Ingress with Consul on Kubernetes
10min
- ConsulConsul
In this tutorial, you will enable external access into your service mesh by deploying a Consul API Gateway. Consul API Gateway provides a consistent method to handle inbound requests and route them to the appropriate service within your service mesh.
Select your learning path by clicking one of the following tabs.
To set up ingress into your service mesh, you will:
- Enable Consul ingress features
- Deploy Consul API Gateway
- Deploy RBAC and Reference Grant resources
- View Consul services with the CLI, UI, and/or API
- Explore ingress into the HashiCups UI
To set up ingress into your service mesh, you will:
- Enable Consul ingress features
- Deploy Consul API Gateway
- Deploy RBAC and Reference Grant resources
- View Consul services with the CLI, UI, and/or API
- Explore ingress into the HashiCups UI
To set up ingress into your service mesh, you will:
- Enable Consul ingress features
- Deploy Consul API Gateway
- Deploy RBAC and Reference Grant resources
- View Consul services with the CLI, UI, and/or API
- Explore ingress into the HashiCups UI
To set up ingress into your service mesh, you will:
- Enable Consul ingress features
- Deploy Consul API Gateway
- Deploy RBAC and Reference Grant resources
- View Consul services with the CLI, UI, and/or API
- Explore ingress into the HashiCups UI
To set up ingress into your service mesh, you will:
- Enable Consul ingress features
- Deploy Consul API Gateway
- Deploy RBAC and Reference Grant resources
- View Consul services with the CLI, UI, and/or API
- Explore ingress into the HashiCups UI
Prerequisites
The tutorial assumes that you have completed the previous tutorials in this getting started collection.
For this tutorial, you will need:
The tutorial assumes that you have completed the previous tutorials in this getting started collection.
For this tutorial, you will need:
- An Azure account configured for use with Terraform
- An HCP account configured for use with Terraform
- Azure CLI
- terraform >= 1.0
- consul >= 1.14.4
- consul-k8s >= 1.0.0
- git >= 2.0
- helm >= 3.0
- kubectl <= 1.24
The tutorial assumes that you have completed the previous tutorials in this getting started collection.
For this tutorial, you will need:
The tutorial assumes that you have completed the previous tutorials in this getting started collection.
For this tutorial, you will need:
The tutorial assumes that you have completed the previous tutorials in this getting started collection.
For this tutorial, you will need:
Enable Consul ingress features
You will now enable additional Consul features in your Kubernetes cluster using the official Consul Helm chart or the consul-k8s CLI.
Consul API Gateway implements and is configured through the Kubernetes Gateway API Specification. This specification defines a set of custom resource definitions (CRDs) that can create logical gateways which route traffic based on a client request's path or protocol.
First, create the custom resource definitions (CRD) for the API Gateway Controller.
$ kubectl apply --kustomize "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.5.1"
customresourcedefinition.apiextensions.k8s.io/gatewayclassconfigs.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/meshservices.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/referencepolicies.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tcproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/udproutes.gateway.networking.k8s.io created
Review the additional configuration details.
# Contains values that affect multiple components of the chart.
global:
## ...
# Configures and installs the Consul API Gateway.
apiGateway:
enabled: true
# Image to use for the api-gateway-controller pods and gateway instances
image: "hashicorp/consul-api-gateway:0.5.1"
# Configuration settings for the GatewayClass
managedGatewayClass:
# Defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP, NodePort)
# LoadBalancer is primarily used for cloud deployments.
serviceType: LoadBalancer
Since these Consul resources are managed with Terraform, the respective module's Helm configuration file controls the Helm chart deployment for this environment.
Update your Consul deployment's Helm chart values.
cp helm/values-v2.yaml modules/eks-client/template/consul.tpl
Then, deploy the resources. Confirm the run by entering yes.
$ terraform apply
## ...
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
## ...
Apply complete! Resources: 1 added, 1 changed, 1 destroyed.
You will now enable additional Consul features in your Kubernetes cluster using the official Consul Helm chart or the consul-k8s CLI.
Consul API Gateway implements and is configured through the Kubernetes Gateway API Specification. This specification defines a set of custom resource definitions (CRDs) that can create logical gateways which route traffic based on a client request's path or protocol.
First, create the custom resource definitions (CRD) for the API Gateway Controller.
$ kubectl apply --kustomize "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.5.1"
customresourcedefinition.apiextensions.k8s.io/gatewayclassconfigs.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/meshservices.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/referencepolicies.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tcproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/udproutes.gateway.networking.k8s.io created
Review the additional configuration details.
# Contains values that affect multiple components of the chart.
global:
## ...
# Configures and installs the Consul API Gateway.
apiGateway:
enabled: true
# Image to use for the api-gateway-controller pods and gateway instances
image: "hashicorp/consul-api-gateway:0.5.1"
# Configuration settings for the GatewayClass
managedGatewayClass:
# Defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP, NodePort)
# LoadBalancer is primarily used for cloud deployments.
serviceType: LoadBalancer
Since these Consul resources are managed with Terraform, the respective module's Helm configuration file controls the Helm chart deployment for this environment.
Update your Consul deployment's Helm chart values.
cp helm/values-v2.yaml modules/hcp-aks-client/templates/consul.tpl
Then, deploy the resources. Confirm the run by entering yes.
$ terraform apply
## ...
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
## ...
Apply complete! Resources: 1 added, 1 changed, 1 destroyed.
