[Consul/K8S] api gateway has no address

I am somewhat new to Consul and Kubernetes. I have a problem where I am trying to follow this guide, "Enable external traffic ingress into Consul service mesh", but for some reason I am not able to get the api-gateway working. I am deploying locally and using helm.

My goal is to learn to create a microservice from the ground up, so I am starting with the guide. Do let me know if this guide/architecture is outdated.


Some logs:

kubectl get svc/api-gateway -n consul
NAME          TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
api-gateway   LoadBalancer   10.96.155.20   <pending>     80:31325/TCP   6m44s

kubectl get gateway api-gateway -n consul
NAME          CLASS    ADDRESS   PROGRAMMED   AGE
api-gateway   consul             True         7m16s

I checked the log but I see no warnings besides:
2024-12-19T18:01:03.705Z+00:00 [warning] envoy.misc(19) Deprecated field: type envoy.config.cluster.v3.Cluster Using deprecated option 'envoy.config.cluster.v3.Cluster.http2_protocol_options' from file cluster.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override.

Describe:

kubectl describe gateway api-gateway -n consul

Name:         api-gateway
Namespace:    consul
Labels:       <none>
Annotations:  consul.hashicorp.com/gateway-class-config:
                {"serviceType":"LoadBalancer","deployment":{"defaultInstances":1,"maxInstances":1,"minInstances":1,"resources":{"limits":{"cpu":"100m","me...
API Version:  gateway.networking.k8s.io/v1beta1
Kind:         Gateway
Metadata:
  Creation Timestamp:  2024-12-19T18:00:59Z
  Finalizers:
    gateway-finalizer.consul.hashicorp.com
  Generation:        1
  Resource Version:  1214
  UID:               86a86196-c855-49c1-beeb-f7cb9e17a0df
Spec:
  Gateway Class Name:  consul
  Listeners:
    Allowed Routes:
      Namespaces:
        From:  All
    Name:      http
    Port:      80
    Protocol:  HTTP
Status:
  Conditions:
    Last Transition Time:  2024-12-19T18:00:59Z
    Message:               gateway accepted
    Observed Generation:   1
    Reason:                Accepted
    Status:                True
    Type:                  Accepted
    Last Transition Time:  2024-12-19T18:01:29Z
    Message:               gateway programmed
    Observed Generation:   1
    Reason:                Programmed
    Status:                True
    Type:                  Programmed
    Last Transition Time:  2024-12-19T18:00:59Z
    Message:               gateway synced to Consul
    Observed Generation:   1
    Reason:                Synced
    Status:                True
    Type:                  Synced
    Last Transition Time:  2024-12-19T18:01:00Z
    Message:               gateway is valid
    Observed Generation:   1
    Reason:                Accepted
    Status:                True
    Type:                  ConsulAccepted
  Listeners:
    Attached Routes:  1
    Conditions:
      Last Transition Time:  2024-12-19T18:01:29Z
      Message:               listener accepted
      Observed Generation:   1
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-12-19T18:01:29Z
      Message:               listener programmed
      Observed Generation:   1
      Reason:                Programmed
      Status:                True
      Type:                  Programmed
      Last Transition Time:  2024-12-19T18:01:29Z
      Message:               listener has no conflicts
      Observed Generation:   1
      Reason:                NoConflicts
      Status:                False
      Type:                  Conflicted
      Last Transition Time:  2024-12-19T18:01:29Z
      Message:               resolved references
      Observed Generation:   1
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
    Name:                    http
    Supported Kinds:
      Group:  gateway.networking.k8s.io
      Kind:   HTTPRoute
Events:       <none>

Hi @anderalextu,

Welcome to HashiCorp Forums!

Assigning an external IP to the LoadBalancer resource is within the scope of Kubernetes. What Kubernetes distribution are you using? If you are following the docs as they are, you will see that the doc uses Kind, and for a local setup it uses the NodePort service type (instead of a LoadBalancer).

ref: Enable external traffic ingress into Consul service mesh | Consul | HashiCorp Developer

If your Kubernetes clusters don’t have a LoadBalancer Controller, you should switch the service type to NodePort to continue following that tutorial.

Ah, thanks. I didn’t modify that part, now there is an address. However, I still cannot reach localhost:8443. I am not sure which distribution I am using, I am just using kind, helm and kubectl.

Here is what I am doing in order. I don’t think the order is wrong, if it matters.

deploy:
	kind create cluster --config=kind/cluster.yaml
	helm install --values helm/values-v2.yaml consul hashicorp/consul --create-namespace --namespace consul

	timeout 30
	kubectl apply --filename hashicups/v1
	timeout 30
	kubectl apply --filename hashicups/intentions/allow.yaml
	timeout 30
	kubectl apply --filename api-gw/consul-api-gateway.yaml --namespace consul
	timeout 30
	kubectl wait --for=condition=accepted gateway/api-gateway --namespace consul --timeout=90s
	kubectl apply --filename api-gw/routes.yaml --namespace consul
	kubectl apply --filename api-gw/intentions.yaml --namespace consul
	timeout 30
	kubectl apply --filename hashicups/v2/

The only things that I do differently from the guide are that I am not specifying a version for helm install, so I am using whatever is the latest, and I of course changed LoadBalancer to NodePort in values-v2.yaml.

I also modified kind/cluster.yaml to use image: kindest/node:v1.32.0 (otherwise it just fails) and I added listenAddress: "127.0.0.1" to every extraPortMappings because I couldn’t for example forward the consul-ui port otherwise.

Like so:

$kind/cluster.yaml

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:v1.32.0
  extraPortMappings:
  - containerPort: 443
    hostPort: 443
    listenAddress: "127.0.0.1"
    protocol: TCP
  - containerPort: 8501
    hostPort: 8501
    listenAddress: "127.0.0.1"
    protocol: TCP
  - containerPort: 8502
    hostPort: 8502
    listenAddress: "127.0.0.1"
    protocol: TCP
  - containerPort: 8443
    hostPort: 8443
    protocol: TCP

Here are some warnings in the log: a deprecated field, "internal_address_config is not configured" and "There is no configured limit to the number of allowed active downstream connections".

2024-12-20T08:33:55.843Z+00:00 [warning] envoy.misc(19) Deprecated field: type envoy.config.cluster.v3.Cluster Using deprecated option 'envoy.config.cluster.v3.Cluster.http2_protocol_options' from file cluster.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override.

2024-12-20T08:33:56.459Z+00:00 [warning] envoy.misc(19) internal_address_config is not configured. The existing default behaviour will trust RFC1918 IP addresses, but this will be changed in next release. Please explictily config internal address config as the migration step or config the envoy.reloadable_features.explicit_internal_address_config to true to untrust all ips by default

2024-12-20T08:33:56.639Z+00:00 [warning] envoy.main(19) There is no configured limit to the number of allowed active downstream connections. Configure a limit in `envoy.resource_monitors.global_downstream_max_connections` resource monitor.

Describe:

kubectl describe gateway api-gateway -n consul

Name:         api-gateway
Namespace:    consul
Labels:       <none>
Annotations:  consul.hashicorp.com/gateway-class-config:
                {"serviceType":"NodePort","deployment":{"defaultInstances":1,"maxInstances":1,"minInstances":1,"resources":{"limits":{"cpu":"100m","memory...
API Version:  gateway.networking.k8s.io/v1beta1
Kind:         Gateway
Metadata:
  Creation Timestamp:  2024-12-20T08:33:52Z
  Finalizers:
    gateway-finalizer.consul.hashicorp.com
  Generation:        1
  Resource Version:  1634
  UID:               33ea0e6a-218e-4d4e-9397-32e9e856e948
Spec:
  Gateway Class Name:  consul
  Listeners:
    Allowed Routes:
      Namespaces:
        From:  Same
    Name:      https
    Port:      8443
    Protocol:  HTTPS
    Tls:
      Certificate Refs:
        Group:
        Kind:   Secret
        Name:   consul-server-cert
      Mode:     Terminate
Status:
  Addresses:
    Type:   IPAddress
    Value:  172.18.0.2
  Conditions:
    Last Transition Time:  2024-12-20T08:33:52Z
    Message:               gateway accepted
    Observed Generation:   1
    Reason:                Accepted
    Status:                True
    Type:                  Accepted
    Last Transition Time:  2024-12-20T08:33:53Z
    Message:               gateway programmed
    Observed Generation:   1
    Reason:                Programmed
    Status:                True
    Type:                  Programmed
    Last Transition Time:  2024-12-20T08:33:52Z
    Message:               gateway synced to Consul
    Observed Generation:   1
    Reason:                Synced
    Status:                True
    Type:                  Synced
    Last Transition Time:  2024-12-20T08:33:53Z
    Message:               gateway is valid
    Observed Generation:   1
    Reason:                Accepted
    Status:                True
    Type:                  ConsulAccepted
  Listeners:
    Attached Routes:  1
    Conditions:
      Last Transition Time:  2024-12-20T08:34:22Z
      Message:               listener accepted
      Observed Generation:   1
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-12-20T08:34:22Z
      Message:               listener programmed
      Observed Generation:   1
      Reason:                Programmed
      Status:                True
      Type:                  Programmed
      Last Transition Time:  2024-12-20T08:34:22Z
      Message:               listener has no conflicts
      Observed Generation:   1
      Reason:                NoConflicts
      Status:                False
      Type:                  Conflicted
      Last Transition Time:  2024-12-20T08:34:22Z
      Message:               resolved references
      Observed Generation:   1
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
    Name:                    https
    Supported Kinds:
      Group:  gateway.networking.k8s.io
      Kind:   HTTPRoute
Events:       <none>
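A check on the kind/cluster.yaml posted above, added here as an example and not part of the original post or the tutorial: the 8443 mapping has no listenAddress, and kind binds a mapping without one to 0.0.0.0, so the gateway's host port is open on every interface of the workstation. The sample config is constructed from two of the posted mappings, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: two of the mappings from the posted kind/cluster.yaml.
KIND_CONFIG = """\
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:v1.32.0
  extraPortMappings:
  - containerPort: 8501
    hostPort: 8501
    listenAddress: "127.0.0.1"
    protocol: TCP
  - containerPort: 8443
    hostPort: 8443
    protocol: TCP
"""

def port_mappings(text):
    """Minimal line parser for the extraPortMappings lists of a kind config."""
    mappings, key_indent = [], None
    for line in text.splitlines():
        body = line.split(" #")[0].strip()
        indent = len(line) - len(line.lstrip())
        if body == "extraPortMappings:":
            key_indent = indent
        elif not body or key_indent is None:
            continue
        elif indent < key_indent or (indent == key_indent and body[:2] != "- "):
            key_indent = None  # dedent: the list has ended
        else:
            if body.startswith("- "):
                mappings.append({})  # a new list item starts a new mapping
            key, _, value = body.lstrip("- ").partition(":")
            mappings[-1][key.strip()] = value.strip().strip("\"'")
    return mappings

def exposed_mappings(text):
    """Return (hostPort, bind address) pairs that are not loopback-only."""
    exposed = []
    for m in port_mappings(text):
        addr = m.get("listenAddress", "0.0.0.0")  # kind's default when omitted
        if not ipaddress.ip_address(addr).is_loopback:
            exposed.append((int(m.get("hostPort", 0)), addr))
    return exposed

if __name__ == "__main__":
    for port, addr in exposed_mappings(KIND_CONFIG):
        print(f"hostPort {port} binds to {addr}: reachable from other hosts")
```

Adding listenAddress: "127.0.0.1" to the 8443 entry, as on the other mappings, makes the check return an empty list.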

Hi @anderalextu,

With the change from LoadBalancer to NodePort, you should check the Kind documentation to determine how to access the services.

Could you also verify whether you have applied the proxy-defaults CRD? If not, please apply the same using this file. Without setting the service protocol to http the API Gateway listeners won’t get populated.

Ref: learn-consul-get-started-kubernetes/self-managed/local/proxy/proxy-defaults.yaml at main · hashicorp-education/learn-consul-get-started-kubernetes · GitHub
