2020-06-17 23:26:14 +00:00
---
layout: docs
2022-09-14 22:48:49 +00:00
page_title: Configure Ingress Gateways for Consul on Kubernetes
description: >-
2022-09-16 15:28:32 +00:00
Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh running on Kubernetes. Learn how to configure ingress gateways, set intentions, and connect them to k8s applications.
2020-06-17 23:26:14 +00:00
---
2022-09-14 22:48:49 +00:00
# Configure Ingress Gateways for Consul on Kubernetes
2020-07-15 22:45:20 +00:00
2023-07-13 22:17:32 +00:00
<Note>
Ingress gateway is deprecated and will not be enhanced beyond its current capabilities. Ingress gateway is fully supported
in this version but will be removed in a future release of Consul.
Consul's API gateway is the recommended alternative to ingress gateway.
</Note>
2020-07-15 22:45:20 +00:00
2023-01-25 16:52:43 +00:00
~> This topic requires familiarity with [Ingress Gateways](/consul/docs/connect/gateways/ingress-gateway).
2020-07-15 22:45:20 +00:00
2023-05-05 17:41:40 +00:00
This page describes how to enable external access through Consul ingress gateways to mesh services running inside Kubernetes.
2023-01-25 16:52:43 +00:00
See [Ingress Gateways](/consul/docs/connect/gateways/ingress-gateway) for more information on use-cases and how it works.
2020-07-15 22:45:20 +00:00
Adding an ingress gateway is a multi-step process that consists of the following steps:
2021-04-16 19:49:02 +00:00
- Setting the Helm chart configuration
- Deploying the Helm chart
2020-08-18 22:22:29 +00:00
- Configuring the gateway
- Defining an Intention (if ACLs are enabled)
- Deploying your application to Kubernetes
- Connecting to your application
2020-07-15 22:45:20 +00:00
## Setting the helm chart configuration
2020-08-18 22:22:29 +00:00
2021-04-16 19:49:02 +00:00
When deploying the Helm chart you must provide Helm with a custom YAML file that contains your environment configuration.
2020-07-15 22:45:20 +00:00
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml">
2021-07-31 01:37:33 +00:00
2020-07-15 22:45:20 +00:00
```yaml
global:
name: consul
connectInject:
enabled: true
ingressGateways:
enabled: true
gateways:
- name: ingress-gateway
service:
2020-07-15 23:24:55 +00:00
type: LoadBalancer
2020-07-15 22:45:20 +00:00
```
2020-08-18 22:22:29 +00:00
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2021-01-08 22:30:41 +00:00
~> **Note:** this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations.
2020-07-15 22:45:20 +00:00
2021-04-16 19:49:02 +00:00
The YAML snippet is the launching point for a valid configuration that must be supplied when installing using the [official consul-helm chart](https://hub.helm.sh/charts/hashicorp/consul).
2023-01-25 16:52:43 +00:00
Information on additional options can be found in the [Helm reference](/consul/docs/k8s/helm).
Configuration options for ingress gateways reside under the [ingressGateways](/consul/docs/k8s/helm#v-ingressgateways) entry.
2020-07-15 22:45:20 +00:00
The gateways stanza is where you will define and configure the set of ingress gateways you want deployed to your environment.
The only required field for each entry is `name`, though entries may contain any of the fields found in the `defaults` stanza.
Values in this section override the values from the defaults stanza for the given ingress gateway with one exception:
2020-08-18 22:22:29 +00:00
the annotations from the defaults stanza will be _appended_ to any user-defined annotations defined in the gateways stanza rather than being overridden.
2023-01-25 16:52:43 +00:00
Please refer to the ingress gateway configuration [documentation](/consul/docs/k8s/helm#v-ingressgateways-defaults) for a detailed explanation of each option.
2020-07-15 22:45:20 +00:00
2021-04-16 19:49:02 +00:00
## Deploying the Helm chart
2020-07-15 22:45:20 +00:00
Ensure you have the latest consul-helm chart and install Consul via helm using the following
2023-01-25 16:52:43 +00:00
[guide](/consul/docs/k8s/installation/install#installing-consul) while being sure to provide the yaml configuration
2020-07-15 22:45:20 +00:00
as previously discussed.