You will now enable additional Consul features in your Kubernetes cluster using the official Consul Helm chart or the consul-k8s CLI.
Consul API Gateway implements and is configured through the Kubernetes Gateway API Specification. This specification defines a set of custom resource definitions (CRDs) that can create logical gateways which route traffic based on a client request's path or protocol.
First, create the custom resource definitions (CRD) for the API Gateway Controller.
$ kubectl apply --kustomize "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.5.1"
customresourcedefinition.apiextensions.k8s.io/gatewayclassconfigs.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/meshservices.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/referencepolicies.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tcproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/udproutes.gateway.networking.k8s.io created
Review the additional configuration details.
# Contains values that affect multiple components of the chart.
global:
## ...
# Configures and installs the Consul API Gateway.
apiGateway:
enabled: true
# Image to use for the api-gateway-controller pods and gateway instances
image: "hashicorp/consul-api-gateway:0.5.1"
# Configuration settings for the GatewayClass
managedGatewayClass:
# Defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP, NodePort)
# LoadBalancer is primarily used for cloud deployments.
serviceType: LoadBalancer
Update Consul in your Kubernetes cluster with Consul K8S CLI. Confirm the run by entering y.
$ consul-k8s upgrade -config-file=helm/values-v2.yaml
Refer to the Consul K8S CLI documentation to learn more about additional settings.
Update Consul in your Kubernetes cluster.
$ helm upgrade --values helm/values-v2.yaml consul hashicorp/consul --namespace consul --version "1.0.2"
Review the official Helm chart values to learn more about these settings.
You will now enable additional Consul features in your Kubernetes cluster using the official Consul Helm chart or the consul-k8s CLI.
Consul API Gateway implements and is configured through the Kubernetes Gateway API Specification. This specification defines a set of custom resource definitions (CRDs) that can create logical gateways which route traffic based on a client request's path or protocol.
First, create the custom resource definitions (CRD) for the API Gateway Controller.
$ kubectl apply --kustomize "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.5.1"
customresourcedefinition.apiextensions.k8s.io/gatewayclassconfigs.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/meshservices.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/referencepolicies.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tcproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/udproutes.gateway.networking.k8s.io created
Review the additional configuration details.
# Contains values that affect multiple components of the chart.
global:
## ...
# Configures and installs the Consul API Gateway.
apiGateway:
enabled: true
# Image to use for the api-gateway-controller pods and gateway instances
image: "hashicorp/consul-api-gateway:0.5.1"
# Configuration settings for the GatewayClass
managedGatewayClass:
# Defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP, NodePort)
# LoadBalancer is primarily used for cloud deployments.
serviceType: LoadBalancer
Update Consul in your Kubernetes cluster with Consul K8S CLI. Confirm the run by entering y.
$ consul-k8s upgrade -config-file=helm/values-v2.yaml
Refer to the Consul K8S CLI documentation to learn more about additional settings.
Update Consul in your Kubernetes cluster.
$ helm upgrade --values helm/values-v2.yaml consul hashicorp/consul --namespace consul --version "1.0.2"
Review the official Helm chart values to learn more about these settings.
You will now enable additional Consul features in your Kubernetes cluster using the official Consul Helm chart or the consul-k8s CLI.
Consul API Gateway implements and is configured through the Kubernetes Gateway API Specification. This specification defines a set of custom resource definitions (CRDs) that can create logical gateways which route traffic based on a client request's path or protocol.
First, create the custom resource definitions (CRD) for the API Gateway Controller.
$ kubectl apply --kustomize "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.5.1"
customresourcedefinition.apiextensions.k8s.io/gatewayclassconfigs.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/meshservices.api-gateway.consul.hashicorp.com created
customresourcedefinition.apiextensions.k8s.io/referencepolicies.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tcproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/udproutes.gateway.networking.k8s.io created
Review the additional configuration details.
# Contains values that affect multiple components of the chart.
global:
## ...
# Configures and installs the Consul API Gateway.
apiGateway:
enabled: true
# Image to use for the api-gateway-controller pods and gateway instances
image: "hashicorp/consul-api-gateway:0.5.1"
# Configuration settings for the GatewayClass
managedGatewayClass:
# Defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP, NodePort)
# NodePort is primarily used for local deployments.
serviceType: NodePort
# Toggles the gateway ports to be mapped to host ports (used for local deployments)
useHostPorts: true
Update Consul in your Kubernetes cluster with Consul K8S CLI. Confirm the run by entering y.
$ consul-k8s upgrade -config-file=helm/values-v2.yaml
Refer to the Consul K8S CLI documentation to learn more about additional settings.
Update Consul in your Kubernetes cluster.
$ helm upgrade --values helm/values-v2.yaml consul hashicorp/consul --namespace consul --version "1.0.2"
Review the official Helm chart values to learn more about these settings.
Deploy Consul API Gateway
Review Consul API Gateway configuration
Now that you have enabled ingress features in your Consul service mesh, you can deploy the Consul API Gateway and associated HTTP Routes to your Kubernetes cluster. The Consul API Gateway uses HTTP Routes to route traffic to your applications.
