configuration of durations - which will be used in exponential backoff strategy - between retries. - properties: - baseInterval: - description: BaseInterval is an amount of time which - should be taken between retries. Must be greater - than zero. Values less than 1 ms are rounded up - to 1 ms. Default is 25ms. - type: string - maxInterval: - description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 10 times the "BaseInterval". - type: string - type: object - numRetries: - description: NumRetries is the number of attempts that - will be made on failed (and retriable) requests. - format: int32 - type: integer - perTryTimeout: - description: PerTryTimeout is the amount of time after - which retry attempt should timeout. Setting this timeout - to 0 will disable it. Default is 15s. - type: string - rateLimitedBackOff: - description: RateLimitedBackOff is a configuration of - backoff which will be used when the upstream returns - one of the headers configured. - properties: - maxInterval: - description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 300 seconds. - type: string - resetHeaders: - description: ResetHeaders specifies the list of - headers (like Retry-After or X-RateLimit-Reset) - to match against the response. Headers are tried - in order, and matched case-insensitive. The first - header to be parsed successfully is used. 
If no - headers match the default exponential BackOff - is used instead. - items: - properties: - format: - description: The format of the reset header, - either Seconds or UnixTimestamp. - enum: - - Seconds - - UnixTimestamp - type: string - name: - description: The Name of the reset header. - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - required: - - format - - name - type: object - type: array - type: object - retryOn: - description: 'RetryOn is a list of conditions which - will cause a retry. Available values are: [Canceled, - DeadlineExceeded, Internal, ResourceExhausted, Unavailable].' - items: - type: string - type: array - type: object - http: - description: HTTP defines a configuration of retries for - HTTP traffic - properties: - backOff: - description: BackOff is a configuration of durations - which will be used in exponential backoff strategy - between retries - properties: - baseInterval: - description: BaseInterval is an amount of time which - should be taken between retries. Must be greater - than zero. Values less than 1 ms are rounded up - to 1 ms. Default is 25ms. - type: string - maxInterval: - description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 10 times the "BaseInterval". - type: string - type: object - numRetries: - description: NumRetries is the number of attempts that - will be made on failed (and retriable) requests - format: int32 - type: integer - perTryTimeout: - description: PerTryTimeout is the amount of time after - which retry attempt should timeout. Setting this timeout - to 0 will disable it. Default is 15s. - type: string - rateLimitedBackOff: - description: RateLimitedBackOff is a configuration of - backoff which will be used when the upstream returns - one of the headers configured. - properties: - maxInterval: - description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 300 seconds. 
- type: string - resetHeaders: - description: ResetHeaders specifies the list of - headers (like Retry-After or X-RateLimit-Reset) - to match against the response. Headers are tried - in order, and matched case-insensitive. The first - header to be parsed successfully is used. If no - headers match the default exponential BackOff - is used instead. - items: - properties: - format: - description: The format of the reset header, - either Seconds or UnixTimestamp. - enum: - - Seconds - - UnixTimestamp - type: string - name: - description: The Name of the reset header. - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - required: - - format - - name - type: object - type: array - type: object - retriableRequestHeaders: - description: RetriableRequestHeaders is an HTTP headers - which must be present in the request for retries to - be attempted. - items: - description: HTTPHeaderMatch describes how to select - a HTTP route by matching HTTP request headers. - properties: - name: - description: Name is the name of the HTTP Header - to be matched. Name MUST be lower case as they - will be handled with case insensitivity (See - https://tools.ietf.org/html/rfc7230#section-3.2). - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: Type specifies how to match against - the value of the header. - enum: - - Exact - - Present - - RegularExpression - - Absent - - Prefix - type: string - value: - description: Value is the value of HTTP Header - to be matched. - type: string - required: - - name - - value - type: object - type: array - retriableResponseHeaders: - description: RetriableResponseHeaders is an HTTP response - headers that trigger a retry if present in the response. - A retry will be triggered if any of the header matches - match the upstream response headers. 
- items: - description: HTTPHeaderMatch describes how to select - a HTTP route by matching HTTP request headers. - properties: - name: - description: Name is the name of the HTTP Header - to be matched. Name MUST be lower case as they - will be handled with case insensitivity (See - https://tools.ietf.org/html/rfc7230#section-3.2). - maxLength: 256 - minLength: 1 - pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: Type specifies how to match against - the value of the header. - enum: - - Exact - - Present - - RegularExpression - - Absent - - Prefix - type: string - value: - description: Value is the value of HTTP Header - to be matched. - type: string - required: - - name - - value - type: object - type: array - retryOn: - description: 'RetryOn is a list of conditions which - will cause a retry. Available values are: [5XX, GatewayError, - Reset, Retriable4xx, ConnectFailure, EnvoyRatelimited, - RefusedStream, Http3PostConnectFailure, HttpMethodConnect, - HttpMethodDelete, HttpMethodGet, HttpMethodHead, HttpMethodOptions, - HttpMethodPatch, HttpMethodPost, HttpMethodPut, HttpMethodTrace]. - Also, any HTTP status code (500, 503, etc).' - items: - type: string - type: array - type: object - tcp: - description: TCP defines a configuration of retries for - TCP traffic - properties: - maxConnectAttempt: - description: MaxConnectAttempt is a maximal amount of - TCP connection attempts which will be made before - giving up - format: int32 - type: integer - type: object - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. 
Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtimeouts.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtimeouts.yaml deleted file mode 100644 index da628f22e362..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtimeouts.yaml +++ /dev/null 
@@ -1,243 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshtimeouts.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshTimeout - listKind: MeshTimeoutList - plural: meshtimeouts - singular: meshtimeout - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshTimeout resource. - properties: - from: - description: From list makes a match between clients and corresponding - configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' - properties: - connectionTimeout: - description: ConnectionTimeout specifies the amount of time - proxy will wait for an TCP connection to be established. - Default value is 5 seconds. Cannot be set to 0. - type: string - http: - description: Http provides configuration for HTTP specific - timeouts - properties: - maxConnectionDuration: - description: MaxConnectionDuration is the time after - which a connection will be drained and/or closed, - starting from when it was first established. 
Setting - this timeout to 0 will disable it. Disabled by default. - type: string - maxStreamDuration: - description: MaxStreamDuration is the maximum time that - a stream’s lifetime will span. Setting this timeout - to 0 will disable it. Disabled by default. - type: string - requestTimeout: - description: RequestTimeout The amount of time that - proxy will wait for the entire request to be received. - The timer is activated when the request is initiated, - and is disarmed when the last byte of the request - is sent, OR when the response is initiated. Setting - this timeout to 0 will disable it. Default is 15s. - type: string - streamIdleTimeout: - description: StreamIdleTimeout is the amount of time - that proxy will allow a stream to exist with no activity. - Setting this timeout to 0 will disable it. Default - is 30m - type: string - type: object - idleTimeout: - description: IdleTimeout is defined as the period in which - there are no bytes sent or received on connection Setting - this timeout to 0 will disable it. Be cautious when disabling - it because it can lead to connection leaking. Default - value is 1h. - type: string - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. 
Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - to: - description: To list makes a match between the consumed services and - corresponding configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' - properties: - connectionTimeout: - description: ConnectionTimeout specifies the amount of time - proxy will wait for an TCP connection to be established. - Default value is 5 seconds. Cannot be set to 0. - type: string - http: - description: Http provides configuration for HTTP specific - timeouts - properties: - maxConnectionDuration: - description: MaxConnectionDuration is the time after - which a connection will be drained and/or closed, - starting from when it was first established. Setting - this timeout to 0 will disable it. Disabled by default. - type: string - maxStreamDuration: - description: MaxStreamDuration is the maximum time that - a stream’s lifetime will span. Setting this timeout - to 0 will disable it. Disabled by default. 
- type: string - requestTimeout: - description: RequestTimeout The amount of time that - proxy will wait for the entire request to be received. - The timer is activated when the request is initiated, - and is disarmed when the last byte of the request - is sent, OR when the response is initiated. Setting - this timeout to 0 will disable it. Default is 15s. - type: string - streamIdleTimeout: - description: StreamIdleTimeout is the amount of time - that proxy will allow a stream to exist with no activity. - Setting this timeout to 0 will disable it. Default - is 30m - type: string - type: object - idleTimeout: - description: IdleTimeout is defined as the period in which - there are no bytes sent or received on connection Setting - this timeout to 0 will disable it. Be cautious when disabling - it because it can lead to connection leaking. Default - value is 1h. - type: string - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtraces.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtraces.yaml deleted file mode 100644 index 69fbf29e5585..000000000000 
--- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtraces.yaml +++ /dev/null 
@@ -1,201 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshtraces.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshTrace - listKind: MeshTraceList - plural: meshtraces - singular: meshtrace - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshTrace resource. - properties: - default: - description: MeshTrace configuration. - properties: - backends: - description: A one element array of backend definition. Envoy - allows configuring only 1 backend, so the natural way of representing - that would be just one object. Unfortunately due to the reasons - explained in MADR 009-tracing-policy this has to be a one element - array for now. - items: - description: Only one of zipkin or datadog can be used. - properties: - datadog: - description: Datadog backend configuration. - properties: - splitService: - description: 'Determines if datadog service name should - be split based on traffic direction and destination. 
- For example, with `splitService: true` and a `backend` - service that communicates with a couple of databases, - you would get service names like `backend_INBOUND`, - `backend_OUTBOUND_db1`, and `backend_OUTBOUND_db2` - in Datadog. Default: false' - type: boolean - url: - description: Address of Datadog collector, only host - and port are allowed (no paths, fragments etc.) - type: string - required: - - url - type: object - zipkin: - description: Zipkin backend configuration. - properties: - apiVersion: - default: httpJson - description: 'Version of the API. values: httpJson, - httpProto. Default: httpJson see https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L66' - enum: - - httpJson - - httpProto - type: string - sharedSpanContext: - description: 'Determines whether client and server spans - will share the same span context. Default: true. https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L63' - type: boolean - traceId128bit: - description: 'Generate 128bit traces. Default: false' - type: boolean - url: - description: Address of Zipkin collector. - type: string - required: - - url - type: object - type: object - type: array - sampling: - description: Sampling configuration. Sampling is the process by - which a decision is made on whether to process/export a span - or not. - properties: - client: - anyOf: - - type: integer - - type: string - description: 'Target percentage of requests that will be force - traced if the ''x-client-trace-id'' header is set. Default: - 100% Mirror of client_sampling in Envoy https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L127-L133 - Either int or decimal represented as string.' 
- x-kubernetes-int-or-string: true - overall: - anyOf: - - type: integer - - type: string - description: 'Target percentage of requests will be traced - after all other sampling checks have been applied (client, - force tracing, random sampling). This field functions as - an upper limit on the total configured sampling rate. For - instance, setting client_sampling to 100% but overall_sampling - to 1% will result in only 1% of client requests with the - appropriate headers to be force traced. Default: 100% Mirror - of overall_sampling in Envoy https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L142-L150 - Either int or decimal represented as string.' - x-kubernetes-int-or-string: true - random: - anyOf: - - type: integer - - type: string - description: 'Target percentage of requests that will be randomly - selected for trace generation, if not requested by the client - or not forced. Default: 100% Mirror of random_sampling in - Envoy https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L135-L140 - Either int or decimal represented as string.' - x-kubernetes-int-or-string: true - type: object - tags: - description: Custom tags configuration. You can add custom tags - to traces based on headers or literal values. - items: - description: Custom tags configuration. Only one of literal - or header can be used. - properties: - header: - description: Tag taken from a header. - properties: - default: - description: Default value to use if header is missing. - If the default is missing and there is no value the - tag will not be included. - type: string - name: - description: Name of the header. - type: string - required: - - name - type: object - literal: - description: Tag taken from literal value. - type: string - name: - description: Name of the tag. 
- type: string - required: - - name - type: object - type: array - type: object - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtrafficpermissions.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtrafficpermissions.yaml deleted file mode 100644 index 02f3882e4dbc..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_meshtrafficpermissions.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: meshtrafficpermissions.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: MeshTrafficPermission - listKind: MeshTrafficPermissionList - plural: meshtrafficpermissions - singular: meshtrafficpermission - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma MeshTrafficPermission - resource. - properties: - from: - description: From list makes a match between clients and corresponding - configurations - items: - properties: - default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' - properties: - action: - description: 'Action defines a behavior for the specified - group of clients:' - enum: - - Allow - - Deny - - AllowWithShadowDeny - type: string - type: object - targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. 
- properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify - cross mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: array - targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. - properties: - kind: - description: Kind of the referenced resource - enum: - - Mesh - - MeshSubset - - MeshService - - MeshServiceSubset - - MeshGatewayRoute - type: string - mesh: - description: Mesh is reserved for future use to identify cross - mesh resources. - type: string - name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' - type: string - tags: - additionalProperties: - type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` - type: object - type: object - required: - - targetRef - type: object - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_proxytemplates.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_proxytemplates.yaml deleted file mode 100644 index 2aeae60783cc..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_proxytemplates.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: proxytemplates.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ProxyTemplate - listKind: ProxyTemplateList - plural: proxytemplates - singular: proxytemplate - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ProxyTemplate resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_ratelimits.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_ratelimits.yaml deleted file mode 100644 index 7c50a9dd1418..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_ratelimits.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: ratelimits.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: RateLimit - listKind: RateLimitList - plural: ratelimits - singular: ratelimit - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma RateLimit resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_retries.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_retries.yaml deleted file mode 100644 index e2b50cc9f1d6..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_retries.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: retries.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: Retry - listKind: RetryList - plural: retries - singular: retry - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma Retry resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_serviceinsights.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_serviceinsights.yaml deleted file mode 100644 index ba266b6ff935..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_serviceinsights.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: serviceinsights.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ServiceInsight - listKind: ServiceInsightList - plural: serviceinsights - singular: serviceinsight - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ServiceInsight resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_timeouts.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_timeouts.yaml deleted file mode 100644 index 268eec1e4510..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_timeouts.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: timeouts.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: Timeout - listKind: TimeoutList - plural: timeouts - singular: timeout - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma Timeout resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficlogs.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficlogs.yaml deleted file mode 100644 index 50a7c23b9a8e..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficlogs.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: trafficlogs.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: TrafficLog - listKind: TrafficLogList - plural: trafficlogs - singular: trafficlog - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma TrafficLog resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficpermissions.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficpermissions.yaml deleted file mode 100644 index 74e9ac557141..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficpermissions.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: trafficpermissions.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: TrafficPermission - listKind: TrafficPermissionList - plural: trafficpermissions - singular: trafficpermission - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma TrafficPermission resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficroutes.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficroutes.yaml deleted file mode 100644 index 5f539139f329..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_trafficroutes.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: trafficroutes.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: TrafficRoute - listKind: TrafficRouteList - plural: trafficroutes - singular: trafficroute - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma TrafficRoute resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_traffictraces.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_traffictraces.yaml deleted file mode 100644 index 8c09731c09ce..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_traffictraces.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: traffictraces.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: TrafficTrace - listKind: TrafficTraceList - plural: traffictraces - singular: traffictrace - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma TrafficTrace resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_virtualoutbounds.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_virtualoutbounds.yaml deleted file mode 100644 index 241a24648794..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_virtualoutbounds.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: virtualoutbounds.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: VirtualOutbound - listKind: VirtualOutboundList - plural: virtualoutbounds - singular: virtualoutbound - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma VirtualOutbound resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneegresses.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneegresses.yaml deleted file mode 100644 index 38eb83ee1171..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneegresses.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: zoneegresses.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ZoneEgress - listKind: ZoneEgressList - plural: zoneegresses - singular: zoneegress - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ZoneEgress resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneegressinsights.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneegressinsights.yaml deleted file mode 100644 index 76c36f7375af..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneegressinsights.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: zoneegressinsights.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ZoneEgressInsight - listKind: ZoneEgressInsightList - plural: zoneegressinsights - singular: zoneegressinsight - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ZoneEgressInsight resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneingresses.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneingresses.yaml deleted file mode 100644 index 41b2928e656f..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneingresses.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: zoneingresses.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ZoneIngress - listKind: ZoneIngressList - plural: zoneingresses - singular: zoneingress - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ZoneIngress resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneingressinsights.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneingressinsights.yaml deleted file mode 100644 index 1898e0aec459..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneingressinsights.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: zoneingressinsights.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ZoneIngressInsight - listKind: ZoneIngressInsightList - plural: zoneingressinsights - singular: zoneingressinsight - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ZoneIngressInsight - resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneinsights.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneinsights.yaml deleted file mode 100644 index 9d5237d865a5..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zoneinsights.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: zoneinsights.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: ZoneInsight - listKind: ZoneInsightList - plural: zoneinsights - singular: zoneinsight - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma ZoneInsight resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zones.yaml b/app/assets/mesh/2.1.x/raw/crds/kuma.io_zones.yaml deleted file mode 100644 index 40970ab6a7a3..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/kuma.io_zones.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: zones.kuma.io -spec: - group: kuma.io - names: - categories: - - kuma - kind: Zone - listKind: ZoneList - plural: zones - singular: zone - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. - It may be omitted for cluster-scoped resources. - type: string - metadata: - type: object - spec: - description: Spec is the specification of the Kuma Zone resource. - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true diff --git a/app/assets/mesh/2.1.x/raw/crds/opa-policy.yaml b/app/assets/mesh/2.1.x/raw/crds/opa-policy.yaml deleted file mode 100644 index fb4111fe1e95..000000000000 --- a/app/assets/mesh/2.1.x/raw/crds/opa-policy.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: opapolicies.kuma.io -spec: - group: kuma.io - names: - kind: OPAPolicy - plural: opapolicies - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - description: OPAPolicy is the Schema for the opapolicy API - properties: - mesh: - type: string - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object diff --git a/app/assets/mesh/2.1.x/raw/helm-values.yaml b/app/assets/mesh/2.1.x/raw/helm-values.yaml deleted file mode 100644 index 2c094784ee79..000000000000 --- a/app/assets/mesh/2.1.x/raw/helm-values.yaml +++ /dev/null @@ -1,41 +0,0 @@ -kuma: - nameOverride: kong-mesh - # The default registry and tag to use for all Kuma images - global: - image: - registry: "docker.io/kong" - tag: - - controlPlane: - secrets: # {Env: "KMESH_LICENSE_INLINE", Secret: "kong-mesh-license", Key: "license"} - image: - repository: "kuma-cp" - webhooks: - validator: - additionalRules: | - - apiGroups: - - kuma.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - - DELETE - resources: - - opapolicies - - accessaudits - - accessroles - - accessrolebindings - ownerReference: - additionalRules: | - - apiGroups: - - kuma.io - apiVersions: - - v1alpha1 - operations: - - CREATE - resources: - - opapolicies - plugins: - policies: - meshopas: {} diff --git a/app/assets/mesh/2.1.x/raw/kuma-cp.yaml b/app/assets/mesh/2.1.x/raw/kuma-cp.yaml deleted file mode 100644 index a39ff322fc10..000000000000 --- a/app/assets/mesh/2.1.x/raw/kuma-cp.yaml +++ /dev/null 
@@ -1,623 +0,0 @@ -# Environment type. Available values are: "kubernetes" or "universal" -environment: universal # ENV: KUMA_ENVIRONMENT -# Mode in which Kuma CP is running. Available values are: "standalone", "global", "zone" -mode: standalone # ENV: KUMA_MODE -# Resource Store configuration -store: - # Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory" - type: memory # ENV: KUMA_STORE_TYPE - # Kubernetes Store configuration (used when store.type=kubernetes) - kubernetes: - # Namespace where Control Plane is installed to. - systemNamespace: kuma-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE - # Postgres Store configuration (used when store.type=postgres) - postgres: - # Host of the Postgres DB - host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST - # Port of the Postgres DB - port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT - # User of the Postgres DB - user: kuma # ENV: KUMA_STORE_POSTGRES_USER - # Password of the Postgres DB - password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD - # Database name of the Postgres DB - dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME - # Connection Timeout to the DB in seconds - connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT - # Maximum number of open connections to the database - # `0` value means number of open connections is unlimited - maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS - # Maximum number of connections in the idle connection pool - # <0 value means no idle connections and 0 means default max idle connections - maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS - # TLS settings - tls: - # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" - mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE - # Path to TLS Certificate of the client. Used in verifyCa and verifyFull modes - certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH - # Path to TLS Key of the client. 
Used in verifyCa and verifyFull modes - keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH - # Path to the root certificate. Used in verifyCa and verifyFull modes. - caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH - # MinReconnectInterval controls the duration to wait before trying to - # re-establish the database connection after connection loss. After each - # consecutive failure this interval is doubled, until MaxReconnectInterval - # is reached. Successfully completing the connection establishment procedure - # resets the interval back to MinReconnectInterval. - minReconnectInterval: "10s" # ENV: KUMA_STORE_POSTGRES_MIN_RECONNECT_INTERVAL - # MaxReconnectInterval controls the maximum possible duration to wait before trying - # to re-establish the database connection after connection loss. - maxReconnectInterval: "60s" # ENV: KUMA_STORE_POSTGRES_MAX_RECONNECT_INTERVAL - # Cache for read only operations. This cache is local to the instance of the control plane. - cache: - # If true then cache is enabled - enabled: true # ENV: KUMA_STORE_CACHE_ENABLED - # Expiration time for elements in cache. - expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME - # Upsert (get and update) configuration - upsert: - # Base time for exponential backoff on upsert operations when retry is enabled - conflictRetryBaseBackoff: 100ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF - # Max retries on upsert (get and update) operation when retry is enabled - conflictRetryMaxTimes: 5 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES - # If true, skips validation of resource delete. 
- # For example you don't have to delete all Dataplane objects before you delete a Mesh - unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE -# Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes -bootstrapServer: - # Parameters of bootstrap configuration - params: - # Address of Envoy Admin - adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS - # Port of Envoy Admin - adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT - # Path to access log file of Envoy Admin - adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH - # Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane - xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST - # Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT - xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT - # Connection timeout to the XDS Server - xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT -# Monitoring Assignment Discovery Service (MADS) server configuration -monitoringAssignmentServer: - # Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS). - port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT - # Which MADS API versions to serve - apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS - # Interval for re-generating monitoring assignments for clients connected to the Control Plane. 
- assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL - # The default timeout for a single fetch-based discovery request, if not specified - defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT - # Path to TLS certificate file - tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE - # Path to TLS key file - tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE - # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. - tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION - # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. - tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION - # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. - tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES -# Envoy XDS server configuration -xdsServer: - # Interval for re-genarting configuration for Dataplanes connected to the Control Plane - dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL - # Interval for flushing status of Dataplanes connected to the Control Plane - dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL - # Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane - nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF - # A delay between proxy terminating a connection and the CP trying to deregister the proxy. - # It is used only in universal mode when you use direct lifecycle. - # Setting this setting to 0s disables the delay. - # Disabling this may cause race conditions that one instance of CP removes proxy object - # while proxy is connected to another instance of the CP. 
- dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY -# API Server configuration -apiServer: - # HTTP configuration of the API Server - http: - # If true then API Server will be served on HTTP - enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED - # Network interface on which HTTP API Server will be exposed - interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE - # Port of the API Server - port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT - # HTTPS configuration of the API Server - https: - # If true then API Server will be served on HTTPS - enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED - # Network interface on which HTTPS API Server will be exposed - interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE - # Port of the HTTPS API Server - port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT - # Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty - tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE - # Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty - tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE - # Path to the CA certificate which is used to sign client certificates. It is used only for verifying client certificates. - tlsCaFile: "" # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE - # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. - tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION - # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. - tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION - # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. - tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES - # If true, then HTTPS connection will require client cert. 
- requireClientCert: false # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT - # Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets - auth: - # Directory of authorized client certificates (only validate in HTTPS) - clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR - # Api Server Authentication configuration - authn: - # Type of authentication mechanism (available values: "adminClientCerts", "tokens") - type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE - # Localhost is authenticated as a user admin of group admin - localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN - # Configuration for tokens authentication - tokens: - # If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret - bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN - # If true, then API Server will operate in read only mode (serving GET requests) - readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY - # Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp - corsAllowedDomains: - - ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS - # Can be used if you use a reverse proxy - rootUrl: "" # ENV: KUMA_API_SERVER_ROOT_URL - # The path to serve the API from - basePath: "/" # ENV: KUMA_API_SERVER_BASE_PATH - # configuration specific to the GUI - gui: - # Whether to serve the gui (if mode=zone this has no effect) - enabled: true # ENV: KUMA_API_SERVER_GUI_ENABLED - # Can be used if you use a reverse proxy or want to serve the gui from a different path - rootUrl: "" # ENV: KUMA_API_SERVER_GUI_ROOT_URL - # The path to serve the GUI from - basePath: "/gui" # ENV: KUMA_API_SERVER_GUI_BASE_PATH -# Environment-specific configuration -runtime: - # Kubernetes-specific configuration - kubernetes: - # Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL. 
- controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME - # Name of Service Account that is used to run the Control Plane - serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME - # Taint controller that prevents applications from scheduling until CNI is ready. - nodeTaintController: - # If true enables the taint controller. - enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED - # Value of app label on CNI pod that indicates if node can be ready. - cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP - # Admission WebHook Server configuration - admissionServer: - # Address the Admission WebHook Server should be listening on - address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS - # Port the Admission WebHook Server should be listening on - port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT - # Directory with a TLS cert and private key for the Admission WebHook Server. - # TLS certificate file must be named `tls.crt`. - # TLS key file must be named `tls.key`. - certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir - # Injector defines configuration of a Kuma Sidecar Injector. - injector: - # if true runs kuma-cp in CNI compatible mode - cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED - # list of exceptions for Kuma injection - exceptions: - # a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value. - labels: - openshift.io/build.name: "*" - openshift.io/deployer-pod-for.name: "*" - # VirtualProbesEnabled enables automatic converting HttpGet probes to virtual. 
Virtual probe
- # serves on sub-path of insecure port 'virtualProbesPort',
- # i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort
- virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED
- # VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS
- virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT
- # CaCertFile is CA certificate which will be used to verify a connection to the control plane.
- caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
- # SidecarContainer defines configuration of the Kuma sidecar container.
- sidecarContainer:
- # Image name.
- image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
- # Redirect port for inbound traffic.
- redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND
- # Redirect port for inbound traffic.
- redirectPortInboundV6: 15010 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6
- # Redirect port for outbound traffic.
- redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND
- # User ID.
- uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID
- # Group ID.
- gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI
- # Drain time for listeners.
- drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME
- # Readiness probe.
- readinessProbe:
- # Number of seconds after the container has started before readiness probes are initiated.
- initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS
- # Number of seconds after which the probe times out.
- timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS
- # Number of seconds after which the probe times out.
- periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS
- # Minimum consecutive successes for the probe to be considered successful after having failed.
- successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD
- # Minimum consecutive failures for the probe to be considered failed after having succeeded.
- failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD
- # Liveness probe.
- livenessProbe:
- # Number of seconds after the container has started before liveness probes are initiated.
- initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS
- # Number of seconds after which the probe times out.
- timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS
- # How often (in seconds) to perform the probe.
- periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS
- # Minimum consecutive failures for the probe to be considered failed after having succeeded.
- failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD
- # Compute resource requirements.
- resources:
- # Minimum amount of compute resources required.
- requests:
- # CPU, in cores. (500m = .5 cores)
- cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU
- # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
- memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY
- # Maximum amount of compute resources allowed.
- limits:
- # CPU, in cores. (500m = .5 cores)
- cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU
- # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
- memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY
- # Additional environment variables that can be placed on Kuma DP sidecar
- envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS
- # InitContainer defines configuration of the Kuma init container
- initContainer:
- # Image name.
- image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
- # ContainerPatches is an optional list of ContainerPatch names which will be applied
- # to init and sidecar containers if workload is not annotated with a patch list.
- containerPatches: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES
- # Configuration for a traffic that is intercepted by sidecar
- sidecarTraffic:
- # List of inbound ports that will be excluded from interception.
- # This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod.
- excludeInboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS
- # List of outbound ports that will be excluded from interception.
- # This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod.
- excludeOutboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS
- builtinDNS:
- # Use the built-in DNS
- enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED
- # Redirect port for DNS
- port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT
- transparentProxyV2: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_V2
- # EBPF defines configuration for the ebpf, when transparent proxy is marked to be
- # installed using ebpf instead of iptables
- ebpf:
- # Install transparent proxy using ebpf
- enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
- # Name of the environmental variable which will include IP address of the pod
- instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME
- # Path where BPF file system will be mounted for pinning ebpf programs and maps
- bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH
- # Path of mounted cgroup2
- cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH
- # Name of the network interface which should be used to attach to it TC programs
- # when not specified, we will try to automatically determine it
- tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE
- # Path where compiled eBPF programs are placed
- programsSourcePath: /kuma/ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
- marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME
- # Universal-specific configuration
- universal:
- # DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC
- dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE
-# Default Kuma entities configuration
-defaults:
- # If true, it skips creating the default Mesh
- skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
- # If true, instead of providing inbound clusters with address of dataplane, generates cluster with localhost.
- # Enabled can cause security threat by exposing application listing on localhost. This configuration is going to
- # be removed in the future.
- enableLocalhostInboundClusters: false #ENV: KUMA_DEFAULTS_ENABLE_LOCALHOST_INBOUND_CLUSTERS
-# Metrics configuration
-metrics:
- dataplane:
- # How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited
- subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT
- # How long data plane proxy can stay Online without active xDS connection
- idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT
- zone:
- # How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited
- subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT
- # How long zone can stay Online without active KDS connection
- idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT
- mesh:
- # Min time that should pass between MeshInsight resync
- minResyncTimeout: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_TIMEOUT
- # Max time that MeshInsight could spend without resync
- maxResyncTimeout: 20s # ENV: KUMA_METRICS_MESH_MAX_RESYNC_TIMEOUT
-# Reports configuration
-reports:
- # If true then usage stats will be reported
- enabled: false # ENV: KUMA_REPORTS_ENABLED
-# General configuration
-general:
- # dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name
- dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL
- # TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers.
- tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE
- # TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers.
- tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE
- # TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
- tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION
- # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
- tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION
- # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
- tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES
- # WorkDir defines a path to the working directory
- # Kuma stores in this directory autogenerated entities like certificates.
- # If empty then the working directory is $HOME/.kuma
- workDir: "" # ENV: KUMA_GENERAL_WORK_DIR
-# DNS Server configuration
-dnsServer:
- # The domain that the server will resolve the services for
- domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN
- # The CIDR range used to allocate
- CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR
- # Will create a service ".mesh" dns entry for every service.
- serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED
- # The port to use along with the `.mesh` dns entry
- serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT
-# Multizone mode
-multizone:
- global:
- kds:
- # Port of a gRPC server that serves Kuma Discovery Service (KDS).
- grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT
- # Interval for refreshing state of the world
- refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
- # Interval for flushing Zone Insights (stats of multi-zone communication)
- zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
- # TlsCertFile defines a path to a file with PEM-encoded TLS cert.
- tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
- # TlsKeyFile defines a path to a file with PEM-encoded TLS key.
- tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
- # TlsMinVersion the minimum version of TLS
- tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION
- # TlsMaxVersion the maximum version of TLS
- tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION
- # TlsCipherSuites the list of cipher suites
- tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES
- # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
- # In practice this means a limit on full list of one resource type.
- maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE
- # MsgSendTimeout defines a timeout on sending a single KDS message.
- # KDS stream between control planes is terminated if the control plane hits this timeout.
- msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT
- zone:
- # Kuma Zone name used to mark the zone dataplane resources
- name: "" # ENV: KUMA_MULTIZONE_ZONE_NAME
- # GlobalAddress URL of Global Kuma CP
- globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
- kds:
- # Interval for refreshing state of the world
- refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL
- # RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it.
- rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
- # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
- # In practice this means a limit on full list of one resource type.
- maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE
- # MsgSendTimeout defines a timeout on sending a single KDS message.
- # KDS stream between control planes is terminated if the control plane hits this timeout.
- msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT
-# Diagnostics configuration
-diagnostics:
- # Port of Diagnostic Server for checking health and readiness of the Control Plane
- serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT
- # If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints
- debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS
- # Whether tls is enabled or not
- tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED
- # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
- tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE
- # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
- tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE
- # TlsMinVersion the minimum version of TLS
- tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION
- # TlsMaxVersion the maximum version of TLS
- tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION
- # TlsCipherSuites the list of cipher suites
- tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES
-# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.
-dpServer:
- # Port of the DP Server
- port: 5678 # ENV: KUMA_DP_SERVER_PORT
- # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
- tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE
- # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
- tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE
- # TlsMinVersion the minimum version of TLS
- tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION
- # TlsMaxVersion the maximum version of TLS
- tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION
- # TlsCipherSuites the list of cipher suites
- tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES
- # Auth defines an authentication configuration for the DP Server
- auth:
- # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
- # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
- type: "" # ENV: KUMA_DP_SERVER_AUTH_TYPE
- # Hds defines a Health Discovery Service configuration
- hds:
- # Enabled if true then Envoy will actively check application's ports, but only on Universal.
- # On Kubernetes this feature disabled for now regardless the flag value
- enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED
- # Interval for Envoy to send statuses for HealthChecks
- interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL
- # RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane
- refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL
- # Check defines a HealthCheck configuration
- checkDefaults:
- # Timeout is a time to wait for a health check response. If the timeout is reached the
- # health check attempt will be considered a failure
- timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT
- # Interval between health checks
- interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL
- # NoTrafficInterval is a special health check interval that is used when a cluster has
- # never had traffic routed to it
- noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL
- # HealthyThreshold is a number of healthy health checks required before a host is marked healthy
- healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD
- # UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy
- unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD
-# Intercommunication CP configuration
-interCp:
- # Catalog configuration. Catalog keeps a record of all live CP instances in the zone.
- catalog:
- # Indicates an address on which other control planes can communicate with this CP.
- # If empty then it's autoconfigured by taking the first IP of the nonloopback network interface.
- instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
- # Interval on which CP will send heartbeat to a leader.
- heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL
- # Interval on which CP will write all instances to a catalog.
- writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL
- # Intercommunication CP server configuration
- server:
- # Port of the inter-cp server
- port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT
- # TlsMinVersion the minimum version of TLS
- tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION
- # TlsMaxVersion the maximum version of TLS
- tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION
- # TlsCipherSuites the list of cipher suites
- tlsCipherSuites: [] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES
-# Access Control configuration
-access:
- # Type of access strategy (available values: "static", "rbac")
- type: rbac
- # Configuration of static access strategy
- static:
- # AdminResources defines an access to admin resources (Secret/GlobalSecret)
- adminResources:
- # List of users that are allowed to access admin resources
- users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS
- # List of groups that are allowed to access admin resources
- groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS
- # GenerateDPToken defines an access to generating dataplane token
- generateDpToken:
- # List of users that are allowed to generate dataplane token
- users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS
- # List of groups that are allowed to generate dataplane token
- groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS
- # GenerateUserToken defines an access to generating user token
- generateUserToken:
- # List of users that are allowed to generate user token
- users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS
- # List of groups that are allowed to generate user token
- groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS
- # GenerateZoneToken defines an access to generating zone token
- generateZoneToken:
- # List of users that are allowed to generate zone token
- users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS
- # List of groups that are allowed to generate zone token
- groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS
- viewConfigDump:
- # List of users that are allowed to get envoy config dump
- users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS
- # List of groups that are allowed to get envoy config dump
- groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS
- viewStats:
- # List of users that are allowed to get envoy stats
- users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS
- # List of groups that are allowed to get envoy stats
- groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS
- viewClusters:
- # List of users that are allowed to get envoy clusters
- users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS
- # List of groups that are allowed to get envoy clusters
- groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS
-# Configuration of experimental features of Kuma
-experimental:
- # If true, experimental Gateway API is enabled
- gatewayAPI: false # ENV: KUMA_EXPERIMENTAL_GATEWAY_API
- # If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap
- # This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config
- kubeOutboundsAsVIPs: false # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS
-proxy:
- gateway:
- # Sets the envoy runtime value to limit maximum number of incoming
- # connections to a builtin gateway data plane proxy
- globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS
-kmesh:
- # License of Kong Mesh
- license:
- # Inline string of the Kong Mesh license
- # inline: "" # ENV: KMESH_LICENSE_INLINE
- # Path to a file with the Kong Mesh license
- path: "" # ENV: KMESH_LICENSE_PATH
- opa:
- # Interval for re-generating OPA configuration for Dataplanes connected to the Control Plane
- configurationRefreshInterval: 1s # ENV: KMESH_OPA_CONFIGURATION_REFRESH_INTERVAL
- # Backoff that is executed when Control Plane is sending the response that was previously rejected by OPA
- nackBackoff: 5s # ENV: KMESH_OPA_CONFIGURATION_NACK_BACKOFF
- multizone:
- global:
- kds:
- auth:
- # The way how Global Control Plane authenticates the Zone Control Planes. Available values ("none", "cpToken")
- type: none # KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE
- zone:
- kds:
- auth:
- # Control Plane Token provided as a string
- cpTokenInline: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE
- # Control Plane Token provided as a file
- cpTokenPath: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH
- access:
- static:
- generateCpToken:
- # List of users that are allowed to generate control plane token
- users: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_USERS
- # List of groups that are allowed to generate control plane token
- groups: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_GROUPS
- rbac:
- # LogActions defines actions that will be logged when RBAC is resolved. Allowed values: "allowed", "denied"
- logActions: ["allowed", "denied"]
- # DefaultAdminRoleUsers defines a list of users to be added to the default list of admins.
- defaultAdminRoleUsers: []
- # Configuration for recording all the actions in the system.
- audit:
- # Types that are skipped by default when `types` list in AccessAudit resource is empty
- skipDefaultTypes: ["DataplaneInsight", "ZoneIngressInsight", "ZoneEgressInsight", "ZoneInsight", "ServiceInsight", "MeshInsight"]
- # List of backends for auditing. If empty, no audit is recorded.
- backends: []
- #
- # type of logging backend. Available values: "file"
- # type: file
- # # Settings of a file backend used when the type is set to "file"
- # file:
- # # Path to the file that will be filled with logs
- # path: /tmp/access.logs
- # rotation:
- # # If true, rotation is enabled.
- # # Example: if we set path to /tmp/kuma.log then after the file is rotated we will have /tmp/kuma-2021-06-07T09-15-18.265.log
- # enabled: true
- # # Maximum number of the old log files to retain
- # maxRetainedFiles: 10
- # # Maximum size in megabytes of a log file before it gets rotated
- # maxSizeMb: 100
- # # Maximum number of days to retain old log files based on the timestamp encoded in their filename
- # maxAgeDays: 30
- ca:
- vault:
- # Interval for checking whether any referenced Vault tokens have changed.
- # A value of 0 disables the check.
- # This check is necessary to detect updates to a Vault token stored in a secret.
- # Keep this interval shorter than the value of the Vault token's TTL.
- # The default is 30s, which works well for tokens with a TTL longer than 60s.
- # If the token TTL is shorter than 60s, you may need to decrease this value.
- # When only tokens with `inline` or `inlineString` are set, you can disable this.
- tokenChangeCheckInterval: 30s # ENV: KMESH_CA_VAULT_TOKEN_CHANGE_CHECK_INTERVAL
diff --git a/app/assets/mesh/2.1.x/raw/protos/OPAPolicy.json b/app/assets/mesh/2.1.x/raw/protos/OPAPolicy.json
deleted file mode 100644
index 5a721aa90351..000000000000
--- a/app/assets/mesh/2.1.x/raw/protos/OPAPolicy.json
+++ /dev/null
@@ -1,132 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-04/schema#",
- "$ref": "#/definitions/OPAPolicy",
- "definitions": {
- "OPAPolicy": {
- "properties": {
- "selectors": {
- "items": {
- "$ref": "#/definitions/kuma.mesh.v1alpha1.Selector"
- },
- "type": "array",
- "description": "List of selectors to match dataplanes."
- },
- "conf": {
- "$ref": "#/definitions/kuma.plugins.policies.OPAPolicy.Conf",
- "additionalProperties": true,
- "description": "Configuration of the policy."
- }
- },
- "additionalProperties": true,
- "type": "object",
- "title": "OPA Policy",
- "description": "OPAPolicy defines OpenPolicyAgent policy for selected Dataplanes"
- },
- "kuma.mesh.v1alpha1.Selector": {
- "properties": {
- "match": {
- "additionalProperties": {
- "type": "string"
- },
- "type": "object",
- "description": "Tags to match, can be used for both source and destinations"
- }
- },
- "additionalProperties": true,
- "type": "object",
- "title": "Selector",
- "description": "Selector defines structure for selecting tags for given dataplane"
- },
- "kuma.plugins.policies.OPAPolicy.Conf": {
- "properties": {
- "agentConfig": {
- "$ref": "#/definitions/kuma.system.v1alpha1.DataSource",
- "additionalProperties": true,
- "description": "AgentConfig defines bootstrap OPA agent configuration."
- },
- "policies": {
- "items": {
- "$ref": "#/definitions/kuma.system.v1alpha1.DataSource"
- },
- "type": "array",
- "description": "Policies define data source for a policies. Available values: secret, inline, inlineString."
- },
- "authConfig": {
- "$ref": "#/definitions/kuma.plugins.policies.OPAPolicy.Conf.AuthConf",
- "additionalProperties": true,
- "description": "AuthConfig are configurations specific to the filter."
- }
- },
- "additionalProperties": true,
- "type": "object",
- "title": "Conf",
- "description": "Conf defines settings of the policy."
- },
- "kuma.plugins.policies.OPAPolicy.Conf.AuthConf": {
- "properties": {
- "statusOnError": {
- "type": "integer",
- "description": "statusOnError is the http status to return when there's a connection failure between the dataplane and the authorization agent"
- },
- "onAgentFailure": {
- "type": "string",
- "description": "onAgentFailure either 'allow' or 'deny' (default to deny) whether or not to allow requests when the authorization agent failed."
- },
- "requestBody": {
- "$ref": "#/definitions/kuma.plugins.policies.OPAPolicy.Conf.AuthConf.RequestBodyConf",
- "additionalProperties": true,
- "description": "requestBody configuration to apply on the request body sent to the authorization agent (if absent, the body is not sent)."
- },
- "timeout": {
- "pattern": "^([0-9]+\\.?[0-9]*|\\.[0-9]+)s$",
- "type": "string",
- "description": "The timeout for the single gRPC request from Envoy to OPA Agent.",
- "format": "regex"
- }
- },
- "additionalProperties": true,
- "type": "object",
- "title": "Auth Conf"
- },
- "kuma.plugins.policies.OPAPolicy.Conf.AuthConf.RequestBodyConf": {
- "properties": {
- "maxSize": {
- "type": "integer",
- "description": "The maximum payload size sent to authorization agent. If the payload is larger it will be truncated and there will be a header `x-envoy-auth-partial-body: true`. If it is set to 0 no body will be sent to the agent."
- },
- "sendRawBody": {
- "type": "boolean",
- "description": "Send a raw body instead of the body encoded into UTF-8"
- }
- },
- "additionalProperties": true,
- "type": "object",
- "title": "Request Body Conf"
- },
- "kuma.system.v1alpha1.DataSource": {
- "properties": {
- "secret": {
- "type": "string",
- "description": "Data source is a secret with given Secret key."
- },
- "file": {
- "type": "string",
- "description": "Data source is a path to a file. Deprecated, use other sources of a data."
- },
- "inline": {
- "additionalProperties": true,
- "type": "string",
- "description": "Data source is inline bytes."
- },
- "inlineString": {
- "type": "string",
- "description": "Data source is inline string"
- }
- },
- "additionalProperties": true,
- "type": "object",
- "title": "Data Source",
- "description": "DataSource defines the source of bytes to use."
- }
- }
-}
\ No newline at end of file
diff --git a/app/mesh/1.2.x/features/fips-support.md b/app/mesh/1.2.x/features/fips-support.md
deleted file mode 100644
index 08db52166d88..000000000000
--- a/app/mesh/1.2.x/features/fips-support.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: Kong Mesh - FIPS Support
-toc: false
----
-
-With version 1.2.0, {{site.mesh_product_name}} provides built-in support for the Federal Information Processing Standard (FIPS-2). Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors.
-
-FIPS support is provided by implementing Envoy's FIPS-compliant mode for BoringSSL. For more information about how it works, see Envoy's [FIPS 140-2 documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2).
-
-{:.important .no-icon}
-> FIPS compliance is not supported on macOS.
diff --git a/app/mesh/1.2.x/features/kds-auth.md b/app/mesh/1.2.x/features/kds-auth.md
deleted file mode 100644
index 7e9e5446c721..000000000000
--- a/app/mesh/1.2.x/features/kds-auth.md
+++ /dev/null
@@ -1,283 +0,0 @@ ---- -title: Multi-zone authentication ---- - -To add to the security of your deployments, {{site.mesh_product_name}} provides token generation for authenticating remote control planes to the global control plane. - -The control plane token is a JWT that contains: - -- The name of the zone the token is generated for -- The token's serial number, used for token rotation - -The control plane token is signed by a signing key that is autogenerated on the global control plane. The signing key is SHA256 encrypted. - -You can check for the signing key: - -``` -$ kumactl get global-secrets -``` - -which returns something like: - -``` -NAME AGE -control-plane-signing-key-0001 36m -``` - -## Set up tokens - -To generate the tokens you need and configure your clusters: - -- Generate a token for each remote control plane. -- Add the token to the configuration for each remote zone. -- Enable authentication on the global control plane. - -### Generate token for each remote zone - -On the global control plane, [authenticate](/mesh/latest/production/secure-deployment/certificates/#user-to-control-plane-communication) and run the following command: - -``` -$ kumactl generate control-plane-token --zone=west > /tmp/token -$ cat /tmp/token -``` - -The generated token looks like: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -For authentication to the global control plane on Kubernetes, you can port-forward port 5681 to access the API. 
- -### Add token to each remote configuration - -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the remote control plane with `kumactl install control-plane`, pass the `--cp-token-path` argument, where the value is the path to the file where the token is stored: - -``` -$ kumactl install control-plane \ - --mode=remote \ - --zone= \ - --cp-token-path=/tmp/token \ - --ingress-enabled \ - --kds-global-address grpcs://`` | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Create a secret with a token in the same namespace where {{site.mesh_product_name}} is installed: - -``` -$ kubectl create secret generic cp-token -n kong-mesh-system --from-file=/tmp/token -``` - -Add the following to `Values.yaml`: -```yaml -kuma: - controlPlane: - secrets: - - Env: "KMESH_MULTIZONE_REMOTE_KDS_AUTH_CP_TOKEN_INLINE" - Secret: "cp-token" - Key: "token" -``` - - -{% endnavtab %} -{% navtab Universal %} - -Either: - -- Set the token as an inline value in a `KMESH_MULTIZONE_REMOTE_KDS_AUTH_CP_TOKEN_INLINE` environment variable: - -```sh -$ KUMA_MODE=remote \ - KUMA_MULTIZONE_REMOTE_ZONE= \ - KUMA_MULTIZONE_REMOTE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_REMOTE_KDS_AUTH_CP_TOKEN_INLINE="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ" \ - ./kuma-cp run -``` - -OR - -- Store the token in a file, then set the path to the file in a `KMESH_MULTIZONE_REMOTE_KDS_AUTH_CP_TOKEN_PATH` environment variable. -```sh -$ KUMA_MODE=remote \ - KUMA_MULTIZONE_REMOTE_ZONE= \ - KUMA_MULTIZONE_REMOTE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_REMOTE_KDS_AUTH_CP_TOKEN_PATH="/tmp/token" \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -### Enable authentication on the global control plane - -If you are starting from scratch and not securing existing {{site.mesh_product_name}} deployment, you can do this as a first step. 
