Hi,
I am trying to use Consul API gateway on a EKS cluster but the gateway doesn’t seem to be fully compliant with the official conformance specs. I’m specifically looking at HTTPRoute and RequestRedirect which is a core filter.
The documentation has no mention of it: HTTP route configuration entry reference | Consul | HashiCorp Developer
Weirdly it does kind of work, as in the controller accepts routes with RequestRedirect filters but the routes don’t do anything in my setup.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: external-gtw
namespace: kube-system
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<redacted>"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
gatewayClassName: consul
listeners:
- protocol: HTTPS
port: 443
name: https
allowedRoutes:
namespaces:
from: "All"
- protocol: HTTP
port: 80
name: http
allowedRoutes:
namespaces:
from: "All"
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: http-to-https-redirect
annotations:
gateway.networking.k8s.io/controller: consul.hashicorp.com/gateway-controller
spec:
parentRefs:
- name: external-gtw
sectionName: http
namespace: kube-system
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
backendRefs:
- kind: Service
name: <redacted>
namespace: <redacted>
port: 81
The way the controller accepts the route is also a bit strange, in that it needs a backendref and without it I get
status:
parents:
- conditions:
- lastTransitionTime: '2025-08-29T16:36:23Z'
message: resolved backend references
observedGeneration: 1
reason: ResolvedRefs
status: 'True'
type: ResolvedRefs
- lastTransitionTime: '2025-08-29T16:36:23Z'
message: route accepted
observedGeneration: 1
reason: Accepted
status: 'True'
type: Accepted
- lastTransitionTime: '2025-08-29T16:36:23Z'
message: route synced to Consul
observedGeneration: 1
reason: Synced
status: 'True'
type: Synced
- lastTransitionTime: '2025-08-29T16:36:23Z'
message: route must target at least one upstream service
observedGeneration: 1
reason: NoUpstreamServicesTargeted
status: 'False'
type: ConsulAccepted
Which is wildly different from the Gateway API example at: HTTP redirects and rewrites - Kubernetes Gateway API
The other issue I’ve run into is that HTTPRoute Hostnames should support wildcards based on the official CRD, but the consul controller spits out
message: >-
Unexpected response code: 500 (host "*.<redacted>.com" must not be
a wildcard)
Versions:
consul-helm: 1.4.8
consul: 1.18.2