Ingress Gateway Helm Chart

Hi all,

I am trying to understand ingress gateways to expose a web service to the outside world through Consul. I am using the Consul Helm chart. How would I be able to add listeners to the Helm chart?

Listeners = [
 {
   Port = 8080
   Protocol = "tcp"
   Services = [
     {
       Name = "counting"
     }
   ]
 }
]

I’m following the tutorial below, but it doesn’t look like there’s a field to put services.name = "counting" in the Helm chart.

Protocol = "tcp"
   Services = [
     {
       Name = "counting"
     }

Hi @jason123,

Here is the page in our product documentation that I think will help you: Ingress Gateways on Kubernetes.

We also have a new product, Consul API Gateway, that may fit your needs better than Ingress Gateway. It is tightly integrated with Consul and has some features that Ingress Gateway doesn’t.

  • It can use SSL/TLS Server certificates signed by any Certificate Authority (such as Let’s Encrypt and Verisign).

  • It implements the Kubernetes Gateway API and you configure it using that standard. See the Kubernetes Gateway API (k8s.io) website for more info on that standard.

Here is the link that takes you directly to the product documentation: Consul API Gateway Overview.

Let us know if you have more questions.

Regards,
Jeff

Hi @Jeff-Apple,

Thanks! This is helpful. Would the Consul API Gateway be like a better version than Ingress Gateways?

Hi @jason123,

Yes, for Kubernetes environments, Consul API Gateway is now our recommended solution instead of Ingress Gateway.

Our focus is on adding features to API Gateway, not Ingress Gateway. The focus includes a team of engineers that work exclusively on API Gateway.

Again, let us know if you have any other questions.

Regards,
Jeff

Hi @Jeff-Apple,

I’m getting
Error: [ERROR] installing App V2: helm install --namespace=default --timeout=10m0s --values=/home/shell/helm/values-consul-0.41.1.yaml --version=0.41.1 --wait=true backend-consul /home/shell/helm/consul-0.41.1.tgz Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "GatewayClass" in version "gateway.networking.k8s.io/v1alpha2", unable to recognize "": no matches for kind "GatewayClassConfig" in version "api-gateway.consul.hashicorp.com/v1alpha1"]

My current config is

global:
    datacenter: dc2
    name: consul
    domain: consul
    image: "hashicorp/consul:1.11.2"
    tls:
        enabled: true
        enableAutoEncrypt: true
        caCert:
            secretName: consul-federation
            secretKey: caCert
        caKey:
            secretName: consul-federation
            secretKey: caKey
    acls:
        manageSystemACLs: false
    federation:
        enabled: true
    gossipEncryption:
        secretName: consul-federation
        secretKey: gossipEncryptionKey
    logJSON: true
connectInject:
    enabled: true
    transparentProxy:
      defaultEnabled: true
    default: false
controller:
    enabled: true
meshGateway:
    enabled: true
metrics:
    enabled: true
prometheus:
    enabled: true
ui:
    enabled: true
server:
    replicas: 1
    extraVolumes:
        - type: secret
          name: consul-federation
          items:
              - key: serverConfigJSON
                path: config.json
          load: true
client:
    enabled: true
ingressGateways:
    enabled: true
    gateways:
    - name: ingress-gateway
      service:
        type: LoadBalancer
apiGateway:
    enabled: true
    image: "hashicorp/consul-api-gateway:0.1.0"
    logLevel: debug

@jason123,

This error is usually caused by not installing the Gateway API CRDs. The command to do that is shown as the first step in the installation instructions. See Consul API Gateway Usage | Consul by HashiCorp.

Here is the actual command:

kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0"

After you have run that command, retry the install and let us know if that solved the problem for you.

Jeff

Hi Jason,

I wanted to answer your original question in this thread so that others can benefit if they come across this post.

By default the Helm chart configures Kubernetes to expose ports 8080 and 8443 for each logical ingress gateway that is deployed. When ingressGateways.enabled is set to true in the Helm chart, the Helm chart creates a deployment for a single logical gateway named ingress-gateway.

If you want to customize the ports for this specific gateway, create additional logical gateways, or modify the default ports used for all gateways, you can do that using the aforementioned vars in the Helm chart.

Below is an example config where the default ports have been changed from 8080 and 8443 to 9090 and 9443. In addition, the chart has been configured to deploy two logical ingress gateways: ingress-gateway and bar-ingress-gateway. The first gateway is using the default listener ports. The other is using a custom listener port list.

---
ingressGateways:
  enabled: true
  defaults:
    service:
      # This changes the default port list from 8080 and 8443 to 9090 and 9443.
      ports:
        - 9090
        - 9443
  gateways:
    # Kubernetes will expose the default ports of 9090 and 9443 for this gateway's Service object
    - name: ingress-gateway
    # Kubernetes will expose the ports defined below for this gateway's Service object
    - name: bar-ingress-gateway
      service:
        ports:
          - 8000
          - 8080
          - 8443

After Kubernetes has been configured to forward these ports to the gateway’s pod via the Service, the Envoy proxy needs to be configured to actually listen on these ports.

---
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  listeners:
    - port: 9090
      protocol: tcp
      services:
        - name: counting
    - port: 9443
      protocol: http
      services:
        - name: foo-service

---
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: bar-ingress-gateway
spec:
  listeners:
    - port: 8000
      protocol: tcp
      services:
        - name: bar
    - port: 8080
      protocol: tcp
      services:
        - name: baz
    - port: 8443
      tls:
        enabled: true
      protocol: http
      services:
        - name: bar

Consul’s API gateway has a controller that provides a simplified UX for completely managing the lifecycle and config of gateways via custom resource definitions, as opposed to the Ingress gateway which requires managing parts of it via config in the Helm chart, and settings via Consul’s ingress gateway CRD.
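Added example (not part of the original thread and not HashiCorp code): a consistency check for the two-layer setup described in the last post, comparing the ports each gateway's Service exposes in the Helm values with the listeners in the matching IngressGateway resource. It assumes both documents are already parsed into Python dicts; the function names and the sample data (the post's values with one listener port mistyped as 9091) are constructed for illustration.

```python
CHART_DEFAULT_PORTS = [8080, 8443]  # chart defaults as stated in the post

def _port_numbers(ports):
    # Accept bare integers (as written in the post) or {"port": N} mappings.
    return {p["port"] if isinstance(p, dict) else int(p) for p in ports}

def service_ports(helm_values):
    """Return {gateway name: set of ports its Kubernetes Service exposes}."""
    ig = helm_values.get("ingressGateways") or {}
    if not ig.get("enabled"):
        return {}
    default_svc = (ig.get("defaults") or {}).get("service") or {}
    defaults = default_svc.get("ports", CHART_DEFAULT_PORTS)
    # With no explicit list, a single gateway named ingress-gateway is deployed.
    gateways = ig.get("gateways") or [{"name": "ingress-gateway"}]
    return {
        gw["name"]: _port_numbers((gw.get("service") or {}).get("ports", defaults))
        for gw in gateways
    }

def check_listeners(helm_values, ingress_gateway_resources):
    """Compare Service ports with IngressGateway listeners; return sorted findings."""
    exposed = service_ports(helm_values)
    findings, seen = [], set()
    for res in ingress_gateway_resources:
        name = res["metadata"]["name"]
        seen.add(name)
        listeners = {l["port"] for l in res.get("spec", {}).get("listeners", [])}
        if name not in exposed:
            findings.append((name, None, "no matching gateway in Helm values"))
            continue
        for port in listeners - exposed[name]:
            findings.append((name, port, "listener port not exposed by Service"))
        for port in exposed[name] - listeners:
            findings.append((name, port, "Service port has no listener"))
    for name in exposed.keys() - seen:
        findings.append((name, None, "gateway has no IngressGateway resource"))
    return sorted(findings, key=lambda f: (f[0], f[1] or 0, f[2]))

# Constructed sample: the values from the post, with one listener mistyped (9091).
VALUES = {"ingressGateways": {"enabled": True,
    "defaults": {"service": {"ports": [9090, 9443]}},
    "gateways": [{"name": "ingress-gateway"},
                 {"name": "bar-ingress-gateway",
                  "service": {"ports": [8000, 8080, 8443]}}]}}
RESOURCES = [{"metadata": {"name": "ingress-gateway"}, "spec": {"listeners": [
    {"port": 9091, "protocol": "tcp", "services": [{"name": "counting"}]},
    {"port": 9443, "protocol": "http", "services": [{"name": "foo-service"}]}]}}]
for finding in check_listeners(VALUES, RESOURCES):
    print(finding)
```

A Service port with no listener is worth reviewing as well as the reverse case, since it is an externally reachable port on the LoadBalancer that nothing in the mesh configuration accounts for.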