I’m using Consul Connect to establish mTLS connections between Kubernetes services. For the internal configuration I’m using self-signed certificates provided by Vault. This is working fine, but now I’m trying to figure out what would be the best way to add certificates to an ingress gateway so that I can expose some of these services to the browser. The only solution that I found was to connect Ambassador and then use its integration with Let’s Encrypt. What’s the common practice here? I didn’t find much information in the documentation.
It is not currently possible to use custom certificates with Consul’s ingress controller. The current best practice is to use a gateway such as Ambassador, as you have already discovered. These third-party gateways can either be integrated with the service mesh and route directly to backend services, or placed in front of the Consul ingress to provide termination of traffic from external/public clients. For example:
(TLS) Public ingress -> (private TLS) Consul ingress -> (mTLS) services
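As an added illustration of the second option in the reply above (third-party gateway in front of the Consul ingress gateway), the Kubernetes manifests below wire up the chain “public TLS at Ambassador → private TLS to the Consul ingress gateway → mTLS to the service”. This is example configuration written for this page, not code from the original poster, from HashiCorp, or from the Ambassador project. The hostname `web.example.com`, the Connect service name `web`, the `consul` namespace, the gateway Service name `consul-ingress-gateway`, port `8443` and the contact e-mail are all assumptions; adjust them to your cluster. The `Host` resource with `acmeProvider` is an Ambassador Edge Stack feature; with the open-source Ambassador API Gateway you would obtain the Let’s Encrypt certificate with cert-manager instead and reference its Secret from a `TLSContext`.

```yaml
# Added example, not part of the original post or of either project's docs.
# All names, hostnames, ports and the e-mail address are assumptions.

# 1) Consul ingress gateway (consul-k8s CRD): terminates a *private* TLS
#    listener using a leaf certificate from the Connect CA (Vault here) and
#    forwards to the mesh service "web" over mTLS. No public certificate is
#    involved at this hop, which is why a gateway is still needed in front.
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway          # must match the gateway deployed by the Helm chart
  namespace: consul
spec:
  tls:
    enabled: true                # serve TLS with the Connect CA-issued cert
  listeners:
    - port: 8443
      protocol: http
      services:
        - name: web              # Connect service registered in the mesh
          hosts:
            - web.example.com    # Host header the gateway routes on
---
# 2) Ambassador Edge Stack Host: obtains and renews a *public* certificate
#    for web.example.com from Let's Encrypt via ACME and terminates browser TLS.
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: web-host
  namespace: ambassador
spec:
  hostname: web.example.com
  acmeProvider:
    authority: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com     # assumed contact address for ACME
---
# 3) Ambassador Mapping: routes the public hostname to the Consul ingress
#    gateway's TLS listener. The https:// scheme makes the upstream hop TLS,
#    so traffic is never plaintext between the two gateways.
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: web-to-consul-ingress
  namespace: ambassador
spec:
  host: web.example.com
  prefix: /
  service: https://consul-ingress-gateway.consul.svc.cluster.local:8443
```

Two checks worth doing once this is applied: confirm the gateway is actually serving the Connect CA certificate (`openssl s_client -connect <gateway-ip>:8443 -servername web.example.com` from inside the cluster should show an issuer from your Vault-backed Connect CA, not a public CA), and decide whether Ambassador should verify that upstream certificate. By default the `https://` upstream is encrypted but not validated; if you want the middle hop authenticated as well, add an Ambassador `TLSContext` whose CA is the Connect root exported from Vault and reference it from the Mapping’s `tls` field. The Consul ingress gateway still enforces Connect intentions on the final mTLS hop, so an intention allowing `ingress-gateway` to reach `web` is required for the route to work.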