Unable to setup ingress controller on eks cluster

I am getting this error :::::

error: unable to recognize “ingress.yml”: no matches for kind “IngressGateway” in version “consul.hashicorp.com/v1alpha1

whenever I do kubectl apply -f ingress.yml. Here is the file

apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
  name: ingress-gateway
    enabled: true
    - port: 8080
      protocol: http
        - name: '*'

Hi @keepCalmndCodeOn is your Consul deploying on running v1.8+ as described here? Configuration Entry Kind: Ingress Gateway | Consul by HashiCorp

Also I wanted to also just provide some context around our Ingress Gateway. Although TLS is possible Ingress Gateway and you could encrypt traffic sent to the Gateway using the TLS cert that is presented to you if you trust the Consul Connect CA, it is mainly meant to be utilized for service to service communication.

We have some high level documentation on how to help you get started with Integrating Ingress Controllers: Ingress Controller Integrations | Consul by HashiCorp. This would require you to upgrade to the latest version of Consul and Consul K8s however.

Thanks @david-yu will check it out and revert on this thread

@david-yu I just want to describe the original problem that I was saying. So I am doing a POC on kubernetes and consul connect. I have setup consul and deployed application. But when I deployed envoy proxy. My service was unable to hit external urls such as of zookeeper or even curl google.com was unreachable from my service pod. Thats how I started exploring ingress. So should I go ahead with it or is there some other approach. Btw I am using 1.10 version of consul.

Edit: See @ishustava1’s answer below. This should work by default.

You can use the consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs or consul.hashicorp.com/transparent-proxy-exclude-outbound-ports annotations to allow access to those external URLs.

Hey @keepCalmndCodeOn

It sounds like your problem is related more to egress than ingress. Reaching external services, like google.com, should work by default. This behavior is controlled by the MeshDestinationsOnly property of the Mesh Config entry. Since it’s false by default, you should be able to reach those services through the proxy with no problem.

I’ve tried deploying it myself on kind and it worked:

helm install consul --set global.name=consul --set server.replicas=1 --set controller.enabled=true --set connectInject.enabled=true hashicorp/consul

Then I deployed static-client service and tried calling curl from the container:

$ kubectl exec -it deploy/static-client -c static-client -- /bin/sh
/ $ curl google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.

Here is my static-client.yaml:

apiVersion: v1
kind: Service
  name: static-client
    app: static-client
    - port: 80
apiVersion: v1
kind: ServiceAccount
  name: static-client
apiVersion: apps/v1
kind: Deployment
  name: static-client
  replicas: 1
      app: static-client
      name: static-client
        app: static-client
        "consul.hashicorp.com/connect-inject": "true"
        - name: static-client
          image: docker.mirror.hashicorp.services/curlimages/curl:latest
          command: [ "/bin/sh", "-c", "--" ]
          args: [ "while true; do sleep 30; done;" ]
      serviceAccountName: static-client

If that doesn’t work, you can try to use exclusion rules like Luke mentioned above.

@ishustava1 @lkysow Thanks my problem got resolved. But there is something else I am stuck with, earlier we were using consul for service discovery. All are services are deployed in separate vm’s and interact via consul. Now we are shifting to service mesh and kubernetes. So I have successfully deployed a service A on k8 container along with side-car. Now I want to call that service A from outisde k8 that is from service B(running in one of the VMs) . How can I use name based discovery here as well(from service B to service A). Is there some documentation on the same. I am not using mtls now. So I wont be needing gateways.

The best way to do that is to use an ingress gateway. The reason you need that is two-fold. First, your networking on k8s and VMs are likely different and so adding an ingress gateway to proxy between those networks will help. Second, your services on the service mesh will require mTLS by default and there’s no way to disable that. So now if your service from VM will try to call a service on the mesh without mTLS certs, it’ll get rejected by the sidecar proxy.

Ingress gateway on k8s docs