Review the api-gw/consul-api-gateway.yaml configuration file. This file contains the configuration for the API Gateway pod, the listener, and TLS attributes.
apiVersion: gateway.networking.k8s.io/v1alpha2
# The Gateway is the main infrastructure resource that links API gateway components.
kind: Gateway
metadata:
name: api-gateway
namespace: consul
spec:
gatewayClassName: consul-api-gateway
# Configures the listener that is bound to the gateway's address.
listeners:
# Defines the listener protocol (HTTP, HTTPS, or TCP)
- protocol: HTTP
port: 8080
name: http
allowedRoutes:
namespaces:
from: Same
Review the api-gw/routes.yaml configuration file. This file contains the configuration for HTTP routing including the network traffic rules and the backend service that will receive the ingress traffic.
apiVersion: gateway.networking.k8s.io/v1alpha2
# HTTPRoute routes HTTP requests to backend services.
kind: HTTPRoute
metadata:
name: http-route-1
namespace: consul
spec:
# Defines the gateway listener.
parentRefs:
- name: api-gateway
# Rules define behaviors for network traffic that goes through the route.
rules:
- matches:
- path:
type: PathPrefix
value: /
# Defines the backend service.
backendRefs:
- kind: Service
name: nginx
namespace: default
port: 80
Deploy Consul API Gateway
Next, deploy the API Gateway, wait for the API Gateway to completely deploy, and deploy the routes.
$ kubectl apply --filename api-gw/consul-api-gateway.yaml --namespace consul && \
kubectl wait --for=condition=ready gateway/api-gateway --namespace consul --timeout=90s && \
kubectl apply --filename api-gw/routes.yaml --namespace consul
Expected output:
gateway.gateway.networking.k8s.io/api-gateway created
gateway.gateway.networking.k8s.io/api-gateway condition met
httproute.gateway.networking.k8s.io/http-route-1 created
Verify you have created all the pods in your consul namespace. You should find an output similar to the following.
$ kubectl get pods --namespace consul | grep "api-gateway"
NAME READY STATUS RESTARTS AGE
api-gateway-6ddbd69979-bm5kq 1/1 Running 0 64s
consul-api-gateway-controller-66dddfb4c8-jj8w2 1/1 Running 1 7m9s
The diagram below shows the services running in your Kubernetes cluster. This includes Consul API Gateway, service mesh layer, and HashiCups microservice application pods.
Consul API Gateway enables ingress, load-balancing, and other advanced traffic behavior for your service mesh applications. In this tutorial, Consul API Gateway allows external traffic into the HashiCups service.
Review Consul API Gateway configuration
Now that you have enabled ingress features in your Consul service mesh, you can deploy the Consul API Gateway and associated HTTP Routes to your Kubernetes cluster. The Consul API Gateway uses HTTP Routes to route traffic to your applications.
Review the api-gw/consul-api-gateway.yaml configuration file. This file contains the configuration for the API Gateway pod, the listener, and TLS attributes.
apiVersion: gateway.networking.k8s.io/v1alpha2
# The Gateway is the main infrastructure resource that links API gateway components.
kind: Gateway
metadata:
name: api-gateway
namespace: consul
spec:
gatewayClassName: consul-api-gateway
# Configures the listener that is bound to the gateway's address.
listeners:
# Defines the listener protocol (HTTP, HTTPS, or TCP)
- protocol: HTTP
port: 8080
name: http
allowedRoutes:
namespaces:
from: Same
Review the api-gw/routes.yaml configuration file. This file contains the configuration for HTTP routing including the network traffic rules and the backend service that will receive the ingress traffic.
apiVersion: gateway.networking.k8s.io/v1alpha2
# HTTPRoute routes HTTP requests to backend services.
kind: HTTPRoute
metadata:
name: http-route-1
namespace: consul
spec:
# Defines the gateway listener.
parentRefs:
- name: api-gateway
# Rules define behaviors for network traffic that goes through the route.
rules:
- matches:
- path:
type: PathPrefix
value: /
# Defines the backend service.
backendRefs:
- kind: Service
name: nginx
namespace: default
port: 80
Deploy Consul API Gateway
Next, deploy the API Gateway, wait for the API Gateway to completely deploy, and deploy the routes.
$ kubectl apply --filename api-gw/consul-api-gateway.yaml --namespace consul && \
kubectl wait --for=condition=ready gateway/api-gateway --namespace consul --timeout=90s && \
kubectl apply --filename api-gw/routes.yaml --namespace consul
Expected output:
gateway.gateway.networking.k8s.io/api-gateway created
gateway.gateway.networking.k8s.io/api-gateway condition met
httproute.gateway.networking.k8s.io/http-route-1 created
Verify you have created all the pods in your consul namespace. You should find an output similar to the following.
$ kubectl get pods --namespace consul | grep "api-gateway"
NAME READY STATUS RESTARTS AGE
api-gateway-6ddbd69979-bm5kq 1/1 Running 0 64s
consul-api-gateway-controller-66dddfb4c8-jj8w2 1/1 Running 1 7m9s
The diagram below shows the services running in your Kubernetes cluster. This includes Consul API Gateway, service mesh layer, and HashiCups microservice application pods.
Consul API Gateway enables ingress, load-balancing, and other advanced traffic behavior for your service mesh applications. In this tutorial, Consul API Gateway allows external traffic into the HashiCups service.
Review Consul API Gateway configuration
Now that you have enabled ingress features in your Consul service mesh, you can deploy the Consul API Gateway and associated HTTP Routes to your Kubernetes cluster. The Consul API Gateway uses HTTP Routes to route traffic to your applications.