2023-09-21 22:17:14 +00:00
The following example installs Consul 1.0.4 using the `values.yaml` configuration:
2023-02-28 02:43:12 +00:00
```shell-session
$ helm install consul -f values.yaml hashicorp/consul --version 1.0.4 --wait --debug
```
2020-07-15 22:45:20 +00:00
## Configuring the gateway
2021-04-16 19:49:02 +00:00
Now that Consul has been installed with ingress gateways enabled,
2023-01-25 16:52:43 +00:00
you can configure the gateways via the [`IngressGateway`](/consul/docs/connect/config-entries/ingress-gateway) custom resource.
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
Here is an example `IngressGateway` resource:
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="ingress-gateway.yaml">
2021-01-08 22:30:41 +00:00
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
name: ingress-gateway
spec:
listeners:
- port: 8080
protocol: http
services:
- name: static-server
```
2021-08-27 00:58:59 +00:00
</CodeBlockConfig>
2021-08-04 23:25:36 +00:00
~> **Note:** The 'name' field for the IngressGateway resource must match the name
specified when creating the gateway in the Helm chart. In the above example, the
2023-01-25 16:52:43 +00:00
name "ingress-gateway" is the [default name](/consul/docs/k8s/helm#v-ingressgateways-gateways-name)
2021-08-04 23:25:36 +00:00
used by the Helm chart when enabling ingress gateways.
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
Apply the `IngressGateway` resource with `kubectl apply`:
2020-07-15 22:45:20 +00:00
```shell-session
2022-01-12 23:05:01 +00:00
$ kubectl apply --filename ingress-gateway.yaml
2021-01-08 22:30:41 +00:00
ingressgateway.consul.hashicorp.com/ingress-gateway created
2020-07-15 22:45:20 +00:00
```
2020-08-18 22:22:29 +00:00
2021-01-08 22:30:41 +00:00
Since we're using `protocol: http`, we also need to set the protocol of our service
2023-01-25 16:52:43 +00:00
`static-server` to http. To do that, we create a [`ServiceDefaults`](/consul/docs/connect/config-entries/service-defaults) custom resource:
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="service-defaults.yaml">
2021-01-08 22:30:41 +00:00
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
name: static-server
spec:
protocol: http
```
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2021-01-08 22:30:41 +00:00
Apply the `ServiceDefaults` resource with `kubectl apply`:
2020-08-18 22:22:29 +00:00
2020-07-15 22:45:20 +00:00
```shell-session
2022-01-12 23:05:01 +00:00
$ kubectl apply --filename service-defaults.yaml
2021-01-08 22:30:41 +00:00
servicedefaults.consul.hashicorp.com/static-server created
2020-07-15 22:45:20 +00:00
```
2021-01-08 22:30:41 +00:00
Ensure both resources have synced to Consul successfully:
2020-08-18 22:22:29 +00:00
2020-07-15 22:45:20 +00:00
```shell-session
2021-01-08 22:30:41 +00:00
$ kubectl get servicedefaults
NAME SYNCED AGE
static-server True 45s
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
$ kubectl get ingressgateway
NAME SYNCED AGE
ingress-gateway True 13m
2020-07-15 22:45:20 +00:00
```
2021-01-08 22:30:41 +00:00
### Viewing the UI
2020-07-15 22:45:20 +00:00
You can confirm the ingress gateways have been configured as expected by viewing the ingress-gateway service instances
2021-01-08 22:30:41 +00:00
in the Consul UI.
2023-01-25 16:52:43 +00:00
To view the UI, use the `kubectl port-forward` command. See [Viewing The Consul UI](/consul/docs/k8s/installation/install#viewing-the-consul-ui)
2021-01-08 22:30:41 +00:00
for full instructions.
Once you've port-forwarded to the UI, navigate to the Ingress Gateway instances: [http://localhost:8500/ui/dc1/services/ingress-gateway/instances](http://localhost:8500/ui/dc1/services/ingress-gateway/instances)
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
If TLS is enabled, use [https://localhost:8501/ui/dc1/services/ingress-gateway/instances](https://localhost:8501/ui/dc1/services/ingress-gateway/instances).
2020-07-15 22:45:20 +00:00
## Defining an Intention
2023-01-25 16:52:43 +00:00
If ACLs are enabled (via the `global.acls.manageSystemACLs` setting), you must define an [intention](/consul/docs/connect/intentions)
2021-01-08 22:30:41 +00:00
to allow the ingress gateway to route to the upstream services defined in the `IngressGateway` resource (in the example above the upstream service is `static-server`).
