The Consul API Gateway has now reached its first GA release, adding TCPRoute support, Helm chart support, and a new HashiCorp Learn tutorial.
At HashiConf Global 2021 we introduced the Consul API Gateway, a solution to help users consistently manage access to their service mesh applications. Today, we are pleased to announce that the Consul API Gateway is now generally available to the public. This milestone further cements Consul’s ability to help users control access and manage north-south traffic from external clients in production ready environments. This blog post covers some of the features introduced at the tech preview and beta releases and provides instructions on how to get started.
At the core of the Consul API Gateway is the ability to dynamically create, modify, and delete routes for external client requests that hit the gateway. This is done using the HttpRoute spec from the Kubernetes Gateway API. Users configure how client requests are handled based on certain parameters, e.g. path prefixes, header values, or query parameters. These rules are then applied using a Custom Resource Definition and attached to the gateway as a route. Here is an example of an HTTPRoute for splitting client requests between two services based on the path prefix
/echo and weights:
apiVersion: gateway.networking.k8s.io/v1alpha2 kind: HTTPRoute metadata: name: gateway-route spec: parentRefs: - name: my-api-gateway rules: matches: - path: type: PathPrefix value: /echo - backendRefs: - kind: service name: echo-1 port: 6000 weight: 50 - kind: service name: echo-2 port: 6100 weight: 50
The Consul API Gateway can be used to manage route destinations and protocol connections between mesh services and external clients. In the tech preview, the API Gateway supported HTTP/S routes, but we recognize that some applications require different protocols, namely TCP. In the beta release, we added
TCPRoute support for both TCP and TCP+TLS connections between clients and service mesh applications. The example below uses the Kubernetes Gateway API CRD for implementing and managing these TCP routes:
apiVersion: gateway.networking.k8s.io/v1alpha2 kind: TCPRoute metadata: name: tcp-app-1 spec: parentRefs: - name: my-tcp-gateway sectionName: foo rules: - backendRefs: - name: my-foo-service port: 6000
TLSRoute resource, users can also create a TCP-based route that leverages a TLS listener. For more information on these resources, please review the TCPRoute documentation in the API specification.
To improve security controls, we’ve added the ability to configure TLS settings on a per-listener basis. The settings can set the minimum and maximum enabled TLS versions, and the allowed cipher suites. The example below shows how to configure them on a listener:
listeners: - protocol: HTTPS port: 8443 name: https allowedRoutes: namespaces: from: Same tls: certificateRefs: - name: consul-server-cert options: "api-gateway.consul.hashicorp.com/tls_min_version": "TLSv1_3" "api-gateway.consul.hashicorp.com/tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
As of version 0.41.0, the Consul Helm chart supports the installation and configuration of the Consul API Gateway and underlying components. Users need to add the following block to their Helm values file in order to get started:
global: name: consul image: "hashicorp/consul:1.11.2" enabled: false acls: manageSystemACLs: true gossipEncryption: autoGenerate: true tls: enabled: true enableAutoEncrypt: true server: replicas: 1 connectInject: enabled: true controller: enabled: true apiGateway: enabled: true image: "hashicorp/consul-api-gateway:0.1.0" logLevel: debug
The Consul servers must be running version 1.11.2 or higher for the Consul API Gateway.
A HashiCorp Learn tutorial is now available to help you get started with Consul API Gateway on Kubernetes. The tutorial steps through how to deploy a set of microservices using Consul API Gateway as an ingress point, and how to leverage the API Gateway as a load balancer.
We are excited to offer this new solution to our customers and look forward to your feedback. With the addition of the Consul API Gateway, HashiCorp Consul gives users the ability to discover services, secure networking, automate networking, and now manage access to those services. For more information, please read the Consul API Gateway documentation.
Our tests show Consul servers remain healthy under all test configurations and that splitting up a large LAN gossip pool cuts the risk of gossip instability.
The new global management plane for Consul is now available as a free public beta. Try it out to gain full visibility for both self-managed and HCP Consul clusters.
Before we ring in the new year, here’s a look back at some of the most important moments in 2022 for HashiCorp.