* invalid config key "TLS.TLSMinVersion"

Doc: Configuration Entry Kind: Ingress Gateway | Consul by HashiCorp

file:
{
  "Kind": "ingress-gateway",
  "Name": "ingress-gateway",
  "TLS": {
    "Enabled": true,
    "TLSMinVersion": "TLSv1_2",
    "TLSMaxVersion": "TLSv1_3"
  },
  "Listeners": [
    {
      "Port": 8080,
      "Protocol": "http",
      "Services": [
        {
          "Name": "webapp",
          "Hosts": [
            "webapp.example.com"
          ]
        },
        {
          "Name": "apiapp",
          "Hosts": [
            "apiapp.example.com"
          ]
        }
      ]
    },
    {
      "Port": 5432,
      "Protocol": "tcp",
      "Services": [
        {
          "Name": "database",
          "Hosts": null
        }
      ]
    }
  ],
  "CreateIndex": 20531,
  "ModifyIndex": 68308
}

consul config write ingress.hcl

error:
Failed to decode config entry input: 2 errors occurred:
* invalid config key "TLS.TLSMaxVersion"
* invalid config key "TLS.TLSMinVersion"

I want to set the min and max TLS version in ingress-gateway.
It's not working. Please help.

consul version
Consul v1.11.1
Revision 2c56447e
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)

Hi @pavansh,

Setting these TLS parameters requires Consul v1.11.2 or greater. If you encounter any problems when using a newer Consul version, please let us know.

Regards,
Jeff
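
A pre-flight check for the version requirement in the reply above, as an added example that is not part of the thread or of Consul itself. It assumes the v1.11.2 floor stated in the reply applies to the two keys from the question; the function names and the sample input are constructed for illustration.

```python
import json
import re

# Assumption taken from the reply above: these ingress-gateway TLS keys are
# accepted starting with Consul v1.11.2. Only keys named in this thread are listed.
MIN_VERSION_FOR_KEY = {
    "TLSMinVersion": (1, 11, 2),
    "TLSMaxVersion": (1, 11, 2),
}


def parse_consul_version(version_output):
    """Extract (major, minor, patch) from the output of `consul version`."""
    match = re.search(r"Consul v(\d+)\.(\d+)\.(\d+)", version_output)
    if match is None:
        raise ValueError("no 'Consul vX.Y.Z' line found")
    return tuple(int(part) for part in match.groups())


def unsupported_tls_keys(entry_json, version_output):
    """Return the TLS keys in the config entry that this Consul build is too old for."""
    running = parse_consul_version(version_output)
    tls = json.loads(entry_json).get("TLS") or {}
    return sorted(
        f"TLS.{key}" for key in tls
        if key in MIN_VERSION_FOR_KEY and running < MIN_VERSION_FOR_KEY[key]
    )


# Constructed sample input, trimmed from the config entry and version output
# posted in the question.
SAMPLE_ENTRY = """
{
  "Kind": "ingress-gateway",
  "Name": "ingress-gateway",
  "TLS": {"Enabled": true, "TLSMinVersion": "TLSv1_2", "TLSMaxVersion": "TLSv1_3"}
}
"""
SAMPLE_VERSION = "Consul v1.11.1\nRevision 2c56447e\n"

if __name__ == "__main__":
    for key in unsupported_tls_keys(SAMPLE_ENTRY, SAMPLE_VERSION):
        print(f"{key} is not accepted by {SAMPLE_VERSION.splitlines()[0]}")
```

Running the check before `consul config write` in a deployment pipeline makes the TLS version bounds a hard requirement, so nobody gets the entry accepted by deleting the two keys.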

Hi @pavansh,

I forgot to mention that, if you are planning to use Ingress Gateway on Kubernetes, you might want to consider using Consul API Gateway instead.

A couple of things it allows you to do that Ingress Gateway doesn’t are:

  • Use TLS Server certificates signed by any Certificate Authority. This allows the listener on the gateway to use a certificate signed by a CA like Let’s Encrypt.
  • Create and deploy a new API Gateway at any time without rerunning the Consul Helm chart.

For more information, please see the Consul API Gateway documentation.

Regards,
Jeff