- -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the remote control plane with `kumactl install control-plane`, pass the `--cp-auth` argument with the value `cpToken`: - -```sh -$ kumactl install control-plane \ - --mode=global \ - --cp-auth=cpToken | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Add the following to `Values.yaml`: - -```yaml -kuma: - controlPlane: - envVars: - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE: cpToken -``` - -{% endnavtab %} -{% navtab Universal %} - -Set `KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE` to `cpToken`: - -```sh -$ KUMA_MODE=global \ - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE=cpToken \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -Verify the remote control plane is connected with authentication by looking at the global control plane logs: - -``` -2021-02-24T14:30:38.596+0100 INFO kds.auth Remote CP successfully authenticated using Control Plane Token {"tokenSerialNumber": 1, "zone": "cluster-2"} -``` - -## Rotate tokens - -If a control plane token or signing key is compromised, you must rotate all tokens. - -### Generate new signing key - -The signing key is stored as a `GlobalSecret` with a name that looks like `control-plane-signing-key-{serialNumber}`. - -Make sure to generate the new signing key with a serial number greater than the serial number of the current signing key. - - -{% navtabs %} -{% navtab Kubernetes %} - -Check what is the current highest serial number. - -```sh -$ kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/global-secret' -NAME TYPE DATA AGE -control-plane-signing-key-0001 system.kuma.io/global-secret 1 25m -``` - -In this case, the highest serial number is `0001`. 
Generate a new Signing Key with a serial number of `0002` - -```sh -$ TOKEN="$(kumactl generate signing-key)" && echo " -apiVersion: v1 -data: - value: $TOKEN -kind: Secret -metadata: - name: control-plane-signing-key-0002 - namespace: kong-mesh-system -type: system.kuma.io/global-secret -" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Universal %} - -Check what is the current highest serial number. - -```sh -$ kumactl get global-secrets -NAME AGE -control-plane-signing-key-0001 36m -``` - -In this case, the highest serial number is `0001`. Generate a new Signing Key with a serial number of `0002` - -```sh -echo " -type: GlobalSecret -name: control-plane-signing-key-0002 -data: {{ key }} -" | kumactl apply --var key=$(kumactl generate signing-key) -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -### Regenerate control plane tokens - -Create and add a new token for each remote control plane. These tokens are automatically created with the signing key that's assigned the highest serial number, so they're created with the new signing key. - -Make sure the new signing key is available; otherwise old and new tokens are created with the same signing key and can both provide authentication. - -### Remove the old signing key - -{% navtabs %} -{% navtab Kubernetes %} - -```sh -$ kubectl delete secret control-plane-signing-key-0001 -n kong-mesh-system -``` - -{% endnavtab %} -{% navtab Universal %} - -```sh -$ kumactl delete global-secret control-plane-signing-key-0001 -``` - -{% endnavtab %} -{% endnavtabs %} - -All new connections to the global control plane now require tokens signed with the new signing key. - -### Restart the global control plane - -Restart all instances of the global control plane. All connections are now authenticated with the new tokens. - -## Explore an example token - -You can decode the tokens to validate the signature or explore details. 
- -For example, run: -``` -$ kumactl generate control-plane-token --zone=west -``` - -which returns: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -Paste the token into the UI at jwt.io, or run - -``` -$ kumactl generate control-plane-token --zone=west | jwt -``` - -The result looks like: - -![JWT token decoded](/assets/images/docs/mesh/jwt-decoded.png) - -## Additional security - -By default, a connection from the remote control plane to the global control plane is secured with TLS. You should also configure the remote control plane to [verify the certificate authority (CA) of the global control plane](/mesh/latest/production/secure-deployment/certificates/){:target="_blank"}. diff --git a/app/mesh/1.2.x/features/opa.md b/app/mesh/1.2.x/features/opa.md deleted file mode 100644 index a6cbef7f5c05..000000000000 --- a/app/mesh/1.2.x/features/opa.md +++ /dev/null 
@@ -1,527 +0,0 @@ ---- -title: Kong Mesh - OPA Policy Integration ---- - -## OPA policy plugin - -{{site.mesh_product_name}} integrates the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to provide access control for your services. - -The agent is included in the data plane proxy sidecar, instead of the more common deployment as a separate sidecar. - -When `OPAPolicy` is applied, the control plane configures: - -- the embedded policy agent, with the specified policy -- Envoy, to use [External Authorization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto) that points to the embedded policy agent - -## Usage - -To apply a policy with OPA: - -- Specify the group of data plane proxies to apply the policy to with the `selectors` property. -- Provide a policy with the `conf` property. Policies are defined in the [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/). -{:.note} -> **Note:** You cannot currently apply multiple OPA policies. This limitation will be addressed in the future. - -- Optionally provide custom configuration for the policy agent. 
- - -### Inline - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% endnavtabs %} - -### With Secrets - -Encoding the policy in a 
[Secret](https://kuma.io/docs/1.2.x/security/secrets/) provides some security for policies that contain sensitive data. - -{% navtabs %} -{% navtab Kubernetes %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: opa-policy - namespace: kong-mesh-system - labels: - kuma.io/mesh: default - data: - value: 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 - type: system.kuma.io/secret - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% navtab Universal %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - type: Secret - name: sample-secret - mesh: default - data: 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 - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - type: OPAPolicy - mesh: default - name: opa-1 - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% endnavtabs %} - -## Configuration - -{{site.mesh_product_name}} defines a default configuration for OPA, but you can adjust the configuration to meet your environment's requirements. 
- -The following environment variables are available: - -| Variable | Type | What it configures | Default value {:width=25%:} | -| -------------------------- | --------- | --------------------------------------| ------------------- | -| KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` | -| KMESH_OPA_CONFIG_PATH | string | Path to file of initial config | N/A | -| KMESH_OPA_DIAGNOSTIC_ADDR | string | Address of OPA diagnostics server | `0.0.0.0:8282` | -| KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true | -| KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` | -| KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | [plugins.envoy_ext_authz_grpc. query=data.envoy.authz.allow] | - -{% navtabs %} -{% navtab Kubernetes %} - -You can customize the agent in either of the following ways: - -- Override variables in the data plane proxy config: -{% navtabs %} -{% navtab kumactl %} - -When you deploy the Mesh control plane, edit the `kong-mesh-control-plane-config` ConfigMap: - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kong-mesh-control-plane-config - namespace: kong-mesh-system -data: - config.yaml: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% navtab Helm %} - -Override the Helm value in `values.yaml` - -```yaml -kuma: - controlPlane: - config: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% endnavtabs %} -{% endnavtab %} -{% navtab Universal %} - -The `run` command on the data plane proxy accepts the following equivalent parameters if you prefer not to set environment variables: - - -``` ---opa-addr 
---opa-config-path ---opa-diagnostic-addr ---opa-enabled ---opa-ext-authz-addr ---opa-set strings -``` - -{% endnavtab %} -{% endnavtabs %} - -- Override the config for individual data plane proxies by placing the appropriate annotations on the Pod: - -``` -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example-app - namespace: kuma-example -spec: - ... - template: - metadata: - ... - annotations: - # indicate to Kuma that this Pod doesn't need a sidecar - kuma.io/sidecar-env-vars: "KMESH_OPA_ENABLED=false;KMESH_OPA_ADDR=:8888;KMESH_OPA_CONFIG_OVERRIDES=config1:x,config2:y" -``` - -## Support for external API management servers - -The `agentConfig` field lets you define a custom configuration that points to an external management server: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: - inlineString: | - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: - inlineString: | # one of: inlineString, secret - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% endnavtabs %} - -## Example - -The following example shows how to deploy and test a sample OPA Policy on Kubernetes, using the kuma-demo application. - -1. Deploy the example application: - - ``` - kubectl apply -f https://bit.ly/demokuma - ``` - -1. 
Make a request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 1717af9c-2587-43b9-897f-f8061bba5ad4 - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 15:33:18 GMT - < x-envoy-upstream-service-time: 1521 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - -1. 
Apply an OPA Policy that requires a valid JWT token: - - ``` - echo " - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - inlineString: | - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {\"valid\": valid, \"payload\": payload} { - [_, encoded] := split(http_request.headers.authorization, \" \") - [valid, _, payload] := io.jwt.decode_verify(encoded, {\"secret\": \"secret\"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == \"GET\" - token.payload.role == \"admin\" - } - " | kubectl apply -f - - ``` - -1. Make an invalid request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-bwvnb -n kuma-demo' to see all of the containers in this pod. - * Trying 10.105.146.164:3001... - * TCP_NODELAY set - * Connected to backend (10.105.146.164) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < date: Tue, 09 Mar 2021 16:50:40 GMT - < server: envoy - < x-envoy-upstream-service-time: 2 - < content-length: 0 - < - * Connection #0 to host backend left intact - ``` - - Note the `HTTP/1.1 403 Forbidden` message. The application doesn't allow a request without a valid token. - - The policy can take up to 30 seconds to propagate, so if this request succeeds the first time, wait and then try again. - -1. 
Make a valid request from the frontend to the backend: - - ``` - $ export ADMIN_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJzdWIiOiJZbTlpIiwibmJmIjoxNTE0ODUxMTM5LCJleHAiOjI1MjQ2MDgwMDB9.H0-42LYzoWyQ_4MXAcED30u6lA5JE087eECV2nxDfXo" - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl -H "Authorization: Bearer $ADMIN_TOKEN" backend:3001 - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 8fd7b398-1ba2-4c2e-b229-5159d04d782e - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 17:26:00 GMT - < x-envoy-upstream-service-time: 261 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - - The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired. diff --git a/app/mesh/1.2.x/features/vault.md b/app/mesh/1.2.x/features/vault.md deleted file mode 100644 index 6e81a45fbf2a..000000000000 --- a/app/mesh/1.2.x/features/vault.md +++ /dev/null 
@@ -1,252 +0,0 @@ ---- -title: Kong Mesh - Vault Policy ---- - -## Vault CA Backend - -The default [mTLS policy in Kuma](https://kuma.io/docs/latest/policies/mutual-tls/) -supports the following backends: - -* `builtin`: {{site.mesh_product_name}} automatically generates the Certificate -Authority (CA) root certificate and key that will be used to generate the data -plane certificates. -* `provided`: the CA root certificate and key can be provided by the user. - -{{site.mesh_product_name}} adds: - -* `vault`: {{site.mesh_product_name}} generates data plane certificates -using a CA root certificate and key stored in a HashiCorp Vault -server. - -## Vault mode - -In `vault` mTLS mode, {{site.mesh_product_name}} communicates with the HashiCorp Vault PKI, -which generates the data plane proxy certificates automatically. -{{site.mesh_product_name}} does not retrieve private key of the CA to generate data plane proxy certificates, -which means that private key of the CA is secured by Vault and not exposed to third parties. - -In `vault` mode, you point {{site.mesh_product_name}} to the -Vault server and provide the appropriate credentials. {{site.mesh_product_name}} -uses these parameters to authenticate the control plane and generate the -data plane certificates. - -When {{site.mesh_product_name}} is running in `vault` mode, the backend communicates with Vault and ensures -that Vault's PKI automatically issues data plane certificates and rotates them for -each proxy. - -### Configure Vault - -The `vault` mTLS backend expects a `kuma-pki-${MESH_NAME}` PKI already -configured in Vault. For example, the PKI path for a mesh named `default` is `kuma-pki-default`. - -The following steps show how to configure Vault for {{site.mesh_product_name}} with a mesh named -`default`. For your environment, replace `default` with the appropriate mesh name. - -#### Step 1. Configure the Certificate Authority - -{{site.mesh_product_name}} works with a Root CA or an Intermediate CA. 
- -{% navtabs %} -{% navtab Root CA %} - -Create a new PKI for the `default` Mesh called `kuma-pki-default`: - -```sh -vault secrets enable -path=kuma-pki-default pki -``` - -Generate a new Root Certificate Authority for the `default` Mesh: - -```sh -vault secrets tune -max-lease-ttl=87600h kuma-pki-default -``` - -```sh -vault write -field=certificate kuma-pki-default/root/generate/internal \ - common_name="Kuma Mesh Default" \ - uri_sans="spiffe://default" \ - ttl=87600h -``` - -{% endnavtab %} -{% navtab Intermediate CA %} - -Create a new Root Certificate Authority and save it to a file called `ca.pem`: - -```sh -vault secrets enable pki -``` - -```sh -vault secrets tune -max-lease-ttl=87600h pki -``` - -```sh -vault write -field=certificate pki/root/generate/internal \ - common_name="Organization CA" \ - ttl=87600h > ca.pem -``` - -You can also use your current Root CA, retrieve the PEM-encoded certificate, and save it to `ca.pem`. - -Create a new PKI for the `default` Mesh: - -```sh -vault secrets enable -path=kuma-pki-default pki -``` - -Generate the Intermediate CA for the `default` Mesh: - -```sh -vault write -format=json kuma-pki-default/intermediate/generate/internal \ - common_name="Kuma Mesh Default" \ - uri_sans="spiffe://default" \ - | jq -r '.data.csr' > pki_intermediate.csr -``` - -Sign the Intermediate CA with the Root CA. Make sure to pass the right path for the PKI that has the Root CA. -In this example, the path value is `pki`: - -```sh -vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \ - format=pem_bundle \ - ttl="43800h" \ - | jq -r '.data.certificate' > intermediate.cert.pem -``` - -Set the certificate of signed Intermediate CA to the `default` Mesh PKI. 
You must include the public certificate of the Root CA -so that data plane proxies can verify the certificates: - -```sh -cat intermediate.cert.pem > bundle.pem -echo "" >> bundle.pem -cat ca.pem >> bundle.pem -vault write kuma-pki-default/intermediate/set-signed certificate=@bundle.pem -``` - -{% endnavtab %} -{% endnavtabs %} - -#### Step 2. Create a role for generating data plane proxy certificates: - -```sh -vault write kuma-pki-default/roles/dataplanes \ - allowed_uri_sans="spiffe://default/*,kuma://*" \ - key_usage="KeyUsageKeyEncipherment,KeyUsageKeyAgreement,KeyUsageDigitalSignature" \ - ext_key_usage="ExtKeyUsageServerAuth,ExtKeyUsageClientAuth" \ - client_flag=true \ - require_cn=false \ - basic_constraints_valid_for_non_ca=true \ - max_ttl="720h" \ - ttl="720h" -``` - -#### Step 3. Create a policy to use the new role: - -```sh -cat > kuma-default-dataplanes.hcl <<- EOM -path "/kuma-pki-default/issue/dataplanes" -{ - capabilities = ["create", "update"] -} -EOM -vault policy write kuma-default-dataplanes kuma-default-dataplanes.hcl -``` - -#### Step 4. Create a Vault token: - -```sh -vault token create -format=json -policy="kuma-default-dataplanes" | jq -r ".auth.client_token" -``` - -The output should print a Vault token that you then provide as the `conf.fromCp.auth.token` value of the `Mesh` object. - -### Configure Mesh - -`kuma-cp` communicates directly with Vault. To connect to -Vault, you must provide credentials in the configuration of the `mesh` object of `kuma-cp`. - -You can authenticate with the `token` or with client certificates by providing `clientKey` and `clientCert`. - -You can provide these values inline for testing purposes only, as a path to a file on the -same host as `kuma-cp`, or contained in a `secret`. See [the Kuma Secrets documentation](https://kuma.io/docs/1.2.x/security/secrets/). 
- -Here's an example of a configuration with a `vault`-backed CA: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 1d # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inline - clientCert: - file: /tmp/cert.pem # can be file, secret or inlineString -``` - -Apply the configuration with `kubectl apply -f [..]`. - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: Mesh -name: default -mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 24h # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inlineString - clientCert: - file: /tmp/cert.pem # can be file, secret or inline -``` - -Apply the configuration with `kumactl apply -f [..]`, or with the [HTTP API](https://kuma.io/docs/latest/reference/http-api). - -{% endnavtab %} -{% endnavtabs %} 
diff --git a/app/mesh/1.2.x/gettingstarted.md b/app/mesh/1.2.x/gettingstarted.md deleted file mode 100644 index 1d6da34b0ea1..000000000000 --- a/app/mesh/1.2.x/gettingstarted.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Getting Started with Kong Mesh ---- - -## Getting Started - -{{site.mesh_product_name}} — built on top of CNCF's Kuma and Envoy — - tries to be as close as possible to the usage of Kuma itself, while providing - drop-in binary replacements for both the control plane and data plane - executables. - -You can download the {{site.mesh_product_name}} binaries from the -[official installation page](/mesh/{{page.release}}/install), then follow -[Kuma's official documentation](https://kuma.io/docs){:target="_blank"} to start using the product. - -{:.note} -> Kuma, a donated CNCF project, was originally created by Kong, which is -currently maintaining both the project and the documentation. - -## 1. Installing {{site.mesh_product_name}} - -Download and install {{site.mesh_product_name}} from the -[official installation page](/mesh/{{page.release}}/install). - -## 2. Getting Started - -After you install, follow the Kuma getting started guide to get -{{site.mesh_product_name}} up and running: - -* [Getting started with Kubernetes](https://kuma.io/docs/latest/quickstart/kubernetes/){:target="_blank"} -* [Getting started with Universal](https://kuma.io/docs/latest/quickstart/universal/){:target="_blank"} - -## 3. Learn more - -* Read the [Kuma documentation](https://kuma.io/docs/){:target="_blank"} -* Learn about enterprise features: - * [Support for HashiCorp Vault CA](/mesh/{{page.release}}/features/vault/) - * [Support for Open Policy Agent](/mesh/{{page.release}}/features/opa/) - * [Multi-zone authentication](/mesh/{{page.release}}/features/kds-auth/) - * [Support for FIPS](/mesh/{{page.release}}/features/fips-support/) - -If you are a {{site.mesh_product_name}} customer, you can also open a support -ticket with any question or feedback you may have. 
diff --git a/app/mesh/1.2.x/index.md b/app/mesh/1.2.x/index.md deleted file mode 100644 index 35e68efbf9eb..000000000000 --- a/app/mesh/1.2.x/index.md +++ /dev/null @@ -1,138 +0,0 @@ ---- -title: Kong Mesh -subtitle: A modern control plane built on top of Envoy and focused on simplicity, security, and scalability ---- - -{:.note} -> **Demo**: To see {{site.mesh_product_name}} in action, you can -[request a demo](https://konghq.com/request-demo-kong-mesh/) and -we will get in touch with you. - -Welcome to the official documentation for {{site.mesh_product_name}}! - -{{site.mesh_product_name}} is an enterprise-grade service mesh that runs on -both Kubernetes and VMs on any cloud. Built on top of CNCF's -[Kuma](https://kuma.io) and Envoy and focused on simplicity, -{{site.mesh_product_name}} enables the microservices transformation with: -* Out-of-the-box service connectivity and discovery -* Zero-trust security -* Traffic reliability -* Global observability across all traffic, including cross-cluster deployments - -{{site.mesh_product_name}} extends Kuma and Envoy with enterprise features and -support, while providing native integration with -[{{site.ee_product_name}}](https://konghq.com/products/kong-enterprise) for a -full-stack connectivity platform for all of your services and APIs, across -every cloud and environment. - -{:.note} -> Kuma itself was originally created by Kong and donated to CNCF to -provide the first neutral Envoy-based service mesh to the industry. Kong -still maintains and develops Kuma, which is the foundation for -{{site.mesh_product_name}}. - -
-
- -
- {{site.mesh_product_name}} extends CNCF's Kuma and Envoy to provide an - enterprise-grade service mesh with unique features in the service mesh - landscape, while still relying on a neutral foundation. -
-
-{{site.mesh_product_name}} provides a unique combination of strengths and -features in the service mesh ecosystem, specifically designed for the enterprise -architect, including: - -* **Universal** support for both Kubernetes and VM-based services. -* **Single and Multi Zone** deployments to support multi-cloud and multi-cluster - environments with global/remote control plane modes, automatic Ingress - connectivity, and service discovery. -* **Multi-Mesh** to create as many service meshes as we need, using one cluster - with low operational costs. -* **Easy to install and use** and turnkey, by abstracting away all the -complexity of running a service mesh with easy-to-use policies for managing -services and traffic. -* **Full-Stack Connectivity** by natively integrating with Kong and -{{site.ee_product_name}} for end-to-end connectivity that goes from the API -gateway to the service mesh. -* **Powered by Kuma and Envoy** to provide a modern and reliable CNCF -open source foundation for an enterprise service mesh. - -When used in combination with {{site.ee_product_name}}, {{site.mesh_product_name}} -provides a full stack connectivity platform for all of our L4-L7 connectivity, -for both edge and internal API traffic. - -
- -
- Two different applications - "Banking" and "Trading" - run in their - own meshes "A" and "B" across different data centers. In this example, - {{site.base_gateway}} is being used both for edge communication, and for internal - communication between meshes. -
- -## Why {{site.mesh_product_name}}? {#why-kong-mesh} - -Organizations are transitioning to distributed software architectures to -support and accelerate innovation, gain digital revenue, and reduce costs. -A successful transition to microservices requires many pieces to fall into -place: that services are connected reliably with minimal latency, -that they are protected with end-to-end security, that they are discoverable -and fully observable. However, this presents challenges due to the need to -write custom code for security and identity, a lack of granular telemetry, -and insufficient traffic management capabilities, especially as the number of -services grows. - -Leading organizations are looking to service meshes to address these challenges -in a scalable and standardized way. With a service mesh, you can: - -* **Ensure service connectivity, discovery, and traffic reliability**: Apply -out-of-box traffic management to intelligently route traffic across any -platform and any cloud to meet expectations and SLAs. -* **Achieve Zero-Trust Security**: Restrict access by default, encrypt all -traffic, and only complete transactions when identity is verified. -* **Gain Global Traffic Observability**: Gain a detailed understanding of your -service behavior to increase application reliability and the efficiency of -your teams. - -{{site.mesh_product_name}} is the universal service mesh for enterprise -organizations focused on simplicity and scalability with Kuma and Envoy. -Kong’s service mesh is unique in that it allows you to: - -* **Start, secure, and scale with ease**: - * Deploy a turnkey service mesh with a single command. - * Group services by attributes to efficiently apply policies. - * Manage multiple service meshes as tenants of a single control plane to - provide scale and reduce operational costs. -* **Run anywhere**: - * Deploy the service mesh across any environment, including multi-cluster, - multi-cloud, and multi-platform. 
- * Manage service meshes natively in Kubernetes using CRDs, or start with a - service mesh in a VM environment and migrate to Kubernetes at your own pace. -* **Connect services end-to-end**: - * Integrate into the {{site.ee_product_name}} platform for full stack connectivity, - including Ingress and Egress traffic for your service mesh. - * Expose mesh services for internal or external consumption and manage the - full lifecycle of APIs. - -Thanks to the underlying Kuma runtime, with {{site.mesh_product_name}}, you -can easily support multiple clusters, clouds, and architectures using the -multi-zone capability that ships out of the box. This — combined with -multi-mesh support — lets you create a service mesh powered by an Envoy proxy -for the entire organization in just a few steps. You can do this for both -simple and distributed deployments, including multi-cloud, multi-cluster, and -hybrid Kubernetes/VMs: - -
- -
- {{site.mesh_product_name}} can support multiple zones (like a Kubernetes - cluster, VPC, data center, etc.) together in the same distributed deployment. - Then, you can create multiple isolated virtual meshes with the same - control plane in order to support every team and application in the - organization. -
-
-[Learn more](/mesh/latest/production/deployment/) about the -standalone and multi-zone deployment modes in the Kuma documentation. diff --git a/app/mesh/1.2.x/install.md b/app/mesh/1.2.x/install.md deleted file mode 100644 index 44b3bc73c810..000000000000 --- a/app/mesh/1.2.x/install.md +++ /dev/null @@ -1,108 +0,0 @@ ---- -title: Install Kong Mesh -disable_image_expand: true ---- - -## Install {{site.mesh_product_name}} - -{{site.mesh_product_name}} is built on top of Kuma and Envoy. To create a -seamless experience, {{site.mesh_product_name}} follows the same installation -and configuration procedures as Kuma, but with {{site.mesh_product_name}}-specific binaries. - -On this page, you will find access to the official {{site.mesh_product_name}} -distributions that provide a drop-in replacement to Kuma's native binaries, plus -links to cloud marketplace integrations. - -**The latest {{site.mesh_product_name}} version is -{{page.kong_latest.version}}.** - -{% navtabs %} -{% navtab Containerized %} - - - -{% endnavtab %} -{% navtab Operating Systems %} - - - -{% endnavtab %} -{% endnavtabs %} - -## Licensing - -Your {{site.mesh_product_name}} license includes an expiration date and the number of data plane proxies you can deploy. If you deploy more proxies than your license allows, you receive a warning. - -You have a 30-day grace period after the license expires. Make sure to renew your license before the grace period ends. - -## Check version - -To confirm that you have installed the right version of -{{site.mesh_product_name}}, run the following commands and -make sure the version output starts with the `{{site.mesh_product_name}}` -prefix: - -```sh -$ kumactl version -Kong Mesh [VERSION NUMBER] - -$ kuma-cp version -Kong Mesh [VERSION NUMBER] - -$ kuma-dp version -Kong Mesh [VERSION NUMBER] -``` diff --git a/app/mesh/1.2.x/installation/amazonlinux.md b/app/mesh/1.2.x/installation/amazonlinux.md deleted file mode 100644 index 0130c8bfb791..000000000000 
--- a/app/mesh/1.2.x/installation/amazonlinux.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Kong Mesh with Amazon Linux ---- - -{:.note} -> If you want to use {{site.mesh_product_name}} on Amazon EKS, follow the -[Kubernetes instructions](/mesh/{{page.release}}/installation/kubernetes/) -instead. - -To install and run {{site.mesh_product_name}} on Amazon Linux (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download the latest version of {{site.mesh_product_name}}: - -```sh -$ yum install -y tar gzip -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.2.x/installation/centos.md b/app/mesh/1.2.x/installation/centos.md deleted file mode 100644 index d1f8c4bf5bd3..000000000000 --- a/app/mesh/1.2.x/installation/centos.md +++ /dev/null 
@@ -1,47 +0,0 @@
----
-title: Kong Mesh with CentOS
----
-
-To install and run {{site.mesh_product_name}} on CentOS (**x86_64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system and
-download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-
-{% endnavtab %}
-{% navtab Manually %}
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz)
-the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.2.x/installation/debian.md b/app/mesh/1.2.x/installation/debian.md
deleted file mode 100644
index d2e32294a077..000000000000
--- a/app/mesh/1.2.x/installation/debian.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Kong Mesh with Debian
----
-
-To install and run {{site.mesh_product_name}} on Debian (**amd64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-Run the following script to automatically detect the operating system and
-download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-{% endnavtab %}
-{% navtab Manually %}
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz)
-the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.2.x/installation/docker.md b/app/mesh/1.2.x/installation/docker.md
deleted file mode 100644
index 36d0632d2adf..000000000000
--- a/app/mesh/1.2.x/installation/docker.md
+++ /dev/null
@@ -1,141 +0,0 @@ ---- -title: Kong Mesh with Docker ---- - -To install and run {{site.mesh_product_name}} on Docker, execute the following -steps: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -The official Docker images are used by default in the -Kubernetes -distributions. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{{site.mesh_product_name}} provides the following Docker images for all of its -executables, hosted on Docker Hub: - -* **kuma-cp**: at [`kong/kuma-cp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-cp) -* **kuma-dp**: at [`kong/kuma-dp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-dp) -* **kumactl**: at [`kong/kumactl:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kumactl) -* **kuma-prometheus-sd**: at [`kong/kuma-prometheus-sd:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-prometheus-sd) - -`docker pull` each image that you need. For example: - -```sh -$ docker pull kong/kuma-cp:{{page.kong_latest.version}} -``` - -## 2. Run {{site.mesh_product_name}} - -Run the control plane with: - -```sh -$ docker run \ - -p 5681:5681 \ - -v /path/to/license.json:/license.json \ - -e "KMESH_LICENSE_PATH=/license.json" \ - kong/kuma-cp:{{page.kong_latest.version}} run -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the host that will be mounted as `/license.json` into the -container. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. 
- -This runs {{site.mesh_product_name}} with a [memory backend](https://kuma.io/docs/latest/explore/backends/), -but you can use a persistent storage like PostgreSQL by updating the `conf/kuma-cp.conf` file. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) is running, you can access the -control plane using either the GUI, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681/gui` to see -the GUI. - -{% endnavtab %} -{% navtab HTTP API (Read & Write) %} - -{{site.mesh_product_name}} ships with a **read and write** HTTP API that you can -use to perform operations on {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681` to see -the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read & Write) %} - -You can use the `kumactl` CLI to perform **read and write** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. For example: - -```sh -$ docker run \ - --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "type: Mesh - name: default - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | docker run -i --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl apply -f - -``` - -This runs `kumactl` from the Docker -container on the same network as the host, but most likely you want to download -a compatible version of {{site.mesh_product_name}} for the machine where you -will be executing the commands. 
- -See the individual installation pages for your OS to download and extract -`kumactl` to your machine: -* [CentOS](/mesh/{{page.release}}/installation/centos/) -* [Red Hat](/mesh/{{page.release}}/installation/redhat/) -* [Debian](/mesh/{{page.release}}/installation/debian/) -* [Ubuntu](/mesh/{{page.release}}/installation/ubuntu/) -* [macOS](/mesh/{{page.release}}/installation/macos/) - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Universal deployments](https://kuma.io/docs/latest/quickstart/universal/). -If you are entirely using Docker, you may also be interested in checking out the -[Kubernetes quickstart](https://kuma.io/docs/latest/quickstart/kubernetes/) as well. diff --git a/app/mesh/1.2.x/installation/helm.md b/app/mesh/1.2.x/installation/helm.md deleted file mode 100644 index 2094a714cf6c..000000000000 --- a/app/mesh/1.2.x/installation/helm.md +++ /dev/null 
@@ -1,166 +0,0 @@ ---- -title: Kong Mesh with Helm ---- - -To install and run {{site.mesh_product_name}} on Kubernetes using Helm: - -1. [Add the {{site.mesh_product_name}} Helm Repository](#1-add-the-kong-mesh-helm-repository) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Add the {{site.mesh_product_name}} Helm Repository - -To start using {{site.mesh_product_name}} with Helm charts, first add the -{{site.mesh_product_name}} charts repository to your local Helm deployment: - -```sh -$ helm repo add kong-mesh https://kong.github.io/kong-mesh-charts -``` - -Once the repo is added, any following updates can be fetched with -`helm repo update`. - -## 2. Run {{site.mesh_product_name}} - -Install and run {{site.mesh_product_name}} using the following commands. -You can use any Kubernetes namespace to install {{site.mesh_product_name}}, but as a default, we -suggest `kong-mesh-system`. - -1. Create the `kong-mesh-system` namespace: - - ```sh - $ kubectl create namespace kong-mesh-system - ``` - -2. Upload the license secret to the cluster: - - ```sh - $ kubectl create secret generic kong-mesh-license -n kong-mesh-system --from-file=/path/to/license.json - ``` - - Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} - license file on the file system. - - The filename should be license.json, unless otherwise specified in values.yaml. - -3. 
Deploy the {{site.mesh_product_name}} Helm chart: - - ```sh - $ helm repo update - $ helm upgrade -i -n kong-mesh-system kong-mesh kong-mesh/kong-mesh - ``` - - This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ - deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) - like _multi-zone_. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) has been installed in the newly -created `kong-mesh-system` namespace, you can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. 
- -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.2.x/quickstart/kubernetes/). diff --git a/app/mesh/1.2.x/installation/kubernetes.md b/app/mesh/1.2.x/installation/kubernetes.md deleted file mode 100644 index 59f3117f3646..000000000000 --- a/app/mesh/1.2.x/installation/kubernetes.md +++ /dev/null 
@@ -1,191 +0,0 @@ ---- -title: Kong Mesh with Kubernetes ---- - -To install and run {{site.mesh_product_name}} on Kubernetes: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -Download a compatible version of {{site.mesh_product_name}} for the machine from which you -will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the client host from the machine where you plan to run the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -Then, run the control plane with: - -```sh -$ kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f - -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can create a link -in `/usr/local/bin/` by running: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -It may take a while for Kubernetes to start the -{{site.mesh_product_name}} resources. 
You can check the status by executing: - -```sh -$ kubectl get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -You can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. 
To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -{{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.2.x/quickstart/kubernetes/). diff --git a/app/mesh/1.2.x/installation/macos.md b/app/mesh/1.2.x/installation/macos.md deleted file mode 100644 index bf79e769681f..000000000000 --- a/app/mesh/1.2.x/installation/macos.md +++ /dev/null 
@@ -1,55 +0,0 @@
----
-title: Kong Mesh with macOS
----
-
-To install and run {{site.mesh_product_name}} on macOS,:
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-{:.important .no-icon}
-> FIPS compliance is not supported on macOS.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-To run {{site.mesh_product_name}} on macOS, you can choose from the following
-installation methods:
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system and
-download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-
-{% endnavtab %}
-{% navtab Manually %}
-
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz)
-the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.2.x/installation/openshift.md b/app/mesh/1.2.x/installation/openshift.md
deleted file mode 100644
index 207f1624ecff..000000000000
--- a/app/mesh/1.2.x/installation/openshift.md
+++ /dev/null
@@ -1,265 +0,0 @@ ---- -title: Kong Mesh with OpenShift ---- - -To install and run {{site.mesh_product_name}} on OpenShift: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on OpenShift, you need to download a -compatible version of {{site.mesh_product_name}} for the machine from which -you will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the **client host** from where you will be executing the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can also create a link -in `/usr/local/bin/` by executing: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -Then, run the control plane on OpenShift with: - -{% navtabs %} -{% navtab OpenShift 4.x %} - -```sh -kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f - -``` - -Starting from version 4.1, OpenShift uses `nftables` instead of `iptables`. So, -using init container for redirecting traffic to the proxy no longer works. -Instead, we use `kuma-cni`, which can be installed with the `--cni-enabled` flag. 
- -{% endnavtab %} -{% navtab OpenShift 3.11 %} - -By default, `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` are -disabled on OpenShift 3.11. - -To make them work, add the following `pluginConfig` into -`/etc/origin/master/master-config.yaml` on the master node: - -```yaml -admissionConfig: - pluginConfig: - MutatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission - ValidatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission -``` - -After updating `master-config.yaml`, restart the cluster and install -`control-plane`: - -```sh -$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -It may take a while for OpenShift to start the -{{site.mesh_product_name}} resources. You can check the status by running: - -```sh -$ oc get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -Now you can access the control plane with the GUI, `oc`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681` and defaults to `:5681/gui`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Navigate to `127.0.0.1:5681/gui` to see the GUI. 
- -{% endnavtab %} -{% navtab oc (Read & Write) %} -You can use {{site.mesh_product_name}} with `oc` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ oc get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | oc apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -Notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -{{site.mesh_product_name}} explicitly specifies a UID -for the `kuma-dp` sidecar to avoid capturing traffic from -`kuma-dp` itself. 
You must grant a `nonroot` [Security Context Constraint] -(https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) -to the application namespace: - -```sh -$ oc adm policy add-scc-to-group nonroot system:serviceaccounts: -``` - -If the namespace is not configured properly, you will see the following error -on the `Deployment` or `DeploymentConfig`: - -```sh -'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: -[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]' -``` - -## 4. Quickstart - -Congratulations! You have successfully installed {{site.mesh_product_name}}. - -Before running the Kuma Demo in the Quickstart guide, -run the following command: - -```sh -$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo -``` - -One of the components in the demo requires root access, therefore it uses the -`anyuid` instead of the `nonroot` permission. - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.2.x/quickstart/kubernetes/). diff --git a/app/mesh/1.2.x/installation/redhat.md b/app/mesh/1.2.x/installation/redhat.md deleted file mode 100644 index 51937fecb5f3..000000000000 --- a/app/mesh/1.2.x/installation/redhat.md +++ /dev/null 
@@ -1,44 +0,0 @@
----
-title: Kong Mesh with Red Hat
----
-
-To install and run {{site.mesh_product_name}} on Red Hat (**x86_64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system
-and download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-{% endnavtab %}
-{% navtab Manually %}
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.2.x/installation/ubuntu.md b/app/mesh/1.2.x/installation/ubuntu.md
deleted file mode 100644
index 3ed46bfefadc..000000000000
--- a/app/mesh/1.2.x/installation/ubuntu.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Kong Mesh with Ubuntu
----
-
-To install and run {{site.mesh_product_name}} on Ubuntu (**amd64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system and
-download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-{% endnavtab %}
-{% navtab Manually %}
-
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz)
- the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.2.x/patches/opa-policy.yaml b/app/mesh/1.2.x/patches/opa-policy.yaml
deleted file mode 100644
index cc8b2e75cbf3..000000000000
--- a/app/mesh/1.2.x/patches/opa-policy.yaml
+++ /dev/null
@@ -1,392 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: opapolicies.kuma.io -spec: - group: kuma.io - names: - kind: OPAPolicy - plural: opapolicies - scope: Cluster - validation: - openAPIV3Schema: - description: OPAPolicy is the Schema for the opapolicy API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map stored with - a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' - type: object - clusterName: - description: The name of the cluster which the object belongs to. This - is used to distinguish resources with same name and namespace in different - clusters. This field is not set anywhere right now and apiserver is - going to ignore it if set in create or update request. - type: string - creationTimestamp: - description: "CreationTimestamp is a timestamp representing the server - time when this object was created. It is not guaranteed to be set - in happens-before order across separate operations. Clients may not - set this value. It is represented in RFC3339 form and is in UTC. 
\n - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - deletionGracePeriodSeconds: - description: Number of seconds allowed for this object to gracefully - terminate before it will be removed from the system. Only set when - deletionTimestamp is also set. May only be shortened. Read-only. - format: int64 - type: integer - deletionTimestamp: - description: "DeletionTimestamp is RFC 3339 date and time at which this - resource will be deleted. This field is set by the server when a graceful - deletion is requested by the user, and is not directly settable by - a client. The resource is expected to be deleted (no longer visible - from resource lists, and not reachable by name) after the time in - this field, once the finalizers list is empty. As long as the finalizers - list contains items, deletion is blocked. Once the deletionTimestamp - is set, this value may not be unset or be set further into the future, - although it may be shortened or the resource may be deleted prior - to this time. For example, a user may request that a pod is deleted - in 30 seconds. The Kubelet will react by sending a graceful termination - signal to the containers in the pod. After that 30 seconds, the Kubelet - will send a hard termination signal (SIGKILL) to the container and - after cleanup, remove the pod from the API. In the presence of network - partitions, this object may still exist after this timestamp, until - an administrator or automated process can determine the resource is - fully terminated. If not set, graceful deletion of the object has - not been requested. \n Populated by the system when a graceful deletion - is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - finalizers: - description: Must be empty before the object is deleted from the registry. 
- Each entry is an identifier for the responsible component that will - remove the entry from the list. If the deletionTimestamp of the object - is non-nil, entries in this list can only be removed. - items: - type: string - type: array - generateName: - description: "GenerateName is an optional prefix, used by the server, - to generate a unique name ONLY IF the Name field has not been provided. - If this field is used, the name returned to the client will be different - than the name passed. This value will also be combined with a unique - suffix. The provided value has the same validation rules as the Name - field, and may be truncated by the length of the suffix required to - make the value unique on the server. \n If this field is specified - and the generated name exists, the server will NOT return a 409 - - instead, it will either return 201 Created or 500 with Reason ServerTimeout - indicating a unique name could not be found in the time allotted, - and the client should retry (optionally after the time indicated in - the Retry-After header). \n Applied only if Name is not specified. - More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" - type: string - generation: - description: A sequence number representing a specific generation of - the desired state. Populated by the system. Read-only. - format: int64 - type: integer - initializers: - description: "An initializer is a controller which enforces some system - invariant at object creation time. This field is a list of initializers - that have not yet acted on this object. If nil or empty, this object - has been completely initialized. Otherwise, the object is considered - uninitialized and is hidden (in list/watch and get calls) from clients - that haven't explicitly asked to observe uninitialized objects. \n - When an object is created, the system will populate this list with - the current set of initializers. Only privileged users may set or - modify this list. 
Once it is empty, it may not be modified further - by any user. \n DEPRECATED - initializers are an alpha field and will - be removed in v1.15." - properties: - pending: - description: Pending is a list of initializers that must execute - in order before this object is visible. When the last pending - initializer is removed, and no failing result is set, the initializers - struct will be set to nil and the object is considered as initialized - and visible to all clients. - items: - properties: - name: - description: name of the process that is responsible for initializing - this object. - type: string - required: - - name - type: object - type: array - result: - description: If result is set with the Failure field, the object - will be persisted to storage and then deleted, ensuring that other - clients can observe the deletion. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this - representation of an object. Servers should convert recognized - schemas to the latest internal value, and may reject unrecognized - values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - code: - description: Suggested HTTP return code for this status, 0 if - not set. - format: int32 - type: integer - details: - description: Extended data associated with the reason. Each - reason may define its own extended details. This field is - optional and the data returned is not guaranteed to conform - to any schema except that defined by the reason type. - properties: - causes: - description: The Causes array includes more details associated - with the StatusReason failure. Not all StatusReasons may - provide detailed causes. - items: - properties: - field: - description: "The field of the resource that has caused - this error, as named by its JSON serialization. - May include dot and postfix notation for nested - attributes. Arrays are zero-indexed. 
Fields may - appear more than once in an array of causes due - to fields having multiple errors. Optional. \n Examples: - \ \"name\" - the field \"name\" on the current - resource \"items[0].name\" - the field \"name\" - on the first array entry in \"items\"" - type: string - message: - description: A human-readable description of the cause - of the error. This field may be presented as-is - to a reader. - type: string - reason: - description: A machine-readable description of the - cause of the error. If this value is empty there - is no information available. - type: string - type: object - type: array - group: - description: The group attribute of the resource associated - with the status StatusReason. - type: string - kind: - description: 'The kind attribute of the resource associated - with the status StatusReason. On some operations may differ - from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: The name attribute of the resource associated - with the status StatusReason (when there is a single name - which can be described). - type: string - retryAfterSeconds: - description: If specified, the time in seconds before the - operation should be retried. Some errors may indicate - the client must take an alternate action - for those errors - this field may indicate how long to wait before taking - the alternate action. - format: int32 - type: integer - uid: - description: 'UID of the resource. (when there is a single - resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - type: object - kind: - description: 'Kind is a string value representing the REST resource - this object represents. Servers may infer this from the endpoint - the client submits requests to. Cannot be updated. In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - message: - description: A human-readable description of the status of this - operation. - type: string - metadata: - description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - properties: - continue: - description: continue may be set if the user set a limit - on the number of items returned, and indicates that the - server has more data available. The value is opaque and - may be used to issue another request to the endpoint that - served this list to retrieve the next set of available - objects. Continuing a consistent list may not be possible - if the server configuration has changed or more than a - few minutes have passed. The resourceVersion field returned - when using this continue value will be identical to the - value in the first response, unless you have received - this token from an error message. - type: string - resourceVersion: - description: 'String that identifies the server''s internal - version of this object that can be used by clients to - determine when objects have changed. Value must be treated - as opaque by clients and passed unmodified back to the - server. Populated by the system. Read-only. More info: - https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' - type: string - selfLink: - description: selfLink is a URL representing this object. - Populated by the system. Read-only. - type: string - type: object - reason: - description: A machine-readable description of why this operation - is in the "Failure" status. If this value is empty there is - no information available. A Reason clarifies an HTTP status - code but does not override it. - type: string - status: - description: 'Status of the operation. One of: "Success" or - "Failure". 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' - type: string - type: object - required: - - pending - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used to organize - and categorize (scope and select) objects. May match selectors of - replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' - type: object - managedFields: - description: "ManagedFields maps workflow-id and version to the set - of fields that are managed by that workflow. This is mostly for internal - housekeeping, and users typically shouldn't need to set or understand - this field. A workflow can be the user's name, a controller's name, - or the name of a specific apply path like \"ci-cd\". The set of fields - is always in the version that the workflow used when modifying the - object. \n This field is alpha and can be changed or removed without - notice." - items: - properties: - apiVersion: - description: APIVersion defines the version of this resource that - this field set applies to. The format is "group/version" just - like the top-level APIVersion field. It is necessary to track - the version of a field set because it cannot be automatically - converted. - type: string - fields: - additionalProperties: true - description: Fields identifies a set of fields. - type: object - manager: - description: Manager is an identifier of the workflow managing - these fields. - type: string - operation: - description: Operation is the type of operation which lead to - this ManagedFieldsEntry being created. The only valid values - for this field are 'Apply' and 'Update'. - type: string - time: - description: Time is timestamp of when these fields were set. - It should always be empty if Operation is 'Apply' - format: date-time - type: string - type: object - type: array - name: - description: 'Name must be unique within a namespace. 
Is required when - creating resources, although some resources may allow a client to - request the generation of an appropriate name automatically. Name - is primarily intended for creation idempotence and configuration definition. - Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - namespace: - description: "Namespace defines the space within each name must be unique. - An empty namespace is equivalent to the \"default\" namespace, but - \"default\" is the canonical representation. Not all objects are required - to be scoped to a namespace - the value of this field for those objects - will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: - http://kubernetes.io/docs/user-guide/namespaces" - type: string - ownerReferences: - description: List of objects depended by this object. If ALL objects - in the list have been deleted, this object will be garbage collected. - If this object is managed by a controller, then an entry in this list - will point to this controller, with the controller field set to true. - There cannot be more than one managing controller. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. Defaults to false. To - set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - type: array - resourceVersion: - description: "An opaque value that represents the internal version of - this object that can be used by clients to determine when objects - have changed. May be used for optimistic concurrency, change detection, - and the watch operation on a resource or set of resources. Clients - must treat these values as opaque and passed unmodified back to the - server. They may only be valid for a particular resource or set of - resources. \n Populated by the system. Read-only. Value must be treated - as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" - type: string - selfLink: - description: SelfLink is a URL representing this object. Populated by - the system. Read-only. - type: string - uid: - description: "UID is the unique in time and space value for this object. - It is typically generated by the server on successful creation of - a resource and is not allowed to change on PUT operations. \n Populated - by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids" - type: string - type: object - mesh: - type: string - spec: - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true diff --git a/app/mesh/1.3.x/features/fips-support.md b/app/mesh/1.3.x/features/fips-support.md deleted file mode 100644 index 08db52166d88..000000000000 --- a/app/mesh/1.3.x/features/fips-support.md +++ /dev/null 
@@ -1,11 +0,0 @@
----
-title: Kong Mesh - FIPS Support
-toc: false
----
-
-With version 1.2.0, {{site.mesh_product_name}} provides built-in support for the Federal Information Processing Standard (FIPS-2). Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors.
-
-FIPS support is provided by implementing Envoy's FIPS-compliant mode for BoringSSL. For more information about how it works, see Envoy's [FIPS 140-2 documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2).
-
-{:.important .no-icon}
-> FIPS compliance is not supported on macOS.
diff --git a/app/mesh/1.3.x/features/kds-auth.md b/app/mesh/1.3.x/features/kds-auth.md
deleted file mode 100644
index 30174787c092..000000000000
--- a/app/mesh/1.3.x/features/kds-auth.md
+++ /dev/null
@@ -1,283 +0,0 @@
----
-title: Multi-zone authentication
----
-
-To add to the security of your deployments, {{site.mesh_product_name}} provides token generation for authenticating remote control planes to the global control plane.
-
-The control plane token is a JWT that contains:
-
-- The name of the zone the token is generated for
-- The token's serial number, used for token rotation
-
-The control plane token is signed by a signing key that is autogenerated on the global control plane. The signing key is SHA256 encrypted.
-
-You can check for the signing key:
-
-```
-$ kumactl get global-secrets
-```
-
-which returns something like:
-
-```
-NAME AGE
-control-plane-signing-key-0001 36m
-```
-
-## Set up tokens
-
-To generate the tokens you need and configure your clusters:
-
-- Generate a token for each remote control plane.
-- Add the token to the configuration for each remote zone.
-- Enable authentication on the global control plane.
-
-### Generate token for each remote zone
-
-On the global control plane, [authenticate](/mesh/latest/production/secure-deployment/certificates/#user-to-control-plane-communication) and run the following command:
-
-```
-$ kumactl generate control-plane-token --zone=west > /tmp/token
-$ cat /tmp/token
-```
-
-The generated token looks like:
-
-```
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ
-```
-
-For authentication to the global control plane on Kubernetes, you can port-forward port 5681 to access the API.
-
-### Add token to each zone configuration
-
-{% navtabs %}
-{% navtab Kubernetes with kumactl %}
-
-If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-token-path` argument, where the value is the path to the file where the token is stored:
-
-```
-$ kumactl install control-plane \
- --mode=zone \
- --zone= \
- --cp-token-path=/tmp/token \
- --ingress-enabled \
- --kds-global-address grpcs://`` | kubectl apply -f -
-```
-
-{% endnavtab %}
-{% navtab Kubernetes with Helm %}
-
-Create a secret with a token in the same namespace where {{site.mesh_product_name}} is installed:
-
-```
-$ kubectl create secret generic cp-token -n kong-mesh-system --from-file=/tmp/token
-```
-
-Add the following to `Values.yaml`:
-```yaml
-kuma:
- controlPlane:
- secrets:
- - Env: "KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE"
- Secret: "cp-token"
- Key: "token"
-```
-
-
-{% endnavtab %}
-{% navtab Universal %}
-
-Either:
-
-- Set the token as an inline value in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable:
-
-```sh
-$ KUMA_MODE=zone \
- KUMA_MULTIZONE_ZONE_NAME= \
- KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \
- KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ" \
- ./kuma-cp run
-```
-
-OR
-
-- Store the token in a file, then set the path to the file in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable.
-```sh
-$ KUMA_MODE=zone \
- KUMA_MULTIZONE_ZONE_NAME= \
- KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \
- KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH="/tmp/token" \
- ./kuma-cp run
-```
-
-{% endnavtab %}
-{% endnavtabs %}
-
-### Enable authentication on the global control plane
-
-If you are starting from scratch and not securing existing {{site.mesh_product_name}} deployment, you can do this as a first step.
-
-{% navtabs %}
-{% navtab Kubernetes with kumactl %}
-
-If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-auth` argument with the value `cpToken`:
-
-```sh
-$ kumactl install control-plane \
- --mode=global \
- --cp-auth=cpToken | kubectl apply -f -
-```
-
-{% endnavtab %}
-{% navtab Kubernetes with Helm %}
-
-Add the following to `Values.yaml`:
-
-```yaml
-kuma:
- controlPlane:
- envVars:
- KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE: cpToken
-```
-
-{% endnavtab %}
-{% navtab Universal %}
-
-Set `KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE` to `cpToken`:
-
-```sh
-$ KUMA_MODE=global \
- KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE=cpToken \
- ./kuma-cp run
-```
-
-{% endnavtab %}
-{% endnavtabs %}
-
-Verify the remote control plane is connected with authentication by looking at the global control plane logs:
-
-```
-2021-02-24T14:30:38.596+0100 INFO kds.auth Remote CP successfully authenticated using Control Plane Token {"tokenSerialNumber": 1, "zone": "cluster-2"}
-```
-
-## Rotate tokens
-
-If a control plane token or signing key is compromised, you must rotate all tokens.
-
-### Generate new signing key
-
-The signing key is stored as a `GlobalSecret` with a name that looks like `control-plane-signing-key-{serialNumber}`.
-
-Make sure to generate the new signing key with a serial number greater than the serial number of the current signing key.
-
-
-{% navtabs %}
-{% navtab Kubernetes %}
-
-Check what is the current highest serial number.
-
-```sh
-$ kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/global-secret'
-NAME TYPE DATA AGE
-control-plane-signing-key-0001 system.kuma.io/global-secret 1 25m
-```
-
-In this case, the highest serial number is `0001`. Generate a new Signing Key with a serial number of `0002`
-
-```sh
-$ TOKEN="$(kumactl generate signing-key)" && echo "
-apiVersion: v1
-data:
- value: $TOKEN
-kind: Secret
-metadata:
- name: control-plane-signing-key-0002
- namespace: kong-mesh-system
-type: system.kuma.io/global-secret
-" | kubectl apply -f -
-```
-
-{% endnavtab %}
-{% navtab Universal %}
-
-Check what is the current highest serial number.
-
-```sh
-$ kumactl get global-secrets
-NAME AGE
-control-plane-signing-key-0001 36m
-```
-
-In this case, the highest serial number is `0001`. Generate a new Signing Key with a serial number of `0002`
-
-```sh
-echo "
-type: GlobalSecret
-name: control-plane-signing-key-0002
-data: {{ key }}
-" | kumactl apply --var key=$(kumactl generate signing-key) -f -
-```
-
-{% endnavtab %}
-{% endnavtabs %}
-
-### Regenerate control plane tokens
-
-Create and add a new token for each zone control plane. These tokens are automatically created with the signing key that's assigned the highest serial number, so they're created with the new signing key.
-
-Make sure the new signing key is available; otherwise old and new tokens are created with the same signing key and can both provide authentication.
-
-### Remove the old signing key
-
-{% navtabs %}
-{% navtab Kubernetes %}
-
-```sh
-$ kubectl delete secret control-plane-signing-key-0001 -n kong-mesh-system
-```
-
-{% endnavtab %}
-{% navtab Universal %}
-
-```sh
-$ kumactl delete global-secret control-plane-signing-key-0001
-```
-
-{% endnavtab %}
-{% endnavtabs %}
-
-All new connections to the global control plane now require tokens signed with the new signing key.
-
-### Restart the global control plane
-
-Restart all instances of the global control plane. All connections are now authenticated with the new tokens.
-
-## Explore an example token
-
-You can decode the tokens to validate the signature or explore details.
-
-For example, run:
-```
-$ kumactl generate control-plane-token --zone=west
-```
-
-which returns:
-
-```
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ
-```
-
-Paste the token into the UI at jwt.io, or run
-
-```
-$ kumactl generate control-plane-token --zone=west | jwt
-```
-
-The result looks like:
-
-![JWT token decoded](/assets/images/docs/mesh/jwt-decoded.png)
-
-## Additional security
-
-By default, a connection from the zone control plane to the global control plane is secured with TLS. You should also configure the zone control plane to [verify the certificate authority (CA) of the global control plane]((/mesh/latest/production/secure-deployment/certificates/#control-plane-to-control-plane-multizone){:target="_blank"}.
diff --git a/app/mesh/1.3.x/features/opa.md b/app/mesh/1.3.x/features/opa.md
deleted file mode 100644
index a1e49745b1ac..000000000000
--- a/app/mesh/1.3.x/features/opa.md
+++ /dev/null
@@ -1,589 +0,0 @@ ---- -title: Kong Mesh - OPA Policy Integration ---- - -## OPA policy plugin - -{{site.mesh_product_name}} integrates the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to provide access control for your services. - -The agent is included in the data plane proxy sidecar, instead of the more common deployment as a separate sidecar. - -When `OPAPolicy` is applied, the control plane configures: - -- the embedded policy agent, with the specified policy -- Envoy, to use [External Authorization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto) that points to the embedded policy agent - -## Usage - -To apply a policy with OPA: - -- Specify the group of data plane proxies to apply the policy to with the `selectors` property. -- Provide a policy with the `conf` property. Policies are defined in the [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/). -{:.note} -> **Note:** You cannot currently apply multiple OPA policies. This limitation will be addressed in the future. - -- Optionally provide custom configuration for the policy agent. 
- - -### Inline - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% endnavtabs %} - -### With Secrets - -Encoding the policy in a 
[Secret](https://kuma.io/docs/1.3.x/security/secrets/) provides some security for policies that contain sensitive data. - -{% navtabs %} -{% navtab Kubernetes %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: opa-policy - namespace: kong-mesh-system - labels: - kuma.io/mesh: default - data: - value: 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 - type: system.kuma.io/secret - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% navtab Universal %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - type: Secret - name: sample-secret - mesh: default - data: cGFja2FnZSBlbnZveS5hdXRoegoKaW1wb3J0IGlucHV0LmF0dHJpYnV0ZXMucmVxdWVzdC5odHRwIGFzIGh0dHBfcmVxdWVzdAoKZGVmYXVsdCBhbGxvdyA9IGZhbHNlCgp0b2tlbiA9IHsidmFsaWQiOiB2YWxpZCwgInBheWxvYWQiOiBwYXlsb2FkfSB7CiAgICBbXywgZW5jb2RlZF0gOj0gc3BsaXQoaHR0cF9yZXF1ZXN0LmhlYWRlcnMuYXV0aG9yaXphdGlvbiwgIiAiKQogICAgW3ZhbGlkLCBfLCBwYXlsb2FkXSA6PSBpby5qd3QuZGVjb2RlX3ZlcmlmeShlbmNvZGVkLCB7InNlY3JldCI6ICJzZWNyZXQifSkKfQoKYWxsb3cgewogICAgaXNfdG9rZW5fdmFsaWQKICAgIGFjdGlvbl9hbGxvd2VkCn0KCmlzX3Rva2VuX3ZhbGlkIHsKICB0b2tlbi52YWxpZAogIG5vdyA6PSB0aW1lLm5vd19ucygpIC8gMTAwMDAwMDAwMAogIHRva2VuLnBheWxvYWQubmJmIDw9IG5vdwogIG5vdyA8IHRva2VuLnBheWxvYWQuZXhwCn0KCmFjdGlvbl9hbGxvd2VkIHsKICBodHRwX3JlcXVlc3QubWV0aG9kID09ICJHRVQiCiAgdG9rZW4ucGF5bG9hZC5yb2xlID09ICJhZG1pbiIKfQoK - ``` - -1. 
Pass the Secret to `OPAPolicy`: - - ```yaml - type: OPAPolicy - mesh: default - name: opa-1 - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% endnavtabs %} - -## Configuration - -{{site.mesh_product_name}} defines a default configuration for OPA, but you can adjust the configuration to meet your environment's requirements. - -The following environment variables are available: - -| Variable | Type | What it configures | Default value {:width=25%:} | -| -------------------------- | --------- | --------------------------------------| ------------------- | -| KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` | -| KMESH_OPA_CONFIG_PATH | string | Path to file of initial config | N/A | -| KMESH_OPA_DIAGNOSTIC_ADDR | string | Address of OPA diagnostics server | `0.0.0.0:8282` | -| KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true | -| KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` | -| KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | [plugins.envoy_ext_authz_grpc. 
query=data.envoy.authz.allow] | - -{% navtabs %} -{% navtab Kubernetes %} - -You can customize the agent in either of the following ways: - -- Override variables in the data plane proxy config: -{% navtabs %} -{% navtab kumactl %} - -When you deploy the Mesh control plane, edit the `kong-mesh-control-plane-config` ConfigMap: - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kong-mesh-control-plane-config - namespace: kong-mesh-system -data: - config.yaml: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% navtab Helm %} - -Override the Helm value in `values.yaml` - -```yaml -kuma: - controlPlane: - config: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% endnavtabs %} -{% endnavtab %} -{% navtab Universal %} - -The `run` command on the data plane proxy accepts the following equivalent parameters if you prefer not to set environment variables: - - -``` ---opa-addr ---opa-config-path ---opa-diagnostic-addr ---opa-enabled ---opa-ext-authz-addr ---opa-set strings -``` - -{% endnavtab %} -{% endnavtabs %} - -- Override the config for individual data plane proxies by placing the appropriate annotations on the Pod: - -``` -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example-app - namespace: kuma-example -spec: - ... - template: - metadata: - ... 
- annotations: - # indicate to Kuma that this Pod doesn't need a sidecar - kuma.io/sidecar-env-vars: "KMESH_OPA_ENABLED=false;KMESH_OPA_ADDR=:8888;KMESH_OPA_CONFIG_OVERRIDES=config1:x,config2:y" -``` - -## Configuring the authorization filter - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny' defines the behaviour when communication with the agent fails or the policy execution fails. - requestBody: # optional - maxSize: 1024 # the max number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - secret: opa-policy -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. http statusCode to use when the connection to the agent failed. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny'. defines the behaviour when communication with the agent fails or the policy execution fails. - requestBody: # optional - maxSize: 1024 # the maximum number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. 
The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - secret: opa-policy -``` - -{% endnavtab %} -{% endnavtabs %} - -By default, the body will not be sent to the agent. -To send it, set `authConfig.requestBody.maxSize` to the maximum size of your body. -If the request body is larger than this parameter, it will be truncated and the header `x-envoy-auth-partial-body` will be set to `true`. - -## Support for external API management servers - -The `agentConfig` field lets you define a custom configuration that points to an external management server: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: - inlineString: | - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: - inlineString: | # one of: inlineString, secret - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% endnavtabs %} - -## Example - -The following example shows how to deploy and test a sample OPA Policy on Kubernetes, using the kuma-demo application. - -1. Deploy the example application: - - ``` - kubectl apply -f https://bit.ly/demokuma - ``` - -1. 
Make a request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 1717af9c-2587-43b9-897f-f8061bba5ad4 - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 15:33:18 GMT - < x-envoy-upstream-service-time: 1521 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - -1. 
Apply an OPA Policy that requires a valid JWT token: - - ``` - echo " - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - inlineString: | - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {\"valid\": valid, \"payload\": payload} { - [_, encoded] := split(http_request.headers.authorization, \" \") - [valid, _, payload] := io.jwt.decode_verify(encoded, {\"secret\": \"secret\"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == \"GET\" - token.payload.role == \"admin\" - } - " | kubectl apply -f - - ``` - -1. Make an invalid request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-bwvnb -n kuma-demo' to see all of the containers in this pod. - * Trying 10.105.146.164:3001... - * TCP_NODELAY set - * Connected to backend (10.105.146.164) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < date: Tue, 09 Mar 2021 16:50:40 GMT - < server: envoy - < x-envoy-upstream-service-time: 2 - < content-length: 0 - < - * Connection #0 to host backend left intact - ``` - - Note the `HTTP/1.1 403 Forbidden` message. The application doesn't allow a request without a valid token. - - The policy can take up to 30 seconds to propagate, so if this request succeeds the first time, wait and then try again. - -1. 
Make a valid request from the frontend to the backend: - - ``` - $ export ADMIN_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJzdWIiOiJZbTlpIiwibmJmIjoxNTE0ODUxMTM5LCJleHAiOjI1MjQ2MDgwMDB9.H0-42LYzoWyQ_4MXAcED30u6lA5JE087eECV2nxDfXo" - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl -H "Authorization: Bearer $ADMIN_TOKEN" backend:3001 - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 8fd7b398-1ba2-4c2e-b229-5159d04d782e - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 17:26:00 GMT - < x-envoy-upstream-service-time: 261 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - - The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired. diff --git a/app/mesh/1.3.x/features/vault.md b/app/mesh/1.3.x/features/vault.md deleted file mode 100644 index 20dcfa16bd6f..000000000000 --- a/app/mesh/1.3.x/features/vault.md +++ /dev/null 
@@ -1,259 +0,0 @@ ---- -title: Kong Mesh - Vault Policy ---- - -## Vault CA Backend - -The default [mTLS policy in Kuma](https://kuma.io/docs/latest/policies/mutual-tls/) -supports the following backends: - -* `builtin`: {{site.mesh_product_name}} automatically generates the Certificate -Authority (CA) root certificate and key that will be used to generate the data -plane certificates. -* `provided`: the CA root certificate and key can be provided by the user. - -{{site.mesh_product_name}} adds: - -* `vault`: {{site.mesh_product_name}} generates data plane certificates -using a CA root certificate and key stored in a HashiCorp Vault -server. - -## Vault mode - -In `vault` mTLS mode, {{site.mesh_product_name}} communicates with the HashiCorp Vault PKI, -which generates the data plane proxy certificates automatically. -{{site.mesh_product_name}} does not retrieve private key of the CA to generate data plane proxy certificates, -which means that private key of the CA is secured by Vault and not exposed to third parties. - -In `vault` mode, you point {{site.mesh_product_name}} to the -Vault server and provide the appropriate credentials. {{site.mesh_product_name}} -uses these parameters to authenticate the control plane and generate the -data plane certificates. - -When {{site.mesh_product_name}} is running in `vault` mode, the backend communicates with Vault and ensures -that Vault's PKI automatically issues data plane certificates and rotates them for -each proxy. - -### Configure Vault - -The `vault` mTLS backend expects a configured PKI and role for generating data plane proxy certificates. - -The following steps show how to configure Vault for {{site.mesh_product_name}} with a mesh named -`default`. For your environment, replace `default` with the appropriate mesh name. - -#### Step 1. Configure the Certificate Authority - -{{site.mesh_product_name}} works with a Root CA or an Intermediate CA. 
- -{% navtabs %} -{% navtab Root CA %} - -Create a new PKI for the `default` Mesh called `kmesh-pki-default`: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate a new Root Certificate Authority for the `default` Mesh: - -```sh -vault secrets tune -max-lease-ttl=87600h kmesh-pki-default -``` - -```sh -vault write -field=certificate kmesh-pki-default/root/generate/internal \ - common_name="Kong Mesh Mesh Default" \ - uri_sans="spiffe://default" \ - ttl=87600h -``` - -{% endnavtab %} -{% navtab Intermediate CA %} - -Create a new Root Certificate Authority and save it to a file called `ca.pem`: - -```sh -vault secrets enable pki -``` - -```sh -vault secrets tune -max-lease-ttl=87600h pki -``` - -```sh -vault write -field=certificate pki/root/generate/internal \ - common_name="Organization CA" \ - ttl=87600h > ca.pem -``` - -You can also use your current Root CA, retrieve the PEM-encoded certificate, and save it to `ca.pem`. - -Create a new PKI for the `default` Mesh: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate the Intermediate CA for the `default` Mesh: - -```sh -vault write -format=json kmesh-pki-default/intermediate/generate/internal \ - common_name="Kong Mesh Mesh Default" \ - uri_sans="spiffe://default" \ - | jq -r '.data.csr' > pki_intermediate.csr -``` - -Sign the Intermediate CA with the Root CA. Make sure to pass the right path for the PKI that has the Root CA. -In this example, the path value is `pki`: - -```sh -vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \ - format=pem_bundle \ - ttl="43800h" \ - | jq -r '.data.certificate' > intermediate.cert.pem -``` - -Set the certificate of signed Intermediate CA to the `default` Mesh PKI. 
You must include the public certificate of the Root CA -so that data plane proxies can verify the certificates: - -```sh -cat intermediate.cert.pem > bundle.pem -echo "" >> bundle.pem -cat ca.pem >> bundle.pem -vault write kmesh-pki-default/intermediate/set-signed certificate=@bundle.pem -``` - -{% endnavtab %} -{% endnavtabs %} - -#### Step 2. Create a role for generating data plane proxy certificates: - -```sh -vault write kmesh-pki-default/roles/dataplane-proxies \ - allowed_uri_sans="spiffe://default/*,kuma://*" \ - key_usage="KeyUsageKeyEncipherment,KeyUsageKeyAgreement,KeyUsageDigitalSignature" \ - ext_key_usage="ExtKeyUsageServerAuth,ExtKeyUsageClientAuth" \ - client_flag=true \ - require_cn=false \ - basic_constraints_valid_for_non_ca=true \ - max_ttl="720h" \ - ttl="720h" -``` - -#### Step 3. Create a policy to use the new role: - -```sh -cat > kmesh-default-dataplane-proxies.hcl <<- EOM -path "/kmesh-pki-default/issue/dataplane-proxies" -{ - capabilities = ["create", "update"] -} -EOM -vault policy write kmesh-default-dataplane-proxies kmesh-default-dataplane-proxies.hcl -``` - -#### Step 4. Create a Vault token: - -```sh -vault token create -format=json -policy="kmesh-default-dataplane-proxies" | jq -r ".auth.client_token" -``` - -The output should print a Vault token that you then provide as the `conf.fromCp.auth.token` value of the `Mesh` object. - -### Configure Mesh - -`kuma-cp` communicates directly with Vault. To connect to -Vault, you must provide credentials in the configuration of the `mesh` object of `kuma-cp`. - -You can authenticate with the `token` or with client certificates by providing `clientKey` and `clientCert`. - -You can provide these values inline for testing purposes only, as a path to a file on the -same host as `kuma-cp`, or contained in a `secret`. See [the Kuma Secrets documentation](https://kuma.io/docs/1.3.x/security/secrets/). 
- -Here's an example of a configuration with a `vault`-backed CA: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 1d # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - pki: kmesh-pki-default # name of the configured PKI - role: dataplane-proxies # name of the role that will be used to generate data plane proxy certificates - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inline - clientCert: - file: /tmp/cert.pem # can be file, secret or inlineString -``` - -Apply the configuration with `kubectl apply -f [..]`. - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: Mesh -name: default -mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 24h # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. 
Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inlineString - clientCert: - file: /tmp/cert.pem # can be file, secret or inline -``` - -Apply the configuration with `kumactl apply -f [..]`, or with the [HTTP API](https://kuma.io/docs/latest/reference/http-api). - -{% endnavtab %} -{% endnavtabs %} - -## Multi-zone and Vault - -In a multi-zone environment, the global control plane provides the `Mesh` to the zone control planes. However, you must make sure that each zone control plane communicates with Vault over the same address. This is because certificates for data plane proxies are issued from the zone control plane, not from the global control plane. - -You must also make sure the global control plane communicates with Vault. When a new Vault backend is configured, {{site.mesh_product_name}} validates the connection by issuing a test certificate. In a multi-zone environment, validation is performed on the global control plane. diff --git a/app/mesh/1.3.x/gettingstarted.md b/app/mesh/1.3.x/gettingstarted.md deleted file mode 100644 index 9b4f89a1b4af..000000000000 --- a/app/mesh/1.3.x/gettingstarted.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Getting Started with Kong Mesh ---- - -## Getting Started - -{{site.mesh_product_name}} — built on top of CNCF's Kuma and Envoy — - tries to be as close as possible to the usage of Kuma itself, while providing - drop-in binary replacements for both the control plane and data plane - executables. - -You can download the {{site.mesh_product_name}} binaries from the -[official installation page](/mesh/{{page.release}}/install), then follow -[Kuma's official documentation](https://kuma.io/docs){:target="_blank"} to start using the product. - -{:.note} -Kuma, a donated CNCF project, was originally created by Kong, which is -currently maintaining both the project and the documentation. - -## 1. Installing {{site.mesh_product_name}} - -Download and install {{site.mesh_product_name}} from the -[official installation page](/mesh/{{page.release}}/install). - -## 2. Getting Started - -After you install, follow the Kuma getting started guide to get -{{site.mesh_product_name}} up and running: - -* [Getting started with Kubernetes](https://kuma.io/docs/latest/quickstart/kubernetes/){:target="_blank"} -* [Getting started with Universal](https://kuma.io/docs/latest/quickstart/universal/){:target="_blank"} - -## 3. Learn more - -* Read the [Kuma documentation](https://kuma.io/docs/){:target="_blank"} -* Learn about enterprise features: - * [Support for HashiCorp Vault CA](/mesh/{{page.release}}/features/vault/) - * [Support for Open Policy Agent](/mesh/{{page.release}}/features/opa/) - * [Multi-zone authentication](/mesh/{{page.release}}/features/kds-auth/) - * [Support for FIPS](/mesh/{{page.release}}/features/fips-support/) - -If you are a {{site.mesh_product_name}} customer, you can also open a support -ticket with any question or feedback you may have. diff --git a/app/mesh/1.3.x/index.md b/app/mesh/1.3.x/index.md deleted file mode 100644 index f2291cfa000a..000000000000 --- a/app/mesh/1.3.x/index.md +++ /dev/null 
@@ -1,137 +0,0 @@ ---- -title: Kong Mesh -subtitle: A modern control plane built on top of Envoy and focused on simplicity, security, and scalability ---- - -{:.note} -> **Demo**: To see {{site.mesh_product_name}} in action, you can -[request a demo](https://konghq.com/request-demo-kong-mesh/) and -we will get in touch with you. - -Welcome to the official documentation for {{site.mesh_product_name}}! - -{{site.mesh_product_name}} is an enterprise-grade service mesh that runs on -both Kubernetes and VMs on any cloud. Built on top of CNCF's -[Kuma](https://kuma.io) and Envoy and focused on simplicity, -{{site.mesh_product_name}} enables the microservices transformation with: -* Out-of-the-box service connectivity and discovery -* Zero-trust security -* Traffic reliability -* Global observability across all traffic, including cross-cluster deployments - -{{site.mesh_product_name}} extends Kuma and Envoy with enterprise features and -support, while providing native integration with -[{{site.ee_product_name}}](https://konghq.com/products/kong-enterprise) for a -full-stack connectivity platform for all of your services and APIs, across -every cloud and environment. - -{:.note} -> Kuma itself was originally created by Kong and donated to CNCF to -provide the first neutral Envoy-based service mesh to the industry. Kong -still maintains and develops Kuma, which is the foundation for -{{site.mesh_product_name}}. - -
- -
- {{site.mesh_product_name}} extends CNCF's Kuma and Envoy to provide an - enterprise-grade service mesh with unique features in the service mesh - landscape, while still relying on a neutral foundation. -
-
-{{site.mesh_product_name}} provides a unique combination of strengths and -features in the service mesh ecosystem, specifically designed for the enterprise -architect, including: - -* **Universal** support for both Kubernetes and VM-based services. -* **Single and Multi Zone** deployments to support multi-cloud and multi-cluster - environments with global/remote control plane modes, automatic Ingress - connectivity, and service discovery. -* **Multi-Mesh** to create as many service meshes as we need, using one cluster - with low operational costs. -* **Easy to install and use** and turnkey, by abstracting away all the -complexity of running a service mesh with easy-to-use policies for managing -services and traffic. -* **Full-Stack Connectivity** by natively integrating with Kong and -{{site.ee_product_name}} for end-to-end connectivity that goes from the API -gateway to the service mesh. -* **Powered by Kuma and Envoy** to provide a modern and reliable CNCF -open source foundation for an enterprise service mesh. - -When used in combination with {{site.ee_product_name}}, {{site.mesh_product_name}} -provides a full stack connectivity platform for all of our L4-L7 connectivity, -for both edge and internal API traffic. - -
- -
- Two different applications - "Banking" and "Trading" - run in their - own meshes "A" and "B" across different data centers. In this example, - {{site.base_gateway}} is being used both for edge communication, and for internal - communication between meshes. -
- -## Why {{site.mesh_product_name}}? {#why-kong-mesh} - -Organizations are transitioning to distributed software architectures to -support and accelerate innovation, gain digital revenue, and reduce costs. -A successful transition to microservices requires many pieces to fall into -place: that services are connected reliably with minimal latency, -that they are protected with end-to-end security, that they are discoverable -and fully observable. However, this presents challenges due to the need to -write custom code for security and identity, a lack of granular telemetry, -and insufficient traffic management capabilities, especially as the number of -services grows. - -Leading organizations are looking to service meshes to address these challenges -in a scalable and standardized way. With a service mesh, you can: - -* **Ensure service connectivity, discovery, and traffic reliability**: Apply -out-of-box traffic management to intelligently route traffic across any -platform and any cloud to meet expectations and SLAs. -* **Achieve Zero-Trust Security**: Restrict access by default, encrypt all -traffic, and only complete transactions when identity is verified. -* **Gain Global Traffic Observability**: Gain a detailed understanding of your -service behavior to increase application reliability and the efficiency of -your teams. - -{{site.mesh_product_name}} is the universal service mesh for enterprise -organizations focused on simplicity and scalability with Kuma and Envoy. -Kong’s service mesh is unique in that it allows you to: - -* **Start, secure, and scale with ease**: - * Deploy a turnkey service mesh with a single command. - * Group services by attributes to efficiently apply policies. - * Manage multiple service meshes as tenants of a single control plane to - provide scale and reduce operational costs. -* **Run anywhere**: - * Deploy the service mesh across any environment, including multi-cluster, - multi-cloud, and multi-platform. 
- * Manage service meshes natively in Kubernetes using CRDs, or start with a - service mesh in a VM environment and migrate to Kubernetes at your own pace. -* **Connect services end-to-end**: - * Integrate into the {{site.ee_product_name}} platform for full stack connectivity, - including Ingress and Egress traffic for your service mesh. - * Expose mesh services for internal or external consumption and manage the - full lifecycle of APIs. - -Thanks to the underlying Kuma runtime, with {{site.mesh_product_name}}, you -can easily support multiple clusters, clouds, and architectures using the -multi-zone capability that ships out of the box. This — combined with -multi-mesh support — lets you create a service mesh powered by an Envoy proxy -for the entire organization in just a few steps. You can do this for both -simple and distributed deployments, including multi-cloud, multi-cluster, and -hybrid Kubernetes/VMs: - -
- -
- {{site.mesh_product_name}} can support multiple zones (like a Kubernetes - cluster, VPC, data center, etc.) together in the same distributed deployment. - Then, you can create multiple isolated virtual meshes with the same - control plane in order to support every team and application in the - organization. -
-
-[Learn more](/mesh/latest/production/deployment/) about the -standalone and multi-zone deployment modes in the Kuma documentation. diff --git a/app/mesh/1.3.x/install.md b/app/mesh/1.3.x/install.md deleted file mode 100644 index 44b3bc73c810..000000000000 --- a/app/mesh/1.3.x/install.md +++ /dev/null @@ -1,108 +0,0 @@ ---- -title: Install Kong Mesh -disable_image_expand: true ---- - -## Install {{site.mesh_product_name}} - -{{site.mesh_product_name}} is built on top of Kuma and Envoy. To create a -seamless experience, {{site.mesh_product_name}} follows the same installation -and configuration procedures as Kuma, but with {{site.mesh_product_name}}-specific binaries. - -On this page, you will find access to the official {{site.mesh_product_name}} -distributions that provide a drop-in replacement to Kuma's native binaries, plus -links to cloud marketplace integrations. - -**The latest {{site.mesh_product_name}} version is -{{page.kong_latest.version}}.** - -{% navtabs %} -{% navtab Containerized %} - - - -{% endnavtab %} -{% navtab Operating Systems %} - - - -{% endnavtab %} -{% endnavtabs %} - -## Licensing - -Your {{site.mesh_product_name}} license includes an expiration date and the number of data plane proxies you can deploy. If you deploy more proxies than your license allows, you receive a warning. - -You have a 30-day grace period after the license expires. Make sure to renew your license before the grace period ends. - -## Check version - -To confirm that you have installed the right version of -{{site.mesh_product_name}}, run the following commands and -make sure the version output starts with the `{{site.mesh_product_name}}` -prefix: - -```sh -$ kumactl version -Kong Mesh [VERSION NUMBER] - -$ kuma-cp version -Kong Mesh [VERSION NUMBER] - -$ kuma-dp version -Kong Mesh [VERSION NUMBER] -``` diff --git a/app/mesh/1.3.x/installation/amazonlinux.md b/app/mesh/1.3.x/installation/amazonlinux.md deleted file mode 100644 index 0130c8bfb791..000000000000 
--- a/app/mesh/1.3.x/installation/amazonlinux.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Kong Mesh with Amazon Linux ---- - -{:.note} -> If you want to use {{site.mesh_product_name}} on Amazon EKS, follow the -[Kubernetes instructions](/mesh/{{page.release}}/installation/kubernetes/) -instead. - -To install and run {{site.mesh_product_name}} on Amazon Linux (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download the latest version of {{site.mesh_product_name}}: - -```sh -$ yum install -y tar gzip -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.3.x/installation/centos.md b/app/mesh/1.3.x/installation/centos.md deleted file mode 100644 index f2272d48a02c..000000000000 --- a/app/mesh/1.3.x/installation/centos.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Kong Mesh with CentOS ---- - -To install and run {{site.mesh_product_name}} on CentOS (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -{:.note} -> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant -build of Envoy. This build is only available on CentOS 8 and later. For any previous -versions, use [Docker](/mesh/{{page.release}}/installation/docker/). - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.3.x/installation/debian.md b/app/mesh/1.3.x/installation/debian.md deleted file mode 100644 index d2e32294a077..000000000000 --- a/app/mesh/1.3.x/installation/debian.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: Kong Mesh with Debian ---- - -To install and run {{site.mesh_product_name}} on Debian (**amd64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.3.x/installation/docker.md b/app/mesh/1.3.x/installation/docker.md deleted file mode 100644 index 473ccc7421f7..000000000000 --- a/app/mesh/1.3.x/installation/docker.md +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -title: Kong Mesh with Docker ---- - -To install and run {{site.mesh_product_name}} on Docker: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -The official Docker images are used by default in the -Kubernetes -distributions. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{{site.mesh_product_name}} provides the following Docker images for all of its -executables, hosted on Docker Hub: - -* **kuma-cp**: at [`kong/kuma-cp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-cp) -* **kuma-dp**: at [`kong/kuma-dp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-dp) -* **kumactl**: at [`kong/kumactl:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kumactl) -* **kuma-prometheus-sd**: at [`kong/kuma-prometheus-sd:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-prometheus-sd) - -`docker pull` each image that you need. For example: - -```sh -$ docker pull kong/kuma-cp:{{page.kong_latest.version}} -``` - -## 2. Run {{site.mesh_product_name}} - -Run the control plane with: - -```sh -$ docker run \ - -p 5681:5681 \ - -v /path/to/license.json:/license.json \ - -e "KMESH_LICENSE_PATH=/license.json" \ - kong/kuma-cp:{{page.kong_latest.version}} run -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the host that will be mounted as `/license.json` into the -container. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. 
- -This runs {{site.mesh_product_name}} with a [memory backend](https://kuma.io/docs/latest/explore/backends/), -but you can use a persistent storage like PostgreSQL by updating the `conf/kuma-cp.conf` file. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) is running, you can access the -control plane using either the GUI, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681/gui` to see -the GUI. - -{% endnavtab %} -{% navtab HTTP API (Read & Write) %} - -{{site.mesh_product_name}} ships with a **read and write** HTTP API that you can -use to perform operations on {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681` to see -the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read & Write) %} - -You can use the `kumactl` CLI to perform **read and write** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. For example: - -```sh -$ docker run \ - --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "type: Mesh - name: default - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | docker run -i --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl apply -f - -``` - -This runs `kumactl` from the Docker -container on the same network as the host, but most likely you want to download -a compatible version of {{site.mesh_product_name}} for the machine where you -will be executing the commands. 
- -See the individual installation pages for your OS to download and extract -`kumactl` to your machine: -* [CentOS](/mesh/{{page.release}}/installation/centos/) -* [Red Hat](/mesh/{{page.release}}/installation/redhat/) -* [Debian](/mesh/{{page.release}}/installation/debian/) -* [Ubuntu](/mesh/{{page.release}}/installation/ubuntu/) -* [macOS](/mesh/{{page.release}}/installation/macos/) - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Universal deployments](https://kuma.io/docs/latest/quickstart/universal/). -If you are entirely using Docker, you may also be interested in checking out the -[Kubernetes quickstart](https://kuma.io/docs/latest/quickstart/kubernetes/) as well. diff --git a/app/mesh/1.3.x/installation/helm.md b/app/mesh/1.3.x/installation/helm.md deleted file mode 100644 index a133b3f0a927..000000000000 --- a/app/mesh/1.3.x/installation/helm.md +++ /dev/null 
@@ -1,174 +0,0 @@ ---- -title: Kong Mesh with Helm ---- - -To install and run {{site.mesh_product_name}} on Kubernetes using Helm: - -1. [Add the {{site.mesh_product_name}} Helm Repository](#1-add-the-kong-mesh-helm-repository) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Add the {{site.mesh_product_name}} Helm Repository - -To start using {{site.mesh_product_name}} with Helm charts, first add the -{{site.mesh_product_name}} charts repository to your local Helm deployment: - -```sh -$ helm repo add kong-mesh https://kong.github.io/kong-mesh-charts -``` - -Once the repo is added, any following updates can be fetched with -`helm repo update`. - -## 2. Run {{site.mesh_product_name}} - -Install and run {{site.mesh_product_name}} using the following commands. -You can use any Kubernetes namespace to install {{site.mesh_product_name}}, but as a default, we -suggest `kong-mesh-system`. - -1. Create the `kong-mesh-system` namespace: - - ```sh - $ kubectl create namespace kong-mesh-system - ``` - -2. Upload the license secret to the cluster: - - ```sh - $ kubectl create secret generic kong-mesh-license -n kong-mesh-system --from-file=/path/to/license.json - ``` - - Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} - license file on the file system. - - The filename should be license.json, unless otherwise specified in values.yaml. - -3. Deploy the {{site.mesh_product_name}} Helm chart: - - By default the license option is disabled and so you need to enable it in order for the license to take effect. 
- The easiest option is to override each field on the CLI, the only - downside with this is every time you run a helm upgrade you need to supply these values otherwise they will be - reverted back to what the charts default values are for those fields, i.e. disabled - - ```sh - $ helm repo update - $ helm upgrade -i -n kong-mesh-system kong-mesh kong-mesh/kong-mesh \ - --set kuma.controlPlane.secrets[0].Env="KMESH_LICENSE_INLINE" \ - --set kuma.controlPlane.secrets[0].Secret="kong-mesh-license" \ - --set kuma.controlPlane.secrets[0].Key="license.json" - ``` - - This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ - deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) - like _multi-zone_. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) has been installed in the newly -created `kong-mesh-system` namespace, you can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. 
For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. 
- -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.3.x/quickstart/kubernetes/). diff --git a/app/mesh/1.3.x/installation/kubernetes.md b/app/mesh/1.3.x/installation/kubernetes.md deleted file mode 100644 index 0dd017f3c221..000000000000 --- a/app/mesh/1.3.x/installation/kubernetes.md +++ /dev/null 
@@ -1,191 +0,0 @@ ---- -title: Kong Mesh with Kubernetes ---- - -To install and run {{site.mesh_product_name}} on Kubernetes: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -Download a compatible version of {{site.mesh_product_name}} for the machine from which you -will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the client host from the machine where you plan to run the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -Then, run the control plane with: - -```sh -$ kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f - -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can create a link -in `/usr/local/bin/` by running: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -It may take a while for Kubernetes to start the -{{site.mesh_product_name}} resources. 
You can check the status by executing: - -```sh -$ kubectl get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -You can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. 
To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -{{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.3.x/quickstart/kubernetes/). diff --git a/app/mesh/1.3.x/installation/macos.md b/app/mesh/1.3.x/installation/macos.md deleted file mode 100644 index 73d718720179..000000000000 --- a/app/mesh/1.3.x/installation/macos.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Kong Mesh with macOS ---- - -To install and run {{site.mesh_product_name}} on macOS: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -{:.important .no-icon} -> FIPS compliance is not supported on macOS. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on macOS, you can choose from the following -installation methods: - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.3.x/installation/openshift.md b/app/mesh/1.3.x/installation/openshift.md deleted file mode 100644 index c2690810ef6d..000000000000 --- a/app/mesh/1.3.x/installation/openshift.md +++ /dev/null 
@@ -1,265 +0,0 @@ ---- -title: Kong Mesh with OpenShift ---- - -To install and run {{site.mesh_product_name}} on OpenShift: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on OpenShift, you need to download a -compatible version of {{site.mesh_product_name}} for the machine from which -you will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the **client host** from where you will be executing the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can also create a link -in `/usr/local/bin/` by executing: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -Then, run the control plane on OpenShift with: - -{% navtabs %} -{% navtab OpenShift 4.x %} - -```sh -kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f - -``` - -Starting from version 4.1, OpenShift uses `nftables` instead of `iptables`. So, -using init container for redirecting traffic to the proxy no longer works. -Instead, we use `kuma-cni`, which can be installed with the `--cni-enabled` flag. 
- -{% endnavtab %} -{% navtab OpenShift 3.11 %} - -By default, `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` are -disabled on OpenShift 3.11. - -To make them work, add the following `pluginConfig` into -`/etc/origin/master/master-config.yaml` on the master node: - -```yaml -admissionConfig: - pluginConfig: - MutatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission - ValidatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission -``` - -After updating `master-config.yaml`, restart the cluster and install -`control-plane`: - -```sh -$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -It may take a while for OpenShift to start the -{{site.mesh_product_name}} resources. You can check the status by running: - -```sh -$ oc get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -Now you can access the control plane with the GUI, `oc`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681` and defaults to `:5681/gui`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Navigate to `127.0.0.1:5681/gui` to see the GUI. 
- -{% endnavtab %} -{% navtab oc (Read & Write) %} -You can use {{site.mesh_product_name}} with `oc` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ oc get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | oc apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -Notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -{{site.mesh_product_name}} explicitly specifies a UID -for the `kuma-dp` sidecar to avoid capturing traffic from -`kuma-dp` itself. 
You must grant a `nonroot` -[Security Context Constraint](https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) -to the application namespace: - -```sh -$ oc adm policy add-scc-to-group nonroot system:serviceaccounts: -``` - -If the namespace is not configured properly, you will see the following error -on the `Deployment` or `DeploymentConfig`: - -```sh -'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: -[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]' -``` - -## 4. Quickstart - -Congratulations! You have successfully installed {{site.mesh_product_name}}. - -Before running the Kuma Demo in the Quickstart guide, -run the following command: - -```sh -$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo -``` - -One of the components in the demo requires root access, therefore it uses the -`anyuid` instead of the `nonroot` permission. - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.3.x/quickstart/kubernetes/). diff --git a/app/mesh/1.3.x/installation/redhat.md b/app/mesh/1.3.x/installation/redhat.md deleted file mode 100644 index 4f366cca09d6..000000000000 --- a/app/mesh/1.3.x/installation/redhat.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Kong Mesh with Red Hat ---- - -To install and run {{site.mesh_product_name}} on Red Hat (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -{:.note} -> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant -build of Envoy. This build is only available on Red Hat 8 and later. For any previous -versions, use [Docker](/mesh/{{page.release}}/installation/docker/). - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.3.x/installation/ubuntu.md b/app/mesh/1.3.x/installation/ubuntu.md deleted file mode 100644 index 3ed46bfefadc..000000000000 --- a/app/mesh/1.3.x/installation/ubuntu.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Kong Mesh with Ubuntu ---- - -To install and run {{site.mesh_product_name}} on Ubuntu (**amd64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) - the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include /md/mesh/install-universal-run.md kong_latest=page.kong_latest %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.3.x/patches/opa-policy.yaml b/app/mesh/1.3.x/patches/opa-policy.yaml deleted file mode 100644 index cc8b2e75cbf3..000000000000 --- a/app/mesh/1.3.x/patches/opa-policy.yaml +++ /dev/null 
@@ -1,392 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: opapolicies.kuma.io -spec: - group: kuma.io - names: - kind: OPAPolicy - plural: opapolicies - scope: Cluster - validation: - openAPIV3Schema: - description: OPAPolicy is the Schema for the opapolicy API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map stored with - a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' - type: object - clusterName: - description: The name of the cluster which the object belongs to. This - is used to distinguish resources with same name and namespace in different - clusters. This field is not set anywhere right now and apiserver is - going to ignore it if set in create or update request. - type: string - creationTimestamp: - description: "CreationTimestamp is a timestamp representing the server - time when this object was created. It is not guaranteed to be set - in happens-before order across separate operations. Clients may not - set this value. It is represented in RFC3339 form and is in UTC. 
\n - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - deletionGracePeriodSeconds: - description: Number of seconds allowed for this object to gracefully - terminate before it will be removed from the system. Only set when - deletionTimestamp is also set. May only be shortened. Read-only. - format: int64 - type: integer - deletionTimestamp: - description: "DeletionTimestamp is RFC 3339 date and time at which this - resource will be deleted. This field is set by the server when a graceful - deletion is requested by the user, and is not directly settable by - a client. The resource is expected to be deleted (no longer visible - from resource lists, and not reachable by name) after the time in - this field, once the finalizers list is empty. As long as the finalizers - list contains items, deletion is blocked. Once the deletionTimestamp - is set, this value may not be unset or be set further into the future, - although it may be shortened or the resource may be deleted prior - to this time. For example, a user may request that a pod is deleted - in 30 seconds. The Kubelet will react by sending a graceful termination - signal to the containers in the pod. After that 30 seconds, the Kubelet - will send a hard termination signal (SIGKILL) to the container and - after cleanup, remove the pod from the API. In the presence of network - partitions, this object may still exist after this timestamp, until - an administrator or automated process can determine the resource is - fully terminated. If not set, graceful deletion of the object has - not been requested. \n Populated by the system when a graceful deletion - is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - finalizers: - description: Must be empty before the object is deleted from the registry. 
- Each entry is an identifier for the responsible component that will - remove the entry from the list. If the deletionTimestamp of the object - is non-nil, entries in this list can only be removed. - items: - type: string - type: array - generateName: - description: "GenerateName is an optional prefix, used by the server, - to generate a unique name ONLY IF the Name field has not been provided. - If this field is used, the name returned to the client will be different - than the name passed. This value will also be combined with a unique - suffix. The provided value has the same validation rules as the Name - field, and may be truncated by the length of the suffix required to - make the value unique on the server. \n If this field is specified - and the generated name exists, the server will NOT return a 409 - - instead, it will either return 201 Created or 500 with Reason ServerTimeout - indicating a unique name could not be found in the time allotted, - and the client should retry (optionally after the time indicated in - the Retry-After header). \n Applied only if Name is not specified. - More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" - type: string - generation: - description: A sequence number representing a specific generation of - the desired state. Populated by the system. Read-only. - format: int64 - type: integer - initializers: - description: "An initializer is a controller which enforces some system - invariant at object creation time. This field is a list of initializers - that have not yet acted on this object. If nil or empty, this object - has been completely initialized. Otherwise, the object is considered - uninitialized and is hidden (in list/watch and get calls) from clients - that haven't explicitly asked to observe uninitialized objects. \n - When an object is created, the system will populate this list with - the current set of initializers. Only privileged users may set or - modify this list. 
Once it is empty, it may not be modified further - by any user. \n DEPRECATED - initializers are an alpha field and will - be removed in v1.15." - properties: - pending: - description: Pending is a list of initializers that must execute - in order before this object is visible. When the last pending - initializer is removed, and no failing result is set, the initializers - struct will be set to nil and the object is considered as initialized - and visible to all clients. - items: - properties: - name: - description: name of the process that is responsible for initializing - this object. - type: string - required: - - name - type: object - type: array - result: - description: If result is set with the Failure field, the object - will be persisted to storage and then deleted, ensuring that other - clients can observe the deletion. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this - representation of an object. Servers should convert recognized - schemas to the latest internal value, and may reject unrecognized - values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - code: - description: Suggested HTTP return code for this status, 0 if - not set. - format: int32 - type: integer - details: - description: Extended data associated with the reason. Each - reason may define its own extended details. This field is - optional and the data returned is not guaranteed to conform - to any schema except that defined by the reason type. - properties: - causes: - description: The Causes array includes more details associated - with the StatusReason failure. Not all StatusReasons may - provide detailed causes. - items: - properties: - field: - description: "The field of the resource that has caused - this error, as named by its JSON serialization. - May include dot and postfix notation for nested - attributes. Arrays are zero-indexed. 
Fields may - appear more than once in an array of causes due - to fields having multiple errors. Optional. \n Examples: - \ \"name\" - the field \"name\" on the current - resource \"items[0].name\" - the field \"name\" - on the first array entry in \"items\"" - type: string - message: - description: A human-readable description of the cause - of the error. This field may be presented as-is - to a reader. - type: string - reason: - description: A machine-readable description of the - cause of the error. If this value is empty there - is no information available. - type: string - type: object - type: array - group: - description: The group attribute of the resource associated - with the status StatusReason. - type: string - kind: - description: 'The kind attribute of the resource associated - with the status StatusReason. On some operations may differ - from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: The name attribute of the resource associated - with the status StatusReason (when there is a single name - which can be described). - type: string - retryAfterSeconds: - description: If specified, the time in seconds before the - operation should be retried. Some errors may indicate - the client must take an alternate action - for those errors - this field may indicate how long to wait before taking - the alternate action. - format: int32 - type: integer - uid: - description: 'UID of the resource. (when there is a single - resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - type: object - kind: - description: 'Kind is a string value representing the REST resource - this object represents. Servers may infer this from the endpoint - the client submits requests to. Cannot be updated. In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - message: - description: A human-readable description of the status of this - operation. - type: string - metadata: - description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - properties: - continue: - description: continue may be set if the user set a limit - on the number of items returned, and indicates that the - server has more data available. The value is opaque and - may be used to issue another request to the endpoint that - served this list to retrieve the next set of available - objects. Continuing a consistent list may not be possible - if the server configuration has changed or more than a - few minutes have passed. The resourceVersion field returned - when using this continue value will be identical to the - value in the first response, unless you have received - this token from an error message. - type: string - resourceVersion: - description: 'String that identifies the server''s internal - version of this object that can be used by clients to - determine when objects have changed. Value must be treated - as opaque by clients and passed unmodified back to the - server. Populated by the system. Read-only. More info: - https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' - type: string - selfLink: - description: selfLink is a URL representing this object. - Populated by the system. Read-only. - type: string - type: object - reason: - description: A machine-readable description of why this operation - is in the "Failure" status. If this value is empty there is - no information available. A Reason clarifies an HTTP status - code but does not override it. - type: string - status: - description: 'Status of the operation. One of: "Success" or - "Failure". 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' - type: string - type: object - required: - - pending - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used to organize - and categorize (scope and select) objects. May match selectors of - replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' - type: object - managedFields: - description: "ManagedFields maps workflow-id and version to the set - of fields that are managed by that workflow. This is mostly for internal - housekeeping, and users typically shouldn't need to set or understand - this field. A workflow can be the user's name, a controller's name, - or the name of a specific apply path like \"ci-cd\". The set of fields - is always in the version that the workflow used when modifying the - object. \n This field is alpha and can be changed or removed without - notice." - items: - properties: - apiVersion: - description: APIVersion defines the version of this resource that - this field set applies to. The format is "group/version" just - like the top-level APIVersion field. It is necessary to track - the version of a field set because it cannot be automatically - converted. - type: string - fields: - additionalProperties: true - description: Fields identifies a set of fields. - type: object - manager: - description: Manager is an identifier of the workflow managing - these fields. - type: string - operation: - description: Operation is the type of operation which lead to - this ManagedFieldsEntry being created. The only valid values - for this field are 'Apply' and 'Update'. - type: string - time: - description: Time is timestamp of when these fields were set. - It should always be empty if Operation is 'Apply' - format: date-time - type: string - type: object - type: array - name: - description: 'Name must be unique within a namespace. 
