The Consul API Gateway has now reached its first GA release, adding TCPRoute support, Helm chart support, and a new HashiCorp Learn tutorial.
At HashiConf Global 2021 we introduced the Consul API Gateway, a solution to help users consistently manage access to their service mesh applications. Today, we are pleased to announce that the Consul API Gateway is now generally available to the public. This milestone further cements Consul’s ability to help users control access and manage north-south traffic from external clients in production ready environments. This blog post covers some of the features introduced at the tech preview and beta releases and provides instructions on how to get started.
At the core of the Consul API Gateway is the ability to dynamically create, modify, and delete routes for external client requests that hit the gateway. This is done using the HttpRoute spec from the Kubernetes Gateway API. Users configure how client requests are handled based on certain parameters, e.g. path prefixes, header values, or query parameters. These rules are then applied using a Custom Resource Definition and attached to the gateway as a route. Here is an example of an HTTPRoute for splitting client requests between two services based on the path prefix
/echo and weights:
apiVersion: gateway.networking.k8s.io/v1alpha2kind: HTTPRoutemetadata: name: gateway-routespec: parentRefs: - name: my-api-gateway rules:matches: - path: type: PathPrefix value: /echo - backendRefs: - kind: service name: echo-1 port: 6000 weight: 50 - kind: service name: echo-2 port: 6100 weight: 50
The Consul API Gateway can be used to manage route destinations and protocol connections between mesh services and external clients. In the tech preview, the API Gateway supported HTTP/S routes, but we recognize that some applications require different protocols, namely TCP. In the beta release, we added
TCPRoute support for both TCP and TCP+TLS connections between clients and service mesh applications. The example below uses the Kubernetes Gateway API CRD for implementing and managing these TCP routes:
apiVersion: gateway.networking.k8s.io/v1alpha2kind: TCPRoutemetadata: name: tcp-app-1spec: parentRefs: - name: my-tcp-gateway sectionName: foo rules: - backendRefs: - name: my-foo-service port: 6000
TLSRoute resource, users can also create a TCP-based route that leverages a TLS listener. For more information on these resources, please review the TCPRoute documentation in the API specification.
To improve security controls, we’ve added the ability to configure TLS settings on a per-listener basis. The settings can set the minimum and maximum enabled TLS versions, and the allowed cipher suites. The example below shows how to configure them on a listener:
listeners: - protocol: HTTPS port: 8443 name: https allowedRoutes: namespaces: from: Same tls: certificateRefs: - name: consul-server-cert options: "api-gateway.consul.hashicorp.com/tls_min_version": "TLSv1_3" "api-gateway.consul.hashicorp.com/tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
As of version 0.41.0, the Consul Helm chart supports the installation and configuration of the Consul API Gateway and underlying components. Users need to add the following block to their Helm values file in order to get started:
global: name: consul image: "hashicorp/consul:1.11.2" enabled: false acls: manageSystemACLs: true gossipEncryption: autoGenerate: true tls: enabled: true enableAutoEncrypt: true server: replicas: 1connectInject: enabled: truecontroller: enabled: trueapiGateway: enabled: true image: "hashicorp/consul-api-gateway:0.1.0" logLevel: debug
The Consul servers must be running version 1.11.2 or higher for the Consul API Gateway.
A HashiCorp Learn tutorial is now available to help you get started with Consul API Gateway on Kubernetes. The tutorial steps through how to deploy a set of microservices using Consul API Gateway as an ingress point, and how to leverage the API Gateway as a load balancer.
We are excited to offer this new solution to our customers and look forward to your feedback. With the addition of the Consul API Gateway, HashiCorp Consul gives users the ability to discover services, secure networking, automate networking, and now manage access to those services. For more information, please read the Consul API Gateway documentation.
The latest version of HashiCorp Consul on Amazon ECS adds support for AWS IAM authentication and mesh gateways.
HashiCorp Cloud Platform has added several new capabilities, including managed services for HashiCorp Boundary and Waypoint, and Drift Detection for Terraform Cloud.
The latest release of the HashiCorp Consul API Gateway allows users to generate multiple instances of a logical gateway — avoiding single points of failure.