Review the api-gw/consul-api-gateway.yaml configuration file. This file contains the configuration for the API Gateway pod, the listener, and TLS attributes.
apiVersion: gateway.networking.k8s.io/v1alpha2
# The Gateway is the main infrastructure resource that links API gateway components.
kind: Gateway
metadata:
name: api-gateway
namespace: consul
spec:
gatewayClassName: consul-api-gateway
# Configures the listener that is bound to the gateway's address.
listeners:
# Defines the listener protocol (HTTP, HTTPS, or TCP)
- protocol: HTTP
port: 8080
name: http
allowedRoutes:
namespaces:
from: Same
Review the api-gw/routes.yaml configuration file. This file contains the configuration for HTTP routing including the network traffic rules and the backend service that will receive the ingress traffic.
apiVersion: gateway.networking.k8s.io/v1alpha2
# HTTPRoute routes HTTP requests to backend services.
kind: HTTPRoute
metadata:
name: http-route-1
namespace: consul
spec:
# Defines the gateway listener.
parentRefs:
- name: api-gateway
# Rules define behaviors for network traffic that goes through the route.
rules:
- matches:
- path:
type: PathPrefix
value: /
# Defines the backend service.
backendRefs:
- kind: Service
name: nginx
namespace: default
port: 80
Deploy Consul API Gateway
Next, deploy the API Gateway, wait for the API Gateway to completely deploy, and deploy the routes.
$ kubectl apply --filename api-gw/consul-api-gateway.yaml --namespace consul && \
kubectl wait --for=condition=ready gateway/api-gateway --namespace consul --timeout=90s && \
kubectl apply --filename api-gw/routes.yaml --namespace consul
Expected output:
gateway.gateway.networking.k8s.io/api-gateway created
gateway.gateway.networking.k8s.io/api-gateway condition met
httproute.gateway.networking.k8s.io/http-route-1 created
Verify you have created all the pods in your consul namespace. You should find an output similar to the following.
$ kubectl get pods --namespace consul | grep "api-gateway"
NAME READY STATUS RESTARTS AGE
api-gateway-6ddbd69979-bm5kq 1/1 Running 0 64s
consul-api-gateway-controller-66dddfb4c8-jj8w2 1/1 Running 1 7m9s
The diagram below shows the services running in your Kubernetes cluster. This includes Consul API Gateway, service mesh layer, and HashiCups microservice application pods.
Consul API Gateway enables ingress, load-balancing, and other advanced traffic behavior for your service mesh applications. In this tutorial, Consul API Gateway allows external traffic into the HashiCups service.
Review Consul API Gateway configuration
Now that you have enabled ingress features in your Consul service mesh, you can deploy the Consul API Gateway and associated HTTP Routes to your Kubernetes cluster. The Consul API Gateway uses HTTP Routes to route traffic to your applications.
Review the api-gw/consul-api-gateway.yaml configuration file. This file contains the configuration for the API Gateway pod, the listener, and TLS attributes.
apiVersion: gateway.networking.k8s.io/v1alpha2
# The Gateway is the main infrastructure resource that links API gateway components.
kind: Gateway
metadata:
name: api-gateway
namespace: consul
spec:
gatewayClassName: consul-api-gateway
# Configures the listener that is bound to the gateway's address.
listeners:
# Defines the listener protocol (HTTP, HTTPS, or TCP)
- protocol: HTTP
port: 8080
name: http
allowedRoutes:
namespaces:
from: Same
Review the api-gw/routes.yaml configuration file. This file contains the configuration for HTTP routing including the network traffic rules and the backend service that will receive the ingress traffic.
apiVersion: gateway.networking.k8s.io/v1alpha2
# HTTPRoute routes HTTP requests to backend services.
kind: HTTPRoute
metadata:
name: http-route-1
namespace: consul
spec:
# Defines the gateway listener.
parentRefs:
- name: api-gateway
# Rules define behaviors for network traffic that goes through the route.
rules:
- matches:
- path:
type: PathPrefix
value: /
# Defines the backend service.
backendRefs:
- kind: Service
name: nginx
namespace: default
port: 80
Deploy Consul API Gateway
Next, deploy the API Gateway, wait for the API Gateway to completely deploy, and deploy the routes.
$ kubectl apply --filename api-gw/consul-api-gateway.yaml --namespace consul && \
kubectl wait --for=condition=ready gateway/api-gateway --namespace consul --timeout=90s && \
kubectl apply --filename api-gw/routes.yaml --namespace consul
Expected output:
gateway.gateway.networking.k8s.io/api-gateway created
gateway.gateway.networking.k8s.io/api-gateway condition met
httproute.gateway.networking.k8s.io/http-route-1 created
Verify you have created all the pods in your consul namespace. You should find an output similar to the following.
$ kubectl get pods --namespace consul | grep "api-gateway"
NAME READY STATUS RESTARTS AGE
api-gateway-6ddbd69979-bm5kq 1/1 Running 0 64s
consul-api-gateway-controller-66dddfb4c8-jj8w2 1/1 Running 1 7m9s
The diagram below shows the services running in your Kubernetes cluster. This includes Consul API Gateway, service mesh layer, and HashiCups microservice application pods.
Consul API Gateway enables ingress, load-balancing, and other advanced traffic behavior for your service mesh applications. In this tutorial, Consul API Gateway allows external traffic into the HashiCups service.