Is required when - creating resources, although some resources may allow a client to - request the generation of an appropriate name automatically. Name - is primarily intended for creation idempotence and configuration definition. - Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - namespace: - description: "Namespace defines the space within each name must be unique. - An empty namespace is equivalent to the \"default\" namespace, but - \"default\" is the canonical representation. Not all objects are required - to be scoped to a namespace - the value of this field for those objects - will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: - http://kubernetes.io/docs/user-guide/namespaces" - type: string - ownerReferences: - description: List of objects depended by this object. If ALL objects - in the list have been deleted, this object will be garbage collected. - If this object is managed by a controller, then an entry in this list - will point to this controller, with the controller field set to true. - There cannot be more than one managing controller. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. Defaults to false. To - set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - type: array - resourceVersion: - description: "An opaque value that represents the internal version of - this object that can be used by clients to determine when objects - have changed. May be used for optimistic concurrency, change detection, - and the watch operation on a resource or set of resources. Clients - must treat these values as opaque and passed unmodified back to the - server. They may only be valid for a particular resource or set of - resources. \n Populated by the system. Read-only. Value must be treated - as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" - type: string - selfLink: - description: SelfLink is a URL representing this object. Populated by - the system. Read-only. - type: string - uid: - description: "UID is the unique in time and space value for this object. - It is typically generated by the server on successful creation of - a resource and is not allowed to change on PUT operations. \n Populated - by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids" - type: string - type: object - mesh: - type: string - spec: - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true diff --git a/app/mesh/1.4.x/features/ca-rotation.md b/app/mesh/1.4.x/features/ca-rotation.md deleted file mode 100644 index e105f5dbcb94..000000000000 --- a/app/mesh/1.4.x/features/ca-rotation.md +++ /dev/null 
@@ -1,233 +0,0 @@ ---- -title: Certificate Authority rotation ---- - -## Overview - -{{site.mesh_product_name}} lets you provide secure communication between applications with mTLS. You can change the mTLS backend with -Certificate Authority rotation, to support a scenario such as migrating from the builtin CA to a Vault CA. - -You can define many backends in the `mtls` section of the Mesh configuration. The data plane proxy is configured to support -certificates signed by the CA of each defined backend. However, the proxy uses only one certificate, specified by the `enabledBackend` -tag. For example: - -{% navtabs %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key -``` -{% endnavtab %} -{% navtab Universal %} -```yaml -type: Mesh -name: default -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key -``` -{% endnavtab %} -{% endnavtabs %} - -## Usage - -Start with mTLS enabled and a `builtin` backend named `ca-1`: - -{% navtabs %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin -``` -{% endnavtab %} -{% navtab Universal %} -```yaml -type: Mesh -name: default -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin -``` -{% endnavtab %} -{% endnavtabs %} - -Then, follow the steps to rotate certificates to a new `provided` backend named `ca-2`. -Each step can take some time, but {{site.mesh_product_name}} provides validators to prevent you from -continuing too soon. - -{% navtabs %} -{% navtab Kubernetes %} -1. 
Add a new backend to the list of backends: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, all data plane proxies support CAs from `ca-1` and `ca-2`. - But the data plane proxy certificates are still signed by the CA from `ca-1`. - -2. Change `enabledBackend` to the new backend: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-2 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates are signed by the CA from `ca-2`. - The data plane proxies still support CAs from `ca-1` and `ca-2`. - -3. Remove the old backend: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-2 - backends: - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates should still be signed by the CA from `ca-2`. - But the data plane proxies no longer support the CA from `ca-1`. - -{% endnavtab %} -{% navtab Universal %} -1. Add a new backend to the list of backends: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, all data plane proxies support CAs from `ca-1` and `ca-2`. - But the data plane proxy certificates are still signed by the CA from `ca-1`. - -2. 
Change `enabledBackend` to the new backend: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-2 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates are signed by the CA from `ca-2`. - The data plane proxies still support CAs from `ca-1` and `ca-2`. - -3. Remove the old backend: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-2 - backends: - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates should still be signed by the CA from `ca-2`. - But the data plane proxies no longer support the CA from `ca-1`. -{% endnavtab %} -{% endnavtabs %} \ No newline at end of file diff --git a/app/mesh/1.4.x/features/fips-support.md b/app/mesh/1.4.x/features/fips-support.md deleted file mode 100644 index 08db52166d88..000000000000 --- a/app/mesh/1.4.x/features/fips-support.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Kong Mesh - FIPS Support -toc: false ---- - -With version 1.2.0, {{site.mesh_product_name}} provides built-in support for the Federal Information Processing Standard (FIPS-2). Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors. - -FIPS support is provided by implementing Envoy's FIPS-compliant mode for BoringSSL. For more information about how it works, see Envoy's [FIPS 140-2 documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2). - -{:.important .no-icon} -> FIPS compliance is not supported on macOS. diff --git a/app/mesh/1.4.x/features/kds-auth.md b/app/mesh/1.4.x/features/kds-auth.md deleted file mode 100644 index 793c89861413..000000000000 --- a/app/mesh/1.4.x/features/kds-auth.md +++ /dev/null 
@@ -1,283 +0,0 @@ ---- -title: Multi-zone authentication ---- - -To add to the security of your deployments, {{site.mesh_product_name}} provides token generation for authenticating remote control planes to the global control plane. - -The control plane token is a JWT that contains: - -- The name of the zone the token is generated for -- The token's serial number, used for token rotation - -The control plane token is signed by a signing key that is autogenerated on the global control plane. The signing key is SHA256 encrypted. - -You can check for the signing key: - -``` -$ kumactl get global-secrets -``` - -which returns something like: - -``` -NAME AGE -control-plane-signing-key-0001 36m -``` - -## Set up tokens - -To generate the tokens you need and configure your clusters: - -- Generate a token for each remote control plane. -- Add the token to the configuration for each remote zone. -- Enable authentication on the global control plane. - -### Generate token for each remote zone - -On the global control plane, [authenticate](/mesh/latest/production/secure-deployment/certificates/#user-to-control-plane-communication) and run the following command: - -``` -$ kumactl generate control-plane-token --zone=west > /tmp/token -$ cat /tmp/token -``` - -The generated token looks like: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -For authentication to the global control plane on Kubernetes, you can port-forward port 5681 to access the API. 
- -### Add token to each zone configuration - -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-token-path` argument, where the value is the path to the file where the token is stored: - -``` -$ kumactl install control-plane \ - --mode=zone \ - --zone= \ - --cp-token-path=/tmp/token \ - --ingress-enabled \ - --kds-global-address grpcs://`` | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Create a secret with a token in the same namespace where {{site.mesh_product_name}} is installed: - -``` -$ kubectl create secret generic cp-token -n kong-mesh-system --from-file=/tmp/token -``` - -Add the following to `Values.yaml`: -```yaml -kuma: - controlPlane: - secrets: - - Env: "KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE" - Secret: "cp-token" - Key: "token" -``` - - -{% endnavtab %} -{% navtab Universal %} - -Either: - -- Set the token as an inline value in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable: - -```sh -$ KUMA_MODE=zone \ - KUMA_MULTIZONE_ZONE_NAME= \ - KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ" \ - ./kuma-cp run -``` - -OR - -- Store the token in a file, then set the path to the file in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable. -```sh -$ KUMA_MODE=zone \ - KUMA_MULTIZONE_ZONE_NAME= \ - KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH="/tmp/token" \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -### Enable authentication on the global control plane - -If you are starting from scratch and not securing existing {{site.mesh_product_name}} deployment, you can do this as a first step. 
- -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-auth` argument with the value `cpToken`: - -```sh -$ kumactl install control-plane \ - --mode=global \ - --cp-auth=cpToken | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Add the following to `Values.yaml`: - -```yaml -kuma: - controlPlane: - envVars: - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE: cpToken -``` - -{% endnavtab %} -{% navtab Universal %} - -Set `KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE` to `cpToken`: - -```sh -$ KUMA_MODE=global \ - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE=cpToken \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -Verify the remote control plane is connected with authentication by looking at the global control plane logs: - -``` -2021-02-24T14:30:38.596+0100 INFO kds.auth Remote CP successfully authenticated using Control Plane Token {"tokenSerialNumber": 1, "zone": "cluster-2"} -``` - -## Rotate tokens - -If a control plane token or signing key is compromised, you must rotate all tokens. - -### Generate new signing key - -The signing key is stored as a `GlobalSecret` with a name that looks like `control-plane-signing-key-{serialNumber}`. - -Make sure to generate the new signing key with a serial number greater than the serial number of the current signing key. - - -{% navtabs %} -{% navtab Kubernetes %} - -Check what is the current highest serial number. - -```sh -$ kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/global-secret' -NAME TYPE DATA AGE -control-plane-signing-key-0001 system.kuma.io/global-secret 1 25m -``` - -In this case, the highest serial number is `0001`. 
Generate a new Signing Key with a serial number of `0002` - -```sh -$ TOKEN="$(kumactl generate signing-key)" && echo " -apiVersion: v1 -data: - value: $TOKEN -kind: Secret -metadata: - name: control-plane-signing-key-0002 - namespace: kong-mesh-system -type: system.kuma.io/global-secret -" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Universal %} - -Check what is the current highest serial number. - -```sh -$ kumactl get global-secrets -NAME AGE -control-plane-signing-key-0001 36m -``` - -In this case, the highest serial number is `0001`. Generate a new Signing Key with a serial number of `0002` - -```sh -echo " -type: GlobalSecret -name: control-plane-signing-key-0002 -data: {{ key }} -" | kumactl apply --var key=$(kumactl generate signing-key) -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -### Regenerate control plane tokens - -Create and add a new token for each zone control plane. These tokens are automatically created with the signing key that's assigned the highest serial number, so they're created with the new signing key. - -Make sure the new signing key is available; otherwise old and new tokens are created with the same signing key and can both provide authentication. - -### Remove the old signing key - -{% navtabs %} -{% navtab Kubernetes %} - -```sh -$ kubectl delete secret control-plane-signing-key-0001 -n kong-mesh-system -``` - -{% endnavtab %} -{% navtab Universal %} - -```sh -$ kumactl delete global-secret control-plane-signing-key-0001 -``` - -{% endnavtab %} -{% endnavtabs %} - -All new connections to the global control plane now require tokens signed with the new signing key. - -### Restart the global control plane - -Restart all instances of the global control plane. All connections are now authenticated with the new tokens. - -## Explore an example token - -You can decode the tokens to validate the signature or explore details. 
- -For example, run: -``` -$ kumactl generate control-plane-token --zone=west -``` - -which returns: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -Paste the token into the UI at jwt.io, or run - -``` -$ kumactl generate control-plane-token --zone=west | jwt -``` - -The result looks like: - -![JWT token decoded](/assets/images/docs/mesh/jwt-decoded.png) - -## Additional security - -By default, a connection from the zone control plane to the global control plane is secured with TLS. You should also configure the zone control plane to [verify the certificate authority (CA) of the global control plane](/mesh/latest/production/secure-deployment/certificates/#control-plane-to-control-plane-multizone){:target="_blank"}. diff --git a/app/mesh/1.4.x/features/opa.md b/app/mesh/1.4.x/features/opa.md deleted file mode 100644 index 1a4bab1241fe..000000000000 --- a/app/mesh/1.4.x/features/opa.md +++ /dev/null 
@@ -1,639 +0,0 @@ ---- -title: Kong Mesh - OPA Policy Integration ---- - -## OPA policy plugin - -{{site.mesh_product_name}} integrates the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to provide access control for your services. - -The agent is included in the data plane proxy sidecar, instead of the more common deployment as a separate sidecar. - -When `OPAPolicy` is applied, the control plane configures: - -- the embedded policy agent, with the specified policy -- Envoy, to use [External Authorization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto) that points to the embedded policy agent - -## Usage - -To apply a policy with OPA: - -- Specify the group of data plane proxies to apply the policy to with the `selectors` property. -- Provide a policy with the `conf` property. Policies are defined in the [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/). -{:.note} -> **Note:** You cannot currently apply multiple OPA policies. This limitation will be addressed in the future. - -- Optionally provide custom configuration for the policy agent. - - -You must also specify the HTTP protocol in your mesh configuration: - -{% navtabs %} -{% navtab Kubernetes %} - -Add the HTTP protocol annotation to the Kubernetes Service configuration, with the general syntax `.service.kuma.io/protocol`. - -Example: - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: web - namespace: kong-mesh-example - annotations: - 8080.service.kuma.io/protocol: http # required for OPA support -spec: - selector: - app: web - ports: - - port: 8080 -``` - -{% endnavtab %} -{% navtab Universal %} - -Add the HTTP protocol tag to the `Dataplane` configuration. 
- -Example: - -```yaml -type: Dataplane -mesh: default -name: web -networking: - address: 192.168.0.1 - inbound: - - port: 80 - servicePort: 8080 - tags: - kuma.io/service: web - kuma.io/protocol: http # required for OPA support -``` - -{% endnavtab %} -{% endnavtabs %} - -For more information, see [the Kuma documentation about protocol support](https://kuma.io/docs/latest/policies/protocol-support-in-kuma/). - -### Inline - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": 
"secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% endnavtabs %} - -### With Secrets - -Encoding the policy in a [Secret](https://kuma.io/docs/1.4.x/security/secrets/)) provides some security for policies that contain sensitive data. - -{% navtabs %} -{% navtab Kubernetes %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: opa-policy - namespace: kong-mesh-system - labels: - kuma.io/mesh: default - data: - value: 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 - type: system.kuma.io/secret - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% navtab Universal %} - -1. 
Define a Secret with a policy that's Base64-encoded: - - ```yaml - type: Secret - name: sample-secret - mesh: default - data: cGFja2FnZSBlbnZveS5hdXRoegoKaW1wb3J0IGlucHV0LmF0dHJpYnV0ZXMucmVxdWVzdC5odHRwIGFzIGh0dHBfcmVxdWVzdAoKZGVmYXVsdCBhbGxvdyA9IGZhbHNlCgp0b2tlbiA9IHsidmFsaWQiOiB2YWxpZCwgInBheWxvYWQiOiBwYXlsb2FkfSB7CiAgICBbXywgZW5jb2RlZF0gOj0gc3BsaXQoaHR0cF9yZXF1ZXN0LmhlYWRlcnMuYXV0aG9yaXphdGlvbiwgIiAiKQogICAgW3ZhbGlkLCBfLCBwYXlsb2FkXSA6PSBpby5qd3QuZGVjb2RlX3ZlcmlmeShlbmNvZGVkLCB7InNlY3JldCI6ICJzZWNyZXQifSkKfQoKYWxsb3cgewogICAgaXNfdG9rZW5fdmFsaWQKICAgIGFjdGlvbl9hbGxvd2VkCn0KCmlzX3Rva2VuX3ZhbGlkIHsKICB0b2tlbi52YWxpZAogIG5vdyA6PSB0aW1lLm5vd19ucygpIC8gMTAwMDAwMDAwMAogIHRva2VuLnBheWxvYWQubmJmIDw9IG5vdwogIG5vdyA8IHRva2VuLnBheWxvYWQuZXhwCn0KCmFjdGlvbl9hbGxvd2VkIHsKICBodHRwX3JlcXVlc3QubWV0aG9kID09ICJHRVQiCiAgdG9rZW4ucGF5bG9hZC5yb2xlID09ICJhZG1pbiIKfQoK - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - type: OPAPolicy - mesh: default - name: opa-1 - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% endnavtabs %} - -## Configuration - -{{site.mesh_product_name}} defines a default configuration for OPA, but you can adjust the configuration to meet your environment's requirements. 
- -The following environment variables are available: - -| Variable | Type | What it configures | Default value {:width=25%:} | -| -------------------------- | --------- | --------------------------------------| ------------------- | -| KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` | -| KMESH_OPA_CONFIG_PATH | string | Path to file of initial config | N/A | -| KMESH_OPA_DIAGNOSTIC_ADDR | string | Address of OPA diagnostics server | `0.0.0.0:8282` | -| KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true | -| KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` | -| KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | [plugins.envoy_ext_authz_grpc. query=data.envoy.authz.allow] | - -{% navtabs %} -{% navtab Kubernetes %} - -You can customize the agent in either of the following ways: - -- Override variables in the data plane proxy config: -{% navtabs %} -{% navtab kumactl %} - -When you deploy the Mesh control plane, edit the `kong-mesh-control-plane-config` ConfigMap: - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kong-mesh-control-plane-config - namespace: kong-mesh-system -data: - config.yaml: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% navtab Helm %} - -Override the Helm value in `values.yaml` - -```yaml -kuma: - controlPlane: - config: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% endnavtabs %} -{% endnavtab %} -{% navtab Universal %} - -The `run` command on the data plane proxy accepts the following equivalent parameters if you prefer not to set environment variables: - - -``` ---opa-addr 
---opa-config-path ---opa-diagnostic-addr ---opa-enabled ---opa-ext-authz-addr ---opa-set strings -``` - -{% endnavtab %} -{% endnavtabs %} - -- Override the config for individual data plane proxies by placing the appropriate annotations on the Pod: - -``` -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example-app - namespace: kuma-example -spec: - ... - template: - metadata: - ... - annotations: - # indicate to Kuma that this Pod doesn't need a sidecar - kuma.io/sidecar-env-vars: "KMESH_OPA_ENABLED=false;KMESH_OPA_ADDR=:8888;KMESH_OPA_CONFIG_OVERRIDES=config1:x,config2:y" -``` - -## Configuring the authorization filter - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny' defines the behaviour when communication with the agent fails or the policy execution fails. - requestBody: # optional - maxSize: 1024 # the max number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - secret: opa-policy -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. http statusCode to use when the connection to the agent failed. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny'. defines the behaviour when communication with the agent fails or the policy execution fails. 
- requestBody: # optional - maxSize: 1024 # the maximum number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - secret: opa-policy -``` - -{% endnavtab %} -{% endnavtabs %} - -By default, the body will not be sent to the agent. -To send it, set `authConfig.requestBody.maxSize` to the maximum size of your body. -If the request body is larger than this parameter, it will be truncated and the header `x-envoy-auth-partial-body` will be set to `true`. - -## Support for external API management servers - -The `agentConfig` field lets you define a custom configuration that points to an external management server: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: - inlineString: | - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: - inlineString: | # one of: inlineString, secret - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% endnavtabs %} - -## Example - -The following example shows how to deploy and test a sample OPA Policy 
on Kubernetes, using the kuma-demo application. - -1. Deploy the example application: - - ``` - kubectl apply -f https://bit.ly/demokuma - ``` - -1. Make a request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 1717af9c-2587-43b9-897f-f8061bba5ad4 - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 15:33:18 GMT - < x-envoy-upstream-service-time: 1521 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - -1. 
Apply an OPA Policy that requires a valid JWT token: - - ``` - echo " - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - inlineString: | - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {\"valid\": valid, \"payload\": payload} { - [_, encoded] := split(http_request.headers.authorization, \" \") - [valid, _, payload] := io.jwt.decode_verify(encoded, {\"secret\": \"secret\"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == \"GET\" - token.payload.role == \"admin\" - } - " | kubectl apply -f - - ``` - -1. Make an invalid request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-bwvnb -n kuma-demo' to see all of the containers in this pod. - * Trying 10.105.146.164:3001... - * TCP_NODELAY set - * Connected to backend (10.105.146.164) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < date: Tue, 09 Mar 2021 16:50:40 GMT - < server: envoy - < x-envoy-upstream-service-time: 2 - < content-length: 0 - < - * Connection #0 to host backend left intact - ``` - - Note the `HTTP/1.1 403 Forbidden` message. The application doesn't allow a request without a valid token. - - The policy can take up to 30 seconds to propagate, so if this request succeeds the first time, wait and then try again. - -1. 
Make a valid request from the frontend to the backend: - - ``` - $ export ADMIN_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJzdWIiOiJZbTlpIiwibmJmIjoxNTE0ODUxMTM5LCJleHAiOjI1MjQ2MDgwMDB9.H0-42LYzoWyQ_4MXAcED30u6lA5JE087eECV2nxDfXo" - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl -H "Authorization: Bearer $ADMIN_TOKEN" backend:3001 - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 8fd7b398-1ba2-4c2e-b229-5159d04d782e - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 17:26:00 GMT - < x-envoy-upstream-service-time: 261 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - - The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired. diff --git a/app/mesh/1.4.x/features/vault.md b/app/mesh/1.4.x/features/vault.md deleted file mode 100644 index 53d40d9e46ec..000000000000 --- a/app/mesh/1.4.x/features/vault.md +++ /dev/null 
@@ -1,269 +0,0 @@ ---- -title: Kong Mesh - Vault Policy ---- - -## Vault CA Backend - -The default [mTLS policy in Kuma](https://kuma.io/docs/latest/policies/mutual-tls/) -supports the following backends: - -* `builtin`: {{site.mesh_product_name}} automatically generates the Certificate -Authority (CA) root certificate and key that will be used to generate the data -plane certificates. -* `provided`: the CA root certificate and key can be provided by the user. - -{{site.mesh_product_name}} adds: - -* `vault`: {{site.mesh_product_name}} generates data plane certificates -using a CA root certificate and key stored in a HashiCorp Vault -server. - -## Vault mode - -In `vault` mTLS mode, {{site.mesh_product_name}} communicates with the HashiCorp Vault PKI, -which generates the data plane proxy certificates automatically. -{{site.mesh_product_name}} does not retrieve private key of the CA to generate data plane proxy certificates, -which means that private key of the CA is secured by Vault and not exposed to third parties. - -In `vault` mode, you point {{site.mesh_product_name}} to the -Vault server and provide the appropriate credentials. {{site.mesh_product_name}} -uses these parameters to authenticate the control plane and generate the -data plane certificates. - -When {{site.mesh_product_name}} is running in `vault` mode, the backend communicates with Vault and ensures -that Vault's PKI automatically issues data plane certificates and rotates them for -each proxy. - -### Configure Vault - -The `vault` mTLS backend expects a configured PKI and role for generating data plane proxy certificates. - -The following steps show how to configure Vault for {{site.mesh_product_name}} with a mesh named -`default`. For your environment, replace `default` with the appropriate mesh name. - -#### Step 1. Configure the Certificate Authority - -{{site.mesh_product_name}} works with a Root CA or an Intermediate CA. 
- -{% navtabs %} -{% navtab Root CA %} - -Create a new PKI for the `default` Mesh called `kmesh-pki-default`: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate a new Root Certificate Authority for the `default` Mesh: - -```sh -vault secrets tune -max-lease-ttl=87600h kmesh-pki-default -``` - -```sh -vault write -field=certificate kmesh-pki-default/root/generate/internal \ - common_name="Kong Mesh Default" \ - uri_sans="spiffe://default" \ - ttl=87600h -``` - -{% endnavtab %} -{% navtab Intermediate CA %} - -Create a new Root Certificate Authority and save it to a file called `ca.pem`: - -```sh -vault secrets enable pki -``` - -```sh -vault secrets tune -max-lease-ttl=87600h pki -``` - -```sh -vault write -field=certificate pki/root/generate/internal \ - common_name="Organization CA" \ - ttl=87600h > ca.pem -``` - -You can also use your current Root CA, retrieve the PEM-encoded certificate, and save it to `ca.pem`. - -Create a new PKI for the `default` Mesh: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate the Intermediate CA for the `default` Mesh: - -```sh -vault write -format=json kmesh-pki-default/intermediate/generate/internal \ - common_name="Kong Mesh Mesh Default" \ - uri_sans="spiffe://default" \ - | jq -r '.data.csr' > pki_intermediate.csr -``` - -Sign the Intermediate CA with the Root CA. Make sure to pass the right path for the PKI that has the Root CA. -In this example, the path value is `pki`: - -```sh -vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \ - format=pem_bundle \ - ttl="43800h" \ - | jq -r '.data.certificate' > intermediate.cert.pem -``` - -Set the certificate of signed Intermediate CA to the `default` Mesh PKI. 
You must include the public certificate of the Root CA -so that data plane proxies can verify the certificates: - -```sh -cat intermediate.cert.pem > bundle.pem -echo "" >> bundle.pem -cat ca.pem >> bundle.pem -vault write kmesh-pki-default/intermediate/set-signed certificate=@bundle.pem -``` - -{% endnavtab %} -{% endnavtabs %} - -#### Step 2. Create a role for generating data plane proxy certificates: - -```sh -vault write kmesh-pki-default/roles/dataplane-proxies \ - allowed_uri_sans="spiffe://default/*,kuma://*" \ - key_usage="KeyUsageKeyEncipherment,KeyUsageKeyAgreement,KeyUsageDigitalSignature" \ - ext_key_usage="ExtKeyUsageServerAuth,ExtKeyUsageClientAuth" \ - client_flag=true \ - require_cn=false \ - allowed_domains="mesh" \ - allow_subdomains=true \ - basic_constraints_valid_for_non_ca=true \ - max_ttl="720h" \ - ttl="720h" -``` - -{:.note} -> **Note:** Use the `allowed_domains` and `allow_subdomains` parameters -**only** when `commonName` is set in the mTLS Vault backend. - -#### Step 3. Create a policy to use the new role: - -```sh -cat > kmesh-default-dataplane-proxies.hcl <<- EOM -path "/kmesh-pki-default/issue/dataplane-proxies" -{ - capabilities = ["create", "update"] -} -EOM -vault policy write kmesh-default-dataplane-proxies kmesh-default-dataplane-proxies.hcl -``` - -#### Step 4. Create a Vault token: - -```sh -vault token create -format=json -policy="kmesh-default-dataplane-proxies" | jq -r ".auth.client_token" -``` - -The output should print a Vault token that you then provide as the `conf.fromCp.auth.token` value of the `Mesh` object. - -### Configure Mesh - -`kuma-cp` communicates directly with Vault. To connect to -Vault, you must provide credentials in the configuration of the `mesh` object of `kuma-cp`. - -You can authenticate with the `token` or with client certificates by providing `clientKey` and `clientCert`. 
- -You can provide these values inline for testing purposes only, as a path to a file on the -same host as `kuma-cp`, or contained in a `secret`. See [the Kuma Secrets documentation](https://kuma.io/docs/1.4.x/security/secrets/). - -Here's an example of a configuration with a `vault`-backed CA: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 1d # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - pki: kmesh-pki-default # name of the configured PKI - role: dataplane-proxies # name of the role that will be used to generate data plane proxy certificates - commonName: {% raw %}'{{ tag "kuma.io/service" }}.mesh'{% endraw %} # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inline - clientCert: - file: /tmp/cert.pem # can be file, secret or inlineString -``` - -Apply the configuration with `kubectl apply -f [..]`. 
- -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: Mesh -name: default -mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 24h # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - pki: kmesh-pki-default # name of the configured PKI - role: dataplane-proxies # name of the role that will be used to generate data plane proxy certificates - commonName: {% raw %}'{{ tag "kuma.io/service" }}.mesh'{% endraw %} # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inlineString - clientCert: - file: /tmp/cert.pem # can be file, secret or inline -``` - -Apply the configuration with `kumactl apply -f [..]`, or with the [HTTP API](https://kuma.io/docs/latest/reference/http-api). - -{% endnavtab %} -{% endnavtabs %} - -## Multi-zone and Vault - -In a multi-zone environment, the global control plane provides the `Mesh` to the zone control planes. However, you must make sure that each zone control plane communicates with Vault over the same address. This is because certificates for data plane proxies are issued from the zone control plane, not from the global control plane. - -You must also make sure the global control plane communicates with Vault. When a new Vault backend is configured, {{site.mesh_product_name}} validates the connection by issuing a test certificate. In a multi-zone environment, validation is performed on the global control plane. 
diff --git a/app/mesh/1.4.x/gettingstarted.md b/app/mesh/1.4.x/gettingstarted.md
deleted file mode 100644
index b12da3459ad3..000000000000
--- a/app/mesh/1.4.x/gettingstarted.md
+++ /dev/null
@@ -1,44 +0,0 @@ ---- -title: Getting Started with Kong Mesh ---- - -## Getting Started - -{{site.mesh_product_name}} — built on top of CNCF's Kuma and Envoy — - tries to be as close as possible to the usage of Kuma itself, while providing - drop-in binary replacements for both the control plane and data plane - executables. - -You can download the {{site.mesh_product_name}} binaries from the -[official installation page](/mesh/{{page.release}}/install), then follow -[Kuma's official documentation](https://kuma.io/docs){:target="_blank"} to start using the product. - -{:.note} -Kuma, a donated CNCF project, was originally created by Kong, which is -currently maintaining both the project and the documentation. - -## 1. Installing {{site.mesh_product_name}} - -Download and install {{site.mesh_product_name}} from the -[official installation page](/mesh/{{page.release}}/install). - -## 2. Getting Started - -After you install, follow the Kuma getting started guide to get -{{site.mesh_product_name}} up and running: - -* [Getting started with Kubernetes](https://kuma.io/docs/latest/quickstart/kubernetes/){:target="_blank"} -* [Getting started with Universal](https://kuma.io/docs/latest/quickstart/universal/){:target="_blank"} - -## 3. Learn more - -* Read the [Kuma documentation](https://kuma.io/docs/){:target="_blank"} -* Learn about enterprise features: - * [Support for HashiCorp Vault CA](/mesh/{{page.release}}/features/vault/) - * [Support for Open Policy Agent](/mesh/{{page.release}}/features/opa/) - * [Multi-zone authentication](/mesh/{{page.release}}/features/kds-auth/) - * [Support for FIPS](/mesh/{{page.release}}/features/fips-support/) - * [Certificate Authority rotation](/mesh/{{page.release}}/features/ca-rotation/) - -If you are a {{site.mesh_product_name}} customer, you can also open a support -ticket with any question or feedback you may have. 
diff --git a/app/mesh/1.4.x/index.md b/app/mesh/1.4.x/index.md deleted file mode 100644 index 2d8fa9cf282a..000000000000 --- a/app/mesh/1.4.x/index.md +++ /dev/null @@ -1,145 +0,0 @@ ---- -title: Kong Mesh -subtitle: A modern control plane built on top of Envoy and focused on simplicity, security, and scalability ---- - -{:.note} -> **Demo**: To see {{site.mesh_product_name}} in action, you can -[request a demo](https://konghq.com/request-demo-kong-mesh/) and -we will get in touch with you. - -Welcome to the official documentation for {{site.mesh_product_name}}! - -{{site.mesh_product_name}} is an enterprise-grade service mesh that runs on -both Kubernetes and VMs on any cloud. Built on top of CNCF's -[Kuma](https://kuma.io) and Envoy and focused on simplicity, -{{site.mesh_product_name}} enables the microservices transformation with: -* Out-of-the-box service connectivity and discovery -* Zero-trust security -* Traffic reliability -* Global observability across all traffic, including cross-cluster deployments - -{{site.mesh_product_name}} extends Kuma and Envoy with enterprise features and -support, while providing native integration with -[{{site.ee_product_name}}](https://konghq.com/products/api-gateway-platform) for a -full-stack connectivity platform for all of your services and APIs, across -every cloud and environment. - -{:.note} -> Kuma itself was originally created by Kong and donated to CNCF to -provide the first neutral Envoy-based service mesh to the industry. Kong -still maintains and develops Kuma, which is the foundation for -{{site.mesh_product_name}}. - -
-
- -
- {{site.mesh_product_name}} extends CNCF's Kuma and Envoy to provide an - enterprise-grade service mesh with unique features in the service mesh - landscape, while still relying on a neutral foundation. -
-
-{{site.mesh_product_name}} provides a unique combination of strengths and -features in the service mesh ecosystem, specifically designed for the enterprise -architect, including: - -* **Universal** support for both Kubernetes and VM-based services. -* **Single and Multi Zone** deployments to support multi-cloud and multi-cluster - environments with global/remote control plane modes, automatic Ingress - connectivity, and service discovery. -* **Multi-Mesh** to create as many service meshes as we need, using one cluster - with low operational costs. -* **Easy to install and use** and turnkey, by abstracting away all the -complexity of running a service mesh with easy-to-use policies for managing -services and traffic. -* **Full-Stack Connectivity** by natively integrating with Kong and -{{site.ee_product_name}} for end-to-end connectivity that goes from the API -gateway to the service mesh. -* **Powered by Kuma and Envoy** to provide a modern and reliable CNCF -open source foundation for an enterprise service mesh. - -When used in combination with {{site.ee_product_name}}, {{site.mesh_product_name}} -provides a full stack connectivity platform for all of our L4-L7 connectivity, -for both edge and internal API traffic. - -
- -
- Two different applications - "Banking" and "Trading" - run in their - own meshes "A" and "B" across different data centers. In this example, - {{site.base_gateway}} is being used both for edge communication, and for internal - communication between meshes. -
- -## Why {{site.mesh_product_name}}? {#why-kong-mesh} - -Organizations are transitioning to distributed software architectures to -support and accelerate innovation, gain digital revenue, and reduce costs. -A successful transition to microservices requires many pieces to fall into -place: that services are connected reliably with minimal latency, -that they are protected with end-to-end security, that they are discoverable -and fully observable. However, this presents challenges due to the need to -write custom code for security and identity, a lack of granular telemetry, -and insufficient traffic management capabilities, especially as the number of -services grows. - -Leading organizations are looking to service meshes to address these challenges -in a scalable and standardized way. With a service mesh, you can: - -* **Ensure service connectivity, discovery, and traffic reliability**: Apply -out-of-box traffic management to intelligently route traffic across any -platform and any cloud to meet expectations and SLAs. -* **Achieve Zero-Trust Security**: Restrict access by default, encrypt all -traffic, and only complete transactions when identity is verified. -* **Gain Global Traffic Observability**: Gain a detailed understanding of your -service behavior to increase application reliability and the efficiency of -your teams. - -{{site.mesh_product_name}} is the universal service mesh for enterprise -organizations focused on simplicity and scalability with Kuma and Envoy. -Kong’s service mesh is unique in that it allows you to: - -* **Start, secure, and scale with ease**: - * Deploy a turnkey service mesh with a single command. - * Group services by attributes to efficiently apply policies. - * Manage multiple service meshes as tenants of a single control plane to - provide scale and reduce operational costs. -* **Run anywhere**: - * Deploy the service mesh across any environment, including multi-cluster, - multi-cloud, and multi-platform. 
- * Manage service meshes natively in Kubernetes using CRDs, or start with a - service mesh in a VM environment and migrate to Kubernetes at your own pace. -* **Connect services end-to-end**: - * Integrate into the {{site.ee_product_name}} platform for full stack connectivity, - including Ingress and Egress traffic for your service mesh. - * Expose mesh services for internal or external consumption and manage the - full lifecycle of APIs. - -Thanks to the underlying Kuma runtime, with {{site.mesh_product_name}}, you -can easily support multiple clusters, clouds, and architectures using the -multi-zone capability that ships out of the box. This — combined with -multi-mesh support — lets you create a service mesh powered by an Envoy proxy -for the entire organization in just a few steps. You can do this for both -simple and distributed deployments, including multi-cloud, multi-cluster, and -hybrid Kubernetes/VMs: - -
- -
- {{site.mesh_product_name}} can support multiple zones (like a Kubernetes - cluster, VPC, data center, etc.) together in the same distributed deployment. - Then, you can create multiple isolated virtual meshes with the same - control plane in order to support every team and application in the - organization. -
-
-[Learn more](/mesh/latest/production/deployment/) about the -standalone and multi-zone deployment modes in the Kuma documentation. - -## Support policy -Kong primarily follows a [semantic versioning](https://semver.org/) (SemVer) -model for its products. - -For the latest version support information for -{{site.mesh_product_name}}, see our [version support policy](/mesh/latest/support-policy/). diff --git a/app/mesh/1.4.x/install.md b/app/mesh/1.4.x/install.md deleted file mode 100644 index 44b3bc73c810..000000000000 --- a/app/mesh/1.4.x/install.md +++ /dev/null 
@@ -1,108 +0,0 @@ ---- -title: Install Kong Mesh -disable_image_expand: true ---- - -## Install {{site.mesh_product_name}} - -{{site.mesh_product_name}} is built on top of Kuma and Envoy. To create a -seamless experience, {{site.mesh_product_name}} follows the same installation -and configuration procedures as Kuma, but with {{site.mesh_product_name}}-specific binaries. - -On this page, you will find access to the official {{site.mesh_product_name}} -distributions that provide a drop-in replacement to Kuma's native binaries, plus -links to cloud marketplace integrations. - -**The latest {{site.mesh_product_name}} version is -{{page.kong_latest.version}}.** - -{% navtabs %} -{% navtab Containerized %} - - - -{% endnavtab %} -{% navtab Operating Systems %} - - - -{% endnavtab %} -{% endnavtabs %} - -## Licensing - -Your {{site.mesh_product_name}} license includes an expiration date and the number of data plane proxies you can deploy. If you deploy more proxies than your license allows, you receive a warning. - -You have a 30-day grace period after the license expires. Make sure to renew your license before the grace period ends. - -## Check version - -To confirm that you have installed the right version of -{{site.mesh_product_name}}, run the following commands and -make sure the version output starts with the `{{site.mesh_product_name}}` -prefix: - -```sh -$ kumactl version -Kong Mesh [VERSION NUMBER] - -$ kuma-cp version -Kong Mesh [VERSION NUMBER] - -$ kuma-dp version -Kong Mesh [VERSION NUMBER] -``` diff --git a/app/mesh/1.4.x/installation/amazonlinux.md b/app/mesh/1.4.x/installation/amazonlinux.md deleted file mode 100644 index a0ce434228dd..000000000000 --- a/app/mesh/1.4.x/installation/amazonlinux.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: Kong Mesh with Amazon Linux ---- - -{:.note} -> If you want to use {{site.mesh_product_name}} on Amazon EKS, follow the -[Kubernetes instructions](/mesh/{{page.release}}/installation/kubernetes/) -instead. - -To install and run {{site.mesh_product_name}} on Amazon Linux (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download the latest version of {{site.mesh_product_name}}: - -```sh -$ yum install -y tar gzip -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.4.x/installation/centos.md b/app/mesh/1.4.x/installation/centos.md deleted file mode 100644 index aa40af65efe0..000000000000 --- a/app/mesh/1.4.x/installation/centos.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Kong Mesh with CentOS ---- - -To install and run {{site.mesh_product_name}} on CentOS (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -{:.note} -> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant -build of Envoy. This build is only available on CentOS 8 and later. For any previous -versions, use [Docker](/mesh/{{page.release}}/installation/docker/). - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.4.x/installation/debian.md b/app/mesh/1.4.x/installation/debian.md deleted file mode 100644 index 9e204e1e4791..000000000000 --- a/app/mesh/1.4.x/installation/debian.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: Kong Mesh with Debian ---- - -To install and run {{site.mesh_product_name}} on Debian (**amd64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.4.x/installation/docker.md b/app/mesh/1.4.x/installation/docker.md deleted file mode 100644 index 473ccc7421f7..000000000000 --- a/app/mesh/1.4.x/installation/docker.md +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -title: Kong Mesh with Docker ---- - -To install and run {{site.mesh_product_name}} on Docker: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -The official Docker images are used by default in the -Kubernetes -distributions. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{{site.mesh_product_name}} provides the following Docker images for all of its -executables, hosted on Docker Hub: - -* **kuma-cp**: at [`kong/kuma-cp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-cp) -* **kuma-dp**: at [`kong/kuma-dp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-dp) -* **kumactl**: at [`kong/kumactl:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kumactl) -* **kuma-prometheus-sd**: at [`kong/kuma-prometheus-sd:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-prometheus-sd) - -`docker pull` each image that you need. For example: - -```sh -$ docker pull kong/kuma-cp:{{page.kong_latest.version}} -``` - -## 2. Run {{site.mesh_product_name}} - -Run the control plane with: - -```sh -$ docker run \ - -p 5681:5681 \ - -v /path/to/license.json:/license.json \ - -e "KMESH_LICENSE_PATH=/license.json" \ - kong/kuma-cp:{{page.kong_latest.version}} run -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the host that will be mounted as `/license.json` into the -container. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. 
- -This runs {{site.mesh_product_name}} with a [memory backend](https://kuma.io/docs/latest/explore/backends/), -but you can use a persistent storage like PostgreSQL by updating the `conf/kuma-cp.conf` file. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) is running, you can access the -control plane using either the GUI, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681/gui` to see -the GUI. - -{% endnavtab %} -{% navtab HTTP API (Read & Write) %} - -{{site.mesh_product_name}} ships with a **read and write** HTTP API that you can -use to perform operations on {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681` to see -the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read & Write) %} - -You can use the `kumactl` CLI to perform **read and write** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. For example: - -```sh -$ docker run \ - --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "type: Mesh - name: default - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | docker run -i --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl apply -f - -``` - -This runs `kumactl` from the Docker -container on the same network as the host, but most likely you want to download -a compatible version of {{site.mesh_product_name}} for the machine where you -will be executing the commands. 
- -See the individual installation pages for your OS to download and extract -`kumactl` to your machine: -* [CentOS](/mesh/{{page.release}}/installation/centos/) -* [Red Hat](/mesh/{{page.release}}/installation/redhat/) -* [Debian](/mesh/{{page.release}}/installation/debian/) -* [Ubuntu](/mesh/{{page.release}}/installation/ubuntu/) -* [macOS](/mesh/{{page.release}}/installation/macos/) - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Universal deployments](https://kuma.io/docs/latest/quickstart/universal/). -If you are entirely using Docker, you may also be interested in checking out the -[Kubernetes quickstart](https://kuma.io/docs/latest/quickstart/kubernetes/) as well. diff --git a/app/mesh/1.4.x/installation/helm.md b/app/mesh/1.4.x/installation/helm.md deleted file mode 100644 index cd6514d46980..000000000000 --- a/app/mesh/1.4.x/installation/helm.md +++ /dev/null 
@@ -1,175 +0,0 @@ ---- -title: Kong Mesh with Helm ---- - -To install and run {{site.mesh_product_name}} on Kubernetes using Helm: - -1. [Add the {{site.mesh_product_name}} Helm Repository](#1-add-the-kong-mesh-helm-repository) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Add the {{site.mesh_product_name}} Helm Repository - -To start using {{site.mesh_product_name}} with Helm charts, first add the -{{site.mesh_product_name}} charts repository to your local Helm deployment: - -```sh -$ helm repo add kong-mesh https://kong.github.io/kong-mesh-charts -``` - -Once the repo is added, any following updates can be fetched with -`helm repo update`. - -## 2. Run {{site.mesh_product_name}} - -Install and run {{site.mesh_product_name}} using the following commands. -You can use any Kubernetes namespace to install {{site.mesh_product_name}}, but as a default, we -suggest `kong-mesh-system`. - -1. Create the `kong-mesh-system` namespace: - - ```sh - $ kubectl create namespace kong-mesh-system - ``` - -2. Upload the license secret to the cluster: - - ```sh - $ kubectl create secret generic kong-mesh-license -n kong-mesh-system --from-file=/path/to/license.json - ``` - - Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} - license file on the file system. - - The filename should be license.json, unless otherwise specified in values.yaml. - -3. Deploy the {{site.mesh_product_name}} Helm chart. - - By default, the license option is disabled, so you need to enable it for the license to take effect. - The easiest option is to override each field on the CLI. 
The only - downside to this method is that you need to supply these values every time you run a - `helm upgrade`, otherwise they will be reverted back to what the chart's default values are - for those fields, i.e. disabled. - - ```sh - $ helm repo update - $ helm upgrade -i -n kong-mesh-system kong-mesh kong-mesh/kong-mesh \ - --set kuma.controlPlane.secrets[0].Env="KMESH_LICENSE_INLINE" \ - --set kuma.controlPlane.secrets[0].Secret="kong-mesh-license" \ - --set kuma.controlPlane.secrets[0].Key="license.json" - ``` - - This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ - deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) - like _multi-zone_. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) has been installed in the newly -created `kong-mesh-system` namespace, you can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. 
For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. 
- -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.4.x/quickstart/kubernetes/). diff --git a/app/mesh/1.4.x/installation/kubernetes.md b/app/mesh/1.4.x/installation/kubernetes.md deleted file mode 100644 index 62094760398c..000000000000 --- a/app/mesh/1.4.x/installation/kubernetes.md +++ /dev/null 
@@ -1,191 +0,0 @@ ---- -title: Kong Mesh with Kubernetes ---- - -To install and run {{site.mesh_product_name}} on Kubernetes: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -Download a compatible version of {{site.mesh_product_name}} for the machine from which you -will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the client host from the machine where you plan to run the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -Then, run the control plane with: - -```sh -$ kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f - -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can create a link -in `/usr/local/bin/` by running: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -It may take a while for Kubernetes to start the -{{site.mesh_product_name}} resources. 
You can check the status by executing: - -```sh -$ kubectl get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -You can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. 
To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -{{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.4.x/quickstart/kubernetes/). diff --git a/app/mesh/1.4.x/installation/macos.md b/app/mesh/1.4.x/installation/macos.md deleted file mode 100644 index 3c759fa1eaaf..000000000000 --- a/app/mesh/1.4.x/installation/macos.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Kong Mesh with macOS ---- - -To install and run {{site.mesh_product_name}} on macOS: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -{:.important .no-icon} -> FIPS compliance is not supported on macOS. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on macOS, you can choose from the following -installation methods: - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.4.x/installation/openshift.md b/app/mesh/1.4.x/installation/openshift.md deleted file mode 100644 index 38d7d5c98150..000000000000 --- a/app/mesh/1.4.x/installation/openshift.md +++ /dev/null 
@@ -1,265 +0,0 @@ ---- -title: Kong Mesh with OpenShift ---- - -To install and run {{site.mesh_product_name}} on OpenShift: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on OpenShift, you need to download a -compatible version of {{site.mesh_product_name}} for the machine from which -you will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the **client host** from where you will be executing the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can also create a link -in `/usr/local/bin/` by executing: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -Then, run the control plane on OpenShift with: - -{% navtabs %} -{% navtab OpenShift 4.x %} - -```sh -kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f - -``` - -Starting from version 4.1, OpenShift uses `nftables` instead of `iptables`. So, -using init container for redirecting traffic to the proxy no longer works. -Instead, we use `kuma-cni`, which can be installed with the `--cni-enabled` flag. 
- -{% endnavtab %} -{% navtab OpenShift 3.11 %} - -By default, `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` are -disabled on OpenShift 3.11. - -To make them work, add the following `pluginConfig` into -`/etc/origin/master/master-config.yaml` on the master node: - -```yaml -admissionConfig: - pluginConfig: - MutatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission - ValidatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission -``` - -After updating `master-config.yaml`, restart the cluster and install -`control-plane`: - -```sh -$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -It may take a while for OpenShift to start the -{{site.mesh_product_name}} resources. You can check the status by running: - -```sh -$ oc get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -Now you can access the control plane with the GUI, `oc`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681` and defaults to `:5681/gui`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Navigate to `127.0.0.1:5681/gui` to see the GUI. 
- -{% endnavtab %} -{% navtab oc (Read & Write) %} -You can use {{site.mesh_product_name}} with `oc` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ oc get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | oc apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -Notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -{{site.mesh_product_name}} explicitly specifies a UID -for the `kuma-dp` sidecar to avoid capturing traffic from -`kuma-dp` itself. 