2020-07-15 22:45:20 +00:00
2023-01-25 16:52:43 +00:00
To create an intention that allows the ingress gateway to route to the service `static-server`, create a [`ServiceIntentions`](/consul/docs/connect/config-entries/service-intentions)
2021-01-08 22:30:41 +00:00
resource:
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="service-intentions.yaml">
2021-01-08 22:30:41 +00:00
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
name: static-server
spec:
destination:
name: static-server
sources:
- name: ingress-gateway
action: allow
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2021-01-08 22:30:41 +00:00
Apply the `ServiceIntentions` resource with `kubectl apply`:
2020-08-18 22:22:29 +00:00
2020-07-15 22:45:20 +00:00
```shell-session
2022-01-12 23:05:01 +00:00
$ kubectl apply --filename service-intentions.yaml
2021-01-08 22:30:41 +00:00
serviceintentions.consul.hashicorp.com/ingress-gateway created
2020-07-15 22:45:20 +00:00
```
2023-01-25 16:52:43 +00:00
For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](/consul/tutorials/kubernetes-features/service-mesh-zero-trust-network?utm_source=docs).
2020-07-15 22:45:20 +00:00
## Deploying your application to Kubernetes
2020-08-18 22:22:29 +00:00
2023-09-21 22:17:14 +00:00
Now you will deploy a sample application which echoes "hello world"
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="static-server.yaml">
2020-07-15 22:45:20 +00:00
```yaml
apiVersion: v1
2021-04-16 19:49:02 +00:00
kind: Service
2020-07-15 22:45:20 +00:00
metadata:
name: static-server
2021-04-16 19:49:02 +00:00
spec:
selector:
app: static-server
ports:
- protocol: TCP
port: 80
targetPort: 8080
2020-07-15 22:45:20 +00:00
---
apiVersion: v1
2021-04-16 19:49:02 +00:00
kind: ServiceAccount
metadata:
name: static-server
---
apiVersion: apps/v1
kind: Deployment
2020-07-15 22:45:20 +00:00
metadata:
name: static-server
spec:
2021-04-16 19:49:02 +00:00
replicas: 1
selector:
matchLabels:
app: static-server
template:
metadata:
name: static-server
labels:
app: static-server
annotations:
'consul.hashicorp.com/connect-inject': 'true'
spec:
containers:
- name: static-server
image: hashicorp/http-echo:latest
args:
- -text="hello world"
- -listen=:8080
ports:
- containerPort: 8080
name: http
serviceAccountName: static-server
2020-07-15 22:45:20 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2020-07-15 22:45:20 +00:00
```shell-session
2022-01-12 23:05:01 +00:00
$ kubectl apply --filename static-server.yaml
2020-07-15 22:45:20 +00:00
```
## Connecting to your application
You can validate the service is running and registered in the Consul UI by navigating to
[http://localhost:8500/ui/dc1/services/static-server/instances](http://localhost:8500/ui/dc1/services/static-server/instances)
2020-07-15 23:24:55 +00:00
If TLS is enabled, use: [https://localhost:8501/ui/dc1/services/static-server/instances](https://localhost:8501/ui/dc1/services/static-server/instances)
2020-07-15 22:45:20 +00:00
You can also validate the connectivity of the application from the ingress gateway using `curl`:
```shell-session
2022-01-12 23:05:01 +00:00
$ EXTERNAL_IP=$(kubectl get services --selector component=ingress-gateway --output jsonpath="{range .items[*]}{@.status.loadBalancer.ingress[*].ip}{end}")
2021-01-08 22:30:41 +00:00
$ echo "Connecting to \"$EXTERNAL_IP\""
2022-01-12 23:05:01 +00:00
$ curl --header "Host: static-server.ingress.consul" "http://$EXTERNAL_IP:8080"
2021-01-08 22:30:41 +00:00
"hello world"
2020-07-15 22:45:20 +00:00
```
~> **Security Warning:** Please be sure to delete the application and services created here as they represent a security risk through
leaving an open and unauthenticated load balancer alive in your cluster.
2021-07-31 01:37:33 +00:00
To delete the ingress gateway, set enabled to `false` in your Helm configuration:
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml" highlight="8">
2020-07-15 22:45:20 +00:00
```yaml
global:
name: consul
connectInject:
enabled: true
ingressGateways:
enabled: false # Set to false
gateways:
- name: ingress-gateway
service:
2020-08-18 22:22:29 +00:00
type: LoadBalancer
2020-07-15 22:45:20 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2020-07-15 22:45:20 +00:00
And run Helm upgrade:
```shell-session
2022-09-09 20:56:33 +00:00
$ helm upgrade consul hashicorp/consul --values values.yaml
2020-07-15 22:45:20 +00:00
```