Review Consul API Gateway configuration
Now that you have enabled ingress features in your Consul service mesh, you can deploy the Consul API Gateway and associated HTTP Routes to your Kubernetes cluster. The Consul API Gateway uses HTTP Routes to route traffic to your applications.
Review the api-gw/consul-api-gateway.yaml configuration file. This file contains the configuration for the API Gateway pod, the listener, and TLS attributes.
apiVersion: gateway.networking.k8s.io/v1alpha2
# The Gateway is the main infrastructure resource that links API gateway components.
kind: Gateway
metadata:
name: api-gateway
namespace: consul
spec:
gatewayClassName: consul-api-gateway
# Configures the listener that is bound to the gateway's address.
listeners:
# Defines the listener protocol (HTTP, HTTPS, or TCP)
- protocol: HTTPS
port: 8443
name: https
allowedRoutes:
namespaces:
from: Same
tls:
# Defines the certificate to use for the HTTPS listener.
certificateRefs:
- name: consul-server-cert
Review the api-gw/routes.yaml configuration file. This file contains the configuration for HTTP routing including the network traffic rules and the backend service that will receive the ingress traffic.
apiVersion: gateway.networking.k8s.io/v1alpha2
# HTTPRoute routes HTTP requests to backend services.
kind: HTTPRoute
metadata:
name: http-route-1
namespace: consul
spec:
# Defines the gateway listener.
parentRefs:
- name: api-gateway
# Rules define behaviors for network traffic that goes through the route.
rules:
- matches:
- path:
type: PathPrefix
value: /
# Defines the backend service.
backendRefs:
- kind: Service
name: nginx
namespace: default
port: 80
Deploy Consul API Gateway
Next, deploy the API Gateway, wait for the API Gateway to completely deploy, and deploy the routes.
$ kubectl apply --filename api-gw/consul-api-gateway.yaml --namespace consul && \
kubectl wait --for=condition=ready gateway/api-gateway --namespace consul --timeout=90s && \
kubectl apply --filename api-gw/routes.yaml --namespace consul
Expected output:
gateway.gateway.networking.k8s.io/api-gateway created
gateway.gateway.networking.k8s.io/api-gateway condition met
httproute.gateway.networking.k8s.io/http-route-1 created
Verify you have created all the pods in your consul namespace. You should find an output similar to the following.
$ kubectl get pods --namespace consul | grep "api-gateway"
NAME READY STATUS RESTARTS AGE
api-gateway-6ddbd69979-bm5kq 1/1 Running 0 64s
consul-api-gateway-controller-66dddfb4c8-jj8w2 1/1 Running 1 7m9s
The diagram below shows the services running in your Kubernetes cluster. This includes Consul API Gateway, service mesh layer, and HashiCups microservice application pods.
Consul API Gateway enables ingress, load-balancing, and other advanced traffic behavior for your service mesh applications. In this tutorial, Consul API Gateway allows external traffic into the HashiCups service.
Deploy RBAC and Reference Grant resources
Now that Consul API Gateway is operational in your cluster, you will deploy role-based access control (RBAC) and Reference Grant resources. RBAC enables the Consul API gateway to interact with Consul datacenter resources and reference grants enable the Consul API Gateway to route traffic between different namespaces.
Deploy the RBAC and Reference Grant resources.
$ kubectl apply --filename hashicups/v2/
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-tokenreview-binding created
clusterrole.rbac.authorization.k8s.io/consul-api-gateway-auth created
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-auth-binding created
clusterrolebinding.rbac.authorization.k8s.io/consul-auth-binding created
referencegrant.gateway.networking.k8s.io/consul-reference-grant created
Now that Consul API Gateway is operational in your cluster, you will deploy role-based access control (RBAC) and Reference Grant resources. RBAC enables the Consul API gateway to interact with Consul datacenter resources and reference grants enable the Consul API Gateway to route traffic between different namespaces.
Deploy the RBAC and Reference Grant resources.
$ kubectl apply --filename hashicups/v2/
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-tokenreview-binding created
clusterrole.rbac.authorization.k8s.io/consul-api-gateway-auth created
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-auth-binding created
clusterrolebinding.rbac.authorization.k8s.io/consul-auth-binding created
referencegrant.gateway.networking.k8s.io/consul-reference-grant created
Now that Consul API Gateway is operational in your cluster, you will deploy role-based access control (RBAC) and Reference Grant resources. RBAC enables the Consul API gateway to interact with Consul datacenter resources and reference grants enable the Consul API Gateway to route traffic between different namespaces.
Deploy the RBAC and Reference Grant resources.
$ kubectl apply --filename hashicups/v2/
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-tokenreview-binding created
clusterrole.rbac.authorization.k8s.io/consul-api-gateway-auth created
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-auth-binding created
clusterrolebinding.rbac.authorization.k8s.io/consul-auth-binding created
referencegrant.gateway.networking.k8s.io/consul-reference-grant created
Now that Consul API Gateway is operational in your cluster, you will deploy role-based access control (RBAC) and Reference Grant resources. RBAC enables the Consul API gateway to interact with Consul datacenter resources and reference grants enable the Consul API Gateway to route traffic between different namespaces.
Deploy the RBAC and Reference Grant resources.