You must grant a `nonroot` -[Security Context Constraint](https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) -to the application namespace: - -```sh -$ oc adm policy add-scc-to-group nonroot system:serviceaccounts: -``` - -If the namespace is not configured properly, you will see the following error -on the `Deployment` or `DeploymentConfig`: - -```sh -'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: -[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]' -``` - -## 4. Quickstart - -Congratulations! You have successfully installed {{site.mesh_product_name}}. - -Before running the Kuma Demo in the Quickstart guide, -run the following command: - -```sh -$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo -``` - -One of the components in the demo requires root access, therefore it uses the -`anyuid` instead of the `nonroot` permission. - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.4.x/quickstart/kubernetes/). diff --git a/app/mesh/1.4.x/installation/redhat.md b/app/mesh/1.4.x/installation/redhat.md deleted file mode 100644 index 9e78739420c8..000000000000 --- a/app/mesh/1.4.x/installation/redhat.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Kong Mesh with Red Hat ---- - -To install and run {{site.mesh_product_name}} on Red Hat (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -{:.note} -> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant -build of Envoy. This build is only available on Red Hat 8 and later. For any previous -versions, use [Docker](/mesh/{{page.release}}/installation/docker/). - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.4.x/installation/ubuntu.md b/app/mesh/1.4.x/installation/ubuntu.md deleted file mode 100644 index c3362b6ac348..000000000000 --- a/app/mesh/1.4.x/installation/ubuntu.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Kong Mesh with Ubuntu ---- - -To install and run {{site.mesh_product_name}} on Ubuntu (**amd64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) - the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.4.x/patches/opa-policy.yaml b/app/mesh/1.4.x/patches/opa-policy.yaml deleted file mode 100644 index cc8b2e75cbf3..000000000000 --- a/app/mesh/1.4.x/patches/opa-policy.yaml +++ /dev/null 
@@ -1,392 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: opapolicies.kuma.io -spec: - group: kuma.io - names: - kind: OPAPolicy - plural: opapolicies - scope: Cluster - validation: - openAPIV3Schema: - description: OPAPolicy is the Schema for the opapolicy API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map stored with - a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' - type: object - clusterName: - description: The name of the cluster which the object belongs to. This - is used to distinguish resources with same name and namespace in different - clusters. This field is not set anywhere right now and apiserver is - going to ignore it if set in create or update request. - type: string - creationTimestamp: - description: "CreationTimestamp is a timestamp representing the server - time when this object was created. It is not guaranteed to be set - in happens-before order across separate operations. Clients may not - set this value. It is represented in RFC3339 form and is in UTC. 
\n - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - deletionGracePeriodSeconds: - description: Number of seconds allowed for this object to gracefully - terminate before it will be removed from the system. Only set when - deletionTimestamp is also set. May only be shortened. Read-only. - format: int64 - type: integer - deletionTimestamp: - description: "DeletionTimestamp is RFC 3339 date and time at which this - resource will be deleted. This field is set by the server when a graceful - deletion is requested by the user, and is not directly settable by - a client. The resource is expected to be deleted (no longer visible - from resource lists, and not reachable by name) after the time in - this field, once the finalizers list is empty. As long as the finalizers - list contains items, deletion is blocked. Once the deletionTimestamp - is set, this value may not be unset or be set further into the future, - although it may be shortened or the resource may be deleted prior - to this time. For example, a user may request that a pod is deleted - in 30 seconds. The Kubelet will react by sending a graceful termination - signal to the containers in the pod. After that 30 seconds, the Kubelet - will send a hard termination signal (SIGKILL) to the container and - after cleanup, remove the pod from the API. In the presence of network - partitions, this object may still exist after this timestamp, until - an administrator or automated process can determine the resource is - fully terminated. If not set, graceful deletion of the object has - not been requested. \n Populated by the system when a graceful deletion - is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - finalizers: - description: Must be empty before the object is deleted from the registry. 
- Each entry is an identifier for the responsible component that will - remove the entry from the list. If the deletionTimestamp of the object - is non-nil, entries in this list can only be removed. - items: - type: string - type: array - generateName: - description: "GenerateName is an optional prefix, used by the server, - to generate a unique name ONLY IF the Name field has not been provided. - If this field is used, the name returned to the client will be different - than the name passed. This value will also be combined with a unique - suffix. The provided value has the same validation rules as the Name - field, and may be truncated by the length of the suffix required to - make the value unique on the server. \n If this field is specified - and the generated name exists, the server will NOT return a 409 - - instead, it will either return 201 Created or 500 with Reason ServerTimeout - indicating a unique name could not be found in the time allotted, - and the client should retry (optionally after the time indicated in - the Retry-After header). \n Applied only if Name is not specified. - More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" - type: string - generation: - description: A sequence number representing a specific generation of - the desired state. Populated by the system. Read-only. - format: int64 - type: integer - initializers: - description: "An initializer is a controller which enforces some system - invariant at object creation time. This field is a list of initializers - that have not yet acted on this object. If nil or empty, this object - has been completely initialized. Otherwise, the object is considered - uninitialized and is hidden (in list/watch and get calls) from clients - that haven't explicitly asked to observe uninitialized objects. \n - When an object is created, the system will populate this list with - the current set of initializers. Only privileged users may set or - modify this list. 
Once it is empty, it may not be modified further - by any user. \n DEPRECATED - initializers are an alpha field and will - be removed in v1.15." - properties: - pending: - description: Pending is a list of initializers that must execute - in order before this object is visible. When the last pending - initializer is removed, and no failing result is set, the initializers - struct will be set to nil and the object is considered as initialized - and visible to all clients. - items: - properties: - name: - description: name of the process that is responsible for initializing - this object. - type: string - required: - - name - type: object - type: array - result: - description: If result is set with the Failure field, the object - will be persisted to storage and then deleted, ensuring that other - clients can observe the deletion. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this - representation of an object. Servers should convert recognized - schemas to the latest internal value, and may reject unrecognized - values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - code: - description: Suggested HTTP return code for this status, 0 if - not set. - format: int32 - type: integer - details: - description: Extended data associated with the reason. Each - reason may define its own extended details. This field is - optional and the data returned is not guaranteed to conform - to any schema except that defined by the reason type. - properties: - causes: - description: The Causes array includes more details associated - with the StatusReason failure. Not all StatusReasons may - provide detailed causes. - items: - properties: - field: - description: "The field of the resource that has caused - this error, as named by its JSON serialization. - May include dot and postfix notation for nested - attributes. Arrays are zero-indexed. 
Fields may - appear more than once in an array of causes due - to fields having multiple errors. Optional. \n Examples: - \ \"name\" - the field \"name\" on the current - resource \"items[0].name\" - the field \"name\" - on the first array entry in \"items\"" - type: string - message: - description: A human-readable description of the cause - of the error. This field may be presented as-is - to a reader. - type: string - reason: - description: A machine-readable description of the - cause of the error. If this value is empty there - is no information available. - type: string - type: object - type: array - group: - description: The group attribute of the resource associated - with the status StatusReason. - type: string - kind: - description: 'The kind attribute of the resource associated - with the status StatusReason. On some operations may differ - from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: The name attribute of the resource associated - with the status StatusReason (when there is a single name - which can be described). - type: string - retryAfterSeconds: - description: If specified, the time in seconds before the - operation should be retried. Some errors may indicate - the client must take an alternate action - for those errors - this field may indicate how long to wait before taking - the alternate action. - format: int32 - type: integer - uid: - description: 'UID of the resource. (when there is a single - resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - type: object - kind: - description: 'Kind is a string value representing the REST resource - this object represents. Servers may infer this from the endpoint - the client submits requests to. Cannot be updated. In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - message: - description: A human-readable description of the status of this - operation. - type: string - metadata: - description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - properties: - continue: - description: continue may be set if the user set a limit - on the number of items returned, and indicates that the - server has more data available. The value is opaque and - may be used to issue another request to the endpoint that - served this list to retrieve the next set of available - objects. Continuing a consistent list may not be possible - if the server configuration has changed or more than a - few minutes have passed. The resourceVersion field returned - when using this continue value will be identical to the - value in the first response, unless you have received - this token from an error message. - type: string - resourceVersion: - description: 'String that identifies the server''s internal - version of this object that can be used by clients to - determine when objects have changed. Value must be treated - as opaque by clients and passed unmodified back to the - server. Populated by the system. Read-only. More info: - https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' - type: string - selfLink: - description: selfLink is a URL representing this object. - Populated by the system. Read-only. - type: string - type: object - reason: - description: A machine-readable description of why this operation - is in the "Failure" status. If this value is empty there is - no information available. A Reason clarifies an HTTP status - code but does not override it. - type: string - status: - description: 'Status of the operation. One of: "Success" or - "Failure". 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' - type: string - type: object - required: - - pending - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used to organize - and categorize (scope and select) objects. May match selectors of - replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' - type: object - managedFields: - description: "ManagedFields maps workflow-id and version to the set - of fields that are managed by that workflow. This is mostly for internal - housekeeping, and users typically shouldn't need to set or understand - this field. A workflow can be the user's name, a controller's name, - or the name of a specific apply path like \"ci-cd\". The set of fields - is always in the version that the workflow used when modifying the - object. \n This field is alpha and can be changed or removed without - notice." - items: - properties: - apiVersion: - description: APIVersion defines the version of this resource that - this field set applies to. The format is "group/version" just - like the top-level APIVersion field. It is necessary to track - the version of a field set because it cannot be automatically - converted. - type: string - fields: - additionalProperties: true - description: Fields identifies a set of fields. - type: object - manager: - description: Manager is an identifier of the workflow managing - these fields. - type: string - operation: - description: Operation is the type of operation which lead to - this ManagedFieldsEntry being created. The only valid values - for this field are 'Apply' and 'Update'. - type: string - time: - description: Time is timestamp of when these fields were set. - It should always be empty if Operation is 'Apply' - format: date-time - type: string - type: object - type: array - name: - description: 'Name must be unique within a namespace. 
Is required when - creating resources, although some resources may allow a client to - request the generation of an appropriate name automatically. Name - is primarily intended for creation idempotence and configuration definition. - Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - namespace: - description: "Namespace defines the space within each name must be unique. - An empty namespace is equivalent to the \"default\" namespace, but - \"default\" is the canonical representation. Not all objects are required - to be scoped to a namespace - the value of this field for those objects - will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: - http://kubernetes.io/docs/user-guide/namespaces" - type: string - ownerReferences: - description: List of objects depended by this object. If ALL objects - in the list have been deleted, this object will be garbage collected. - If this object is managed by a controller, then an entry in this list - will point to this controller, with the controller field set to true. - There cannot be more than one managing controller. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. Defaults to false. To - set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - type: array - resourceVersion: - description: "An opaque value that represents the internal version of - this object that can be used by clients to determine when objects - have changed. May be used for optimistic concurrency, change detection, - and the watch operation on a resource or set of resources. Clients - must treat these values as opaque and passed unmodified back to the - server. They may only be valid for a particular resource or set of - resources. \n Populated by the system. Read-only. Value must be treated - as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" - type: string - selfLink: - description: SelfLink is a URL representing this object. Populated by - the system. Read-only. - type: string - uid: - description: "UID is the unique in time and space value for this object. - It is typically generated by the server on successful creation of - a resource and is not allowed to change on PUT operations. \n Populated - by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids" - type: string - type: object - mesh: - type: string - spec: - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true diff --git a/app/mesh/1.5.x/features/ca-rotation.md b/app/mesh/1.5.x/features/ca-rotation.md deleted file mode 100644 index e105f5dbcb94..000000000000 --- a/app/mesh/1.5.x/features/ca-rotation.md +++ /dev/null 
@@ -1,233 +0,0 @@ ---- -title: Certificate Authority rotation ---- - -## Overview - -{{site.mesh_product_name}} lets you provide secure communication between applications with mTLS. You can change the mTLS backend with -Certificate Authority rotation, to support a scenario such as migrating from the builtin CA to a Vault CA. - -You can define many backends in the `mtls` section of the Mesh configuration. The data plane proxy is configured to support -certificates signed by the CA of each defined backend. However, the proxy uses only one certificate, specified by the `enabledBackend` -tag. For example: - -{% navtabs %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key -``` -{% endnavtab %} -{% navtab Universal %} -```yaml -type: Mesh -name: default -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key -``` -{% endnavtab %} -{% endnavtabs %} - -## Usage - -Start with mTLS enabled and a `builtin` backend named `ca-1`: - -{% navtabs %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin -``` -{% endnavtab %} -{% navtab Universal %} -```yaml -type: Mesh -name: default -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin -``` -{% endnavtab %} -{% endnavtabs %} - -Then, follow the steps to rotate certificates to a new `provided` backend named `ca-2`. -Each step can take some time, but {{site.mesh_product_name}} provides validators to prevent you from -continuing too soon. - -{% navtabs %} -{% navtab Kubernetes %} -1. 
Add a new backend to the list of backends: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, all data plane proxies support CAs from `ca-1` and `ca-2`. - But the data plane proxy certificates are still signed by the CA from `ca-1`. - -2. Change `enabledBackend` to the new backend: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-2 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates are signed by the CA from `ca-2`. - The data plane proxies still support CAs from `ca-1` and `ca-2`. - -3. Remove the old backend: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-2 - backends: - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates should still be signed by the CA from `ca-2`. - But the data plane proxies no longer support the CA from `ca-1`. - -{% endnavtab %} -{% navtab Universal %} -1. Add a new backend to the list of backends: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, all data plane proxies support CAs from `ca-1` and `ca-2`. - But the data plane proxy certificates are still signed by the CA from `ca-1`. - -2. 
Change `enabledBackend` to the new backend: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-2 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates are signed by the CA from `ca-2`. - The data plane proxies still support CAs from `ca-1` and `ca-2`. - -3. Remove the old backend: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-2 - backends: - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates should still be signed by the CA from `ca-2`. - But the data plane proxies no longer support the CA from `ca-1`. -{% endnavtab %} -{% endnavtabs %} \ No newline at end of file diff --git a/app/mesh/1.5.x/features/fips-support.md b/app/mesh/1.5.x/features/fips-support.md deleted file mode 100644 index 0b607e1028c4..000000000000 --- a/app/mesh/1.5.x/features/fips-support.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: Kong Mesh - FIPS Support ---- - -With version 1.2.0, {{site.mesh_product_name}} provides built-in support for the Federal Information Processing Standard (FIPS-2). Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors. - -FIPS support is provided by implementing Envoy's FIPS-compliant mode for BoringSSL. For more information about how it works, see Envoy's [FIPS 140-2 documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2). - -{:.important .no-icon} -> FIPS compliance is not supported on macOS. diff --git a/app/mesh/1.5.x/features/kds-auth.md b/app/mesh/1.5.x/features/kds-auth.md deleted file mode 100644 index 447dce496ab0..000000000000 --- a/app/mesh/1.5.x/features/kds-auth.md +++ /dev/null 
@@ -1,318 +0,0 @@ ---- -title: Multi-zone authentication ---- - -To add to the security of your deployments, {{site.mesh_product_name}} provides token generation for authenticating zone control planes to the global control plane. - -The control plane token is a JWT that contains: - -- The name of the zone the token is generated for -- Expiration date (10 years by default if not specified) - -The control plane token is signed by a signing key that is autogenerated on the global control plane. The signing key is SHA256 encrypted. - -You can check for the signing key: - -``` -$ kumactl get global-secrets -``` - -which returns something like: - -``` -NAME AGE -control-plane-signing-key-0001 36m -``` - -## Set up tokens - -To generate the tokens you need and configure your clusters: - -- Generate a token for each zone control plane. -- Add the token to the configuration for each zone. -- Enable authentication on the global control plane. - -### Generate token for each zone - -On the global control plane, [authenticate](/mesh/latest/production/secure-deployment/certificates/#user-to-control-plane-communication) and run the following command: - -``` -$ kumactl generate control-plane-token --zone=west --valid-for=720h > /tmp/token -$ cat /tmp/token -``` - -The generated token looks like: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -For authentication to the global control plane on Kubernetes, you can port-forward port 5681 to access the API. 
- -### Add token to each zone configuration - -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-token-path` argument, where the value is the path to the file where the token is stored: - -``` -$ kumactl install control-plane \ - --mode=zone \ - --zone= \ - --cp-token-path=/tmp/token \ - --ingress-enabled \ - --kds-global-address grpcs://`` | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Create a secret with a token in the same namespace where {{site.mesh_product_name}} is installed: - -``` -$ kubectl create secret generic cp-token -n kong-mesh-system --from-file=/tmp/token -``` - -Add the following to `Values.yaml`: -```yaml -kuma: - controlPlane: - secrets: - - Env: "KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE" - Secret: "cp-token" - Key: "token" -``` - - -{% endnavtab %} -{% navtab Universal %} - -Either: - -- Set the token as an inline value in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable: - -```sh -$ KUMA_MODE=zone \ - KUMA_MULTIZONE_ZONE_NAME= \ - KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ" \ - ./kuma-cp run -``` - -OR - -- Store the token in a file, then set the path to the file in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable. -```sh -$ KUMA_MODE=zone \ - KUMA_MULTIZONE_ZONE_NAME= \ - KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH="/tmp/token" \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -### Enable authentication on the global control plane - -If you are starting from scratch and not securing existing {{site.mesh_product_name}} deployment, you can do this as a first step. 
- -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-auth` argument with the value `cpToken`: - -```sh -$ kumactl install control-plane \ - --mode=global \ - --cp-auth=cpToken | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Add the following to `Values.yaml`: - -```yaml -kuma: - controlPlane: - envVars: - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE: cpToken -``` - -{% endnavtab %} -{% navtab Universal %} - -Set `KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE` to `cpToken`: - -```sh -$ KUMA_MODE=global \ - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE=cpToken \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -Verify the zone control plane is connected with authentication by looking at the global control plane logs: - -``` -2021-02-24T14:30:38.596+0100 INFO kds.auth Zone CP successfully authenticated using Control Plane Token {"tokenSerialNumber": 1, "zone": "cluster-2"} -``` - -## Revoke token - -{{site.mesh_product_name}} does not keep a list of issued tokens. Whenever a single token is compromised, you can add it to revocation list so the token is no longer valid. - -Every token has its own ID, which is available in the payload under the `jti` key. You can extract an ID from the token using jwt.io or the [`jwt-cli`](https://www.npmjs.com/package/jwt-cli) tool. 
Here is an example of a `jti` key: -``` -0e120ec9-6b42-495d-9758-07b59fe86fb9 -``` - -Specify a list of revoked IDs separated by commas (`,`) and store it as a `GlobalSecret` object named `control-plane-token-revocations`: - -{% navtabs %} -{% navtab Kubernetes %} -```sh -REVOCATIONS=$(echo '0e120ec9-6b42-495d-9758-07b59fe86fb9' | base64) && echo "apiVersion: v1 -kind: Secret -metadata: - name: control-plane-token-revocations - namespace: kuma-system -data: - value: $REVOCATIONS -type: system.kuma.io/global-secret" | kubectl apply -f - -``` -{% endnavtab %} -{% navtab Universal %} -```sh -echo " -type: GlobalSecret -name: control-plane-token-revocations -data: {{ revocations }}" | kumactl apply --var revocations=$(echo '0e120ec9-6b42-495d-9758-07b59fe86fb9' | base64) -f - -``` -{% endnavtab %} -{% endnavtabs %} - -## Rotate signing key - -If a signing key is compromised, you must rotate it and all the tokens. When the signing key is rotated, all tokens signed with the -key are no longer valid. You do not need to add the tokens manually to a revocation list. - -### Generate new signing key - -The signing key is stored as a `GlobalSecret` with a name that looks like `control-plane-signing-key-{serialNumber}`. - -Make sure to generate the new signing key with a serial number greater than the serial number of the current signing key. - - -{% navtabs %} -{% navtab Kubernetes %} - -Check what is the current highest serial number. - -```sh -$ kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/global-secret' -NAME TYPE DATA AGE -control-plane-signing-key-0001 system.kuma.io/global-secret 1 25m -``` - -In this case, the highest serial number is `0001`. 
Generate a new Signing Key with a serial number of `0002` - -```sh -$ TOKEN="$(kumactl generate signing-key)" && echo " -apiVersion: v1 -data: - value: $TOKEN -kind: Secret -metadata: - name: control-plane-signing-key-0002 - namespace: kong-mesh-system -type: system.kuma.io/global-secret -" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Universal %} - -Check what is the current highest serial number. - -```sh -$ kumactl get global-secrets -NAME AGE -control-plane-signing-key-0001 36m -``` - -In this case, the highest serial number is `0001`. Generate a new Signing Key with a serial number of `0002` - -```sh -echo " -type: GlobalSecret -name: control-plane-signing-key-0002 -data: {{ key }} -" | kumactl apply --var key=$(kumactl generate signing-key) -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -### Regenerate control plane tokens - -Create and add a new token for each zone control plane. These tokens are automatically created with the signing key that's assigned the highest serial number, so they're created with the new signing key. - -Make sure the new signing key is available; otherwise old and new tokens are created with the same signing key and can both provide authentication. - -### Remove the old signing key - -{% navtabs %} -{% navtab Kubernetes %} - -```sh -$ kubectl delete secret control-plane-signing-key-0001 -n kong-mesh-system -``` - -{% endnavtab %} -{% navtab Universal %} - -```sh -$ kumactl delete global-secret control-plane-signing-key-0001 -``` - -{% endnavtab %} -{% endnavtabs %} - -All new connections to the global control plane now require tokens signed with the new signing key. - -### Restart the global control plane - -Restart all instances of the global control plane. All connections are now authenticated with the new tokens. - -## Explore an example token - -You can decode the tokens to validate the signature or explore details. 
- -For example, run: -``` -$ kumactl generate control-plane-token --zone=west -``` - -which returns: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -Paste the token into the UI at jwt.io, or run - -``` -$ kumactl generate control-plane-token --zone=west | jwt -``` - -The result looks like: - -![JWT token decoded](/assets/images/docs/mesh/jwt-decoded.png) - -## Additional security - -By default, a connection from the zone control plane to the global control plane is secured with TLS. You should also configure the zone control plane to [verify the certificate authority (CA) of the global control plane](/mesh/latest/production/secure-deployment/certificates/#control-plane-to-control-plane-multizone){:target="_blank"}. diff --git a/app/mesh/1.5.x/features/opa.md b/app/mesh/1.5.x/features/opa.md deleted file mode 100644 index 374d4c656a2f..000000000000 --- a/app/mesh/1.5.x/features/opa.md +++ /dev/null 
@@ -1,639 +0,0 @@ ---- -title: Kong Mesh - OPA Policy Integration ---- - -## OPA policy plugin - -{{site.mesh_product_name}} integrates the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to provide access control for your services. - -The agent is included in the data plane proxy sidecar, instead of the more common deployment as a separate sidecar. - -When `OPAPolicy` is applied, the control plane configures: - -- the embedded policy agent, with the specified policy -- Envoy, to use [External Authorization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto) that points to the embedded policy agent - -## Usage - -To apply a policy with OPA: - -- Specify the group of data plane proxies to apply the policy to with the `selectors` property. -- Provide a policy with the `conf` property. Policies are defined in the [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/). -{:.note} -> **Note:** You cannot currently apply multiple OPA policies. This limitation will be addressed in the future. - -- Optionally provide custom configuration for the policy agent. - - -You must also specify the HTTP protocol in your mesh configuration: - -{% navtabs %} -{% navtab Kubernetes %} - -Add the HTTP protocol annotation to the Kubernetes Service configuration, with the general syntax `.service.kuma.io/protocol`. - -Example: - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: web - namespace: kong-mesh-example - annotations: - 8080.service.kuma.io/protocol: http # required for OPA support -spec: - selector: - app: web - ports: - - port: 8080 -``` - -{% endnavtab %} -{% navtab Universal %} - -Add the HTTP protocol tag to the `Dataplane` configuration. 
- -Example: - -```yaml -type: Dataplane -mesh: default -name: web -networking: - address: 192.168.0.1 - inbound: - - port: 80 - servicePort: 8080 - tags: - kuma.io/service: web - kuma.io/protocol: http # required for OPA support -``` - -{% endnavtab %} -{% endnavtabs %} - -For more information, see [the Kuma documentation about protocol support](https://kuma.io/docs/latest/policies/protocol-support-in-kuma/). - -### Inline - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": 
"secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% endnavtabs %} - -### With Secrets - -Encoding the policy in a [Secret](https://kuma.io/docs/1.5.x/security/secrets/) provides some security for policies that contain sensitive data. - -{% navtabs %} -{% navtab Kubernetes %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: opa-policy - namespace: kong-mesh-system - labels: - kuma.io/mesh: default - data: - value: 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 - type: system.kuma.io/secret - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% navtab Universal %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - type: Secret - name: sample-secret - mesh: default - data: 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 - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - type: OPAPolicy - mesh: default - name: opa-1 - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% endnavtabs %} - -## Configuration - -{{site.mesh_product_name}} defines a default configuration for OPA, but you can adjust the configuration to meet your environment's requirements. 
- -The following environment variables are available: - -| Variable | Type | What it configures | Default value {:width=25%:} | -| -------------------------- | --------- | --------------------------------------| ------------------- | -| KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` | -| KMESH_OPA_CONFIG_PATH | string | Path to file of initial config | N/A | -| KMESH_OPA_DIAGNOSTIC_ADDR | string | Address of OPA diagnostics server | `0.0.0.0:8282` | -| KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true | -| KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` | -| KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | [plugins.envoy_ext_authz_grpc. query=data.envoy.authz.allow] | - -{% navtabs %} -{% navtab Kubernetes %} - -You can customize the agent in either of the following ways: - -- Override variables in the data plane proxy config: -{% navtabs %} -{% navtab kumactl %} - -When you deploy the Mesh control plane, edit the `kong-mesh-control-plane-config` ConfigMap: - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kong-mesh-control-plane-config - namespace: kong-mesh-system -data: - config.yaml: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% navtab Helm %} - -Override the Helm value in `values.yaml` - -```yaml -kuma: - controlPlane: - config: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% endnavtabs %} -{% endnavtab %} -{% navtab Universal %} - -The `run` command on the data plane proxy accepts the following equivalent parameters if you prefer not to set environment variables: - - -``` ---opa-addr 
---opa-config-path ---opa-diagnostic-addr ---opa-enabled ---opa-ext-authz-addr ---opa-set strings -``` - -{% endnavtab %} -{% endnavtabs %} - -- Override the config for individual data plane proxies by placing the appropriate annotations on the Pod: - -``` -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example-app - namespace: kuma-example -spec: - ... - template: - metadata: - ... - annotations: - # indicate to Kuma that this Pod doesn't need a sidecar - kuma.io/sidecar-env-vars: "KMESH_OPA_ENABLED=false;KMESH_OPA_ADDR=:8888;KMESH_OPA_CONFIG_OVERRIDES=config1:x,config2:y" -``` - -## Configuring the authorization filter - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny' defines the behaviour when communication with the agent fails or the policy execution fails. - requestBody: # optional - maxSize: 1024 # the max number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - secret: opa-policy -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. http statusCode to use when the connection to the agent failed. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny'. defines the behaviour when communication with the agent fails or the policy execution fails. 
- requestBody: # optional - maxSize: 1024 # the maximum number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - secret: opa-policy -``` - -{% endnavtab %} -{% endnavtabs %} - -By default, the body will not be sent to the agent. -To send it, set `authConfig.requestBody.maxSize` to the maximum size of your body. -If the request body is larger than this parameter, it will be truncated and the header `x-envoy-auth-partial-body` will be set to `true`. - -## Support for external API management servers - -The `agentConfig` field lets you define a custom configuration that points to an external management server: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: - inlineString: | - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: - inlineString: | # one of: inlineString, secret - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% endnavtabs %} - -## Example - -The following example shows how to deploy and test a sample OPA Policy 
on Kubernetes, using the kuma-demo application. - -1. Deploy the example application: - - ``` - kubectl apply -f https://bit.ly/demokuma - ``` - -1. Make a request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 1717af9c-2587-43b9-897f-f8061bba5ad4 - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 15:33:18 GMT - < x-envoy-upstream-service-time: 1521 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - -1. 
Apply an OPA Policy that requires a valid JWT token: - - ``` - echo " - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - inlineString: | - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {\"valid\": valid, \"payload\": payload} { - [_, encoded] := split(http_request.headers.authorization, \" \") - [valid, _, payload] := io.jwt.decode_verify(encoded, {\"secret\": \"secret\"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == \"GET\" - token.payload.role == \"admin\" - } - " | kubectl apply -f - - ``` - -1. Make an invalid request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-bwvnb -n kuma-demo' to see all of the containers in this pod. - * Trying 10.105.146.164:3001... - * TCP_NODELAY set - * Connected to backend (10.105.146.164) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < date: Tue, 09 Mar 2021 16:50:40 GMT - < server: envoy - < x-envoy-upstream-service-time: 2 - < content-length: 0 - < - * Connection #0 to host backend left intact - ``` - - Note the `HTTP/1.1 403 Forbidden` message. The application doesn't allow a request without a valid token. - - The policy can take up to 30 seconds to propagate, so if this request succeeds the first time, wait and then try again. - -1. 
Make a valid request from the frontend to the backend: - - ``` - $ export ADMIN_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJzdWIiOiJZbTlpIiwibmJmIjoxNTE0ODUxMTM5LCJleHAiOjI1MjQ2MDgwMDB9.H0-42LYzoWyQ_4MXAcED30u6lA5JE087eECV2nxDfXo" - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl -H "Authorization: Bearer $ADMIN_TOKEN" backend:3001 - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 8fd7b398-1ba2-4c2e-b229-5159d04d782e - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 17:26:00 GMT - < x-envoy-upstream-service-time: 261 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - - The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired. diff --git a/app/mesh/1.5.x/features/rbac.md b/app/mesh/1.5.x/features/rbac.md deleted file mode 100644 index 0f79cc1db257..000000000000 --- a/app/mesh/1.5.x/features/rbac.md +++ /dev/null 
@@ -1,674 +0,0 @@ ---- -title: Role-Based Access Control ---- - -Role-Based Access Control (RBAC) lets you restrict access to resources and actions to specified users or groups, based on user roles. - -## How it works - -{{site.mesh_product_name}} provides two resources to implement RBAC: - -- `AccessRole` specifies kinds of access and resources to which access is granted. Note that access is defined only for write operations. Read access is available to all users. -- `AccessRoleBinding` lists users and the access roles that are assigned to them. - -### AccessRole - -AccessRole defines a role that is assigned separately to users. -It is global-scoped, which means it is not bound to a mesh. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: role-1 -rules: -- types: ["TrafficPermission", "TrafficRoute", "Mesh"] # list of types to which access is granted. If empty, then access is granted to all types - names: ["res-1"] # list of allowed names of types to which access is granted. If empty, then access is granted to resources regardless of the name. - mesh: default # Mesh within which the access to resources is granted. It can only be used with the Mesh-scoped resources. - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN"] # an action that is bound to a type. - when: # a set of qualifiers to receive an access. Only one of them needs to be fulfilled to receive an access - - sources: # a condition on sources section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all sources are allowed - match: - kuma.io/service: web - destinations: # a condition on destinations section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all destinations are allowed - match: - kuma.io/service: backend - - selectors: # a condition on selectors section in dataplane policies (like TrafficTrace or ProxyTemplate). 
- match: - kuma.io/service: web - - dpToken: # a condition on generate dataplane token. - tags: - - name: kuma.io/service - value: web -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: role-1 -spec: - rules: - - types: ["TrafficPermission", "TrafficRoute", "Mesh"] # list of types to which access is granted. If empty, then access is granted to all types - names: ["res-1"] # list of allowed names of types to which access is granted. If empty, then access is granted to resources regardless of the name. - mesh: default # Mesh within which the access to resources is granted. It can only be used with the Mesh-scoped resources. - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN"] # an action that is bound to a type. - when: # a set of qualifiers to receive an access. Only one of them needs to be fulfilled to receive an access - - sources: # a condition on sources section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all sources are allowed - match: - kuma.io/service: web - destinations: # a condition on destinations section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all destinations are allowed - match: - kuma.io/service: backend - - selectors: # a condition on selectors section in dataplane policies (like TrafficTrace or ProxyTemplate). - match: - kuma.io/service: web - - dpToken: # a condition on generate dataplane token. - tags: - - name: kuma.io/service - value: web -``` -{% endnavtab %} -{% endnavtabs %} - -### AccessRoleBinding - -AccessRoleBinding assigns a set of AccessRoles to a set of subjects (users and groups). -It is global-scoped, which means it is not bound to a mesh. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRoleBinding -name: binding-1 -subjects: # a list of subjects that will be assigned roles -- type: User # type of the subject. 
Available values: ("User", "Group") - name: john.doe@example.com # name of the subject. -- type: Group - name: team-a -roles: # a list of roles that will be assigned to the list of subjects. -- role-1 -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRoleBinding -metadata: - name: binding-1 -spec: - subjects: # a list of subjects that will be assigned roles - - type: User # type of the subject. Available values: ("User", "Group") - name: john.doe@example.com # name of the subject. - - type: Group - name: team-a - roles: # a list of roles that will be assigned to the list of subjects. - - role-1 -``` -{% endnavtab %} -{% endnavtabs %} - -## Example roles - -Let's go through example roles in the organization that can be created using {{site.mesh_product_name}} RBAC. - -### {{site.mesh_product_name}} operator (admin) - -Mesh operator is a part of infrastructure team responsible for {{site.mesh_product_name}} deployment. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: admin -rules: -- access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN"] -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: admin -spec: - rules: - - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN"] -``` -{% endnavtab %} -{% endnavtabs %} - -This way {{site.mesh_product_name}} operators can execute any action. - -_Note: this role is created on the start of the control plane._ - -### Service owner - -Service owner is a part of team responsible for given service. Let's take a `backend` service as an example. 
- -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: backend-owner -rules: -- mesh: default - types: ["TrafficPermission", "RateLimit"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - destinations: - match: - kuma.io/service: backend -- mesh: default - types: ["TrafficRoute", "HealthCheck", "CircuitBreaker", "FaultInjection", "Retry", "Timeout", "TrafficLog"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - sources: - match: - kuma.io/service: backend - - destinations: - match: - kuma.io/service: backend -- mesh: default - types: ["TrafficTrace", "ProxyTemplate"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - selectors: - match: - kuma.io/service: backend -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: backend-owner -spec: - rules: - - mesh: default - types: ["TrafficPermission", "RateLimit"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - destinations: - match: - kuma.io/service: backend - - mesh: default - types: ["TrafficRoute", "HealthCheck", "CircuitBreaker", "FaultInjection", "Retry", "Timeout", "TrafficLog"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - sources: - match: - kuma.io/service: backend - - destinations: - match: - kuma.io/service: backend - - mesh: default - types: ["TrafficTrace", "ProxyTemplate"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - selectors: - match: - kuma.io/service: backend -``` -{% endnavtab %} -{% endnavtabs %} - -This way a service owners can: -* Modify `RateLimit` and `TrafficPermission` that allows/restrict access to the backend service. - This changes the configuration of data plane proxy that implements `backend` service. -* Modify connection policies (`TrafficRoute`, `HealthCheck`, `CircuitBreaker`, `FaultInjection`, `Retry`, `Timeout`, `RateLimit`, `TrafficLog`) - that matches backend service that connects to other services. 
This changes the configuration of data plane proxy that implements `backend` service. -* Modify connection policies that matches any service that consumes backend service. - This changes the configuration of data plane proxies that are connecting to backend, but the configuration only affects connections to backend service. - It's useful because the service owner of backend has the best knowledge what (Timeouts, HealthCheck) should be applied when communicating with their service. -* Modify `TrafficTrace` or `ProxyTemplate` that matches backend service. This changes the configuration of data plane proxy that implements `backend` service. - -### Observability operator - -We may also have an infrastructure team which is responsible for the logging/metrics/tracing systems in the organization. -Currently, those features are configured on `Mesh`, `TrafficLog` and `TrafficTrace` objects. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: observability-operator -rules: -- mesh: '*' - types: ["TrafficLog", "TrafficTrace"] - access: ["CREATE", "DELETE", "UPDATE"] -- types: ["Mesh"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: observability-operator -spec: - rules: - - mesh: '*' - types: ["TrafficLog", "TrafficTrace"] - access: ["CREATE", "DELETE", "UPDATE"] - - types: ["Mesh"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endnavtab %} -{% endnavtabs %} - -This way an observability operator can: -* Modify `TrafficLog` and `TrafficTrace` in any mesh -* Modify any `Mesh` - -### Single Mesh operator - -{{site.mesh_product_name}} lets us segment the deployment into many logical Service Meshes configured by Mesh object. -We may want to give an access to one specific Mesh and all objects connected with this Mesh. 
- -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: demo-mesh-operator -rules: -- mesh: demo - access: ["CREATE", "DELETE", "UPDATE"] -- types: ["Mesh"] - names: ["demo"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: demo-mesh-operator -spec: - rules: - - mesh: demo - access: ["CREATE", "DELETE", "UPDATE"] - - types: ["Mesh"] - names: ["demo"] - access: ["CREATE", "DELETE", "UPDATE"] - -``` -{% endnavtab %} -{% endnavtabs %} - -This way all observability operator can: -* Modify all resources in the demo mesh -* Modify `demo` Mesh object. - -## Kubernetes - -Kubernetes provides their own RBAC system, but it's not sufficient to cover use cases for several reasons: -* You cannot restrict an access to resources of specific Mesh -* You cannot restrict an access based on the content of the policy - -{{site.mesh_product_name}} RBAC works on top of Kubernetes RBAC. -For example, to restrict the access for a user to modify TrafficPermission for backend service, they need to be able to create TrafficPermission in the first place. - -The `subjects` in `AccessRoleBinding` are compatible with Kubernetes users and groups. -{{site.mesh_product_name}} RBAC on Kubernetes is implemented using Kubernetes Webhook when applying resources. This means you can only use Kubernetes users and groups for `CREATE`, `DELETE` and `UPDATE` access. -`GENERATE_DATAPLANE_TOKEN`, `GENERATE_USER_TOKEN`, `GENERATE_ZONE_CP_TOKEN` are used when interacting with {{site.mesh_product_name}} API Server, in this case you need to use the user token. - -## Default - -{{site.mesh_product_name}} creates an `admin` AccessRole that allows every action. - -In a standalone deployment, the `default` AccessRoleBinding assigns this role to every authenticated and unauthenticated user. 
- -In a multi-zone deployment, the `default` AccessRoleBinding on the global control plane assigns this role to every authenticated and unauthenticated user. -However, on the zone control plane, the `default` AccessRoleBinding is restricted to the `admin` AccessRole only. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: admin -rules: -- access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN"] ---- -type: AccessRoleBinding -name: default -subjects: -- type: Group - name: mesh-system:authenticated -- type: Group - name: mesh-system:unauthenticated -roles: -- admin -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: admin -spec: - rules: - - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN"] ---- -apiVersion: kuma.io/v1alpha1 -kind: AccessRoleBinding -metadata: - name: default -spec: - subjects: - - type: Group - name: mesh-system:authenticated - - type: Group - name: mesh-system:unauthenticated - - type: Group - name: system:authenticated - - type: Group - name: system:unauthenticated - roles: - - admin -``` -{% endnavtab %} -{% endnavtabs %} - -To restrict access to `admin` only, change the default AccessRole policy: - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRoleBinding -name: default -subjects: -- type: Group - name: mesh-system:admin -roles: -- admin -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRoleBinding -metadata: - name: default -spec: - subjects: - - type: Group - name: mesh-system:admin - - type: Group - name: system:masters - - type: Group - name: system:serviceaccounts:kube-system - roles: - - admin -``` -`system:serviceaccounts:kube-system` is required for Kubernetes controllers to manage Kuma resources -- for example, to remove Dataplane objects when a namespace 
is removed. -{% endnavtab %} -{% endnavtabs %} - -## Example - -Here are the steps to create a new user and restrict the access only to TrafficPermission for backend service. - -{% navtabs %} -{% navtab Universal %} - -**NOTE** By default, all requests that originates from localhost are authenticated as user `admin` belonging to group `mesh-system:admin`. -In order for this example to work you must either run the control plane with `KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN` set to `false` or be accessing the control plane not via localhost. - -1. Extract admin token and configure kumactl with admin - - ```sh - $ export ADMIN_TOKEN=$(curl http://localhost:5681/global-secrets/admin-user-token | jq -r .data | base64 -d) - $ kumactl config control-planes add \ - --name=cp-admin \ - --address=https://localhost:5682 \ - --skip-verify=true \ - --auth-type=tokens \ - --auth-conf token=$ADMIN_TOKEN - ``` - -1. Configure backend-owner - - ```sh - $ export BACKEND_OWNER_TOKEN=$(kumactl generate user-token --valid-for=24h --name backend-owner) - $ kumactl config control-planes add \ - --name=cp-backend-owner \ - --address=https://localhost:5682 \ - --skip-verify=true \ - --auth-type=tokens \ - --auth-conf token=$BACKEND_OWNER_TOKEN - $ kumactl config control-planes switch --name cp-admin # switch back to admin - ``` - -1. Change default {{site.mesh_product_name}} RBAC to restrict access to resources by default - - ```sh - $ echo "type: AccessRoleBinding - name: default - subjects: - - type: Group - name: mesh-system:admin - roles: - - admin" | kumactl apply -f - - ``` - -1. 
Create {{site.mesh_product_name}} RBAC to restrict backend-owner to only modify TrafficPermission for backend - - ```sh - $ echo ' - type: AccessRole - name: backend-owner - rules: - - types: ["TrafficPermission"] - mesh: default - access: ["CREATE", "UPDATE", "DELETE"] - when: - - destinations: - match: - kuma.io/service: backend - ' | kumactl apply -f - - $ echo ' - type: AccessRoleBinding - name: backend-owners - subjects: - - type: User - name: backend-owner - roles: - - backend-owner' | kumactl apply -f - - ``` - -1. Change the user and test RBAC - - ```sh - $ kumactl config control-planes switch --name cp-backend-owner - $ echo " - type: TrafficPermission - mesh: default - name: web-to-backend - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: backend - " | kumactl apply -f - - # this operation should succeed - - $ echo " - type: TrafficPermission - mesh: default - name: web-to-backend - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: other - " | kumactl apply -f - - Error: Access Denied (user "backend-owner/mesh-system:authenticated" cannot access the resource) - ``` - -{% endnavtab %} -{% navtab Kubernetes %} - -1. 
Create a backend-owner Kubernetes user and configure kubectl - - ```sh - $ mkdir -p /tmp/k8s-certs - $ cd /tmp/k8s-certs - $ openssl genrsa -out backend-owner.key 2048 # generate client key - $ openssl req -new -key backend-owner.key -subj "/CN=backend-owner" -out backend-owner.csr # generate client certificate request - $ CSR=$(cat backend-owner.csr | base64 | tr -d "\n") && echo "apiVersion: certificates.k8s.io/v1 - kind: CertificateSigningRequest - metadata: - name: backend-owner - spec: - request: $CSR - signerName: kubernetes.io/kube-apiserver-client - usages: - - client auth" | kubectl apply -f - - $ kubectl certificate approve backend-owner - $ kubectl get csr backend-owner -o jsonpath='{.status.certificate}'| base64 -d > backend-owner.crt - $ kubectl config set-credentials backend-owner \ - --client-key=/tmp/k8s-certs/backend-owner.key \ - --client-certificate=/tmp/k8s-certs/backend-owner.crt \ - --embed-certs=true - $ kubectl config set-context backend-owner --cluster=YOUR_CLUSTER_NAME --user=backend-owner - ``` - -1. Create Kubernetes RBAC to allow backend-owner to manage all TrafficPermission - - ```sh - $ echo " - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: kuma-policy-management - rules: - - apiGroups: - - kuma.io - resources: - - trafficpermissions - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: kuma-policy-management-backend-owner - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kuma-policy-management - subjects: - - kind: User - name: backend-owner - apiGroup: rbac.authorization.k8s.io - " | kubectl apply -f - - ``` - -1. 
Change default {{site.mesh_product_name}} RBAC to restrict access to resources by default - - ```sh - $ echo " - apiVersion: kuma.io/v1alpha1 - kind: AccessRoleBinding - metadata: - name: default - spec: - subjects: - - type: Group - name: mesh-system:admin - - type: Group - name: system:masters - roles: - - admin - " | kubectl apply -f - - ``` - -1. Create an AccessRole to grant permissions to user `backend-owner` to modify TrafficPermission only for the backend service: - - ```sh - $ echo " - --- - apiVersion: kuma.io/v1alpha1 - kind: AccessRole - metadata: - name: backend-owner - spec: - rules: - - types: ["TrafficPermission"] - mesh: default - access: ["CREATE", "UPDATE", "DELETE"] - when: - - destinations: - match: - kuma.io/service: backend - --- - apiVersion: kuma.io/v1alpha1 - kind: AccessRoleBinding - metadata: - name: backend-owners - spec: - subjects: - - type: User - name: backend-owner - roles: - - backend-owner - " | kubectl apply -f - - ``` - -1. Change the service to test user access: - - ```sh - $ kubectl config use-context backend-owner - $ echo " - apiVersion: kuma.io/v1alpha1 - kind: TrafficPermission - mesh: default - metadata: - name: web-to-backend - spec: - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: backend - " | kubectl apply -f - - # operation should succeed, access to backend service access is granted - - $ echo " - apiVersion: kuma.io/v1alpha1 - kind: TrafficPermission - mesh: default - metadata: - name: web-to-backend - spec: - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: not-backend # access to this service is not granted - " | kubectl apply -f - - # operation should not succeed - ``` -{% endnavtab %} -{% endnavtabs %} - -## Multi-zone - -In a multi-zone setup, `AccessRole` and `AccessRoleBinding` are not synchronized between the global control plane and the zone control plane. 
diff --git a/app/mesh/1.5.x/features/vault.md b/app/mesh/1.5.x/features/vault.md
deleted file mode 100644
index 6820828e33ca..000000000000
--- a/app/mesh/1.5.x/features/vault.md
+++ /dev/null
@@ -1,286 +0,0 @@ ---- -title: Kong Mesh - Vault Policy ---- - -## Vault CA Backend - -The default [mTLS policy in Kuma](https://kuma.io/docs/latest/policies/mutual-tls/) -supports the following backends: - -* `builtin`: {{site.mesh_product_name}} automatically generates the Certificate -Authority (CA) root certificate and key that will be used to generate the data -plane certificates. -* `provided`: the CA root certificate and key can be provided by the user. - -{{site.mesh_product_name}} adds: - -* `vault`: {{site.mesh_product_name}} generates data plane certificates -using a CA root certificate and key stored in a HashiCorp Vault -server. - -## Vault mode - -In `vault` mTLS mode, {{site.mesh_product_name}} communicates with the HashiCorp Vault PKI, -which generates the data plane proxy certificates automatically. -{{site.mesh_product_name}} does not retrieve private key of the CA to generate data plane proxy certificates, -which means that private key of the CA is secured by Vault and not exposed to third parties. - -In `vault` mode, you point {{site.mesh_product_name}} to the -Vault server and provide the appropriate credentials. {{site.mesh_product_name}} -uses these parameters to authenticate the control plane and generate the -data plane certificates. - -When {{site.mesh_product_name}} is running in `vault` mode, the backend communicates with Vault and ensures -that Vault's PKI automatically issues data plane certificates and rotates them for -each proxy. - -If {{site.mesh_product_name}} is configured to authenticate to Vault using a renewable token, -it will handle keeping the token renewed. - -### Configure Vault - -The `vault` mTLS backend expects a configured PKI and role for generating data plane proxy certificates. - -The following steps show how to configure Vault for {{site.mesh_product_name}} with a mesh named -`default`. For your environment, replace `default` with the appropriate mesh name. - -#### Step 1. 
Configure the Certificate Authority - -{{site.mesh_product_name}} works with a Root CA or an Intermediate CA. - -{% navtabs %} -{% navtab Root CA %} - -Create a new PKI for the `default` Mesh called `kmesh-pki-default`: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate a new Root Certificate Authority for the `default` Mesh: - -```sh -vault secrets tune -max-lease-ttl=87600h kmesh-pki-default -``` - -```sh -vault write -field=certificate kmesh-pki-default/root/generate/internal \ - common_name="{{site.mesh_product_name}} Default" \ - uri_sans="spiffe://default" \ - ttl=87600h -``` - -{% endnavtab %} -{% navtab Intermediate CA %} - -Create a new Root Certificate Authority and save it to a file called `ca.pem`: - -```sh -vault secrets enable pki -``` - -```sh -vault secrets tune -max-lease-ttl=87600h pki -``` - -```sh -vault write -field=certificate pki/root/generate/internal \ - common_name="Organization CA" \ - ttl=87600h > ca.pem -``` - -You can also use your current Root CA, retrieve the PEM-encoded certificate, and save it to `ca.pem`. - -Create a new PKI for the `default` Mesh: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate the Intermediate CA for the `default` Mesh: - -```sh -vault write -format=json kmesh-pki-default/intermediate/generate/internal \ - common_name="{{site.mesh_product_name}} Mesh Default" \ - uri_sans="spiffe://default" \ - | jq -r '.data.csr' > pki_intermediate.csr -``` - -Sign the Intermediate CA with the Root CA. Make sure to pass the right path for the PKI that has the Root CA. -In this example, the path value is `pki`: - -```sh -vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \ - format=pem_bundle \ - ttl="43800h" \ - | jq -r '.data.certificate' > intermediate.cert.pem -``` - -Set the certificate of signed Intermediate CA to the `default` Mesh PKI. 
