Ingress Gateway for services without a connect proxy


I’m trying to set up an Ingress Gateway with a wildcard which works for services that have a proxy sidecar, but I would like to reach services without one too. This would make parts of a migration much easier. Is this possible or not? Because my Ingress Gateway is always returning Status: 503 with Body “no healthy upstreams”.

Hi @Hillkorn, you can use the wildcard but only for HTTP traffic. If the service doesn’t have a sidecar, may I ask how it’s participating in the service mesh?

I use HTTP and the wildcard but it doesn’t work if the service is just registered in consul without the connect config and proxy sidecar.

We want to migrate to consul-connect, and to make it as easy as possible I thought developers could just use Ingress Gateways for Batch Jobs, for example, and wouldn’t need to care whether the targeted service is in the connect mesh or not.
I also thought that I could have services in k8s accessible with the Ingress Gateway, but that doesn’t work then either, I guess, and an Ingress Controller is still needed for that?

What I see as a bit of a problem is that the UI and consul DNS don’t complain in any way and even show that they will route to that service, but the proxy in the end complains there is no healthy upstream, which is wrong; instead the problem is that there is no healthy mesh-registered upstream. To make it more clear, the UI puts the labels on the service that they are available by a Gateway and all instances of the service are healthy.

The ingress gateway requires the service to be available in the mesh, otherwise it has no way of knowing where to send traffic to. So the service needs to be registered in the mesh with a sidecar, such as Envoy.

You are correct in thinking that services in K8s can become accessible to the outside world (non-k8s) through ingress gateway. But, yes that would require an ingress controller, or in simple terms, a deployment containing the ingress-controller and Envoy.

If the upstream is not registered in the mesh then as you pointed out, routing to it will fail.

But why isn’t it a problem for the envoy sidecar in transparent proxy mode? There it is able to route to services no matter whether they have a sidecar or not.

Transparent proxy leverages Kubernetes DNS to resolve the upstream. That’s why you don’t need to define the upstream explicitly. So instead of pointing to localhost you can now instead use the DNS name of the service. But if not using transparent proxy, then you need to have the application send traffic to localhost. This blog helps explain how transparent proxy works in Kubernetes.

Thanks, will take a look

I think right now routing from ingress gateways to services not in the mesh but registered in regular Consul service discovery is just not supported.

It’s a valid feature request though.

I think the original thought was that you’d use a regular LB for non-mesh services.
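
Added example, not part of the thread and not HashiCorp code: a pre-migration check that lists which catalog services a wildcard ingress gateway could actually route to, since the UI shows catalog-only services as healthy while the gateway answers 503. The sample data is constructed in the shape of Consul's `/v1/agent/services` response, the function name `mesh_reachability` is hypothetical, and Connect-native services are assumed to count as in the mesh.

```python
# Constructed sample shaped like the JSON map returned by Consul's
# /v1/agent/services endpoint (all service names and IDs are made up).
SAMPLE_SERVICES = {
    "web-1": {"ID": "web-1", "Service": "web", "Kind": ""},
    "web-1-sidecar-proxy": {
        "ID": "web-1-sidecar-proxy", "Service": "web-sidecar-proxy",
        "Kind": "connect-proxy",
        "Proxy": {"DestinationServiceName": "web"},
    },
    # Registered in the catalog only: no sidecar, not Connect-native.
    "batch-1": {"ID": "batch-1", "Service": "batch", "Kind": ""},
    "native-1": {"ID": "native-1", "Service": "native", "Kind": "",
                 "Connect": {"Native": True}},
    "ingress-1": {"ID": "ingress-1", "Service": "ingress-gateway",
                  "Kind": "ingress-gateway"},
}


def mesh_reachability(services):
    """Return (in_mesh, catalog_only) lists of ordinary service names.

    A service name counts as in the mesh when some connect-proxy
    registration names it as its destination, or when it is registered
    as Connect-native. Gateway registrations are ignored.
    """
    proxied, native, plain = set(), set(), set()
    for svc in services.values():
        kind = svc.get("Kind") or ""
        if kind == "connect-proxy":
            dest = (svc.get("Proxy") or {}).get("DestinationServiceName")
            if dest:
                proxied.add(dest)
        elif kind == "":
            plain.add(svc["Service"])
            if (svc.get("Connect") or {}).get("Native"):
                native.add(svc["Service"])
    in_mesh = sorted(plain & (proxied | native))
    catalog_only = sorted(plain - proxied - native)
    return in_mesh, catalog_only


if __name__ == "__main__":
    ok, unreachable = mesh_reachability(SAMPLE_SERVICES)
    print("routable through the ingress gateway:", ok)
    print("catalog-only, expect 'no healthy upstreams':", unreachable)
```

The check works per service name, so a service with sidecars on only some instances still counts as in the mesh here.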