From b3496a337af058fd3af05777d3f30e5b5506b757 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 5 Jan 2022 18:45:00 -0800 Subject: [PATCH 01/31] initial commit/draft of the API gateway docs --- .../content/docs/k8s/connect/api-gateway.mdx | 171 ++++++++++++++++++ website/data/docs-nav-data.json | 4 + 2 files changed, 175 insertions(+) create mode 100644 website/content/docs/k8s/connect/api-gateway.mdx diff --git a/website/content/docs/k8s/connect/api-gateway.mdx b/website/content/docs/k8s/connect/api-gateway.mdx new file mode 100644 index 0000000000..732bed8689 --- /dev/null +++ b/website/content/docs/k8s/connect/api-gateway.mdx 
@@ -0,0 +1,171 @@ +--- +layout: docs +page_title: API Gateway +description: Using Consul API gateway functionality +--- + +# Consul API Gateway + +This topic describes how to use the Consul API Gateway module, which enables applications and services running in a datacenter to be accessed by network clients outside the datacenter. This type of network traffic is commonly referred to as "north-south" network traffic. + +## Introduction + +Consul API Gateway is an implementation of the Kubernetes Gateway API Specification (https://gateway-api.sigs.k8s.io/). The specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes. + +## Requirements + +Your datacenter must meet the following requirements prior to configuring the Consul API Gateway: + +- A Kubernetes cluster must be running +- Consul 1.11.0+ + +## Installation + +1. Create a values file for your Consul server agents that contains the following parameters: + + ```yaml + global: + name: consul + image: 'hashicorp/consul:1.11.0' + tls: + enabled: true + connectInject: + enabled: true + controller: + enabled: true + ``` + +1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. + +```shell-session +helm install consul hashicorp/consul --version 0.37.0 -f values.yaml +``` + +The following components will be installed: + + - Gateway controller + - CRDs required by the Kubernetes Gateway API specification + - `kustomize` manifests for completing the installation + +1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster. + +```shell-session +kubectl apply -k "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-techpreview" +kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-techpreview" +``` + +## Usage + +1. Verify that the [requirements](#requirements) have been met. +1. 
Verify that the Consul API Gateway software has been installed and applied (see [Installation](#installation)). +1. Configure the gateway, listener(s), and route(s) as described in [Configuration](#configuration) +1. Issue the `kubectl apply` command to implement the configurations, e.g.: + +```shell-session +kubectl apply -f gateway-configuration.yaml +``` + +### Using the Consul API Gateway Binary + +You can manually start the Consul API Gateway control plane server using the binary located in the home directory to issue the `server` command: + +```shell-session +./consul-api-gateway server +``` + +The following options are supported: + +| Option | Description | Required | Default | +| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | --------------------------------------------------------- | ------ | +| `-ca-file` | String value that specifies the path to the CA for the Consul server. | Required | none | +| `-ca-secret` | String value that specifies the CA secret for the Consul server. | Required | none | +| `-ca-secret-namespace`                         | String value that specifies the CA secret namespace for the Consul server. | Required | none | +| `-k8-context` | String value that specifies the Kubernetes context to use when starting the Consul server. | Optional | current context | +| `-k8-namespace` | String value that specifies the Kubernetes namespace to use when starting the Consul server. | Optional | `default` | +| `-log-json` | Boolean value that enables or disables JSON format for the log output. | Required | `false` | +| `-log-level` | String value that specifies the logging level. The following values are supported:
- `trace` (highest level of detail)
- `debug`
- `info`
- `warn`
- `error` | context to use when starting the Consul server. | Required | `info` | +| `-metrics-port` | Integer value that specifies the port number for collecting metrics. | Optional | none | +| `-pprof` | Integer value that specifies the Go pprof port number for collecting metrics. | Optional | none | +| `-sds-server-host` | String value that specifies the host server for the secret discovery service (SDS). | Optional | `consul-api-gateway-controller.default.svc.cluster.local` | +| `-sds-server-host` | Integer value that specifies the port number for the secret discovery service (SDS). | Optional | `9090` | + +You can also issue the `version` command to print the Consul API Gateway version to the console: + +```shell-session +./consul-api-gateway version +consul-api-gateway 0.1.0-dev +``` + +## Configuration + +Create the following artifacts to configure the API Gateway: + +- [Gateway](#gateway): Defines the gateway properties, including listeners. +- [Listeners](#listeners): Defines listener properties, such as protocol, port, and namespace. +- [Routes](#routes): Specifies the path from the client to the listener. + +### Gateway + +The gateway object contains gateway listeners. +Add the `kind: Gateway` option to the configuration file to declare a gateway. +The following example creates a gateway called `example-gateway` that includes a listener called `https` (see Listeners for details about the `listener` configuration). 
+ +```yaml +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: Gateway +metadata: + name: example-gateway + annotations: + 'external-dns.alpha.kubernetes.io/hostname': DNS_HOSTNAME +spec: + gatewayClassName: default-consul-gateway-class + listeners: + - protocol: HTTPS + hostname: DNS_HOSTNAME + port: 443 + name: https + allowedRoutes: + namespaces: + from: Same + tls: + certificateRefs: + - name: gateway-production-certificate +``` + +Refer to the Kubernetes Gateway API documentation for details about configuring gateways: +https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway + +### Listener + +Listeners are the logical endpoints bound to the gateway's addresses. +Add the `listener` object to the `gateway` configuration and specify the following properties to define a listener: + +- `hostname`: Hostname specifies the virtual hostname to match for protocol types. +- `port`: Specifies the network port. +- `protocol`: Specifies the network protocol expected by the listener. + +Refer to the Kubernetes Gateway API documentation for details about configuring listeners: +https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Listener + +In the example included the [Gateway](#gateway) description, a listener named `https` that listens over `HTTPS` is configured to listen on port `443` + +### Route + +Routes are independent configuration objects that are associated with a specific listener. +Use the `kind: HTTPRoute` option to declare a route and use the `spec` option to specify the route details. +The following example creates a route named `example-route` associated with a listener defined in `example-gateway`. + +```yaml +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: HTTPRoute +metadata: + name: example-route +spec: + parentRefs: + - name: example-gateway + rules: + - backendRefs: + - kind: Service + name: echo + port: 8080 +``` 
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 77a5ef1ffe..f16ce4f4ff 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -475,6 +475,10 @@ "title": "Transparent Proxy", "href": "/docs/connect/transparent-proxy" }, + { + "title": "Consul API Gateway", + "path": "k8s/connect/api-gateway" + }, { "title": "Ingress Gateways", "path": "k8s/connect/ingress-gateways" From 66ac665925701f4a7ab82996788f8c75e2093af2 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 12 Jan 2022 11:19:15 -0800 Subject: [PATCH 02/31] applied feedback --- .../content/docs/k8s/connect/api-gateway.mdx | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/website/content/docs/k8s/connect/api-gateway.mdx b/website/content/docs/k8s/connect/api-gateway.mdx index 732bed8689..9e06730c5f 100644 --- a/website/content/docs/k8s/connect/api-gateway.mdx +++ b/website/content/docs/k8s/connect/api-gateway.mdx @@ -10,14 +10,14 @@ This topic describes how to use the Consul API Gateway module, which enables app ## Introduction -Consul API Gateway is an implementation of the Kubernetes Gateway API Specification (https://gateway-api.sigs.k8s.io/). The specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes. +Consul API Gateway is an implementation of the Kubernetes Gateway [API Specification](https://gateway-api.sigs.k8s.io/). The specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes. ## Requirements Your datacenter must meet the following requirements prior to configuring the Consul API Gateway: - A Kubernetes cluster must be running -- Consul 1.11.0+ +- Consul 1.11.1+ ## Installation 
@@ -38,20 +38,16 @@ Your datacenter must meet the following requirements prior to configuring the Co 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. ```shell-session -helm install consul hashicorp/consul --version 0.37.0 -f values.yaml +$ helm install consul hashicorp/consul --version 0.39.0 -f values.yaml ``` -The following components will be installed: - - - Gateway controller - - CRDs required by the Kubernetes Gateway API specification - - `kustomize` manifests for completing the installation +The following components will be installed: - Gateway controller - CRDs required by the Kubernetes Gateway API specification - `kustomize` manifests for completing the installation 1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster. ```shell-session -kubectl apply -k "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-techpreview" -kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-techpreview" +$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-techpreview" +$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-techpreview" ``` ## Usage @@ -62,7 +58,7 @@ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-tech 1. Issue the `kubectl apply` command to implement the configurations, e.g.: ```shell-session -kubectl apply -f gateway-configuration.yaml +$ kubectl apply -f gateway-configuration.yaml ``` ### Using the Consul API Gateway Binary 
@@ -75,24 +71,24 @@ You can manually start the Consul API Gateway control plane server using the bin The following options are supported: -| Option | Description | Required | Default | -| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | --------------------------------------------------------- | ------ | -| `-ca-file` | String value that specifies the path to the CA for the Consul server. | Required | none | -| `-ca-secret` | String value that specifies the CA secret for the Consul server. | Required | none | -| `-ca-secret-namespace`                         | String value that specifies the CA secret namespace for the Consul server. | Required | none | -| `-k8-context` | String value that specifies the Kubernetes context to use when starting the Consul server. | Optional | current context | -| `-k8-namespace` | String value that specifies the Kubernetes namespace to use when starting the Consul server. | Optional | `default` | -| `-log-json` | Boolean value that enables or disables JSON format for the log output. | Required | `false` | -| `-log-level` | String value that specifies the logging level. The following values are supported:
- `trace` (highest level of detail)
- `debug`
- `info`
- `warn`
- `error` | context to use when starting the Consul server. | Required | `info` | -| `-metrics-port` | Integer value that specifies the port number for collecting metrics. | Optional | none | -| `-pprof` | Integer value that specifies the Go pprof port number for collecting metrics. | Optional | none | -| `-sds-server-host` | String value that specifies the host server for the secret discovery service (SDS). | Optional | `consul-api-gateway-controller.default.svc.cluster.local` | -| `-sds-server-host` | Integer value that specifies the port number for the secret discovery service (SDS). | Optional | `9090` | +| Option | Description | Required | Default | +| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | ----------------------------------------------------------------------- | ------ | +| `-ca-file` | String value that specifies the path to the CA for the Consul server. | Required | none | +| `-ca-secret` | String value that specifies the CA secret for the Consul server. | Required | none | +| `-ca-secret-namespace` | String value that specifies the CA secret namespace for the Consul server. | Required | none | +| `-k8-context` | String value that specifies the Kubernetes context to use when starting the Consul server. | Optional | current context | +| `-k8-namespace` | String value that specifies the Kubernetes namespace to use when starting the Consul server. | Optional | `default` | +| `-log-json` | Boolean value that enables or disables JSON format for the log output. | Required | `false` | +| `-log-level` | String value that specifies the logging level. The following values are supported:
- `trace` (highest level of detail)
- `debug`
- `info`
- `warn`
- `error` | context to use when starting the Consul server. | Required | `info` | +| `-metrics-port` | Integer value that specifies the port number for collecting metrics. | Optional | none | +| `-pprof` | Integer value that specifies the Go pprof port number for collecting metrics. | Optional | none | +| `-sds-server-host` | String value that specifies the host server for the secret discovery service (SDS). | Optional | `consul-api-gateway-controller.default.`
`svc.cluster.`
`local` | +| `-sds-server-host` | Integer value that specifies the port number for the secret discovery service (SDS). | Optional | `9090` | You can also issue the `version` command to print the Consul API Gateway version to the console: ```shell-session -./consul-api-gateway version +$ ./consul-api-gateway version consul-api-gateway 0.1.0-dev ``` @@ -108,7 +104,9 @@ Create the following artifacts to configure the API Gateway: The gateway object contains gateway listeners. Add the `kind: Gateway` option to the configuration file to declare a gateway. -The following example creates a gateway called `example-gateway` that includes a listener called `https` (see Listeners for details about the `listener` configuration). +The following example creates a gateway called `example-gateway` that includes a listener called `https` (see [Listeners](#listeners) for details about the `listener` configuration). + + ```yaml apiVersion: gateway.networking.k8s.io/v1alpha2 @@ -132,10 +130,12 @@ spec: - name: gateway-production-certificate ``` + + Refer to the Kubernetes Gateway API documentation for details about configuring gateways: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway -### Listener +### Listeners Listeners are the logical endpoints bound to the gateway's addresses. Add the `listener` object to the `gateway` configuration and specify the following properties to define a listener: From fb40ad05cf9fe2f209151dc596848a2059aff0a0 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 12 Jan 2022 11:23:22 -0800 Subject: [PATCH 03/31] forgot to update the image version --- website/content/docs/k8s/connect/api-gateway.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/connect/api-gateway.mdx b/website/content/docs/k8s/connect/api-gateway.mdx index 9e06730c5f..2d931ea758 100644 --- a/website/content/docs/k8s/connect/api-gateway.mdx 
+++ b/website/content/docs/k8s/connect/api-gateway.mdx @@ -26,7 +26,7 @@ Your datacenter must meet the following requirements prior to configuring the Co ```yaml global: name: consul - image: 'hashicorp/consul:1.11.0' + image: 'hashicorp/consul:1.11.1' tls: enabled: true connectInject: From 3510430522f5a42a6987c93880f50db28719c2ac Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 12 Jan 2022 11:24:36 -0800 Subject: [PATCH 04/31] missed a cmd block when adding dollar signs --- website/content/docs/k8s/connect/api-gateway.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/connect/api-gateway.mdx b/website/content/docs/k8s/connect/api-gateway.mdx index 2d931ea758..a799535711 100644 --- a/website/content/docs/k8s/connect/api-gateway.mdx +++ b/website/content/docs/k8s/connect/api-gateway.mdx @@ -66,7 +66,7 @@ $ kubectl apply -f gateway-configuration.yaml You can manually start the Consul API Gateway control plane server using the binary located in the home directory to issue the `server` command: ```shell-session -./consul-api-gateway server +$ ./consul-api-gateway server ``` The following options are supported: From c67612e6edd9069a4d94f129651d2f4b91d5bb74 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 12 Jan 2022 11:32:32 -0800 Subject: [PATCH 05/31] added beta flag to nav link --- website/data/docs-nav-data.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index f16ce4f4ff..af3f213a37 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -476,7 +476,7 @@ "href": "/docs/connect/transparent-proxy" }, { - "title": "Consul API Gateway", + "title": "Consul API Gateway BETA", "path": "k8s/connect/api-gateway" }, { From c2c717df1b707599efe2899c23dd09a1f0f24497 Mon Sep 17 00:00:00 2001 
From: trujillo-adam Date: Wed, 12 Jan 2022 11:53:32 -0800 Subject: [PATCH 06/31] fixes to the params table --- .../content/docs/k8s/connect/api-gateway.mdx | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/website/content/docs/k8s/connect/api-gateway.mdx b/website/content/docs/k8s/connect/api-gateway.mdx index a799535711..ec00cda18b 100644 --- a/website/content/docs/k8s/connect/api-gateway.mdx +++ b/website/content/docs/k8s/connect/api-gateway.mdx @@ -71,19 +71,19 @@ $ ./consul-api-gateway server The following options are supported: -| Option | Description | Required | Default | -| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | ----------------------------------------------------------------------- | ------ | -| `-ca-file` | String value that specifies the path to the CA for the Consul server. | Required | none | -| `-ca-secret` | String value that specifies the CA secret for the Consul server. | Required | none | -| `-ca-secret-namespace` | String value that specifies the CA secret namespace for the Consul server. | Required | none | -| `-k8-context` | String value that specifies the Kubernetes context to use when starting the Consul server. | Optional | current context | -| `-k8-namespace` | String value that specifies the Kubernetes namespace to use when starting the Consul server. | Optional | `default` | -| `-log-json` | Boolean value that enables or disables JSON format for the log output. | Required | `false` | -| `-log-level` | String value that specifies the logging level. The following values are supported:
- `trace` (highest level of detail)
- `debug`
- `info`
- `warn`
- `error` | context to use when starting the Consul server. | Required | `info` | -| `-metrics-port` | Integer value that specifies the port number for collecting metrics. | Optional | none | -| `-pprof` | Integer value that specifies the Go pprof port number for collecting metrics. | Optional | none | -| `-sds-server-host` | String value that specifies the host server for the secret discovery service (SDS). | Optional | `consul-api-gateway-controller.default.`
`svc.cluster.`
`local` | -| `-sds-server-host` | Integer value that specifies the port number for the secret discovery service (SDS). | Optional | `9090` | +| Option | Description | Required | Default | +| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------------------------------------- | +| `-ca-file` | String value that specifies the path to the CA for the Consul server. | Required | none | +| `-ca-secret` | String value that specifies the CA secret for the Consul server. | Required | none | +| `-ca-secret-namespace` | String value that specifies the CA secret namespace for the Consul server. | Required | none | +| `-k8-context` | String value that specifies the Kubernetes context to use when starting the Consul server. | Optional | current context | +| `-k8-namespace` | String value that specifies the Kubernetes namespace to use when starting the Consul server. | Optional | `default` | +| `-log-json` | Boolean value that enables or disables JSON format for the log output. | Required | `false` | +| `-log-level` | String value that specifies the logging level. The following values are supported:
- `trace` (highest level of detail)
- `debug`
- `info`
- `warn`
- `error` | Optional | `info` | +| `-metrics-port` | Integer value that specifies the port number for collecting metrics. | Optional | none | +| `-pprof` | Integer value that specifies the Go pprof port number for collecting metrics. | Optional | none | +| `-sds-server-host` | String value that specifies the host server for the secret discovery service (SDS). | Optional | `consul-api-gateway-controller.default.`
`svc.cluster.`
`local` | +| `-sds-server-host` | Integer value that specifies the port number for the secret discovery service (SDS). | Optional | `9090` | You can also issue the `version` command to print the Consul API Gateway version to the console: From 0d35c303609c78a82fd742779a8bf592ad6a528c Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 12 Jan 2022 14:04:03 -0800 Subject: [PATCH 07/31] moved consul api gateway to top of nav hierarchy --- website/content/docs/{k8s/connect => }/api-gateway.mdx | 0 website/data/docs-nav-data.json | 8 ++++---- 2 files changed, 4 insertions(+), 4 deletions(-) rename website/content/docs/{k8s/connect => }/api-gateway.mdx (100%) diff --git a/website/content/docs/k8s/connect/api-gateway.mdx b/website/content/docs/api-gateway.mdx similarity index 100% rename from website/content/docs/k8s/connect/api-gateway.mdx rename to website/content/docs/api-gateway.mdx diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index af3f213a37..fcd8697403 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -356,6 +356,10 @@ } ] }, + { + "title": "Consul API Gateway BETA", + "path": "api-gateway" + }, { "title": "Kubernetes", "routes": [ @@ -475,10 +479,6 @@ "title": "Transparent Proxy", "href": "/docs/connect/transparent-proxy" }, - { - "title": "Consul API Gateway BETA", - "path": "k8s/connect/api-gateway" - }, { "title": "Ingress Gateways", "path": "k8s/connect/ingress-gateways" From 203c5033c32c70fd8fa4e0f202c637847cbfe90c Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Tue, 18 Jan 2022 12:23:17 -0800 Subject: [PATCH 08/31] addressed feedback about binary --- website/content/docs/api-gateway.mdx | 53 +++++++++++++++++++--------- 1 file changed, 36 insertions(+), 17 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index ec00cda18b..0ee9ffa84d 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
@@ -17,23 +17,27 @@ Consul API Gateway is an implementation of the Kubernetes Gateway [API Specifica Your datacenter must meet the following requirements prior to configuring the Consul API Gateway: - A Kubernetes cluster must be running -- Consul 1.11.1+ +- Consul 1.11.2+ ## Installation 1. Create a values file for your Consul server agents that contains the following parameters: - ```yaml - global: - name: consul - image: 'hashicorp/consul:1.11.1' - tls: - enabled: true - connectInject: - enabled: true - controller: - enabled: true - ``` + + +```yaml +global: + name: consul + image: 'hashicorp/consul:1.11.2' + tls: + enabled: true +connectInject: + enabled: true +controller: + enabled: true +``` + + 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. @@ -46,8 +50,8 @@ The following components will be installed: - Gateway controller - CRDs required 1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster. ```shell-session -$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-techpreview" -$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-techpreview" +$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta" +$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-beta" ``` ## Usage 
@@ -63,7 +67,22 @@ $ kubectl apply -f gateway-configuration.yaml ### Using the Consul API Gateway Binary -You can manually start the Consul API Gateway control plane server using the binary located in the home directory to issue the `server` command: +You can download the Consul API Gateway binary and use it to manually start the control plane server. + +1. Download the binary from the [Consul API Gateway repository](https://github.com/hashicorp/consul-api-gateway). +1. Navigate to the `consul-api-gateway-main` directory and build the binary: + +```shell-session +$ go build +``` + +1. (Optional) Copy the binary to the execution path, e.g.: + +```shell-session +$ cp consul-api-gateway /usr/bin +``` + +1. Use the `server` command to interact with the Consul API Gateway binary: ```shell-session $ ./consul-api-gateway server @@ -89,7 +108,7 @@ You can also issue the `version` command to print the Consul API Gateway version ```shell-session $ ./consul-api-gateway version -consul-api-gateway 0.1.0-dev +consul-api-gateway 0.1.0 ``` ## Configuration @@ -151,7 +170,7 @@ In the example included the [Gateway](#gateway) description, a listener named `h ### Route -Routes are independent configuration objects that are associated with a specific listener. +Routes are independent configuration objects that are associated with specific listeners. Use the `kind: HTTPRoute` option to declare a route and use the `spec` option to specify the route details. The following example creates a route named `example-route` associated with a listener defined in `example-gateway`. From 6cda05a6df93176036405103a7f09f5b47864c72 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Tue, 18 Jan 2022 12:28:44 -0800 Subject: [PATCH 09/31] addressed feedback about binary - fixed bad formatting --- website/content/docs/api-gateway.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 0ee9ffa84d..1ce7f49813 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx @@ -37,7 +37,7 @@ controller: enabled: true ``` - + 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. From fe867ddf9c6d1f6cc12fd3a33c9dd9f447e23cae Mon Sep 17 00:00:00 2001 From: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Date: Tue, 18 Jan 2022 14:30:35 -0800 Subject: [PATCH 10/31] Apply suggestions from code review Co-authored-by: Blake Covarrubias --- website/content/docs/api-gateway.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 1ce7f49813..5a5b4f1a21 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx @@ -50,8 +50,8 @@ The following components will be installed: - Gateway controller - CRDs required 1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster. ```shell-session -$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta" -$ kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-beta" +$ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta" +$ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-beta" ``` ## Usage From 30032f434e89646e35756f942d8f625c7ae2c735 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Tue, 18 Jan 2022 15:06:55 -0800 Subject: [PATCH 11/31] fixed formatting --- website/content/docs/api-gateway.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 5a5b4f1a21..3327e80046 100644 
--- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx @@ -42,7 +42,7 @@ controller: 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. ```shell-session -$ helm install consul hashicorp/consul --version 0.39.0 -f values.yaml +$ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml ``` The following components will be installed: - Gateway controller - CRDs required by the Kubernetes Gateway API specification - `kustomize` manifests for completing the installation @@ -62,7 +62,7 @@ $ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config?ref= 1. Issue the `kubectl apply` command to implement the configurations, e.g.: ```shell-session -$ kubectl apply -f gateway-configuration.yaml +$ kubectl apply --values gateway-configuration.yaml ``` ### Using the Consul API Gateway Binary @@ -152,7 +152,7 @@ spec: Refer to the Kubernetes Gateway API documentation for details about configuring gateways: -https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway + ### Listeners @@ -164,7 +164,7 @@ Add the `listener` object to the `gateway` configuration and specify the followi - `protocol`: Specifies the network protocol expected by the listener. Refer to the Kubernetes Gateway API documentation for details about configuring listeners: -https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Listener + In the example included the [Gateway](#gateway) description, a listener named `https` that listens over `HTTPS` is configured to listen on port `443` From 8c2399a862aa75b025aa0e5788ac507e13d8aa08 Mon Sep 17 00:00:00 2001 
From: Peter M <36747421+pcmccarron@users.noreply.github.com> Date: Fri, 21 Jan 2022 16:14:45 -0700 Subject: [PATCH 12/31] Updated intro text Jeff and I re-worded/expanded the text a bit here for the introduction section. --- website/content/docs/api-gateway.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 3327e80046..d2d44d4656 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
@@ -3,14 +3,16 @@ layout: docs page_title: API Gateway description: Using Consul API gateway functionality --- - # Consul API Gateway -This topic describes how to use the Consul API Gateway module, which enables applications and services running in a datacenter to be accessed by network clients outside the datacenter. This type of network traffic is commonly referred to as "north-south" network traffic. +The Consul API Gateway add-on module helps users control access to services running within a Consul service mesh. Using the API Gateway, applications and services running in a Consul datacenter can be accessed by network clients residing outside of the datacenter. This type of network traffic is commonly referred to as "north-south" network traffic as it refers to the flow of data into and out of a specific environment. Requests from clients can also be forwarded based on path or request protocol. ## Introduction -Consul API Gateway is an implementation of the Kubernetes Gateway [API Specification](https://gateway-api.sigs.k8s.io/). The specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes. +Consul API Gateway is an implementation of the Kubernetes Gateway [API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes based on the path or protocol of a client request. The Consul API gateway solves for two primary use cases: + +* **Controlling access at the point entry** - The Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g. VeriSign, Let’sEncrypt). 
+* **Simplifying traffic management** - The Consul API Gateway can be used to load balance requests across services and route traffic to the appropriate service based on matching one or more criteria such as hostname, path, header presence or value, and HTTP Method type (e.g. Get, Post, Patch). ## Requirements From 4c4a9f3e65aac77ba9cf515d6dac39b64e2b9e7a Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 26 Jan 2022 09:23:10 -0800 Subject: [PATCH 13/31] added GWclass and GWClassConfig --- website/content/docs/api-gateway.mdx | 113 ++++++++++++++++++++++++--- 1 file changed, 101 insertions(+), 12 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index d2d44d4656..e1ec5cc673 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
@@ -3,16 +3,17 @@ layout: docs page_title: API Gateway description: Using Consul API gateway functionality --- + # Consul API Gateway -The Consul API Gateway add-on module helps users control access to services running within a Consul service mesh. Using the API Gateway, applications and services running in a Consul datacenter can be accessed by network clients residing outside of the datacenter. This type of network traffic is commonly referred to as "north-south" network traffic as it refers to the flow of data into and out of a specific environment. Requests from clients can also be forwarded based on path or request protocol. +This topic describes how to use the Consul API Gateway add-on module, which helps users control access to services running within a Consul service mesh. The API gateway enables external network clients to access applications and services running in a Consul datacenter. This type of network traffic is commonly referred to as "north-south" network traffic as it refers to the flow of data into and out of a specific environment. Requests from clients can also be forwarded based on path or request protocol. ## Introduction -Consul API Gateway is an implementation of the Kubernetes Gateway [API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes based on the path or protocol of a client request. The Consul API gateway solves for two primary use cases: +Consul API Gateway is an implementation of the Kubernetes Gateway [API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes based on the path or protocol of a client request. 
Consul API Gateway solves two primary use cases: -* **Controlling access at the point entry** - The Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g. VeriSign, Let’sEncrypt). -* **Simplifying traffic management** - The Consul API Gateway can be used to load balance requests across services and route traffic to the appropriate service based on matching one or more criteria such as hostname, path, header presence or value, and HTTP Method type (e.g. Get, Post, Patch). +- **Controlling access at the point entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., VeriSign, Let’sEncrypt). +- **Simplifying traffic management**: The Consul API Gateway can load balance requests across services and route traffic to the appropriate service based on matching one or more criteria, such as hostname, path, header presence or value, and HTTP Method type (e.g., GET, POST, PATCH). ## Requirements @@ -47,7 +48,11 @@ controller: $ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml ``` -The following components will be installed: - Gateway controller - CRDs required by the Kubernetes Gateway API specification - `kustomize` manifests for completing the installation +The following components will be installed: + +- Gateway controller +- CRDs required by the Kubernetes Gateway API specification +- `kustomize` manifests for completing the installation 1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster. 
@@ -67,6 +72,8 @@ $ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config?ref= $ kubectl apply --values gateway-configuration.yaml ``` + ## Configuration -Create the following artifacts to configure the API Gateway: +Configure the following artifacts to facilitate ingress into your Consul service mesh: -- [Gateway](#gateway): Defines the gateway properties, including listeners. +- [Gateway](#gateway): Defines the main infrastructure resource that links API gateway components. It specifies the name of the `GatewayClass` and one or more `listeners`. +- [GatewayClass](#gatewayclass): Defines a class of gateway resources that you can use as a template for creating gateways. +- [GatewayClassConfig](#gatewayclassconfig): Describes additional Consul API Gatway-related configuration parameters for the `GatewayClass` resource. - [Listeners](#listeners): Defines listener properties, such as protocol, port, and namespace. - [Routes](#routes): Specifies the path from the client to the listener. ### Gateway -The gateway object contains gateway listeners. -Add the `kind: Gateway` option to the configuration file to declare a gateway. -The following example creates a gateway called `example-gateway` that includes a listener called `https` (see [Listeners](#listeners) for details about the `listener` configuration). +The gateway configuration is the main infrastructure resource that links API gateway components. It specifies the name of the `GatewayClass` and one or more `listeners`. - +Add the `kind: Gateway` option to the configuration file to declare a gateway. +The following example creates a gateway called `example-gateway`. +The gateway is based on the `test-gateway-class` and includes a listener called `https` (see [Listeners](#listeners) for details about the `listener` configuration). + + ```yaml apiVersion: gateway.networking.k8s.io/v1alpha2 
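Review bot: Typo in the added `GatewayClassConfig` bullet under `## Configuration`: "Consul API Gatway-related" should read "Consul API Gateway-related". In the same list, the unchanged `[Routes](#routes)` entry links to an anchor that does not match the `### Route` heading further down the file; rename one of them so the link resolves.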
@@ -137,7 +149,7 @@ metadata: annotations: 'external-dns.alpha.kubernetes.io/hostname': DNS_HOSTNAME spec: - gatewayClassName: default-consul-gateway-class + gatewayClassName: test-gateway-class listeners: - protocol: HTTPS hostname: DNS_HOSTNAME 
@@ -156,6 +168,83 @@ spec: Refer to the Kubernetes Gateway API documentation for details about configuring gateways: +### GatewayClass + +The `GatewayClass` resource is used as a template for creating `Gateway` resources. +The specification includes the name of the controller (`controllerName`) and an API object containing controller-specific configuration resource within the cluster (`parametersRef`). + +When gateways are created from a `GatewayClass`, they use the parameters specified in the `GatewayClass` at the time of instantiation. +If you want to propagate changes made to the `GatewayClass` after gateways have been created, then the implementation must document this behavior. +The `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer must also be added to a `GatewayClass` to ensure that a `GatewayClass` associated with a `Gateway` is not deleted while in use. + +Add the `kind: GatewayClass` option to the the gateway values file to declare a gateway class. +The following example creates a gateway class called `test-gateway-class`. + + + +```yaml +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: test-gateway-class +spec: + controllerName: 'hashicorp.com/consul-api-gateway-controller' + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: test-gateway-class-config +``` + + + +Refer to the Kubernetes Gateway API documentation for details about configuring gateway classes: + + +### GatewayClassConfig + +The `GatewayClassConfig` object describes additional Consul API Gateway-related configuration parameters for the `GatewayClass`. + +Add the `kind: GatewayClassConfig` option to the gateway values file to declare a gateway class. +The following example creates a gateway class called `test-gateway-class-config`. 
+ + + +```yaml +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: test-gateway-class-config +spec: + useHostPorts: true + logLevel: trace + consul: + scheme: https + caSecret: consul-ca-cert + ports: + http: 8501 + grpc: 8502 +``` + + + +The following table describes the required parameters for the `spec` array: + +| Parameter | Description | Type | Default | +| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ------- | +| `useHostPorts` | Enables the gateway to use the host ports | Boolean | `true` | +| `logLevel` | Specifies the error reporting level for logs. You can specify the following values: `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`, `ALL`, `OFF` | String | `trace` | +| `consul` | Specifies ingress properties for Consul. See [Consul Configuration](#consul-configuration) | Array | N/A | + +#### Consul Configuration + +The following table describes the parameters available for the `consul` element of the `GatewayClassConfiguration`: + +| Parameter | Description | Type | Default | +| ---------- | ------------------------------------------------------------- | ------ | ------------------------------- | +| `scheme` | Specifies the message protocol. | String | `http` | +| `caSecret` | Specifies the name of the CA secret. | String | none | +| `ports` | Specifies which ports to use for API and application traffic. | Array | `http: 8501`
`grpc: 8502` | + ### Listeners Listeners are the logical endpoints bound to the gateway's addresses. From 52ac7657c7f61683216ab18b00359bd7c7a02272 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 26 Jan 2022 09:32:47 -0800 Subject: [PATCH 14/31] fixed formatting issues --- website/content/docs/api-gateway.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index e1ec5cc673..9a8168a2db 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx @@ -50,9 +50,9 @@ $ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml The following components will be installed: -- Gateway controller -- CRDs required by the Kubernetes Gateway API specification -- `kustomize` manifests for completing the installation + - Gateway controller + - CRDs required by the Kubernetes Gateway API specification + - `kustomize` manifests for completing the installation 1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster. From 41709dcc291e07dcb1d7c10d22f04de35496e29a Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 26 Jan 2022 09:44:32 -0800 Subject: [PATCH 15/31] trying to fix persistent formatting problems --- website/content/docs/api-gateway.mdx | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 9a8168a2db..38d48c725b 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
@@ -28,27 +28,27 @@ Your datacenter must meet the following requirements prior to configuring the Co -```yaml -global: - name: consul - image: 'hashicorp/consul:1.11.2' - tls: + ```yaml + global: + name: consul + image: 'hashicorp/consul:1.11.2' + tls: + enabled: true + connectInject: enabled: true -connectInject: - enabled: true -controller: - enabled: true -``` + controller: + enabled: true + ``` 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. -```shell-session -$ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml -``` + ```shell-session + $ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml + ``` -The following components will be installed: + The following components will be installed: - Gateway controller - CRDs required by the Kubernetes Gateway API specification From f28f0375a5368db837b1a78e365d9efa5256b98c Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 26 Jan 2022 15:11:40 -0800 Subject: [PATCH 16/31] added more complete spec info and applied feedback --- website/content/docs/api-gateway.mdx | 153 ++++++++++++++------------- 1 file changed, 81 insertions(+), 72 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 38d48c725b..11cdf3355e 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
@@ -28,27 +28,27 @@ Your datacenter must meet the following requirements prior to configuring the Co - ```yaml - global: - name: consul - image: 'hashicorp/consul:1.11.2' - tls: - enabled: true - connectInject: +```yaml +global: + name: consul + image: 'hashicorp/consul:1.11.2' + tls: enabled: true - controller: - enabled: true - ``` +connectInject: + enabled: true +controller: + enabled: true +``` 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. - ```shell-session - $ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml - ``` +```shell-session +$ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml +``` - The following components will be installed: +The following components will be installed: - Gateway controller - CRDs required by the Kubernetes Gateway API specification 
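Review bot: The fenced `yaml` and `shell-session` blocks and the "The following components will be installed:" sentence are back at column 0 in the added lines, which takes them out of the numbered installation steps so that each following `1.` starts a new list. PATCH 15/31 had just indented exactly these lines, and the commit message here ("added more complete spec info and applied feedback") does not mention undoing that. Keep the blocks indented under their step, or state in the message why the indentation is being reverted.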
@@ -125,53 +125,16 @@ consul-api-gateway 0.1.0 Configure the following artifacts to facilitate ingress into your Consul service mesh: -- [Gateway](#gateway): Defines the main infrastructure resource that links API gateway components. It specifies the name of the `GatewayClass` and one or more `listeners`. -- [GatewayClass](#gatewayclass): Defines a class of gateway resources that you can use as a template for creating gateways. - [GatewayClassConfig](#gatewayclassconfig): Describes additional Consul API Gatway-related configuration parameters for the `GatewayClass` resource. -- [Listeners](#listeners): Defines listener properties, such as protocol, port, and namespace. +- [GatewayClass](#gatewayclass): Defines a class of gateway resources that you can use as a template for creating gateways. +- [Gateway](#gateway): Defines the main infrastructure resource that links API gateway components. It specifies the name of the `GatewayClass` and one or more `listeners` (see [Listeners](#listeners)), which specify the logical endpoints bound to the gateway's addresses. - [Routes](#routes): Specifies the path from the client to the listener. -### Gateway - -The gateway configuration is the main infrastructure resource that links API gateway components. It specifies the name of the `GatewayClass` and one or more `listeners`. - -Add the `kind: Gateway` option to the configuration file to declare a gateway. -The following example creates a gateway called `example-gateway`. -The gateway is based on the `test-gateway-class` and includes a listener called `https` (see [Listeners](#listeners) for details about the `listener` configuration). 
- - - -```yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: Gateway -metadata: - name: example-gateway - annotations: - 'external-dns.alpha.kubernetes.io/hostname': DNS_HOSTNAME -spec: - gatewayClassName: test-gateway-class - listeners: - - protocol: HTTPS - hostname: DNS_HOSTNAME - port: 443 - name: https - allowedRoutes: - namespaces: - from: Same - tls: - certificateRefs: - - name: gateway-production-certificate -``` - - - -Refer to the Kubernetes Gateway API documentation for details about configuring gateways: - - ### GatewayClass The `GatewayClass` resource is used as a template for creating `Gateway` resources. The specification includes the name of the controller (`controllerName`) and an API object containing controller-specific configuration resource within the cluster (`parametersRef`). +The value of the `controllerName` field must be set to `hashicorp.com/consul-api-gateway-controller`. When gateways are created from a `GatewayClass`, they use the parameters specified in the `GatewayClass` at the time of instantiation. If you want to propagate changes made to the `GatewayClass` after gateways have been created, then the implementation must document this behavior. @@ -216,10 +179,10 @@ metadata: name: test-gateway-class-config spec: useHostPorts: true - logLevel: trace + logLevel: 'trace' consul: - scheme: https - caSecret: consul-ca-cert + scheme: 'https' + caSecret: 'consul-ca-cert' ports: http: 8501 grpc: 8502 
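Review bot: The sample `GatewayClassConfig` touched by the `@@ -216,10 +179,10 @@` hunk keeps `logLevel: 'trace'` and, in the context line above it, `useHostPorts: true`, while the parameter table added in the next hunk of this patch documents the defaults as `"info"` and `false` and spells the levels in upper case (`TRACE`). Readers copy this block as written, so either set the sample to the documented defaults or add a sentence saying these values are for debugging, and state whether the level name is case-sensitive.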
@@ -229,23 +192,65 @@ spec: The following table describes the required parameters for the `spec` array: -| Parameter | Description | Type | Default | -| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ------- | -| `useHostPorts` | Enables the gateway to use the host ports | Boolean | `true` | -| `logLevel` | Specifies the error reporting level for logs. You can specify the following values: `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`, `ALL`, `OFF` | String | `trace` | -| `consul` | Specifies ingress properties for Consul. See [Consul Configuration](#consul-configuration) | Array | N/A | +| Parameter | Description | Type | Default | +| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------------ | +| `consul.address` | Specifies the address of the Consul server to communicate with in the gateway pod. If unspecified, the pod will attempt to use a local agent on the host on which the pod is running. | String | N/A | +| `consul.authentication.account` | Specifies the Kubernetes service account to use for authentication. | String | N/A | +| `consul.authentication.managed` | Set to `true` to enable deployments to run with managed service accounts created by the gateway controller. The `consul.authentication.account` field is ignored when this option is enabled. | Boolean | `false` | +| `consul.authentication.method` | Specifies the Consul auth method used for initial authentication by Consul API Gateway. 
| String | N/A | +| `consul.authentication.namespace` | Specifies the Consul namespace to use for authentication. | String | N/A | +| `consul.ports.grpc` | Specifies the gRPC port for Consul's xDS server. | Integer | `8502` | +| `consul.ports.http` | Specifies the port for Consul's HTTP server. | Integer | `8500` | +| `consul.scheme` | Specifies the scheme to use for connecting to Consul. The supported values are `"http"` and `"https"`. | String | `"http"` | +| `copyAnnotations.service` | List of annotations to copy to the gateway service. | Array | `["external-dns.alpha.kubernetes.io/hostname"]` | +| `image.consulAPIGateway` | The image to use for consul-api-gateway. | String | `"hashicorp/consul-api-gateway:RELEASE_VERSION"` | +| `image.envoy` | Specifies the container image to use for Envoy. | String | `"envoyproxy/envoy:v1.19-latest"` | +| `logLevel` | Specifies the error reporting level for logs. You can specify the following values: `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`, `ALL`, `OFF` | String | `"info"` | +| `nodeSelector` | Specifies a set of parameters that constrain the nodes on which the pod can run. Defining nodes with the `nodeSelector` enables the pod to fit on a node. The selector must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | Object | N/A | +| `serviceType` | Sepcifies the ingress methods for a service. The following values are supported:
`ClusterIP`
`NodePort`
`LoadBalancer` | String | N/A | +| `useHostPorts` | If set to `true`, then the Envoy container ports are mapped to host ports. | Boolean | `false` | -#### Consul Configuration +Refer to the Consul API Gateway repository for the complete specification: + -The following table describes the parameters available for the `consul` element of the `GatewayClassConfiguration`: +### Gateway -| Parameter | Description | Type | Default | -| ---------- | ------------------------------------------------------------- | ------ | ------------------------------- | -| `scheme` | Specifies the message protocol. | String | `http` | -| `caSecret` | Specifies the name of the CA secret. | String | none | -| `ports` | Specifies which ports to use for API and application traffic. | Array | `http: 8501`
`grpc: 8502` | +The gateway configuration is the main infrastructure resource that links API gateway components. It specifies the name of the `GatewayClass` and one or more `listeners`. -### Listeners +Add the `kind: Gateway` option to the configuration file to declare a gateway. +The following example creates a gateway called `example-gateway`. +The gateway is based on the `test-gateway-class` and includes a listener called `https` (see [Listeners](#listeners) for details about the `listener` configuration). + + + +```yaml +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: Gateway +metadata: + name: example-gateway + annotations: + 'external-dns.alpha.kubernetes.io/hostname': DNS_HOSTNAME +spec: + gatewayClassName: test-gateway-class + listeners: + - protocol: HTTPS + hostname: DNS_HOSTNAME + port: 443 + name: https + allowedRoutes: + namespaces: + from: Same + tls: + certificateRefs: + - name: gateway-production-certificate +``` + + + +Refer to the Kubernetes Gateway API documentation for details about configuring gateways: + + +#### Listeners Listeners are the logical endpoints bound to the gateway's addresses. Add the `listener` object to the `gateway` configuration and specify the following properties to define a listener: 
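Review bot: The rewritten parameter table drops the `caSecret` row (removed together with the old `#### Consul Configuration` table) and adds no `consul.caSecret` entry, yet the sample `GatewayClassConfig` in this patch still sets `caSecret: 'consul-ca-cert'` alongside `scheme: 'https'`. Add the row back so the CA trust setting for the HTTPS connection to Consul is documented. Smaller points in the same table: "Sepcifies" in the `serviceType` row should be "Specifies"; the `image.envoy` default `"envoyproxy/envoy:v1.19-latest"` is a floating tag, so a sentence telling operators to pin a specific version would help; and the unchanged sentence above the table still calls these "required parameters" of the `spec` "array" although every row has a default or N/A.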
@@ -257,14 +262,16 @@ Add the `listener` object to the `gateway` configuration and specify the followi Refer to the Kubernetes Gateway API documentation for details about configuring listeners: -In the example included the [Gateway](#gateway) description, a listener named `https` that listens over `HTTPS` is configured to listen on port `443` - ### Route Routes are independent configuration objects that are associated with specific listeners. + Use the `kind: HTTPRoute` option to declare a route and use the `spec` option to specify the route details. + The following example creates a route named `example-route` associated with a listener defined in `example-gateway`. + + ```yaml apiVersion: gateway.networking.k8s.io/v1alpha2 kind: HTTPRoute @@ -279,3 +286,5 @@ spec: name: echo port: 8080 ``` + + From f2f0c5156b3de7955e0e586def83edbae9b4e253 Mon Sep 17 00:00:00 2001 From: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Date: Wed, 26 Jan 2022 15:16:22 -0800 Subject: [PATCH 17/31] Apply suggestions from code review Adding content and feedback from @mikemorris Co-authored-by: Mike Morris --- website/content/docs/api-gateway.mdx | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 11cdf3355e..79c5ba32d4 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
@@ -10,9 +10,9 @@ This topic describes how to use the Consul API Gateway add-on module, which help ## Introduction -Consul API Gateway is an implementation of the Kubernetes Gateway [API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes based on the path or protocol of a client request. Consul API Gateway solves two primary use cases: +Consul API Gateway is an implementation of the Kubernetes [Gateway API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes based on the path or protocol of a client request. Consul API Gateway solves two primary use cases: -- **Controlling access at the point entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., VeriSign, Let’sEncrypt). +- **Controlling access at the point of entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., VeriSign, Let’sEncrypt). - **Simplifying traffic management**: The Consul API Gateway can load balance requests across services and route traffic to the appropriate service based on matching one or more criteria, such as hostname, path, header presence or value, and HTTP Method type (e.g., GET, POST, PATCH). ## Requirements 
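Review bot: The changed bullet still spells the CA as `Let’sEncrypt`; the name is "Let's Encrypt". In the same bullet, "provide clients with TLS certificates" can be read as issuing certificates to clients; if the meaning is that the gateway presents a certificate from a trusted provider when terminating TLS, say so. The unchanged bullet below uses "The Consul API Gateway" where the rest of the introduction uses "Consul API Gateway".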
@@ -137,8 +137,6 @@ The specification includes the name of the controller (`controllerName`) and an The value of the `controllerName` field must be set to `hashicorp.com/consul-api-gateway-controller`. When gateways are created from a `GatewayClass`, they use the parameters specified in the `GatewayClass` at the time of instantiation. -If you want to propagate changes made to the `GatewayClass` after gateways have been created, then the implementation must document this behavior. -The `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer must also be added to a `GatewayClass` to ensure that a `GatewayClass` associated with a `Gateway` is not deleted while in use. Add the `kind: GatewayClass` option to the the gateway values file to declare a gateway class. The following example creates a gateway class called `test-gateway-class`. 
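Review bot: The context line directly under the removed sentences reads "Add the `kind: GatewayClass` option to the the gateway values file"; the doubled "the" should be fixed while this paragraph is being edited. "gateway values file" is also at odds with the Gateway section, which says "the configuration file", and "values file" is the term this page uses for the Helm input; use one term for the manifests that are applied with `kubectl`.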
@@ -258,6 +256,13 @@ Add the `listener` object to the `gateway` configuration and specify the followi - `hostname`: Hostname specifies the virtual hostname to match for protocol types. - `port`: Specifies the network port. - `protocol`: Specifies the network protocol expected by the listener. +- `tls` [`GatewayTLSConfig`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayTLSConfig) + - `mode` [`TLSModeType`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSModeType): Defaults to `Terminate` if unspecified, `Passthrough` is not yet supported. + - `certificateRefs` [`[]*SecretObjectReference`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.SecretObjectReference): Used for Envoy SDS (Secret Discovery Service) to support terminating TLS. + - `options`: Key/value pairs to enable implementation-specific extended TLS configuration. Consul API Gateway supports the following options: + - `"api-gateway.consul.hashicorp.com/tls_min_version"`: Set the minimum TLS version supported for this listener. Allowed values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`. If unspecified, Consul API Gateway will default to TLS 1.2. + - `"api-gateway.consul.hashicorp.com/tls_max_version"`: Set the maximum TLS version supported for this listener. Must be greater than or equal to `TLSMinVersion`. Allowed values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Consul API Gateway will use Envoy's current default of TLS 1.3. + - `"api-gateway.consul.hashicorp.com/tls_cipher_suites"`: Set the list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. 
If unspecified, Consul API Gateway will set a [more secure set of cipher suites](https://github.com/hashicorp/consul-api-gateway/blob/main/internal/common/tls.go#L3-L10) than Envoy's current [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). The full list of supported cipher suites can seen in [`internal/common/tls.go`](https://github.com/hashicorp/consul-api-gateway/blob/main/internal/common/tls.go) and is dependent on underlying support in Envoy. Future releases of Envoy may remove currently-supported but insecure cipher suites, and future releases of Consul API Gateway may add new supported cipher suites if any are added to Envoy. Refer to the Kubernetes Gateway API documentation for details about configuring listeners: From c7ac8b0eaea127f0883e639a03881ae2f2836c45 Mon Sep 17 00:00:00 2001 From: trujillo-adam Date: Wed, 26 Jan 2022 16:04:24 -0800 Subject: [PATCH 18/31] integrated TLS info --- website/content/docs/api-gateway.mdx | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 79c5ba32d4..5cddea611c 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
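Review bot: In the `@@ -258,6 +256,13 @@` hunk of PATCH 17/31, the `tls_max_version` entry says "Must be greater than or equal to `TLSMinVersion`", a name that appears nowhere else in the file; refer to the option key `api-gateway.consul.hashicorp.com/tls_min_version` instead. The `tls_min_version` entry lists `TLSv1_0` and `TLSv1_1` as allowed values without comment; since the stated default is TLS 1.2, add a sentence saying that lowering the minimum is only for legacy clients (both versions were deprecated by RFC 8996), and say what `TLS_AUTO` selects. The "more secure set of cipher suites" link points at `tls.go#L3-L10` on `main`, so the line range will drift as that file changes; link to a tag or commit. "can seen" should be "can be seen".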
@@ -253,16 +253,18 @@ Refer to the Kubernetes Gateway API documentation for details about configuring Listeners are the logical endpoints bound to the gateway's addresses. Add the `listener` object to the `gateway` configuration and specify the following properties to define a listener: -- `hostname`: Hostname specifies the virtual hostname to match for protocol types. -- `port`: Specifies the network port. -- `protocol`: Specifies the network protocol expected by the listener. -- `tls` [`GatewayTLSConfig`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayTLSConfig) - - `mode` [`TLSModeType`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSModeType): Defaults to `Terminate` if unspecified, `Passthrough` is not yet supported. - - `certificateRefs` [`[]*SecretObjectReference`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.SecretObjectReference): Used for Envoy SDS (Secret Discovery Service) to support terminating TLS. - - `options`: Key/value pairs to enable implementation-specific extended TLS configuration. Consul API Gateway supports the following options: - - `"api-gateway.consul.hashicorp.com/tls_min_version"`: Set the minimum TLS version supported for this listener. Allowed values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`. If unspecified, Consul API Gateway will default to TLS 1.2. - - `"api-gateway.consul.hashicorp.com/tls_max_version"`: Set the maximum TLS version supported for this listener. Must be greater than or equal to `TLSMinVersion`. Allowed values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Consul API Gateway will use Envoy's current default of TLS 1.3. - - `"api-gateway.consul.hashicorp.com/tls_cipher_suites"`: Set the list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. 
If unspecified, Consul API Gateway will set a [more secure set of cipher suites](https://github.com/hashicorp/consul-api-gateway/blob/main/internal/common/tls.go#L3-L10) than Envoy's current [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). The full list of supported cipher suites can seen in [`internal/common/tls.go`](https://github.com/hashicorp/consul-api-gateway/blob/main/internal/common/tls.go) and is dependent on underlying support in Envoy. Future releases of Envoy may remove currently-supported but insecure cipher suites, and future releases of Consul API Gateway may add new supported cipher suites if any are added to Envoy. +| Parameter | Description | Type | Default | +| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | --------------- | +| `hostname` | Specifies the virtual hostname to match for protocol types. | String | none | +| `port` | Specifies the network port number. | Integer | none | +| `protocol` | Specifies the network protocol expected by the listener. | String | `http` | +| `tls` | Collection of parameters that specify TLS options for the listener. 
Refer to the [`GatewayTLSConfig`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayTLSConfig) documentation for additional information about configuring TLS. | Object | N/A | +| `tls.mode` | Specifies a mode for operating Consul API Gateway listeners over TLS.
You can only specify the `Terminate` mode, which configures the TLS session between the downstream client and the gateway to terminate at the gateway.
Refer to the [`TLSModeType` documentation](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSModeType) for additional information. | String | `Terminate` | +| `tls.certificateRefs` | Specifies the name of secret object used for Envoy SDS (Secret Discovery Service) to support terminating TLS. Refer to the [`[]*SecretObjectReference` documentation](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.SecretObjectReference) for additional information. | String | N/A | +| `tls.options` | Specifies key/value pairs to enable extended TLS configuration specific to an implementation. | Object | N/A | +| `tls.options.tls_min_version` | Specifies the minimum TLS version supported for the listener. The following values are supported: `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`. | String | `TLS 1.2` | +| `tls.options.tls_max_version"` | Specifies the maximum TLS version supported for the listener. The specified version must be greater than or equal to `TLSMinVersion`. The following values are supported: `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`. | String | `TLS 1.3` | +| `tls.options.tls_cipher_suites` | Specifies the list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier.
If unspecified, a [more secure set of cipher suites](https://github.com/hashicorp/consul-api-gateway/blob/main/internal/common/tls.go#L3-L10) than Envoy's current [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites) will be used.
The full list of supported cipher suites can seen in [`internal/common/tls.go`](https://github.com/hashicorp/consul-api-gateway/blob/main/internal/common/tls.go) and is dependent on underlying support in Envoy. | String | See description | Refer to the Kubernetes Gateway API documentation for details about configuring listeners: From 4d97b6852619fca713ed54c2181272ce0350a72c Mon Sep 17 00:00:00 2001 From: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Date: Thu, 27 Jan 2022 08:06:54 -0800 Subject: [PATCH 19/31] Apply suggestions from code review Thanks for catching my typos! Co-authored-by: Nathan Coleman --- website/content/docs/api-gateway.mdx | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index 5cddea611c..eceefb8bd4 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
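Review bot: In the new listener table of PATCH 18/31 (`@@ -253,16 +253,18 @@`), the option rows are named `tls.options.tls_min_version`, `tls.options.tls_max_version"` and `tls.options.tls_cipher_suites`, while the removed bullets documented the keys as `"api-gateway.consul.hashicorp.com/tls_min_version"` and so on. Keep the fully qualified key in the table, since that is what a reader has to type, and drop the stray `"` after `tls_max_version`. The defaults `TLS 1.2` and `TLS 1.3` are not among the listed allowed values (`TLSv1_2`, `TLSv1_3`), the max-version row still points at `TLSMinVersion` rather than the option name the table uses, `tls.certificateRefs` and `tls.options.tls_cipher_suites` are typed as String although the text describes a list, and "can seen" in the cipher-suite row should read "can be seen".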
@@ -12,8 +12,8 @@ This topic describes how to use the Consul API Gateway add-on module, which help Consul API Gateway is an implementation of the Kubernetes [Gateway API Specification](https://gateway-api.sigs.k8s.io/). This specification defines a set of custom resource definitions (CRD) that can create logical gateways and routes based on the path or protocol of a client request. Consul API Gateway solves two primary use cases: -- **Controlling access at the point of entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., VeriSign, Let’sEncrypt). -- **Simplifying traffic management**: The Consul API Gateway can load balance requests across services and route traffic to the appropriate service based on matching one or more criteria, such as hostname, path, header presence or value, and HTTP Method type (e.g., GET, POST, PATCH). +- **Controlling access at the point of entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., Verisign, Let’s Encrypt). +- **Simplifying traffic management**: The Consul API Gateway can load balance requests across services and route traffic to the appropriate service by matching one or more criteria, such as hostname, path, header presence or value, and HTTP Method type (e.g., GET, POST, PATCH). ## Requirements 
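Review bot: In the first bullet, "provide clients with TLS certificates from trusted providers" reads as though the gateway hands certificates out to clients, whereas the listener section of this series describes the TLS session terminating at the gateway. Suggest wording along the lines of "present TLS certificates issued by trusted providers to clients". While this bullet list is being touched, "HTTP Method type" could also be lower-cased to "HTTP method".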
@@ -54,7 +54,7 @@ The following components will be installed: - CRDs required by the Kubernetes Gateway API specification - `kustomize` manifests for completing the installation -1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster. +1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster: ```shell-session $ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta" @@ -65,7 +65,7 @@ $ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config?ref= 1. Verify that the [requirements](#requirements) have been met. 1. Verify that the Consul API Gateway software has been installed and applied (see [Installation](#installation)). -1. Configure the gateway, listener(s), and route(s) as described in [Configuration](#configuration) +1. Configure the gateway, listener(s), and route(s) as described in [Configuration](#configuration). 1. Issue the `kubectl apply` command to implement the configurations, e.g.: ```shell-session 
@@ -125,7 +125,7 @@ consul-api-gateway 0.1.0 Configure the following artifacts to facilitate ingress into your Consul service mesh: -- [GatewayClassConfig](#gatewayclassconfig): Describes additional Consul API Gatway-related configuration parameters for the `GatewayClass` resource. +- [GatewayClassConfig](#gatewayclassconfig): Describes additional Consul API Gateway-related configuration parameters for the `GatewayClass` resource. - [GatewayClass](#gatewayclass): Defines a class of gateway resources that you can use as a template for creating gateways. - [Gateway](#gateway): Defines the main infrastructure resource that links API gateway components. It specifies the name of the `GatewayClass` and one or more `listeners` (see [Listeners](#listeners)), which specify the logical endpoints bound to the gateway's addresses. - [Routes](#routes): Specifies the path from the client to the listener. @@ -133,13 +133,13 @@ Configure the following artifacts to facilitate ingress into your Consul service ### GatewayClass The `GatewayClass` resource is used as a template for creating `Gateway` resources. -The specification includes the name of the controller (`controllerName`) and an API object containing controller-specific configuration resource within the cluster (`parametersRef`). +The specification includes the name of the controller (`controllerName`) and an API object containing controller-specific configuration resources within the cluster (`parametersRef`). The value of the `controllerName` field must be set to `hashicorp.com/consul-api-gateway-controller`. When gateways are created from a `GatewayClass`, they use the parameters specified in the `GatewayClass` at the time of instantiation. Add the `kind: GatewayClass` option to the the gateway values file to declare a gateway class. -The following example creates a gateway class called `test-gateway-class`. +The following example creates a gateway class called `test-gateway-class`: 
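Review bot: The unchanged context line "Add the `kind: GatewayClass` option to the the gateway values file to declare a gateway class." in the `@@ -133,13 +133,13 @@` hunk still has a doubled "the". Since this commit is a typo pass over the same paragraph, fix it here as well.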
@@ -166,7 +166,7 @@ Refer to the Kubernetes Gateway API documentation for details about configuring The `GatewayClassConfig` object describes additional Consul API Gateway-related configuration parameters for the `GatewayClass`. Add the `kind: GatewayClassConfig` option to the gateway values file to declare a gateway class. -The following example creates a gateway class called `test-gateway-class-config`. +The following example creates a gateway class called `test-gateway-class-config`: @@ -203,9 +203,9 @@ The following table describes the required parameters for the `spec` array: | `copyAnnotations.service` | List of annotations to copy to the gateway service. | Array | `["external-dns.alpha.kubernetes.io/hostname"]` | | `image.consulAPIGateway` | The image to use for consul-api-gateway. | String | `"hashicorp/consul-api-gateway:RELEASE_VERSION"` | | `image.envoy` | Specifies the container image to use for Envoy. | String | `"envoyproxy/envoy:v1.19-latest"` | -| `logLevel` | Specifies the error reporting level for logs. You can specify the following values: `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`, `ALL`, `OFF` | String | `"info"` | +| `logLevel` | Specifies the error reporting level for logs. You can specify the following values: `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`, `ALL`, `OFF`. | String | `"info"` | | `nodeSelector` | Specifies a set of parameters that constrain the nodes on which the pod can run. Defining nodes with the `nodeSelector` enables the pod to fit on a node. The selector must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | Object | N/A | -| `serviceType` | Sepcifies the ingress methods for a service. The following values are supported:
`ClusterIP`
`NodePort`
`LoadBalancer` | String | N/A | +| `serviceType` | Specifies the ingress methods for a service. The following values are supported:
`ClusterIP`
`NodePort`
`LoadBalancer`. | String | N/A | | `useHostPorts` | If set to `true`, then the Envoy container ports are mapped to host ports. | Boolean | `false` | Refer to the Consul API Gateway repository for the complete specification: From 3324bea8294ca18e8bb9c4a15075e3af58747f6c Mon Sep 17 00:00:00 2001 From: Mike Morris Date: Thu, 27 Jan 2022 11:12:23 -0500 Subject: [PATCH 20/31] website: fix indentation to resolve CodeBlockConfig syntax error --- website/content/docs/api-gateway.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index eceefb8bd4..d7446ec3a8 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx @@ -26,7 +26,7 @@ Your datacenter must meet the following requirements prior to configuring the Co 1. Create a values file for your Consul server agents that contains the following parameters: - + ```yaml global: @@ -40,7 +40,7 @@ controller: enabled: true ``` - + 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. From 1c7a9c688546106f63f34fc7c2950027fad051e9 Mon Sep 17 00:00:00 2001 From: Mike Morris Date: Thu, 27 Jan 2022 11:34:11 -0500 Subject: [PATCH 21/31] website: fix ordering of list with nested code blocks --- website/content/docs/api-gateway.mdx | 52 ++++++++++++++-------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/website/content/docs/api-gateway.mdx b/website/content/docs/api-gateway.mdx index d7446ec3a8..0f3817a79c 100644 --- a/website/content/docs/api-gateway.mdx +++ b/website/content/docs/api-gateway.mdx 
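Review bot: In the `@@ -203,9 +203,9 @@` hunk of PATCH 19/31, the `logLevel` row lists its allowed values in upper case (`FATAL`, `ERROR`, `WARN`, ...) but gives the default as `"info"`. State whether the value is case-insensitive, or make the default and the allowed values agree, so that a reader copying from the table knows which spelling is accepted.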
@@ -26,40 +26,40 @@ Your datacenter must meet the following requirements prior to configuring the Co 1. Create a values file for your Consul server agents that contains the following parameters: - + -```yaml -global: - name: consul - image: 'hashicorp/consul:1.11.2' - tls: + ```yaml + global: + name: consul + image: 'hashicorp/consul:1.11.2' + tls: + enabled: true + connectInject: enabled: true -connectInject: - enabled: true -controller: - enabled: true -``` + controller: + enabled: true + ``` - + 1. Install Consul API Gateway using the standard Consul Helm chart and specify the custom values file. -```shell-session -$ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml -``` + ```shell-session + $ helm install consul hashicorp/consul --version 0.39.0 --values values.yaml + ``` -The following components will be installed: + The following components will be installed: - - Gateway controller - - CRDs required by the Kubernetes Gateway API specification - - `kustomize` manifests for completing the installation + - Gateway controller + - CRDs required by the Kubernetes Gateway API specification + - `kustomize` manifests for completing the installation 1. After `helm` installs Consul API Gateway packages, issue the following commands to apply the API gateway to your Kubernetes cluster: -```shell-session -$ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta" -$ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-beta" -``` + ```shell-session + $ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta" + $ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-beta" + ``` ## Usage 
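Review bot: The "following components will be installed" list, now nested under step 2, says the Helm install delivers the CRDs and the `kustomize` manifests, yet step 3 fetches both from `github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta` and `.../config?ref=v0.1.0-beta`. Clarify which step installs which component, or move the list after step 3 so it describes the result of the whole procedure. Because the whitespace-only change re-indents the YAML, also confirm in the rendered page that `connectInject` and `controller` are still top-level siblings of `global`.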
@@ -68,9 +68,9 @@ $ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config?ref= 1. Configure the gateway, listener(s), and route(s) as described in [Configuration](#configuration). 1. Issue the `kubectl apply` command to implement the configurations, e.g.: -```shell-session -$ kubectl apply --values gateway-configuration.yaml -``` + ```shell-session + $ kubectl apply --values gateway-configuration.yaml + ```
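Review bot: The re-indented command `kubectl apply --values gateway-configuration.yaml` uses a flag that `kubectl apply` does not have; `--values` belongs to `helm`. Since these lines are being rewritten anyway, change it to `kubectl apply --filename gateway-configuration.yaml` so the usage step works as written.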