You must include the public certificate of the Root CA -so that data plane proxies can verify the certificates: - -```sh -cat intermediate.cert.pem > bundle.pem -echo "" >> bundle.pem -cat ca.pem >> bundle.pem -vault write kmesh-pki-default/intermediate/set-signed certificate=@bundle.pem -``` - -{% endnavtab %} -{% endnavtabs %} - -#### Step 2. Create a role for generating data plane proxy certificates: - -```sh -vault write kmesh-pki-default/roles/dataplane-proxies \ - allowed_uri_sans="spiffe://default/*,kuma://*" \ - key_usage="KeyUsageKeyEncipherment,KeyUsageKeyAgreement,KeyUsageDigitalSignature" \ - ext_key_usage="ExtKeyUsageServerAuth,ExtKeyUsageClientAuth" \ - client_flag=true \ - require_cn=false \ - allowed_domains="mesh" \ - allow_subdomains=true \ - basic_constraints_valid_for_non_ca=true \ - max_ttl="720h" \ - ttl="720h" -``` - -{:.note} -> **Note:** Use the `allowed_domains` and `allow_subdomains` parameters -**only** when `commonName` is set in the mTLS Vault backend. - -#### Step 3. Create a policy to use the new role: - -```sh -cat > kmesh-default-dataplane-proxies.hcl <<- EOM -path "/kmesh-pki-default/issue/dataplane-proxies" -{ - capabilities = ["create", "update"] -} -EOM -vault policy write kmesh-default-dataplane-proxies kmesh-default-dataplane-proxies.hcl -``` - -#### Step 4. Create a Vault token: - -```sh -vault token create -format=json -policy="kmesh-default-dataplane-proxies" | jq -r ".auth.client_token" -``` - -The output should print a Vault token that you then provide as the `conf.fromCp.auth.token` value of the `Mesh` object. - -{:.note} -> **Note:** There are some failure modes where the `vault` CLI still returns a token -even though an error was encountered and the token is invalid. For example, if the -policy creation fails in the previous step, then the `vault token create` command -both returns a token and exposes an error. 
In such situations, using `jq` to parse -the output hides the error message provided in the `vault` CLI output. Manually -parse the output instead of using `jq` so that the full output of the `vault` CLI -command is available. - -### Configure Mesh - -`kuma-cp` communicates directly with Vault. To connect to -Vault, you must provide credentials in the configuration of the `mesh` object of `kuma-cp`. - -You can authenticate with the `token` or with client certificates by providing `clientKey` and `clientCert`. - -You can provide these values inline for testing purposes only, as a path to a file on the -same host as `kuma-cp`, or contained in a `secret`. When using a `secret`, it should be a mesh-scoped -secret (see [the Kuma Secrets documentation](https://kuma.io/docs/1.5.x/security/secrets/) for details -on mesh-scoped secrets versus global secrets). On Kubernetes, this mesh-scoped secret should be stored -in the system namespace (`kong-mesh-system` by default) and should be configured as `type: system.kuma.io/secret`. - -Here's an example of a configuration with a `vault`-backed CA: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 1d # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - pki: kmesh-pki-default # name of the configured PKI - role: dataplane-proxies # name of the role that will be used to generate data plane proxy certificates - commonName: {% raw %}'{{ tag "kuma.io/service" }}.mesh'{% endraw %} # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. 
- - tls: # options for connecting to Vault via TLS - skipVerify: false # if set to true, caCert is optional, should only be used in development - caCert: # caCert is used to verify the TLS certificate presented by Vault - secret: sec-1 # one of secret, inline, or inlineString - serverName: "" # optional. The SNI to use when connecting to Vault - - auth: # how to authenticate Kong Mesh when connecting to Vault - token: - secret: token-1 # one of secret, inline, or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inline - clientCert: - file: /tmp/cert.pem # can be file, secret or inlineString -``` - -Apply the configuration with `kubectl apply -f [..]`. - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: Mesh -name: default -mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 24h # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - pki: kmesh-pki-default # name of the configured PKI - role: dataplane-proxies # name of the role that will be used to generate data plane proxy certificates - commonName: {% raw %}'{{ tag "kuma.io/service" }}.mesh'{% endraw %} # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inlineString - clientCert: - file: /tmp/cert.pem # can be file, secret or inline -``` - -Apply the configuration with `kumactl apply -f [..]`, or with the [HTTP API](https://kuma.io/docs/latest/reference/http-api). 
- -{% endnavtab %} -{% endnavtabs %} - -## Multi-zone and Vault - -In a multi-zone environment, the global control plane provides the `Mesh` to the zone control planes. However, you must make sure that each zone control plane communicates with Vault over the same address. This is because certificates for data plane proxies are issued from the zone control plane, not from the global control plane. - -You must also make sure the global control plane communicates with Vault. When a new Vault backend is configured, {{site.mesh_product_name}} validates the connection by issuing a test certificate. In a multi-zone environment, validation is performed on the global control plane. diff --git a/app/mesh/1.5.x/gettingstarted.md b/app/mesh/1.5.x/gettingstarted.md deleted file mode 100644 index b12da3459ad3..000000000000 --- a/app/mesh/1.5.x/gettingstarted.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Getting Started with Kong Mesh ---- - -## Getting Started - -{{site.mesh_product_name}} — built on top of CNCF's Kuma and Envoy — - tries to be as close as possible to the usage of Kuma itself, while providing - drop-in binary replacements for both the control plane and data plane - executables. - -You can download the {{site.mesh_product_name}} binaries from the -[official installation page](/mesh/{{page.release}}/install), then follow -[Kuma's official documentation](https://kuma.io/docs){:target="_blank"} to start using the product. - -{:.note} -Kuma, a donated CNCF project, was originally created by Kong, which is -currently maintaining both the project and the documentation. - -## 1. Installing {{site.mesh_product_name}} - -Download and install {{site.mesh_product_name}} from the -[official installation page](/mesh/{{page.release}}/install). - -## 2. Getting Started - -After you install, follow the Kuma getting started guide to get -{{site.mesh_product_name}} up and running: - -* [Getting started with Kubernetes](https://kuma.io/docs/latest/quickstart/kubernetes/){:target="_blank"} -* [Getting started with Universal](https://kuma.io/docs/latest/quickstart/universal/){:target="_blank"} - -## 3. Learn more - -* Read the [Kuma documentation](https://kuma.io/docs/){:target="_blank"} -* Learn about enterprise features: - * [Support for HashiCorp Vault CA](/mesh/{{page.release}}/features/vault/) - * [Support for Open Policy Agent](/mesh/{{page.release}}/features/opa/) - * [Multi-zone authentication](/mesh/{{page.release}}/features/kds-auth/) - * [Support for FIPS](/mesh/{{page.release}}/features/fips-support/) - * [Certificate Authority rotation](/mesh/{{page.release}}/features/ca-rotation/) - -If you are a {{site.mesh_product_name}} customer, you can also open a support -ticket with any question or feedback you may have. 
diff --git a/app/mesh/1.5.x/index.md b/app/mesh/1.5.x/index.md deleted file mode 100644 index 8591f64c0b65..000000000000 --- a/app/mesh/1.5.x/index.md +++ /dev/null @@ -1,144 +0,0 @@ ---- -title: Kong Mesh -subtitle: A modern control plane built on top of Envoy and focused on simplicity, security, and scalability ---- - -{:.note} -> **Demo**: To see {{site.mesh_product_name}} in action, you can -[request a demo](https://konghq.com/request-demo-kong-mesh/) and -we will get in touch with you. - -Welcome to the official documentation for {{site.mesh_product_name}}! - -{{site.mesh_product_name}} is an enterprise-grade service mesh that runs on -both Kubernetes and VMs on any cloud. Built on top of CNCF's -[Kuma](https://kuma.io) and Envoy and focused on simplicity, -{{site.mesh_product_name}} enables the microservices transformation with: -* Out-of-the-box service connectivity and discovery -* Zero-trust security -* Traffic reliability -* Global observability across all traffic, including cross-cluster deployments - -{{site.mesh_product_name}} extends Kuma and Envoy with enterprise features and -support, while providing native integration with -[{{site.ee_product_name}}](https://konghq.com/products/api-gateway-platform) for a -full-stack connectivity platform for all of your services and APIs, across -every cloud and environment. - -{:.note} -> Kuma itself was originally created by Kong and donated to CNCF to -provide the first neutral Envoy-based service mesh to the industry. Kong -still maintains and develops Kuma, which is the foundation for -{{site.mesh_product_name}}. - -
- -
- {{site.mesh_product_name}} extends CNCF's Kuma and Envoy to provide an - enterprise-grade service mesh with unique features in the service mesh - landscape, while still relying on a neutral foundation. -
-
-{{site.mesh_product_name}} provides a unique combination of strengths and -features in the service mesh ecosystem, specifically designed for the enterprise -architect, including: - -* **Universal** support for both Kubernetes and VM-based services. -* **Single and Multi Zone** deployments to support multi-cloud and multi-cluster - environments with global/remote control plane modes, automatic Ingress - connectivity, and service discovery. -* **Multi-Mesh** to create as many service meshes as we need, using one cluster - with low operational costs. -* **Easy to install and use** and turnkey, by abstracting away all the -complexity of running a service mesh with easy-to-use policies for managing -services and traffic. -* **Full-Stack Connectivity** by natively integrating with Kong and -{{site.ee_product_name}} for end-to-end connectivity that goes from the API -gateway to the service mesh. -* **Powered by Kuma and Envoy** to provide a modern and reliable CNCF -open source foundation for an enterprise service mesh. - -When used in combination with {{site.ee_product_name}}, {{site.mesh_product_name}} -provides a full stack connectivity platform for all of our L4-L7 connectivity, -for both edge and internal API traffic. - -
- -
- Two different applications - "Banking" and "Trading" - run in their - own meshes "A" and "B" across different data centers. In this example, - {{site.base_gateway}} is being used both for edge communication, and for internal - communication between meshes. -
- -## Why {{site.mesh_product_name}}? {#why-kong-mesh} - -Organizations are transitioning to distributed software architectures to -support and accelerate innovation, gain digital revenue, and reduce costs. -A successful transition to microservices requires many pieces to fall into -place: that services are connected reliably with minimal latency, -that they are protected with end-to-end security, that they are discoverable -and fully observable. However, this presents challenges due to the need to -write custom code for security and identity, a lack of granular telemetry, -and insufficient traffic management capabilities, especially as the number of -services grows. - -Leading organizations are looking to service meshes to address these challenges -in a scalable and standardized way. With a service mesh, you can: - -* **Ensure service connectivity, discovery, and traffic reliability**: Apply -out-of-box traffic management to intelligently route traffic across any -platform and any cloud to meet expectations and SLAs. -* **Achieve Zero-Trust Security**: Restrict access by default, encrypt all -traffic, and only complete transactions when identity is verified. -* **Gain Global Traffic Observability**: Gain a detailed understanding of your -service behavior to increase application reliability and the efficiency of -your teams. - -{{site.mesh_product_name}} is the universal service mesh for enterprise -organizations focused on simplicity and scalability with Kuma and Envoy. -Kong’s service mesh is unique in that it allows you to: - -* **Start, secure, and scale with ease**: - * Deploy a turnkey service mesh with a single command. - * Group services by attributes to efficiently apply policies. - * Manage multiple service meshes as tenants of a single control plane to - provide scale and reduce operational costs. -* **Run anywhere**: - * Deploy the service mesh across any environment, including multi-cluster, - multi-cloud, and multi-platform. 
- * Manage service meshes natively in Kubernetes using CRDs, or start with a - service mesh in a VM environment and migrate to Kubernetes at your own pace. -* **Connect services end-to-end**: - * Integrate into the {{site.ee_product_name}} platform for full stack connectivity, - including Ingress and Egress traffic for your service mesh. - * Expose mesh services for internal or external consumption and manage the - full lifecycle of APIs. - -Thanks to the underlying Kuma runtime, with {{site.mesh_product_name}}, you -can easily support multiple clusters, clouds, and architectures using the -multi-zone capability that ships out of the box. This — combined with -multi-mesh support — lets you create a service mesh powered by an Envoy proxy -for the entire organization in just a few steps. You can do this for both -simple and distributed deployments, including multi-cloud, multi-cluster, and -hybrid Kubernetes/VMs: - -
- -
- {{site.mesh_product_name}} can support multiple zones (like a Kubernetes - cluster, VPC, data center, etc.) together in the same distributed deployment. - Then, you can create multiple isolated virtual meshes with the same - control plane in order to support every team and application in the - organization. -
-
-[Learn more](/mesh/latest/production/deployment/) about the -standalone and multi-zone deployment modes in the Kuma documentation. - -## Support policy -Kong primarily follows a [semantic versioning](https://semver.org/) (SemVer) -model for its products. - -For the latest version support information for -{{site.mesh_product_name}}, see our [version support policy](/mesh/latest/support-policy/). diff --git a/app/mesh/1.5.x/install.md b/app/mesh/1.5.x/install.md deleted file mode 100644 index 279bce45b9cc..000000000000 --- a/app/mesh/1.5.x/install.md +++ /dev/null 
@@ -1,113 +0,0 @@ ---- -title: Install Kong Mesh -disable_image_expand: true ---- - -## Install {{site.mesh_product_name}} - -{{site.mesh_product_name}} is built on top of Kuma and Envoy. To create a -seamless experience, {{site.mesh_product_name}} follows the same installation -and configuration procedures as Kuma, but with {{site.mesh_product_name}}-specific binaries. - -On this page, you will find access to the official {{site.mesh_product_name}} -distributions that provide a drop-in replacement to Kuma's native binaries, plus -links to cloud marketplace integrations. - -**The latest {{site.mesh_product_name}} version is -{{page.kong_latest.version}}.** - -{% navtabs %} -{% navtab Containerized %} - - - -{% endnavtab %} -{% navtab Operating Systems %} - - - -{% endnavtab %} -{% endnavtabs %} - -## Licensing - -Your {{site.mesh_product_name}} license includes an expiration date and the number of data plane proxies you can deploy. If you deploy more proxies than your license allows, you receive a warning. - -You have a 30-day grace period after the license expires. Make sure to renew your license before the grace period ends. - -## Check version - -To confirm that you have installed the right version of -{{site.mesh_product_name}}, run the following commands and -make sure the version output starts with the `{{site.mesh_product_name}}` -prefix: - -```sh -$ kumactl version -{{site.mesh_product_name}} [VERSION NUMBER] - -$ kuma-cp version -{{site.mesh_product_name}} [VERSION NUMBER] - -$ kuma-dp version -{{site.mesh_product_name}} [VERSION NUMBER] -``` diff --git a/app/mesh/1.5.x/installation/amazonlinux.md b/app/mesh/1.5.x/installation/amazonlinux.md deleted file mode 100644 index a0ce434228dd..000000000000 --- a/app/mesh/1.5.x/installation/amazonlinux.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: Kong Mesh with Amazon Linux ---- - -{:.note} -> If you want to use {{site.mesh_product_name}} on Amazon EKS, follow the -[Kubernetes instructions](/mesh/{{page.release}}/installation/kubernetes/) -instead. - -To install and run {{site.mesh_product_name}} on Amazon Linux (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download the latest version of {{site.mesh_product_name}}: - -```sh -$ yum install -y tar gzip -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.5.x/installation/centos.md b/app/mesh/1.5.x/installation/centos.md deleted file mode 100644 index aa40af65efe0..000000000000 --- a/app/mesh/1.5.x/installation/centos.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Kong Mesh with CentOS ---- - -To install and run {{site.mesh_product_name}} on CentOS (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -{:.note} -> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant -build of Envoy. This build is only available on CentOS 8 and later. For any previous -versions, use [Docker](/mesh/{{page.release}}/installation/docker/). - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.5.x/installation/debian.md b/app/mesh/1.5.x/installation/debian.md deleted file mode 100644 index 9e204e1e4791..000000000000 --- a/app/mesh/1.5.x/installation/debian.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: Kong Mesh with Debian ---- - -To install and run {{site.mesh_product_name}} on Debian (**amd64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.5.x/installation/docker.md b/app/mesh/1.5.x/installation/docker.md deleted file mode 100644 index 473ccc7421f7..000000000000 --- a/app/mesh/1.5.x/installation/docker.md +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -title: Kong Mesh with Docker ---- - -To install and run {{site.mesh_product_name}} on Docker: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -The official Docker images are used by default in the -Kubernetes -distributions. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{{site.mesh_product_name}} provides the following Docker images for all of its -executables, hosted on Docker Hub: - -* **kuma-cp**: at [`kong/kuma-cp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-cp) -* **kuma-dp**: at [`kong/kuma-dp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-dp) -* **kumactl**: at [`kong/kumactl:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kumactl) -* **kuma-prometheus-sd**: at [`kong/kuma-prometheus-sd:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-prometheus-sd) - -`docker pull` each image that you need. For example: - -```sh -$ docker pull kong/kuma-cp:{{page.kong_latest.version}} -``` - -## 2. Run {{site.mesh_product_name}} - -Run the control plane with: - -```sh -$ docker run \ - -p 5681:5681 \ - -v /path/to/license.json:/license.json \ - -e "KMESH_LICENSE_PATH=/license.json" \ - kong/kuma-cp:{{page.kong_latest.version}} run -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the host that will be mounted as `/license.json` into the -container. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. 
- -This runs {{site.mesh_product_name}} with a [memory backend](https://kuma.io/docs/latest/explore/backends/), -but you can use a persistent storage like PostgreSQL by updating the `conf/kuma-cp.conf` file. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) is running, you can access the -control plane using either the GUI, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681/gui` to see -the GUI. - -{% endnavtab %} -{% navtab HTTP API (Read & Write) %} - -{{site.mesh_product_name}} ships with a **read and write** HTTP API that you can -use to perform operations on {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681` to see -the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read & Write) %} - -You can use the `kumactl` CLI to perform **read and write** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. For example: - -```sh -$ docker run \ - --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "type: Mesh - name: default - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | docker run -i --net="host" \ - kong/kumactl:{{page.kong_latest.version}} kumactl apply -f - -``` - -This runs `kumactl` from the Docker -container on the same network as the host, but most likely you want to download -a compatible version of {{site.mesh_product_name}} for the machine where you -will be executing the commands. 
- -See the individual installation pages for your OS to download and extract -`kumactl` to your machine: -* [CentOS](/mesh/{{page.release}}/installation/centos/) -* [Red Hat](/mesh/{{page.release}}/installation/redhat/) -* [Debian](/mesh/{{page.release}}/installation/debian/) -* [Ubuntu](/mesh/{{page.release}}/installation/ubuntu/) -* [macOS](/mesh/{{page.release}}/installation/macos/) - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Universal deployments](https://kuma.io/docs/latest/quickstart/universal/). -If you are entirely using Docker, you may also be interested in checking out the -[Kubernetes quickstart](https://kuma.io/docs/latest/quickstart/kubernetes/) as well. diff --git a/app/mesh/1.5.x/installation/helm.md b/app/mesh/1.5.x/installation/helm.md deleted file mode 100644 index 5238b7580b3a..000000000000 --- a/app/mesh/1.5.x/installation/helm.md +++ /dev/null 
@@ -1,175 +0,0 @@ ---- -title: Kong Mesh with Helm ---- - -To install and run {{site.mesh_product_name}} on Kubernetes using Helm: - -1. [Add the {{site.mesh_product_name}} Helm Repository](#1-add-the-kong-mesh-helm-repository) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Add the {{site.mesh_product_name}} Helm Repository - -To start using {{site.mesh_product_name}} with Helm charts, first add the -{{site.mesh_product_name}} charts repository to your local Helm deployment: - -```sh -$ helm repo add kong-mesh https://kong.github.io/kong-mesh-charts -``` - -Once the repo is added, any following updates can be fetched with -`helm repo update`. - -## 2. Run {{site.mesh_product_name}} - -Install and run {{site.mesh_product_name}} using the following commands. -You can use any Kubernetes namespace to install {{site.mesh_product_name}}, but as a default, we -suggest `kong-mesh-system`. - -1. Create the `kong-mesh-system` namespace: - - ```sh - $ kubectl create namespace kong-mesh-system - ``` - -2. Upload the license secret to the cluster: - - ```sh - $ kubectl create secret generic kong-mesh-license -n kong-mesh-system --from-file=/path/to/license.json - ``` - - Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} - license file on the file system. - - The filename should be license.json, unless otherwise specified in values.yaml. - -3. Deploy the {{site.mesh_product_name}} Helm chart. - - By default, the license option is disabled, so you need to enable it for the license to take effect. - The easiest option is to override each field on the CLI. 
The only - downside to this method is that you need to supply these values every time you run a - `helm upgrade`, otherwise they will be reverted back to what the chart's default values are - for those fields, i.e. disabled. - - ```sh - $ helm repo update - $ helm upgrade -i -n kong-mesh-system kong-mesh kong-mesh/kong-mesh \ - --set kuma.controlPlane.secrets[0].Env="KMESH_LICENSE_INLINE" \ - --set kuma.controlPlane.secrets[0].Secret="kong-mesh-license" \ - --set kuma.controlPlane.secrets[0].Key="license.json" - ``` - - This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ - deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) - like _multi-zone_. - -## 3. Verify the Installation - -Now that {{site.mesh_product_name}} (`kuma-cp`) has been installed in the newly -created `kong-mesh-system` namespace, you can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. 
For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -You will notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. 
- -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.5.x/quickstart/kubernetes/). diff --git a/app/mesh/1.5.x/installation/kubernetes.md b/app/mesh/1.5.x/installation/kubernetes.md deleted file mode 100644 index ce6dc456ad06..000000000000 --- a/app/mesh/1.5.x/installation/kubernetes.md +++ /dev/null 
@@ -1,191 +0,0 @@ ---- -title: Kong Mesh with Kubernetes ---- - -To install and run {{site.mesh_product_name}} on Kubernetes: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -Download a compatible version of {{site.mesh_product_name}} for the machine from which you -will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the client host from the machine where you plan to run the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -Then, run the control plane with: - -```sh -$ kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f - -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can create a link -in `/usr/local/bin/` by running: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -It may take a while for Kubernetes to start the -{{site.mesh_product_name}} resources. 
You can check the status by executing: - -```sh -$ kubectl get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -You can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. 
To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -{{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.5.x/quickstart/kubernetes/). diff --git a/app/mesh/1.5.x/installation/macos.md b/app/mesh/1.5.x/installation/macos.md deleted file mode 100644 index 3c759fa1eaaf..000000000000 --- a/app/mesh/1.5.x/installation/macos.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Kong Mesh with macOS ---- - -To install and run {{site.mesh_product_name}} on macOS: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -{:.important .no-icon} -> FIPS compliance is not supported on macOS. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on macOS, you can choose from the following -installation methods: - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) -the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.5.x/installation/openshift.md b/app/mesh/1.5.x/installation/openshift.md deleted file mode 100644 index 982dbdaf628e..000000000000 --- a/app/mesh/1.5.x/installation/openshift.md +++ /dev/null 
@@ -1,265 +0,0 @@ ---- -title: Kong Mesh with OpenShift ---- - -To install and run {{site.mesh_product_name}} on OpenShift: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on OpenShift, you need to download a -compatible version of {{site.mesh_product_name}} for the machine from which -you will be executing the commands. - -{% navtabs %} -{% navtab Script %} - -You can run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also download the distribution manually. 
Download a distribution for -the **client host** from where you will be executing the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can also create a link -in `/usr/local/bin/` by executing: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -Then, run the control plane on OpenShift with: - -{% navtabs %} -{% navtab OpenShift 4.x %} - -```sh -kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f - -``` - -Starting from version 4.1, OpenShift uses `nftables` instead of `iptables`. So, -using init container for redirecting traffic to the proxy no longer works. -Instead, we use `kuma-cni`, which can be installed with the `--cni-enabled` flag. 
- -{% endnavtab %} -{% navtab OpenShift 3.11 %} - -By default, `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` are -disabled on OpenShift 3.11. - -To make them work, add the following `pluginConfig` into -`/etc/origin/master/master-config.yaml` on the master node: - -```yaml -admissionConfig: - pluginConfig: - MutatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission - ValidatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission -``` - -After updating `master-config.yaml`, restart the cluster and install -`control-plane`: - -```sh -$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -It may take a while for OpenShift to start the -{{site.mesh_product_name}} resources. You can check the status by running: - -```sh -$ oc get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -Now you can access the control plane with the GUI, `oc`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681` and defaults to `:5681/gui`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Navigate to `127.0.0.1:5681/gui` to see the GUI. 
- -{% endnavtab %} -{% navtab oc (Read & Write) %} -You can use {{site.mesh_product_name}} with `oc` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ oc get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | oc apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -Notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -{{site.mesh_product_name}} explicitly specifies a UID -for the `kuma-dp` sidecar to avoid capturing traffic from -`kuma-dp` itself. 
You must grant a `nonroot` -[Security Context Constraint](https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) -to the application namespace: - -```sh -$ oc adm policy add-scc-to-group nonroot system:serviceaccounts: -``` - -If the namespace is not configured properly, you will see the following error -on the `Deployment` or `DeploymentConfig`: - -```sh -'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: -[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]' -``` - -## 4. Quickstart - -Congratulations! You have successfully installed {{site.mesh_product_name}}. - -Before running the Kuma Demo in the Quickstart guide, -run the following command: - -```sh -$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo -``` - -One of the components in the demo requires root access, therefore it uses the -`anyuid` instead of the `nonroot` permission. - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.5.x/quickstart/kubernetes/). diff --git a/app/mesh/1.5.x/installation/redhat.md b/app/mesh/1.5.x/installation/redhat.md deleted file mode 100644 index 9e78739420c8..000000000000 --- a/app/mesh/1.5.x/installation/redhat.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Kong Mesh with Red Hat ---- - -To install and run {{site.mesh_product_name}} on Red Hat (**x86_64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -{:.note} -> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant -build of Envoy. This build is only available on Red Hat 8 and later. For any previous -versions, use [Docker](/mesh/{{page.release}}/installation/docker/). - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system -and download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.5.x/installation/ubuntu.md b/app/mesh/1.5.x/installation/ubuntu.md deleted file mode 100644 index c3362b6ac348..000000000000 --- a/app/mesh/1.5.x/installation/ubuntu.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Kong Mesh with Ubuntu ---- - -To install and run {{site.mesh_product_name}} on Ubuntu (**amd64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) - the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.5.x/installation/windows.md b/app/mesh/1.5.x/installation/windows.md deleted file mode 100644 index 8fee80e89fad..000000000000 --- a/app/mesh/1.5.x/installation/windows.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -title: Kong Mesh with Windows ---- - -To install and run {{site.mesh_product_name}} on Windows: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -Tested on Windows 10 and Windows Server 2019. - -{:.note} -> **Note**: Transparent proxying is not supported on Windows. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on Windows you can choose among different installation methods: - -{% navtabs %} -{% navtab PowerShell Script %} - -Run the following script in PowerShell to automatically detect the operating system and download {{site.mesh_product_name}}: - -```powershell -Invoke-Expression ([System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -Uri https://docs.konghq.com/mesh/installer.ps1).Content)) -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-windows-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-windows-amd64.tar.gz) -the distribution manually. - -Then extract the archive with: - -```powershell -tar xvzf kong-mesh-{{page.version}}-windows-amd64.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -## 2. Run {{site.mesh_product_name}} - -Once downloaded, you will find the contents of {{site.mesh_product_name}} in the `kong-mesh-{{include.kong_latest.version}}` folder. In this folder, you will find — among other files — the bin directory that stores all the executables for {{site.mesh_product_name}}. 
- -Navigate to the `bin` folder: - -```powershell -cd kong-mesh-{{include.kong_latest.version}}/bin -``` - -Then, run the control plane with: - -```sh -$ KMESH_LICENSE_PATH=/path/to/file/license.json kuma-cp run -``` - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -We suggest adding the `kumactl` executable to your `PATH` so that it's always available in every working directory (PowerShell as Administrator): - -```powershell -New-Item -ItemType SymbolicLink -Path C:\Windows\kumactl.exe -Target .\kumactl.exe -``` - -This runs {{site.mesh_product_name}} with a [memory backend](https://kuma.io/docs/latest/explore/backends/), -but you can use a persistent storage like PostgreSQL by updating the `conf/kuma-cp.conf` file. - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} - diff --git a/app/mesh/1.5.x/patches/opa-policy.yaml b/app/mesh/1.5.x/patches/opa-policy.yaml deleted file mode 100644 index cc8b2e75cbf3..000000000000 --- a/app/mesh/1.5.x/patches/opa-policy.yaml +++ /dev/null 
@@ -1,392 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: opapolicies.kuma.io -spec: - group: kuma.io - names: - kind: OPAPolicy - plural: opapolicies - scope: Cluster - validation: - openAPIV3Schema: - description: OPAPolicy is the Schema for the opapolicy API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map stored with - a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' - type: object - clusterName: - description: The name of the cluster which the object belongs to. This - is used to distinguish resources with same name and namespace in different - clusters. This field is not set anywhere right now and apiserver is - going to ignore it if set in create or update request. - type: string - creationTimestamp: - description: "CreationTimestamp is a timestamp representing the server - time when this object was created. It is not guaranteed to be set - in happens-before order across separate operations. Clients may not - set this value. It is represented in RFC3339 form and is in UTC. 
\n - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - deletionGracePeriodSeconds: - description: Number of seconds allowed for this object to gracefully - terminate before it will be removed from the system. Only set when - deletionTimestamp is also set. May only be shortened. Read-only. - format: int64 - type: integer - deletionTimestamp: - description: "DeletionTimestamp is RFC 3339 date and time at which this - resource will be deleted. This field is set by the server when a graceful - deletion is requested by the user, and is not directly settable by - a client. The resource is expected to be deleted (no longer visible - from resource lists, and not reachable by name) after the time in - this field, once the finalizers list is empty. As long as the finalizers - list contains items, deletion is blocked. Once the deletionTimestamp - is set, this value may not be unset or be set further into the future, - although it may be shortened or the resource may be deleted prior - to this time. For example, a user may request that a pod is deleted - in 30 seconds. The Kubelet will react by sending a graceful termination - signal to the containers in the pod. After that 30 seconds, the Kubelet - will send a hard termination signal (SIGKILL) to the container and - after cleanup, remove the pod from the API. In the presence of network - partitions, this object may still exist after this timestamp, until - an administrator or automated process can determine the resource is - fully terminated. If not set, graceful deletion of the object has - not been requested. \n Populated by the system when a graceful deletion - is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - finalizers: - description: Must be empty before the object is deleted from the registry. 
- Each entry is an identifier for the responsible component that will - remove the entry from the list. If the deletionTimestamp of the object - is non-nil, entries in this list can only be removed. - items: - type: string - type: array - generateName: - description: "GenerateName is an optional prefix, used by the server, - to generate a unique name ONLY IF the Name field has not been provided. - If this field is used, the name returned to the client will be different - than the name passed. This value will also be combined with a unique - suffix. The provided value has the same validation rules as the Name - field, and may be truncated by the length of the suffix required to - make the value unique on the server. \n If this field is specified - and the generated name exists, the server will NOT return a 409 - - instead, it will either return 201 Created or 500 with Reason ServerTimeout - indicating a unique name could not be found in the time allotted, - and the client should retry (optionally after the time indicated in - the Retry-After header). \n Applied only if Name is not specified. - More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" - type: string - generation: - description: A sequence number representing a specific generation of - the desired state. Populated by the system. Read-only. - format: int64 - type: integer - initializers: - description: "An initializer is a controller which enforces some system - invariant at object creation time. This field is a list of initializers - that have not yet acted on this object. If nil or empty, this object - has been completely initialized. Otherwise, the object is considered - uninitialized and is hidden (in list/watch and get calls) from clients - that haven't explicitly asked to observe uninitialized objects. \n - When an object is created, the system will populate this list with - the current set of initializers. Only privileged users may set or - modify this list. 
Once it is empty, it may not be modified further - by any user. \n DEPRECATED - initializers are an alpha field and will - be removed in v1.15." - properties: - pending: - description: Pending is a list of initializers that must execute - in order before this object is visible. When the last pending - initializer is removed, and no failing result is set, the initializers - struct will be set to nil and the object is considered as initialized - and visible to all clients. - items: - properties: - name: - description: name of the process that is responsible for initializing - this object. - type: string - required: - - name - type: object - type: array - result: - description: If result is set with the Failure field, the object - will be persisted to storage and then deleted, ensuring that other - clients can observe the deletion. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this - representation of an object. Servers should convert recognized - schemas to the latest internal value, and may reject unrecognized - values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - code: - description: Suggested HTTP return code for this status, 0 if - not set. - format: int32 - type: integer - details: - description: Extended data associated with the reason. Each - reason may define its own extended details. This field is - optional and the data returned is not guaranteed to conform - to any schema except that defined by the reason type. - properties: - causes: - description: The Causes array includes more details associated - with the StatusReason failure. Not all StatusReasons may - provide detailed causes. - items: - properties: - field: - description: "The field of the resource that has caused - this error, as named by its JSON serialization. - May include dot and postfix notation for nested - attributes. Arrays are zero-indexed. 
Fields may - appear more than once in an array of causes due - to fields having multiple errors. Optional. \n Examples: - \ \"name\" - the field \"name\" on the current - resource \"items[0].name\" - the field \"name\" - on the first array entry in \"items\"" - type: string - message: - description: A human-readable description of the cause - of the error. This field may be presented as-is - to a reader. - type: string - reason: - description: A machine-readable description of the - cause of the error. If this value is empty there - is no information available. - type: string - type: object - type: array - group: - description: The group attribute of the resource associated - with the status StatusReason. - type: string - kind: - description: 'The kind attribute of the resource associated - with the status StatusReason. On some operations may differ - from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: The name attribute of the resource associated - with the status StatusReason (when there is a single name - which can be described). - type: string - retryAfterSeconds: - description: If specified, the time in seconds before the - operation should be retried. Some errors may indicate - the client must take an alternate action - for those errors - this field may indicate how long to wait before taking - the alternate action. - format: int32 - type: integer - uid: - description: 'UID of the resource. (when there is a single - resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - type: object - kind: - description: 'Kind is a string value representing the REST resource - this object represents. Servers may infer this from the endpoint - the client submits requests to. Cannot be updated. In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - message: - description: A human-readable description of the status of this - operation. - type: string - metadata: - description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - properties: - continue: - description: continue may be set if the user set a limit - on the number of items returned, and indicates that the - server has more data available. The value is opaque and - may be used to issue another request to the endpoint that - served this list to retrieve the next set of available - objects. Continuing a consistent list may not be possible - if the server configuration has changed or more than a - few minutes have passed. The resourceVersion field returned - when using this continue value will be identical to the - value in the first response, unless you have received - this token from an error message. - type: string - resourceVersion: - description: 'String that identifies the server''s internal - version of this object that can be used by clients to - determine when objects have changed. Value must be treated - as opaque by clients and passed unmodified back to the - server. Populated by the system. Read-only. More info: - https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' - type: string - selfLink: - description: selfLink is a URL representing this object. - Populated by the system. Read-only. - type: string - type: object - reason: - description: A machine-readable description of why this operation - is in the "Failure" status. If this value is empty there is - no information available. A Reason clarifies an HTTP status - code but does not override it. - type: string - status: - description: 'Status of the operation. One of: "Success" or - "Failure". 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' - type: string - type: object - required: - - pending - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used to organize - and categorize (scope and select) objects. May match selectors of - replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' - type: object - managedFields: - description: "ManagedFields maps workflow-id and version to the set - of fields that are managed by that workflow. This is mostly for internal - housekeeping, and users typically shouldn't need to set or understand - this field. A workflow can be the user's name, a controller's name, - or the name of a specific apply path like \"ci-cd\". The set of fields - is always in the version that the workflow used when modifying the - object. \n This field is alpha and can be changed or removed without - notice." - items: - properties: - apiVersion: - description: APIVersion defines the version of this resource that - this field set applies to. The format is "group/version" just - like the top-level APIVersion field. It is necessary to track - the version of a field set because it cannot be automatically - converted. - type: string - fields: - additionalProperties: true - description: Fields identifies a set of fields. - type: object - manager: - description: Manager is an identifier of the workflow managing - these fields. - type: string - operation: - description: Operation is the type of operation which lead to - this ManagedFieldsEntry being created. The only valid values - for this field are 'Apply' and 'Update'. - type: string - time: - description: Time is timestamp of when these fields were set. - It should always be empty if Operation is 'Apply' - format: date-time - type: string - type: object - type: array - name: - description: 'Name must be unique within a namespace. 
Is required when - creating resources, although some resources may allow a client to - request the generation of an appropriate name automatically. Name - is primarily intended for creation idempotence and configuration definition. - Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - namespace: - description: "Namespace defines the space within each name must be unique. - An empty namespace is equivalent to the \"default\" namespace, but - \"default\" is the canonical representation. Not all objects are required - to be scoped to a namespace - the value of this field for those objects - will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: - http://kubernetes.io/docs/user-guide/namespaces" - type: string - ownerReferences: - description: List of objects depended by this object. If ALL objects - in the list have been deleted, this object will be garbage collected. - If this object is managed by a controller, then an entry in this list - will point to this controller, with the controller field set to true. - There cannot be more than one managing controller. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. Defaults to false. To - set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - type: array - resourceVersion: - description: "An opaque value that represents the internal version of - this object that can be used by clients to determine when objects - have changed. May be used for optimistic concurrency, change detection, - and the watch operation on a resource or set of resources. Clients - must treat these values as opaque and passed unmodified back to the - server. They may only be valid for a particular resource or set of - resources. \n Populated by the system. Read-only. Value must be treated - as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" - type: string - selfLink: - description: SelfLink is a URL representing this object. Populated by - the system. Read-only. - type: string - uid: - description: "UID is the unique in time and space value for this object. - It is typically generated by the server on successful creation of - a resource and is not allowed to change on PUT operations. \n Populated - by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids" - type: string - type: object - mesh: - type: string - spec: - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true diff --git a/app/mesh/1.6.x/features/ca-rotation.md b/app/mesh/1.6.x/features/ca-rotation.md deleted file mode 100644 index e105f5dbcb94..000000000000 --- a/app/mesh/1.6.x/features/ca-rotation.md +++ /dev/null 
@@ -1,233 +0,0 @@ ---- -title: Certificate Authority rotation ---- - -## Overview - -{{site.mesh_product_name}} lets you provide secure communication between applications with mTLS. You can change the mTLS backend with -Certificate Authority rotation, to support a scenario such as migrating from the builtin CA to a Vault CA. - -You can define many backends in the `mtls` section of the Mesh configuration. The data plane proxy is configured to support -certificates signed by the CA of each defined backend. However, the proxy uses only one certificate, specified by the `enabledBackend` -tag. For example: - -{% navtabs %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key -``` -{% endnavtab %} -{% navtab Universal %} -```yaml -type: Mesh -name: default -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key -``` -{% endnavtab %} -{% endnavtabs %} - -## Usage - -Start with mTLS enabled and a `builtin` backend named `ca-1`: - -{% navtabs %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin -``` -{% endnavtab %} -{% navtab Universal %} -```yaml -type: Mesh -name: default -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin -``` -{% endnavtab %} -{% endnavtabs %} - -Then, follow the steps to rotate certificates to a new `provided` backend named `ca-2`. -Each step can take some time, but {{site.mesh_product_name}} provides validators to prevent you from -continuing too soon. - -{% navtabs %} -{% navtab Kubernetes %} -1. 
Add a new backend to the list of backends: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, all data plane proxies support CAs from `ca-1` and `ca-2`. - But the data plane proxy certificates are still signed by the CA from `ca-1`. - -2. Change `enabledBackend` to the new backend: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-2 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates are signed by the CA from `ca-2`. - The data plane proxies still support CAs from `ca-1` and `ca-2`. - -3. Remove the old backend: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-2 - backends: - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates should still be signed by the CA from `ca-2`. - But the data plane proxies no longer support the CA from `ca-1`. - -{% endnavtab %} -{% navtab Universal %} -1. Add a new backend to the list of backends: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, all data plane proxies support CAs from `ca-1` and `ca-2`. - But the data plane proxy certificates are still signed by the CA from `ca-1`. - -2. 
Change `enabledBackend` to the new backend: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-2 - backends: - - name: ca-1 - type: builtin - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates are signed by the CA from `ca-2`. - The data plane proxies still support CAs from `ca-1` and `ca-2`. - -3. Remove the old backend: - - ```yaml - type: Mesh - name: default - mtls: - enabledBackend: ca-2 - backends: - - name: ca-2 - type: provided - conf: - cert: - secret: ca-2-cert - key: - secret: ca-2-key - ``` - - After the configuration finishes, the data plane proxy certificates should still be signed by the CA from `ca-2`. - But the data plane proxies no longer support the CA from `ca-1`. -{% endnavtab %} -{% endnavtabs %} \ No newline at end of file diff --git a/app/mesh/1.6.x/features/fips-support.md b/app/mesh/1.6.x/features/fips-support.md deleted file mode 100644 index 0b607e1028c4..000000000000 --- a/app/mesh/1.6.x/features/fips-support.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: Kong Mesh - FIPS Support ---- - -With version 1.2.0, {{site.mesh_product_name}} provides built-in support for the Federal Information Processing Standard (FIPS-2). Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors. - -FIPS support is provided by implementing Envoy's FIPS-compliant mode for BoringSSL. For more information about how it works, see Envoy's [FIPS 140-2 documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2). - -{:.important .no-icon} -> FIPS compliance is not supported on macOS. diff --git a/app/mesh/1.6.x/features/kds-auth.md b/app/mesh/1.6.x/features/kds-auth.md deleted file mode 100644 index 8ae819a2de74..000000000000 --- a/app/mesh/1.6.x/features/kds-auth.md +++ /dev/null 
@@ -1,318 +0,0 @@ ---- -title: Multi-zone authentication ---- - -To add to the security of your deployments, {{site.mesh_product_name}} provides token generation for authenticating zone control planes to the global control plane. - -The control plane token is a JWT that contains: - -- The name of the zone the token is generated for -- Expiration date (10 years by default if not specified) - -The control plane token is signed by a signing key that is autogenerated on the global control plane. The signing key is SHA256 encrypted. - -You can check for the signing key: - -``` -$ kumactl get global-secrets -``` - -which returns something like: - -``` -NAME AGE -control-plane-signing-key-0001 36m -``` - -## Set up tokens - -To generate the tokens you need and configure your clusters: - -- Generate a token for each zone control plane. -- Add the token to the configuration for each zone. -- Enable authentication on the global control plane. - -### Generate token for each zone - -On the global control plane, [authenticate](/mesh/latest/production/secure-deployment/certificates/#user-to-control-plane-communication) and run the following command: - -``` -$ kumactl generate control-plane-token --zone=west --valid-for=720h > /tmp/token -$ cat /tmp/token -``` - -The generated token looks like: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -For authentication to the global control plane on Kubernetes, you can port-forward port 5681 to access the API. 
- -### Add token to each zone configuration - -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-token-path` argument, where the value is the path to the file where the token is stored: - -``` -$ kumactl install control-plane \ - --mode=zone \ - --zone= \ - --cp-token-path=/tmp/token \ - --ingress-enabled \ - --kds-global-address grpcs://`` | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Create a secret with a token in the same namespace where {{site.mesh_product_name}} is installed: - -``` -$ kubectl create secret generic cp-token -n kong-mesh-system --from-file=/tmp/token -``` - -Add the following to `Values.yaml`: -```yaml -kuma: - controlPlane: - secrets: - - Env: "KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE" - Secret: "cp-token" - Key: "token" -``` - - -{% endnavtab %} -{% navtab Universal %} - -Either: - -- Set the token as an inline value in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable: - -```sh -$ KUMA_MODE=zone \ - KUMA_MULTIZONE_ZONE_NAME= \ - KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ" \ - ./kuma-cp run -``` - -OR - -- Store the token in a file, then set the path to the file in a `KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE` environment variable. -```sh -$ KUMA_MODE=zone \ - KUMA_MULTIZONE_ZONE_NAME= \ - KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs:// \ - KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH="/tmp/token" \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -### Enable authentication on the global control plane - -If you are starting from scratch and not securing existing {{site.mesh_product_name}} deployment, you can do this as a first step. 
- -{% navtabs %} -{% navtab Kubernetes with kumactl %} - -If you install the zone control plane with `kumactl install control-plane`, pass the `--cp-auth` argument with the value `cpToken`: - -```sh -$ kumactl install control-plane \ - --mode=global \ - --cp-auth=cpToken | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Kubernetes with Helm %} - -Add the following to `Values.yaml`: - -```yaml -kuma: - controlPlane: - envVars: - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE: cpToken -``` - -{% endnavtab %} -{% navtab Universal %} - -Set `KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE` to `cpToken`: - -```sh -$ KUMA_MODE=global \ - KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE=cpToken \ - ./kuma-cp run -``` - -{% endnavtab %} -{% endnavtabs %} - -Verify the zone control plane is connected with authentication by looking at the global control plane logs: - -``` -2021-02-24T14:30:38.596+0100 INFO kds.auth Zone CP successfully authenticated using Control Plane Token {"tokenSerialNumber": 1, "zone": "cluster-2"} -``` - -## Revoke token - -{{site.mesh_product_name}} does not keep a list of issued tokens. Whenever a single token is compromised, you can add it to revocation list so the token is no longer valid. - -Every token has its own ID, which is available in the payload under the `jti` key. You can extract an ID from the token using jwt.io or the [`jwt-cli`](https://www.npmjs.com/package/jwt-cli) tool. 
Here is an example of a `jti` key: -``` -0e120ec9-6b42-495d-9758-07b59fe86fb9 -``` - -Specify a list of revoked IDs separated by commas (`,`) and store it as a `GlobalSecret` object named `control-plane-token-revocations`: - -{% navtabs %} -{% navtab Kubernetes %} -```sh -REVOCATIONS=$(echo '0e120ec9-6b42-495d-9758-07b59fe86fb9' | base64) && echo "apiVersion: v1 -kind: Secret -metadata: - name: control-plane-token-revocations - namespace: kuma-system -data: - value: $REVOCATIONS -type: system.kuma.io/global-secret" | kubectl apply -f - -``` -{% endnavtab %} -{% navtab Universal %} -```sh -echo " -type: GlobalSecret -name: control-plane-token-revocations -data: {{ revocations }}" | kumactl apply --var revocations=$(echo '0e120ec9-6b42-495d-9758-07b59fe86fb9' | base64) -f - -``` -{% endnavtab %} -{% endnavtabs %} - -## Rotate signing key - -If a signing key is compromised, you must rotate it and all the tokens. When the signing key is rotated, all tokens signed with the -key are no longer valid. You do not need to add the tokens manually to a revocation list. - -### Generate new signing key - -The signing key is stored as a `GlobalSecret` with a name that looks like `control-plane-signing-key-{serialNumber}`. - -Make sure to generate the new signing key with a serial number greater than the serial number of the current signing key. - - -{% navtabs %} -{% navtab Kubernetes %} - -Check what is the current highest serial number. - -```sh -$ kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/global-secret' -NAME TYPE DATA AGE -control-plane-signing-key-0001 system.kuma.io/global-secret 1 25m -``` - -In this case, the highest serial number is `0001`. 
