Setup Envoy as Ingress Gateway

Followed steps outlined here

ingress-gateway.hcl ==> Protocol = "tcp" does not work as the destination "counting" service is HTTP based. After changing it to "http", I was able to write the config.

However, I am getting 404 when I curl -v http://{vm-ip}:8080/

My ingress-gateway.hcl is as follows

Kind = "ingress-gateway"
Name = "ingress-service"

Listeners = [
 {
   Port = 8080
   Protocol = "http"
   Services = [
     {
       Name = "counting"
     }
   ]
 }
]

o/p from - netstat -plnt

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:9102            0.0.0.0:*               LISTEN      14012/envoy         
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      474/rpcbind         
tcp        0      0 192.168.56.170:8080     0.0.0.0:*               LISTEN      14012/envoy         
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      518/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      988/sshd            
tcp        0      0 192.168.56.170:8888     0.0.0.0:*               LISTEN      14012/envoy         
tcp        0      0 127.0.0.1:19000         0.0.0.0:*               LISTEN      14012/envoy         
tcp6       0      0 :::8301                 :::*                    LISTEN      13774/consul        
tcp6       0      0 :::111                  :::*                    LISTEN      474/rpcbind         
tcp6       0      0 :::8500                 :::*                    LISTEN      13774/consul        
tcp6       0      0 :::8502                 :::*                    LISTEN      13774/consul        
tcp6       0      0 :::22                   :::*                    LISTEN      988/sshd            
tcp6       0      0 :::8600                 :::*                    LISTEN      13774/consul

Hi @bbuddha,

When an ingress is configured with an HTTP listener, applications must send an HTTP Host header with the configured (or default) hostname for the backend service in order for the request to be correctly routed. This is documented on the Hosts of the ingress gateway config entry.

Hosts (array<string>: <optional>) - A list of hosts that specify what requests will match this service. This cannot be used with a tcp listener, and cannot be specified alongside a * service name. If not specified, the default domain <service-name>.ingress.* will be used to match services. Requests must send the correct host to be routed to the defined service.

Given the configuration you provided, you would need to use the following curl command to reach your backend service.

$ curl --header "Host: counting.ingress.consul" http://${vm_ip}:8080/

If your applications outside of the mesh are configured to use Consul for DNS resolution, then they can use an ingress service lookup to find the IP address of the gateway(s) associated with a given service. For example:

$ curl http://counting.ingress.consul:8080/

I hope this information is helpful. Let me know if you have any questions.
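The Host-based selection described in the reply above, as an added example that is not part of the original thread and is not Consul or Envoy source code. It is a simplified model of the documented matching rule; the function names and the `LISTENER` dictionary are hypothetical, built from the ingress-gateway.hcl in the question.

```python
# Simplified model (an assumption, not Consul's or Envoy's implementation) of
# how an HTTP ingress listener selects a backend from the Host header.
from typing import Optional

# Constructed from the ingress-gateway.hcl posted in the question.
LISTENER = {"Port": 8080, "Protocol": "http", "Services": [{"Name": "counting"}]}


def domains_for(service: dict) -> list:
    """Explicit Hosts win; otherwise the default <service-name>.ingress.* applies."""
    return service.get("Hosts") or [f"{service['Name']}.ingress.*"]


def strip_port(host_header: str) -> str:
    """Drop an optional :port so 'name:8080' and 'name' compare equal."""
    host, sep, port = host_header.rpartition(":")
    return host if sep and port.isdigit() else host_header


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leading/trailing '*' wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1]) and len(host) > len(pattern) - 1
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return pattern == host


def route(listener: dict, host_header: str) -> Optional[str]:
    """Return the backend service name, or None (the gateway answers 404)."""
    host = strip_port(host_header)
    for service in listener["Services"]:
        if any(domain_matches(d, host) for d in domains_for(service)):
            return service["Name"]
    return None


if __name__ == "__main__":
    # A bare IP in the Host header matches no service, which is the 404 seen above.
    for h in ("192.168.56.170:8080", "counting.ingress.consul",
              "counting.ingress.dc1.consul:8080"):
        print(f"{h!r:40} -> {route(LISTENER, h) or '404'}")
```

Setting an explicit `Hosts` list on the service replaces the default domain in this model, so only the listed names are routed.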

Thanks @blake. Your suggestions worked and I was able to curl the ingress controller using the IP and Host header as you suggested.

The example on learning site here suggests to set counting service url property using IP resolved by DNS query to "counting.ingress.dc1.consul". Based on what you are suggesting, the steps in the learning site are not accurate/correct.

Also, is envoy dependent on service name/id coming from host header or <service>.ingress.<domain> for all traffic? Is there any path based routing to avoid this requirement for applications outside mesh wanting to consume services hosted in a mesh?

Exploring what’s documented here

My modified ingress-gateway.hcl

Kind = "ingress-gateway"
Name = "ingress-service"

Listeners = [
 {
   Port = 8080
   Protocol = "http"
   Services = [
     {
       Name = "api"
       RequestHeaders {
         Add {
           "x-gateway" = "ingress-service"
         }
       }
       ResponseHeaders {
         Remove = ["x-debug"]
       }
     }
   ]
 }
]

o/p from : consul config write ingress-gateway.hcl

Failed to decode config entry input: 2 errors occurred:
	* invalid config key "Listeners[0].Services[0].RequestHeaders"
	* invalid config key "Listeners[0].Services[0].ResponseHeaders"

Datacenter is actually an optional component when performing DNS queries. For example:

$ dig @10.0.0.203 freshrss.ingress.consul +short
10.0.0.6
$ dig @10.0.0.203 freshrss.ingress.dc2.consul +short
10.0.0.6

A few of the sections on https://www.consul.io/docs/discovery/dns#standard-lookup document datacenter as being an optional parameter, but it's not explicitly stated as being optional for all DNS sub-domains. I’ll look at updating the docs to clarify this.

HTTP header manipulation is only supported in Consul 1.11.0 and later. Are both your Consul CLI and Consul server versions using 1.11.0 or later?

I’m on 1.9.6. I will upgrade to latest and give it a try.