Multi-zone authentication

Uses: Kong Mesh

How does multi-zone authentication work?

To add to the security of your deployments, Kong Mesh provides authentication of zone Control Planes to the global Control Plane. Authentication is based on the Zone Token which is also used to authenticate the zone proxy. See zone proxy authentication to learn about token characteristics, revocation, rotation, and more. To enable authentication between Control Planes:

Generate a token for each Zone Control Plane with the cp scope.
Pass the token to the Zone Control Plane.
Enable authentication on the Global Control Plane.

Generate the token

On the global Control Plane, run the following command to store the token in /tmp/token:

kumactl generate zone-token --zone=west --scope=cp --valid-for=720h > /tmp/token

Copied to clipboard!

Add tokens to zones

If you install the zone Control Plane with kumactl install control-plane, pass the --cp-token-path argument, where the value is the path to the file where the token is stored:

kumactl install control-plane \
  --mode=zone \
  --zone=$ZONE-NAME \
  --cp-token-path=/tmp/token \
  --ingress-enabled \
  --kds-global-address grpcs://$GLOBAL-KDS-ADDRESS:5685 | kubectl apply -f -

Copied to clipboard!

Create a secret with a token in the same namespace where Kong Mesh is installed:

kubectl create secret generic cp-token -n kong-mesh-system --from-file=/tmp/token

Copied to clipboard!

Add the following to Values.yaml:

kuma:
  controlPlane:
    secrets:
      - Env: "KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE"
        Secret: "cp-token"
        Key: "token"

Copied to clipboard!

Set the token as an inline value in a KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE environment variable:

KUMA_MODE=zone \
KUMA_MULTIZONE_ZONE_NAME="YOUR-ZONE-NAME" \
KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS="grpcs://EXAMPLE-GLOBAL-KDS-ADDRESS" \
KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE="eyJhbGciOiJSUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.eyJab25lIjoid2VzdCIsIlNjb3BlIjpbImNwIl0sImV4cCI6MTY2OTU0NjkzOSwibmJmIjoxNjY2OTU0NjM5LCJpYXQiOjE2NjY5NTQ5MzksImp0aSI6IjZiYWYyYzkwLTBlODYtNGM2Mi05N2E3LTc4MzU4NTU4MzRiYyJ9.DJfA0M6uUfO4oytp8jHtzngiVggQWQR88YQxWVU1ujc0Zv-XStRDwvpdEoFGOzWVn4EUfI3gcv9qS2MxqIzQjJ83k5Jq85w4hkPyLGr-0jNS1UZF6yXz7lB_As8f91gMVHbRAoFuoybV5ndDtfYzwZknyzott7doxk-SjTes2GDvpg0-kFNGc4MBR2EprGl7YKO0vhFxQjln5AyCAhmAA7-PM7WRCzhmS-pUXacfZtP2VulWYhmTAuLPnkJrJN-ZWPkIpnV1MZmsgWbzTpnW-PhmCMQfD5m2im1c_3OlFwa9P9rZQQhdhbTp0ofMvW-cdCAcG_lOJI5j60cqPh2DGg" \
./kuma-cp run

Copied to clipboard!

Enable authentication

If you are starting from scratch and not securing an existing Kong Mesh deployment, you can do this as a first step.

If you install the zone Control Plane with kumactl install control-plane, pass the --cp-auth argument with the value cpToken:

kumactl install control-plane \
  --mode=global \
  --cp-auth=cpToken | kubectl apply -f -

Copied to clipboard!

Add the following to Values.yaml:

kuma:
  controlPlane:
    envVars:
      KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE: cpToken

Copied to clipboard!

Set KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE to cpToken:

KUMA_MODE=global \
KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE=cpToken \
./kuma-cp run

Copied to clipboard!

Verify the zone Control Plane is connected with authentication by looking at the global Control Plane logs:

2021-02-24T14:30:38.596+0100	INFO	kds.auth	Zone CP successfully authenticated	{"zone": "cluster-2"}

Copied to clipboard!

Additional security

By default, a connection from the zone Control Plane to the global Control Plane is secured with TLS.

Multi-zone authentication

How does multi-zone authentication work?

Generate the token

Add tokens to zones

Enable authentication

Additional security

Did this doc help?

Help us make these docs great!

Still need help