$ kubectl apply --filename hashicups/v2/
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-tokenreview-binding created
clusterrole.rbac.authorization.k8s.io/consul-api-gateway-auth created
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-auth-binding created
clusterrolebinding.rbac.authorization.k8s.io/consul-auth-binding created
referencegrant.gateway.networking.k8s.io/consul-reference-grant created
Now that Consul API Gateway is operational in your cluster, you will deploy role-based access control (RBAC) and Reference Grant resources. RBAC enables the Consul API gateway to interact with Consul datacenter resources and reference grants enable the Consul API Gateway to route traffic between different namespaces.
Deploy the RBAC and Reference Grant resources.
$ kubectl apply --filename hashicups/v2/
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-tokenreview-binding created
clusterrole.rbac.authorization.k8s.io/consul-api-gateway-auth created
clusterrolebinding.rbac.authorization.k8s.io/consul-api-gateway-auth-binding created
clusterrolebinding.rbac.authorization.k8s.io/consul-auth-binding created
referencegrant.gateway.networking.k8s.io/consul-reference-grant created
View Consul services
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh ingress.
In your terminal, run the CLI command consul catalog services to return the api-gateway service registered in Consul.
$ consul catalog services | grep api-gateway
api-gateway
Return the list of Consul intentions. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ consul intention list
ID Source Action Destination Precedence
api-gateway allow nginx 9
nginx allow frontend 9
nginx allow public-api 9
product-api allow product-api-db 9
public-api allow payments 9
public-api allow product-api 9
Output the HCP Consul URL value to your terminal and paste it in your browser.
$ echo $CONSUL_HTTP_ADDR
learn-hcp-eks-cluster.public.consul.00000000-0000-0000-0000-000000000000.aws.hashicorp.cloud
Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI.
$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc
On the left navigation pane, click the Services tab to review your deployed services. Click the API Gateway service to view the service details.
Within the API Gateway service details page, click the Intentions sub-tab. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
In your terminal, run the following curl command to return the list of Consul services. Notice that api-gateway is one of them.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/catalog/services
Sample output:
{"api-gateway":[],"consul":[],"frontend":[],"frontend-sidecar-proxy":[],"nginx":[],"nginx-sidecar-proxy":[],"payments":[],"payments-sidecar-proxy":[],"product-api":[],"product-api-db":[],"product-api-db-sidecar-proxy":[],"product-api-sidecar-proxy":[],"public-api":[],"public-api-sidecar-proxy":[]}
Run the following curl command to return the list of intentions defined in Consul. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/connect/intentions
Sample output:
[{"Description":"Allow traffic from Consul API Gateway. Reconciled by controller at 2022-09-12T14:45:16Z.","SourceNS":"default","SourceName":"api-gateway","DestinationNS":"default","DestinationName":"nginx","SourceType":"consul","Action":"allow","Precedence":9,"CreateIndex":205,"ModifyIndex":205},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"frontend","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":256,"ModifyIndex":256},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"public-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":257,"ModifyIndex":257},{"SourceNS":"default","SourceName":"product-api","DestinationNS":"default","DestinationName":"product-api-db","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":259,"ModifyIndex":259},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"payments","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":260,"ModifyIndex":260},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"product-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":258,"ModifyIndex":258}]
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh ingress.
In your terminal, run the CLI command consul catalog services to return the api-gateway service registered in Consul.
$ consul catalog services | grep api-gateway
api-gateway
Return the list of Consul intentions. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ consul intention list
ID Source Action Destination Precedence
api-gateway allow nginx 9
nginx allow frontend 9
nginx allow public-api 9
product-api allow product-api-db 9
public-api allow payments 9
public-api allow product-api 9
Output the HCP Consul URL value to your terminal and paste it in your browser.
$ echo $CONSUL_HTTP_ADDR
learn-hcp-aks-cluster.public.consul.00000000-0000-0000-0000-000000000000.azure.hashicorp.cloud
Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI.
$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc
On the left navigation pane, click the Services tab to review your deployed services. Click the API Gateway service to view the service details.
Within the API Gateway service details page, click the Intentions sub-tab. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
In your terminal, run the following curl command to return the list of Consul services. Notice that api-gateway is one of them.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/catalog/services
Sample output:
{"api-gateway":[],"consul":[],"frontend":[],"frontend-sidecar-proxy":[],"nginx":[],"nginx-sidecar-proxy":[],"payments":[],"payments-sidecar-proxy":[],"product-api":[],"product-api-db":[],"product-api-db-sidecar-proxy":[],"product-api-sidecar-proxy":[],"public-api":[],"public-api-sidecar-proxy":[]}
Run the following curl command to return the list of intentions defined in Consul. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/connect/intentions
Sample output:
[{"Description":"Allow traffic from Consul API Gateway. Reconciled by controller at 2022-09-12T14:45:16Z.","SourceNS":"default","SourceName":"api-gateway","DestinationNS":"default","DestinationName":"nginx","SourceType":"consul","Action":"allow","Precedence":9,"CreateIndex":205,"ModifyIndex":205},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"frontend","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":256,"ModifyIndex":256},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"public-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":257,"ModifyIndex":257},{"SourceNS":"default","SourceName":"product-api","DestinationNS":"default","DestinationName":"product-api-db","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":259,"ModifyIndex":259},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"payments","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":260,"ModifyIndex":260},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"product-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":258,"ModifyIndex":258}]
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh ingress.
In your terminal, run the CLI command consul catalog services to return the api-gateway service registered in Consul.
