mirror of https://github.com/status-im/consul.git
website(consul-api-gateway): add ReferencePolicy to overview docs (#12861)
* website(consul-api-gateway): add ReferencePolicy to overview docs
* website(consul-api-gateway): bump required Consul Helm chart version
  For allowing Consul API Gateway controller to read ReferencePolicy resources and UX improvement re-using connectInject.consulNamespaces config for Consul API Gateway config.
* added referencepolicy documentation to route section
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
  Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
  Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
  Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
  Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
  Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update consul-api-gateway-install.mdx
* Update consul-api-gateway-install.mdx
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
  Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
  Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
* Update website/content/docs/api-gateway/index.mdx
  Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Update website/content/docs/api-gateway/index.mdx
* Update website/content/docs/api-gateway/index.mdx
  Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
  Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
  Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
  Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
  Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
parent 0474b35c62
commit 195ec096bb
@ -304,6 +304,48 @@ spec:
|
||||||
|
|
||||||
</CodeBlockConfig>
|
</CodeBlockConfig>
|
||||||
|
|
||||||
|
To create a route for a `backendRef` in a different namespace, you must also
|
||||||
|
create a [ReferencePolicy](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy).
|
||||||
|
|
||||||
|
The following example creates a route named `example-route` in namespace `gateway-namespace`. This route has a `backendRef` in namespace `service-namespace`. Traffic is allowed because the `ReferencePolicy`, named `reference-policy` in namespace `service-namespace`, allows traffic from `HTTPRoutes` in `gateway-namespace` to `Services` in `service-namespace`.
|
||||||
|
|
||||||
|
<CodeBlockConfig filename="route_with_referencepolicy.yaml">
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1alpha2
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: example-route
|
||||||
|
namespace: gateway-namespace
|
||||||
|
spec:
|
||||||
|
parentRefs:
|
||||||
|
- name: example-gateway
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- kind: Service
|
||||||
|
name: echo
|
||||||
|
namespace: service-namespace
|
||||||
|
port: 8080
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1alpha2
|
||||||
|
kind: ReferencePolicy
|
||||||
|
metadata:
|
||||||
|
name: reference-policy
|
||||||
|
namespace: service-namespace
|
||||||
|
spec:
|
||||||
|
from:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: HTTPRoute
|
||||||
|
namespace: gateway-namespace
|
||||||
|
to:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: echo
|
||||||
|
```
|
||||||
|
|
||||||
|
</CodeBlockConfig>
|
||||||
|
|
||||||
### MeshService
|
### MeshService
|
||||||
|
|
||||||
The `MeshService` configuration holds a reference to an externally-managed Consul service mesh service and can be used as a `backendRef` for a [`Route`](#route).
|
The `MeshService` configuration holds a reference to an externally-managed Consul service mesh service and can be used as a `backendRef` for a [`Route`](#route).
|
||||||
|
|
|
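Review bot: The added paragraph above `route_with_referencepolicy.yaml` says the policy allows `HTTPRoutes` in `gateway-namespace` to reach `Services` in `service-namespace`, but the `to` entry in the YAML carries `name: echo`, so it permits only the `echo` Service. Reword the sentence to say the policy permits references from `HTTPRoutes` in `gateway-namespace` to the `echo` Service in `service-namespace`, and keep the `name` field in the example: a `to` entry without `name` covers every Service in the policy's namespace, which is a wider grant than this route needs. The paragraph also says the policy allows "traffic"; what it permits is the cross-namespace `backendRef`, and wording it that way keeps readers from treating the resource as a network control.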
@ -7,7 +7,7 @@ description: >-
|
||||||
|
|
||||||
# Consul API Gateway Overview
|
# Consul API Gateway Overview
|
||||||
|
|
||||||
This topic provides an overview of the Consul API Gateway.
|
This topic provides an overview of the Consul API Gateway.
|
||||||
|
|
||||||
## What is Consul API Gateway?
|
## What is Consul API Gateway?
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@ Consul API Gateway can be deployed on Kubernetes-based runtime environments and
|
||||||
|
|
||||||
API Gateway routes traffic to services connected to the same service mesh. Those services can be running on the same Kubernetes cluster as the API Gateway, a different Kubernetes cluster, or another runtime, as long as they are connected to the same service mesh deployment and reachable over the network.
|
API Gateway routes traffic to services connected to the same service mesh. Those services can be running on the same Kubernetes cluster as the API Gateway, a different Kubernetes cluster, or another runtime, as long as they are connected to the same service mesh deployment and reachable over the network.
|
||||||
|
|
||||||
Consul API Gateway implements, and is configured through, the Kubernetes [Gateway API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes based on the path or protocol of a client request.
|
Consul API Gateway implements and is configured through the Kubernetes [Gateway API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways which route traffic based on a client request's path or protocol.
|
||||||
|
|
||||||
### Supported Kubernetes Gateway Specification Features
|
### Supported Kubernetes Gateway Specification Features
|
||||||
|
|
||||||
|
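Review bot: The rewritten sentence "custom resource definitions (CRD) that can create logical gateways which route traffic ..." no longer mentions routes as resources, although the table further down lists `HTTPRoute` and `TCPRoute` as separate CRDs and the matching on path or protocol is configured on those, not on the gateway. Suggest keeping both, for example "custom resource definitions (CRDs) that create logical gateways and the routes attached to them, which match on a client request's path or protocol". That also fixes the singular "(CRD)" after a plural noun.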
@ -38,8 +38,8 @@ are used, see the [documentation in our GitHub repo](https://github.com/hashicor
|
||||||
| [`Gateway`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway) | <ul><li>Supported protocols: `HTTP`, `HTTPS`, `TCP`</li><li>Header-based hostname matching (no SNI support)</li><li>Supported filters: header addition, removal, and setting</li><li>TLS modes supported: `terminate`</li><li>Certificate types supported: `core/v1/Secret`</li><li>Extended options: TLS version and cipher constraints</li></ul> |
|
| [`Gateway`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway) | <ul><li>Supported protocols: `HTTP`, `HTTPS`, `TCP`</li><li>Header-based hostname matching (no SNI support)</li><li>Supported filters: header addition, removal, and setting</li><li>TLS modes supported: `terminate`</li><li>Certificate types supported: `core/v1/Secret`</li><li>Extended options: TLS version and cipher constraints</li></ul> |
|
||||||
| [`HTTPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute) | <ul><li>Weight-based load balancing</li><li>Supported rules: path, header, query, and method-based matching</li><li>Supported filters: header addition, removal, and setting</li><li>Supported backend types: <ol><li>`core/v1/Service` (must map to a registered Consul service)</li><li>`api-gateway.consul.hashicorp.com/v1alpha1/MeshService`</li></ol></li></ul> |
|
| [`HTTPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute) | <ul><li>Weight-based load balancing</li><li>Supported rules: path, header, query, and method-based matching</li><li>Supported filters: header addition, removal, and setting</li><li>Supported backend types: <ol><li>`core/v1/Service` (must map to a registered Consul service)</li><li>`api-gateway.consul.hashicorp.com/v1alpha1/MeshService`</li></ol></li></ul> |
|
||||||
| [`TCPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute) | <ul><li>Supported backend types: <ol><li>`core/v1/Service` (must map to a registered Consul service)</li><li>`api-gateway.consul.hashicorp.com/v1alpha1/MeshService`</li></ol></li></ul> |
|
| [`TCPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute) | <ul><li>Supported backend types: <ol><li>`core/v1/Service` (must map to a registered Consul service)</li><li>`api-gateway.consul.hashicorp.com/v1alpha1/MeshService`</li></ol></li></ul> |
|
||||||
|
| [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) | <ul><li>Required to allow any reference from an `HTTPRoute` or `TCPRoute` to a Kubernetes `core/v1/Service` in a different namespace.</li><li>A route with an unpermitted BackendRef caused by the lack of a ReferencePolicy sets a `ResolvedRefs` status to `False` with the reason `RefNotPermitted`. The gateway listener rejects routes with an unpermitted BackendRef.</li><li>WARNING: If a route BackendRef becomes unpermitted, the entire route is removed from the gateway listener. <ul><li>A BackendRef can become unpermitted when you delete a Reference Policy or add a new unpermitted BackendRef to an existing route.</li></ul></li></ul> |
|
||||||
|
|
||||||
## Additional Resources
|
## Additional Resources
|
||||||
|
|
||||||
You can learn more about using Consul API Gateway by completing the [Consul API Gateway tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway).
|
You can learn more about using Consul API Gateway by completing the [Consul API Gateway tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway).
|
||||||
|
|
||||||
|
|
|
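Review bot: The first bullet of the new `ReferencePolicy` row limits the requirement to a `core/v1/Service` in a different namespace, while the `HTTPRoute` and `TCPRoute` rows just above also list `api-gateway.consul.hashicorp.com/v1alpha1/MeshService` as a backend type. State in this row whether a cross-namespace `MeshService` reference needs a policy too, so readers do not have to guess how that reference is handled. Since the WARNING bullet says one unpermitted BackendRef removes the entire route from the listener, it would help to say there that the `ResolvedRefs` condition with reason `RefNotPermitted` is what to check when a route disappears. Minor: the nested bullet writes "Reference Policy" with a space, and `BackendRef` and `ReferencePolicy` are code-formatted in some places and not others; use `ReferencePolicy` and `backendRef` consistently with the install page.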
@ -20,7 +20,7 @@ Your datacenter must meet the following requirements prior to configuring the Co
|
||||||
- Kubernetes 1.21+
|
- Kubernetes 1.21+
|
||||||
- `kubectl` 1.21+
|
- `kubectl` 1.21+
|
||||||
- Consul 1.11.2+
|
- Consul 1.11.2+
|
||||||
- HashiCorp Consul Helm chart 0.41.1+
|
- HashiCorp Consul Helm chart 0.43.0+
|
||||||
- Consul Service Mesh must be deployed on the Kubernetes cluster that API Gateway is deployed on.
|
- Consul Service Mesh must be deployed on the Kubernetes cluster that API Gateway is deployed on.
|
||||||
|
|
||||||
### TCP Port Requirements
|
### TCP Port Requirements
|
||||||
|
|
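Review bot: The requirements list raises the minimum Helm chart from 0.41.1+ to 0.43.0+ without saying why. The commit message gives the reason (the controller needs to read `ReferencePolicy` resources), but the list itself does not. Add a short note next to the `HashiCorp Consul Helm chart 0.43.0+` item saying that the newer chart is what lets the API Gateway controller read `ReferencePolicy` resources, so someone on an older chart understands why cross-namespace routes are not resolving. The `Consul 1.11.2+` line is unchanged; confirm that the bumped chart still supports that Consul version, or raise it in the same change.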