Generate a new Signing Key with a serial number of `0002` - -```sh -$ TOKEN="$(kumactl generate signing-key)" && echo " -apiVersion: v1 -data: - value: $TOKEN -kind: Secret -metadata: - name: control-plane-signing-key-0002 - namespace: kong-mesh-system -type: system.kuma.io/global-secret -" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab Universal %} - -Check what is the current highest serial number. - -```sh -$ kumactl get global-secrets -NAME AGE -control-plane-signing-key-0001 36m -``` - -In this case, the highest serial number is `0001`. Generate a new Signing Key with a serial number of `0002` - -```sh -echo " -type: GlobalSecret -name: control-plane-signing-key-0002 -data: {{ key }} -" | kumactl apply --var key=$(kumactl generate signing-key) -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -### Regenerate control plane tokens - -Create and add a new token for each zone control plane. These tokens are automatically created with the signing key that's assigned the highest serial number, so they're created with the new signing key. - -Make sure the new signing key is available; otherwise old and new tokens are created with the same signing key and can both provide authentication. - -### Remove the old signing key - -{% navtabs %} -{% navtab Kubernetes %} - -```sh -$ kubectl delete secret control-plane-signing-key-0001 -n kong-mesh-system -``` - -{% endnavtab %} -{% navtab Universal %} - -```sh -$ kumactl delete global-secret control-plane-signing-key-0001 -``` - -{% endnavtab %} -{% endnavtabs %} - -All new connections to the global control plane now require tokens signed with the new signing key. - -### Restart the global control plane - -Restart all instances of the global control plane. All connections are now authenticated with the new tokens. - -## Explore an example token - -You can decode the tokens to validate the signature or explore details. 
- -For example, run: -``` -$ kumactl generate control-plane-token --zone=west -``` - -which returns: - -``` -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJab25lIjoid2VzdCIsIlRva2VuU2VyaWFsTnVtYmVyIjoxfQ.kIrS5W0CPMkEVhuRXcUxk3F_uUoeI3XK1Gw-uguWMpQ -``` - -Paste the token into the UI at jwt.io, or run - -``` -$ kumactl generate control-plane-token --zone=west | jwt -``` - -The result looks like: - -![JWT token decoded](/assets/images/docs/mesh/jwt-decoded.png) - -## Additional security - -By default, a connection from the zone control plane to the global control plane is secured with TLS. You should also configure the zone control plane to [verify the certificate authority (CA) of the global control plane]((/mesh/latest/production/secure-deployment/certificates/#control-plane-to-control-plane-multizone){:target="_blank"}. diff --git a/app/mesh/1.6.x/features/opa.md b/app/mesh/1.6.x/features/opa.md deleted file mode 100644 index 5dd8e24cdcc5..000000000000 --- a/app/mesh/1.6.x/features/opa.md +++ /dev/null 
@@ -1,639 +0,0 @@ ---- -title: Kong Mesh - OPA Policy Integration ---- - -## OPA policy plugin - -{{site.mesh_product_name}} integrates the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to provide access control for your services. - -The agent is included in the data plane proxy sidecar, instead of the more common deployment as a separate sidecar. - -When `OPAPolicy` is applied, the control plane configures: - -- the embedded policy agent, with the specified policy -- Envoy, to use [External Authorization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto) that points to the embedded policy agent - -## Usage - -To apply a policy with OPA: - -- Specify the group of data plane proxies to apply the policy to with the `selectors` property. -- Provide a policy with the `conf` property. Policies are defined in the [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/). -{:.note} -> **Note:** You cannot currently apply multiple OPA policies. This limitation will be addressed in the future. - -- Optionally provide custom configuration for the policy agent. - - -You must also specify the HTTP protocol in your mesh configuration: - -{% navtabs %} -{% navtab Kubernetes %} - -Add the HTTP protocol annotation to the Kubernetes Service configuration, with the general syntax `.service.kuma.io/protocol`. - -Example: - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: web - namespace: kong-mesh-example - annotations: - 8080.service.kuma.io/protocol: http # required for OPA support -spec: - selector: - app: web - ports: - - port: 8080 -``` - -{% endnavtab %} -{% navtab Universal %} - -Add the HTTP protocol tag to the `Dataplane` configuration. 
- -Example: - -```yaml -type: Dataplane -mesh: default -name: web -networking: - address: 192.168.0.1 - inbound: - - port: 80 - servicePort: 8080 - tags: - kuma.io/service: web - kuma.io/protocol: http # required for OPA support -``` - -{% endnavtab %} -{% endnavtabs %} - -For more information, see [the Kuma documentation about protocol support](https://kuma.io/docs/latest/policies/protocol-support-in-kuma/). - -### Inline - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": 
"secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% endnavtabs %} - -### With Secrets - -Encoding the policy in a [Secret](https://kuma.io/docs/1.6.x/security/secrets/) provides some security for policies that contain sensitive data. - -{% navtabs %} -{% navtab Kubernetes %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: opa-policy - namespace: kong-mesh-system - labels: - kuma.io/mesh: default - data: - value: 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 - type: system.kuma.io/secret - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% navtab Universal %} - -1. Define a Secret with a policy that's Base64-encoded: - - ```yaml - type: Secret - name: sample-secret - mesh: default - data: 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 - ``` - -1. Pass the Secret to `OPAPolicy`: - - ```yaml - type: OPAPolicy - mesh: default - name: opa-1 - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - secret: opa-policy - ``` - -{% endnavtab %} -{% endnavtabs %} - -## Configuration - -{{site.mesh_product_name}} defines a default configuration for OPA, but you can adjust the configuration to meet your environment's requirements. 
- -The following environment variables are available: - -| Variable | Type | What it configures | Default value {:width=25%:} | -| -------------------------- | --------- | --------------------------------------| ------------------- | -| KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` | -| KMESH_OPA_CONFIG_PATH | string | Path to file of initial config | N/A | -| KMESH_OPA_DIAGNOSTIC_ADDR | string | Address of OPA diagnostics server | `0.0.0.0:8282` | -| KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true | -| KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` | -| KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | [plugins.envoy_ext_authz_grpc. query=data.envoy.authz.allow] | - -{% navtabs %} -{% navtab Kubernetes %} - -You can customize the agent in either of the following ways: - -- Override variables in the data plane proxy config: -{% navtabs %} -{% navtab kumactl %} - -When you deploy the Mesh control plane, edit the `kong-mesh-control-plane-config` ConfigMap: - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kong-mesh-control-plane-config - namespace: kong-mesh-system -data: - config.yaml: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% navtab Helm %} - -Override the Helm value in `values.yaml` - -```yaml -kuma: - controlPlane: - config: | - runtime: - kubernetes: - injector: - sidecarContainer: - envVars: - KMESH_OPA_ENABLED: "false" - KMESH_OPA_ADDR: ":8888" - KMESH_OPA_CONFIG_OVERRIDES: "config1:x,config2:y" -``` - -{% endnavtab %} -{% endnavtabs %} -{% endnavtab %} -{% navtab Universal %} - -The `run` command on the data plane proxy accepts the following equivalent parameters if you prefer not to set environment variables: - - -``` ---opa-addr 
---opa-config-path ---opa-diagnostic-addr ---opa-enabled ---opa-ext-authz-addr ---opa-set strings -``` - -{% endnavtab %} -{% endnavtabs %} - -- Override the config for individual data plane proxies by placing the appropriate annotations on the Pod: - -``` -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example-app - namespace: kuma-example -spec: - ... - template: - metadata: - ... - annotations: - # indicate to Kuma that this Pod doesn't need a sidecar - kuma.io/sidecar-env-vars: "KMESH_OPA_ENABLED=false;KMESH_OPA_ADDR=:8888;KMESH_OPA_CONFIG_OVERRIDES=config1:x,config2:y" -``` - -## Configuring the authorization filter - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny' defines the behaviour when communication with the agent fails or the policy execution fails. - requestBody: # optional - maxSize: 1024 # the max number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: - - secret: opa-policy -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - authConfig: # optional - statusOnError: 413 # optional: defaults to 403. http statusCode to use when the connection to the agent failed. - onAgentFailure: allow # optional: one of 'allow' or 'deny', defaults to 'deny'. defines the behaviour when communication with the agent fails or the policy execution fails. 
- requestBody: # optional - maxSize: 1024 # the maximum number of bytes to send to the agent, if we exceed this, the request to the agent will have: `x-envoy-auth-partial-body: true`. - sendRawBody: true # use when the body is not plaintext. The agent request will have `raw_body` instead of `body` - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - policies: # optional - - secret: opa-policy -``` - -{% endnavtab %} -{% endnavtabs %} - -By default, the body will not be sent to the agent. -To send it, set `authConfig.requestBody.maxSize` to the maximum size of your body. -If the request body is larger than this parameter, it will be truncated and the header `x-envoy-auth-partial-body` will be set to `true`. - -## Support for external API management servers - -The `agentConfig` field lets you define a custom configuration that points to an external management server: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: OPAPolicy -mesh: default -metadata: - name: opa-1 -spec: - selectors: - - match: - kuma.io/service: '*' - conf: - agentConfig: - inlineString: | - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: OPAPolicy -mesh: default -name: opa-1 -selectors: -- match: - kuma.io/service: '*' -conf: - agentConfig: - inlineString: | # one of: inlineString, secret - services: - acmecorp: - url: https://example.com/control-plane-api/v1 - credentials: - bearer: - token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm" - discovery: - name: example - resource: /configuration/example/discovery -``` - -{% endnavtab %} -{% endnavtabs %} - -## Example - -The following example shows how to deploy and test a sample OPA Policy 
on Kubernetes, using the kuma-demo application. - -1. Deploy the example application: - - ``` - kubectl apply -f https://bit.ly/demokuma - ``` - -1. Make a request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 1717af9c-2587-43b9-897f-f8061bba5ad4 - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 15:33:18 GMT - < x-envoy-upstream-service-time: 1521 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - -1. 
Apply an OPA Policy that requires a valid JWT token: - - ``` - echo " - apiVersion: kuma.io/v1alpha1 - kind: OPAPolicy - mesh: default - metadata: - name: opa-1 - spec: - selectors: - - match: - kuma.io/service: '*' - conf: - policies: - - inlineString: | - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {\"valid\": valid, \"payload\": payload} { - [_, encoded] := split(http_request.headers.authorization, \" \") - [valid, _, payload] := io.jwt.decode_verify(encoded, {\"secret\": \"secret\"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == \"GET\" - token.payload.role == \"admin\" - } - " | kubectl apply -f - - ``` - -1. Make an invalid request from the frontend to the backend: - - ``` - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl backend:3001 -v - ``` - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-bwvnb -n kuma-demo' to see all of the containers in this pod. - * Trying 10.105.146.164:3001... - * TCP_NODELAY set - * Connected to backend (10.105.146.164) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < date: Tue, 09 Mar 2021 16:50:40 GMT - < server: envoy - < x-envoy-upstream-service-time: 2 - < content-length: 0 - < - * Connection #0 to host backend left intact - ``` - - Note the `HTTP/1.1 403 Forbidden` message. The application doesn't allow a request without a valid token. - - The policy can take up to 30 seconds to propagate, so if this request succeeds the first time, wait and then try again. - -1. 
Make a valid request from the frontend to the backend: - - ``` - $ export ADMIN_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJzdWIiOiJZbTlpIiwibmJmIjoxNTE0ODUxMTM5LCJleHAiOjI1MjQ2MDgwMDB9.H0-42LYzoWyQ_4MXAcED30u6lA5JE087eECV2nxDfXo" - $ kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -- curl -H "Authorization: Bearer $ADMIN_TOKEN" backend:3001 - ``` - - The output looks like: - - ``` - Defaulting container name to kuma-fe. - Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod. - * Trying 10.111.108.218:3001... - * TCP_NODELAY set - * Connected to backend (10.111.108.218) port 3001 (#0) - > GET / HTTP/1.1 - > Host: backend:3001 - > User-Agent: curl/7.67.0 - > Accept: */* - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-powered-by: Express - < cache-control: no-store, no-cache, must-revalidate, private - < access-control-allow-origin: * - < access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS - < access-control-allow-headers: * - < host: backend:3001 - < user-agent: curl/7.67.0 - < accept: */* - < x-forwarded-proto: http - < x-request-id: 8fd7b398-1ba2-4c2e-b229-5159d04d782e - < content-length: 90 - < content-type: text/html; charset=utf-8 - < date: Tue, 16 Mar 2021 17:26:00 GMT - < x-envoy-upstream-service-time: 261 - < server: envoy - < - * Connection #0 to host backend left intact - Hello World! Marketplace with sales and reviews made with <3 by the OCTO team at Kong Inc. - ``` - - The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired. diff --git a/app/mesh/1.6.x/features/rbac.md b/app/mesh/1.6.x/features/rbac.md deleted file mode 100644 index 76258f61836c..000000000000 --- a/app/mesh/1.6.x/features/rbac.md +++ /dev/null 
@@ -1,678 +0,0 @@ ---- -title: Role-Based Access Control ---- - -Role-Based Access Control (RBAC) lets you restrict access to resources and actions to specified users or groups, based on user roles. - -## How it works - -{{site.mesh_product_name}} provides two resources to implement RBAC: - -- `AccessRole` specifies kinds of access and resources to which access is granted. Note that access is defined only for write operations. Read access is available to all users. -- `AccessRoleBinding` lists users and the access roles that are assigned to them. - -### AccessRole - -`AccessRole` defines a role that is assigned separately to users. -It is global-scoped, which means it is not bound to a mesh. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: role-1 -rules: -- types: ["TrafficPermission", "TrafficRoute", "Mesh"] # list of types to which access is granted. If empty, then access is granted to all types - names: ["res-1"] # list of allowed names of types to which access is granted. If empty, then access is granted to resources regardless of the name. - mesh: default # Mesh within which the access to resources is granted. It can only be used with the Mesh-scoped resources. - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN", "GENERATE_ZONE_TOKEN"] # an action that is bound to a type. - when: # a set of qualifiers to receive an access. Only one of them needs to be fulfilled to receive an access - - sources: # a condition on sources section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all sources are allowed - match: - kuma.io/service: web - destinations: # a condition on destinations section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all destinations are allowed - match: - kuma.io/service: backend - - selectors: # a condition on selectors section in dataplane policies (like TrafficTrace or ProxyTemplate). 
- match: - kuma.io/service: web - - dpToken: # a condition on generate dataplane token. - tags: - - name: kuma.io/service - value: web -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: role-1 -spec: - rules: - - types: ["TrafficPermission", "TrafficRoute", "Mesh"] # list of types to which access is granted. If empty, then access is granted to all types - names: ["res-1"] # list of allowed names of types to which access is granted. If empty, then access is granted to resources regardless of the name. - mesh: default # Mesh within which the access to resources is granted. It can only be used with the Mesh-scoped resources. - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN", "GENERATE_ZONE_TOKEN"] # an action that is bound to a type. - when: # a set of qualifiers to receive an access. Only one of them needs to be fulfilled to receive an access - - sources: # a condition on sources section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all sources are allowed - match: - kuma.io/service: web - destinations: # a condition on destinations section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all destinations are allowed - match: - kuma.io/service: backend - - selectors: # a condition on selectors section in dataplane policies (like TrafficTrace or ProxyTemplate). - match: - kuma.io/service: web - - dpToken: # a condition on generate dataplane token. - tags: - - name: kuma.io/service - value: web -``` -{% endnavtab %} -{% endnavtabs %} - -### AccessRoleBinding - -`AccessRoleBinding` assigns a set of `AccessRoles` to a set of subjects (users and groups). -It is global-scoped, which means it is not bound to a mesh. 
- -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRoleBinding -name: binding-1 -subjects: # a list of subjects that will be assigned roles -- type: User # type of the subject. Available values: ("User", "Group") - name: john.doe@example.com # name of the subject. -- type: Group - name: team-a -roles: # a list of roles that will be assigned to the list of subjects. -- role-1 -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRoleBinding -metadata: - name: binding-1 -spec: - subjects: # a list of subjects that will be assigned roles - - type: User # type of the subject. Available values: ("User", "Group") - name: john.doe@example.com # name of the subject. - - type: Group - name: team-a - roles: # a list of roles that will be assigned to the list of subjects. - - role-1 -``` -{% endnavtab %} -{% endnavtabs %} - -## Example roles - -Let's go through example roles in the organization that can be created using {{site.mesh_product_name}} RBAC. - -### {{site.mesh_product_name}} operator (admin) - -Mesh operator is a part of infrastructure team responsible for {{site.mesh_product_name}} deployment. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: admin -rules: -- access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN", "GENERATE_ZONE_TOKEN"] -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: admin -spec: - rules: - - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN", "GENERATE_ZONE_TOKEN"] -``` -{% endnavtab %} -{% endnavtabs %} - -This way {{site.mesh_product_name}} operators can execute any action. - -{:.note} -> **Note**: This role is automatically created on the start of the control plane. - -### Service owner - -Service owner is a part of team responsible for given service. 
Let's take a `backend` service as an example. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: backend-owner -rules: -- mesh: default - types: ["TrafficPermission", "RateLimit"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - destinations: - match: - kuma.io/service: backend -- mesh: default - types: ["TrafficRoute", "HealthCheck", "CircuitBreaker", "FaultInjection", "Retry", "Timeout", "TrafficLog"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - sources: - match: - kuma.io/service: backend - - destinations: - match: - kuma.io/service: backend -- mesh: default - types: ["TrafficTrace", "ProxyTemplate"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - selectors: - match: - kuma.io/service: backend -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: backend-owner -spec: - rules: - - mesh: default - types: ["TrafficPermission", "RateLimit"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - destinations: - match: - kuma.io/service: backend - - mesh: default - types: ["TrafficRoute", "HealthCheck", "CircuitBreaker", "FaultInjection", "Retry", "Timeout", "TrafficLog"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - sources: - match: - kuma.io/service: backend - - destinations: - match: - kuma.io/service: backend - - mesh: default - types: ["TrafficTrace", "ProxyTemplate"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - selectors: - match: - kuma.io/service: backend -``` -{% endnavtab %} -{% endnavtabs %} - -This way a service owners can: -* Modify `RateLimit` and `TrafficPermission` that allows/restrict access to the backend service. - This changes the configuration of data plane proxy that implements `backend` service. -* Modify connection policies (`TrafficRoute`, `HealthCheck`, `CircuitBreaker`, `FaultInjection`, `Retry`, `Timeout`, `RateLimit`, `TrafficLog`) - that matches backend service that connects to other services. 
This changes the configuration of data plane proxy that implements `backend` service. -* Modify connection policies that matches any service that consumes backend service. - This changes the configuration of data plane proxies that are connecting to backend, but the configuration only affects connections to backend service. - It's useful because the service owner of backend has the best knowledge what (`Timeout`, `HealthCheck`) should be applied when communicating with their service. -* Modify `TrafficTrace` or `ProxyTemplate` that matches backend service. This changes the configuration of data plane proxy that implements `backend` service. - -### Observability operator - -We may also have an infrastructure team which is responsible for the logging/metrics/tracing systems in the organization. -Currently, those features are configured on `Mesh`, `TrafficLog` and `TrafficTrace` objects. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: observability-operator -rules: -- mesh: '*' - types: ["TrafficLog", "TrafficTrace"] - access: ["CREATE", "DELETE", "UPDATE"] -- types: ["Mesh"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: observability-operator -spec: - rules: - - mesh: '*' - types: ["TrafficLog", "TrafficTrace"] - access: ["CREATE", "DELETE", "UPDATE"] - - types: ["Mesh"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endnavtab %} -{% endnavtabs %} - -This way an observability operator can: -* Modify `TrafficLog` and `TrafficTrace` in any mesh -* Modify any `Mesh` - -### Single Mesh operator - -{{site.mesh_product_name}} lets us segment the deployment into many logical service meshes configured by Mesh object. -We may want to give an access to one specific Mesh and all objects connected with this Mesh. 
- -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: demo-mesh-operator -rules: -- mesh: demo - access: ["CREATE", "DELETE", "UPDATE"] -- types: ["Mesh"] - names: ["demo"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: demo-mesh-operator -spec: - rules: - - mesh: demo - access: ["CREATE", "DELETE", "UPDATE"] - - types: ["Mesh"] - names: ["demo"] - access: ["CREATE", "DELETE", "UPDATE"] - -``` -{% endnavtab %} -{% endnavtabs %} - -This way all observability operator can: -* Modify all resources in the demo mesh -* Modify `demo` Mesh object. - -## Kubernetes - -Kubernetes provides their own RBAC system, but it's not sufficient to cover use cases for several reasons: -* You cannot restrict an access to resources of specific Mesh -* You cannot restrict an access based on the content of the policy - -{{site.mesh_product_name}} RBAC works on top of Kubernetes RBAC. -For example, to restrict the access for a user to modify `TrafficPermission` for backend service, they need to be able to create `TrafficPermission` in the first place. - -The `subjects` in `AccessRoleBinding` are compatible with Kubernetes users and groups. -{{site.mesh_product_name}} RBAC on Kubernetes is implemented using Kubernetes Webhook when applying resources. This means you can only use Kubernetes users and groups for `CREATE`, `DELETE` and `UPDATE` access. -`GENERATE_DATAPLANE_TOKEN`, `GENERATE_USER_TOKEN`, `GENERATE_ZONE_CP_TOKEN`, `GENERATE_ZONE_TOKEN` are used when interacting with {{site.mesh_product_name}} API Server, in this case you need to use the user token. - -## Default - -{{site.mesh_product_name}} creates an `admin` `AccessRole` that allows every action. - -In a standalone deployment, the `default` `AccessRoleBinding` assigns this role to every authenticated and unauthenticated user. 
- -In a multi-zone deployment, the `default` `AccessRoleBinding` on the global control plane assigns this role to every authenticated and unauthenticated user. -However, on the zone control plane, the `default` `AccessRoleBinding` is restricted to the `admin` `AccessRole` only. - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRole -name: admin -rules: -- access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN", "GENERATE_ZONE_TOKEN"] ---- -type: AccessRoleBinding -name: default -subjects: -- type: Group - name: mesh-system:authenticated -- type: Group - name: mesh-system:unauthenticated -roles: -- admin -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: admin -spec: - rules: - - access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN", "GENERATE_ZONE_TOKEN"] ---- -apiVersion: kuma.io/v1alpha1 -kind: AccessRoleBinding -metadata: - name: default -spec: - subjects: - - type: Group - name: mesh-system:authenticated - - type: Group - name: mesh-system:unauthenticated - - type: Group - name: system:authenticated - - type: Group - name: system:unauthenticated - roles: - - admin -``` -{% endnavtab %} -{% endnavtabs %} - -To restrict access to `admin` only, change the default `AccessRole` policy: - -{% navtabs %} -{% navtab Universal %} -```yaml -type: AccessRoleBinding -name: default -subjects: -- type: Group - name: mesh-system:admin -roles: -- admin -``` -{% endnavtab %} -{% navtab Kubernetes %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRoleBinding -metadata: - name: default -spec: - subjects: - - type: Group - name: mesh-system:admin - - type: Group - name: system:masters - - type: Group - name: system:serviceaccounts:kube-system - roles: - - admin -``` -`system:serviceaccounts:kube-system` is required for Kubernetes controllers to manage Kuma resources -- for 
example, to remove data plane objects when a namespace is removed. -{% endnavtab %} -{% endnavtabs %} - -## Example - -Here are the steps to create a new user and restrict the access only to `TrafficPermission` for backend service. - -{% navtabs %} -{% navtab Universal %} - -{:.note} -> **Note**: By default, all requests that originates from localhost are authenticated as user `admin` belonging to group `mesh-system:admin`. -In order for this example to work you must either run the control plane with `KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN` set to `false` or be accessing the control plane not via localhost. - -1. Extract admin token and configure kumactl with admin: - - ```sh - $ export ADMIN_TOKEN=$(curl http://localhost:5681/global-secrets/admin-user-token | jq -r .data | base64 -d) - $ kumactl config control-planes add \ - --name=cp-admin \ - --address=https://localhost:5682 \ - --skip-verify=true \ - --auth-type=tokens \ - --auth-conf token=$ADMIN_TOKEN - ``` - -1. Configure backend-owner: - - ```sh - $ export BACKEND_OWNER_TOKEN=$(kumactl generate user-token --valid-for=24h --name backend-owner) - $ kumactl config control-planes add \ - --name=cp-backend-owner \ - --address=https://localhost:5682 \ - --skip-verify=true \ - --auth-type=tokens \ - --auth-conf token=$BACKEND_OWNER_TOKEN - $ kumactl config control-planes switch --name cp-admin # switch back to admin - ``` - -1. Change default {{site.mesh_product_name}} RBAC to restrict access to resources by default: - - ```sh - $ echo "type: AccessRoleBinding - name: default - subjects: - - type: Group - name: mesh-system:admin - roles: - - admin" | kumactl apply -f - - ``` - -1. 
Create {{site.mesh_product_name}} RBAC to restrict backend-owner to only modify `TrafficPermission` for backend: - - ```sh - $ echo ' - type: AccessRole - name: backend-owner - rules: - - types: ["TrafficPermission"] - mesh: default - access: ["CREATE", "UPDATE", "DELETE"] - when: - - destinations: - match: - kuma.io/service: backend - ' | kumactl apply -f - - $ echo ' - type: AccessRoleBinding - name: backend-owners - subjects: - - type: User - name: backend-owner - roles: - - backend-owner' | kumactl apply -f - - ``` - -1. Change the user and test RBAC: - - ```sh - $ kumactl config control-planes switch --name cp-backend-owner - $ echo " - type: TrafficPermission - mesh: default - name: web-to-backend - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: backend - " | kumactl apply -f - - # this operation should succeed - - $ echo " - type: TrafficPermission - mesh: default - name: web-to-backend - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: other - " | kumactl apply -f - - Error: Access Denied (user "backend-owner/mesh-system:authenticated" cannot access the resource) - ``` - -{% endnavtab %} -{% navtab Kubernetes %} - -1. 
Create a backend-owner Kubernetes user and configure kubectl: - - ```sh - $ mkdir -p /tmp/k8s-certs - $ cd /tmp/k8s-certs - $ openssl genrsa -out backend-owner.key 2048 # generate client key - $ openssl req -new -key backend-owner.key -subj "/CN=backend-owner" -out backend-owner.csr # generate client certificate request - $ CSR=$(cat backend-owner.csr | base64 | tr -d "\n") && echo "apiVersion: certificates.k8s.io/v1 - kind: CertificateSigningRequest - metadata: - name: backend-owner - spec: - request: $CSR - signerName: kubernetes.io/kube-apiserver-client - usages: - - client auth" | kubectl apply -f - - $ kubectl certificate approve backend-owner - $ kubectl get csr backend-owner -o jsonpath='{.status.certificate}'| base64 -d > backend-owner.crt - $ kubectl config set-credentials backend-owner \ - --client-key=/tmp/k8s-certs/backend-owner.key \ - --client-certificate=/tmp/k8s-certs/backend-owner.crt \ - --embed-certs=true - $ kubectl config set-context backend-owner --cluster=YOUR_CLUSTER_NAME --user=backend-owner - ``` - -1. Create Kubernetes RBAC to allow backend-owner to manage all `TrafficPermission`: - - ```sh - $ echo " - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: kuma-policy-management - rules: - - apiGroups: - - kuma.io - resources: - - trafficpermissions - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: kuma-policy-management-backend-owner - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kuma-policy-management - subjects: - - kind: User - name: backend-owner - apiGroup: rbac.authorization.k8s.io - " | kubectl apply -f - - ``` - -1. 
Change default {{site.mesh_product_name}} RBAC to restrict access to resources by default: - - ```sh - $ echo " - apiVersion: kuma.io/v1alpha1 - kind: AccessRoleBinding - metadata: - name: default - spec: - subjects: - - type: Group - name: mesh-system:admin - - type: Group - name: system:masters - - type: Group - name: system:serviceaccounts:kube-system - roles: - - admin - " | kubectl apply -f - - ``` - -1. Create an `AccessRole` to grant permissions to user `backend-owner` to modify `TrafficPermission` only for the backend service: - - ```sh - $ echo " - --- - apiVersion: kuma.io/v1alpha1 - kind: AccessRole - metadata: - name: backend-owner - spec: - rules: - - types: ["TrafficPermission"] - mesh: default - access: ["CREATE", "UPDATE", "DELETE"] - when: - - destinations: - match: - kuma.io/service: backend - --- - apiVersion: kuma.io/v1alpha1 - kind: AccessRoleBinding - metadata: - name: backend-owners - spec: - subjects: - - type: User - name: backend-owner - roles: - - backend-owner - " | kubectl apply -f - - ``` - -1. Change the service to test user access: - - ```sh - $ kubectl config use-context backend-owner - $ echo " - apiVersion: kuma.io/v1alpha1 - kind: TrafficPermission - mesh: default - metadata: - name: web-to-backend - spec: - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: backend - " | kubectl apply -f - - # operation should succeed, access to backend service access is granted - - $ echo " - apiVersion: kuma.io/v1alpha1 - kind: TrafficPermission - mesh: default - metadata: - name: web-to-backend - spec: - sources: - - match: - kuma.io/service: web - destinations: - - match: - kuma.io/service: not-backend # access to this service is not granted - " | kubectl apply -f - - # operation should not succeed - ``` -{% endnavtab %} -{% endnavtabs %} - -## Multi-zone - -In a multi-zone setup, `AccessRole` and `AccessRoleBinding` are not synchronized between the global control plane and the zone control plane. 
diff --git a/app/mesh/1.6.x/features/ubi-images.md b/app/mesh/1.6.x/features/ubi-images.md
deleted file mode 100644
index b735c1385026..000000000000
--- a/app/mesh/1.6.x/features/ubi-images.md
+++ /dev/null
@@ -1,42 +0,0 @@
---- -title: Red Hat Universal Base Images ---- - -In addition to the standard {{site.mesh_product_name}} images built on Alpine Linux, {{site.mesh_product_name}} also ships with images based on the [Red Hat Universal Base Image (UBI)](https://developers.redhat.com/products/rhel/ubi). - -{{site.mesh_product_name}} UBI images are distributed with all standard images, but with the `ubi-` prefix: - -* [kuma-dp UBI Image](https://hub.docker.com/r/kong/ubi-kuma-dp) -* [kuma-cp UBI Image](https://hub.docker.com/r/kong/ubi-kuma-cp) -* [kumactl UBI Image](https://hub.docker.com/r/kong/ubi-kumactl) -* [kuma-init UBI Image](https://hub.docker.com/r/kong/ubi-kuma-init) -* [kuma-prometheus-sd UBI Image](https://hub.docker.com/r/kong/ubi-kuma-prometheus-sd) - -The base UBI variant for all images is `ubi-minimal`. - -## Usage - -To use UBI images, you need to explicitly pass them when the control plane is installed: - -{% navtabs %} -{% navtab kumactl %} -```sh -kumactl install control plane \ - --control-plane-repository=ubi-kuma-cp \ - --dataplane-init-repository=ubi-kuma-init \ - --dataplane-repository=ubi-kuma-dp -``` -{% endnavtab %} -{% navtab Helm %} -```sh -helm install kong-mesh \ - --namespace kong-mesh-system \ - --set kuma.controlPlane.image.repository=ubi-kuma-cp \ - --set kuma.dataPlane.image.repository=ubi-kuma-dp \ - --set kuma.dataPlane.image.repository=ubi-kuma-dp \ - --set kuma.dataPlane.initImage.repository=ubi-kuma-dp \ - --set kuma.kumactl.image.repository=ubi-kumactl \ - kong-mesh/kong-mesh -``` -{% endnavtab %} -{% endnavtabs %}
diff --git a/app/mesh/1.6.x/features/vault.md b/app/mesh/1.6.x/features/vault.md
deleted file mode 100644
index cd09f0896ede..000000000000
--- a/app/mesh/1.6.x/features/vault.md
+++ /dev/null 
@@ -1,286 +0,0 @@ ---- -title: Kong Mesh - Vault Policy ---- - -## Vault CA Backend - -The default [mTLS policy in Kuma](https://kuma.io/docs/latest/policies/mutual-tls/) -supports the following backends: - -* `builtin`: {{site.mesh_product_name}} automatically generates the Certificate -Authority (CA) root certificate and key that will be used to generate the data -plane certificates. -* `provided`: the CA root certificate and key can be provided by the user. - -{{site.mesh_product_name}} adds: - -* `vault`: {{site.mesh_product_name}} generates data plane certificates -using a CA root certificate and key stored in a HashiCorp Vault -server. - -## Vault mode - -In `vault` mTLS mode, {{site.mesh_product_name}} communicates with the HashiCorp Vault PKI, -which generates the data plane proxy certificates automatically. -{{site.mesh_product_name}} does not retrieve private key of the CA to generate data plane proxy certificates, -which means that private key of the CA is secured by Vault and not exposed to third parties. - -In `vault` mode, you point {{site.mesh_product_name}} to the -Vault server and provide the appropriate credentials. {{site.mesh_product_name}} -uses these parameters to authenticate the control plane and generate the -data plane certificates. - -When {{site.mesh_product_name}} is running in `vault` mode, the backend communicates with Vault and ensures -that Vault's PKI automatically issues data plane certificates and rotates them for -each proxy. - -If {{site.mesh_product_name}} is configured to authenticate to Vault using a renewable token, -it will handle keeping the token renewed. - -### Configure Vault - -The `vault` mTLS backend expects a configured PKI and role for generating data plane proxy certificates. - -The following steps show how to configure Vault for {{site.mesh_product_name}} with a mesh named -`default`. For your environment, replace `default` with the appropriate mesh name. - -#### Step 1. 
Configure the Certificate Authority - -{{site.mesh_product_name}} works with a Root CA or an Intermediate CA. - -{% navtabs %} -{% navtab Root CA %} - -Create a new PKI for the `default` Mesh called `kmesh-pki-default`: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate a new Root Certificate Authority for the `default` Mesh: - -```sh -vault secrets tune -max-lease-ttl=87600h kmesh-pki-default -``` - -```sh -vault write -field=certificate kmesh-pki-default/root/generate/internal \ - common_name="{{site.mesh_product_name}} Default" \ - uri_sans="spiffe://default" \ - ttl=87600h -``` - -{% endnavtab %} -{% navtab Intermediate CA %} - -Create a new Root Certificate Authority and save it to a file called `ca.pem`: - -```sh -vault secrets enable pki -``` - -```sh -vault secrets tune -max-lease-ttl=87600h pki -``` - -```sh -vault write -field=certificate pki/root/generate/internal \ - common_name="Organization CA" \ - ttl=87600h > ca.pem -``` - -You can also use your current Root CA, retrieve the PEM-encoded certificate, and save it to `ca.pem`. - -Create a new PKI for the `default` Mesh: - -```sh -vault secrets enable -path=kmesh-pki-default pki -``` - -Generate the Intermediate CA for the `default` Mesh: - -```sh -vault write -format=json kmesh-pki-default/intermediate/generate/internal \ - common_name="{{site.mesh_product_name}} Mesh Default" \ - uri_sans="spiffe://default" \ - | jq -r '.data.csr' > pki_intermediate.csr -``` - -Sign the Intermediate CA with the Root CA. Make sure to pass the right path for the PKI that has the Root CA. -In this example, the path value is `pki`: - -```sh -vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \ - format=pem_bundle \ - ttl="43800h" \ - | jq -r '.data.certificate' > intermediate.cert.pem -``` - -Set the certificate of signed Intermediate CA to the `default` Mesh PKI. 
You must include the public certificate of the Root CA -so that data plane proxies can verify the certificates: - -```sh -cat intermediate.cert.pem > bundle.pem -echo "" >> bundle.pem -cat ca.pem >> bundle.pem -vault write kmesh-pki-default/intermediate/set-signed certificate=@bundle.pem -``` - -{% endnavtab %} -{% endnavtabs %} - -#### Step 2. Create a role for generating data plane proxy certificates: - -```sh -vault write kmesh-pki-default/roles/dataplane-proxies \ - allowed_uri_sans="spiffe://default/*,kuma://*" \ - key_usage="KeyUsageKeyEncipherment,KeyUsageKeyAgreement,KeyUsageDigitalSignature" \ - ext_key_usage="ExtKeyUsageServerAuth,ExtKeyUsageClientAuth" \ - client_flag=true \ - require_cn=false \ - allowed_domains="mesh" \ - allow_subdomains=true \ - basic_constraints_valid_for_non_ca=true \ - max_ttl="720h" \ - ttl="720h" -``` - -{:.note} -> **Note:** Use the `allowed_domains` and `allow_subdomains` parameters -**only** when `commonName` is set in the mTLS Vault backend. - -#### Step 3. Create a policy to use the new role: - -```sh -cat > kmesh-default-dataplane-proxies.hcl <<- EOM -path "/kmesh-pki-default/issue/dataplane-proxies" -{ - capabilities = ["create", "update"] -} -EOM -vault policy write kmesh-default-dataplane-proxies kmesh-default-dataplane-proxies.hcl -``` - -#### Step 4. Create a Vault token: - -```sh -vault token create -format=json -policy="kmesh-default-dataplane-proxies" | jq -r ".auth.client_token" -``` - -The output should print a Vault token that you then provide as the `conf.fromCp.auth.token` value of the `Mesh` object. - -{:.note} -> **Note:** There are some failure modes where the `vault` CLI still returns a token -even though an error was encountered and the token is invalid. For example, if the -policy creation fails in the previous step, then the `vault token create` command -both returns a token and exposes an error. 
In such situations, using `jq` to parse -the output hides the error message provided in the `vault` CLI output. Manually -parse the output instead of using `jq` so that the full output of the `vault` CLI -command is available. - -### Configure Mesh - -`kuma-cp` communicates directly with Vault. To connect to -Vault, you must provide credentials in the configuration of the `mesh` object of `kuma-cp`. - -You can authenticate with the `token` or with client certificates by providing `clientKey` and `clientCert`. - -You can provide these values inline for testing purposes only, as a path to a file on the -same host as `kuma-cp`, or contained in a `secret`. When using a `secret`, it should be a mesh-scoped -secret (see [the Kuma Secrets documentation](https://kuma.io/docs/1.6.x/security/secrets/) for details -on mesh-scoped secrets versus global secrets). On Kubernetes, this mesh-scoped secret should be stored -in the system namespace (`kong-mesh-system` by default) and should be configured as `type: system.kuma.io/secret`. - -Here's an example of a configuration with a `vault`-backed CA: - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: Mesh -metadata: - name: default -spec: - mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 1d # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - pki: kmesh-pki-default # name of the configured PKI - role: dataplane-proxies # name of the role that will be used to generate data plane proxy certificates - commonName: {% raw %}'{{ tag "kuma.io/service" }}.mesh'{% endraw %} # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. 
- - tls: # options for connecting to Vault via TLS - skipVerify: false # if set to true, caCert is optional, should only be used in development - caCert: # caCert is used to verify the TLS certificate presented by Vault - secret: sec-1 # one of secret, inline, or inlineString - serverName: "" # optional. The SNI to use when connecting to Vault - - auth: # how to authenticate Kong Mesh when connecting to Vault - token: - secret: token-1 # one of secret, inline, or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inline - clientCert: - file: /tmp/cert.pem # can be file, secret or inlineString -``` - -Apply the configuration with `kubectl apply -f [..]`. - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: Mesh -name: default -mtls: - enabledBackend: vault-1 - backends: - - name: vault-1 - type: vault - dpCert: - rotation: - expiration: 24h # must be lower than max_ttl in Vault role - conf: - fromCp: - address: https://vault.8200 - agentAddress: "" # optional - namespace: "" # optional - pki: kmesh-pki-default # name of the configured PKI - role: dataplane-proxies # name of the role that will be used to generate data plane proxy certificates - commonName: {% raw %}'{{ tag "kuma.io/service" }}.mesh'{% endraw %} # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. - tls: - caCert: - secret: sec-1 - skipVerify: false # if set to true, caCert is optional. Set to true only for development - serverName: "" # verify sever name - auth: # only one auth options is allowed so it's either "token" or "tls" - token: - secret: token-1 # can be file, secret or inlineString - tls: - clientKey: - secret: sec-2 # can be file, secret or inlineString - clientCert: - file: /tmp/cert.pem # can be file, secret or inline -``` - -Apply the configuration with `kumactl apply -f [..]`, or with the [HTTP API](https://kuma.io/docs/latest/reference/http-api). 
- -{% endnavtab %} -{% endnavtabs %} - -## Multi-zone and Vault - -In a multi-zone environment, the global control plane provides the `Mesh` to the zone control planes. However, you must make sure that each zone control plane communicates with Vault over the same address. This is because certificates for data plane proxies are issued from the zone control plane, not from the global control plane. - -You must also make sure the global control plane communicates with Vault. When a new Vault backend is configured, {{site.mesh_product_name}} validates the connection by issuing a test certificate. In a multi-zone environment, validation is performed on the global control plane.
diff --git a/app/mesh/1.6.x/gettingstarted.md b/app/mesh/1.6.x/gettingstarted.md
deleted file mode 100644
index 7670b617cc9a..000000000000
--- a/app/mesh/1.6.x/gettingstarted.md
+++ /dev/null 
@@ -1,44 +0,0 @@
----
-title: Getting Started with Kong Mesh
----
-
-## Getting Started
-
-{{site.mesh_product_name}} — built on top of CNCF's Kuma and Envoy —
- tries to be as close as possible to the usage of Kuma itself, while providing
- drop-in binary replacements for both the control plane and data plane
- executables.
-
-You can download the {{site.mesh_product_name}} binaries from the
-[official installation page](/mesh/{{page.release}}/install), then follow
-[Kuma's official documentation](https://kuma.io/docs){:target="_blank"} to start using the product.
-
-{:.note}
-Kuma, a donated CNCF project, was originally created by Kong, which is
-currently maintaining both the project and the documentation.
-
-## 1. Installing {{site.mesh_product_name}}
-
-Download and install {{site.mesh_product_name}} from the
-[official installation page](/mesh/{{page.release}}/install).
-
-## 2. Getting Started
-
-After you install, follow the Kuma getting started guide to get
-{{site.mesh_product_name}} up and running:
-
-* [Getting started with Kubernetes](https://kuma.io/docs/latest/quickstart/kubernetes/){:target="_blank"}
-* [Getting started with Universal](https://kuma.io/docs/latest/quickstart/universal/){:target="_blank"}
-
-## 3. Learn more
-
-* Read the [Kuma documentation](https://kuma.io/docs/){:target="_blank"}
-* Learn about enterprise features:
- * [Support for HashiCorp Vault CA](/mesh/{{page.release}}/features/vault/)
- * [Support for Open Policy Agent](/mesh/{{page.release}}/features/opa/)
- * [Multi-zone authentication](/mesh/{{page.release}}/features/kds-auth/)
- * [Support for FIPS](/mesh/{{page.release}}/features/fips-support/)
- * [Certificate Authority rotation](/mesh/{{page.release}}/features/ca-rotation/)
-
-If you are a {{site.mesh_product_name}} customer, you can also open a support
-ticket with any questions or feedback you may have.
diff --git a/app/mesh/1.6.x/index.md b/app/mesh/1.6.x/index.md
deleted file mode 100644
index 3ae2a85706c4..000000000000
--- a/app/mesh/1.6.x/index.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-title: Kong Mesh
-subtitle: A modern control plane built on top of Envoy and focused on simplicity, security, and scalability
----
-
-{:.note}
-> **Demo**: To see {{site.mesh_product_name}} in action, you can
-[request a demo](https://konghq.com/request-demo-kong-mesh/) and
-we will get in touch with you.
-
-Welcome to the official documentation for {{site.mesh_product_name}}!
-
-{{site.mesh_product_name}} is an enterprise-grade service mesh that runs on
-both Kubernetes and VMs on any cloud. Built on top of CNCF's
-[Kuma](https://kuma.io) and Envoy and focused on simplicity,
-{{site.mesh_product_name}} enables the microservices transformation with:
-* Out-of-the-box service connectivity and discovery
-* Zero-trust security
-* Traffic reliability
-* Global observability across all traffic, including cross-cluster deployments
-
-{{site.mesh_product_name}} extends Kuma and Envoy with enterprise features and
-support, while providing native integration with
-[{{site.ee_product_name}}](https://konghq.com/products/api-gateway-platform) for a
-full-stack connectivity platform for all of your services and APIs, across
-every cloud and environment.
-
-{:.note}
-> Kuma itself was originally created by Kong and donated to CNCF to
-provide the first neutral Envoy-based service mesh to the industry. Kong
-still maintains and develops Kuma, which is the foundation for
-{{site.mesh_product_name}}.
-
- -
- {{site.mesh_product_name}} extends CNCF's Kuma and Envoy to provide an - enterprise-grade service mesh with unique features in the service mesh - landscape, while still relying on a neutral foundation. -
-
-{{site.mesh_product_name}} provides a unique combination of strengths and
-features in the service mesh ecosystem, specifically designed for the enterprise
-architect, including:
-
-* **Universal** support for both Kubernetes and VM-based services.
-* **Single and Multi Zone** deployments to support multi-cloud and multi-cluster
- environments with global/remote control plane modes, automatic Ingress
- connectivity, and service discovery.
-* **Multi-Mesh** to create as many service meshes as we need, using one cluster
- with low operational costs.
-* **Easy to install and use** and turnkey, by abstracting away all the
-complexity of running a service mesh with easy-to-use policies for managing
-services and traffic.
-* **Full-Stack Connectivity** by natively integrating with Kong and
-{{site.ee_product_name}} for end-to-end connectivity that goes from the API
-gateway to the service mesh.
-* **Powered by Kuma and Envoy** to provide a modern and reliable CNCF
-open source foundation for an enterprise service mesh.
-
-When used in combination with {{site.ee_product_name}}, {{site.mesh_product_name}}
-provides a full stack connectivity platform for all of our L4-L7 connectivity,
-for both edge and internal API traffic.
-
- -
- Two different applications - "Banking" and "Trading" - run in their - own meshes "A" and "B" across different data centers. In this example, - {{site.base_gateway}} is being used both for edge communication and for internal - communication between meshes. -
-
-## Why {{site.mesh_product_name}}? {#why-kong-mesh}
-
-Organizations are transitioning to distributed software architectures to
-support and accelerate innovation, gain digital revenue, and reduce costs.
-A successful transition to microservices requires many pieces to fall into
-place: that services are connected reliably with minimal latency,
-that they are protected with end-to-end security, that they are discoverable
-and fully observable. However, this presents challenges due to the need to
-write custom code for security and identity, a lack of granular telemetry,
-and insufficient traffic management capabilities, especially as the number of
-services grows.
-
-Leading organizations are looking to service meshes to address these challenges
-in a scalable and standardized way. With a service mesh, you can:
-
-* **Ensure service connectivity, discovery, and traffic reliability**: Apply
-out-of-box traffic management to intelligently route traffic across any
-platform and any cloud to meet expectations and SLAs.
-* **Achieve Zero-Trust Security**: Restrict access by default, encrypt all
-traffic, and only complete transactions when identity is verified.
-* **Gain Global Traffic Observability**: Gain a detailed understanding of your
-service behavior to increase application reliability and the efficiency of
-your teams.
-
-{{site.mesh_product_name}} is the universal service mesh for enterprise
-organizations focused on simplicity and scalability with Kuma and Envoy.
-Kong’s service mesh is unique in that it allows you to:
-
-* **Start, secure, and scale with ease**:
- * Deploy a turnkey service mesh with a single command.
- * Group services by attributes to efficiently apply policies.
- * Manage multiple service meshes as tenants of a single control plane to
- provide scale and reduce operational costs.
-* **Run anywhere**:
- * Deploy the service mesh across any environment, including multi-cluster,
- multi-cloud, and multi-platform.
- * Manage service meshes natively in Kubernetes using CRDs, or start with a
- service mesh in a VM environment and migrate to Kubernetes at your own pace.
-* **Connect services end-to-end**:
- * Integrate into the {{site.ee_product_name}} platform for full stack connectivity,
- including Ingress and Egress traffic for your service mesh.
- * Expose mesh services for internal or external consumption and manage the
- full lifecycle of APIs.
-
-Thanks to the underlying Kuma runtime, with {{site.mesh_product_name}}, you
-can easily support multiple clusters, clouds, and architectures using the
-multi-zone capability that ships out of the box. This — combined with
-multi-mesh support — lets you create a service mesh powered by an Envoy proxy
-for the entire organization in just a few steps. You can do this for both
-simple and distributed deployments, including multi-cloud, multi-cluster, and
-hybrid Kubernetes/VMs:
-
- -
- {{site.mesh_product_name}} can support multiple zones (like a Kubernetes - cluster, VPC, data center, etc.) together in the same distributed deployment. - Then, you can create multiple isolated virtual meshes with the same - control plane in order to support every team and application in the - organization. -
-
-
-[Learn more](/mesh/latest/production/deployment/) about the
-standalone and multi-zone deployment modes in the Kuma documentation.
-
-## Support policy
-Kong primarily follows a [semantic versioning](https://semver.org/) (SemVer)
-model for its products.
-
-For the latest version support information for
-{{site.mesh_product_name}}, see our [version support policy](/mesh/latest/support-policy/).
diff --git a/app/mesh/1.6.x/install.md b/app/mesh/1.6.x/install.md
deleted file mode 100644
index 4d94338b7c76..000000000000
--- a/app/mesh/1.6.x/install.md
+++ /dev/null
@@ -1,117 +0,0 @@ ---- -title: Install Kong Mesh -disable_image_expand: true ---- - -## Install {{site.mesh_product_name}} - -{{site.mesh_product_name}} is built on top of Kuma and Envoy. To create a -seamless experience, {{site.mesh_product_name}} follows the same installation -and configuration procedures as Kuma, but with {{site.mesh_product_name}}-specific binaries. - -On this page, you will find access to the official {{site.mesh_product_name}} -distributions that provide a drop-in replacement to Kuma's native binaries, plus -links to cloud marketplace integrations. - -**The latest {{site.mesh_product_name}} version is -{{page.kong_latest.version}}.** - -{% navtabs %} -{% navtab Containerized %} - - - -{% endnavtab %} -{% navtab Operating Systems %} - - - -{% endnavtab %} -{% endnavtabs %} - -## Licensing - -Your {{site.mesh_product_name}} license includes an expiration date and the number of data plane proxies you can deploy. If you deploy more proxies than your license allows, you receive a warning. - -You have a 30-day grace period after the license expires. Make sure to renew your license before the grace period ends. - -## Check version - -To confirm that you have installed the right version of -{{site.mesh_product_name}}, run the following commands and -make sure the version output starts with the `{{site.mesh_product_name}}` -prefix: - -```sh -$ kumactl version -{{site.mesh_product_name}} [VERSION NUMBER] - -$ kuma-cp version -{{site.mesh_product_name}} [VERSION NUMBER] - -$ kuma-dp version -{{site.mesh_product_name}} [VERSION NUMBER] -``` diff --git a/app/mesh/1.6.x/installation/amazonlinux.md b/app/mesh/1.6.x/installation/amazonlinux.md deleted file mode 100644 index a0ce434228dd..000000000000 --- a/app/mesh/1.6.x/installation/amazonlinux.md +++ /dev/null 
@@ -1,53 +0,0 @@
----
-title: Kong Mesh with Amazon Linux
----
-
-{:.note}
-> If you want to use {{site.mesh_product_name}} on Amazon EKS, follow the
-[Kubernetes instructions](/mesh/{{page.release}}/installation/kubernetes/)
-instead.
-
-To install and run {{site.mesh_product_name}} on Amazon Linux (**x86_64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system and
-download the latest version of {{site.mesh_product_name}}:
-
-```sh
-$ yum install -y tar gzip
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-
-{% endnavtab %}
-{% navtab Manually %}
-
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz)
-the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include_cached /md/mesh/install-universal-run.md version=page.version %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.6.x/installation/centos.md b/app/mesh/1.6.x/installation/centos.md
deleted file mode 100644
index aa40af65efe0..000000000000
--- a/app/mesh/1.6.x/installation/centos.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Kong Mesh with CentOS
----
-
-To install and run {{site.mesh_product_name}} on CentOS (**x86_64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-{:.note}
-> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant
-build of Envoy. This build is only available on CentOS 8 and later. For any previous
-versions, use [Docker](/mesh/{{page.release}}/installation/docker/).
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system and
-download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-
-{% endnavtab %}
-{% navtab Manually %}
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz)
-the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include_cached /md/mesh/install-universal-run.md version=page.version %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.6.x/installation/debian.md b/app/mesh/1.6.x/installation/debian.md
deleted file mode 100644
index 9e204e1e4791..000000000000
--- a/app/mesh/1.6.x/installation/debian.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Kong Mesh with Debian
----
-
-To install and run {{site.mesh_product_name}} on Debian (**amd64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-Run the following script to automatically detect the operating system and
-download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-{% endnavtab %}
-{% navtab Manually %}
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz)
-the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include_cached /md/mesh/install-universal-run.md version=page.version %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.6.x/installation/docker.md b/app/mesh/1.6.x/installation/docker.md
deleted file mode 100644
index 473ccc7421f7..000000000000
--- a/app/mesh/1.6.x/installation/docker.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Kong Mesh with Docker
----
-
-To install and run {{site.mesh_product_name}} on Docker:
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-The official Docker images are used by default in the
-Kubernetes
-distributions.
-
-## Prerequisites
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-{{site.mesh_product_name}} provides the following Docker images for all of its
-executables, hosted on Docker Hub:
-
-* **kuma-cp**: at [`kong/kuma-cp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-cp)
-* **kuma-dp**: at [`kong/kuma-dp:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-dp)
-* **kumactl**: at [`kong/kumactl:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kumactl)
-* **kuma-prometheus-sd**: at [`kong/kuma-prometheus-sd:{{page.kong_latest.version}}`](https://hub.docker.com/r/kong/kuma-prometheus-sd)
-
-`docker pull` each image that you need. For example:
-
-```sh
-$ docker pull kong/kuma-cp:{{page.kong_latest.version}}
-```
-
-## 2. Run {{site.mesh_product_name}}
-
-Run the control plane with:
-
-```sh
-$ docker run \
- -p 5681:5681 \
- -v /path/to/license.json:/license.json \
- -e "KMESH_LICENSE_PATH=/license.json" \
- kong/kuma-cp:{{page.kong_latest.version}} run
-```
-
-Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}}
-license file on the host that will be mounted as `/license.json` into the
-container.
-
-This example will run {{site.mesh_product_name}} in standalone mode for a _flat_
-deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/)
-like _multi-zone_.
-
-This runs {{site.mesh_product_name}} with a [memory backend](https://kuma.io/docs/latest/explore/backends/),
-but you can use a persistent storage like PostgreSQL by updating the `conf/kuma-cp.conf` file.
-
-## 3. Verify the Installation
-
-Now that {{site.mesh_product_name}} (`kuma-cp`) is running, you can access the
-control plane using either the GUI, the HTTP API, or the CLI:
-
-{% navtabs %}
-{% navtab GUI (Read-Only) %}
-{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to
-retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on
-the API port `5681`.
-
-To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681/gui` to see
-the GUI.
-
-{% endnavtab %}
-{% navtab HTTP API (Read & Write) %}
-
-{{site.mesh_product_name}} ships with a **read and write** HTTP API that you can
-use to perform operations on {{site.mesh_product_name}} resources. By default,
-the HTTP API listens on port `5681`.
-
-To access {{site.mesh_product_name}}, navigate to `127.0.0.1:5681` to see
-the HTTP API.
-
-{% endnavtab %}
-{% navtab kumactl (Read & Write) %}
-
-You can use the `kumactl` CLI to perform **read and write** operations on
-{{site.mesh_product_name}} resources. The `kumactl` binary is a client to
-the {{site.mesh_product_name}} HTTP API. For example:
-
-```sh
-$ docker run \
- --net="host" \
- kong/kumactl:{{page.kong_latest.version}} kumactl get meshes
-
-NAME mTLS METRICS LOGGING TRACING
-default off off off off
-```
-Or, you can enable mTLS on the `default` Mesh with:
-
-```sh
-$ echo "type: Mesh
- name: default
- mtls:
- enabledBackend: ca-1
- backends:
- - name: ca-1
- type: builtin" | docker run -i --net="host" \
- kong/kumactl:{{page.kong_latest.version}} kumactl apply -f -
-```
-
-This runs `kumactl` from the Docker
-container on the same network as the host, but most likely you want to download
-a compatible version of {{site.mesh_product_name}} for the machine where you
-will be executing the commands.
-
-See the individual installation pages for your OS to download and extract
-`kumactl` to your machine:
-* [CentOS](/mesh/{{page.release}}/installation/centos/)
-* [Red Hat](/mesh/{{page.release}}/installation/redhat/)
-* [Debian](/mesh/{{page.release}}/installation/debian/)
-* [Ubuntu](/mesh/{{page.release}}/installation/ubuntu/)
-* [macOS](/mesh/{{page.release}}/installation/macos/)
-
-{% endnavtab %}
-{% endnavtabs %}
-
-You will notice that {{site.mesh_product_name}} automatically creates a `Mesh`
-entity with the name `default`.
-
-## 4. Quickstart
-
-The Kuma quickstart documentation
-is fully compatible with {{site.mesh_product_name}}, except that you are
-running {{site.mesh_product_name}} containers instead of Kuma containers.
-
-To start using {{site.mesh_product_name}}, see the
-[quickstart guide for Universal deployments](https://kuma.io/docs/latest/quickstart/universal/).
-If you are entirely using Docker, you may also be interested in checking out the
-[Kubernetes quickstart](https://kuma.io/docs/latest/quickstart/kubernetes/) as well.
diff --git a/app/mesh/1.6.x/installation/ecs.md b/app/mesh/1.6.x/installation/ecs.md
deleted file mode 100644
index a5c607305c5b..000000000000
--- a/app/mesh/1.6.x/installation/ecs.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: Kong Mesh on Amazon ECS
----
-
-This page describes running {{site.mesh_product_name}} on ECS and offers guidelines
-for integrating {{site.mesh_product_name}} into your deployment process.
-
-For a demo of {{site.mesh_product_name}} on ECS, see the [example repository for Cloudformation](https://github.com/Kong/kong-mesh-ecs).
-This demo covers bootstrapping an ECS cluster from scratch, deploying {{site.mesh_product_name}}, and deploying some services into the mesh.
-
-## Overview
-
-On ECS, {{site.mesh_product_name}} runs in Universal mode. Every ECS task runs with an Envoy sidecar.
-{{site.mesh_product_name}} supports tasks on the following launch types:
-
-- Fargate
-- EC2
-
-The control plane itself also runs as an ECS service in the cluster.
-
-### Data plane tokens
-
-As part of joining and synchronizing with the mesh, every sidecar needs to authenticate with
-the control plane. On {{site.mesh_product_name}}, this is accomplished by using a data plane token.
-Typically on Universal mode, creating and managing data plane tokens is a manual step for the mesh operator.
-However, {{site.mesh_product_name}} on ECS handles automatically provisioning data plane tokens for your services.
-
-An additional ECS token controller runs in the cluster with permissions to use
-the {{site.mesh_product_name}} API to create data plane tokens and put them in AWS secrets.
-
-New ECS services are given access to an AWS secret. When they
-join the cluster, the controller requests a new data plane token scoped to that service.
-
-### Mesh communication
-
-With {{site.mesh_product_name}} on ECS, each service enumerates
-other services it contacts in the mesh and
-[exposes them in `Dataplane` specification](https://kuma.io/docs/1.6.x/reference/dpp-specification/).
-
-## Deployment
-
-This section covers ECS-specific parts of running {{site.mesh_product_name}}, using the
-[example Cloudformation](https://github.com/Kong/kong-mesh-ecs) as a guide.
-
-### {{site.mesh_product_name}} control plane
-
-{{site.mesh_product_name}} runs in Universal mode on ECS. The example setup repository uses an AWS RDS
-database as a PostgreSQL backend. It also uses ECS service discovery to enable ECS
-tasks to communicate with {{site.mesh_product_name}} the control plane.
-
-The example Cloudformation includes two Cloudformation stacks for
-[creating a cluster](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/vpc.yaml) and
-[deploying {{site.mesh_product_name}}](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/controlplane.yaml)
-
-### {{site.mesh_product_name}} ECS controller
-
-The controller is published as a docker image
-`docker.io/kong/kong-mesh-ecs-controller:0.1.0`.
-
-#### API permissions
-
-To generate data plane tokens, the controller
-needs to authenticate with the {{site.mesh_product_name}} API and be authorized to create
-new data plane tokens.
-
-The example repository [launches the control plane with two additional containers](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/controlplane.yaml#L358-L387)
-that handle fetching this global secret and
-[covers bootstrapping this controller and running it as an ECS task](https://github.com/Kong/kong-mesh-ecs/blob/main/README.md#ecs-controller).
-
-Any option that enables operators to query the API from `localhost` (for
-example, an SSH container in the task) can extract the admin token.
-
-After `kumactl` is configured with the control plane, you can generate a new user
-token for the controller with `kumactl generate user-token`. For example:
-
-```
-kumactl generate user-token --name ecs-controller --group mesh-system:admin --valid-for 8766h
-```
-
-Configure the controller using the environment variables:
-
-- `KUMA_API_TOKEN`: the API token
-- `KUMA_API_CA_BYTES`: the CA used to verify the TLS certificates presented by the API.
- We recommend communicating with the {{site.mesh_product_name}} API over TLS (served on port `5682` by default).
-
-#### IAM permissions
-
-The controller uses the AWS API. The ECS task role must be authorized to perform the following actions:
-
-- `ecs:ListTasks` and `ecs:DescribeTasks`
-- `secretsmanager:GetSecretValue` and `secretsmanager:PutSecretValue`
-
-These permissions can be further restricted by including a `Resource` or `Condition` in
-the IAM policy statements. To make this easier, the controller supports the `--secret-name-prefix`
-command line switch to prefix the names of the AWS secrets under which it saves tokens.
-
-## Services
-
-When deploying an ECS task to be included in the mesh, the following must be
-considered.
-
-### Outbounds
-
-Services are bootstrapped with a `Dataplane` specification.
-
-Transparent proxy is not supported on ECS, so the `Dataplane` resource for a
-service must enumerate all other mesh services this service contacts and include them
-[in the `Dataplane` specification as `outbounds`](https://kuma.io/docs/1.6.x/reference/dpp-specification).
-
-See the example repository to learn
-[how to handle the `Dataplane` template with Cloudformation](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/counter-demo/demo-app.yaml#L30-L46).
-
-### `kuma.io/service` tag
-
-Every ECS task must be tagged with the `kuma.io/service` tag so that
-the controller includes the task in the mesh. The ECS task
-authenticates to the mesh as this service. The tag value should match the
-`kuma.io/service` value in the `Dataplane` resource.
-
-### Sidecar
-
-The sidecar must run as a container in the ECS task. It must also run with the AWS secret
-that holds the data plane token created by the ECS controller.
-
-The controller _does not create_ the secret, it only puts and gets it. The
-AWS secret should be created and destroyed by the same mechanism that creates the
-ECS service (for example, a Cloudformation stack).
-
-See the example repository for [an example container
-definition](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/counter-demo/demo-app.yaml#L205-L243).
-
-#### Initialization
-
-When a task starts, the following happens:
-
-1. The task requests the `token` JSON key from an existing AWS secret.
-1. Initially, the secret does not contain this key and ECS continues
- trying to create the task.
-1. Shortly after the task is created, while it's in the retry loop, the ECS
- controller sees the task and checks whether `token` exists in the corresponding secret.
-1. The controller sees an empty secret and generates a new data plane token via the
- mesh API, saving the result as `token` in the secret.
-1. Finally, ECS is able to fetch the `token` value and starts the task successfully.
diff --git a/app/mesh/1.6.x/installation/helm.md b/app/mesh/1.6.x/installation/helm.md
deleted file mode 100644
index fa58d4fd3aa9..000000000000
--- a/app/mesh/1.6.x/installation/helm.md
+++ /dev/null
@@ -1,187 +0,0 @@
----
-title: Kong Mesh with Helm
----
-
-To install and run {{site.mesh_product_name}} on Kubernetes using Helm:
-
-1. [Add the {{site.mesh_product_name}} Helm Repository](#1-add-the-kong-mesh-helm-repository)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Add the {{site.mesh_product_name}} Helm Repository
-
-To start using {{site.mesh_product_name}} with Helm charts, first add the
-{{site.mesh_product_name}} charts repository to your local Helm deployment:
-
-```sh
-$ helm repo add kong-mesh https://kong.github.io/kong-mesh-charts
-```
-
-Once the repo is added, any following updates can be fetched with
-`helm repo update`.
-
-## 2. Run {{site.mesh_product_name}}
-
-Install and run {{site.mesh_product_name}} using the following commands.
-You can use any Kubernetes namespace to install {{site.mesh_product_name}}, but as a default, we
-suggest `kong-mesh-system`.
-
-1. Create the `kong-mesh-system` namespace:
-
- ```sh
- $ kubectl create namespace kong-mesh-system
- ```
-
-2. Upload the license secret to the cluster:
-
- ```sh
- $ kubectl create secret generic kong-mesh-license -n kong-mesh-system --from-file=/path/to/license.json
- ```
-
- Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}}
- license file on the file system.
-
- The filename should be license.json, unless otherwise specified in values.yaml.
-
-3. Deploy the {{site.mesh_product_name}} Helm chart.
-
- By default, the license option is disabled, so you need to enable it for the license to take effect.
- The easiest option is to override each field on the CLI.
The only
- downside to this method is that you need to supply these values every time you run a
- `helm upgrade`, otherwise they will be reverted back to what the chart's default values are
- for those fields, i.e. disabled.
-
- ```sh
- $ helm repo update
- $ helm upgrade -i -n kong-mesh-system kong-mesh kong-mesh/kong-mesh \
- --set kuma.controlPlane.secrets[0].Env="KMESH_LICENSE_INLINE" \
- --set kuma.controlPlane.secrets[0].Secret="kong-mesh-license" \
- --set kuma.controlPlane.secrets[0].Key="license.json"
- ```
-
- This example will run {{site.mesh_product_name}} in standalone mode for a _flat_
- deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/)
- like _multi-zone_.
-
- You can see all possible parameters of the charts by running `helm show values kong-mesh/kong-mesh`.
- The Kong-Mesh chart has the Kuma chart as a [helm dependency](https://helm.sh/docs/helm/helm_dependency/) any value present in `helm show values kuma/kuma` is available by prepending it with: `kuma`.
-
- For example, see the following `values.yaml` snippet:
- ```yaml
- kuma:
- controlPlane:
- zone: "us-west"
- mode: "zone"
- ```
- This will configure the control-plane as the zone "us-west" in `zone` mode.
-
-## 3. Verify the Installation
-
-Now that {{site.mesh_product_name}} (`kuma-cp`) has been installed in the newly
-created `kong-mesh-system` namespace, you can access the control plane using either
-the GUI, `kubectl`, the HTTP API, or the CLI:
-
-{% navtabs %}
-{% navtab GUI (Read-Only) %}
-{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to
-retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on
-the API port `5681`.
-
-To access {{site.mesh_product_name}}, port-forward the API service with:
-
-```sh
-$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
-```
-
-Now you can navigate to `127.0.0.1:5681/gui` to see the GUI.
-
-{% endnavtab %}
-{% navtab kubectl (Read & Write) %}
-You can use {{site.mesh_product_name}} with `kubectl` to perform
-**read and write** operations on {{site.mesh_product_name}} resources. For
-example:
-
-```sh
-$ kubectl get meshes
-
-NAME AGE
-default 1m
-```
-
-Or, you can enable mTLS on the `default` Mesh with:
-
-```sh
-$ echo "apiVersion: kuma.io/v1alpha1
- kind: Mesh
- metadata:
- name: default
- spec:
- mtls:
- enabledBackend: ca-1
- backends:
- - name: ca-1
- type: builtin" | kubectl apply -f -
-```
-
-{% endnavtab %}
-{% navtab HTTP API (Read-Only) %}
-
-{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use
-to retrieve {{site.mesh_product_name}} resources. By default,
-the HTTP API listens on port `5681`.
-
-To access {{site.mesh_product_name}}, port-forward the API service with:
-
-```sh
-$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
-```
-
-Now you can navigate to `127.0.0.1:5681` to see the HTTP API.
-
-{% endnavtab %}
-{% navtab kumactl (Read-Only) %}
-
-You can use the `kumactl` CLI to perform **read-only** operations on
-{{site.mesh_product_name}} resources. The `kumactl` binary is a client to
-the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API
-service with:
-
-```sh
-$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
-```
-
-Then run `kumactl`. For example:
-
-```sh
-$ kumactl get meshes
-
-NAME mTLS METRICS LOGGING TRACING
-default off off off off
-```
-
-You can configure `kumactl` to point to any remote `kuma-cp` instance by running:
-
-```
-$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681
-```
-
-{% endnavtab %}
-{% endnavtabs %}
-
-You will notice that {{site.mesh_product_name}} automatically creates a `Mesh`
-entity with the name `default`.
-
-## 4.
Quickstart
-
-The Kuma quickstart documentation
-is fully compatible with {{site.mesh_product_name}}, except that you are
-running {{site.mesh_product_name}} containers instead of Kuma containers.
-
-To start using {{site.mesh_product_name}}, see the
-[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.6.x/quickstart/kubernetes/).
diff --git a/app/mesh/1.6.x/installation/kubernetes.md b/app/mesh/1.6.x/installation/kubernetes.md
deleted file mode 100644
index 10b858d7e7cf..000000000000
--- a/app/mesh/1.6.x/installation/kubernetes.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: Kong Mesh with Kubernetes
----
-
-To install and run {{site.mesh_product_name}} on Kubernetes:
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-Download a compatible version of {{site.mesh_product_name}} for the machine from which you
-will be executing the commands.
-
-{% navtabs %}
-{% navtab Script %}
-
-You can run the following script to automatically detect the operating system
-and download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-
-{% endnavtab %}
-{% navtab Manually %}
-
-You can also download the distribution manually. 
Download a distribution for -the client host from the machine where you plan to run the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -Then, run the control plane with: - -```sh -$ kumactl install control-plane --license-path=/path/to/license.json | kubectl apply -f - -``` - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can create a link -in `/usr/local/bin/` by running: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -It may take a while for Kubernetes to start the -{{site.mesh_product_name}} resources. 
You can check the status by executing: - -```sh -$ kubectl get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -You can access the control plane using either -the GUI, `kubectl`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681/gui` to see the GUI. - -{% endnavtab %} -{% navtab kubectl (Read & Write) %} -You can use {{site.mesh_product_name}} with `kubectl` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ kubectl get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | kubectl apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. 
To use it, first port-forward the API -service with: - -```sh -$ kubectl port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -{{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -## 4. Quickstart - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.6.x/quickstart/kubernetes/). diff --git a/app/mesh/1.6.x/installation/macos.md b/app/mesh/1.6.x/installation/macos.md deleted file mode 100644 index 3c759fa1eaaf..000000000000 --- a/app/mesh/1.6.x/installation/macos.md +++ /dev/null 
@@ -1,55 +0,0 @@
----
-title: Kong Mesh with macOS
----
-
-To install and run {{site.mesh_product_name}} on macOS:
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-{:.important .no-icon}
-> FIPS compliance is not supported on macOS.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-To run {{site.mesh_product_name}} on macOS, you can choose from the following
-installation methods:
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system and
-download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-
-{% endnavtab %}
-{% navtab Manually %}
-
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz)
-the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include_cached /md/mesh/install-universal-run.md version=page.version %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.6.x/installation/openshift.md b/app/mesh/1.6.x/installation/openshift.md
deleted file mode 100644
index fbb289ee658c..000000000000
--- a/app/mesh/1.6.x/installation/openshift.md
+++ /dev/null
@@ -1,265 +0,0 @@
----
-title: Kong Mesh with OpenShift
----
-
-To install and run {{site.mesh_product_name}} on OpenShift:
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here
-and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-## 1. Download {{site.mesh_product_name}}
-
-To run {{site.mesh_product_name}} on OpenShift, you need to download a
-compatible version of {{site.mesh_product_name}} for the machine from which
-you will be executing the commands.
-
-{% navtabs %}
-{% navtab Script %}
-
-You can run the following script to automatically detect the operating system
-and download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-
-{% endnavtab %}
-{% navtab Manually %}
-
-You can also download the distribution manually. 
Download a distribution for -the **client host** from where you will be executing the commands to access -Kubernetes: - -* [CentOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-centos-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-centos-amd64.tar.gz) -* [Red Hat]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) -* [Debian]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-debian-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-debian-amd64.tar.gz) -* [Ubuntu]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) -* [macOS]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` - -{% endnavtab %} -{% endnavtabs %} - - -## 2. Run {{site.mesh_product_name}} - -Navigate to the `bin` folder: - -```sh -$ cd kong-mesh-{{page.version}}/bin -``` - -We suggest adding the `kumactl` executable to your `PATH` so that it's always -available in every working directory. Alternatively, you can also create a link -in `/usr/local/bin/` by executing: - -```sh -$ ln -s ./kumactl /usr/local/bin/kumactl -``` - -Then, run the control plane on OpenShift with: - -{% navtabs %} -{% navtab OpenShift 4.x %} - -```sh -kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f - -``` - -Starting from version 4.1, OpenShift uses `nftables` instead of `iptables`. So, -using init container for redirecting traffic to the proxy no longer works. -Instead, we use `kuma-cni`, which can be installed with the `--cni-enabled` flag. 
- -{% endnavtab %} -{% navtab OpenShift 3.11 %} - -By default, `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` are -disabled on OpenShift 3.11. - -To make them work, add the following `pluginConfig` into -`/etc/origin/master/master-config.yaml` on the master node: - -```yaml -admissionConfig: - pluginConfig: - MutatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission - ValidatingAdmissionWebhook: - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kubeConfigFile: /dev/null - kind: WebhookAdmission -``` - -After updating `master-config.yaml`, restart the cluster and install -`control-plane`: - -```sh -$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f - -``` - -{% endnavtab %} -{% endnavtabs %} - -Where `/path/to/license.json` is the path to a valid {{site.mesh_product_name}} -license file on the file system. - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -It may take a while for OpenShift to start the -{{site.mesh_product_name}} resources. You can check the status by running: - -```sh -$ oc get pod -n kong-mesh-system -``` - -## 3. Verify the Installation - -Now you can access the control plane with the GUI, `oc`, the HTTP API, or the CLI: - -{% navtabs %} -{% navtab GUI (Read-Only) %} -{{site.mesh_product_name}} ships with a **read-only** GUI that you can use to -retrieve {{site.mesh_product_name}} resources. By default, the GUI listens on -the API port `5681` and defaults to `:5681/gui`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Navigate to `127.0.0.1:5681/gui` to see the GUI. 
- -{% endnavtab %} -{% navtab oc (Read & Write) %} -You can use {{site.mesh_product_name}} with `oc` to perform -**read and write** operations on {{site.mesh_product_name}} resources. For -example: - -```sh -$ oc get meshes - -NAME AGE -default 1m -``` - -Or, you can enable mTLS on the `default` Mesh with: - -```sh -$ echo "apiVersion: kuma.io/v1alpha1 - kind: Mesh - metadata: - name: default - spec: - mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: builtin" | oc apply -f - -``` - -{% endnavtab %} -{% navtab HTTP API (Read-Only) %} - -{{site.mesh_product_name}} ships with a **read-only** HTTP API that you use -to retrieve {{site.mesh_product_name}} resources. By default, -the HTTP API listens on port `5681`. - -To access {{site.mesh_product_name}}, port-forward the API service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Now you can navigate to `127.0.0.1:5681` to see the HTTP API. - -{% endnavtab %} -{% navtab kumactl (Read-Only) %} - -You can use the `kumactl` CLI to perform **read-only** operations on -{{site.mesh_product_name}} resources. The `kumactl` binary is a client to -the {{site.mesh_product_name}} HTTP API. To use it, first port-forward the API -service with: - -```sh -$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681 -``` - -Then run `kumactl`. For example: - -```sh -$ kumactl get meshes - -NAME mTLS METRICS LOGGING TRACING -default off off off off -``` - -You can configure `kumactl` to point to any remote `kuma-cp` instance by running: - -``` -$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681 -``` - -{% endnavtab %} -{% endnavtabs %} - -Notice that {{site.mesh_product_name}} automatically creates a `Mesh` -entity with the name `default`. - -{{site.mesh_product_name}} explicitly specifies a UID -for the `kuma-dp` sidecar to avoid capturing traffic from -`kuma-dp` itself. 
You must grant a `nonroot` -[Security Context Constraint](https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) -to the application namespace: - -```sh -$ oc adm policy add-scc-to-group nonroot system:serviceaccounts: -``` - -If the namespace is not configured properly, you will see the following error -on the `Deployment` or `DeploymentConfig`: - -```sh -'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: -[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]' -``` - -## 4. Quickstart - -Congratulations! You have successfully installed {{site.mesh_product_name}}. - -Before running the Kuma Demo in the Quickstart guide, -run the following command: - -```sh -$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo -``` - -One of the components in the demo requires root access, therefore it uses the -`anyuid` instead of the `nonroot` permission. - -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers. - -To start using {{site.mesh_product_name}}, see the -[quickstart guide for Kubernetes deployments](https://kuma.io/docs/1.6.x/quickstart/kubernetes/). diff --git a/app/mesh/1.6.x/installation/redhat.md b/app/mesh/1.6.x/installation/redhat.md deleted file mode 100644 index 9e78739420c8..000000000000 --- a/app/mesh/1.6.x/installation/redhat.md +++ /dev/null 
@@ -1,49 +0,0 @@
----
-title: Kong Mesh with Red Hat
----
-
-To install and run {{site.mesh_product_name}} on Red Hat (**x86_64**):
-
-1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh)
-1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh)
-1. [Verify the Installation](#3-verify-the-installation)
-
-Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey.
-
-## Prerequisites
-
-You have a license for {{site.mesh_product_name}}.
-
-{:.note}
-> **Note:** {{site.mesh_product_name}} ships with a FIPS 140-2 compliant
-build of Envoy. This build is only available on Red Hat 8 and later. For any previous
-versions, use [Docker](/mesh/{{page.release}}/installation/docker/).
-
-## 1. Download {{site.mesh_product_name}}
-
-{% navtabs %}
-{% navtab Script %}
-
-Run the following script to automatically detect the operating system
-and download {{site.mesh_product_name}}:
-
-```sh
-$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh -
-```
-{% endnavtab %}
-{% navtab Manually %}
-You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-rhel-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-rhel-amd64.tar.gz) the distribution manually.
-
-Then, extract the archive with:
-
-```sh
-$ tar xvzf kong-mesh-{{page.version}}*.tar.gz
-```
-{% endnavtab %}
-{% endnavtabs %}
-
-{% include_cached /md/mesh/install-universal-run.md version=page.version %}
-
-{% include /md/mesh/install-universal-verify.md %}
-
-{% include /md/mesh/install-universal-quickstart.md %}
diff --git a/app/mesh/1.6.x/installation/ubuntu.md b/app/mesh/1.6.x/installation/ubuntu.md
deleted file mode 100644
index c3362b6ac348..000000000000
--- a/app/mesh/1.6.x/installation/ubuntu.md
+++ /dev/null
@@ -1,46 +0,0 @@ ---- -title: Kong Mesh with Ubuntu ---- - -To install and run {{site.mesh_product_name}} on Ubuntu (**amd64**): - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here and continue your {{site.mesh_product_name}} journey. - -## Prerequisites - -You have a license for {{site.mesh_product_name}}. - -## 1. Download {{site.mesh_product_name}} - -{% navtabs %} -{% navtab Script %} - -Run the following script to automatically detect the operating system and -download {{site.mesh_product_name}}: - -```sh -$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh - -``` -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-ubuntu-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-ubuntu-amd64.tar.gz) - the distribution manually. - -Then, extract the archive with: - -```sh -$ tar xvzf kong-mesh-{{page.version}}*.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -{% include_cached /md/mesh/install-universal-run.md version=page.version %} - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} diff --git a/app/mesh/1.6.x/installation/windows.md b/app/mesh/1.6.x/installation/windows.md deleted file mode 100644 index a64565f08170..000000000000 --- a/app/mesh/1.6.x/installation/windows.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -title: Kong Mesh with Windows ---- - -To install and run {{site.mesh_product_name}} on Windows: - -1. [Download {{site.mesh_product_name}}](#1-download-kong-mesh) -1. [Run {{site.mesh_product_name}}](#2-run-kong-mesh) -1. [Verify the Installation](#3-verify-the-installation) - -Finally, you can follow the [Quickstart](#4-quickstart) to take it from here -and continue your {{site.mesh_product_name}} journey. - -Tested on Windows 10 and Windows Server 2019. - -{:.note} -> **Note**: Transparent proxying is not supported on Windows. - -## 1. Download {{site.mesh_product_name}} - -To run {{site.mesh_product_name}} on Windows you can choose among different installation methods: - -{% navtabs %} -{% navtab PowerShell Script %} - -Run the following script in PowerShell to automatically detect the operating system and download {{site.mesh_product_name}}: - -```powershell -Invoke-Expression ([System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -Uri https://docs.konghq.com/mesh/installer.ps1).Content)) -``` - -{% endnavtab %} -{% navtab Manually %} - -You can also [download]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-windows-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-windows-amd64.tar.gz) -the distribution manually. - -Then extract the archive with: - -```powershell -tar xvzf kong-mesh-{{page.version}}-windows-amd64.tar.gz -``` -{% endnavtab %} -{% endnavtabs %} - -## 2. Run {{site.mesh_product_name}} - -Once downloaded, you will find the contents of {{site.mesh_product_name}} in the `kong-mesh-{{include.kong_latest.version}}` folder. In this folder, you will find — among other files — the bin directory that stores all the executables for {{site.mesh_product_name}}. 
- -Navigate to the `bin` folder: - -```powershell -cd kong-mesh-{{include.kong_latest.version}}/bin -``` - -Then, run the control plane with: - -```sh -$ KMESH_LICENSE_PATH=/path/to/file/license.json kuma-cp run -``` - -This example will run {{site.mesh_product_name}} in standalone mode for a _flat_ -deployment, but there are more advanced [deployment modes](/mesh/latest/production/deployment/) -like _multi-zone_. - -We suggest adding the `kumactl` executable to your `PATH` so that it's always available in every working directory (PowerShell as Administrator): - -```powershell -New-Item -ItemType SymbolicLink -Path C:\Windows\kumactl.exe -Target .\kumactl.exe -``` - -This runs {{site.mesh_product_name}} with a [memory backend](https://kuma.io/docs/latest/explore/backends/), -but you can use a persistent storage like PostgreSQL by updating the `conf/kuma-cp.conf` file. - -{% include /md/mesh/install-universal-verify.md %} - -{% include /md/mesh/install-universal-quickstart.md %} - diff --git a/app/mesh/1.6.x/patches/opa-policy.yaml b/app/mesh/1.6.x/patches/opa-policy.yaml deleted file mode 100644 index cc8b2e75cbf3..000000000000 --- a/app/mesh/1.6.x/patches/opa-policy.yaml +++ /dev/null 
@@ -1,392 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: opapolicies.kuma.io -spec: - group: kuma.io - names: - kind: OPAPolicy - plural: opapolicies - scope: Cluster - validation: - openAPIV3Schema: - description: OPAPolicy is the Schema for the opapolicy API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map stored with - a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' - type: object - clusterName: - description: The name of the cluster which the object belongs to. This - is used to distinguish resources with same name and namespace in different - clusters. This field is not set anywhere right now and apiserver is - going to ignore it if set in create or update request. - type: string - creationTimestamp: - description: "CreationTimestamp is a timestamp representing the server - time when this object was created. It is not guaranteed to be set - in happens-before order across separate operations. Clients may not - set this value. It is represented in RFC3339 form and is in UTC. 
\n - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - deletionGracePeriodSeconds: - description: Number of seconds allowed for this object to gracefully - terminate before it will be removed from the system. Only set when - deletionTimestamp is also set. May only be shortened. Read-only. - format: int64 - type: integer - deletionTimestamp: - description: "DeletionTimestamp is RFC 3339 date and time at which this - resource will be deleted. This field is set by the server when a graceful - deletion is requested by the user, and is not directly settable by - a client. The resource is expected to be deleted (no longer visible - from resource lists, and not reachable by name) after the time in - this field, once the finalizers list is empty. As long as the finalizers - list contains items, deletion is blocked. Once the deletionTimestamp - is set, this value may not be unset or be set further into the future, - although it may be shortened or the resource may be deleted prior - to this time. For example, a user may request that a pod is deleted - in 30 seconds. The Kubelet will react by sending a graceful termination - signal to the containers in the pod. After that 30 seconds, the Kubelet - will send a hard termination signal (SIGKILL) to the container and - after cleanup, remove the pod from the API. In the presence of network - partitions, this object may still exist after this timestamp, until - an administrator or automated process can determine the resource is - fully terminated. If not set, graceful deletion of the object has - not been requested. \n Populated by the system when a graceful deletion - is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - format: date-time - type: string - finalizers: - description: Must be empty before the object is deleted from the registry. 
- Each entry is an identifier for the responsible component that will - remove the entry from the list. If the deletionTimestamp of the object - is non-nil, entries in this list can only be removed. - items: - type: string - type: array - generateName: - description: "GenerateName is an optional prefix, used by the server, - to generate a unique name ONLY IF the Name field has not been provided. - If this field is used, the name returned to the client will be different - than the name passed. This value will also be combined with a unique - suffix. The provided value has the same validation rules as the Name - field, and may be truncated by the length of the suffix required to - make the value unique on the server. \n If this field is specified - and the generated name exists, the server will NOT return a 409 - - instead, it will either return 201 Created or 500 with Reason ServerTimeout - indicating a unique name could not be found in the time allotted, - and the client should retry (optionally after the time indicated in - the Retry-After header). \n Applied only if Name is not specified. - More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency" - type: string - generation: - description: A sequence number representing a specific generation of - the desired state. Populated by the system. Read-only. - format: int64 - type: integer - initializers: - description: "An initializer is a controller which enforces some system - invariant at object creation time. This field is a list of initializers - that have not yet acted on this object. If nil or empty, this object - has been completely initialized. Otherwise, the object is considered - uninitialized and is hidden (in list/watch and get calls) from clients - that haven't explicitly asked to observe uninitialized objects. \n - When an object is created, the system will populate this list with - the current set of initializers. Only privileged users may set or - modify this list. 
Once it is empty, it may not be modified further - by any user. \n DEPRECATED - initializers are an alpha field and will - be removed in v1.15." - properties: - pending: - description: Pending is a list of initializers that must execute - in order before this object is visible. When the last pending - initializer is removed, and no failing result is set, the initializers - struct will be set to nil and the object is considered as initialized - and visible to all clients. - items: - properties: - name: - description: name of the process that is responsible for initializing - this object. - type: string - required: - - name - type: object - type: array - result: - description: If result is set with the Failure field, the object - will be persisted to storage and then deleted, ensuring that other - clients can observe the deletion. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this - representation of an object. Servers should convert recognized - schemas to the latest internal value, and may reject unrecognized - values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - code: - description: Suggested HTTP return code for this status, 0 if - not set. - format: int32 - type: integer - details: - description: Extended data associated with the reason. Each - reason may define its own extended details. This field is - optional and the data returned is not guaranteed to conform - to any schema except that defined by the reason type. - properties: - causes: - description: The Causes array includes more details associated - with the StatusReason failure. Not all StatusReasons may - provide detailed causes. - items: - properties: - field: - description: "The field of the resource that has caused - this error, as named by its JSON serialization. - May include dot and postfix notation for nested - attributes. Arrays are zero-indexed. 
Fields may - appear more than once in an array of causes due - to fields having multiple errors. Optional. \n Examples: - \ \"name\" - the field \"name\" on the current - resource \"items[0].name\" - the field \"name\" - on the first array entry in \"items\"" - type: string - message: - description: A human-readable description of the cause - of the error. This field may be presented as-is - to a reader. - type: string - reason: - description: A machine-readable description of the - cause of the error. If this value is empty there - is no information available. - type: string - type: object - type: array - group: - description: The group attribute of the resource associated - with the status StatusReason. - type: string - kind: - description: 'The kind attribute of the resource associated - with the status StatusReason. On some operations may differ - from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: The name attribute of the resource associated - with the status StatusReason (when there is a single name - which can be described). - type: string - retryAfterSeconds: - description: If specified, the time in seconds before the - operation should be retried. Some errors may indicate - the client must take an alternate action - for those errors - this field may indicate how long to wait before taking - the alternate action. - format: int32 - type: integer - uid: - description: 'UID of the resource. (when there is a single - resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - type: object - kind: - description: 'Kind is a string value representing the REST resource - this object represents. Servers may infer this from the endpoint - the client submits requests to. Cannot be updated. In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - message: - description: A human-readable description of the status of this - operation. - type: string - metadata: - description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - properties: - continue: - description: continue may be set if the user set a limit - on the number of items returned, and indicates that the - server has more data available. The value is opaque and - may be used to issue another request to the endpoint that - served this list to retrieve the next set of available - objects. Continuing a consistent list may not be possible - if the server configuration has changed or more than a - few minutes have passed. The resourceVersion field returned - when using this continue value will be identical to the - value in the first response, unless you have received - this token from an error message. - type: string - resourceVersion: - description: 'String that identifies the server''s internal - version of this object that can be used by clients to - determine when objects have changed. Value must be treated - as opaque by clients and passed unmodified back to the - server. Populated by the system. Read-only. More info: - https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' - type: string - selfLink: - description: selfLink is a URL representing this object. - Populated by the system. Read-only. - type: string - type: object - reason: - description: A machine-readable description of why this operation - is in the "Failure" status. If this value is empty there is - no information available. A Reason clarifies an HTTP status - code but does not override it. - type: string - status: - description: 'Status of the operation. One of: "Success" or - "Failure". 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status' - type: string - type: object - required: - - pending - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used to organize - and categorize (scope and select) objects. May match selectors of - replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' - type: object - managedFields: - description: "ManagedFields maps workflow-id and version to the set - of fields that are managed by that workflow. This is mostly for internal - housekeeping, and users typically shouldn't need to set or understand - this field. A workflow can be the user's name, a controller's name, - or the name of a specific apply path like \"ci-cd\". The set of fields - is always in the version that the workflow used when modifying the - object. \n This field is alpha and can be changed or removed without - notice." - items: - properties: - apiVersion: - description: APIVersion defines the version of this resource that - this field set applies to. The format is "group/version" just - like the top-level APIVersion field. It is necessary to track - the version of a field set because it cannot be automatically - converted. - type: string - fields: - additionalProperties: true - description: Fields identifies a set of fields. - type: object - manager: - description: Manager is an identifier of the workflow managing - these fields. - type: string - operation: - description: Operation is the type of operation which lead to - this ManagedFieldsEntry being created. The only valid values - for this field are 'Apply' and 'Update'. - type: string - time: - description: Time is timestamp of when these fields were set. - It should always be empty if Operation is 'Apply' - format: date-time - type: string - type: object - type: array - name: - description: 'Name must be unique within a namespace. 
Is required when - creating resources, although some resources may allow a client to - request the generation of an appropriate name automatically. Name - is primarily intended for creation idempotence and configuration definition. - Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - namespace: - description: "Namespace defines the space within each name must be unique. - An empty namespace is equivalent to the \"default\" namespace, but - \"default\" is the canonical representation. Not all objects are required - to be scoped to a namespace - the value of this field for those objects - will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: - http://kubernetes.io/docs/user-guide/namespaces" - type: string - ownerReferences: - description: List of objects depended by this object. If ALL objects - in the list have been deleted, this object will be garbage collected. - If this object is managed by a controller, then an entry in this list - will point to this controller, with the controller field set to true. - There cannot be more than one managing controller. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. Defaults to false. To - set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - type: array - resourceVersion: - description: "An opaque value that represents the internal version of - this object that can be used by clients to determine when objects - have changed. May be used for optimistic concurrency, change detection, - and the watch operation on a resource or set of resources. Clients - must treat these values as opaque and passed unmodified back to the - server. They may only be valid for a particular resource or set of - resources. \n Populated by the system. Read-only. Value must be treated - as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency" - type: string - selfLink: - description: SelfLink is a URL representing this object. Populated by - the system. Read-only. - type: string - uid: - description: "UID is the unique in time and space value for this object. - It is typically generated by the server on successful creation of - a resource and is not allowed to change on PUT operations. \n Populated - by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids" - type: string - type: object - mesh: - type: string - spec: - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true diff --git a/app/mesh/1.6.x/plan-and-deploy/license.md b/app/mesh/1.6.x/plan-and-deploy/license.md deleted file mode 100644 index b7ec762c8acf..000000000000 --- a/app/mesh/1.6.x/plan-and-deploy/license.md +++ /dev/null 
@@ -1,126 +0,0 @@
----
-title: License
----
-​
-{{site.mesh_product_name}} requires a valid license before it can start the global `kuma-cp` process. When the license is not set, {{site.mesh_product_name}} automatically uses a **bundled license** with the following limits:
-​
-* Number of data plane proxies (DPPs) allowed: 5
-* Expiration date: 30 days
-​
-
-The bundled license can be overwritten by explicitly setting a new one. You can obtain a {{site.mesh_product_name}} license by getting in touch with the [Kong team](https://konghq.com/request-demo-kong-mesh).
-​
-A license file with a valid signature typically looks like the following example:
-​
-```json
-{
- "license": {
- "version": 1,
- "signature": "...",
- "payload": {
- "customer": "company_inc",
- "license_creation_date": "2021-8-4",
- "product_subscription": "Kong Mesh",
- "dataplanes": "5",
- "license_expiration_date": "2023-11-09",
- "license_key": "..."
- }
- }
-}
-```
-​
-When installing {{site.mesh_product_name}}, the license file can be passed to `kuma-cp` with the
-[following instructions](#Configure-the-license).
-​
-If running {{site.mesh_product_name}} in a multi-zone deployment, the file must be passed to the global `kuma-cp`.
-In this mode, {{site.mesh_product_name}} automatically synchronizes the license to the remote
-`kuma-cp`, therefore this operation is only required on the global `kuma-cp`.
-​
-## Licensed metrics
-​
-The license encourages a pay-as-you-go model that delivers the best benefits to you, the end user, since the derived value of {{site.mesh_product_name}} is directly associated to the positive benefits of real service mesh usage.
-​
-These metrics are:
-​
-* Number of connected data plane proxies (DPPs), across every zone.
-* An expiration date that determines the duration of the license.
-​
-In the context of the metric, a data plane proxy (DPP) is a standard data plane proxy that is deployed next to your services, either as a sidecar container or in a virtual machine. 
Gateway data plane proxies, zone ingresses, and zone egresses are not counted.
-​
-You can measure the number of data plane proxies needed in {{site.mesh_product_name}} by the
-number of services you want to include in your service meshes. Use the following formula:
-​
-```
-Number of DPPs = Number of Pods + Number of VMs.
-```
-​
-With a valid issued license, a data plane proxy will always be able to join the service mesh, even if you go above the allowed limit to prevent service disruptions. If the number of DPPs does go above the limit, you will see a warning in the GUI and in the control plane logs.
-
-With the bundled license, if you go over the maximum allowed number of DPPs, the system will automatically refuse their connections.
-​
-## License API
-​
-You can inspect the license using the GUI or the API `/license` endpoint on the control plane. For example:
-​
-```
-$ curl :5681/license
-{
- "allowedDataplaneProxies": 20,
- "activeDataplaneProxies": 2,
- "expirationDate": "2032-11-09T00:00:00Z",
- "demo": false
-}
-```
-​
-## Configure the license
-​
-A valid license file can be passed to {{site.mesh_product_name}} in a variety of ways.
-​
-### Kubernetes (kumactl)
-​
-When installing the {{site.mesh_product_name}} control plane with `kumactl install control-plane`, provide a `--license-path` argument with a full path to a valid license file. For example:
-​
-```sh
-$ kumactl install control-plane --license-path=/path/to/license.json
-```
-​
-### Kubernetes (Helm)
-​
-To install a valid license via Helm:
-​
-1. Create a secret named `kong-mesh-license` in the same namespace where {{site.mesh_product_name}} is being installed. 
For example: -​ - ```sh - $ kubectl create namespace kong-mesh-system - $ kubectl create secret generic kong-mesh-license -n kong-mesh-system --from-file=/path/to/license.json - ``` -​ - Where: - * `kong-mesh-system` is the namespace where {{site.mesh_product_name}} control plane is installed - * `/path/to/license.json` is the path to a valid license file. The filename should be `license.json` unless otherwise specified in `values.yaml`. -​ -1. Modify the `values.yaml` file to point to the secret. For example: -​ - ```yaml - kuma: - controlPlane: - secrets: - - Env: "KMESH_LICENSE_INLINE" - Secret: "kong-mesh-license" - Key: "license.json" - ``` -​ - -### Universal -​ -In Universal mode, configure a valid license by using the following environment variables: -​ -* `KMESH_LICENSE_PATH` - value with the path to a valid license file. -* `KMESH_LICENSE_INLINE` - value with the actual contents of the license file. -​ - -## Multi-zone -​ -In a multi-zone deployment of {{site.mesh_product_name}}, only the global control plane should be configured with a valid license. The global control plane automatically synchronizes the license to any remote control plane that is part of the cluster. -​ -In a multi-zone deployment, the DPPs count includes the total aggregate of every data plane proxy in every zone. For example, with a limit of 5 DPPs and 2 zones, you can connect 3 DPPs in one zone and 2 in another, but not 5 DPPs for each zone.