Consul
Terminating Gateway Configuration Entry
v1.8.4+: On Kubernetes, the TerminatingGateway
custom resource is supported in Consul versions 1.8.4+.
v1.8.0+: On other platforms, this config entry is supported in Consul versions 1.8.0+.
The terminating-gateway
config entry kind (TerminatingGateway
on Kubernetes) allows you to configure terminating gateways
to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a
Connect service sidecar proxy. The configuration is associated with the name of a gateway service
and will apply to all instances of the gateway with that name.
Configuration entries are global in scope. A configuration entry for a gateway name applies across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different sets of services within their datacenter then the terminating gateways must be registered with different names.
See Terminating Gateway for more information.
TLS Origination
By specifying a path to a CA file connections from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a client certificate and private key are also specified connections from the terminating gateway will be encrypted using mutual TLS authentication.
Setting the SNI
field is strongly recommended when enabling TLS to a service. If this field is not set,
Consul will not attempt to verify the Subject Alternative Name fields in the service's certificate.
If none of these are provided, Consul will only encrypt connections to the gateway and not from the gateway to the destination service.
Wildcard service specification
Terminating gateways can optionally target all services within a Consul namespace by specifying a wildcard "*" as the service name. Configuration options set on the wildcard act as defaults that can be overridden by options set on a specific service name.
Note that if the wildcard specifier is used, and some services in that namespace have a Connect sidecar proxy, traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars.
Sample Config Entries
Access an external service
Link gateway named "us-west-gateway" with the billing service.
Connections to the external service will be unencrypted.
Kind = "terminating-gateway"
Name = "us-west-gateway"
Services = [
{
Name = "billing"
}
]
Access an external service over TLS
Link gateway named "us-west-gateway" with the billing service, and specify a CA file to be used for one-way TLS authentication.
Note: The CAFile
parameter must be specified and point to a valid CA
bundle in order to properly initiate a TLS connection to the destination service.
Kind = "terminating-gateway"
Name = "us-west-gateway"
Services = [
{
Name = "billing"
CAFile = "/etc/certs/ca-chain.cert.pem"
SNI = "billing.service.com"
}
]
Access an external service over mutual TLS
Link gateway named "us-west-gateway" with the billing service, and specify a CA file, key file, and cert file to be used for mutual TLS authentication.
Note: The CAFile
parameter must be specified and point to a valid CA
bundle in order to properly initiate a TLS connection to the destination service.
Kind = "terminating-gateway"
Name = "us-west-gateway"
Services = [
{
Name = "billing"
CAFile = "/etc/certs/ca-chain.cert.pem"
KeyFile = "/etc/certs/gateway.key.pem"
CertFile = "/etc/certs/gateway.cert.pem"
SNI = "billing.service.com"
}
]
Override connection parameters for a specific service
Link gateway named "us-west-gateway" with all services in the datacenter, and configure default certificates for mutual TLS.
Override the SNI and CA file used for connections to the billing service.
Kind = "terminating-gateway"
Name = "us-west-gateway"
Services = [
{
Name = "*"
CAFile = "/etc/common-certs/ca-chain.cert.pem"
KeyFile = "/etc/common-certs/gateway.key.pem"
CertFile = "/etc/common-certs/gateway.cert.pem"
},
{
Name = "billing"
CAFile = "/etc/billing-ca/ca-chain.cert.pem"
SNI = "billing.service.com"
}
]
Available Fields
Kind
- Must be set toterminating-gateway
Name
(string: <required>)
- Set to the name of the gateway being configured.Namespace
(string: "default")
Enterprise - Specifies the namespace to which the configuration entry will apply. This must match the namespace in which the gateway is registered. If omitted, the namespace will be inherited from the request or will default to thedefault
namespace.Partition
(string: "default")
Enterprise - Specifies the admin partition to which the configuration entry will apply. This must match the partition in which the gateway is registered. If omitted, the partition will be inherited from the request or will default to thedefault
partition.Meta
(map<string|string>: nil)
- Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.Services
(array<LinkedService>: <optional>)
- A list of services to link with the gateway. The gateway will proxy traffic to these services. These linked services must be registered with Consul for the gateway to discover their addresses. They must also be registered in the same Consul datacenter as the terminating gateway. If Consul ACLs are enabled, the Terminating Gateway's ACL token must grantservice:write
for all linked services.Name
(string: "")
- The name of the service to link with the gateway. If the wildcard specifier,*
, is provided, then ALL services within the namespace will be linked with the gateway.Namespace
(string: "")
Enterprise - The namespace of the service. If omitted, the namespace will be inherited from the config entry.CAFile
(string: "")
- A file path to a PEM-encoded certificate authority. The file must be present on the proxy's filesystem. The certificate authority is used to verify the authenticity of the service linked with the gateway. It can be provided along with a CertFile and KeyFile for mutual TLS authentication, or on its own for one-way TLS authentication. If none is provided the gateway will not encrypt the traffic to the destination.CertFile
(string: "")
- A file path to a PEM-encoded certificate. The file must be present on the proxy's filesystem. The certificate is provided servers to verify the gateway's authenticity. It must be provided if aKeyFile
was specified.KeyFile
(string: "")
- A file path to a PEM-encoded private key. The file must be present on the proxy's filesystem. The key is used with the certificate to verify the gateway's authenticity. It must be provided along if aCertFile
was specified.SNI
(string: "")
- An optional hostname or domain name to specify during the TLS handshake. This option will also configure strict SAN matching, which requires the external services to have certificates with SANs, not having which will result inCERTIFICATE_VERIFY_FAILED
error.
ACLs
Configuration entries may be protected by ACLs.
Reading a terminating-gateway
config entry requires service:read
on the Name
field of the config entry.
Creating, updating, or deleting a terminating-gateway
config entry requires
operator:write
.