Unable to setup ingress controller on eks cluster

I am getting this error:

error: unable to recognize "ingress.yml": no matches for kind "IngressGateway" in version "consul.hashicorp.com/v1alpha1"

whenever I do kubectl apply -f ingress.yml. Here is the file:

apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  tls:
    enabled: true
  listeners:
    - port: 8080
      protocol: http
      services:
        - name: '*'

Hi @keepCalmndCodeOn, is your Consul deployment running v1.8+ as described here? Ingress gateway configuration entry reference | Consul | HashiCorp Developer

I also wanted to provide some context around our Ingress Gateway. Although TLS is possible with the Ingress Gateway, and you could encrypt traffic sent to the Gateway using the TLS cert that is presented to you if you trust the Consul Connect CA, it is mainly meant to be used for service-to-service communication.

We have some high level documentation on how to help you get started with Integrating Ingress Controllers: Configure Ingress Controllers for Consul on Kubernetes | Consul | HashiCorp Developer. This would require you to upgrade to the latest version of Consul and Consul K8s however.

Thanks @david-yu will check it out and revert on this thread

@david-yu I just want to describe the original problem I was facing. I am doing a POC on Kubernetes and Consul Connect. I have set up Consul and deployed an application. But when I deployed the Envoy proxy, my service was unable to hit external URLs such as those of ZooKeeper; even curl google.com was unreachable from my service pod. That's how I started exploring ingress. So should I go ahead with it, or is there some other approach? Btw, I am using version 1.10 of Consul.

Edit: See @ishustava1’s answer below. This should work by default.

You can use the consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs or consul.hashicorp.com/transparent-proxy-exclude-outbound-ports annotations to allow access to those external URLs.

Hey @keepCalmndCodeOn

It sounds like your problem is related more to egress than ingress. Reaching external services, like google.com, should work by default. This behavior is controlled by the MeshDestinationsOnly property of the Mesh Config entry. Since it’s false by default, you should be able to reach those services through the proxy with no problem.

I’ve tried deploying it myself on kind and it worked:

helm install consul --set global.name=consul --set server.replicas=1 --set controller.enabled=true --set connectInject.enabled=true hashicorp/consul

Then I deployed the static-client service and tried calling curl from the container:

$ kubectl exec -it deploy/static-client -c static-client -- /bin/sh
/ $ curl google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

Here is my static-client.yaml:

apiVersion: v1
kind: Service
metadata:
  name: static-client
spec:
  selector:
    app: static-client
  ports:
    - port: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-client
  template:
    metadata:
      name: static-client
      labels:
        app: static-client
      annotations:
        "consul.hashicorp.com/connect-inject": "true"
    spec:
      containers:
        - name: static-client
          image: docker.mirror.hashicorp.services/curlimages/curl:latest
          command: [ "/bin/sh", "-c", "--" ]
          args: [ "while true; do sleep 30; done;" ]
      serviceAccountName: static-client

If that doesn’t work, you can try to use exclusion rules like Luke mentioned above.
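The two egress controls mentioned above (the MeshDestinationsOnly property of the Mesh config entry, and the transparent-proxy-exclude-outbound-* pod annotations) as an added example that is not part of the original thread or of the Consul project's own samples. It assumes the Mesh CRD is available (Consul 1.10 / consul-k8s with controller.enabled=true, as in the helm command above); the ZooKeeper port 2181, the 10.0.0.0/8 CIDR and the service names are assumptions for illustration:

```yaml
# Cluster-wide mesh config entry. The CRD must be named "mesh".
# meshDestinationsOnly: false is the default; it is spelled out here so the
# setting is explicit and auditable. With true, the sidecar drops any
# outbound connection to a destination that is not a mesh service.
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh
spec:
  transparentProxy:
    meshDestinationsOnly: false
---
# Fallback for destinations the proxy must not intercept at all. Traffic matching
# these rules bypasses Envoy entirely, so neither mTLS nor intentions apply to it:
# keep the lists as narrow as possible.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-client
  template:
    metadata:
      labels:
        app: static-client
      annotations:
        "consul.hashicorp.com/connect-inject": "true"
        # Assumed: ZooKeeper client port, reached outside the mesh.
        "consul.hashicorp.com/transparent-proxy-exclude-outbound-ports": "2181"
        # Assumed: the VM network that hosts legacy services.
        "consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs": "10.0.0.0/8"
    spec:
      serviceAccountName: static-client
      containers:
        - name: static-client
          image: docker.mirror.hashicorp.services/curlimages/curl:latest
          command: [ "/bin/sh", "-c", "--" ]
          args: [ "while true; do sleep 30; done;" ]
```

Apply the Mesh entry first and re-test curl google.com from the pod; only add the exclusion annotations for destinations that genuinely cannot go through the proxy, since excluded traffic leaves the pod in the clear with no mesh identity attached.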

@ishustava1 @lkysow Thanks, my problem got resolved. But there is something else I am stuck with. Earlier we were using Consul for service discovery. All our services are deployed in separate VMs and interact via Consul. Now we are shifting to a service mesh and Kubernetes. So I have successfully deployed a service A in a k8s container along with a sidecar. Now I want to call that service A from outside k8s, that is, from service B (running in one of the VMs). How can I use name-based discovery here as well (from service B to service A)? Is there some documentation on the same? I am not using mTLS now, so I won't be needing gateways.

The best way to do that is to use an ingress gateway. The reason you need that is two-fold. First, your networking on k8s and VMs is likely different, so adding an ingress gateway to proxy between those networks will help. Second, your services on the service mesh will require mTLS by default and there's no way to disable that. So if your service from the VM tries to call a service on the mesh without mTLS certs, it'll get rejected by the sidecar proxy.

Ingress gateway on k8s docs
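The VM-to-mesh path described in the answer above, as an added example that is not part of the original thread or of the Consul docs. It assumes the Helm release was installed with ingressGateways.enabled=true (for example adding --set ingressGateways.enabled=true --set 'ingressGateways.gateways[0].name=ingress-gateway' to the helm install command shown earlier in the thread), and it assumes a mesh service named static-server standing in for "service A":

```yaml
# Declare the protocol of the destination service; the ingress listener below
# is http, and http listeners can only route to http services.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: static-server   # assumed name for "service A"
spec:
  protocol: http
---
# The gateway terminates the VM client's connection and originates mTLS to the
# sidecar, so the gateway is the identity the sidecar sees. Name the single
# service explicitly instead of '*' so the gateway cannot be used to reach
# arbitrary mesh services.
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  tls:
    enabled: true        # VM clients must trust the Consul Connect CA
  listeners:
    - port: 8080
      protocol: http
      services:
        - name: static-server
---
# Least privilege: allow only the ingress gateway to call static-server.
# Intentions are enforced by the sidecar regardless of where the caller lives.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: static-server
spec:
  destination:
    name: static-server
  sources:
    - name: ingress-gateway
      action: allow
```

From service B on the VM, the gateway's Kubernetes Service address (LoadBalancer or NodePort, depending on ingressGateways.defaults.service.type) is the only thing that needs to be reachable; the request is routed by Host header, which by default must match the `<service>.ingress.*` pattern, for example static-server.ingress.dc1.consul with the default datacenter and domain. Because tls.enabled is true, the VM client has to trust the Connect CA; inspect the presented certificate with openssl s_client -connect <gateway>:8080 -servername static-server.ingress.dc1.consul -showcerts before wiring it into service B. If the VM side is registered in Consul, it can also resolve the gateway through Consul DNS as ingress-gateway.service.consul, which keeps the name-based discovery the previous VM-only setup relied on.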