HashiCorp has moved their Consul API Gateway into beta release. The release adds a number of new features to their Consul Service Mesh ingress solution including support for TCPRoute, installation via Helm Chart, and TLS settings per listener.
Consul API Gateway facilitates routing traffic to applications running on the Consul service mesh. It is meant to solve two primary problems: controlling access at the ingress point and simplifying traffic management. Consul API Gateway allows for setting the protocols of external connection requests and providing clients with TLS certificates from trusted providers. The service also allows for load balancing across services and routing traffic via pattern matching within the hostname, path, header, or HTTP verb.
Consul API Gateway is built on the Kubernetes Gateway API specification. This specification defines custom resource definitions (CRDs) to create gateways and routes based on the path or protocol of the client request. It is an open-source project that aims "to evolve Kubernetes service networking through expressive, extensible, and role-oriented interfaces that are implemented by many vendors and have broad industry support".
This release adds support for both TCP and TCP + TLS connections between clients and service mesh applications through TCPRoute. It is also possible to create TCP-based routes that leverage a TLS listener. The example below uses the Kubernetes Gateway API CRD to implement and manage the TCP route:
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: tcp-app-1
spec:
  parentRefs:
  - name: my-tcp-gateway
    sectionName: foo
  rules:
  - backendRefs:
    - name: my-foo-service
      port: 6000
It is now possible to configure TLS settings on a per-listener basis. This includes setting the minimum and maximum allowable TLS version and the cipher suites. This example sets the minimum TLS version to 1.3 and dictates the allowed cipher suites for HTTPS traffic on port 8443:
listeners:
- protocol: HTTPS
  port: 8443
  name: https
  allowedRoutes:
    namespaces:
      from: Same
  tls:
    certificateRefs:
    - name: consul-server-cert
    options:
      "api-gateway.consul.hashicorp.com/tls_min_version": "TLSv1_3"
      "api-gateway.consul.hashicorp.com/tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
This release also extends the Consul Helm chart so that it can install and configure the Consul API Gateway. This is available in version 0.40.0 and higher of the Consul Helm chart, and the Consul servers must be running version 1.11.1 or higher.
More details about the release can be found on the HashiCorp blog and within the Consul documentation. There is also a new HashiCorp Learn Tutorial that walks through setting up Consul API Gateway on Kubernetes.
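The per-listener TLS options shown earlier can be checked before a Gateway is applied. The following is an added example, not code from HashiCorp or the original article: it audits listener entries (as dicts loaded from the Gateway YAML) for a missing or low `tls_min_version`, weak suites, and a cipher list made up only of TLS 1.2 suite names on a TLS 1.3-only listener, which is the case in the listener snippet above. The function names, finding codes, version value list and the second listener are assumptions constructed for illustration.

```python
MIN_KEY = "api-gateway.consul.hashicorp.com/tls_min_version"
SUITES_KEY = "api-gateway.consul.hashicorp.com/tls_cipher_suites"
# Assumption: version values follow the "TLSv1_3" pattern shown on the page.
VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
WEAK_MARKERS = ("_CBC_", "_RC4_", "_3DES_", "_NULL_")

def audit_listener(listener, required_min="TLSv1_2"):
    """Return finding codes for one listener dict (as loaded from the Gateway YAML)."""
    tls = listener.get("tls")
    if not tls:
        return ["no-tls"]
    options = tls.get("options") or {}
    findings = []
    min_version = options.get(MIN_KEY)
    if min_version is None:
        findings.append("min-version-unset")
    elif min_version not in VERSIONS:
        findings.append("min-version-unknown")
    elif VERSIONS.index(min_version) < VERSIONS.index(required_min):
        findings.append("min-version-too-low")
    suites = [s.strip() for s in options.get(SUITES_KEY, "").split(",") if s.strip()]
    if any(m in s for s in suites for m in WEAK_MARKERS):
        findings.append("weak-cipher-suite")
    # IANA names containing "_WITH_" are TLS 1.2-and-earlier suites; TLS 1.3 (RFC 8446)
    # uses its own set, so such a list does not describe what a 1.3-only listener negotiates.
    if min_version == "TLSv1_3" and suites and all("_WITH_" in s for s in suites):
        findings.append("suites-not-tls13")
    return findings

def audit_gateway(listeners, required_min="TLSv1_2"):
    """Map each listener name to its findings."""
    return {l.get("name", "?"): audit_listener(l, required_min) for l in listeners}

# Constructed inputs: the first mirrors the page's listener, the second is a weak variant.
PAGE_LISTENER = {
    "protocol": "HTTPS", "port": 8443, "name": "https",
    "tls": {
        "certificateRefs": [{"name": "consul-server-cert"}],
        "options": {
            MIN_KEY: "TLSv1_3",
            SUITES_KEY: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
                        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        },
    },
}
WEAK_LISTENER = {
    "protocol": "HTTPS", "port": 8444, "name": "legacy",
    "tls": {"options": {MIN_KEY: "TLSv1_0",
                        SUITES_KEY: "TLS_RSA_WITH_AES_128_CBC_SHA"}},
}
```

A `suites-not-tls13` finding is a prompt to confirm against the gateway's documentation which suites the listener actually offers, not proof of a weak configuration.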