In this tutorial, you will enable external access into your service mesh by deploying a Consul API Gateway. Consul API Gateway provides a consistent method to handle inbound requests and route them to the appropriate service within your service mesh.
To set up ingress into your service mesh, you will:
- Enable Consul ingress features
- Deploy Consul API Gateway
- Deploy RBAC and Reference Grant resources
- View Consul services with the CLI, UI, and/or API
- Explore ingress into the HashiCups UI
The tutorial assumes that you have completed the previous tutorials in this getting started collection.
For this tutorial, you will need:
You will now enable additional Consul features in your Kubernetes cluster using the official Consul Helm chart or the
Consul API Gateway implements and is configured through the Kubernetes Gateway API Specification. This specification defines a set of custom resource definitions (CRDs) that can create logical gateways which route traffic based on a client request's path or protocol. As of Consul 1.16, API Gateway is built into Consul, which simplifies the installation and configuration process.
Review the additional configuration details.
```yaml
# Contains values that affect multiple components of the chart.
global:
  ## ...
# Configures and installs the automatic Consul Connect sidecar injector.
connectInject:
  enabled: true
  # Configures and installs the Consul API Gateway.
  apiGateway:
    # Configuration settings for the GatewayClass
    managedGatewayClass:
      # Defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP, NodePort)
      # LoadBalancer is primarily used for cloud deployments.
      serviceType: LoadBalancer
```
Since these Consul resources are managed with Terraform, the respective module's Helm configuration file controls the Helm chart deployment for this environment.
Update your Consul deployment's Helm chart values.
```shell-session
$ cp helm/values-v2.yaml modules/eks-client/template/consul.tpl
```
Then, deploy the resources. Confirm the run by entering yes.
```shell-session
$ terraform apply
## ...
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes
## ...
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
```
Now that you have enabled ingress features in your Consul service mesh, you can deploy the Consul API Gateway and associated HTTP Routes to your Kubernetes cluster. The Consul API Gateway uses HTTP Routes to route traffic to your applications.
The api-gw/consul-api-gateway.yaml configuration file contains the configuration for the API Gateway pod, the listener, and TLS attributes.
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
# The Gateway is the main infrastructure resource that links API gateway components.
kind: Gateway
metadata:
  name: api-gateway
  namespace: consul
spec:
  gatewayClassName: consul
  # Configures the listener that is bound to the gateway's address.
  listeners:
    # Defines the listener protocol (HTTP, HTTPS, or TCP)
    - protocol: HTTP
      port: 8080
      name: http
      allowedRoutes:
        namespaces:
          from: Same
```
The api-gw/routes.yaml configuration file contains the configuration for HTTP routing, including the network traffic rules and the backend service that will receive the ingress traffic.
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
# HTTPRoute routes HTTP requests to backend services.
kind: HTTPRoute
metadata:
  name: http-route-1
  namespace: consul
spec:
  # Defines the gateway listener.
  parentRefs:
    - name: api-gateway
  # Rules define behaviors for network traffic that goes through the route.
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      # Defines the backend service.
      backendRefs:
        - kind: Service
          name: nginx
          namespace: default
          port: 80
```
Next, deploy the API Gateway, wait for the API Gateway to completely deploy, deploy the routes and apply the intentions for the API Gateway.
```shell-session
$ kubectl apply --filename api-gw/consul-api-gateway.yaml --namespace consul && \
    kubectl wait --for=condition=accepted gateway/api-gateway --namespace consul --timeout=90s && \
    kubectl apply --filename api-gw/routes.yaml --namespace consul && \
    kubectl apply --filename api-gw/intentions.yaml --namespace consul
gateway.gateway.networking.k8s.io/api-gateway created
gateway.gateway.networking.k8s.io/api-gateway condition met
httproute.gateway.networking.k8s.io/http-route-1 created
serviceintentions.consul.hashicorp.com/api-gateway created
```
Verify you have created all the pods in your consul namespace. You should find an output similar to the following.

```shell-session
$ kubectl get pods --namespace consul | grep "api-gateway"
NAME                           READY   STATUS    RESTARTS   AGE
api-gateway-6ddbd69979-bm5kq   1/1     Running   0          64s
```
The diagram below shows the services running in your Kubernetes cluster. This includes Consul API Gateway, service mesh layer, and HashiCups microservice application pods.
Consul API Gateway enables ingress, load-balancing, and other advanced traffic behavior for your service mesh applications. In this tutorial, Consul API Gateway allows external traffic into the HashiCups service.
Now that Consul API Gateway is operational in your cluster, you will deploy role-based access control (RBAC) and Reference Grant resources. RBAC enables the Consul API Gateway to interact with Consul datacenter resources, and reference grants enable the Consul API Gateway to route traffic between different namespaces.
Deploy the RBAC and Reference Grant resources.
```shell-session
$ kubectl apply --filename hashicups/v2/
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-tokenreview-binding created
clusterrole.rbac.authorization.k8s.io/consul-api-gateway-auth created
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-auth-binding created
clusterrolebinding.rbac.authorization.k8s.io/consul-auth-binding created
referencegrant.gateway.networking.k8s.io/consul-reference-grant created
```
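The HTTPRoute above lives in the consul namespace but points at the nginx Service in default, so the Gateway API only resolves that backend when a ReferenceGrant in the target namespace permits it. The following added example (not part of the original tutorial or the HashiCups repository) evaluates that rule offline. The grant's namespace and contents are assumptions constructed for illustration, since the page does not show the hashicups/v2/ manifests.

```python
# Offline check of Gateway API ReferenceGrant rules (added example).
ROUTE_GROUP = "gateway.networking.k8s.io"

ROUTE = {  # the HTTPRoute from api-gw/routes.yaml, as a Python dict
    "metadata": {"name": "http-route-1", "namespace": "consul"},
    "spec": {"rules": [{"backendRefs": [
        {"kind": "Service", "name": "nginx", "namespace": "default", "port": 80}]}]},
}

GRANT = {  # constructed sample; the tutorial's real manifest is not shown
    "metadata": {"name": "consul-reference-grant", "namespace": "default"},
    "spec": {
        "from": [{"group": ROUTE_GROUP, "kind": "HTTPRoute", "namespace": "consul"}],
        "to": [{"group": "", "kind": "Service"}],
    },
}


def grant_allows(grant, route_ns, ref_ns, ref):
    """True if `grant` lets an HTTPRoute in route_ns reference `ref` in ref_ns."""
    if grant["metadata"]["namespace"] != ref_ns:
        return False  # a grant only covers targets in its own namespace
    from_ok = any(f["group"] == ROUTE_GROUP and f["kind"] == "HTTPRoute"
                  and f["namespace"] == route_ns
                  for f in grant["spec"]["from"])
    to_ok = any(t["group"] == ref.get("group", "")
                and t["kind"] == ref.get("kind", "Service")
                and t.get("name") in (None, ref["name"])  # name is optional
                for t in grant["spec"]["to"])
    return from_ok and to_ok


def unresolved_backends(route, grants):
    """Return cross-namespace backendRefs that no ReferenceGrant permits."""
    route_ns = route["metadata"]["namespace"]
    missing = []
    for rule in route["spec"]["rules"]:
        for ref in rule.get("backendRefs", []):
            ref_ns = ref.get("namespace", route_ns)
            if ref_ns == route_ns:
                continue  # same-namespace references need no grant
            if not any(grant_allows(g, route_ns, ref_ns, ref) for g in grants):
                missing.append(f"{ref_ns}/{ref['name']}")
    return missing


if __name__ == "__main__":
    print("with grant:   ", unresolved_backends(ROUTE, [GRANT]))
    print("without grant:", unresolved_backends(ROUTE, []))
```

A grant that omits `name` in its `to` entry covers every Service in its namespace; adding `name: nginx` narrows it to the single backend the route needs.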
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh ingress.
In your terminal, run the CLI command consul catalog services to return the api-gateway service registered in Consul.

```shell-session
$ consul catalog services | grep api-gateway
api-gateway
```
Return the list of Consul intentions. Notice that there is an intention between api-gateway and nginx to allow traffic between the two services.
```shell-session
$ consul intention list
ID  Source       Action  Destination     Precedence
    api-gateway  allow   nginx           9
    nginx        allow   frontend        9
    nginx        allow   public-api      9
    product-api  allow   product-api-db  9
    public-api   allow   payments        9
    public-api   allow   product-api     9
```
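Once the api-gateway intention exists, the intention list also describes which services sit downstream of the externally reachable gateway. The following added example (not part of the original tutorial) parses the output shown above and walks the allow intentions from api-gateway to report each service and its hop distance. It shows what the intentions permit, not what the application actually calls.

```python
# Added example: map which services sit behind the ingress via allow intentions.
from collections import deque

# Output copied from the tutorial's `consul intention list` step (ID column is empty).
INTENTIONS = """\
ID  Source       Action  Destination     Precedence
    api-gateway  allow   nginx           9
    nginx        allow   frontend        9
    nginx        allow   public-api      9
    product-api  allow   product-api-db  9
    public-api   allow   payments        9
    public-api   allow   product-api     9
"""


def parse_intentions(text):
    """Return (source, action, destination) tuples from the table rows."""
    rows = []
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) == 5:                # row with a populated ID column
            fields = fields[1:]
        if len(fields) == 4:                # source, action, destination, precedence
            rows.append((fields[0], fields[1], fields[2]))
    return rows


def reachable_from(start, intentions):
    """Breadth-first walk over allow intentions; returns {service: hop count}."""
    edges = {}
    for src, action, dst in intentions:
        if action == "allow":               # deny intentions add no edge
            edges.setdefault(src, []).append(dst)
    hops, queue = {}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in hops and nxt != start:
                hops[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return hops


if __name__ == "__main__":
    exposure = reachable_from("api-gateway", parse_intentions(INTENTIONS))
    for service, depth in sorted(exposure.items(), key=lambda kv: kv[1]):
        print(f"{depth} hop(s): {service}")
```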
Set your Consul API Gateway address to the CONSUL_APIGW_ADDR environment variable.

```shell-session
$ export CONSUL_APIGW_ADDR=http://$(kubectl get svc/api-gateway --namespace consul -o json | jq -r '.status.loadBalancer.ingress[0].hostname'):8080
```
Output the Consul API Gateway value to your terminal and paste it in your browser to access the HashiCups UI through the API Gateway.
```shell-session
$ echo $CONSUL_APIGW_ADDR
http://a46cc0cc9dc6841a4b1a0fa1771973ca-1032165333.us-west-2.elb.amazonaws.com:8080
```
For more information on accessing service mesh services via the Consul API Gateway, visit the Consul API Gateway documentation page.
In this tutorial, you enabled Consul ingress features and deployed Consul API Gateway into your Kubernetes cluster. After deploying Consul API Gateway, you accessed the demo application HashiCups through the Consul API Gateway endpoint and explored how ingress into a service mesh application works.
In the next tutorial, you will deploy an observability suite to explore metrics, logs, and distributed traces within your Consul service mesh.
For more information about the topics covered in this tutorial, refer to the following resources: