Consul
Encrypt API gateway traffic on virtual machines
This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted.
Requirements
- Consul 1.15 or later
- You must have a certificate and key from your CA
- A Consul cluster with service mesh enabled. Refer to
connect
- Network connectivity between the machine deploying the API gateway and a Consul cluster agent or server
ACL requirements
If ACLs are enabled, you must present a token with the following permissions to configure Consul and deploy API gateways:
Refer Mesh Rules for additional information about configuring policies that enable you to interact with Consul API gateway configurations.
Define TLS certificates
- Create an
inline-certificate
configuration entry and specify the following fields:Kind
: Specifies the type of configuration entry. This must be set toinline-certificate
.Name
: Specify the name in the API gateway listener configuration to bind the certificate to that listener.Certificate
: Specifies the inline public certificate to use for TLS as plain text.PrivateKey
: Specifies the inline private key to use for TLS as plain text.
- Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the
inline-certificate
configuration entry reference for additional information. - Save the configuration.
The following example defines a certificate named my-certificate
. API gateway configurations that specify inline-certificate
in the Certificate.Kind
field and my-certificate
in the Certificate.Name
field are able to use the certificate.
Kind = "inline-certificate"
Name = "my-certificate"
Certificate = <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
PrivateKey = <<EOF
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOF
Deploy the configuration to Consul
Run the consul config write
command to enable listeners to use the certificate. The following example writes a configuration called my-certificate.hcl
:
$ consul config write my-certificate.hcl