External Service

    When you enable this policy, you should also disable passthrough mode for the mesh and enable name resolution.

    A simple HTTPS external service can be defined:

    Then apply the configuration with kumactl apply -f [..] or with the HTTP API.

    Universal mode is best combined with . For backward compatibility only, you can consume an external service from within the mesh by filling the proper outbound section of the relevant data plane resource:

    Consuming the defined service from within the mesh for both Kubernetes and Universal deployments (assuming transparent proxy) can be done:

    • With the real name and port, in this case curl httpbin.org:443. This approach works only with name resolution.

    Although the external service is HTTPS, it is consumed as plain HTTP from inside the mesh. This is possible because networking.tls.enabled=true makes the data plane proxy originate TLS towards the external service. To access the service over TLS, set the service protocol to kuma.io/protocol: tcp and networking.tls.enabled=false, or else omit it entirely.
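
    The two consumption modes described above, written as ExternalService resources in Universal format. This is an added example, not taken from the original page; `networking.address`, the `secret` form of `caCert`, the mesh name `default` and the secret name `httpbin-ca` are assumptions.

```yaml
# Two alternative definitions of the same external service: apply only one.

# Variant A: the data plane proxy originates TLS.
# The workload sends plain HTTP (curl httpbin.org:443) and the proxy
# wraps it in TLS on the way out of the mesh.
type: ExternalService
mesh: default                 # assumption: the mesh is named "default"
name: httpbin
tags:
  kuma.io/service: httpbin    # mandatory tag
  kuma.io/protocol: http      # the proxy handles this traffic as HTTP
networking:
  address: httpbin.org:443    # assumption: field not listed on this page
  tls:
    enabled: true             # TLS origination by the proxy
    caCert:
      secret: httpbin-ca      # hypothetical secret holding the CA used to verify the server
---
# Variant B: the workload speaks TLS itself.
# The proxy forwards the bytes as opaque TCP; the application performs
# the TLS handshake and certificate verification (curl https://httpbin.org).
type: ExternalService
mesh: default
name: httpbin
tags:
  kuma.io/service: httpbin
  kuma.io/protocol: tcp
networking:
  address: httpbin.org:443
  tls:
    enabled: false            # no TLS origination
```

    In variant A the certificate check against the external service is done by the proxy using caCert, not by the application, so the application's own trust store plays no part in that connection.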

    Available policy fields

    • tags: the external service can include an arbitrary number of tags, where kuma.io/service is mandatory. The special kuma.io/protocol tag is also taken into account and supports the standard Kuma protocol values. It designates the specific protocol for the service.
    • networking: describes the networking configuration of the external service
      • tls: the section that configures the TLS originator used when consuming the external service
        • enabled: turns TLS origination on and off. Defaults to true.
        • caCert: the CA certificate for the external service TLS verification
        • clientKey: the client key for mTLS