IngressGateway: listenerPort vs containerPort question

Hi folks,

I successfully have an IngressGateway setup that allows outside services to talk to services in our service mesh. Everything seems to work great if the listenerPort on the ingressGateway matches the containerPort used by the pod in my mesh. However, if they differ - it doesn’t seem to connect. Here is an example:

apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  listeners:
    - port: 8080
      protocol: http
      services:
        - name: my-service

Then, we have my-service defined as such:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    consul.hashicorp.com/connect-service: my-service
    consul.hashicorp.com/connect-service-port: "8081"
spec:
  containers:
  # containers is a list, so each entry starts with a dash
  - image: my-service:latest
    imagePullPolicy: IfNotPresent
    name: my-service
    ports:
    - containerPort: 8081
      name: http
      protocol: TCP

(p.s. I left out the ServiceDefaults/Intentions for brevity)

Note, the listenerPort on the IngressGateway is listening on 8080, but the containerPort in the mesh is actually serving on 8081. Other services can communicate within the mesh with my-service no prob, but externally - it fails. Now, if I updated my-service to be the same port number (8080) then everything is happy.

Is there a way to make this work? Hopefully I missed something in the docs and it’s an easy fix.

Thanks,
Ben

Hi Ben,

The containerPort (or ingressGateways.<name>.service.ports if using the Helm chart) defines the port(s) that Kubernetes needs to expose to allow connections to the Envoy container.

The listeners correspondingly define the set of ports Envoy should listen on in order to handle incoming connections.

The ports defined in K8s and the ingress gateway config entry need to match in order to successfully route ingress connections.
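
The port matching described in the reply above, written out as an added example that is not part of the original posts: the gateway name and port 8080 come from the question, while the Helm values layout (the chart's `ingressGateways.gateways[].service.ports` list) and the `ClusterIP` service type are assumptions about how the gateway was installed.

```yaml
# Helm values for the Consul chart (assumed install method).
# This is the port Kubernetes exposes on the ingress gateway's Service
# so that connections can reach the Envoy container.
ingressGateways:
  enabled: true
  gateways:
    - name: ingress-gateway        # gateway name taken from the question
      service:
        type: ClusterIP            # assumed; use whatever type the cluster needs
        ports:
          - port: 8080             # must match a listener port below
---
# IngressGateway config entry (same resource as in the question).
# This is the port Envoy listens on inside the gateway pod.
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  listeners:
    - port: 8080                   # must match a port exposed above
      protocol: http
      services:
        - name: my-service
```

Keeping the exposed port list limited to the ports that have a listener avoids opening gateway ports on the Service that nothing in the config entry is meant to serve.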

Thank you for the confirmation Blake, I appreciate it!

Thanks,
Ben