Best way for ingress into service mesh?

Consul API Gateway is our preferred solution for ingressing public traffic to the mesh and implements the Kubernetes Gateway API spec, which is intended to replace Ingress (as implemented by the controllers you mentioned). It currently meets two of your requirements.

  • Traffic between ingress and mesh services is encrypted.
  • Supports specifying a public CA for TLS termination (Consul’s ingress gateways don’t support this and are intended more for E/W ingress within a datacenter).

We don’t support gRPC directly yet (I’m unsure if it may be possible to implement indirectly over a lower-level protocol with HTTPRoute or TCPRoute), but GRPCRoute was recently added to the upstream Gateway API spec, and we’d definitely appreciate a feature request at Issues · hashicorp/consul-api-gateway · GitHub to help prioritize our future roadmap!
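Added example, not part of the original reply or the project's documentation: a minimal Gateway API manifest showing TLS termination at the gateway with a certificate issued by a public CA, plus an HTTPRoute to a mesh service. The resource names, namespace, hostname, ports, the `consul-api-gateway` GatewayClass name and the `v1beta1` API version are assumptions; match them to the CRDs and GatewayClass installed in your cluster.

```yaml
# Constructed example: every name, namespace, hostname and port is a placeholder.
apiVersion: gateway.networking.k8s.io/v1beta1   # assumption: use the version your installed CRDs serve
kind: Gateway
metadata:
  name: public-gateway
  namespace: consul
spec:
  gatewayClassName: consul-api-gateway   # assumption: the GatewayClass created at install time
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: app.example.com
      tls:
        mode: Terminate                  # TLS ends at the gateway; gateway-to-service traffic uses mesh encryption
        certificateRefs:
          - kind: Secret
            name: app-example-com-tls    # kubernetes.io/tls Secret: chain + key issued by the public CA
      allowedRoutes:
        namespaces:
          from: Same                     # only routes in this namespace may attach to the listener
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: web-route
  namespace: consul
spec:
  parentRefs:
    - name: public-gateway
      sectionName: https                 # bind to the HTTPS listener only
  hostnames:
    - app.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - kind: Service
          name: web                      # hypothetical mesh service
          port: 8080
```

Keeping `allowedRoutes` at `Same` and the certificate Secret in the gateway's own namespace limits who can attach routes to the public listener or reference its private key.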