
Consul API Gateway Now Generally Available

The Consul API Gateway has now reached its first GA release, adding TCPRoute support, Helm chart support, and a new HashiCorp Learn tutorial.

At HashiConf Global 2021 we introduced the Consul API Gateway, a solution to help users consistently manage access to their service mesh applications. Today, we are pleased to announce that the Consul API Gateway is now generally available to the public. This milestone further cements Consul’s ability to help users control access and manage north-south traffic from external clients in production-ready environments. This blog post covers some of the features introduced in the tech preview and beta releases and provides instructions on how to get started.

»HTTPRoute Support

At the core of the Consul API Gateway is the ability to dynamically create, modify, and delete routes for external client requests that hit the gateway. This is done using the HTTPRoute spec from the Kubernetes Gateway API. Users configure how client requests are handled based on certain parameters, e.g. path prefixes, header values, or query parameters. These rules are then applied using a Custom Resource Definition and attached to the gateway as a route. Here is an example of an HTTPRoute that splits client requests between two services, matching on the path prefix /echo and using weights:

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: gateway-route
spec:
  # Attach this route to the gateway named my-api-gateway
  parentRefs:
  - name: my-api-gateway
  rules:
  # One rule: requests under /echo are split evenly between two backends
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - kind: Service
      name: echo-1
      port: 6000
      weight: 50
    - kind: Service
      name: echo-2
      port: 6100
      weight: 50
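
To see which request paths the rule above exposes and how the weights divide them, the following added example (not HashiCorp code and not part of the original post) models the rule in Python. It assumes the Gateway API's PathPrefix semantics of matching whole path elements, does not model proxy-side path normalization, and the function names are hypothetical.

```python
import random

# The rule from the HTTPRoute manifest above: prefix plus (name, port, weight).
PREFIX = "/echo"
BACKENDS = [("echo-1", 6000, 50), ("echo-2", 6100, 50)]

def path_prefix_matches(prefix, path):
    """PathPrefix matches whole path elements, case-sensitively.

    /echo matches /echo, /echo/ and /echo/x, but not /echoes or /Echo.
    """
    path = path.split("?", 1)[0]          # the query string is not part of the path
    base = prefix.rstrip("/")             # a trailing slash on the prefix is ignored
    return path == base or path.startswith(base + "/")

def pick_backend(backends, rng):
    """Pick one backend with probability weight / sum(weights)."""
    weights = [w for _, _, w in backends]
    if sum(weights) == 0:                 # nothing is eligible to receive traffic
        return None
    return rng.choices(backends, weights=weights, k=1)[0]

def route_request(path, rng):
    """Return (service, port) for a request path, or None if no rule matches."""
    if not path_prefix_matches(PREFIX, path):
        return None
    choice = pick_backend(BACKENDS, rng)
    return None if choice is None else (choice[0], choice[1])

def split_counts(n, seed):
    """Route n matching requests and count how many each service receives."""
    rng = random.Random(seed)
    counts = {name: 0 for name, _, _ in BACKENDS}
    for _ in range(n):
        counts[route_request("/echo/health", rng)[0]] += 1
    return counts

if __name__ == "__main__":
    for p in ["/echo", "/echo/v1?x=1", "/echoes", "/Echo", "/admin"]:
        print(p, "->", route_request(p, random.Random(1)))
    print(split_counts(10000, seed=7))
```
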

»TCPRoute Support

The Consul API Gateway can be used to manage route destinations and protocol connections between mesh services and external clients. In the tech preview, the API Gateway supported HTTP/S routes, but we recognize that some applications require different protocols, namely TCP. In the beta release, we added TCPRoute support for both TCP and TCP+TLS connections between clients and service mesh applications. The example below uses the Kubernetes Gateway API CRD for implementing and managing these TCP routes:

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: tcp-app-1
spec:
  parentRefs:
  - name: my-tcp-gateway
    sectionName: foo
  rules:
  - backendRefs:
    - name: my-foo-service
      port: 6000

With the TLSRoute resource, users can also create a TCP-based route that leverages a TLS listener. For more information on these resources, please review the TCPRoute documentation in the API specification.

»TLS Settings per Listener

To improve security controls, we’ve added the ability to configure TLS settings on a per-listener basis. The settings can set the minimum and maximum enabled TLS versions, and the allowed cipher suites. The example below shows how to configure them on a listener:

listeners:
  - protocol: HTTPS
    port: 8443
    name: https
    allowedRoutes:
      namespaces:
        from: Same
    tls:
      certificateRefs:
        - name: consul-server-cert
      options:
        "api-gateway.consul.hashicorp.com/tls_min_version": "TLSv1_3"
        "api-gateway.consul.hashicorp.com/tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
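
A listener's TLS options can be checked against a policy before the manifest is applied. The audit below is an added example, not HashiCorp code or part of the original post; the version names other than TLSv1_3, the tls_max_version key name, and the policy itself (TLS 1.2 floor, forward-secret AEAD suites only) are assumptions.

```python
PREFIX = "api-gateway.consul.hashicorp.com/"
# Assumed: version names other than "TLSv1_3" and the tls_max_version key.
VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]

def audit_listener(listener, floor="TLSv1_2"):
    """Return (code, detail) findings for one Gateway listener dict."""
    findings = []
    opts = (listener.get("tls") or {}).get("options") or {}
    min_v = opts.get(PREFIX + "tls_min_version")
    max_v = opts.get(PREFIX + "tls_max_version")
    raw = opts.get(PREFIX + "tls_cipher_suites", "")
    suites = [s.strip() for s in raw.split(",") if s.strip()]
    if min_v is None:
        findings.append(("min-version-unset", "gateway default applies"))
    elif min_v not in VERSIONS:
        findings.append(("min-version-unknown", min_v))
    elif VERSIONS.index(min_v) < VERSIONS.index(floor):
        findings.append(("min-version-below-floor", f"{min_v} < {floor}"))
    if min_v in VERSIONS and max_v in VERSIONS and \
            VERSIONS.index(max_v) < VERSIONS.index(min_v):
        findings.append(("max-below-min", f"{max_v} < {min_v}"))
    for suite in suites:
        if "_WITH_" not in suite:   # TLS 1.3 suite names: always AEAD
            continue
        aead = "_GCM_" in suite or "CHACHA20_POLY1305" in suite
        forward_secret = suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
        if not (aead and forward_secret):
            findings.append(("weak-suite", suite))
    # Names containing "_WITH_" are TLS 1.2-and-earlier suites. TLS 1.3 has its
    # own suite set, so they cannot be negotiated once the minimum is TLS 1.3.
    if min_v == "TLSv1_3" and any("_WITH_" in s for s in suites):
        findings.append(("suites-unused-at-tls13", ",".join(suites)))
    return findings

# The TLS options of the listener shown above.
PAGE_LISTENER = {"name": "https", "protocol": "HTTPS", "tls": {"options": {
    PREFIX + "tls_min_version": "TLSv1_3",
    PREFIX + "tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
                                  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}}}
# Constructed sample of a listener that violates the assumed policy.
WEAK_LISTENER = {"name": "legacy", "protocol": "HTTPS", "tls": {"options": {
    PREFIX + "tls_min_version": "TLSv1_0",
    PREFIX + "tls_cipher_suites": "TLS_RSA_WITH_AES_128_CBC_SHA,"
                                  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}}}

if __name__ == "__main__":
    for l in (PAGE_LISTENER, WEAK_LISTENER):
        print(l["name"], audit_listener(l))
```
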

»Helm Chart Support

As of version 0.41.0, the Consul Helm chart supports the installation and configuration of the Consul API Gateway and underlying components. Users need to add the following block to their Helm values file in order to get started:

global:
 name: consul
 image: "hashicorp/consul:1.11.2"
 enabled: false
 acls:
   manageSystemACLs: true
 gossipEncryption:
   autoGenerate: true
 tls:
   enabled: true
   enableAutoEncrypt: true
 
server:
 replicas: 1
connectInject:
 enabled: true
controller:
 enabled: true
apiGateway:
 enabled: true
 image: "hashicorp/consul-api-gateway:0.1.0"
 logLevel: debug

The Consul servers must be running version 1.11.2 or higher for the Consul API Gateway.

»New Consul API Gateway Guide

A HashiCorp Learn tutorial is now available to help you get started with Consul API Gateway on Kubernetes. The tutorial steps through how to deploy a set of microservices using Consul API Gateway as an ingress point, and how to leverage the API Gateway as a load balancer.

Consul API Gateway diagram in a Kubernetes environment.

»Next Steps

We are excited to offer this new solution to our customers and look forward to your feedback. With the addition of the Consul API Gateway, HashiCorp Consul gives users the ability to discover services, secure networking, automate networking, and now manage access to those services. For more information, please read the Consul API Gateway documentation.
