Consul API Gateway Now Generally Available
The Consul API Gateway has now reached its first GA release, adding TCPRoute support, Helm chart support, and a new HashiCorp Learn tutorial.
At HashiConf Global 2021 we introduced the Consul API Gateway, a solution to help users consistently manage access to their service mesh applications. Today, we are pleased to announce that the Consul API Gateway is now generally available to the public. This milestone further cements Consul’s ability to help users control access and manage north-south traffic from external clients in production ready environments. This blog post covers some of the features introduced at the tech preview and beta releases and provides instructions on how to get started.
» HTTPRoute Support
At the core of the Consul API Gateway is the ability to dynamically create, modify, and delete routes for external client requests that hit the gateway. This is done using the HttpRoute spec from the Kubernetes Gateway API. Users configure how client requests are handled based on certain parameters, e.g. path prefixes, header values, or query parameters. These rules are then applied using a Custom Resource Definition and attached to the gateway as a route. Here is an example of an HTTPRoute for splitting client requests between two services based on the path prefix /echo
and weights:
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: gateway-route
spec:
parentRefs:
- name: my-api-gateway
rules:
matches:
- path:
type: PathPrefix
value: /echo
- backendRefs:
- kind: service
name: echo-1
port: 6000
weight: 50
- kind: service
name: echo-2
port: 6100
weight: 50
» TCPRoute Support
The Consul API Gateway can be used to manage route destinations and protocol connections between mesh services and external clients. In the tech preview, the API Gateway supported HTTP/S routes, but we recognize that some applications require different protocols, namely TCP. In the beta release, we added TCPRoute
support for both TCP and TCP+TLS connections between clients and service mesh applications. The example below uses the Kubernetes Gateway API CRD for implementing and managing these TCP routes:
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: tcp-app-1
spec:
parentRefs:
- name: my-tcp-gateway
sectionName: foo
rules:
- backendRefs:
- name: my-foo-service
port: 6000
With the TLSRoute
resource, users can also create a TCP-based route that leverages a TLS listener. For more information on these resources, please review the TCPRoute documentation in the API specification.
» TLS Settings per Listener
To improve security controls, we’ve added the ability to configure TLS settings on a per-listener basis. The settings can set the minimum and maximum enabled TLS versions, and the allowed cipher suites. The example below shows how to configure them on a listener:
listeners:
- protocol: HTTPS
port: 8443
name: https
allowedRoutes:
namespaces:
from: Same
tls:
certificateRefs:
- name: consul-server-cert
options:
"api-gateway.consul.hashicorp.com/tls_min_version": "TLSv1_3"
"api-gateway.consul.hashicorp.com/tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
» Helm Chart Support
As of version 0.41.0, the Consul Helm chart supports the installation and configuration of the Consul API Gateway and underlying components. Users need to add the following block to their Helm values file in order to get started:
global:
name: consul
image: "hashicorp/consul:1.11.2"
enabled: false
acls:
manageSystemACLs: true
gossipEncryption:
autoGenerate: true
tls:
enabled: true
enableAutoEncrypt: true
server:
replicas: 1
connectInject:
enabled: true
controller:
enabled: true
apiGateway:
enabled: true
image: "hashicorp/consul-api-gateway:0.1.0"
logLevel: debug
The Consul servers must be running version 1.11.2 or higher for the Consul API Gateway.
» New Consul API Gateway Guide
A HashiCorp Learn tutorial is now available to help you get started with Consul API Gateway on Kubernetes. The tutorial steps through how to deploy a set of microservices using Consul API Gateway as an ingress point, and how to leverage the API Gateway as a load balancer.
» Next Steps
We are excited to offer this new solution to our customers and look forward to your feedback. With the addition of the Consul API Gateway, HashiCorp Consul gives users the ability to discover services, secure networking, automate networking, and now manage access to those services. For more information, please read the Consul API Gateway documentation.
Sign up for the latest HashiCorp news
More blog posts like this one
Consul 1.19 improves Kubernetes workflows, snapshot support, and Nomad integration
HashiCorp Consul 1.19 simplifies external service registration in Consul on Kubernetes, boosts Nomad support, and adds even more enhancements.
Mitigate cloud risk with Security Lifecycle Management
Protect, inspect, and connect your sensitive data with Security Lifecycle Management solutions from HashiCorp.
Introducing The Infrastructure Cloud
Do cloud right with The Infrastructure Cloud from HashiCorp. Unlock developer potential while controlling cloud costs and risk.