I’ve successfully set up a non-cloud cluster with Consul (Connect enabled), Nomad and Vault. It’s done with 3 Nomad/Consul servers and 3 Nomad/Consul client nodes, all on bare metal.
If I have understood correctly, the Ingress Gateway will handle the traffic from outside the cluster to the service mesh of my Nomad job services.
Do you have a reference architecture for managing the ingress gateway on Nomad hosts?
Do I need only one named Ingress Gateway instance which listens on port 80 on each client node in my cluster? In my case, 3 ingress gateways. But in this case, that means all the Ingress gateways are configured in one Consul Config Entry for all my Consul services. If I have hundreds of services, it’s complicated to manage this file.
Another possibility would be to have an ingress gateway dedicated to each service that I want to be available outside my service mesh, and so separate Consul Config Entries for each IG. As the IG does port mapping to the host, I cannot have 2 Ingress gateways listening on the same port (like 80) of the Consul/Nomad node. Maybe put a second-stage reverse proxy (Traefik for example) in front of all the Ingress gateways with non-statically defined ports? But I think I lose the Ingress Gateway advantages, because that adds a second stage, and if I need TLS, the second proxy will have the role of terminating the TLS connection.
So I really enjoy the HashiStack but I don’t really know how to deal with inbound client traffic into my Nomad/Consul service mesh cluster. It would be so great if the documentation covered this use case.
I have to use Traefik as an edge proxy because of its powerful routing criteria, automatic Let’s Encrypt SSL…
The Ingress Gateway will listen on localhost, and Traefik will forward traffic to the Ingress Gateway. It will be a bit slower because of the extra proxy, but it has much more flexibility.
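The layout described in the reply above (Traefik on the host port, the Consul ingress gateway reachable only on a loopback address behind it), written out as one Nomad job. This is an added example and not code from either poster or from HashiCorp's documentation. It assumes a datacenter named `dc1`, a Connect-enabled service already registered as `web`, the public hostname `web.example.com`, a Traefik v2 image, and that the Traefik entrypoint is port 80; none of those come from the thread.

```hcl
# Added example: Traefik at the edge, Consul ingress gateway behind it on loopback.
# Names, hostnames, ports and the image tag are assumptions, not values from the thread.
job "edge" {
  datacenters = ["dc1"] # assumption: your Consul/Nomad datacenter name

  group "edge" {
    # One edge pair per client node: the static host port 80 below means Nomad
    # cannot place two of these allocations on the same node.
    count = 3

    network {
      mode = "bridge"
      # Only Traefik's entrypoint is mapped onto the host. The ingress gateway
      # listener (8080) is deliberately NOT mapped, so it is reachable only
      # inside this group's network namespace, i.e. by Traefik at 127.0.0.1:8080.
      port "http" {
        static = 80
        to     = 80
      }
    }

    # Consul ingress gateway (Envoy). Nomad injects the proxy task and writes the
    # matching ingress-gateway config entry into Consul from the block below, so
    # there is no separate config-entry file to maintain per service.
    service {
      name = "ingress-gateway"
      port = "8080"

      connect {
        gateway {
          ingress {
            listener {
              port     = 8080
              protocol = "http"
              service {
                name  = "web"               # assumption: a Connect-enabled service named "web"
                hosts = ["web.example.com"] # Host header Envoy routes on
              }
            }
          }
        }
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image = "traefik:v2.10" # assumption: any Traefik v2 image behaves the same here
        ports = ["http"]
        args = [
          "--entrypoints.web.address=:80",
          "--providers.file.filename=/local/dynamic.yml",
        ]
      }

      # Traefik dynamic configuration: route the public hostname to the ingress
      # gateway on the namespace-local loopback address. passHostHeader keeps the
      # original Host header, which is what the Consul listener matches on.
      template {
        destination = "local/dynamic.yml"
        data        = <<EOF
http:
  routers:
    web:
      rule: "Host(`web.example.com`)"
      entryPoints: ["web"]
      service: mesh-ingress
  services:
    mesh-ingress:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://127.0.0.1:8080"
EOF
      }
    }
  }
}
```

Two Consul-side checks before expecting traffic to flow: an HTTP ingress listener requires the upstream service's protocol to be `http` (a `service-defaults` config entry for `web`, or the equivalent proxy config on its sidecar), and an intention must allow `ingress-gateway` to reach `web`, otherwise Envoy returns errors even though Traefik's routing is correct. Adding more public services means adding another `service` block under `listener` (or another `listener` on a different port) and a matching Traefik router; TLS and Let's Encrypt stay with Traefik as the reply describes, so the gateway listener can remain plain HTTP on loopback.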