Best way for ingress into service mesh?

I wanted to add ingress traffic into the mesh these requirements:

• traffic between ingress controller (LB) is encrypted
• ingress controller supports both gRPC and HTTP traffic
• certificate for publically trusted CA terminated at endpoint

Right now, I am lost and a little confused on which is the route to take, as there seems to be quite a few options:

• ingress/mesh/terminating gateways
  • Gateways Overview | Consul | HashiCorp Developer
  • Configure Ingress Gateways for Consul on Kubernetes | Consul | HashiCorp Developer
• api gateway
  • Consul API Gateway Overview | Consul | HashiCorp Developer
  • Control Access into the Service Mesh with Consul API Gateway | Consul - HashiCorp Learn
• ingress controller
  • Configure Ingress Controllers for Consul on Kubernetes | Consul | HashiCorp Developer
    • GitHub - kschoche/traefik-consul
    • GitHub - joatmon08/consul-k8s-ingress-controllers: Testing for different API gateways with Consul
    • GitHub - dhiaayachi/eks-consul-ingressnginx: This a basic deployment to show case using nginx as ingress with Consul in transparent mode
  • Ambassador
    • https://www.getambassador.io/docs/edge-stack/latest/howtos/consul/
  • Traefik:
    • Traefik Consul Documentation - Traefik
    • Traefik Proxy and HashiCorp Consul | Traefik Labs
  • Kong
    • Using HashiCorp Consul with Kong Ingress Controller for Kubernetes

Consul API Gateway is our preferred solution for ingressing public traffic to the mesh and implements the Kubernetes Gateway API spec, which is intended to replace Ingress (as implemented by the controllers you mentioned). It currently meets two of your requirements.

• Traffic between ingress and mesh services is encrypted.
• Supports specifying a public CA for TLS termination (Consul’s ingress gateways don’t support this and are intended more for E/W ingress within a datacenter).

We don’t support gRPC directly yet (I’m unsure if it may be possible to implement indirectly over a lower-level protocol with HTTPRoute or TCPRoute), but GRPCRoute was recently added to the upstream Gateway API spec, and we’d definitely appreciate a feature request at Issues · hashicorp/consul-api-gateway · GitHub to help prioritize our future roadmap!

Thanks for the response, I will follow up with that request. Are there any solutions today that can meet the gRPC requirements + encrypted traffic b/w ingress controller and mesh?

I tried out NGINX service mesh recently, and the NGINX Kubernetes ingress controller has long supported both gRPC and HTTP with public CA for TLS termination. The only problem though, is that currently, integration between NGINX SM and NGINX KIC requires a commercial license of NGINX+ (ref). The NGINX SM is not currently optimal for many reasons, but more especially is that east-west traffic, it doesn’t support restricting/controlling gRPC traffic, only HTTP, as NGINX SM strictly follows the SMI Spec CRDs, which hasn’t gotten around to gRPC yet (ref).

Segue, the SMI Spec seems to have taken a pause (ref) while efforts between Gateway and SMI are collaborating with the Gamma Initiative group.