$ consul catalog services | grep api-gateway
api-gateway
Return the list of Consul intentions. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ consul intention list
ID Source Action Destination Precedence
api-gateway allow nginx 9
nginx allow frontend 9
nginx allow public-api 9
product-api allow product-api-db 9
public-api allow payments 9
public-api allow product-api 9
Output the Consul URL value to your terminal and paste it in your browser.
$ echo $CONSUL_HTTP_ADDR
https://my-loadbalancer-1234567890.us-east-1.elb.amazonaws.com
Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI.
$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc
On the left navigation pane, click the Services tab to review your deployed services. Click the API Gateway service to view the service details.
Within the API Gateway service details page, click the Intentions sub-tab. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
In your terminal, run the following curl command to return the list of Consul services. Notice that api-gateway is one of them.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/catalog/services
Sample output:
{"api-gateway":[],"consul":[],"frontend":[],"frontend-sidecar-proxy":[],"nginx":[],"nginx-sidecar-proxy":[],"payments":[],"payments-sidecar-proxy":[],"product-api":[],"product-api-db":[],"product-api-db-sidecar-proxy":[],"product-api-sidecar-proxy":[],"public-api":[],"public-api-sidecar-proxy":[]}
Run the following curl command to return the list of intentions defined in Consul. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/connect/intentions
Sample output:
[{"Description":"Allow traffic from Consul API Gateway. Reconciled by controller at 2022-09-12T14:45:16Z.","SourceNS":"default","SourceName":"api-gateway","DestinationNS":"default","DestinationName":"nginx","SourceType":"consul","Action":"allow","Precedence":9,"CreateIndex":205,"ModifyIndex":205},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"frontend","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":256,"ModifyIndex":256},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"public-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":257,"ModifyIndex":257},{"SourceNS":"default","SourceName":"product-api","DestinationNS":"default","DestinationName":"product-api-db","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":259,"ModifyIndex":259},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"payments","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":260,"ModifyIndex":260},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"product-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":258,"ModifyIndex":258}]
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh ingress.
In your terminal, run the CLI command consul catalog services to return the api-gateway service registered in Consul.
$ consul catalog services | grep api-gateway
api-gateway
Return the list of Consul intentions. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ consul intention list
ID Source Action Destination Precedence
api-gateway allow nginx 9
nginx allow frontend 9
nginx allow public-api 9
product-api allow product-api-db 9
public-api allow payments 9
public-api allow product-api 9
Output the Consul URL value to your terminal and paste it in your browser.
$ echo $CONSUL_HTTP_ADDR
https://24.122.12.125
Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI.
$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc
On the left navigation pane, click the Services tab to review your deployed services. Click the API Gateway service to view the service details.
Within the API Gateway service details page, click the Intentions sub-tab. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
In your terminal, run the following curl command to return the list of Consul services. Notice that api-gateway is one of them.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/catalog/services
Sample output:
{"api-gateway":[],"consul":[],"frontend":[],"frontend-sidecar-proxy":[],"nginx":[],"nginx-sidecar-proxy":[],"payments":[],"payments-sidecar-proxy":[],"product-api":[],"product-api-db":[],"product-api-db-sidecar-proxy":[],"product-api-sidecar-proxy":[],"public-api":[],"public-api-sidecar-proxy":[]}
Run the following curl command to return the list of intentions defined in Consul. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/connect/intentions
Sample output:
[{"Description":"Allow traffic from Consul API Gateway. Reconciled by controller at 2022-09-12T14:45:16Z.","SourceNS":"default","SourceName":"api-gateway","DestinationNS":"default","DestinationName":"nginx","SourceType":"consul","Action":"allow","Precedence":9,"CreateIndex":205,"ModifyIndex":205},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"frontend","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":256,"ModifyIndex":256},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"public-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":257,"ModifyIndex":257},{"SourceNS":"default","SourceName":"product-api","DestinationNS":"default","DestinationName":"product-api-db","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":259,"ModifyIndex":259},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"payments","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":260,"ModifyIndex":260},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"product-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":258,"ModifyIndex":258}]
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh ingress.
Open a separate terminal window and expose the Consul server with kubectl port-forward using the consul-ui service name as the target.
$ kubectl port-forward svc/consul-ui --namespace consul 8501:443
In your original terminal, run the CLI command consul catalog services to return the api-gateway service registered in Consul.
$ consul catalog services | grep api-gateway
api-gateway
Return the list of Consul intentions. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ consul intention list
ID Source Action Destination Precedence
api-gateway allow nginx 9
nginx allow frontend 9
nginx allow public-api 9
product-api allow product-api-db 9
public-api allow payments 9
public-api allow product-api 9
Open a separate terminal window and expose the Consul UI with kubectl port-forward using the consul-ui service name as the target.
$ kubectl port-forward svc/consul-ui --namespace consul 8501:443
Open https://localhost:8501 in your browser to find the Consul UI.
On the left navigation pane, click the Services tab to review your deployed services. Click the API Gateway service to view the service details.
Within the API Gateway service details page, click the Intentions sub-tab. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
Open a separate terminal window and expose the Consul server with kubectl port-forward using the consul-ui service name as the target.
