Kong Mesh 2.12: SPIFFE/SPIRE Support and Consistent XDS Resource Names
We're very excited to announce Kong Mesh 2.12 to the world! Kong Mesh 2.12 delivers two very important features: SPIFFE / SPIRE support, which provides enterprise-class workload identity and trust models for your mesh, as well as a consistent Kuma Resource Identifier (KRI) naming convention for resources in the Mesh. Read on to learn more!
What is Kong Mesh?
But first, what's Kong Mesh for the uninitiated?
Building on top of the open source Kuma service mesh, Kong Mesh is all about simplicity and bringing enterprise features to our customers. Kong Mesh is built for smooth operations with platform teams in mind, providing security, observability, and traffic control for modern, distributed applications. A single mesh can seamlessly span multiple zones: multiple cloud providers, Kubernetes clusters, and traditional server (VM / bare-metal) environments, while offering zero-trust security, multiple isolated mesh support, and global/remote control planes. Konnect Mesh Manager provides a global view across all your Mesh deployments. With Kong Mesh, organizations can deploy with confidence and efficiency, managing mission-critical services reliably at high performance.
SPIFFE / SPIRE support and MeshIdentity
MeshIdentity defines how workloads in a mesh obtain their cryptographic identity. It separates the responsibility of issuing identities from establishing trust, enabling Kong Mesh to adopt SPIFFE-compliant practices while remaining flexible and easy to use.
With MeshIdentity, you can:
- Enable secure mTLS between services, using trusted certificate authorities.
- Assign different identity providers to subsets of workloads, allowing more granular control and progressive migration.
Whilst this provides SPIFFE-compliant practices, we also worked on being able to integrate with a SPIRE agent running on your Kubernetes nodes to be able to obtain their SPIFFE Verifiable Identity Documents:
If you're using SPIRE, it's classed as the Trust authority for the Mesh, and for customers that have not rolled out SPIRE in their organisations, we've also introduced the concept of MeshTrust.
This allows you to validate the workload identity back to the MeshTrust authority that you control. Currently, this is only supported on Kubernetes environments, and we're working on cross-zone identity in the next release of Kong Mesh.
Consistent resource identifiers
To help with how you consume, aggregate, and draw value from service-to-service metrics, as well as how to define Services and their Identity, we took on the rather large effort of introducing a consistent naming convention for Mesh resources.
This has a number of benefits, including being able to inspect individual resources through the Inspect API, as well as browsing resources in Mesh Manager.
We'll continue to drive consistency across Kong Mesh resources to help with metrics and observability in the near future.
Next steps
For a deeper dive into a complete list of features, updates, and changes, please refer to the CHANGELOG here.
Want to see Kong Mesh in action? Request a demo or start using Kong Mesh today.
Thank you for your continued support and trust in our product.
Mesh your services together effortlessly with Kong