$ kubectl port-forward svc/consul-ui --namespace consul 8501:443
In your original terminal, run the following curl command to return the list of Consul services. Notice that api-gateway is one of them.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/catalog/services
Sample output:
{"api-gateway":[],"consul":[],"frontend":[],"frontend-sidecar-proxy":[],"nginx":[],"nginx-sidecar-proxy":[],"payments":[],"payments-sidecar-proxy":[],"product-api":[],"product-api-db":[],"product-api-db-sidecar-proxy":[],"product-api-sidecar-proxy":[],"public-api":[],"public-api-sidecar-proxy":[]}
Run the following curl command to return the list of intentions defined in Consul. Consul automatically creates intentions between the Consul API Gateway and any destination services defined in your route configuration files. In this case, it created an intention to allow traffic from api-gateway to nginx.
$ curl -k \
--header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
$CONSUL_HTTP_ADDR/v1/connect/intentions
Sample output:
[{"Description":"Allow traffic from Consul API Gateway. Reconciled by controller at 2022-09-12T14:45:16Z.","SourceNS":"default","SourceName":"api-gateway","DestinationNS":"default","DestinationName":"nginx","SourceType":"consul","Action":"allow","Precedence":9,"CreateIndex":205,"ModifyIndex":205},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"frontend","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":256,"ModifyIndex":256},{"SourceNS":"default","SourceName":"nginx","DestinationNS":"default","DestinationName":"public-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":257,"ModifyIndex":257},{"SourceNS":"default","SourceName":"product-api","DestinationNS":"default","DestinationName":"product-api-db","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":259,"ModifyIndex":259},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"payments","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":260,"ModifyIndex":260},{"SourceNS":"default","SourceName":"public-api","DestinationNS":"default","DestinationName":"product-api","SourceType":"consul","Action":"allow","Meta":{"consul.hashicorp.com/source-datacenter":"dc1","external-source":"kubernetes"},"Precedence":9,"CreateIndex":258,"ModifyIndex":258}]
Explore ingress into the demo application
Set your Consul API Gateway address to the CONSUL_APIGW_ADDR environment variable.
$ export CONSUL_APIGW_ADDR=http://$(kubectl get svc/api-gateway --namespace consul -o json | jq -r '.status.loadBalancer.ingress[0].hostname'):8080
Output the Consul API Gateway value to your terminal and paste it in your browser to access the HashiCups UI through the API Gateway.
$ echo $CONSUL_APIGW_ADDR
http://a46cc0cc9dc6841a4b1a0fa1771973ca-1032165333.us-west-2.elb.amazonaws.com:8080
For more information on accessing service mesh services via the Consul API Gateway, visit the Consul API Gateway documentation page.
Set your Consul API Gateway address to the CONSUL_APIGW_ADDR environment variable.
$ export CONSUL_APIGW_ADDR=http://$(kubectl get svc/api-gateway --namespace consul -o json | jq -r '.status.loadBalancer.ingress[0].ip'):8080
Output the Consul API Gateway value to your terminal and paste it in your browser to access the HashiCups UI through the API Gateway.
$ echo $CONSUL_APIGW_ADDR
http://24.132.10.127:8080
For more information on accessing service mesh services via the Consul API Gateway, visit the Consul API Gateway documentation page.
Set your Consul API Gateway address to the CONSUL_APIGW_ADDR environment variable.
$ export CONSUL_APIGW_ADDR=http://$(kubectl get svc/api-gateway --namespace consul -o json | jq -r '.status.loadBalancer.ingress[0].hostname'):8080
Output the Consul API Gateway value to your terminal and paste it in your browser to access the HashiCups UI through the API Gateway.
$ echo $CONSUL_APIGW_ADDR
http://a46cc0cc9dc6841a4b1a0fa1771973ca-1032165333.us-west-2.elb.amazonaws.com:8080
For more information on accessing service mesh services via the Consul API Gateway, visit the Consul API Gateway documentation page.
Set your Consul API Gateway address to the CONSUL_APIGW_ADDR environment variable.
$ export CONSUL_APIGW_ADDR=http://$(kubectl get svc/api-gateway --namespace consul -o json | jq -r '.status.loadBalancer.ingress[0].ip'):8080
Output the Consul API Gateway value to your terminal and paste it in your browser to access the HashiCups UI through the API Gateway.
$ echo $CONSUL_APIGW_ADDR
http://24.132.10.127:8080
For more information on accessing service mesh services via the Consul API Gateway, visit the Consul API Gateway documentation page.
Retrieve information on the api-gateway service.
$ kubectl get services api-gateway --namespace consul
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
api-gateway NodePort 10.96.214.246 <none> 8443:31800/TCP 8m7s
In this local environment, API Gateway uses NodePort to let you access your application directly through the API Gateway without having to forward your Kubernetes cluster’s ports. In a cloud environment, API Gateway may use a LoadBalancer to automatically provision a publicly accessible DNS entry.
Access the HashiCups UI through the API Gateway by opening https://localhost:8443 in your browser.
For more information on accessing service mesh services via the Consul API Gateway, visit the Consul API Gateway documentation page.
Next Steps
In this tutorial, you enabled Consul ingress features and deployed Consul API Gateway into your Kubernetes cluster. After deploying Consul API Gateway, you accessed the demo application HashiCups through the Consul API Gateway endpoint and explored how ingress into a service mesh application works.
In the next tutorial, you will deploy an observability suite to explore metrics, logs, and distributed traces within your Consul service mesh.
For more information about the topics covered in this tutorial, refer to the following resources: